Вы находитесь на странице: 1из 28
Continuous monitoring and continuous auditing From idea to implementation 持续监控与持续审计 从构想到实施

Continuous monitoring and continuous auditing From idea to implementation

持续监控与持续审计

从构想到实施

Continuous monitoring and continuous auditing From idea to implementation 持续监控与持续审计 从构想到实施
Continuous monitoring and continuous auditing From idea to implementation 持续监控与持续审计 从构想到实施

Continuous Monitoring and Continuous Auditing:

From Idea to Implementation

Most financial and auditing executives are aware of continuous controls monitoring and continuous auditing and of the general benefits of such programs. Yet relatively few enterprises have realized their full potential, particularly at the enterprise-wide level. Deloitte sees the reason for this as twofold: first, executives have not seen a clear, strong business case for establishing either continuous monitoring (CM) or continuous auditing (CA) in their enterprises; second, they lack a clear picture of how CM or CA would be implemented in their organizations.

A quick definition: CM and CA are actually two distinct types of programs. As the name implies, continuous monitoring enables management to continually review business processes for adherence to and deviations from their intended levels of performance and effectiveness. Similarly, continuous auditing enables internal audit to continually gather from processes data that supports auditing activities.

The current environment of rising risks, regulatory activity, and compliance costs makes this the ideal time to consider (or to reconsider) the potential role of CM or CA, or both, in your enterprise. You might also consider what it would take to implement them, what they would look like, how they would operate, and whether to further inves- tigate these modes of monitoring and auditing.

This paper, prepared for internal audit, accounting, financial, and risk management executives, can guide you in these considera- tions. CEOs, COOs, and board members who share those executives' concerns about rising risk, regulation, and costs and the potential impact on their enterprises may also find this paper informative.

Continuous monitoring enables management to continually review business processes for adherence to and deviations from their intended levels of performance and effectiveness. Continuous auditing enables internal audit to continually gather from processes data that supports auditing activities.

Continuous monitoring and continuous auditing From idea to implementation

持续监控与持续审计:

从构想到实施

大部分财务和审计主管人员对于持续监控CM

和持续审计CA及其一般优点都较为了然

已经充分认识到上述计划的所有潜力的企业

其是从企业层面认识却为数极少

德勤认为这主要有两方面原因

第一主管人员尚未发现在所属企业建立持续监

控和持续审计之明确和充分的商业理由

第二主管人员对于在所属企业内部如何实施持

续监控和持续审计缺乏明确的认识

简明定义: 持续监控和持续审计实际上是两种不 同的程序顾名思义,持续监控可使管理层持续 审核业务流程,检视其是否遵循或背离预期的业 绩水平和绩效与此同时持续审计可使内部审 计从支持审计工作的流程数据中持续收集信息

当前环境下企业面对不断提升的风险监管要

与合规成本这正是考虑或重新考虑

续监控或是持续审计抑或二者在贵企业内部可

担当之潜在角色的理想时机您亦可同时考虑实

施上述计划需要哪些准备具体表现形式如何

如何运作以及是否进一步研究此类监控及审

计模式

本文专为主管内部审计会计财务及风险管理

之人士编纂可为您考虑上述问题提供指引

于同样忧虑不断提升的风险监管要求与合规

成本及其对企业之潜在影响的首席执行官首席

运营官和董事会董事本文亦颇具参考价值

, 本文亦颇具参考价值 。 持续监控可使管理层持续审核业务流程 ,

持续监控可使管理层持续审核业务流程,检视其是

否遵循或背离预期的绩效水平和效能。

持续审计可使内部审计从支持审计工作的流程数据

中持续收集信息。

持续监控与持续审计从构想到实施

What Do CM and CA Do?

CM enables management to determine more

quickly and accurately where it should be focusing attention and resources in order to improve processes, implement course corrections,

address risks, or launch initiatives to better enable

the

enterprise to achieve its goals.

CA

enables internal auditors to determine more

quickly and accurately where to focus attention

and resources in order to better allocate audit

resources and improve the quality of its audits

and support of management.

CM is an automated, ongoing process that enables management to:

• Assess the effectiveness of controls and detect associated risk issues

• Improve business processes and activities while adhering to ethical and compliance standards

• Execute more timely quantitative and qualita- tive risk-related decisions

• Increase the cost-effectiveness of controls and monitoring through IT solutions

Continuous monitoring and continuous auditing From idea to implementation

CA is an automated, ongoing process that enables internal audit to:

• Collect from processes, transactions, and accounts data that supports internal and external auditing activities

• Achieve more timely, less costly compli- ance with policies, procedures, and regulations

• Shift from cyclical or episodic reviews with limited focus to continuous, broader, more proactive reviews

• Evolve from a traditional, static annual audit plan to a more dynamic plan based on CA results

• Reduce audit costs while increasing effec- tiveness through IT solutions

The value of CM is that it gives management greater visibility into, and more timely infor- mation on, business processes designed to achieve strategic and operational goals.

The value of CA is that it enables internal audit to move from sampling accounts and transac- tions to coverage of 100 percent of accounts and transactions (when and where desired).

Although CM and CA can be adopted sepa- rately or together, enterprises may achieve the most cost-effective development by imple- menting both; either simultaneously or in planned sequence.

持续监控与持续审计具体内容

持续监控可使管理层更为准确快速地确定应予

重点关注及投入资源的领域以改进流程修订

方针应对风险或启动新计划使得企业更好地实

现其目标

持续审计可使内部审计师更为准确快速地确定应

予重点关注及投入资源的领域以更好地分配审

计资源改进其审计质量及管理层的支持力度

持续监控是一套自动化的长期程序,使管理层能

够:

评估管控活动的效能查知相关风险问题

遵循职业道德与合规准则的同时改进业务

流程及活动

更为适时地执行定量和定性风险相关决策

借助信息技术解决方案提升管控及监控的成

本效益

持续审计是一套自动化的长期程序,使管理层

能够:

从流程交易及账目数据中收集支持内外部

审计工作的信息

实现更为适时成本更少的政策程序和规

章合规遵循

从关注程度有限的周期性审核或临时性审核

转变为持续广泛且更为积极主动的审核

由传统的静态年度审计计划发展为基于持续

审计结果实施的更加动态的计划

借助信息技术解决方案在提升效能的同

减少审计成本

持续监控的价值在于对于为实现战略和运营目

标而设计的业务流程它能够为管理层提升其可

见性使管理层更加及时地获知相关信息

持续审计的价值在于它能够使内部审计工作从

账目和交易抽样转变为涵盖百分之百的账目和交

若有需要的话)。

尽管持续监控和持续审计可分开或同时采用

企业若两项一起实施则可能实现最佳的成本

效益二者并行实施或按计划的顺序依次实施

均可

持续监控与持续审计从构想到实施

CM and CA and Risk Management

CM

and CA can improve the risk management

and

control activities of virtually any large enter-

prise. These activities have risen in importance on the agendas of many senior executives and boards, given the events of the past few years

and continuing challenges in the financial and

business environment.

Those challenges range from heightened global competitive pressures, to more stringent regula- tory regimes, to endless pressure to increase revenue and margin, to exposure to ever more aggressive forms of theft, fraud, and cybercrime.

Executives allocate resources to the initiatives they perceive as yielding the greatest return, in keeping with their organization's mission and priorities.

