Analysis of the Problems in Enterprise Internal Control from Five Elements

risks can be divided into three categories, namely, preventive risks (internal risks), strategic risks and external risks. The strategic risk and external risk voluntarily accepted for the pursuit of profit cannot be avoided by making rules, but rules can coordinate employees' values and behaviors, and effectively change or avoid internal risks. Internal risks are mostly related to fraud and negligence in enterprises. Establishing and implementing a strict internal control system is the main means to reduce such risks.

how should enterprises make rules to control internal risks? Su Xijia, professor of accounting at China Europe International Business School, academic deputy director of EMBA and academic director of CFO course, gave an in-depth explanation on how business leaders can strengthen internal control, effectively manage risks and improve business performance in an increasingly complex external environment on the theme of "Enterprises in Crisis and Crises in Enterprises".

COSO is a fraud investigation institution in the United States, which extends to internal control and puts forward the framework of internal control. The most basic internal control framework of COSO is the so-called "three objectives and five elements". Three goals, one is to use the company's resources efficiently and effectively, and the latter two goals are added by COSO-financial statements and compliance. In the three goals, five elements from bottom to top and from basic to high-end have been formed.

first, control the environment. Controlling the environment is to establish a corporate culture so that honest people can be reused. Corporate culture is invisible and intangible, but its impact is very great. Doing management is to form a small environment in the enterprise, which makes everyone willing to show their bright and sunny side and try to suppress their negative and disgraceful things. Two years ago, a team in the United States did a study and said to the big companies in the Fortune 5 in the United States, please give me a list. How many people lost their management team in your company last year? Tell me how many people there are after listing, and the company will try to keep them if possible. He asked these people one by one. What were the reasons given by many people? I see that many colleagues in the office use the company's phone to talk about personal matters at work, or use the company's envelope to send personal letters. I don't want to be colleagues with these people. This tells us a truth. The most important function of corporate culture is to bring people with the same values together and drive people who don't agree with this value away from the company. Over time, all the people who stay in the company are people with the same values.

A company is made up of people, so a good company culture must start from establishing and recruiting the most suitable people. Recruiting employees is actually very risky. Because there is a problem with environmental integrity, how to ensure that these people are honest and reliable is very critical. After the operation, it is necessary to establish various mechanisms, institutions, boards of directors and audit committees, and form a certain business style and management style; Most of the time, the top leader determines the style of this enterprise, and many styles are difficult to change once they are formed. In an environment without religious belief, it is more difficult to guard against risks than in other environments.

second, risk assessment. Risk is a possibility that will happen in the future, and it is very difficult to find it before it happens. There are various classifications of risks. First, internal risks, risks that can be solved by doing things yourself; Second, external risks, sudden changes in the market environment, natural disasters and so on; There are inherent risks and residual risks.

the key to risk identification is to see how likely each risk is to occur. How big is the loss? If the loss may be very large and the probability of occurrence is very high, the best way is for us not to do it. The risk I pose may be very large, but the probability of occurrence is not too high. What can I do? Transfer, one way is to buy insurance, (transfer) part (risk) to others; And find someone to join the venture and share it with. If the probability of occurrence is quite high (but the loss will not be too great), the most typical problem is the quality problem of the product, and the countermeasures are to strengthen quality control measures and reduce the occurrence of bad frequencies. If I take precautions, the cost may not be worth the benefits.

after you really establish the concept of (risk), your actions become completely different. The performance of two companies in the Fukushima earthquake (middle) in Japan tells you to be risk-conscious. No one is going home tonight. I immediately found out that there is something in the world that is only produced in Fukushima, Japan. Whether it has anything to do with our company or not, the whole world went to find it and bought it at any price. The whole company jumped on it in one night. After all the work is done the next day, go back to sleep now, and everyone will wait to count the money! It's a bit morally bad, but it's absolutely powerful in terms of business sensitivity. The second example is that Shanghai Automobile held an emergency group office meeting at 9: a.m. the day after the Fukushima earthquake. The chairman only asked a question: How long can Shanghai Automobile production last if production in Fukushima area is not resumed? Because many parts of cars are made in Japan. The whole company reported it immediately, six months. The second question is, continue to check whether there are any substitutes in the spare parts world. One by one, it is reported that there are substitutes for everything in the world. Ask again, can it be used? I can't. Because all auto parts must go through a certification process, how long is the certification process? The shortest time is 9 months. The chairman said that from today, the whole company will go all out to solve the certification problem and must solve the certification within six months. For the risk prevention, the company immediately thinks about what will be affected as soon as something happens, and can't delay for a day.

