Standards. COSO standards: Internal Control - Integrated Model
document status: materials for the CPT meeting
developer organization: PJSC Megafon
Explanation X/2013
"Organization of the internal control system"
1. General provisions
1.1 This Policy determines the procedure for organizing and operating the internal control system (hereinafter referred to as the ICS) in the Company, including a description of the purpose and objectives of the ICS, as well as the roles and responsibilities of its subjects.
1.2 This Policy has been developed taking into account the requirements and recommendations of:
- the current legislation of the Russian Federation (including Article 19 of Law No. 402-FZ “On Accounting”);
- internal regulatory documents of the Company;
- Code of Corporate Conduct of the Federal Financial Markets Service of the Russian Federation;
- the guidance of the Committee of Sponsoring Organizations of the Treadway Commission "Internal Control - Integrated Framework" (1992).
2. Definition and objectives of internal control
2.1 Internal control is a continuous process carried out by all employees and management of the Company at all levels of management, aimed at providing conditions for achieving the Company’s goals in the following areas:
- efficiency and effectiveness of the financial and economic activities of the Company;
- safety of assets;
- compliance with legal requirements, regulations, internal documents of the Company and other applicable regulatory requirements;
- reliability of financial statements.
2.2 Internal control system (ICS) - a system of organizational measures, policies, instructions, control procedures, norms of corporate culture and actions taken by the Board of Directors, management and employees of the Company to ensure proper conduct of business activities: to ensure the financial stability of the Company, achieving an optimal balance between the growth of its value, profitability and risks; for the orderly and efficient conduct of business activities; ensuring the safety of assets; identifying, correcting and preventing violations; timely preparation of reliable financial statements; and, thereby, increasing investment attractiveness.
2.3 The organization of the internal control system in the Company is based on a risk-based approach. It means the close integration of the internal control system with risk management processes, which ensures the timely and effective application of risk management methods using effective mechanisms of the internal control system. At the same time, the Company's management and its employees are concentrating efforts to build and improve the internal control system, primarily in those areas of activity that are characterized by the highest level of risks.
2.4 Internal control system over the process of preparing financial statements (ICSFR) - a system of organizational measures, policies, instructions, control procedures, norms of corporate culture and actions taken by the Board of Directors, management and employees of the Company to achieve goals in the field of preparing reliable financial statements.
2.5 The objectives of the functioning of the internal control system in the Company are:
- Assistance in protecting the interests of shareholders, investors and clients, preventing and eliminating conflicts of interest, supporting effective management of the Company and achieving strategic goals in the most effective way;
- Creation of conditions to protect the Company from internal and external risks arising in the course of its activities, as well as the risks of preparing the Company’s financial statements;
- Assistance in ensuring compliance by the Company with the requirements of legislation and regulatory documents of the Company;
- Creating conditions for the timely preparation and provision of reliable financial, accounting, statistical, management and other reporting for external and internal users;
- Assistance in ensuring the safety of assets and efficient use of the Company's resources and potential.
3. Operating principles and components of the ICS
3.1 The organization and functioning of the ICS in the Company is based on the following key principles:
- Integration - the ICS is an integral part of the Company’s corporate governance and is integrated into its processes and daily operations. The ICS includes procedures for informing management at the appropriate level about any significant violations of financial and economic activities, deficiencies and control weaknesses that have been discovered, along with an analysis of their causes and details of the corrective actions that have been taken or that should be taken;
- Continuity - the ICS operates on an ongoing basis, continuously and at all levels of management, which allows the Company to promptly identify deviations in the ICS and prevent their occurrence in the future;
- Methodological unity - ICS processes are implemented on the basis of uniform requirements and approaches for all divisions of the Company;
- Integrity/comprehensiveness - the ICS operates at all levels and in all divisions of the Company, covering all subjects of internal control and areas of activity and, accordingly, all risks:
- The responsibility for building and maintaining a reliable and effective internal control system lies with managers at all levels of management of the Company;
- Control procedures exist in all business processes and at all levels of management;
- Each employee of the Company knows, understands and fulfills his role in the ICS;
- Responsibility - all employees and management at all levels of the Company are responsible for the functioning of the ICS within the limits of their powers;
- Risk orientation - the ICS in the Company operates in close cooperation with the risk management system, which contributes to the timely and effective implementation of measures to influence risks. When analyzing control procedures, one should assess the magnitude and likelihood of risks occurring and the degree of their influence on the results of financial and economic activities and the achievement of the Company’s goals, which allows one to draw a conclusion about the sufficiency of existing control procedures or the need to develop and implement new ones;
- Optimality - the volume and complexity of control procedures used in the Company are necessary and sufficient for effective risk management and achievement of the Company’s goals. Resources and costs for the implementation and subsequent operation of control procedures should not exceed the consequences of risk implementation (cost-economic effect ratio), and the total level of residual risk should correspond to the Company’s risk appetite.
