Information included in the reports of the internal control service. Modern problems of science and education. Characteristics of the accounting system as an integral part of the internal control system at the enterprise
The effectiveness of management decisions largely depends on the reliability of accounting and management reporting. Distortion of data in reporting may be due to errors in the processing of primary documents, incorrectly structured business processes of the company, or dishonest behavior of personnel. The introduction of an internal control system will ensure the reliability of financial information, as well as reduce the risks of making erroneous decisions.
In this article you will learn:
Building an internal control system (ICS) involves identifying the most significant risks (which may lead to financial losses), developing control procedures, and creating a system for testing the effectiveness of control procedures.
Personal experience
Vera Troshina, Deputy General Director for Economics, Commerce and Finance of Azov Sea Port OJSC
An internal control system is necessary for both independent legal entities and groups of enterprises with centralized management. Despite the fact that ICS has become widespread in foreign practice, few financial directors and top officials of Russian enterprises realize its necessity. This is explained by the fact that the effect of implementing internal control procedures cannot always be obtained instantly and can be quantified.
For our company, the decision to use an internal control system was dictated by the need to implement a quality management system (ISO 9000/2001). The first results of applying internal control procedures were obtained in the field of logistics, the costs of which amount to tens of millions of rubles (the second largest item in the company's budget). As a result, the savings amounted to about 5–8%.Igor Mironov, Head of Internal Audit Department at SABMiller (TransMark LLC and Kaluga Brewing Company LLC)
SABMiller is implementing documentation of internal controls within the framework of the requirements of the Sarbanes-Oxley act (see information about this law - Editor's note).
The project to certify the internal control system for compliance with the provisions of the Sarbanes-Oxley act in our company is designed for a period of more than two years and is approximately halfway through its journey. Now we are describing key business processes, identifying risks and documenting internal controls. In subsequent stages, the effectiveness of the control will be checked.
When organizing an internal control system, I would advise focusing on preventive control rather than subsequent (detective control) control in the company. The costs of preventive control are fully compensated by the losses prevented.Mikhail Podlazov, financial manager at Baltic Beverages Holding AB (St. Petersburg)
An internal control system is necessary for a company primarily to manage the performance of departments. It must solve five main tasks in the company:
- ensuring the reliability and reliability of information;
- protection of assets and property;
- efficient use of enterprise resources;
- ensuring compliance of work performed with company policies, procedures and regulations;
- assisting managers in achieving the company's goals and objectives.
Conventionally, the process of implementing an internal control system includes four main stages:
- determination of control directions;
- description of business processes;
- risk analysis and control;
- testing the quality of internal control systems. Let us dwell in more detail on the listed stages of implementing an internal control system, as well as the problems that a company may encounter during this work.
Determination of controlled activities
The implementation of an internal control system should begin with identifying the divisions and areas of activity for which control procedures will be developed. The introduction of control procedures in all departments and areas of activity will lead to the fact that the implementation of such a project will require significant costs, most of which will not pay off. For example, in a manufacturing enterprise, it makes no sense to implement control methods for the HR department. As a rule, ICS is used in sales, supply, production, accounting and treasury departments, that is, in those structural units that are directly related to reporting, managing cash and inventory flows in the company. The issue for a group of companies is resolved in a similar way. The composition of the areas of activity of the enterprise for which control procedures will be introduced is determined by expert means. The experts can be heads of departments or the general director of the company, that is, those specialists who have experience and knowledge of business processes that are more susceptible to various risks.
Personal experience
Sergei Kachalov, financial controller of the company "Pharmacy 36.6"
The internal control system will be incomplete if it does not cover the activities of all company employees, regardless of the work they perform. This allows you to manage the maximum number of risks to which the company’s activities are exposed.
Once the boundaries of the internal control system have been determined, a work schedule is drawn up and a working group is formed to develop control methods. It can be recommended to include an internal auditor and a specialist in risk analysis and identification in its composition, as well as to involve as experts the heads of those functional departments for which control procedures are created.
Description of business processes
In order to build an effective internal control system, there is no need to describe all the business processes of the departments that have been selected for the implementation of internal control procedures. In such a situation, the ICS will be unreasonably cumbersome and unmanageable. To limit the composition of business processes, significant accounts should be identified. These are accounting or management accounts, the distortion of information on which can mislead the company's management or potential investors. In addition, these may be accounting accounts whose turnover for the period is more than 10% in relation to the company's revenue. Expert judgment may also be used to determine the materiality of accounts. For example, the company's activities depend on the patents and licenses it uses, the value of which does not exceed 5% of the balance sheet currency. However, the patent and license accounts will be classified as significant, since the effectiveness of control over these assets will depend on the results of the enterprise.
The next step in the process of building an internal control system should be a description of the business processes associated with the reflection of information on significant accounts. It should be noted that the description of business processes should be as detailed as possible and take into account the movement of individual documents within the company 2
Personal experience
Natalia Startseva, Vice President for Finance at Gamma Management Group (Kaliningrad)
The main problem we encountered when organizing an internal control system in the company was the lack or not very clear content of internal standards and regulations. The first task of the internal control service employees was to develop a system of in-house standards. After the approval of such standards as the regulations on document flow, regulations on the budgeting system, accounting policies (separately for accounting and management accounting), regulations on the submission of periodic financial statements to the board of directors, regulations on the internal audit of the company, the “rules of the game” became clear to everyone, and the internal control service received a real tool for organizing its work.
