The key points of building the internal control system under risk management
3.1Creating a good internal control environment
The internal control environment is the fundamental environment for the implementation of internal control, which is the driving force for the development of the enterprise and the basis for the implementation of other risk management factors, and has a significant impact on the construction and implementation of the enterprise's internal control. directly determines the efficiency and effectiveness of its internal control and risk management.
(1) Deepen the understanding of internal control and establish the concept of risk management. Deepen the understanding of internal control, first of all, should break through the traditional understanding of internal control, should recognize that internal control is not only limited to the accounting level, internal control contains a higher level of strategic objectives, in the electric power design enterprises to diversification, general contracting and overseas projects in the process of transforming the development of the enterprise, we must be from the strategic height of risk management and internal control. Furthermore, both the management and employees of the enterprise should have the awareness of risk management, and the awareness of risk management should be carried out throughout the production and operation process of the enterprise, including business management, functional management, quality and safety management and other aspects. The cultivation of risk management concept can be realized through the exemplary role of enterprise leadership, relevant training and related rules and regulations.
(2) Establish a corporate governance structure and give full play to the responsibilities of each organization. There should be a clear division of labor between the various departments at all levels of the enterprise, as well as mutual supervision and mutual control. The company can through the provisions of the articles of association and improve the relevant incentives and constraints mechanism to ensure the realization of the company's institutional responsibilities. It is very important that the highest management organization of the electric power design enterprise should be responsible for the establishment and implementation of internal control. Enterprises should be set up under the construction of internal control and risk management, supervision and management organizations, each organization is responsible for all aspects of work, and mutual supervision and mutual constraints.
5.1 Improve the corporate governance structure to create a good internal control environment for the construction of internal control system for comprehensive risk management. The establishment of a sound internal control system is actually the embodiment of the improvement of the corporate governance structure, most of the electric power design enterprises set up an internal audit organization, but most of the internal audit organization under the leadership of the chief financial officer or general manager, so the internal audit organization of the electric power design enterprises will be upgraded to the company's board of directors as an integral part of the audit commissioner or the work of the department, so that it will be further clarified that the internal audit organization in the electric power The main position of the internal audit organization in the internal control of electric power design enterprises.
(3) Cultivate employees' professional ethics and competence. Enterprise employees are the executors of the enterprise production and management activities, employees of good professional ethics can ensure the smooth progress of business activities, can avoid fraud events. Employee knowledge and skills must be matched with the required competence of the position, which is the basic guarantee for the effective operation of business activities and internal control activities. To this end, enterprises should take professional ethics such as honesty as the code of conduct for employees, establish a reward and punishment mechanism, strengthen the re-education of employees, and implement a regular rotation system for key positions.
3.2 Setting strategic goals
Enterprises should set strategic goals according to their mission or vision, which is the highest goal of the enterprise, and other goals serve the strategic goals. Enterprises according to the strategic objectives and then layer by layer decomposition, and by the departments to implement. The formulation of strategic objectives should take into account the risk capacity of the enterprise, and the risks faced by the enterprise in realizing the strategic objectives should be within the risk capacity of the enterprise.
3.3Improve the risk management system
Enterprises should establish a risk-oriented internal control system, only to implement risk management into all aspects of the enterprise, in order to control risks. To improve the enterprise risk management system, attention should be paid to the following points:
First, establish a risk early warning mechanism. Enterprises should be through the target analysis, process analysis and other methods to identify the internal and external potential matters affecting the realization of corporate goals, to distinguish between potential matters are opportunities or risks, clear risk warning standards. The establishment of risk early warning mechanism is of great significance for enterprises to seize the development opportunities and assess and deal with risks in time.
Second, the establishment of risk assessment system. Enterprises should conduct further analysis and assessment of identified risks, analyze whether potential risks are inherent or residual risks, analyze the possibility of risk occurrence and its impact, and focus on significant risks. Evaluate the applicability of existing internal controls to the risks, the need for additional procedures, etc. Care should be taken to apply a portfolio view of risk when assessing risk.
Third, establish a risk response mechanism. Risk response is a key step in controlling risks. After risk assessment, enterprises should take different response measures for the possibility of risk occurrence and different degrees of impact, of which special attention should be paid to major risks. Risk response measures include avoiding, reducing, assuming and sharing risks. At the same time, the issue of cost and efficiency should be considered in risk response.