- Segregation of duties - the Company differentiates the rights and responsibilities of subjects of internal control depending on their relation to the processes of development, approval, application and monitoring of the ICS. It is not allowed for one employee/unit to simultaneously be entrusted with the following powers:
- approval of transactions with assets;
- carrying out transactions with assets;
- accounting/registration of transactions;
- checking the correctness, completeness and fact of the transaction and ensuring the safety of assets.
- Formalization - the ICS should be formalized:
- risks and controls for all significant business processes affecting the achievement of the Company’s goals are described;
- the results of control procedures are documented and stored (primary documents, reports, transaction logs, etc.);
- Relevance and development - all documentation on the ICS (description of risks, controls, and other information) must be updated in a timely manner and constantly improved in order to increase the efficiency of risk management. Top management provides conditions for the continuous development of the ICS, taking into account the need to solve new problems arising as a result of changes in internal and external operating conditions.
3.2 The basis for the organization and functioning of the ICS in the Company are the following components:
- Control environment;
- Risk assessment;
- Controls;
- Information and communications;
- ICS monitoring.
A detailed description of the components of the ICS is given in Appendix 1 of this Policy.
4. Subjects of internal control and their functions
4.1 The Company’s internal control system is determined by a combination of objects and subjects. The objects of the ICS are the financial and economic activities of the Company's divisions. Subjects of internal control are determined by this Policy and other regulatory documents of the Company in the field of internal control.
4.2 The composition of subjects of internal control is determined by the organizational structure of the Company and includes:
- Board of Directors;
- Audit Committee;
- General Director;
- Internal control division;
- Heads of structural divisions and employees of the Company.
4.3 Board of Directors - determines the general directions of organizing the ICS in the Company; analyzes the overall effectiveness of the ICS and its compliance with the nature, scale and conditions of the Company’s activities in the event of their change; considers the results of assessing the effectiveness of the ICS, identified significant deficiencies and recommendations for their elimination. Approves the internal control policy and changes to it.
The functions and tasks of the Board of Directors in relation to the internal control system are set out in the regulations on the Board of Directors of the Company.
4.4 Audit Committee of the Board of Directors - evaluates compliance with the principles of internal control and risk management and the overall effectiveness of the ICS in the Company (including based on reports from the internal audit and internal control departments), and makes recommendations for improving the ICS.
The functions and tasks of the Audit Committee of the Board of Directors are set out in the relevant regulations on the Audit Committee of the Company.
4.5 General Director (CEO) - is responsible for organizing and maintaining the functioning of an effective ICS in the Company and for monitoring the functioning of the ICS, including:
- Determines the directions for development and improvement of the internal control system in the Company;
- Approves the Regulations on the internal control system, the Regulations for diagnosing and improving the internal control system and other regulatory documents in the field of internal control systems;
- Reviews the results of the work of the internal control structural unit, including the results of diagnostics of the internal control system;
- Establishes responsibility for implementing senior management decisions in the area of internal control;
- Reviews and approves an action plan to eliminate deficiencies in the internal control system.
4.6 Internal Audit Division - carries out an independent assessment of the effectiveness of individual components of the ICS, the ICS of the audited objects and the Company’s ICS as a whole, and develops recommendations to improve its reliability and efficiency, including:
- Checks the compliance of the activities of departments and employees with regulatory documents that determine the procedure for organizing and functioning of the internal control system;
- Assesses the compliance of the content of regulatory documents regulating the organization and functioning of the internal control system with the nature and scale of the Company’s activities;
- Identifies facts of violations, analyzes the reasons for their occurrence and develops recommendations for improving existing and/or introducing new control procedures to prevent recurrence of violations;
- Monitors the timely and complete elimination of identified violations and shortcomings;
- Carries out quality control of the diagnostic process of the internal control system in the Company, carried out by management and employees;
- Advises on improving internal control.