There are still some thoughts on risks. The first is whether risks should be avoided. You have to think clearly that doing business is essentially adventure. Successful entrepreneurs are willing to take risks, and those who are unwilling to take risks cannot succeed. But we will always think clearly that enterprises need to take risks, but they must only take risks that they can bear, and never take risks that they cannot bear. For example, I said I'd take out a coin to play with you, turn heads and you give me five dollars, turn tails and you give me five dollars. It's quite fun. Play. I'll say, turn heads and you give me 5 million, and turn tails and I'll give you 5 million? Do you want to play? At this time, you won't think about how to spend this money at night if I make 5 million today. The first thing that comes to your mind is that in case I lose, where can I get 5 million back to this guy? Can I take the risk? I just did it. How much benefit will it have if it succeeds?

enterprises take risks, and the risks that affect life and death are decisions. People in China often say that people who are suspicious don't need to be suspicious, which is very hypocritical, because in modern business society, people who are suspicious are not responsible for them, and the best thing is that I don't give you any chance to make mistakes. Therefore, I am an independent director in every company, and I only give you eight words for those who do risk control and internal management, which is relatively independent and reasonable to welcome.

We encourage innovation. Is innovation equal to taking risks? Is it true that once innovation and risk control are carried out, it will be poor? The more innovative companies are, the more they use control. In fact, innovation and control are not contradictory. To be truly innovative and effective, we should not throw money around like headless flies. This is not innovation.

if you are faced with the following choices, one is to sacrifice core employees to eliminate major risks, and the other is to protect core employees but may leave major risks, which one do you choose? Which is more important, protecting core employees or eliminating major risks? Eliminate major risks. First of all, plug the risk. No matter who is involved, we will talk about it later. If we are wronged again, the knife must be cut down. Theoretically speaking, risk prevention is the first, and protecting core employees is the second; But the man who really asked you to do it looks so innocent. Now you have to kill him first for a little risk. Can you do it? If you can't do it and get cold feet, do you think this person is guilty? Should it be punished? These are very practical problems in actual risk control. When you encounter these confusing (problems), many people often feel that they can't do it, but they can't do it. If the risk really breaks out, the whole ship is likely to sink. Let's think about it. What will happen to this man who was injured by mistake? Will you resent it? "7" in the movie is really noble. I came back to the police headquarters without complaining, and I want to continue fighting. No one can do it in practical work. What if no one can do it? This brings us to the following question: If these people prove to be really wronged, should they, and can they, be reinstated? The basic rule is that you can't bring him back even if you kill him.

why? Tell you a simple example. An incident happened in Renault a few years ago. One vice president reported and exposed another vice president's confidential business information to competitors and produced evidence. The company's board of directors was furious and fired all the vice presidents and their staff. A year later, it turned out that reporting was a conspiracy to retaliate, and the falsely accused vice president was fired again. The (wronged) vice president asked to return to the company, and Renault (said) how much money was negotiable, and there was no room for discussion (room) when he came back. Why? Not only has the mentality changed, but you have to think clearly. At that time, the company went through a very drastic political change, and the people in that line were transferred out. Now, if it is brought back, the company will not be at peace. He will come back (rectify) the people who used to mess with him, and everyone will stand back. This company can't afford to toss around, so (so) it can't come back. You have to think clearly that individuals are always secondary to the company.

third, control activities. There are many measures to control activities. In a company, all the inventory purchases and everything purchases come in. If no one collects them within ten days, a red light will light up on the general manager's computer. (He) will immediately check who put forward the purchase request. What is the reason for the purchase? What is the reason for approval? Why is it useless to buy it for ten days? Who will bear the capital cost? After this (system) is established, similar mistakes will not be made twice. The company is not afraid of making mistakes, but most afraid of making repetitive low-level mistakes, which the company can't stand.