The matrix management system and the direct reporting of the internal control service to the board of directors make it possible to have prompt and objective information about the compliance of the company’s activities with current regulations and to correct the actions of managers in case of their violation.
The main task that must be solved during the description of business processes is a visual representation of all the work performed by department employees, in order to subsequently, based on this data, identify areas associated with the risk of unreliable information or significant financial losses.
Risk analysis and control
The company's business processes are analyzed for the existence of risks that could lead to significant financial losses for the company 3 .
Personal experience
Mikhail Podlazov
It should be noted that attention should be paid only to those risks that can actually lead to significant financial losses or distort financial or management reporting. In my practice, there was a case when the internal auditor insisted that storing spare parts in one of the warehouses was associated with the risk of their loss due to cracks in the floor of the warehouse. During the analysis of this risk, it turned out that the floor in the warehouse was covered with tiles, and cracks meant holes at the junction of the tiles. Obviously, the only losses that a company can incur due to identified “defects” in the floor are the loss of one or two nuts worth a few kopecks. Of course, no procedures were introduced to control this risk.
The risks associated with certain business processes can be most accurately identified by analyzing the information accumulated by the company about negative events (errors in reporting, theft, damage to inventory, etc.), the frequency of their occurrence and the amount of damage caused.
However, such a situation can only exist in companies that have implemented a quality management system. An enterprise that, until the introduction of an internal control system, did not carry out systematic risk management, usually does not have such statistical data. In such a situation, risk identification can be completely entrusted to experts - heads of departments. For example, a chief accountant who has worked in a company for a long time can always predict quite accurately where an error could have been made if the asset and liability items do not match. Experts will also be required to assess the frequency of occurrence of adverse events and the likely damage. At the stage of implementing an internal control system, expert assessments of existing risks may have a large error. However, in the future, having introduced an internal control system and accumulated a sufficient amount of data on errors that occurred in the work of departments, the composition of risks and their significance can be assessed with high accuracy.
For the most significant risks associated with serious financial losses, control procedures are developed 4 .
As a rule, the implementation of control procedures involves the creation of additional levels of approval. For example, in order for an accountant to make a payment on an application from a production unit, it must be endorsed by the financial director. Control procedures may also include the distribution of responsibilities. For the procurement process, control will boil down to the fact that the customer is the company’s production division and it also controls the quality of the purchased materials; the search for a supplier and work on supply contracts is carried out by the procurement department, and the payment process is controlled by the financial director.
Personal experience
Sergey Pustovalov, Financial Director of Bridgetown Foods CJSC (Moscow)
An example of internal control is the formation of reconciliation reports with debtors. It would seem like a simple and understandable tool, but not all enterprises create reconciliation reports with all their counterparties. The absence of such acts can lead to the following situation. Suppose the debtor company has counterclaims to the enterprise, for example, an advance has been paid on account of a future delivery. If in the near future the debtor company goes bankrupt and a liquidation commission is formed, then it will be extremely difficult to recover the advance received without reconciliation reports. And it is almost impossible to prove that this advance should be offset against repayment of previously incurred receivables.Mikhail Podlazov
The effectiveness of the control procedures created will depend on the implementation of the following factors:
- the responsibility of officials for the implementation of control procedures is clearly defined and understood;
- access to information or action is limited;
- all transactions are authorized in accordance with accepted regulations;
- there is a documented description of control procedures;
- control, execution and decision-making tasks are distributed among employees.
It is important to note that in order to implement the created control procedures, they must be documented. The description of the control procedure must contain the following basic provisions: control objectives; sequencing; frequency of control; employee responsible for control; a document that reflects the fact of control (for example, an approval sheet).
Personal experience
Igor Mironov
Our company conducts an assessment of the most significant risks annually. A sample fragment of a summary report on existing risks, established control procedures and planned audits is presented in the table on p. 16.
Testing the quality of implemented control procedures
An effective internal control system involves testing control procedures and assessing their quality.
Testing of the control system is carried out in two directions:
- compliance with the developed regulations of control procedures;
- occurrence of errors in reporting that were not prevented by the control system.
Compliance with the developed regulations is assessed through a random check of documents that should reflect the fact of control. For example, for a number of payment orders, the presence of correctly executed and signed approval sheets is checked.
The occurrence of errors in reporting is identified during an audit of reporting and primary documentation.
Personal experience
Igor Mironov
After an audit of existing control procedures has been carried out, an audit report is generated, which contains the following sections: audit comments; potential risks; risk rating (high, medium, low); auditors' recommendations; planned management actions; date of elimination of the comment; responsible person. First of all, the report is discussed with the managers of the departments for which there are comments. It is extremely important to get an answer from them: do they agree with the comments made and in what time frame will actions be taken to correct the shortcomings. Only then is the report presented to the company's board of directors and audit committee.