4.7 The tasks of the Internal Control Unit are:
- Coordination of activities to form and maintain the effectiveness of the ICS;
- Methodological support for internal control systems;
- Organization of the process of diagnostics of the ICS in the Company;
- Preparation of plans for the development and improvement of the internal control system in the Company;
- Maintaining and keeping the ICS infrastructure up to date (registers of risks, control procedures and business processes);
- Monitoring the implementation of the action plan to eliminate deficiencies and improve the internal control system, incl. quality control of elimination of deficiencies;
- Informing all ICS participants about changes in approaches, documentation and other requirements in the field of ICS;
- Organization of preparation of personnel training programs on organizing and improving the internal control system.
The functions, tasks and powers of the structural unit for coordinating the Company's internal control system are defined in the relevant Regulations.
4.8 Managers and employees of structural divisions are responsible for the formation, maintenance and constant monitoring of the internal control system in the relevant functional areas of activity of divisions throughout the management vertical, and also carry out control procedures in accordance with their official responsibilities, including:
- timely identification and analysis of risks in the financial and economic activities of the Company;
- development, formalization, as well as subsequent execution and ensuring the effectiveness and sufficiency of control procedures within the framework of their business processes;
- updating the description of the internal control system and timely informing the internal control unit about changes;
- monitoring the functioning of internal control systems, as well as independent assessment of the effectiveness of the control procedures they perform;
- informing management about any committed or possible errors/deficiencies that have led or may lead to potential negative events;
- completion of training in the field of internal control and risk management in accordance with the approved training program.
4.9 The Company ensures the creation of effective channels for information exchange, including both vertical and horizontal communications, in order to form among all subjects of internal control an understanding of the normative documents adopted in the organization and functioning of the internal control system and ensuring their implementation.
4.10 Information about the operation of the internal control system, about deficiencies found and other significant circumstances is provided to the Board of Directors, the Audit Committee of the Board of Directors, the General Director, the Management Board or other bodies in accordance with existing legal requirements and regulatory documents of the Company.
5. Roles
5.1 To ensure the effective functioning of the internal control system, the following roles are distributed among the managers and other employees of the Company:
- Process/Risk Owner
- ICS Coordinator
- Control executor
5.2 Process/Risk Owner - head of the unit/department who is responsible:
- for the effective functioning of all components of the ICS (see ICS components in Appendix 1) in terms of covering the risks of business activities and preparing financial statements within the framework of their business processes/risks;
- for appointing control executors and assigning responsibility for the implementation of these procedures in the job descriptions of the relevant employees;
- for ensuring the execution and documentation of controls by control executors in accordance with the documentation on the internal control system;
- for identifying changes in processes, risks or controls that require changes to the ICS documentation and informing the employees of the Internal Control Unit / ICS Coordinator in the relevant department about this;
- for timely approval of documentation on internal control systems (detailed description of risks, unified and adapted controls and other information);
- for eliminating deficiencies in the internal control system identified as a result of testing or monitoring.
5.3 Control executor - an employee of any level who is responsible:
- for timely and high-quality implementation of control procedures in accordance with the ICS documentation;
- for notifying, if necessary, the deputy control executor and an employee of the Internal Control Division about the need to perform the relevant control procedure instead of the executor;
- for timely approval of documentation on the internal control system (detailed description of risks, controls and other information);
- for performing procedures for self-assessment of the effectiveness of the internal control system;
- for identifying changes in processes, risks or controls that require changes to the ICS documentation and informing the risk/process owner, the ICS Coordinator in the relevant department and the employees of the Internal Control Unit about this;
- for eliminating the shortcomings of the internal control system identified as a result of testing and monitoring.
5.4 ICS Coordinator - an employee in each department who is responsible:
- for organizing and coordinating the process of functioning of the internal control system within the relevant department;
- for monitoring the quality of implementation and documenting control procedures in terms of controls performed in the relevant department;
- for the relevance of documentation on the internal control system in relation to the relevant structural unit;
- for informing the Internal Control Unit about the need to change the ICS documentation (changes in processes, risks or controls, including proposing new wording regarding risks, controls and other information).
6. Requirements and responsibilities in ensuring the effectiveness of the internal control system
6.1 Internal control is an integral part of the functioning of any division of the Company.
6.2 All employees are responsible for the functioning and ensuring the effectiveness of the Company’s internal control system.