CM

and CA are best considered in the context of

the

enterprise's overall risk management effort at

the

operational level. Often executives and boards

consider risk management in broad terms, but have trouble bringing it down to the operational level. Yet that is where effective risk management occurs. To bring their thinking about CM and CA

to operational levels, leaders can start by asking

themselves:

• How do we currently monitor controls?

• How well do the enterprise's controls currently function?

• How do we currently allocate internal audit resources?

• How do we determine that this allocation is optimal?

• What costs and unintended risks do our current methods of controls monitoring and auditing create?

Such questions bring current methods of controls monitoring and auditing to light, and allow for a clearer comparison between current methods and

CM and CA.

Deloitte's approach to CM and CA supports,

and is supported by, the principles of the Risk

Intelligent Enterprise™, which embodies Deloitte's philosophy of and approach to risk manage- ment. A risk intelligent approach departs from traditional approaches to risk management in specific ways (see sidebar, The Risk Intelligent Enterprise™).

Risk intelligence provides an integrated risk

management framework in which leaders and employees at all levels can recognize and manage risks in their decision-making and operating activities.

Risk intelligent practices should guide develop-

ment of CM and CA systems and techniques.

For instance, when contemplating CM or CA it's

best to consider the full spectrum of risks across "silos," interactions among risks, and ways to build CM/CA into activities and processes.

Continuous monitoring and continuous auditing From idea to implementation

持续监控、持续审计与风险管理

持续监控与持续审计能够改善几乎任何大型企

业的风险管理和管控活动虑及过去数年发生的

种种事件以及金融和商业环境遭遇的持续挑战

在许多高管和董事会的日程之中此类活动的重

要性大大提升

这些挑战包括从日益加剧的全球竞争压力到更

加严苛的监管制度再到增创收入和利润的无尽

压力以及日益猖獗的失窃舞弊和网络犯罪风

企业高管遵循所在企业的目标使命和优先要务

向他们认为能够产生最大回报的计划分配资源

持续监控和持续审计最好能在企业整体风险管

理工作的大环境下从运营层面上予以思考高管

和董事会常常从广义角度来考虑风险管理但落

实到运营层面之时却遭遇困难而这恰好是有效

风险管理之所在要将他们对持续监控和持续审

计的看法拉回到运营层面企业领导者可以先问

自己如下几个问题

我们目前如何监控企业的管控活动

企业管控活动目前运转如何

我们目前如何分配内部审计资源

我们如何确定该分配是最佳选择

我们对于管控活动的现有监控和审计方法引

发了哪些成本和无意招致的风险

这些问题有助于揭示企业现有的监控和审计方

并且能够将现有方法与持续监控和持续审计

进行明晰对比

德勤采用的持续监控和持续审计方法与风险智能

企业原则之间互为支持而风险智能企业原则

亦体现了德勤的风险管理哲学和方法风险智能

方法与传统的风险管理方法在具体方式上颇为不

详见侧栏风险智能企业”)。

风险智能提供了一套综合性的风险管理框架

层级领导者和员工在进行决策和从事运营活动时

均可依据该框架识别并管理风险

风险智能实践应当指引持续监控和持续审计系统

与技术的开发例如构想持续监控和持续审计

最好通盘考虑各部门之间的所有风险风险之

间的交互作用以及建立持续监控/持续审计活动和

程序的方式

此外当前商业环境下有些因素可能也会促使企业

考虑实施持续监控和持续审计它包括

对速度更快效果更好的决策以及明显改善

且兼具成本效益的风险管理需求上升

要求内部审计为利益相关者提供及时认证的

压力持续上升

监管要求愈加复杂变化增多

大力调整内部审计活动使其符合管理层之

战略业务目标

持续监控与持续审计从构想到实施

In addition, several factors in the prevailing business environment should prompt enterprises to consider implementing CM and CA. These include:

• Heightened demand for faster, better decisions and for improved, but cost-effective risk management

• Rising pressures on internal audit to provide timely assurance to stake holders

• Increasing complexity and change in regula- tory requirements

• Greater efforts to align internal audit activi- ties with management's strategic business goals

To support the work of internal audit, CA provides information that relates to compli- ance with policies, procedures, and regulations, which supports financial reporting activities and goals. CM provides relevant data on processes, transactions, and accounts to management in a timely manner and at low cost, with the aim of monitoring performance and supporting decision making. Both CA and CM usually use IT-enabled tools to monitor processes, transactions, and accounts to enhance the efficiency and effective- ness of internal audit's and management's efforts.

The Risk Intelligent Enterprise

Risk intelligence is Deloitte's philosophy of and approach to risk management, and it consists of practices that:

• Address the full spectrum of risks, including strategic, operational, compli- ance, reporting, security, environmental, and other risks across the enterprise

• Acknowledge the need for specialization by business and function, but also across organizational "silos"

• Consider the interaction of multiple risks rather than focusing on a single risk or event, and consider the potential impacts of multiple threats

• Create common terms and metrics for risk, and a culture in which people account for risk in every activity

• Support risk taking for reward and value creation, rather than pure risk avoidance

Continuous monitoring and continuous auditing From idea to implementation

为支持内部审计工作持续审计能够提供有关政

程序和规章合规的信息从而为财务报告活

动及目标提供支持持续监控能够以较低的成本

及时向管理层提供有关流程交易和帐户方面的

信息其目标在于监控绩效并支持决策的制定

持续审计和持续监控一般都采用信息技术工具

来监控流程交易和账目以增进内部审计与管

理层工作的效率和效能

理层工作的效率和效能 。 风险智能企业 ™

风险智能企业

风险智能是德勤有关风险管理的哲学思考和

解决方法主要包含六大方面的实践

应对企业各个层次的风险包括战略风

运营风险合规性风险报告风险

全性风险环境风险以及企业内部其他风

肯定按业务和部门分类以发挥专长优势

及在组织内部地窖之间建立联系的必

要性

不是单独地去考虑某项风险或一件事情

而应该考虑一系列风险之间的相互作用

并考虑一系列威胁的潜在影响

创立共通的风险条款和度量标准及企业

文化员工可依此阐释各项活动的风险

支持为获取回报和创造价值承担一定风

而非一味规避风险

持续监控与持续审计从构想到实施

How would they operate?

What would CM and CA look like and how would they operate?

In which situations does CM or CA have the most

value?

To help answer those questions, we provide a few case studies in this document, and the following brief examples of CM in action:

Transaction Monitoring

A lender wanted comfort that the pricing of each

loan it extended was in keeping with its under-

writing policies, in order to ensure profitability. Its practice had been to calculate loan price on

a defined set of business and credit rules, but to allow manual override of these rules.

However, when implemented by the lender's agents, that manual override could occur without detection, causing a potential control failure.

The solution was to continually monitor loan prices and to report deviations from the price calculated only on the basis of the business and credit rules. (Any significant deviation is now detected and reported, and exceptions are inves- tigated and resolved.)

Controlling Freight Costs

An operating manager needed to detect unnec- essary freight payments, which were set by the trucking company per the weight of the goods being shipped.

