
Analytics - Continuous monitoring and continuous auditing: From idea to implementation

Nov 28, 2014


Most financial and auditing executives are aware of continuous controls monitoring and continuous auditing and of the general benefits of such programs. Yet relatively few enterprises have realized their full potential, particularly at the enterprise-wide level. Learn how Deloitte Analytics is making client executive teams listen to the future. Report from China.

Continuous Monitoring and Continuous Auditing: From Idea to Implementation


Most financial and auditing executives are aware of continuous controls monitoring and continuous auditing and of the general benefits of such programs. Yet relatively few enterprises have realized their full potential, particularly at the enterprise-wide level. Deloitte sees the reason for this as twofold: first, executives have not seen a clear, strong business case for establishing either continuous monitoring (CM) or continuous auditing (CA) in their enterprises; second, they lack a clear picture of how CM or CA would be implemented in their organizations.

A quick definition: CM and CA are actually two distinct types of programs. As the name implies, continuous monitoring enables management to continually review business processes for adherence to and deviations from their intended levels of performance and effectiveness. Similarly, continuous auditing enables internal audit to continually gather from processes data that supports auditing activities.

The current environment of rising risks, regulatory activity, and compliance costs makes this the ideal time to consider (or to reconsider) the potential role of CM or CA, or both, in your enterprise. You might also consider what it would take to implement them, what they would look like, how they would operate, and whether to further investigate these modes of monitoring and auditing.

This paper, prepared for internal audit, accounting, financial, and risk management executives, can guide you in these considerations. CEOs, COOs, and board members who share those executives' concerns about rising risk, regulation, and costs — and the potential impact on their enterprises — may also find this paper informative.


What Do CM and CA Do?

CM enables management to determine more quickly and accurately where it should be focusing attention and resources in order to improve processes, implement course corrections, address risks, or launch initiatives to better enable the enterprise to achieve its goals.

CA enables internal auditors to determine more quickly and accurately where to focus attention and resources in order to better allocate audit resources and improve the quality of its audits and support of management.

CM is an automated, ongoing process that enables management to:

• Assess the effectiveness of controls and detect associated risk issues

• Improve business processes and activities while adhering to ethical and compliance standards

• Execute more timely quantitative and qualitative risk-related decisions

• Increase the cost-effectiveness of controls and monitoring through IT solutions

CA is an automated, ongoing process that enables internal audit to:

• Collect from processes, transactions, and accounts data that supports internal and external auditing activities

• Achieve more timely, less costly compliance with policies, procedures, and regulations

• Shift from cyclical or episodic reviews with limited focus to continuous, broader, more proactive reviews

• Evolve from a traditional, static annual audit plan to a more dynamic plan based on CA results

• Reduce audit costs while increasing effectiveness through IT solutions

The value of CM is that it gives management greater visibility into, and more timely information on, business processes designed to achieve strategic and operational goals.

The value of CA is that it enables internal audit to move from sampling accounts and transactions to coverage of 100 percent of accounts and transactions (when and where desired).

Although CM and CA can be adopted separately or together, enterprises may achieve the most cost-effective development by implementing both, either simultaneously or in planned sequence.


CM and CA and Risk Management

CM and CA can improve the risk management and control activities of virtually any large enterprise. These activities have risen in importance on the agendas of many senior executives and boards, given the events of the past few years and continuing challenges in the financial and business environment.

Those challenges range from heightened global competitive pressures, to more stringent regulatory regimes, to endless pressure to increase revenue and margin, to exposure to ever more aggressive forms of theft, fraud, and cybercrime.

Executives allocate resources to the initiatives they perceive as yielding the greatest return, in keeping with their organization's mission and priorities.

CM and CA are best considered in the context of the enterprise's overall risk management effort at the operational level. Often executives and boards consider risk management in broad terms, but have trouble bringing it down to the operational level. Yet that is where effective risk management occurs. To bring their thinking about CM and CA to operational levels, leaders can start by asking themselves:

• How do we currently monitor controls?

• How well do the enterprise's controls currently function?

• How do we currently allocate internal audit resources?

• How do we determine that this allocation is optimal?

• What costs and unintended risks do our current methods of controls monitoring and auditing create?

Such questions bring current methods of controls monitoring and auditing to light, and allow for a clearer comparison between current methods and CM and CA.

Deloitte's approach to CM and CA supports, and is supported by, the principles of the Risk Intelligent Enterprise™, which embodies Deloitte's philosophy of and approach to risk management. A risk intelligent approach departs from traditional approaches to risk management in specific ways (see sidebar, The Risk Intelligent Enterprise™).

Risk intelligence provides an integrated risk management framework in which leaders and employees at all levels can recognize and manage risks in their decision-making and operating activities.

Risk intelligent practices should guide development of CM and CA systems and techniques. For instance, when contemplating CM or CA it's best to consider the full spectrum of risks across "silos," interactions among risks, and ways to build CM/CA into activities and processes.


In addition, several factors in the prevailing business environment should prompt enterprises to consider implementing CM and CA. These include:

• Heightened demand for faster, better decisions and for improved, but cost-effective risk management

• Rising pressures on internal audit to provide timely assurance to stakeholders

• Increasing complexity and change in regulatory requirements

• Greater efforts to align internal audit activities with management's strategic business goals

To support the work of internal audit, CA provides information that relates to compliance with policies, procedures, and regulations, which supports financial reporting activities and goals. CM provides relevant data on processes, transactions, and accounts to management in a timely manner and at low cost, with the aim of monitoring performance and supporting decision making. Both CA and CM usually use IT-enabled tools to monitor processes, transactions, and accounts to enhance the efficiency and effectiveness of internal audit's and management's efforts.

The Risk Intelligent Enterprise™

Risk intelligence is Deloitte's philosophy of and approach to risk management, and it consists of practices that:

• Address the full spectrum of risks, including strategic, operational, compliance, reporting, security, environmental, and other risks across the enterprise

• Acknowledge the need for specialization by business and function, but also across organizational "silos"

• Consider the interaction of multiple risks rather than focusing on a single risk or event, and consider the potential impacts of multiple threats

• Create common terms and metrics for risk, and a culture in which people account for risk in every activity

• Support risk taking for reward and value creation, rather than pure risk avoidance


How would they operate?

What would CM and CA look like and how would they operate?

In which situations does CM or CA have the most value?

To help answer those questions, we provide a few case studies in this document, and the following brief examples of CM in action:

Limiting Breaches of Authority

A comptroller wanted to be able to detect limit-of-authority breaches in areas such as purchases, payables, and sales discounts. The enterprise had established systemic preventive controls to support approval levels in some processes, but those controls could be circumvented. For example, if a person authorized to sign for individual purchases of up to €2,000 wanted to approve a purchase of €10,000, he could input and approve five purchase orders for €2,000 for the same supplier and thus complete the transaction.

The solution was to continually monitor approvals of expenditures or disbursements to the same entity by each individual with spending authority and to compare the individual and total amounts authorized for a specific entity in a specific period, such as one day or five business days.
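The limit-of-authority check described above can be expressed as a rolling-window sum per approver and supplier. The following is an added example, not code from the original paper; the record fields, approver limits and sample approvals are constructed, and the business-day window ignores public holidays.

```python
# Added example (not from the original paper): detect purchase approvals that
# were split to stay under an approver's limit of authority.
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Approval:
    po_id: str
    approver: str
    supplier: str
    amount: Decimal
    approved_on: date


@dataclass(frozen=True)
class Finding:
    approver: str
    supplier: str
    limit: Decimal
    window_total: Decimal
    po_ids: tuple


def business_day_index(d):
    """Weekdays elapsed since date ordinal 1 (a Monday). Weekend dates map to
    the following Monday. Public holidays are ignored (assumption)."""
    weeks, dow = divmod(d.toordinal() - 1, 7)
    return weeks * 5 + min(dow, 5)


def find_split_approvals(approvals, limits, window_business_days=5):
    """Return one Finding per (approver, supplier) whose approvals inside any
    window of `window_business_days` add up to more than the approver's limit.
    The finding carries the largest such window."""
    if window_business_days < 1:
        raise ValueError("window must be at least one business day")
    groups = defaultdict(list)
    for a in approvals:
        groups[(a.approver, a.supplier)].append(a)

    findings = []
    for (approver, supplier), items in groups.items():
        # A missing limit raises KeyError: an approver with no recorded
        # authority is a data-quality problem that should not pass silently.
        limit = limits[approver]
        items.sort(key=lambda a: a.approved_on)
        window, total, worst = deque(), Decimal(0), None
        for a in items:
            window.append(a)
            total += a.amount
            # Drop approvals that fell out of the look-back window.
            while (business_day_index(a.approved_on)
                   - business_day_index(window[0].approved_on)
                   ) >= window_business_days:
                total -= window.popleft().amount
            # Two or more approvals that together exceed the limit.
            if len(window) > 1 and total > limit:
                if worst is None or total > worst.window_total:
                    worst = Finding(approver, supplier, limit, total,
                                    tuple(x.po_id for x in window))
        if worst is not None:
            findings.append(worst)
    return sorted(findings, key=lambda f: (f.approver, f.supplier))


# Constructed sample data. 24 Nov 2014 is a Monday, 28 Nov 2014 a Friday.
LIMITS = {"alice": Decimal("2000"), "bob": Decimal("5000"),
          "carol": Decimal("2000")}
SAMPLE = [
    # Five approvals of 2,000 to one supplier within one working week.
    Approval("PO-1001", "alice", "SUP-ACME", Decimal("2000"), date(2014, 11, 24)),
    Approval("PO-1002", "alice", "SUP-ACME", Decimal("2000"), date(2014, 11, 24)),
    Approval("PO-1003", "alice", "SUP-ACME", Decimal("2000"), date(2014, 11, 25)),
    Approval("PO-1004", "alice", "SUP-ACME", Decimal("2000"), date(2014, 11, 26)),
    Approval("PO-1005", "alice", "SUP-ACME", Decimal("2000"), date(2014, 11, 28)),
    # Same supplier, but seven business days apart: outside the window.
    Approval("PO-2001", "bob", "SUP-ACME", Decimal("3000"), date(2014, 11, 24)),
    Approval("PO-2002", "bob", "SUP-ACME", Decimal("3000"), date(2014, 12, 3)),
    # Same day, different suppliers: not a split to one entity.
    Approval("PO-3001", "carol", "SUP-NORTH", Decimal("1500"), date(2014, 11, 24)),
    Approval("PO-3002", "carol", "SUP-SOUTH", Decimal("1500"), date(2014, 11, 24)),
]

if __name__ == "__main__":
    for f in find_split_approvals(SAMPLE, LIMITS):
        print(f"{f.approver} -> {f.supplier}: {f.window_total} approved "
              f"against a limit of {f.limit} via {', '.join(f.po_ids)}")
```

Running the same function with `window_business_days=1` gives the one-day comparison the paper mentions alongside the five-business-day one.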

Transaction Monitoring

A lender wanted comfort that the pricing of each loan it extended was in keeping with its underwriting policies, in order to ensure profitability. Its practice had been to calculate loan price on a defined set of business and credit rules, but to allow manual override of these rules.

However, when implemented by the lender's agents, that manual override could occur without detection, causing a potential control failure.

The solution was to continually monitor loan prices and to report deviations from the price calculated only on the basis of the business and credit rules. (Any significant deviation is now detected and reported, and exceptions are investigated and resolved.)

Controlling Freight Costs

An operating manager needed to detect unnecessary freight payments, which were set by the trucking company per the weight of the goods being shipped.

The contract between the enterprise and the trucking company included clauses that guaranteed a minimum payment if the weight of a delivery fell short of the truck's maximum load. Generally, the minimum cost was set at �0 percent of the cost of a truck's maximum load. Thus, the manager needed to ascertain when trucks were being loaded at less than �0 percent of the vehicle's capacity, situations that would represent inefficiency and excess costs.

The solution was to automatically identify and report trucks that had been loaded at less than �0 percent of capacity on the same route or destination within a given period of time.


Case Study #1: Television Broadcaster

CM & Transaction Monitoring/Expense Control

The Situation:

The Shared Services group of a fast-growing global provider of cable television news and entertainment programming faced skyrocketing travel and entertainment (T&E) transaction volume. Given the company's resource limitations, both that volume and time-consuming manual audits of expense claims potentially increased the risk of error, fraud, and misuse within the T&E reimbursement process. The enterprise needed assistance in scoping, planning, configuring, and implementing its Audit Command Language (ACL) continuous controls monitoring (CCM) tools.

The Solution:

As in many business processes, moving from a manual to an automated review system involves data analytics. Data analytics assist in auditing and risk management and in testing controls and control overrides. For example, data analytics can be used to test a population of transactions, as in this instance T&E claims, so that no overrides occur without proper approval. In this case, Deloitte helped provide a suite of automated, customizable analytics for T&E expense processing, control, and audit. This system enables monitoring of T&E transactions and claims with the aim of identifying suspicious activity, errors, and exceptions.

The Shared Services group can now monitor T&E transactions on a continuous basis. The group also moved from employing a random sample approach to a more focused approach of reviewing claims that display attributes of potentially fraudulent or erroneous expenses. Using nearly real-time CM, analysts can investigate and resolve issues that might otherwise go undetected. In addition to containing costs and minimizing losses, the CCM tool provides additional assurance around compliance relating to T&E business processes.

Personal Password Protection

A chief information officer wanted to protect passwords and detect situations in which users shared their passwords with co-workers or other parties. System security policies stipulated that system access was limited to individuals with authorized user login and password information, yet breaches had been occurring.

The solution was to automatically identify users sharing login information and passwords by detecting access by parties who had not entered the premises (as recorded by identification card swipes), concurrent use of the same login and password information at different computers, and other anomalies in instances of access.
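The first two detection rules in this solution (a login with no matching badge entry, and the same login active on two computers at once) are shown below as added example code that is not part of the original paper. It assumes the sessions are console logins at on-site workstations, so remote access would have to be excluded first; the record layouts, host names and events are constructed.

```python
# Added example (not from the original paper): flag likely shared logins by
# correlating badge swipes with workstation sessions. All data is constructed.
from collections import defaultdict, namedtuple
from datetime import datetime, time

Swipe = namedtuple("Swipe", "user when direction")        # "IN" or "OUT"
Session = namedtuple("Session", "user host login logout")
Finding = namedtuple("Finding", "rule user hosts when")


def presence_intervals(swipes):
    """Pair each IN swipe with the next OUT swipe per user. An IN with no OUT
    is treated as present until the end of that day (assumption)."""
    by_user = defaultdict(list)
    for s in sorted(swipes, key=lambda s: s.when):
        by_user[s.user].append(s)
    intervals = defaultdict(list)
    for user, items in by_user.items():
        entered = None
        for s in items:
            if s.direction == "IN" and entered is None:
                entered = s.when
            elif s.direction == "OUT" and entered is not None:
                intervals[user].append((entered, s.when))
                entered = None
        if entered is not None:
            end_of_day = datetime.combine(entered.date(), time.max)
            intervals[user].append((entered, end_of_day))
    return intervals


def detect_shared_credentials(swipes, sessions):
    """Apply two rules per user:
    LOGIN_WITHOUT_BADGE - login time falls outside every on-premises interval
    CONCURRENT_HOSTS    - overlapping sessions on different computers"""
    presence = presence_intervals(swipes)
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s.user].append(s)

    findings = []
    for user, items in sorted(by_user.items()):
        items.sort(key=lambda s: s.login)
        for s in items:
            on_site = any(start <= s.login <= end
                          for start, end in presence.get(user, []))
            if not on_site:
                findings.append(
                    Finding("LOGIN_WITHOUT_BADGE", user, (s.host,), s.login))
        active = []  # sessions still open when the next one starts
        for s in items:
            active = [a for a in active if a.logout > s.login]
            for a in active:
                if a.host != s.host:
                    findings.append(
                        Finding("CONCURRENT_HOSTS", user, (a.host, s.host), s.login))
            active.append(s)
    return findings


def at(hhmm):
    """Timestamp on the constructed sample day."""
    hour, minute = map(int, hhmm.split(":"))
    return datetime(2014, 11, 28, hour, minute)


# Constructed sample events.
SWIPES = [
    Swipe("alice", at("08:55"), "IN"), Swipe("alice", at("17:30"), "OUT"),
    Swipe("carol", at("09:00"), "IN"), Swipe("carol", at("12:00"), "OUT"),
    Swipe("carol", at("13:00"), "IN"), Swipe("carol", at("18:00"), "OUT"),
    Swipe("dave", at("08:00"), "IN"), Swipe("dave", at("16:00"), "OUT"),
]
SESSIONS = [
    # alice is on site, but her login is in use on two computers at once.
    Session("alice", "WS-101", at("09:00"), at("12:00")),
    Session("alice", "WS-207", at("10:30"), at("11:00")),
    # bob's login is used although bob never badged in.
    Session("bob", "WS-305", at("09:15"), at("10:00")),
    # carol: sequential sessions, each inside a badge interval.
    Session("carol", "WS-110", at("09:05"), at("11:55")),
    Session("carol", "WS-110", at("13:05"), at("17:00")),
    # dave: overlapping sessions, but on the same computer.
    Session("dave", "WS-400", at("08:10"), at("15:00")),
    Session("dave", "WS-400", at("09:00"), at("09:30")),
]

if __name__ == "__main__":
    for f in detect_shared_credentials(SWIPES, SESSIONS):
        print(f.rule, f.user, f.hosts, f.when.isoformat())
```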

As these brief examples show, CM or CA can be applied selectively and in targeted ways. This enables management or internal audit to experiment, gain experience, and realize early, and then incremental, returns. That said, the Risk Intelligent Enterprise™ will recognize the interconnectedness of processes and of risks and consider other areas that could be affected by each CM or CA change or initiative. The greatest benefits accrue to enterprises that coordinate CM or CA initiatives to maximize the use of automated control and audit mechanisms. The key, however, is to view CM and CA in a risk management context (see sidebar, Case Study #1).


Developing the Business Case

In many risk management initiatives, costs can appear more certain than benefits. That's because the costs are specific near-term outlays and risks are more indistinct, longer-term, potential events. Thus, the business case for CM or CA can be difficult to make in traditional, ROI-based, monetary terms. But risks are real and that case can be made, particularly for specific activities and processes. For example, automating controls can reduce incidents of duplicate payments, internal fraud, inappropriate warranty claims, unauthorized discounts, and underperformance by service providers. The monetary losses due to future incidents, after adoption of controls, can be compared with those of past incidents.

In addition, a significant CM or CA initiative can (and arguably should) harmonize, rationalize, and optimize controls. This process can eliminate redundant controls, help institute needed controls, close control gaps, and eliminate needless reports. The savings in reduced loss, audit, administrative, and report generation and review costs can all be calculated.

Perhaps most importantly, CM can enable management to achieve financial and operational control objectives while exploiting new process-improvement opportunities. The enterprise can in that way use CM to increase the value of its investment (See Exhibit 1).

There are three stages of CM adoption, which accomplish the following:

1. Initially, the enterprise uses controls monitoring techniques to achieve regulatory control objectives, such as those related to Sarbanes-Oxley (SOX) financial reporting and risk management objectives. This reduces costs.

2. Then, the enterprise applies controls automation and monitoring techniques to achieve operational control objectives, such as inventory, receivables, payables, credit, or warranty claims management.

3. Finally, the enterprise applies technology to optimize processes, including operational, compliance, financial, risk management, and other processes.

Generally, it makes sense first to improve controls and reduce costs, then to improve operations, then to optimize processes. This movement up the value chain helps to make the business case at each level. It also casts a CM or CA effort as a process improvement, rather than "policing" initiative, and helps in defining short-, intermediate-, and long-term goals.

Exhibit 1 — Moving CM up the value chain

• Improve controls and reduce cost: Apply controls monitoring techniques to achieve regulatory control objectives (e.g., SOX financial reporting control objectives and risks). Drive sustainable cost-effective compliance.

• Improve operations: Apply controls automation and monitoring techniques to achieve operational control objectives (e.g., merchandise management). Drive operational improvement.

• Optimize processes: Apply technology to optimize processes (e.g., financial, operational, compliance, etc.). Drive process improvement.

Leverage initial technology investment for compliance to help improve operations and optimize process.


Barriers to CM and CA Adoption

Despite the potential benefits of CM and CA, barriers to adoption exist in many enterprises. Common ones include misunderstanding CM and CA and implementation issues, particularly the IT dimensions. The latter can include confusion regarding the efficacy of Enterprise Resource Planning (ERP) and Governance, Risk Management and Compliance (GRC) systems, and the fit of CM or CA with such systems. Other obstacles arise in the form of internal competition for resources and funds. Often, until a risk event occurs or internal audit buckles under its workload, CM and CA can appear as “nice but not necessary.”

Barriers also arise in the following areas:

• Perceived impact on the enterprise: CM or CA impact internal audit and other areas of the enterprise. In particular, the impact on internal audit — on its costs, head count, audit plans, workload, quality of audits, and stakeholder satisfaction — should be considered. So should the impact on the IT function and business units, and on operating, decision-making, and risk-management processes.

• Priority of implementation: Implementation is best planned in the context of an overall risk management framework. A method of prioritizing controls and audit activities for automation should be developed based on factors such as risk rankings, importance of audit evidence, return on investment, and ease of implementation.

• Internal audit's readiness to develop and adopt CA: Audit functions vary in their readiness for CA, depending on the enterprise's lifecycle, audit focus (rotational or risk based), and use of automation (automated work papers versus real-time monitoring). Generally, the more progressive the internal audit function, the more readily it may adopt CA.

• IT and software considerations: Enterprises vary in their experience and success with IT-based ERP or GRC systems. These two factors — experience and success — as well as the brands, configurations, and functions in which they have been deployed will affect CM and CA decisions and initiatives.

• Realistic expectations: CM and CA deliver clear benefits as detailed toward the end of this paper, but they are not achieved overnight. A large organization with complex systems and myriad activities and transactions needs time and commitment to realize the benefits. Again, however, it is possible to implement CM or CA in a limited area to gain experience and to realize substantial benefits.

In addition, it is useful to distinguish between the process side and the technology side of CM and CA, and to consider various perspectives from these angles.


Varying Perspectives and IT Considerations

Deloitte has found a wide range of perspectives on CM and CA in enterprises. Some internal audit functions view the matter from the process perspective. They focus on activities and transactions that might be subject to CA and on how to replace current audit data gathering mechanisms with continuous ones or on how disbursement limits or Segregation of Duties (SOD) might be automated. Others view the matter from the technology perspective and focus on how ERP, GRC, and third-party systems might enable CA or CM — and the potential roles of the various vendors and systems.

Other considerations center on operationalizing CM or CA — a perspective we have found that most enterprises fail to consider adequately. For instance, issues in operationalizing include whether you take a bottom-up or top-down approach. A bottom-up approach starts with the tools and technologies you have and works toward developing them into a platform. A top-down approach starts with the platform and more or less promulgates it throughout internal audit or another area initially and then, perhaps, other areas of the enterprise or even throughout the enterprise.

IT capabilities are a major consideration. Can the available technology enable desired controls, warnings, and exception reports? Are the desired CM or CA mechanisms compatible with existing or contemplated ERP systems? Can the mechanisms be implemented within ERP or GRC capabilities? Or must they be added on or programmed into these systems?

Most enterprises with ERP systems view them as integral to their processes and, in turn, view their GRC systems as integral to their ERP systems. This is a logical outgrowth of ERP systems providers acquiring risk management and compliance systems and offering them as part of a "total solution." The point is that these systems must be considered in any CM or CA design or implementation effort (see sidebar, Case Study #2).

Case Study #2: Global Durable Goods Manufacturer

CM & ERP Assessment

The Situation:

As part of its enterprise transformation initiative, a global manufacturer of durable goods planned a worldwide rollout of the next generation of its ERP system. This initiative aimed to “commonize” core finance and purchasing processes across global operating regions. This multi-year project to enable worldwide business processes required that security controls be reviewed and documented during the implementation lifecycle to minimize the potential for (and instances of) post-launch remediation.

The Solution:

The enterprise required a methodology for assessing pre-implementation ERP security and internal controls. Deloitte's methodology focused on internal controls in four key areas: business process controls, application security, data and interface controls, and general computer controls. This approach has been built into a repeatable, proven process for designing, building, testing, and deploying internal controls.

A controls assessment identified, documented, and assessed ERP internal control and security recommendations. This enabled the enterprise to evaluate its ERP control structure through successive phases and to drive management's control requirements into the program. The enterprise realized efficiencies as each regional launch progressed. Pre-implementation assessments established the controls baseline, supported future test plans, and provided the controls that were designed into the processes.

This pre-implementation review of security and business process controls consisted of three phases: Phase 1: Plan, define and design; Phase 2: Construct, test, and deploy; Phase 3: Execute, deliver, and help provide ERP support. This initiative also called for audit-related assessments of the enterprise's segregation of duties tools and warranty claims management program.

1� Continuous monitoring and continuous auditing From idea to implementation


The CM/CA Roadmap

Although there is no universal, sure-fire recipe for implementing CM or CA, there is a general template that a management team or internal audit function can use:

1. Develop the Business Case

Whether you are a CFO considering enterprise-wide CM or a chief audit executive proposing a CA initiative, you need to develop a strong business case. This entails:

• Connecting the initiative to the drivers of value, and the risks, in the business

• Identifying benefits and costs, and quantifying them when possible

• Placing CM or CA in the context of the overall GRC effort and clarifying their roles

2. Develop a Strategy for Adoption

A strategy for adoption identifies potential CM and CA initiatives and prioritizes them according to risks, benefits, costs, and ROI. This means:

• Targeting efforts based upon risk exposure, appetite, and tolerances, enterprise-wide and locally

• Identifying which areas are appropriate to pursue based on projected benefits, costs, and ROI

• Identifying how to set thresholds and monitor risks, as well as useful intervals and notification mechanisms (e.g., real-time notification versus daily check-in)

• Considering required resources and how current resources and priorities may help or hinder adoption

3. Plan the Design and Implementation

Planning a CM or CA initiative should be an iterative process, which involves:

• Determining the scope of the objectives

• Establishing roles and responsibilities

• Designing the CM or CA process and mechanisms

• Allocating resources and creating a timeline and project plan

• Setting reasonable expectations for performance

• Aligning people, processes, and IT resources

4. Build and Implement the CM or CA System

Once the resources are approved and in place, implementation is next. For successful implementation:

• Begin with relatively straightforward, low-cost, high-return projects

• Involve IT, business units, and other key stakeholders early on

• Create a sense of shared ownership of the project and the results

• Test the CM or CA system, particularly for its impact on the IT system, before actual launch and adoption

• Follow the plan, but make course corrections as needed

• Establish workable, practical (rather than “ideal”) CM or CA procedures

5. Monitor Performance and Progress, and Refine as Needed

Migrate the CM or CA effort into the control or audit process as soon as possible after it demonstrates its viability and value. To ensure this happens:

• Report the results of the effort to management and all other stakeholders

• Demonstrate the value added — in monetary terms when possible (e.g., costs reduced, risks mitigated, or time saved)

• Verify by manual means that the early readings and results are accurate

• Adjust monitoring or notification mechanisms as needed, given their performance and the quality of the human interface

Pilot projects geared to testing the waters, gaining experience, or achieving early wins can be quite useful. With an early success or two, management or internal audit can revisit its priorities and make adjustments or move directly to the next priority. Also, given the potential savings and lower risks, many CM and CA initiatives can be structured as self-funding. Finally, be sure to obtain any necessary external expertise and guidance at each stage.


Value and Benefits of CM and CA

Broadly, CM and CA add value by means of improved compliance, risk management, and ability to achieve business goals. They can be instrumental in locating revenue leakage, for instance, due to customers taking unauthorized discounts, and in locating unnecessary costs, as in audits of service levels from third-party vendors. More broadly, CM and CA bring new levels of systematization and automation to monitoring controls, marshalling evidentiary audit data, and overseeing the enterprise. In that sense, CM and CA represent a natural progression in the evolution of the control environment and auditing efforts.

CM and CA give managers and auditors greater visibility into processes, activities, and transactions. The resulting visibility also generates greater transparency for directors, investors, and other stakeholders. In addition, CM and CA can each generate other specific benefits for the enterprise (see sidebar, Benefits of CM and CA).

Neither CM nor CA should be viewed as a short-term project, but rather as a commitment to a new, more systematic approach. The value and benefits are real, as are the barriers to implementation. The former can be realized and the latter managed, provided CM and CA are viewed in the context of risk management and implemented with a practical roadmap as your guide.

Benefits of CM and CA

Continuous monitoring can enable an enterprise to:

• Increase value through improved financial and operating controls

• Accelerate reporting to support more rapid decision making and business improvement

• Detect exceptions in real time to enable real-time responses

• Reduce — and ultimately minimize — ongoing compliance costs

• Replace manual preventative controls with automated detective controls

• Establish a more automated, risk-based control environment with lower labor costs

• Heighten competitive advantage and increase value to stakeholders

Continuous auditing can enable an enterprise to:

• Improve risk and control assurance, usually in the same or less time than previous approaches

• Reduce costs, including internal audit costs and costs associated with unaddressed control deficiencies

• Increase the level of risk mitigation for business risks

• Achieve a more robust, more effective auditing process

• Expand internal audit coverage with minimal (or no) incremental cost

• Shorten audit cycles

• Identify control issues in real time


Consider Continuousness

This document has highlighted the key considerations for a management team or an internal audit function considering continuous monitoring or continuous auditing. It has flagged the key issues and barriers, set the matter in the context of a risk management framework, and flagged potential IT concerns.

As with every initiative, decisions about CM or CA hinge on the business case. Deloitte believes that, although the business case warrants careful development, it will often be strong for CM and CA initiatives. This is particularly so in light of rising compliance, financial, operational, and other risks, and increasing demands on internal audit and risk management resources.

Contacts

To learn more about how Deloitte professionals can help you and your organization, please contact:

Scott Raso
Asia Pacific and China Deloitte Analytics Leader
Enterprise Risk Services

Tonny Xue
Partner
Enterprise Risk Services

Adrian Lee
Partner
Enterprise Risk Services


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/cn/en/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 1�0 countries, Deloitte brings world-class capabilities and deep local expertise to help clients succeed wherever they operate. Deloitte's approximately 1�0,000 professionals are committed to becoming the standard of excellence.

In China, services are provided by Deloitte Touche Tohmatsu and Deloitte Touche Tohmatsu CPA Limited and their subsidiaries and affiliates. Deloitte Touche Tohmatsu and Deloitte Touche Tohmatsu CPA Limited are, together, a member firm of Deloitte Touche Tohmatsu Limited.

Deloitte China is one of the leading professional services providers in the Chinese Mainland, Hong Kong SAR and Macau SAR. We have over �,000 people in 1� offices in Beijing, Chongqing, Dalian, Guangzhou, Hangzhou, Hong Kong, Macau, Nanjing, Shanghai, Shenzhen, Suzhou, Tianjin, Wuhan and Xiamen.

As early as 1�1�, we opened an office in Shanghai. Backed by our global network, we deliver a full range of audit, tax, consulting and financial advisory services to national, multinational and growth enterprise clients in China.

We have considerable experience in China and have been a significant contributor to the development of China's accounting standards, taxation system and local professional accountants. We also provide services to around one-third of all companies listed on the Stock Exchange of Hong Kong.

This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, Deloitte Global Services Limited, Deloitte Global Services Holdings Limited, the Deloitte Touche Tohmatsu Verein, any of their member firms, or any of the foregoing's affiliates (collectively the "Deloitte Network") are, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your finances or your business. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.


©2011 Deloitte Touche Tohmatsu CPA Ltd