6.3 The Company’s management must convey to employees the importance of having and ensuring the effective functioning of the internal control system, as well as the role of each employee in this system, including the following basic requirements:
- No employee, directly or indirectly, may allow or cause the intentional falsification of accounting, management or other reporting data.
- No changes can be made to accounting data if it is known that these changes may distort the essence of the relevant transactions.
- No amounts/accounts/transactions may be concealed for the purpose of underreporting.
- All employees of the Company are obliged to preserve the Company's assets and ensure their effective use.
6.4 If an employee of the Company has information about the shortcomings or ineffectiveness of internal control procedures, he must immediately report this to his immediate supervisor, as well as the heads of the internal control and internal audit departments.
6.5 If an employee intentionally fails to comply with this Policy and does not comply with control procedures for which he is responsible, disciplinary action will be applied to this employee, up to and including dismissal, in accordance with the requirements of current legislation.
7. Monitoring the effectiveness of the internal control system
7.1 The purpose of monitoring is to assess the effectiveness of the Company’s internal control system, including its ability to ensure the fulfillment of its goals and objectives, as well as to determine the significance of the system’s deficiencies.
7.2 Monitoring the system of internal control over financial reporting includes:
- constant monitoring by division managers of the performance of control procedures in the divisions reporting to them;
- Conducting a self-assessment of the internal control system in the Company;
- carrying out periodic checks of the implementation of control procedures and checks of compliance of operations with legal requirements and the provisions of the organization’s regulatory documents by the internal audit unit;
- assessing the effectiveness of the internal control system over the process of preparing financial statements by an external auditor;
- timely communication of information about identified deficiencies in the internal control system over financial reporting to stakeholders within the management vertical.
7.3 Self-assessment of the effectiveness of the internal control system (hereinafter referred to as self-assessment of the internal control system) is carried out directly by the subjects of the internal control system by:
- Distribution of questionnaires - used to collect information about the effectiveness of the ICS and changes in business processes from employees and managers of the Company's departments;
- Monitoring the status of the ICS - the process of checking the completeness, timeliness of implementation and correctness of documentation of the control system;
- Assessing the effectiveness of control procedures - analysis of the effectiveness of the description and execution of a control, as well as analysis of the sufficiency of control procedures (assessment of the extent to which a control, provided it is effectively implemented, can reduce the risks associated with it).
7.4 Regular assessment of the ICS helps improve its effectiveness by:
- timely identification of changes in business processes, design or stages of control procedures;
- increasing the motivation of Control Performers and their Managers through direct participation in improving the internal control system and constant monitoring of the quality of control implementation;
- providing an information base to the Company’s management to confirm the effectiveness of the internal control system.
7.5 The results of the ICS assessment must be documented and presented to the management of the Company and the Audit Committee of the Board of Directors:
- The internal audit unit prepares a report based on the results of the internal control system assessment;
- The external auditor prepares a letter to management about significant deficiencies identified based on the results of an external independent assessment of the internal control system;
- The internal control division prepares a report based on the results of self-assessment of the internal control system carried out by the structural divisions of the Company.
8. Making additions and changes to the Policy
8.1 When changes and additions are made to legislative acts, regulatory requirements and regulatory documents of the Company regulating the functioning of the internal control system, changes and additions to this Policy can only be made by duly executed decisions of the Board of Directors of the Company. The Board of Directors of the Company may also decide to approve a new version of the Policy.
Appendix 1. ICS components according to the COSO methodology
Internal control, according to the COSO Internal Control-Integrated Framework, consists of five interrelated components that come from the way business is conducted and are associated with the process of its management. The five components include:
Control environment: The control environment creates an atmosphere in the organization that influences staff's awareness of the importance of performing controls. It is the basis for all other components of internal control, providing orderliness and discipline. Control environment factors include integrity, ethical values, management style, the distribution of authority and responsibilities, as well as the management and development processes of the organization's personnel. The effectiveness of the control environment also depends on the attention paid to this issue by the Board of Directors.
Risk assessment: Every organization faces different external and internal risks that need to be assessed. A prerequisite for risk assessment is the definition of goals, therefore risk assessment implies the identification and analysis of relevant risks associated with achieving established goals. Risk assessment is a prerequisite for risk management.
Controls: Controls are the policies and procedures that ensure management's decisions are carried out. They help ensure that necessary actions are taken against risks that may prevent the organization from achieving its goals. Controls are implemented throughout the organization, at all levels and across all functions. They include a range of activities such as approvals, permits, inspections, reconciliations, reports on ongoing activities, asset preservation and segregation of duties.