The contract between the enterprise and the trucking company included clauses that guar- anteed a minimum payment if the weight of a delivery fell short of the truck's maximum load. Generally, the minimum cost was set at 0 percent of the cost of a truck's maximum load. Thus, the manager needed to ascertain when

trucks were being loaded at less than 0 percent

of the vehicle's capacity, situations that would

represent inefficiency and excess costs.

The solution was to automatically identify and report trucks that had been loaded at less than 0 percent of capacity on the same route or destina- tion within a given period of time.

Limiting Breaches of Authority

A comptroller wanted to be able to detect limit- of-authority breaches in areas such as purchases, payables, and sales discounts. The enterprise had established systemic preventive controls to support approval levels in some processes, but those controls could be circumvented. For example, if a person authorized to sign for individual purchases of up to €,000 wanted to approve a purchase of €10,000, he could input and approve five purchase orders for €,000 for the same supplier and thus complete the transaction.

The solution was to continually monitor approvals of expenditures or disbursements to the same entity by each individual with spending authority and to compare the individual and total amounts author- ized for a specific entity in a specific period, such as one day or five business days.

in a specific period, such as one day or five business days. 10 Continuous monitoring and

如何运作?

持续监控和持续审计表现形式如何及如何运

何种情况下持续监控和持续审计才能发挥最大

价值

为帮助解决上述问题本文提供若干案例分析并

简要介绍几则运作中的持续监控范例

交易监控

为确保盈利性某贷款机构希望获取保证借出的

每笔贷款都符合其信贷要求

虽然该贷款机构一直按照一套确定的业务和信

贷规定来计算贷款价格但却允许人为凌驾于此

等规则

然而经贷款机构代理方实施之后此类人为越

权可能难以察觉有可能导致管控失败

解决方案持续监控贷款价格并将仅依照业务

和信贷规定计算得出的价格误差进行报告。(

今任何重大偏差都可以被检测出来并得到调查

和解决。)

控制运费

某运营经理需要探查不必要的运费支付而运费

由货运公司根据货物载重量设定

该企业与货运公司签订的合同中包括这样的条 款如果一次运货的重量不足货运公司最大载 重量需支付最低运费一般而言最低成本设

定为卡车最大载重成本的0%因此这位经理

需要确定当卡车载重低于车辆最大载重能力

0%之时是否会出现效率低下成本超支的情

解决方案自动识别并报告特定时期同一路线或

同一目的地载重量仅0%的汽车

限制越权

财务主管希望能够发现采购应付款和销售折 扣等方面的越权行为为了支持部分流程的审批 级别企业建立了系统的预防控制措施但仍可 能受到规避例如有权为最高 ,000 欧元的个 人采购签字的人员要批准一宗 10,000 欧元的采 购可能输入并批准同一家供应商的五张 ,000 欧元的采购定单从而完成交易

解决方案持续监控每个有财务开支权限的个人

向同一家实体的开支或报销的审批情况就个人

和一天或五个工作日等特定时期内对特定实体所

批准的总额进行对比

个人密码保护

首席信息官希望能够保护密码检测用户与同事

等人员共享密码的情况系统安全政策规定

统访问仅限拥有授权用户登陆信息和密码信息

的个人但违反政策的行为时有发生

解决方案检测由未进入工作场所人员以身份

识别卡刷卡记录为准的访问情况在不同计算

机上同时使用相同登陆信息和密码信息的情况

以及系统访问的异常情况自动识别共享登陆信

息和密码的用户

如上述简单的例子所示持续监控或持续审计能

够以目标方式有选择地使用从而使管理层或内

部审计能够开展试行工作积累经验提前实现

收益再增加收益也就是说风险智能企业

不仅能够认识到流程之间和风险之间的相互联

而且还能够考虑可能受持续监控或持续审计

每项变化或措施影响的其他方面企业如何能够

协调持续监控或持续审计措施最大的效益就是

实现自动化控制和审计机制使用的最大化但关

键是在风险管理环境下查看持续监控和持续审

参见侧栏案例分析一)。

Personal Password Protection

A chief information officer wanted to protect passwords and detect situations in which users shared their passwords with co-workers or other parties. System security policies stipulated that system access was limited to individuals with authorized user login and password information, yet breaches had been occurring.

The solution was to automatically identify users sharing login information and passwords by detecting access by parties who had not entered the premises (as recorded by identification card swipes), concurrent use of the same login and password information at different computers, and other anomalies in instances of access.

As these brief examples show, CM or CA can be applied selectively and in targeted ways. This enables management or internal audit to experi- ment, gain experience, and realize early, and then incremental, returns. That said, the Risk Intelligent Enterprise™ will recognize the interconnected- ness of processes and of risks and consider other areas that could be affected by each CM or CA change or initiative. The greatest benefits accrue to enterprises that coordinate CM or CA initia- tives to maximize the use of automated control and audit mechanisms. The key however, is to view CM and CA in a risk management context (see sidebar, Case Study #1).

Case Study #1: Television Broadcaster

CM & Transaction Monitoring/Expense Control

The Situation:

The Shared Services group of a fast-growing global provider of cable

television news and entertainment programming faced skyrocketing travel and entertainment (T&E) transaction volume. Given the company's resource limitations, both that volume and time-consuming manual audits of expense claims potentially increased the risk of error, fraud, and misuse within the T&E reimbursement process. The enterprise needed assistance in scoping, planning, configuring, and implementing its Audit Command Language (ACL) continuous controls monitoring (CCM) tools.

The Solution:

As in many business processes, moving from a manual to an automated

review system involves data analytics. Data analytics assist in auditing

and risk management and in testing controls and control overrides. For

example, data analytics can be used to test a population of transactions, as in this instance T&E claims, so that no overrides occur without proper approval. In this case, Deloitte helped provide a suite of automated, customizable analytics for T&E expense processing, control, and audit.

This

system enables monitoring of T&E transactions and claims with the

aim

of identifying suspicious activity, errors, and exceptions.

The

Shared Services group can now monitor T&E transactions on a

continuous basis. The group also moved from employing a random sample approach to a more focused approach of reviewing claims that display attributes of potentially fraudulent or erroneous expenses. Using nearly real-time CM, analysts can investigate and resolve issues that might otherwise go undetected. In addition to containing costs and minimizing losses, the CCM tool provides additional assurance around compliance

relating to T&E business processes.

案例分析一:某电视广播公司 持续监控与交易监控 / 费用控制 背景信息:

案例分析一:某电视广播公司

持续监控与交易监控/费用控制

背景信息:

某全球性高成长有线电视新闻娱乐节目编排

共享服务组的差旅娱乐交易量急剧上涨

于公司资源有限差旅娱乐交易量和耗时的费

用报销人工审计有可能增加差旅娱乐报销流

程的错误风险舞弊风险和误用风险企业在

审计命令语言ACL持续控制监控CCM

具的界定规划配置和实施方面需要协助

解决方案:

正如在许多业务流程中一样从手动审阅系统

向自动审阅系统的转变均涉及数据分析数据

分析有助于审计和风险管理以及测试控制与

越权控制例如数据分析能够用于测试交易

总量在本案中能够用于测试差旅娱乐报销

从而避免发生擅自越权情况在本案中

德勤协助提供了一套差旅娱乐费用处理的自

动定制化分析系统监控差旅娱乐交易和报销

情况以发现可疑的行为错误和异常情况

目前共享服务组已经能够持续监控差旅娱

乐交易此外共享服务组还摒弃了随机抽样

转为采用针对性更强的方法审核带有可

能存在虚假费用或错误费用特征的报销

过采用接近实时的持续监控分析人员能够对

可能隐藏的问题开展调查并加以解决持续控

制监控工具不仅能够控制成本降低损失

且还能够确保符合差旅娱乐业务流程

持续监控与持续审计从构想到实施 1

Developing the Business Case

Exhibit 1 — Moving CM up the value chain Optimize processes Apply technology to optimize
Exhibit 1 — Moving CM up the value chain
Optimize processes
Apply technology to optimize processes (e.g., financial
operational, compliance, etc.)
Improve
operations
Apply controls automation and monitoring techniques
to achieve operational control objectives
(e.g., merchandise management)
Improve
controls
and reduce
Apply controls monitoring techniques to achieve
regulatory control objectives (e.g., SOX financial
reporting control objectives and risks)
cost
SOX financial reporting control objectives and risks) cost Leverage initial technology investment for compliance to

Leverage initial technology investment for compliance to help improve operations and optimize process

compliance to help improve operations and optimize process Drive process improvement Drive operational improvement

Drive process

improvement

Drive operational

improvement

Drive sustainable

cost-effective

compliance

In many risk management initiatives, costs can appear more certain than benefits. That's because the costs are specific near-term outlays and risks are more indistinct, longer-term, potential events. Thus, the business case for CM or CA can be difficult to make in traditional, ROI-based, monetary terms. But risks are real and that case can be made, particularly for specific activities and processes. For example, auto- mating controls can reduce incidents of duplicate payments, internal fraud, inappropriate warranty claims, unauthorized discounts, and underper- formance by service providers. The monetary losses due to future incidents, after adoption of controls, can be compared with those of past incidents.

In addition, a significant CM or CA initiative can (and arguably should) harmonize, rationalize, and optimize controls. This process can eliminate redundant controls, help institute needed controls, close control gaps, and eliminate needless reports. The savings in reduced loss, audit, administrative, and report generation and review costs can all be calculated.

Perhaps most importantly, CM can enable management to achieve financial and operational control objectives while exploiting new process- improvement opportunities. The enterprise can

in that way use CM to increase the value of its investment (See Exhibit 1).

There are three stages of CM adoption, which accomplish the following:

1.

Initially, the enterprise uses controls moni- toring techniques to achieve regulatory control objectives, such as those related to Sarbanes-Oxley (SOX) financial reporting and risk management objectives. This reduces costs.

.

Then, the enterprise applies controls automa- tion and monitoring techniques to achieve operational control objectives, such as inventory, receivables, payables, credit, or warranty claims management.

.

Finally, the enterprise applies technology to optimize processes, including operational, compliance, financial, risk management, and other processes.

Generally, it makes sense first to improve controls and reduce costs, then to improve operations, then to optimize processes. This movement up the value chain helps to make the business case at each level. It also casts a CM or CA effort as a process improvement, rather than "policing" initia- tive, and helps in defining short-, intermediate-, and long-term goals.

商业论证

图表一: 利用持续监控提高投资价值 应用科技以完善流程 (例如:财务,运营,合规等)。
图表一: 利用持续监控提高投资价值
应用科技以完善流程 (例如:财务,运营,合规等)。
完善流程
应用自动化控制和监控技术,以实现业务的控制目标
改善运营
(例如:商品管理)
应用控制监控技术,以实现监管目标(例如,萨班斯
改进控制
法案的财务报告控制目标和风险)
降低成本
法案的财务报告控制目标和风险) 降低成本 利用现有资讯科技投资 ,

利用现有资讯科技投资以帮助改善运营和优化流程

改善
改善

驱动流程

驱动运营改善

驱动可持续并

具成本效益

的合规性

在许多风险管理措施中由于成本是具体的近期

开支而风险是模糊的长期潜在事件成本的确

定性比效益可能更高因此以基于投资收益的传

统金钱量化术语很难用来进行持续监控或持续

审计的商业论证但风险是真实存在的商业论

证是可行的对于具体的活动和流程尤为如此

例如控制自动化能够减少重复付款内部舞弊

不当保修索赔未经授权给予折扣以及未完全满

足服务条款的服务提供商等事件采用控制后

因未来事件造成的金钱损失与因历史事件造成的

金钱损失形成鲜明对比

此外重大持续监控或持续审计措施能够而且

应该实现控制的协调化合理化和优化从而

消除冗余的控制帮助建立必要的控制减少控

制漏洞消除不必要的报告减少的损失审计成

管理成本报告制作成本和审阅成本等都全

部能够量化计算

最重要的可能在于持续监控能够使管理层实 现财务与运营控制目标同时深入挖掘改善流程 的新机会这样企业就能够利用持续监控提高 投资价值 (见图表一).

采用持续监控分为下列三个阶段

1.

首先企业利用控制监控技术实现监管控制

目标如与萨班斯法案财务报告与风险管理

目标相关的监管控制目标从而降低成本

.

其次企业采用控制自动化与监控技术实现

运营控制目标如库存应收账款应付账

信贷和保修索赔管理

.

最后企业采用技术优化运营合规财务

风险管理等流程

通常先改善控制并降低成本再改善运营

优化流程是可行的价值链的这种改善有助于

在各个层面进行商业论证而且还将持续监控或

持续审计工作视为流程改善而非政策制定

有助于明确短期中期和长期目标

Barriers to CM and CA Adoption

Despite the potential benefits of CM and CA, barriers to adoption exist in many enterprises. Common ones include misunderstanding CM and CA and implementation issues, particu- larly the IT dimensions. The latter can include confusion regarding the efficacy of Enterprise Resource Planning (ERP) and Governance, Risk Management and Compliance (GRC) systems, and the fit of CM or CA with such systems. Other obstacles arise in the form of internal competition for resources and funds. Often, until a risk event occurs or internal audit buckles under its workload, CM and CA can appear as “nice but not necessary.”

Barriers also arise in the following areas:

Perceived impact on the enterprise: CM or CA impact internal audit and other areas of the enterprise. In particular, the impact on internal audit — on its costs, head count, audit plans, workload, quality of audits, and stakeholder satisfaction — should be consid- ered. So should the impact on the IT function and business units, and on operating, decision-making, and risk-management processes.

Priority of implementation: Implementation is best planned in the context of an overall risk management framework. A method of prioritizing controls and audit activities for automation should be developed based on factors such as risk rankings, importance of audit evidence, return on investment, and ease of implementation.

Internal audit's readiness to develop and adopt CA: Various audit functions vary in their readiness for CA, depending on

the enterprise's lifecycle, audit focus (rota-

tional or risk based), and use of automation (automated work papers versus real-time

monitoring). Generally, the more progressive

the internal audit function, the more readily

it may adopt CA.

IT and software considerations: Enterprises vary in their experience and success with IT-based ERP or GRC systems. These two factors — experience and success — as well

as the brands, configurations, and functions in which they have been deployed will affect

CM and CA decisions and initiatives.

Realistic expectations: CM and CA deliver clear benefits as detailed toward the end of this paper, but they are not achieved

overnight. A large organization with complex systems and myriad activities and transac- tions needs time and commitment to realize

the benefits. Again, however, it is possible

to implement CM or CA in a limited area to gain experience and to realize substantial benefits.