3.4 Establishment of good control activities
Enterprises should establish good control activities to ensure that the management's measures to deal with risks are effectively implemented, and that control activities are carried out across all departments, levels and activities of the organization. Control activities should include: analysis and evaluation of employee performance, departmental self-review, control of information processing (including general and application control), control of physical assets, division of responsibility and separation of incompatible positions control.
3.5 Adequate information and communication
In the process of operation, the enterprise should establish the transmission and communication of information to ensure that the employees understand the internal control and clarify their responsibilities. At the same time, through the external market information, policy information, customer information, competitors' information understanding and mastery, through the communication with all parties, it is conducive to the enterprise to deal with risks in a timely manner, seize the opportunity to achieve better development. Enterprises can realize this through employee manuals and the establishment of information collection and processing systems.
3.6 Establishment of internal control monitoring and evaluation mechanism
Monitoring and evaluation of internal control is an important means to ensure the effective implementation of the internal control system, and is conducive to the management of the enterprise to timely understand the problems of internal control, which can provide suggestions for the improvement of the internal control, and is conducive to the continuous improvement of the internal control system, which helps the enterprise to control various risks. The establishment of internal control monitoring and evaluation mechanism mainly includes internal and external aspects:
First, the enterprise should establish an independent and authoritative internal audit organization. The setup of the internal audit organization should be separated from other functional departments. The internal audit organization should have the right to implement the audit decisions and conclusions, and can establish a strong independence and authority of the board of directors or the supervisory board of internal audit organization. Internal auditing should not be limited to financial statement auditing, but should carry out comprehensive supervision and evaluation of enterprise qualification internal control system, including auditing and evaluation of enterprise financial information, operation activities and control activities. At the same time should improve the professional ethics of internal auditors and business quality, and the formation of mutual inspection and supervision mechanism between different positions.
Secondly, external supervision and evaluation should be improved. As internal audit is mainly responsible for the enterprise leadership, internal audit has inherent limitations, which may lead to some control deficiencies in the power to intervene in the cover up, not conducive to the improvement of internal control of the enterprise. Therefore, an independent third party is usually needed to participate in the supervision and evaluation of the enterprise to realize the function of supervision. First of all, the internal control information disclosure system should be improved so that the enterprise can accept extensive supervision from the government and society. Furthermore, the third-party auditing power can be utilized, and the most common one is to regularly hire a certified public accountant to audit and evaluate the design and implementation of the enterprise's internal control and to issue a review report. This is also conducive to the supervision of the construction and implementation of enterprise internal control, but also conducive to the timely discovery of problems in the enterprise internal control.
(2) Risk Assessment
Sinopec, based on the development objectives of the enterprise, collects comprehensive information from each department to determine the risk capacity of the enterprise, establishes a risk assessment and control system based on internal control according to the internal and external risks that the enterprise may face, and conducts a comprehensive risk assessment of the key links that have a significant impact on the realization of the enterprise's objectives. Internal control processes are formulated for the risks and responsibilities faced by each department. Sinopec continuously revises the Internal Control Manual based on the results of internal audits and issues identified in the management process, and each branch (sub) company also continuously revises the implementation rules. Dynamic risk assessment and response provide assurance that the enterprise will achieve its goals.
(3) Control Activities
Control measures of Sinopec include: separation of incompatible positions control, authorization and approval control (with authorization guidelines as the core), accounting system control (with the establishment of a unified financial management information system), funds disbursement control, property protection control, information technology control (with the adoption of an advanced ERP management information system control), planning control, budget control ( comprehensive budget control), contract management control, operation analysis control and scientific performance appraisal control. It also combines manual control with automatic control, and combines preventive control with incident discovery control, and establishes an early warning mechanism for major risks and an emergency response mechanism for emergencies. The business control matrix clarifies the business objectives, risks, responsible units, incompatible positions, and record documents for each control point, providing guidance for the implementation of internal control responsibilities. The description of risks reflects the requirements of internal control for comprehensive risk management.
Sinopec's Internal Control Manual safeguards internal control activities. The Internal Control Manual contains 18 categories and 59 business processes, such as procurement, assets, information management, and internal auditing, which encompass all aspects of the enterprise's operation and management activities.