Information and communication: All necessary information must be identified, formulated and promptly communicated to the appropriate employees so as to ensure that they are able to fully perform their job duties. Information systems also play an important role in internal control because they contain financial, operational and compliance information to help manage and control the business. The issue is not only in terms of disseminating internal company information, but it is also important to inform employees about external events and activities that are necessary to make various decisions. Effective communication in a broader sense must ensure information flows down and up and between departments throughout the organization. It is important that company personnel receive a clearly articulated position from senior management about the importance of fulfilling their responsibilities regarding internal control. It is also important that each employee clearly understands his role in the internal control system, and how the result of his work is related to the activities of other employees. Personnel must be aware of the need to communicate all important information to company management. Effective communication on matters related to the interests of the company must also be ensured with external parties, for example, customers, suppliers, regulators and shareholders.
Monitoring: The internal control system requires monitoring - a process of periodic assessment of the quality of its work. This is achieved through constant monitoring of the quality of execution of certain operations, through separate checks to assess the effectiveness of a particular process, or through a combination of these two options. Continuous monitoring is carried out on a daily basis, including management and supervision activities for the relevant processes, as well as other activities performed by personnel in the course of their duties. The scope and frequency of individual audits depend on the assessed level of the relevant risks, as well as on the results of ongoing monitoring of these operations. Internal control deficiencies identified during monitoring should be brought to the attention of management, and the most significant observations should be communicated to senior management and the Board of Directors.
The close relationship of these components ensures the formation of an integrated system that is able to quickly respond to emerging challenges. The internal control system is an integral part of operating activities. The most effective internal control system is if controls are built into the organization's infrastructure and are part of its essence. Built-in controls enhance the quality and effectiveness of activities, and also help to avoid additional costs and allow you to respond more quickly to certain events.
COSO - The Committee of Sponsoring Organizations of the Treadway Commission, USA
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a voluntary private organization established in the United States and designed to provide appropriate advice to corporate management on critical aspects of organizational governance, business ethics, financial reporting, internal controls, corporate risk management and anti-fraud.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has developed a general internal control model against which companies and organizations, including banks, can evaluate their own management systems. COSO was formed in 1985 with the support of the National Commission on Fraudulent Financial Reporting (Treadway Commission).
The COSO model defines an organization's internal controls as a process undertaken by the board of directors, senior management and other personnel of an organization designed to provide “reasonable assurance” regarding the achievement of objectives in the following categories:
- efficiency and productivity of operations;
- reliability of financial reporting;
- compliance with laws and regulations.
The COSO model of internal control includes several basic concepts:
- internal control is a process. It is a means to an end, not an end in itself;
- internal control depends on people. It represents not only policy manuals and forms, but also people at all levels of the company;
- internal control can provide management and the board of directors of the company only with reasonable assurance, not absolute guarantees;
- internal control is aimed at achieving objectives in one or more separate but overlapping categories.
The essence of the COSO model can be expressed as follows: you manage when the risk is assessed and managed.
Elements of internal control according to the COSO system include (Table 1):
1) control environment;
2) risk assessment;
3) control measures;
4) collection and analysis of information, as well as its transfer for its intended purpose;
5) monitoring and error correction.
Table 1. Components of the internal control system
Component | Description | Essential elements
---|---|---
Control environment | Awareness and actions of representatives of the owner and management regarding the organization’s internal control system, as well as an understanding of the significance of such a system for the activities of this organization | - reliability, honesty and morality; - competence; - management philosophy and style; - organizational structure; - distribution of rights and responsibilities; - personnel policy and practice. |
Risk assessment | Identification and assessment of possible risks in the preparation of financial statements | - changes in legislation; - changes in business conditions; - assessment of consequences. |
Information and communication | Ensure that staff understand the role of their participation in the process of preparing financial (accounting) statements | - recording, processing, summarizing and presenting the operations of organizations; - distribution of duties; - providing managers at various levels with information.