Table Risk assessment
Buisness process | Main risks | The likelihood of the risk materializing and the degree of impact on the business before implementing the ICS | Risk control | The likelihood of the risk materializing and the degree of impact on the business after the implementation of the ICS | Management Requests for Audits | Date of last audit |
Sales | ||||||
Shipments products |
Shipments with incorrect invoices |
Separation of responsibilities for preparing trade documents and monitoring shipments. Sales are confirmed by contractual relations |
Conducting an audit annually |
I quarter 2005 |
||
Providing discounts |
Providing discounts not determined by the discount policy |
A procedure for monitoring the provision of discounts has been developed and is being followed. Management regularly checks its implementation |
Audit at the request of the commercial director |
- | ||
Finished goods warehouse management |
Overstocking or shortage of goods |
Sales and production planning (purchases). Analysis and forecast |
Annual audit |
IV quarter 2004 |
||
Production |
||||||
Purchase of raw materials and materials |
Poor quality or expensive raw materials |
Tender for suppliers. Monitoring prices on the market. Quality control |
Audit at the request of the Purchasing Director |
It should be noted that during the first half of the year from the moment of implementation of the system, monthly testing of control procedures is necessary. This will eliminate errors made during development. In the future, testing of the internal control system can be carried out every six months.
Personal experience
Mikhail Podlazov
The audit system must be built based on the significance of the risks being controlled. In our work practice, all divisions of the company were divided into three groups depending on the size and volume of cash flows. For the first category, audits of control procedures and processes themselves are carried out once a year, for the second category - once every two years, for the third - once every three to five years.
Based on the test results, a report on its results should be drawn up, which also includes recommendations for eliminating identified deficiencies in control procedures.
Automation of internal control
Strict implementation of the developed control procedures can be ensured by introducing information systems. For example, an information system can provide electronic document management and block payments that have not been authorized, or prevent the generation of documents necessary to ship products to the buyer if he has exhausted his credit limit.
There is also software that allows you to test created control procedures, for example Aris Audit Manager; There are separate modules in Axapta, SAP, Oracle.
Personal experience
Igor Mironov
In our practice, we use the Team Mate program developed by Pricewater-houseCoopers. This system allows you to automate audit activities at all stages: from planning an audit and conducting audit tests to generating audit reports and subsequent monitoring of management actions.
In conclusion, it should be noted that the effective operation of the internal control system will largely depend on the unit testing the created procedures. As a rule, these tasks are assigned to the internal audit service. In order for the testing results to be objective, this division must be directly subordinate to the owners of the business, that is, its work should not be influenced by the decisions of the company’s top management.
How to describe business processes to build an internal control system
Interview with the internal auditor of the Moscow Cablecom representative office Peter Skuridin
- What caused the need to implement an internal control system in companies?
- The very idea of building internal control systems is not new for the business community - the main approaches were developed by COSO 5 15-20 years ago. Now it has become widespread due to the adoption of the Sarbanes-Oxley Act in the United States, which provides for the liability of top officials of the company. For example, if it turns out that the company’s reporting was deliberately distorted, then its manager faces a fine of up to $5 million or imprisonment of up to 20 years.
The shares of our management company are listed on the American stock exchange. Initially, management's report on the level of internal control was required to be provided as at 31 December 2005. However, the US Securities and Exchange Commission decided
Delays the effective date of Section 404 of the Sarbanes-Oxley Act for certain types of companies until December 31, 2006.
Peter, why is it necessary to describe the business processes of an enterprise when creating an internal control system?
- The main task of describing business processes is to accurately identify actions within business processes that carry risks. It should be noted that one business process, as a rule, involves several departments. If we tried to identify risks, for example, based on the organizational structure of the company, we would not take into account many risks associated with all kinds of conflicts between divisions, which means the internal control system would be ineffective. In our company, business processes are described without using specialized software in Visio (see Figure 1).
Figure 1. Example of business process description
But a visual representation of a business process is not enough. A detailed description of the process is necessary to eliminate inaccuracies in its interpretation, as well as to agree on this description “as is” with the process owner and issue step-by-step confirmation. For example, the business process for making payments shown in Figure 2 includes a cash plan, an application for payment, an invoice for payment, a payment order, a bank statement and other documents that make it possible to track how one transaction passes through various accounting systems and is reflected in documents Links link step-by-step confirmations to process descriptions, allowing you to illustrate virtually any step in the process.
Figure 2. Description of the business process “Payment of funds from current accounts”
- Once business processes are described, how to identify their inherent risks?
- Unfortunately, analysis and identification of risks are always expert assessments. Risk libraries are maintained by the Big Four companies, but even they do not always provide sufficiently detailed solutions. The fact is that the risks of any enterprise are associated with industry specifics. One day, quite by accident, I purchased a book by L.V. Sotnikova in a bookstore in Veliky Novgorod. “Audit of cash transactions”, which described examples of control procedures and signs of deficiencies in the control system, on the basis of which risks in the payment of funds can be identified. The cash disbursement process has many common steps for companies operating in different industries, but this example is rather an exception. Therefore, risks are identified and described based on audit experience. An auditor who has worked in the same industry for more than three years can be considered experienced.
For each risk, a significant account is determined, the data of which may be distorted as a result of the occurrence of a risk event. As a rule, different companies use different methods for determining the materiality of financial statements. For example, accounts may be considered significant if their turnover or balances exceed 5% of profit before deduction of income tax, dividends and interest on loans. Another criterion for the materiality of an account is the liquidity of the assets and liabilities recorded on the account. Let's say that funds have high liquidity and, therefore, are associated with high risks of loss. Therefore, cash accounts can always be considered significant. It is also necessary to analyze the existing control procedures (see table).