To establish a control system, some things are very important:

One is to distinguish incompatible posts, that is, to follow a basic principle-it is safer for two people to do one thing than for one person, because two people have a supervision and constraint. Some jobs can't be done by one person, such as accounting and cashier. Let me give you an example. This is the function of enterprise guarantee. There are several management links involved in this link. I have listed 1, 2, 3, 4, 5, 6 and 7, and there are at least seven functions, which must be done by different people. Now, if incompatible jobs are divided, there will still be problems after they are made. Where is the risk? Under what circumstances did incompatible duties separate and finally something happened? Collusion The most feared thing of all control measures is collusion. How to solve the possibility of collusion? This is something that every company has racked its brains for. Some small enterprises and some bosses will have some private secrets. Some bosses say that my unique secret is that when the cashier is not here and the accountant is here today, you should pay attention to it. The cashier has reflected it several times. You often walk out at work, and the accountant hates the cashier when he hears it. (But) when the two of them make it clear and thorough, (the boss) will be miserable, so it's not control, it's Machiavellian. There are also some people who say that my basic principle is that these two people must never be a man and a woman, especially not close in age, not from the same hometown, not (graduated from) the same school, and so on, so that the less you speak the same language, the better. How to solve the problem of collusion is always a puzzle. Key positions must be forced to take a continuous vacation for more than 1 days, and there must be someone to fill the post during the vacation. For example, these people who brought down the British bank in Singapore all have the same characteristics. They work very hard and have not taken a vacation for several years. How can he take a vacation? When he takes a vacation, all of them will be exposed.

the second is to clarify the post responsibility. I have repeatedly stressed that there must be a written post responsibility commitment letter, which should be signed once a year, which brings two major benefits. The first advantage is to re-check every post every year and remind him of his responsibilities. Although it is routine, it is at least a reminder. Second, once something goes to court, it is a legally binding document, that is to say, you promised that you must fulfill this responsibility. If you fail to do so, you must be legally responsible. The post responsibility commitment letter must be signed by you in basically large companies, but the post responsibility commitment letter itself must be certified and rechecked, most afraid that you have not accurately described it.

the third is the operation flow chart, which puts each step on paper, and what you go first and then. For example, supplier selection is a very, very annoying thing in every company. Why? Because many work processes are informal, once informal things are put on paper, endless quarrels will be found. When I met a similar problem, the heads of four departments were put together, and this thing was done. Once the flow chart failed, I had to go to him first, and I used the flow to do it. All four people jumped up and said, How can this be done? Now, if I agree, you three can veto me in minutes. What do I mean? Now I don't even have a chance to see what the three of them disagree with? Once the process is defined, who has the right to do what, because it involves the interests of different departments and involves the re-division of responsibilities, which is a very big trouble.

fourth, information and communication. Now is the information age, so it is extremely crucial to make information play a good role among enterprises. For information control, the key point is to let people get the right information at the right time. This sentence is easier said than done. Now every enterprise has its own information system more or less, but the amount of information is generated every day. What role does it play? Few people in the enterprise make it clear. The authorization of enterprises to contact information is not precise in most enterprises. Because of many invisible things in the information system, as long as someone has the opportunity to patch it, the consequences will be unimaginable. Some patches lose some, and some patches bring great losses.

There is a French-funded supermarket in Shanghai, Auchan Supermarket. There is a young man in charge of the computer system. After the business closes every day, he sends the business data summary statistics to the French headquarters, which doomed him to be behind others after work every day. Sometimes he is hungry. One night when he is hungry, he goes to the supermarket to get bread. I am working at work, and I take a loaf of bread to eat. In case the quantity is wrong with the computer number, I should be responsible. He ate a loaf of bread and put a patch on it. When he was finished, he found it was very simple. When he was hungry, he went to the front to eat bread. One day, a stevedore was his friend. Are you hungry? Would you like some bread? Help yourself. How do you have this ability? I promise you there is no problem. How did it happen? To tell you the truth, I put a patch on the computer and no one can see it. That man is more careful than he is. He can take bread, so can the money! He's wrong. I can't get the money. It's all at the cashier. He said leave it alone, I'll take care of the cashier, you take care of the computer, and this person will buy off the cashier. He recruited more than 2 cashiers and made a patch on the computer. (Later) the French headquarters found that the daily turnover of this branch was not as good as before, and several people could not find it out. Later, a person from France, by chance, picked up the receipt and knew it at a glance.