Control procedures | Provide policies and procedures that help ensure that management orders are followed | - checking the implementation of orders (reports); - data processing; - checking the presence and condition of objects; - distribution of duties. |
Monitoring | Monitoring whether controls are functioning properly. This is the process of assessing the effective functioning of the internal control system over time. | - continuous monitoring; - periodic control. |
The COSO ERM model includes eight components:
- internal environment. The internal environment represents the atmosphere within an organization and determines how risk is perceived and responded to by the organization's employees. The internal environment includes the risk management philosophy and risk appetite, integrity and ethical values, as well as the environment in which they exist;
- objective setting. Goals must be defined before management begins to identify events that may affect their achievement. The risk management process provides reasonable assurance that the company's management has a properly organized process for selecting and setting goals and that they are consistent with the organization's mission and the level of its risk appetite;
- event identification. Internal and external events that have an impact on the achievement of the organization's objectives should be identified in terms of risks or opportunities. Opportunities must be taken into account by management when formulating strategy and setting goals;
- risk assessment. Risks are analyzed based on their likelihood and impact to determine what actions need to be taken to address them. Risks are assessed in terms of inherent and residual risk;
- risk response. Management chooses a method of responding to risk - risk avoidance, acceptance, reduction or sharing - by developing a series of activities that allow the identified risk to be brought into line with the acceptable level of risk and the risk appetite of the organization;
- control activities. Policies and procedures are designed and established to provide reasonable assurance that the risk involved is responded to in an effective and timely manner;
- information and communication. The necessary information is determined, recorded and transmitted in such a form and in such a time frame as allows employees to fulfill their functional responsibilities. There is also an effective exchange of information within the organization, both vertically (top to bottom and bottom to top) and horizontally;
- monitoring. The entire risk management process of the organization is monitored and adjusted as necessary. Monitoring is carried out as part of management's ongoing activities or through periodic assessments.
To summarize:
- COSO attaches great importance to the internal environment;
- COSO places strong emphasis on monitoring of internal control as a form of follow-up control; monitoring is one of the core elements of the COSO model;
- COSO attaches great importance to the work of the board of directors.
The COSO framework "Enterprise Risk Management. Integrating with Strategy and Performance" (COSO ERM, 2017) has gone on sale in Russian at the online bookstore TOTbook.ru. It is available at https://totbook.ru/catalog/345/1136970/
The COSO ERM framework consists of three volumes:
1. Main volume (110 pages)
2. Appendices (30 pages)
3. Executive summary (10 pages)
The COSO ERM framework aims to strengthen the relationship between risk, strategy and company value. It looks at risk in terms of its role in the strategic decisions that ultimately affect the performance of the organization as a whole. The first part of the main volume gives an overview of current and evolving concepts and applications of enterprise risk management. The second part of the main volume, the Framework itself, includes five components that take different perspectives and operating structures into account and help improve strategy and decision making.
The exclusive right to publish and distribute (in printed form only) the COSO framework "Enterprise Risk Management. Integrating with Strategy and Performance" (COSO ERM, 2017) belongs to the Institute of Internal Auditors. The publication and the translation of the text into Russian were carried out with the support of Deloitte CIS.
First, it must be said that there are almost no Russian standards for risk management, internal control and internal audit. I think that is a pity, because there was a lot of interesting material. But it is quite possible to use the bourgeois ones. The key problem lies in the interpretation many specialists give them: for risk management, with an emphasis on financial risks; for internal control providers and internal auditors, with an emphasis on reporting. That is, you need to remember that each standard contains many components and, keeping all of them in mind, you can get significantly more use out of it.
The best-known standards are:
- for risk management: the FERMA standard (Federation of European Risk Management Associations), the COSO ERM standard (COSO: Committee of Sponsoring Organizations of the Treadway Commission; ERM: Enterprise Risk Management), GOST ISO 31000;
- for internal control systems: the COSO IC IF standard (Internal Control – Integrated Framework);
- for internal audit: the International Professional Practices Framework (IPPF; MOPP in the Russian edition).
Where can I read the standards?
Initially, all the standards were, naturally, written in English. However, Russian translations exist.
FERMA: both the Russian and the English versions were once freely available. Website: http://ferma.eu. Now, alas, it has disappeared, but the link below contains the latest one.
In the time I watched it there were several translations. I especially liked that in one translation the sentence
"Although risk identification can be carried out by independent consultants, an assessment carried out internally, with close collaboration between its functions, with consistent and coordinated use of the processes and tools provided, is likely to be more effective."
was replaced with the following (it has since been corrected on the FERMA website; on the Rusrisk website it is still there):
"Identification of an organization's risks is usually carried out by independent consultants. However, the organization's own understanding and analysis of risks is critical to a successful risk management process."
In general, people didn't give a damn. Of course, everyone earns a living as best they can, but the hints that one's own dear self needs financial support could have been subtler.