In addition, it is useful to distinguish between the process side and the technology side of CM and CA, and to consider various perspectives from these angles.

采用持续监控和持续审计的障碍

尽管持续监控和持续审计具有各种潜在效益

许多企业都存在采用持续监控和持续审计的各

种障碍常见的障碍包括对持续监控和持续审计

的种种误解以及如何实施等问题尤其在于信

息技术维度上后者可能包括混淆企业资源规

ERP和治理风险管理与合规GRC系统

的功能问题并误认为持续监控或持续审计与该系

统之间的匹配关系此外其他障碍表现在对资

源和资金的内部竞争上通常除非发生风险事

件或内部审计因工作量巨大而崩溃持续监控和

持续审计往往被视作虽然不错但并非必要”。

此外下列方面也存在障碍

对企业影响的认知:持续监控或持续审计对

企业的内部审计等方面具有影响尤其

考虑对内部审计的影响即对成本员工人

审计计划工作量审计质量和利益相关

方满意度的影响还应考虑对信息技术部门

和业务部门的影响以及对运营决策和风

险管理流程的影响

实施的优先性:在总体风险管理框架下

划实施工作的优先性根据风险排序审计

证据的重要性投资回报和实施难易情况等

因素制定优化控制和审计活动并实现自动

化的方法

内部审计对开发和采用持续审计的准备情

况:不同审计部门对采用持续审计的准备情

况有所不同这取决于企业的生命周期

计重点轮流制还是以风险为基础以及自

动化自动化工作底稿对应实时监控的使

用情况通常内部审计部门越积极其采用

持续审计的准备就越充分

信息技术和软件考虑:企业实施信息化

ERPGRC系统的经验和成功各有不同

验与成功两大要素以及品牌配置与运用部

门都将影响持续监控和持续审计的决策和

举措

现实期望:如本文结束处所列明实施持续

监控和持续审计大有裨益但这些裨益并非

一蹴而就大型机构系统复杂活动和交易

多元发展需要投入时间和承诺才能从中受

但是可以在限定领域实施持续监控或

持续审计以获取经验并从中切实受益

此外区分持续监控和持续审计的流程面和技

术面以及从这些角度考虑多种观点也很有用

术面以及从这些角度考虑多种观点也很有用 。 持续监控与持续审计 从构想到实施 1

Varying Perspectives and IT Considerations

Deloitte has found a wide range of perspectives on CM and CA in enterprises. Some internal audit functions view the matter from the process perspective. They focus on activities and transac- tions that might be subject to CA and on how to replace current audit data gathering mechanisms with continuous ones or on how disbursement limits or Segregation of Duties (SOD) might be automated. Others view the matter from the technology perspective and focus on how ERP, GRC, and third-party systems might enable CA or CM and the potential roles of the various vendors and systems.

Other considerations center on operationalizing

CM or CA a perspective we have found that

most enterprises fail to consider adequately.

For instance, issues in operationalizing include

whether you take a bottom-up or top-down

approach. A bottom-up approach starts with

the tools and technologies you have and works

toward developing them into a platform. A top- down approach starts with the platform and more or less promulgates it throughout internal

audit or another area initially and then, perhaps, other areas of the enterprise or even throughout

the enterprise.

IT capabilities are a major consideration. Can the available technology enable desired controls, warnings, and exception reports? Are the desired CM or CA mechanisms compatible with existing or contemplated ERP systems? Can the mechanisms be implemented within ERP or GRC capabilities? Or must they be added on or programmed into these systems?

Most enterprises with ERP systems view them as integral to their processes and, in turn, view their GRC systems as integral to their ERP systems. This is a logical outgrowth of ERP systems providers acquiring risk management and compliance systems and offering them as part of a "total solution." The point is that these systems must be considered in any CM or CA design or implemen- tation effort (see sidebar, Case Study #)

Case Study #2: Global Durable Goods Manufacturer

CM & ERP Assessment

The Situation:

As part of its enterprise transformation initiative, a global manufacturer of durable goods planned a worldwide rollout of the next generation of its ERP system. This initiative aimed to commonize core finance and purchasing processes across global operating regions. This multi-year project to enable worldwide business processes required that security controls be reviewed and documented during the implementation lifecycle to minimize the potential for (and instances of) post-launch remediation.

The Solution:

The

enterprise required a methodology for assessing pre-implementation

ERP

security and internal controls. Deloitte's methodology focused on

internal controls in four key areas: business process controls, application security, data and interface controls, and general computer controls. This approach has been built into a repeatable, proven process for designing, building, testing, and deploying internal controls.

A controls assessment identified, documented, and assessed ERP internal control and security recommendations. This enabled the enterprise to evaluate their ERP control structure through successive phases and to drive management's control requirements into the program. The enter- prise realized efficiencies as each regional launch progressed. Pre-imple- mentation assessments established the controls baseline, supported future test plans, and provided the controls that were designed into the processes.

This pre-implementation review of security and business process controls

consisted of three phases: Phase 1: Plan, define and design; Phase :

Construct, test, and deploy; Phase : Execute deliver, and help provide

ERP

support. This initiative also called for audit-related assessments of

the

enterprise's segregation of duties tools and warranty claims manage-

ment program.

不同观点和信息技术考量

德勤发现企业对持续监控和持续审计持有多种

观点部分内部审计部门从流程角度看待问题

重点关注对持续审计产生影响的活动和交易以

及如何用持续机制取代现有的审计数据采集机

制或者支付限额或职责分离SOD如何被自动

化处理其他则从技术角度看待问题重点关注

ERPGRC或第三方系统可能促成持续监控或持

续审计以及不同供应商和系统的潜在作用

其他考虑则集中在持续监控或持续审计的操作

问题上我们发现多数企业未对这一角度进行

充分考虑例如操作问题包括采用自下而上还

是自上而下的方法自下而上的方法是从现有的

工具和技术出发目标是将其发展为工作平台

自上而下的方法是从平台出发最初先在内部审

计或其他领域进行尝试然后可能在企业的其他

领域甚或是整个企业范围内施行

信息技术能力是一个主要考虑因素现有技术能

否实现所需控制警示和异常报告所需的持续

监控或持续审计机制是否与现有或预期的ERP

统兼容机制能否在ERPGRC中实施或是否必

须附加在或编入这些系统中

实施ERP系统的多数企业将其视为企业流程不可

或缺的组成部分进而GRC系统视为其ERP

统不可或缺的组成部分这是ERP系统供应商采

购风险管理和合规系统并将其作为整体解决方

组成部分进行出售的合理产物问题是这些

系统必须纳入持续监控或持续审计的设计或实

施工作中。(参阅侧边栏案例分析二

案例分析二:某全球性耐用品制造公司

持续监控与企业资源规划评估

背景信息:

作为企业转型计划的一部分某全球性耐用品

制造公司计划在全球范围实施下一代企业资

源规划系统实现全球各运营地区核心财务和

采购流程的一致性”。该项目持续多年使全

球业务流程要求在实施过程中审核并记录安

全控制情况以降低启动后进行补救工作的可

能性和情况)。

解决方案:

企业需要掌握实施前企业资源规划安全与内

部控制的方法德勤的方法针对内部控制的四

个主要方面业务流程控制应用安全数据

与界面控制和一般计算机控制并且已经嵌入

可重复经实践证明的内部控制设计构建

试与部署流程

控制评估工作识别记录并评估企业资源规

划内部控制和安全建议使企业能够通过持

续的阶段对其企业资源规划控制结构进行评

促使管理层的控制要求能够融入计划中

随着各地区启动工作的不断推进企业认识

到了效率问题实施前评估工作建立了控制基

为未来测试计划提供了支持并实现了为

各流程所设计的控制

安全和业务流程实施前审核包括三个阶段

即第一阶段规划界定和设计第二阶段

建设测试和部署第三阶段执行交付

助提供企业资源规划支持这项计划需要到

企业职责划分工具和保修索赔管理项目的审

计评估

The CM/CA Roadmap

Although there is no universal, sure-fire recipe for implementing CM or CA, there is a general template

4.