Table Description of risks and existing control procedures
Risk <1> | |||
Payment for unordered goods and services |
2. Payment for unordered goods and services (change of requirement) |
3. Unauthorized access to the Bank-Client system |
4. The accountant does not carry out the operation to write off the debt or carries out an inaccurate amount |
Description of the risk | |||
The Contractor will create a demand for payment for goods and services not ordered by the company for personal purposes |
The payment request will be changed after approval, which may result in a purchase not ordered by the company |
An employee who has the right to access the treasury premises will create a payment order to pay for goods and services not ordered by the company for personal purposes |
The accountant will not carry out or will carry out an inaccurate amount of the operation to write off accounts payable |
Name of business process step | |||
Creating a request for payment and transferring documents to the accounting department |
Creating a payment order |
Wiring Dt XX Kt 51.XX |
|
Significance of risk | |||
Detailed description of control procedures, goals, frequency of control | |||
Coordination of payment requirements. The purpose of control: to prevent loss of assets. Description of the control procedure: once a requirement is created, it becomes available for viewing. The requirement is checked by: the head of the department, the head of the department, the budget controller. A requirement moves to the next level of approval only if it is agreed upon at all previous levels. Monitoring frequency: for every requirement. Incoming documents: request for payment |
- | Approval of payment order. The purpose of control: to prevent loss of assets. Description of the control procedure: as soon as a payment order is created, it becomes available for approval in the distributed Bank-Client system. The requirement is approved by officials who have the right to sign payment orders. When approved by the last official, the payment order is automatically sent to the bank. Monitoring frequency: for every requirement. Incoming documents: payment order template with payment details | Reconciliation of settlements. The purpose of control: an accurate reflection of the state of calculations. Description of the control procedure: the accountant carries out reconciliation with the counterparty on a quarterly basis. Monitoring frequency: quarterly. Incoming documents: postings, primary documents |
Evidence of control implementation (document/file)< | |||
Signature of the requirement by each employee who carries out the approval | - | Mark on approval of the payment order in the “Bank-Client” system | Reconciliation report of mutual settlements, quarterly analysis of reconciliation with debtors/creditors |
Control covers risk | |||
- | Yes | Yes | |
Effectiveness of the selected control procedure | |||
- | |||
Substantial account | |||
Cash |
Accounts payable |
||
The control procedure is ineffective, since the selection of counterparties is made only on the basis of large balances of debtors/creditors and does not take into account large turnovers. Improve instructions on the reconciliation procedure with counterparties |
|||
<1>The numbers correspond to the risk number on the business process diagram. - Note editors. |
- Do your tasks include the development of control procedures?
- Not always, our department gives recommendations on how to eliminate existing shortcomings, and the methodology and implementation of control procedures are, as a rule, the responsibility of the heads of functional departments. However, there are situations when we formulate recommendations for improving the control system and facilitate their implementation.
Our traditional question: what can be advised to companies that are just starting to implement an internal control system?
- Description of business processes in the form of creating written regulations, procedures and instructions that define the order in which the process is carried out is the starting point for any company when creating an internal control system. Only after describing the financial, as well as the basic processes of procurement, production and sales using the example of a manufacturing company, can you begin to identify risks.
Interviewed by Alexander Afanasyev
1 The text of the standard, as well as basic information about the activities of the International Federation of Accountants (IFAC), can be found on the website www.ifac.org. – Note editors.
2 For more details, see the interview “How to describe and optimize business processes” (“Financial Director”, 2003, No. 7–8, p. 30). - Note editors.
3 On the analysis of business processes in order to identify risks, see the article “Ensuring Business Continuity” (“Financial Director”, 2003, No. 9, p. 26). - Note editors.
4 On company risk management, see the article “Building a corporate risk management system” (“Financial Director”, 2005, No. 2, p. 27). - Note editorial staff
5 The Committee of Sponsoring Organizations of the Treadway Commission (for more information, see www.coso.org) is a non-profit organization established to develop recommendations to improve the quality of financial reporting by establishing internal control procedures and improving corporate governance. – Note editors.
The issues of creating internal control systems in organizations began to be actively discussed in the professional community from the moment the provisions of Art. 19 of the Federal Law of December 6, 2011 No. 402-FZ “On Accounting”. Despite the availability of publications on this topic, many business entities do not fully understand the need to form an internal control system and the mechanism for its implementation. Therefore, we consider it necessary to provide some clarifications and recommendations on the implementation of an internal control system and its reflection in the accounting policies of organizations.
First of all, you should pay attention to the fact that the Law separates the concepts of internal control of the facts of economic life and internal control of accounting.
Regarding the first, the Law establishes that “an economic entity is obliged to organize and carry out internal control of the ongoing facts of economic life” (clause 1 of Article 19).
Regarding internal control over the functioning of the company’s accounting system, clause 2 of Art. 19 of the Law determines that “an economic entity whose accounting (financial) statements are subject to mandatory audit is obliged to organize and exercise internal control over accounting and preparation of accounting (financial) statements.”