GOST ISO 31000 is equally easy to find in both Google and Yandex.
COSO standards: only the "conceptual framework" is freely available, in English and in Russian. Website: www.coso.org. An official Russian translation was published in 2015 and is sold by the Institute of Internal Auditors; I haven't read it, it costs 2,000 rubles. Among the "shareware" there is an "official" translation of COSO ERM (quite readable and of good quality, by the way) and an "unofficial" part of COSO IC IF. They are in the closed part of the website of the Institute of Internal Auditors of Russia (http://iia-ru.ru); only IIA members can enter the closed part.
MOPP (IPPF): partly in the public domain (but not all of it; for actually setting up internal audit the usefulness begins with the practice guidance), the rest is in the closed part of the website of the Institute of Internal Auditors of Russia (http://iia-ru.ru). I would note that MOPP, despite its volume, is a fairly easy read (at least for me), and the translation is of very high quality.
In total: all the necessary standards can be obtained in the great and mighty Russian language for 2,500 rubles, the membership fee of the Institute of Internal Auditors. A reasonable price, with bonuses in the form of several interesting presentations. To get a complete set in Russian you will also need to buy one book; the price for Institute members is 1,800 rubles.
A little history.
The COSO IC IF standard was the first to appear in its modern form, in 1992. A new version was prepared in 2013.
For some reason COSO really loves all kinds of cubes. Here is the traditional COSO cube; I deliberately found the worst version (turned upside down, as if it started with monitoring).
The following representation is much more reasonable:
Why is it reasonable? First, the control environment matters for the entire organization. The process itself is quite banal: it is the relationship "risks → control procedures" with the corresponding information support. Second, monitoring must cover the whole internal control process, that is, all the other components.
The FERMA standard appeared in 2002. I like it best because of its small size. A schematic diagram of how this standard works is shown in the picture.
It can also be noted that the FERMA standard does not treat the organization's reporting as a key component (for example, in the classification of risks). The reason is quite banal: European risk managers (and FERMA is their organization) grew not out of financial statement auditors but out of insurers and financiers. That origin, it seems to me, also explains the classification:
Bankers and insurers classify financial risks and hazards as a separate category. Why, I think, is clear. The rest (both internal auditors and COSO), however, grew out of reporting, which is why both the internal audit standards and the COSO standards necessarily contain objectives in the area of reliability of reporting and compliance with legislation.
What happened next (this version is just my opinion). COSO's creative team, having analyzed the new standard, thought something like: everyone already has something about strategy, and we are still dawdling. And in about a year and a half they drew another cube, writing the COSO ERM standard (2004):
To make it clear where everything grows from, here is an additional picture:
In my opinion, everything is obvious. You can also compare the components along the vertical axis of the COSO cube with the sequence of actions described in FERMA.
Five years later, the International Organization for Standardization (ISO) released its own risk management standard. ISO documents are written from the point of view of business (and not of selling consulting services), so, as I understand it, ISO 31000:2009 is the optimal standard in terms of volume versus usefulness, although it requires translation from Russian into Russian. By the way, ISO introduced the principle of risk management into the best-known standard in Russia, ISO 9000, which caused a certain panic in the ranks of quality management system providers.
Internal audit standards have undergone significant evolution over 50 years. It all started with accounting and compliance. The current version is an assessment of risks and of the effectiveness of controls in terms of:
- reliability and integrity of information on financial and economic activities;
- efficiency and effectiveness of activities;
- asset safety;
- compliance with laws, regulations and contractual obligations.
As you can see, three of the components coincide with COSO IC IF (where they arose first, I can't say, I'm not a historian), and safeguarding of assets has apparently been there since 1957 (or since 1947?). I don't know why it should be singled out separately: I don't think activities can be considered effective and efficient when there is theft or loss of assets due to improper storage.
Brief comments on the standards.
It is advisable to read everything. The relatively simple standards in terms of readability are FERMA, ISO 31000 and MOPP. FERMA is simply small in volume; for MOPP you can limit yourself to the Standards (MPSVA, the International Standards for the Professional Practice of Internal Auditing), the practice guidance being only recommendations (albeit strict ones). The readability is explained simply: FERMA and ISO wrote standards for risk managers, the Institute of Internal Auditors for internal auditors. It is highly desirable for both to speak the same language, including to ensure uniformity of approaches. Accordingly, it was better to avoid overly complex constructions and ambiguities, which is what was done.