Build and Implement the CM or CA System

that

a management team or internal audit function

Once the resources are approved and in place, implementation is next. For successful

can

use:

implementation:

1. Develop the Business Case

Whether you are a CFO considering enterprise-wide

CM or a chief audit executive proposing a CA initia-

tive, you need to develop a strong business case. This entails:

• Connecting the initiative to the drivers of value, and the risks, in the business

• Identifying benefits and costs, and quantifying them when possible

• Placing CM or CA in the context of the overall GRC effort and clarifying their roles

2. Develop a Strategy for Adoption

A strategy for adoption identifies potential CM and

CA initiatives and prioritizes them according to risks,

benefits, costs, and ROI. This means:

• Targeting efforts based upon risk exposure, appetite, and tolerances, enterprise-wide and locally

• Identifying which areas are appropriate to pursue based on projected benefits, costs, and ROI

• Identifying how to set thresholds and monitor risks, as well as useful intervals and notification mechanisms (e.g., real-time notification versus daily check-in)

• Considering required resources and how current resources and priorities may help or hinder adoption

3. Plan the Design and Implementation

Planning a CM or CA initiative should be an iterative process, which involves:

• Determining the scope of the objectives

• Establishing roles and responsibilities

• Designing the CM or CA process and mechanisms

• Allocating resources and creating a timeline and project plan

• Setting reasonable expectations for performance

• Aligning people, processes, and IT resources

0

Continuous monitoring and continuous auditing From idea to implementation

• Begin with relatively straightforward, low-cost, high- return projects

• Involve IT, business units, and other key stake- holders early on

• Create a sense of shared ownership of the project and the results

• Test the CM or CA system, particularly for its impact on the IT system, before actual launch and adoption

• Follow the plan, but make course corrections as needed

• Establish workable, practical (rather than ideal) CM or CA procedures

5. Monitor Performance and Progress, and Refine as Needed

Migrate the CM or CA effort into the control or audit process as soon as possible after it demon- strates its viability and value. To ensure this happens:

• Report the results of the effort to management and all other stakeholders

• Demonstrate the value added in monetary terms when possible (e.g., costs reduced, risks mitigated, or time saved)

• Verify by manual means that the early readings and results are accurate

• Adjust monitoring or notification mechanisms as needed, given their performance and the quality of the human interface

Pilot projects geared to testing the waters, gaining experience, or achieving early wins can be quite useful. With an early success or two, management or internal audit can revisit its priorities and make adjustments or move directly to the next priority. Also, given the potential savings and lower risks, many CM and CA initiatives can be structured as self-funding. Finally, be sure to obtain any necessary external expertise and guidance at each stage.

持续监控/持续审计路线图

尽管实施持续监控或持续审计并没有放之四海

皆准的方法但下面的通用模板可以供管理团队

或内部审计部门使用

1. 进行商业论证

无论您是考虑企业范围持续监控的首席财务官

还是拟定持续审计计划的首席审计官均需要

进行充分的商业论证特点如下

将计划与价值驱动因素与业务风险挂钩

识别收益和成本如果可能要进行量化

将持续监控或持续审计置于整个GRC工作

环境中并明确各自作用

2. 制定采用战略

采用战略确定潜在的持续监控和持续审计计划

并根据风险收益成本和投资利润确定优先顺

这意味着

根据风险敞口偏好和承受能力定位企业范

围和具体部门的工作

根据预期收益成本和投资收益确定哪些

领域适于投资

确定如何设定界限并监测风险以及有效区

间和通知机制实时通知还是每日核

考虑所需资源以及现有资源和工作重点如

何有助于或阻碍计划的采用

3. 规划、设计和实施

规划持续监控或持续审计计划是一个反复过

涉及

确定目标范围

明确职责

设计持续监控或持续审计流程和机制

分配资源以及编制时间表和项目计划

对项目成果设定合理预期

协调人力流程和信息技术资源

4. 建立和实施持续监控或持续审计系统

一旦资源获得审批并到位下一步就应开展实

成功实施应

从相对简单低成本高回报的项目开始

尽早使信息技术业务部门和其他主要利益

相关方参与其中

创造共享项目和成果所有权的意识氛围

在实际发布和采纳之前测试持续监控或持

续审计系统尤其是其对信息技术系统的影

按照计划进行但必要时可对进程予以修

制定切实可行而非理想化的持续监控或

持续审计流程

5. 监测项目效果和进展,根据需要进行完善

在持续监控或持续审计展示出可行性和价值后

应尽快将其纳入控制或审计流程为了确保实现

这一目标应当

向管理层和所有其他利益相关方报告持续

监控或持续审计成果

展示创造的价值如果可能以金钱的形式

降低的成本缓释的风险或节省的时

人工验证早期读数和结果准确无误

考虑到机制的效果以及人性化界面的质量

根据需要调整监测或通知机制

试点项目可能相当有用投石问路积累经验或

实现早赢在早期的一两次成功后管理层或内

部审计可以重新审视工作重点并进行适当调整

或直接开展下一项工作重点此外考虑到可能

的节省和降低的风险很多持续监控和持续审

计计划可以自筹资金最后确保在每个阶段取

得任何必要的外部专长和指导

持续监控与持续审计从构想到实施 1

Value and Benefits of CM and CA

Broadly, CM and CA add value by means of improved compliance, risk management, and ability to achieve business goals. They can be instrumental in locating revenue leakage, for instance, due to customers taking unauthorized

discounts, and in locating unnecessary costs, as in audits of service levels from third-party vendors. More broadly, CM and CA bring new levels of systematization and automation to monitoring controls, marshalling evidentiary audit data, and overseeing the enterprise. In that sense, CM

and CA represent a natural progression in the

evolution of the control environment and auditing efforts.

CM and CA give managers and auditors greater

visibility into processes, activities, and transac- tions. The resulting visibility also generates greater transparency for directors, investors, and other stakeholders. In addition, CM and CA can each generate other specific benefits for the enterprise (see sidebar, Benefits of CM and CA).

Neither CM nor CA should be viewed as a short- term project, but rather as a commitment to a new, more systematic approach. The value and benefits are real, as are the barriers to implemen- tation. The former can be realized and the latter managed, provided CM and CA are viewed in the context of risk management and implemented with a practical roadmap as your guide.