It should be noted that to date, many existing regulatory documents are associated with the concept of internal control, the main of which are:
- Art. 19 “Internal control” Federal Law of December 6, 2011 No. 402-FZ “On Accounting”;
- a list of terms and definitions used in the rules (standards) of auditing (approved by the Commission on Auditing under the President of the Russian Federation on December 25, 1996);
- clause 41 and clause 42 of Rule (standard) No. 8 (Resolution of the Government of the Russian Federation of September 23, 2002 No. 696 “On approval of federal rules (standards) of auditing activities”);
- paragraphs 15-18 art. 38 of the Federal Law of November 29, 2001 No. 156-FZ “On Investment Funds”;
- Art. 10 of the Federal Law of February 7, 2011 “7-FZ “On Clearing and Clearing Activities”;
- Art. 9 of the Federal Law of December 1, 2007 No. 315-FZ “On Self-Regulatory Organizations”;
- Art. 85 of the Federal Law of December 26, 1995 No. 208-FZ “On Joint-Stock Companies”;
- Regulation of the Central Bank of Russia dated December 16, 2003 No. 242-P “On the organization of internal control in credit institutions and banking groups”;
- information of the Ministry of Finance of the Russian Federation dated September 14, 2012 “On the disclosure of information about the risks of an organization’s economic activities in the annual financial statements (PZ-9/2012)”;
- system of internal control in banks: fundamentals of the organization (Basel Committee on Banking Supervision, Basel, September 1998) Risk Management Subgroup of the Basel Committee on Banking Supervision;
- clause 16 of the plan of the Ministry of Finance of the Russian Federation for 2012-2015 for the development of accounting and reporting in the Russian Federation on the basis of International Financial Reporting Standards (approved by order of the Ministry of Finance of the Russian Federation dated November 30, 2011 No. 440);
- Order of the Federal Commission for the Securities Market dated April 4, 2002 No. 421/r “On recommendations for the application of the Code of Corporate Conduct”;
- Art. 5 of the Federal Law of December 30, 2008 No. 307-FZ “On Auditing Activities”.
The very concepts of “internal control” and “internal control system” are quite new for domestic business. In general, these terms come from auditing practice.
Internal control system (ICS) is a set of organizational structure, methods and procedures adopted by the management of an economic entity as a means for the orderly and efficient conduct of business activities, which also includes supervision and inspection organized within a given economic entity by its forces:
The internal control system in an organization usually includes the following elements:
Control environment includes the official position, awareness and actions of representatives of owner and management regarding the internal control system, as well as understanding of the significance of such a system. The control environment influences employees' control consciousness. It is the basis for an effective internal control system that ensures the maintenance of discipline and order. The following is the composition of the main elements of the organization’s control environment (Table 1).
Table 1. Composition of the organization's control environment
Risk Assessment Process represents the identification and, if possible, elimination of risks in business activities, as well as their possible consequences. It should be taken into account that risks can be associated with both external and internal events and circumstances. The list of main factors considered in the risk assessment process is given in Table. 2.
Table 2. Key factors considered in the risk assessment process
p/p | Circumstances influencing the emergence or change of risks | |
---|---|---|
1 | External | Changes in the environment of a business entity (macroeconomic changes, including those associated with changes in the regulatory environment, can lead to changes in competitive pressure and significant changes in risks) |
2 | Domestic | New personnel (new employees may have a different point of view on the internal control system or different priorities). |
3 | Domestic | Introduction of new or changes to existing information systems (significant and rapid changes in information systems can also change the risks associated with the internal control system). |
4 | Domestic | Rapid growth and development of a business entity (existing controls may not cope with the increased volume of operations and contribute to an increase in the risk of their non-compliance with new operating conditions). |
5 | Domestic | New technologies (the introduction of new technologies into production processes or information systems may change the risk associated with the internal control system). |
6 | Domestic | New approaches to conducting business activities, new types of goods, works, services (the development of new types of activities, products in which a person has little experience may cause the emergence of new risks associated with the internal control system). |
7 | Domestic | The reorganization of a business entity may be accompanied by a reduction in the number of personnel and changes in the distribution of responsibilities and control functions performed by employees: these may also affect the risk associated with the internal control system. |
8 | External and internal | Expansion of operations abroad (expansion of the volume of business transactions abroad and the opening of subsidiaries, branches, investments in foreign enterprises entail new and, as a rule, unusual risks that may have an impact on the internal control system, for example, additional or changed risks in as a result of transactions with foreign currency, additional or changed risks due to the peculiarities of foreign, including tax, legislation). |
9 | External and internal | New principles, standards, regulations, instructions in the field of accounting and reporting (the adoption of new accounting principles or their changes may affect the risks associated with the preparation of financial (accounting) statements). |
Recommendation: When identifying possible risks, management considers their importance, the likelihood of their occurrence and how to manage them. Management may formulate plans, programs, or take appropriate actions to address these risks, or decide to ignore the risks because the controls available to them are expensive or for other reasons.
The information system, including those related to the preparation of financial (accounting) statements, ensures that employees understand the duties and responsibilities associated with the organization and application of the internal control system. The main component of the system is the function of informing personnel about the importance of their participation in processes and the connection of their actions in the information system with the work of other employees, as well as an understanding of ways to convey information about any exceptional situations to managers at the appropriate level.
The functioning of information systems related to the preparation of financial (accounting) statements is ensured by the following means:
- technical means;
- software;
- staff;
- relevant procedures;
- databases.
The list of the main functions of information systems aimed at organizing internal control is given in Table. 3.