COSO is a fundamental, multi-volume work; in COSO ERM thanks are expressed to as many as 30 PwC partners. In my opinion, with fewer participating partners the document would have turned out better; as it is, "reverse synergy" arose. The peculiarity of the COSO standards: from the "conceptual framework" nothing is clear at all; what is clear begins only in the very last document (in the case of COSO ERM, the "Application" volume). You need to understand that the authors are auditors and consultants. They have no need to produce a clear standard: why lose revenue? So the reader has to "reach for the phone" of a Partner of a Large Consulting Company. In my opinion, it worked. Note also that, unlike this site, there is no "end-to-end" approach: there is no logic of "here we take a set of risks, here we assess them, here we manage them, here we can audit them." The set of examples is certainly not bad. But if you try to apply them to one business, most likely little will work. By the way, my personal attitude toward the COSO documents is, in general, entirely neutral. There are useful things, but it is really not worth speaking of these standards breathlessly, as some women do in the presence of foreigners.
When setting up risk management I recommend using FERMA, and ISO 31000 where something is not specified in FERMA. Internal control is a special topic; traditionally, COSO IC IF can only be used to generate documents of little use. The problem with COSO IC IF is its interpretation, which is either a control environment philosophy or a reporting philosophy, as commented above. And for internal audit there are supported standards; I signed the code of ethics (as a member of the IIA), so nothing else remains but MOPP.
Why don't I mention SOX?
I have heard of the Sarbanis-Oxley Act. By the way, Sarbanis is Greek, which is why it is spelled that way and not Sarbanes. So, my opinion is that the most brilliant salespeople now work at the Big4.
Let's remember how SOX came into being. It appeared as a result of absolutely fictitious reporting by a bunch of companies. As to why this happened, my opinion and that of a fellow expert differ. I believe it was absolute unprofessionalism and a thirst for profit: clearly, someone else from the Big5 could easily have taken over the reporting along with the consulting contracts for the same money. And the destruction of the auditor's working papers speaks volumes.
My colleague notes that there are at least several systemic shortcomings in audit management and gives several arguments that the reports could have been confirmed without any major deal with one's conscience:
- little time to complete the audit. The exchange demands "come on, come on"; speeding up the period close is an interesting consulting topic. This, it seems to me, is the most harmful thing, because it actually contributes to unreliable reporting and leaves no time for the usual control procedures for checking documents ("downstairs", all documents must be completed in 1-2 days);
- staff qualifications. Everything is checked by interns, each assigned to an area. The flows are large, and businesses that inflate their financial results need to be caught by forensic specialists rather than plain auditors. Given the time allotted for the audit, the reports would quite likely be confirmed without malicious intent. And the senior colleague who was supposed to confirm the internal control system did so through formal compliance tests, of which all auditors have plenty. The result of quality control is that the working papers are filled in, and it is good that no one could go into much detail on non-standard transactions: the internal control system is up to standard, the sample is random;
- partners' requirements. Yes, of course, there were errors and inconsistencies. Was that enough to declare the statements fake and quarrel with the client? Each individual defect, given a small sample, perhaps not. But no one even looked at them in aggregate.
Be that as it may, the result is simply amazing. Instead of "giving a good shake-up" (as A.G. Lukashenko, President of the Republic of Belarus, said about his parliament) to the entire audit community, additional demands arise not on the auditors who covered up the fraud but on the companies themselves (including those that lived honestly). And these requirements are formulated, oddly enough, by the auditors themselves. Naturally, the requirements are formulated in such a way that auditors are needed again (well, that is, they are called consultants, but they sit in the neighboring department of the same audit firm). Then everything is obvious.
Bottom line: in addition to a formal accounting audit, every public company had to order the setting up of internal controls according to SOX (or hire staff, which is also not cheap). At the same time, the cost of the external audit increased, since the standard hours for assessing the system of internal control over financial reporting increased. And, as far as I know, even if the system of internal control over financial reporting is tested inside and out by internal audit, there is no fundamental reduction in the cost of external audit services.
By the way, the Big4 no longer provide audit and consulting services to the same organization. So, in effect, the cost of consulting services for business has increased (the "cheaper in bulk" principle has been abolished).
In general, the key result of an audit scandal caused by auditors is an increase in auditors' revenue. "It's great, isn't it?" (© Zaitsev sisters, Comedy Club). That's why I try not to use the word SOX.