Benefits of CM and CA Continuous monitoring can enable an enterprise to:

• Increase value through improved financial and operating controls

• Accelerate reporting to support more rapid decision making and business improvement

• Detect exceptions in real time to enable real-time responses

• Reduce and ultimately minimize ongoing compliance costs

• Replace manual preventative controls with automated detective controls

• Establish a more automated, risk-based control environment with lower labor costs

• Heighten competitive advantage and increase value to stakeholders

Continuous auditing can enable an enterprise to:

• Improve risk and control assurance, usually in the same or less time than previous approaches •Reduce costs, including internal audit costs and costs associated with unaddressed control deficiencies

• Increase the level of risk mitigation for business risks

• Achieve a more robust, more effective auditing process

• Expand internal audit coverage with minimal (or no) incremental cost

• Shorten audit cycles

• Identify control issues in real time

Continuous monitoring and continuous auditing From idea to implementation

持续监控和持续审计的价值和裨益

概括而言持续监控和持续审计通过改进合规

风险管理以及提高实现业务目标的能力来创造

价值持续监控和持续审计可以在查找收入流失

例如由于客户享受未授权的折扣以及确定

不必要的成本如审计第三方供应商的服务水

方面发挥重要作用更广泛而言持续监控

和持续审计实现了监测控制收集证据审计数据

以及监督企业系统化和自动化的新水平从这个

意义上讲持续监控和持续审计代表了控制环境

和审计工作发展的自然进程

持续监控和持续审计为管理人员和审计人员提

供了流程活动和交易更高的可视度由此产生

的可视度也为董事投资者和其他利益相关者创

造了更高的透明度此外持续监控和持续审计

各自可以为企业创造其他具体利益参见侧边栏

中持续监控和持续审计的裨益)。

无论是持续监控还是持续审计均不应视为短期

项目而是作为致力于实施更系统化的新方法

价值和利益是实实在在的而实施障碍也是如

如果将持续监控和持续审计纳入风险管理

中进行考虑并根据实用方案的指引开展实施

可以实现前者并有效管理后者

持续监控和持续审计的裨益

持续监控可以使企业

通过改进的财务和运营控制提升价值

加快报告以支持更快速的决策制定和业务改进

实时检测异常进行实时响应

降低持续合规成本并最终将其减到最小

用自动检测控制取代人工预防控制

建立一个更加自动化基于风险以及较低劳动力成本的控制环境

提升竞争优势为利益相关方创造更多价值

持续审计可以使企业:

和以前的方法相比通常在相同或更少的时间内提高风险和控制保

降低成本包括内部审计费用和未解决之控制缺陷的相关费用

提高业务风险的缓释水平

实现更强大更有效的审计程序

在增加最少成本或不增加成本的前提下扩大内部审计范围

缩短审计周期

实时识别控制问题

持续监控与持续审计从构想到实施

Consider Continuousness

This document has highlighted the key consid- erations for a management team or an internal audit function considering continuous monitoring or continuous auditing. It has flagged the key issues and barriers, set the matter in the context of a risk management framework, and flagged potential IT concerns.

As with every initiative, decisions about CM or CA hinge on the business case. Deloitte believes that, although the business case warrants careful development, it will often be strong for CM and CA initiatives. This is particularly so in light of rising compliance, financial, operational, and other risks, and increasing demands on internal audit and risk management resources.

Contacts

To learn more about how Deloitte professionals can help you and your organization, please contact:

Scott Raso

Asia Pacific and China Deloitte Analytics Leader Enterprise Risk Services Direct: + 10 0 011 Fax: + 10 0 scraso@deloitte.com.cn

Adrian Lee

Partner Enterprise Risk Services Direct: + 10 0 Fax: + 10 0 adrianlee@deloitte.com.cn

Tonny Xue

Partner Enterprise Risk Services Direct: + 10 0 1 Fax: + 10 0 tonxue@deloitte.com.cn

10 0 1 Fax: +  10 0  tonxue@deloitte.com.cn  Continuous monitoring and continuous auditing

Continuous monitoring and continuous auditing From idea to implementation

考虑持续性

本文强调了管理团队或内部审计部门在考虑持

续监控或持续审计时应考虑的关键事项文中

标示了关键问题和障碍提出了风险管理框架环

境下的问题同时标示了对信息技术方面的潜在

关注

联络人

如同每项举措一样有关持续监控或持续审计的

决策也取决于商业论证德勤认为虽然商业论

证能够为慎重制定计划和决策提供保证但针对

持续监控和持续审计举措的商业论证往往非常

充分尤其是在合规财务运营和其他风险日益

增加并且对内部审计和风险管理资源的需求每日

愈增的环境下更是如此

若想更多了解德勤专业人士如何为阁下以及贵公司提供帮助敬请联络

斯高达 亚太和中国德勤分析领导人 企业风险管理服务 直线+ 10 0 011 传真+ 10 0 scraso@deloitte.com.cn

011 传真 : +  10 0  scraso@deloitte.com.cn 李嘉渊 合伙人 企业风险管理服务 直线 : +

李嘉渊 合伙人 企业风险管理服务 直线+ 10 0 传真+ 10 0 adrianlee@deloitte.com.cn

薛梓源 合伙人 企业风险管理服务 直线+ 10 0 1 传真+ 10 0 tonxue@deloitte.com.cn

持续监控与持续审计从构想到实施

Beijing

Deloitte Touche Tohmatsu CPA Ltd. Beijing Branch

/F Deloitte Tower

The Towers, Oriental Plaza 1 East Chang An Avenue Beijing 100, PRC Tel: + 10 0 Fax: + 10 1 11

Chongqing Deloitte & Touche Financial Advisory Services (China) Limited Room 10-1 1/F International Trade Center Chongqing Qing Nian Road Yu Zhong District Chongqing 00010, PRC Tel: + 10 0 Fax: + 10 10

Dalian Deloitte Touche Tohmatsu CPA Ltd. Dalian Branch Room 10 Senmao Building 1 Zhongshan Road Dalian 11011, PRC Tel: + 11 1 Fax: + 11 0

Guangzhou Deloitte Touche Tohmatsu CPA Ltd. Guangzhou Branch /F Teemtower 0 Tianhe Road Guangzhou 100, PRC Tel: + 0 Fax: + 0 011 /011

Hangzhou Deloitte Business Advisory Services (Hangzhou) Company Limited Room 0, Partition A EAC Corporate Office 1 Jiaogong Road Hangzhou 1001, PRC Tel: + 1 11 100 Fax: + 1 11 10

Hong Kong SAR Deloitte Touche Tohmatsu /F One Pacific Place Queensway Hong Kong Tel: + 100 Fax: + 1 111

Macau SAR Deloitte Touche Tohmatsu 1/F The Macau Square Apartment H-N -A Av. do Infante D. Henrique Macau Tel: + 1 Fax: + 1 0

Nanjing Deloitte Touche Tohmatsu CPA Ltd. Nanjing Branch Room B, 11/F Golden Eagle Plaza Hanzhong Road Nanjing 100, PRC Tel: + 0 0 Fax: + 1

Shanghai Deloitte Touche Tohmatsu CPA Ltd. 0/F Bund Center Yan An Road East Shanghai 0000, PRC Tel: + 1 11 Fax: + 1 000

Shenzhen Deloitte Touche Tohmatsu CPA Ltd. Shenzhen Branch 1/F China Resources Building 001 Shennan Road East Shenzhen 1010, PRC Tel: + Fax: + 1