Table 3. Main functions of internal control information systems
p/p | Functions of information systems |
---|---|
1 | Identification and recording of all legitimate transactions. |
2 | Timely and sufficiently detailed recording of transactions, which allows for proper classification of transactions for further inclusion in financial (accounting) statements. |
3 | Carrying out an assessment of accounting objects in such a way that the relevant information can be included in the financial (accounting) statements in the appropriate amount. |
4 | Determination of the time period in which transactions took place, which allows them to be attributed in accounting to the corresponding reporting period. |
5 | Proper presentation of transactions and related disclosures in financial statements. |
Table 4. List of methods and procedures used in control actions
p/p | Methods and procedures used in control activities |
---|---|
1 | Checking progress Such control actions include:
|
2 | Data processing A variety of control procedures regarding information processing are performed to verify the accuracy, completeness and authorization of transactions and are divided in the field of information systems into two large groups of controls:
|
General controls An information system typically includes controls over:
These controls apply to mainframe computers, minicomputers, and end-user computers on local area networks. Examples of such general controls are:
|
|
Application Controls apply to the processing of certain types of information. These controls help ensure that business transactions carried out have been fully authorized and accurately recorded and processed. Examples of application controls are:
|
|
3 | Checking the presence and condition of objects These control actions are aimed at ensuring the safety of assets, including:
|
Table 5. List of activities related to monitoring controls
p/p | Activities Related to Monitoring Controls |
---|---|
1 | Monitoring management to ensure that bank reconciliations are prepared on a timely basis; |
2 | assessment by internal auditors of the compliance of the actions of sales personnel with the organization's policies regarding certain terms of contracts with customers; |
3 | overseeing the compliance of personnel actions with the organization's ethics or business practices policies; |
4 | regularly assessing the organization and application of controls, as well as taking necessary corrective actions in relation to controls due to changes in business conditions; |
5 | monitoring activities may include the use of information obtained from outside; |
6 | Management, when monitoring, may also take into account reports from external auditors regarding the internal control system; |
7 | Internal auditors or personnel performing similar functions regularly provide information on the functioning of the internal control system, focusing primarily on the assessment of the organization and the application of the internal control system, provide information on the strengths and weaknesses of the internal control system, and make recommendations for its improvement. |
Recommendation: The personnel information system can take such forms as internal regulations, guidelines for the preparation of financial (accounting) statements, instructions and guidelines. Information can be brought to the attention of employees using electronic communications, orally, and through instructions from management.
Control actions include policies and procedures that help ensure that management's directives are followed (for example, that necessary actions are taken to address risks that may interfere with the achievement of objectives). Control activities, carried out manually or using information systems, have different purposes and are applied at different organizational and functional levels.
Monitoring Controls includes monitoring whether they are functioning and whether they have been modified appropriately when necessary. Monitoring of controls is the process of assessing the effective functioning of the internal control system over time.
In accordance with the above approaches and recommendations for the formation and assessment of the work of internal control systems, it is necessary to pay primary attention to the compliance of the internal control system built in the organization with the current regulatory document and the main ideological “message” embedded in it - the desire to minimize risks in business activities and timely detection of violations .
Bibliography
- Federal Law of December 6, 2011 No. 402-FZ “On Accounting”.
- Decree of the Government of the Russian Federation of September 23, 2002 No. 696 “On approval of federal rules (standards) of auditing activities.”
- Federal Law of November 29, 2001 No. 156-FZ “On Investment Funds”.
- Federal Law of February 7, 2011 No. 7-FZ “On Clearing and Clearing Activities”.
- Federal Law of December 1, 2007 No. 315-FZ “On Self-Regulatory Organizations”.
- Federal Law of December 26, 1995 No. 208-FZ “On Joint Stock Companies”.
- Regulations of the Central Bank of Russia dated December 16, 2003 No. 242-P “On the organization of internal control in credit institutions and banking groups.”
- Information from the Ministry of Finance of the Russian Federation dated September 14, 2012 “On the disclosure of information about the risks of an organization’s economic activities in the annual financial statements (PZ-9/2012).”
- Internal control system in banks: fundamentals of organization (Basel Committee on Banking Supervision, Basel, September 1998). Risk Management Subgroup of the Basel Committee on Banking Supervision.
- Plan of the Ministry of Finance of the Russian Federation for 2012-2015 for the development of accounting and reporting in the Russian Federation on the basis of International Financial Reporting Standards (approved by order of the Ministry of Finance of the Russian Federation dated November 30, 2011 No. 440).
- Order of the Federal Commission for the Securities Market dated April 4, 2002 No. 421/r “On recommendations for the application of the Code of Corporate Conduct.”
- Federal Law of December 30, 2008 No. 307-FZ “On Auditing Activities”.
List of terms and definitions used in the rules (standards) of auditing (approved by the Commission on Auditing under the President of the Russian Federation on December 25, 1996).
Clause 42 of rule (standard) No. 8 (Resolution of the Government of the Russian Federation of September 23, 2002 No. 696 “On approval of federal rules (standards) of auditing activities”).
All parties using its reporting prepared in accordance with IFRS standards are interested in the availability and effective operation in practice of the internal control system (hereinafter referred to as the ICS) of the reporting enterprise. First of all, these are the owners of the company, who bear the greatest risks and may suffer (financially and reputationally) if internal controls are ineffective, not to mention situations where controls are not developed at all and are absent.
Other users of reporting are potential investors, creditors, suppliers, clients, and employees. All of them are interested in ensuring that the reporting of the enterprise with which they are in any way connected is not subject to fraud and does not contain significant errors, concealment of waste, abuse and inefficiency of management.