(4) Information and Communication
Sinopec adopts an advanced ERP management information system, accounting system, centralized fund management system, comprehensive budget management system, and various business management and other systematic information systems, as well as centralized management of financial information system. The system allows the business operations of the personnel of each business department to be unified in the ERP system. After the enterprise enters the business data, the production and sales of each link will generate the relevant information according to the corresponding business process and transmit it to the database of the company's headquarter for monitoring and analysis. Sinopec has formulated relevant management methods and business processes to regulate and control the information system in terms of general control and application control. The enterprise continuously improves the information collection mechanism and the information communication platform, and the Internal Control Manual has corresponding provisions to ensure smooth communication between enterprise departments, between departments and branches or subsidiaries, and between management and the outside world. PetroChina regularly discloses information to the public in accordance with relevant regulations, and the disclosure of information to the public is reviewed by the Board of Directors and the President's Office.
(5) Internal oversight
Sinopec has set up an audit committee responsible for reviewing financial reports and internal controls, and branches and subsidiaries are independently reviewed by the audit department on a regular basis. The enterprise has established a bipolar internal control daily supervision mechanism. The bipolar evaluation refers to the headquarters' comprehensive inspection and the self-inspection test of branches and subsidiaries. The comprehensive inspection of the headquarters is mainly the annual comprehensive inspection under the responsibility of the internal control leading group and the independent inspection of no less than 25 branches (subsidiaries) by the Audit Department, as well as the inspection of the headquarters. Self-inspection and testing of branches and subsidiaries are mainly self-inspection and testing by enterprises through departmental process testing and comprehensive inspection and evaluation with the participation of auditing, as well as self-inspection and random inspection and evaluation by headquarters departments. In addition to daily supervision, Sinopec has also established supervision and inspection for some major aspects of internal control.
In addition, Sinopec has formulated the Compendium of Supervision Systems of Sinopec to improve the anti-fraud system of the enterprise. Internal controls are assessed by formulating indicators for the implementation of internal controls. It regularly evaluates the design and implementation of internal controls every year, issues internal control self-evaluation reports and discloses them to the outside world for extensive supervision, and hires external certified public accountants to audit internal controls over financial reporting.
4.4 Evaluation of Sinopec's Internal Controls
Sinopec has formulated the "Measures for the Inspection, Evaluation and Assessment of Internal Controls" and the guidelines to guide the evaluation of the enterprise's internal controls. In accordance with the Internal Control Manual, Sinopec examines whether the design of internal control is sound; and examines the compliance and effectiveness of the implementation of internal control in accordance with the content and scope of application of the Internal Control Manual. Sinopec mainly conducts self-evaluation of internal control in the form of identification of internal control deficiencies and quantitative scoring. Sinopec evaluates internal control in terms of internal control elements, comprehensive inspection of business processes, and self-inspection of units, and has formulated a standardized internal control self-evaluation flowchart to regulate the evaluation and guarantee the fairness of the evaluation.
4.5 Effects of Sinopec's internal control since its implementation
Since the implementation of internal control in 2005, Sinopec has not only improved the management level of the enterprise, but also strengthened the profitability of the enterprise. Specifically, Sinopec's institutionalized management system has been continuously improved, and an institutionalized management system with Sinopec's characteristics has been formed with the guarantee of internal control. It not only improves the enterprise's anti-risk ability and guarantees the realization of the enterprise's goals, but also sets an example for the establishment of internal control of other enterprises in China. Sinopec's management level is constantly improving. Sinopec has implemented unified material procurement management, standardized material procurement and saved material costs for the enterprise. Sinopec has established standards for the consumption of raw materials and other products, which has enabled the company to refine its production and operation management. Through the establishment of IT risk control system, the risk capacity of the enterprise has been strengthened. The internal control and its audit have improved the audit efficiency and effect, so that the management level of the enterprise is constantly improved. The implementation of internal control has accelerated the establishment of corporate rules and regulations, clarified the duties and powers of each corporate organization, department and position, and standardized the business operation process, which has also improved the efficiency and management level of the enterprise. The implementation of Sinopec's internal control meets the requirements of external supervision. Sinopec, as a company listed in three places in China and abroad, has implemented and disclosed its internal control to meet the requirements of each listing place, and its internal control has been continuously improved and refined since its implementation. The implementation of internal control has optimized Sinopec's internal environment, ensured the reform of the company's system, improved the corporate governance structure, unified and implemented the corporate culture, and standardized the behavior of employees through the formulation of the Employee Code, as well as made the concepts of risk management and honesty and integrity of operation y rooted in people's hearts.