Continuous monitoring and continuous auditing From idea to implementation

Suzhou Deloitte Business Advisory Services (Shanghai) Limited Suzhou Branch Suite 0, Century Financial Tower 1 Suhua Road, Industrial Park Suzhou 101, PRC Tel: + 1 1 Fax: + 1

Tianjin Deloitte Touche Tohmatsu CPA Ltd. Tianjin Branch 0/F The Exchange North Tower 1 Nanjing Road Heping District Tianjin 0001, PRC Tel: + 0 Fax: + 0 Wuhan Deloitte & Touche Financial Advisory Services Limited Wuhan Liaison Office Unit , /F New World International Trade Tower Jianshe Avenue Wuhan 00, PRC Tel: + 1 Fax: + 0

Xiamen Deloitte & Touche Financial Advisory Services Limited Xiamen Liaison Office Unit E, /F International Plaza Lujiang Road, Siming District Xiamen 1001, PRC Tel: + 10 Fax: + 10

北京 德勤华永会计师事务所有限公司 北京分所

香港特别行政区 德勤关黄陈方会计师行 香港金钟道

苏州 德勤商务咨询上海有限公司 苏州分公司

中国北京市东长安街1

太古广场一座

中国苏州市工业园区工苏华路1

东方广场东方京贸城德勤大楼

电话+ 100

世纪金融大厦0

邮政编码100

传真+ 1 111

邮政编码101

电话+ 10 0 传真+ 10 1 11

澳门特别行政区

澳门广场1H-N

电话+ 1

电话+ 1 1 传真+ 1

重庆 德勤咨询重庆有限公司 中国重庆市渝中区青年路

德勤关黄陈方会计师行 澳门殷皇子大马路-A

天津 德勤华永会计师事务所有限公司 天津分所

重庆国贸中心110-1单元

传真+ 1 0

中国天津市和平区南京路1

邮政编码00010

津广场写字楼0

电话+ 10 0

南京

金鹰国际商城11B

邮政编码0001

传真+ 10 10

德勤华永会计师事务所有限公司 南京分所

电话+ 0 传真+ 0

大连 德勤华永会计师事务所有限公司

中国南京市汉中路

武汉

大连分所

邮政编码100

德勤咨询上海有限公司

中国大连市中山路1

电话+ 0 0

武汉办事处

森茂大厦10

传真+ 1

中国武汉市建设大道

邮政编码11011

新世界国贸大厦0

电话+ 11 1

上海

邮政编码00

传真+ 11 0

德勤华永会计师事务所有限公司 中国上海市延安东路

电话+ 1 传真+ 0

广州

中国广州市天河路0

外滩中心0

德勤华永会计师事务所有限公司

邮政编码0000

厦门

广州分所

电话+ 1 11 传真+ 1 000

德勤咨询上海有限公司 厦门办事处

粤海天河城大厦

中国厦门市思明区鹭江路

邮政编码100

深圳

中国深圳市深南东路001

国际银行大厦E单元

电话+ 0

德勤华永会计师事务所有限公司

邮政编码1001

传真+ 0 011 / 011

深圳分所

电话+ 10 传真+ 10

杭州

华润大厦1

德勤商务咨询杭州有限公司

邮政编码1010

中国杭州市教工路1

电话+

欧美中心企业国际A0

传真+ 1

邮政编码1001

电话+ 1 11 100 传真+ 1 11 10

持续监控与持续审计从构想到实施

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/cn/en/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 10 countries, Deloitte brings world-class capabilities and deep local expertise to help clients succeed wherever they operate. Deloitte's approximately 10,000 professionals are committed to becoming the standard of excellence.

In China, services are provided by Deloitte Touche Tohmatsu and Deloitte Touche Tohmatsu CPA Limited and their subsidiaries and affiliates. Deloitte Touche Tohmatsu and Deloitte Touche Tohmatsu CPA Limited are, together, a member firm of Deloitte Touche Tohmatsu Limited.

Deloitte China is one of the leading professional services providers in the Chinese Mainland, Hong Kong SAR and Macau SAR. We have over ,000 people in 1 offices in Beijing, Chongqing, Dalian, Guangzhou, Hangzhou, Hong Kong, Macau, Nanjing, Shanghai, Shenzhen, Suzhou, Tianjin, Wuhan and Xiamen.

As early as 11, we opened an office in Shanghai. Backed by our global network, we deliver a full range of audit, tax, consulting and financial advisory services to national, multinational and growth enterprise clients in China.

We have considerable experience in China and have been a significant contributor to the development of China's accounting standards, taxation system and local professional accountants. We also provide services to around one-third of all companies listed on the Stock Exchange of Hong Kong.

This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, Deloitte Global Services Limited, Deloitte Global Services Holdings Limited, the Deloitte Touche Tohmatsu Verein, any of their member firms, or any of the foregoing's affiliates (collec- tively the "Deloitte Network") are, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your finances or your business. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.

Deloitte (“德勤”)泛指德勤有限公司一家根据英国法律组成的私人担保有限公司以下称德勤有限公司) 以及其一家或 多家成员所每一个成员所均为具有独立法律地位的法律实体请参阅 www.deloitte.com/cn/about 中有关德勤有限公司及其成员所 法律结构的详细描述

德勤为各行各业的上市及非上市客户提供审计税务企业管理咨询及财务咨询服务德勤成员所网络遍及全球逾10个国家凭借

其世界一流的专业服务能力及对本地市场渊博的知识协助客户在全球各地取得商业成功德勤约10,000 名专业人士致力于追求卓 越树立典范

在中国我们通过德勤关黄陈方会计师行和德勤华永会计师事务所有限公司以及其下属机构和关联机构提供服务德勤关黄陈

方会计师行及德勤华永会计师事务所有限公司共同为德勤有限公司的成员所

德勤中国是中国大陆及港澳地区居领导地位的专业服务机构之一共拥有逾,000名员工分布于包括北京重庆大连广州

香港澳门南京上海深圳苏州天津武汉和厦门在内的1个城市

早在11我们于上海成立了办事处我们以全球网络为支持为国内企业跨国公司以及高成长的企业提供全面的审计

企业管理咨询和财务咨询服务

我们在中国拥有丰富的经验并一直为中国会计准则税制以及本土专业会计师的发展作出重大的贡献在香港我们更为大约三

分之一在香港联合交易所上市的公司提供服务

本文件中所含数据乃一般性信息故此并不构成德勤有限公司德勤全球服务有限公司德勤全球服务控股有限公司德勤全球 社团组织其任何成员所或上述其关联机构(统称为 "德勤网络")提供任何会计商业财务投资法律税务或其它专业建议或服 务本文件不能代替此等专业建议或服务读者亦不应依赖本文件中的信息作为可能影响自身财务或业务决策的基础在做出任何 可能影响自身财务或业务的决策或采取任何相关行动前请咨询合资格的专业顾问任何德勤网络内的机构不对任何方因使用本文 件而导致的任何损失承担责任

©011 Deloitte Touche Tohmatsu CPA Ltd

©2011 德勤华永会计师事务所有限公司

BJ-011BIL-0

CPA Ltd © 2011 德勤华永会计师事务所有限公司 BJ-011BIL-0 This is printed on environmentally friendly paper

This is printed on environmentally friendly paper