After all, the high goal of IFRS to provide users with transparent, neutral and objective information will not be achieved if, for example, the financial statements (hereinafter - FI) contain a biased and one-sided interpretation of business events (such as, say, unjustifiably accelerated recognition of revenue) or deliberately omit important disclosures about events after the reporting date - even if at the same time management maintains the appearance of meeting all the requirements of IFRS standards.
That is why it is critical for every enterprise and its owner to build an internal control system over the process of drawing up financial statements. An effective ICS cannot, of course, completely eliminate motivation distort the reporting (if, for example, management exists for the sake of a large annual bonus or to maintain its leadership position), but it can significantly eliminate opportunities to perform such manipulations.
For information
In some countries, such as the United States, the acronym ICOFR (Internal Controls over Financial Reporting) is familiar to all investors, and an independent audit of internal control systems is an integral and separate part of the annual audit of US public companies.
There, back in 2002, Congress passed a law (known as the Sarbanes-Oxley Act) The Public Company Accounting Reform and Investor Protection Act, which significantly increased the liability of the company and even personally its top management for the presence and functioning of an effective internal control system over the federal district.
Violation of the requirements of this act may lead to criminal prosecution of the company's top managers who personally sign (“certify”) a regular report on the state of internal controls in their company and on the absence of cases of fraud or manipulation of reporting (Management’s Responsibility for Internal Control).
In this article we will focus on the purely practical aspects of building an effective control system. We will not consider internal controls that ensure a company's compliance with various laws, regulations and codes (the so-called compliance controls), or controls designed to ensure high operating efficiency of the company and regulations (the so-called operational internal controls).
What is SVK?
Usually under ICS over financial statements understand a set of procedures and processes aimed at preventing distortion of financial statements and carried out under the supervision of the management of the reporting company itself.
The patron ("sponsor") of the ICS must be the company's key executive and financial officers. Persons appointed by senior management who regularly perform such functions (for example, employees of the internal audit service) should directly support the internal control system and test its effectiveness. The purpose of the effective functioning of the ICS as a whole is to provide reasonable assurance regarding the reliability of financial statements, and the goals of the main types of individual control procedures are to ensure:
Availability of primary records and documents that, in reasonable detail, reliably and accurately reflect the essence of business transactions and procedures for using the company’s assets;
Reasonable assurance that all transactions are recorded in accordance with the procedures prescribed by accepted accounting and reporting principles (for example, in accordance with IFRS standards);
Receipt of economic benefits and expenses of the company only in accordance with the permissions of the relevant management of the company;
Prevention or timely detection of unauthorized acquisition, use or disposal of company assets that may have a significant impact on the financial institution’s performance.
Let's consider the specific tasks that the ICS should solve in relation to individual elements of the financial institution. In relation to the assets presented by the company in its statement of financial position (SFP), the task is to ensure that:
They are actually available;
The enterprise has ownership (or control) over them;
Assets listed at a certain value are highly likely to bring future economic benefits to the enterprise at least in this amount (i.e., they have not depreciated and are reflected at the “correct”, conservative value);
All assets of the enterprise are indicated in full, without omissions;
Their useful life is adequately estimated and, therefore, depreciation is calculated based on the reasonable useful life of the asset;
When the use of an asset changes, the depreciation method and period are revised accordingly.
With regard to obligations and expenses, the task of the internal control system is to provide reasonable confidence in the completeness of their reflection, the correctness of measurement and the competence of authorization for their implementation (by employees on behalf of the enterprise) by the appropriate level of management.
Unfortunately, the work of building an internal control system is not the final project, i.e., after its development and implementation, it itself will not work indefinitely and correctly without regular support. Even if there are correctly identified risks and a competent system of preventive, determinative and corrective controls corresponding to them has been built, constant work is still required to maintain the internal control system. This is due to the high dependence on the human factor, the presence of a huge number of individual, diverse business transactions and the emergence of new situations in which direct fraud by employees, management manipulation of reporting, or computer and unintentional human errors are possible.
Types of controls
Purpose preventive controls is the company’s intention to prevent events that are undesirable for it or to restrain their development. These are active controls that help prevent losses. Examples of preventive controls are:
Division of duties between employees - to eliminate abuse and fraud with reporting (in the absence of such control, there may be a risk of theft of funds and corresponding distortion of reporting, when, for example, the same employee completely prepares payment documents and is responsible for reconciliation with the bank);
System of internal coordination (for example, with other functional departments);
Rules that require you to obtain proper permission from your supervisor to perform certain actions within established limits of authority;
Availability of proper documentation (for example, special formats of vouchers or other strict reporting forms to exclude falsifications that are easily accessible to employees; absence of signed blank forms; pre-numbered document forms, printed to ensure the integrity of serial numbers, etc.);
System of physical control over the safety of assets.
Defining controls are designed to detect unwanted employee actions after these actions have already taken place. Determining controls, while indicating that losses have occurred, are not intended to prevent them. Examples of such controls are:
Scheduled and unannounced inspections by management of the activities of their employees;
Various analyzes (for example, the relationship of financial and subject non-financial information, ratio analysis, investigation of unexpected results in reporting or unusual data, design factor analysis);
Various reconciliations (for example, management reporting data and financial statements by business segments, data from the company’s accounting systems with external sources or counterparties);
Inventory (for example, to check the availability of inventories and fixed assets listed on the company’s balance sheet);
Audit (internal and external).
