ACCA F8 Exam: Internal Control Systems: Control Environment & Risk Assessment Process
1. Control Environment
The control environment relates to:
governance and management functions; and
the attitude, awareness and actions of management.
The control environment is the foundation for effective internal control, providing discipline and structure because it:
Sets the tone of an organisation, influencing the control consciousness of its management and employees.
Strongly relates to how management (and governance) has created a culture of honesty and ethical behaviour, supported by appropriate controls to prevent and detect fraud and error, through:
Communication and enforcement of integrity and ethical values.
Cascade effect (i.e. following management's best governance practice).
Commitment to competence (e.g. only those with the appropriate skills and knowledge are considered for each position).
Participation by those charged with governance:
  - independent (as far as possible) from the entity and management (e.g. non-executive directors, audit committee);
  - experienced and prepared to be a sounding board for management;
  - prepared to work with, but stand up to, management;
  - demanding and challenging of management decisions;
  - access to documents and information as required;
  - effective interaction with internal and external auditors; and
  - operation of "whistle-blowing" procedures, independent of management.
Management's philosophy and operating style (including approach to risk management and application of accounting policies).
Organisational structure (e.g. open and transparent or closed and opaque).
Assignment of authority and responsibility (e.g. clearly defined).
Human resource policies and practices (e.g. commitment to best practice in recruitment, training, appraisal, counselling, progression, compensation and remedial actions).
2. Risk Assessment Process
These are the procedures by which the entity's management identifies events which may lead to risks relevant to the corporate objectives (including financial statement risks), and how it decides to address those risks and review the results of doing so.
A risk event is essentially any external or internal matter which can lead to a positive or negative effect on the entity achieving its objectives. Events may be expected (e.g. routine and recurring) or unexpected, but predictable.
Beyond developing a sound understanding of the strategic and operational objectives, identifying events which may affect the achievement of those objectives requires a very detailed understanding of the entity, its markets, and the legal, political, economic, social, technological ("PEST"), environmental and cultural environments in which it operates.