Corrective controls are aimed at correcting specific errors that have already been made in order to correct the situation, restore an objective picture of the business and eliminate distortions in reporting (for example, corrective intra-group reconciliations of turnover and balances, during which records of activities between branches and subsidiaries of the reporting enterprise are reconciled and corrected).
All three types of controls are important for the effective operation of the internal control system as a whole. From a quality reporting perspective, preventive controls are particularly important because they are proactive in nature (requiring specific actions from employees and/or management) and are explicitly aimed at maintaining the quality of both the production process and the reporting resulting from it. . On the other hand, determinative controls play an important role in providing evidence that preventive controls are indeed functioning as intended and preventing both business losses and misstatements in its reporting. Such specific control activities as control over information systems can be both preventive and determinative (due to the very nature of the IT environment).
In addition to introducing a control system that removes or reduces specific risks (for example, requiring a manager’s signature and permission on an invoice from a supplier before the accounting department prepares payment documents), it is also possible to carry out other measures that generally contribute to strengthening the enterprise’s internal control system. These include, in particular:
Regular reporting. If reporting is prepared not once a year, but quarterly or even monthly, then this can significantly reduce the risks of human and machine errors due to the more frequent use of control procedures and, therefore, increasing the likelihood of detecting views or inconsistencies;
Quick closing. The procedure for quickly closing and generating reports is impossible without clear regulations and specific procedures, where each department and even employee knows its task in the process of forming a financial statement. Such clarity disciplines reporting compilers, each of whom, as in a project chain, expects certain information on his section from its supplier and, in connection with this, develops his expectation of both absolute figures and their relationships (for example, to the last year’s fact and to the plan reporting period) and various ratios.
System construction
In order to correctly and effectively begin work on building an internal control system over a federal district, it is necessary to first analyze and evaluate the status at the “zero point”. It is possible that some control procedures already exist in the company without their formalization, documentation and appointment of employees responsible for their development and maintenance (for example, specialists from the internal control service or internal audit service). In the process of identifying and analyzing existing deficiencies, it is necessary to immediately, without delaying it, begin to think about the design of specific ICS procedures that will allow them to be identified, as well as develop measures to most effectively eliminate and prevent detected deficiencies in the future.
The same steps that are taken at the beginning of the process of building a control system will need to be followed in the event that it is necessary to draw up a management report on the functioning of internal controls at the enterprise (for example, at the request of the board of directors, shareholders, creditors or when generating reporting in accordance with the law specific jurisdiction, such as for public companies in the USA).
Let's present these stages in the form of a table. 1.
Table 1
Stages of analysis and action plan for assessing, constructing and improving the ICS
Stage |
Events |
Planning and scope of the assessment process |
Implement a process for assessing internal controls and appoint a responsible person. Identify all financial statements that are subject to internal controls. Determine the materiality level for each report. Identify the most significant accounts in the chart of accounts, the assumptions regularly used in financial statements, and the main types of business transactions. Build a mapping (correspondence table) of accounts in the chart of accounts and main transactions. Determine organizational approach (who tests what and when) |
Formalization of internal controls |
Document and clarify the understanding, usefulness and significance of internal controls already in place for all significant accounts, groups of accounts and business transactions |
Evaluating the design and operational effectiveness of a control system |
Evaluate the design and operational effectiveness of the existing internal control system over the FS preparation process. Document the assessment results |
Identification and elimination of deficiencies |
Identify, group and evaluate weaknesses that relate separately to the design and operating effectiveness of individual internal controls. Summarize the findings. Correct errors in controls and eliminate deficiencies |
Preparing of report |
Prepare a written management report for the board of directors or shareholders to ensure the effectiveness of the internal control system over the preparation of financial statements |
From this plan it becomes obvious that the company’s top management must implement them, and therefore it is he who is responsible for building an effective internal control system.
Company management cannot delegate this task to external consultants, middle managers, internal control or external auditors. The company's top management should act as a patron of the process of building a control system, while skillfully delegating technical authority to specialists (for example, employees of the internal audit service).
Each of the stages described in table. 1 requires significant effort from management. The problem is that building an internal control system is not a narrow task of one or two specialists, but an event that covers absolutely the entire enterprise. At the same time, there will likely be resistance from various functional services, which will believe that the development and implementation of an internal control system is the task of only accountants or financiers of the company. On the contrary, each functional manager and the managers “under him” must bear their personal responsibility for those internal controls that depend on them and were prescribed by them during the implementation of the ICS.
In the first phase of work, it is necessary to solve all the main organizational tasks, which include - as a best practice - the establishment of an internal audit function, which, unlike the internal control service responsible for compliance and operational efficiency, can concentrate solely on minimizing the risks associated with preparation of financial statements of the enterprise.
An experienced and proven specialist should be placed at the head of the internal audit service, highly preferably with experience in external or internal audit of companies in the same industry as the reporting enterprise. Corporate governance standards recommend that the head of the internal audit service report directly to the board of directors or at least the audit committee of the company, and not to one of the executive directors of the company, including the general or his deputy for risk management. Such a system of subordination will allow the work of the internal audit service to be structured as objectively as possible and to achieve the greatest independence from executive management, while participating in all major management decisions.
In addition, it is recommended that other members of the internal audit team be appropriately trained and have experience in finance, information technology, accounting or auditing. There should also be employees with project management skills and experience. It is desirable that the main employees of the IAS have the appropriate certificates (for example, a certified accountant ACCA, CPA or DipIFR, a certified internal auditor or a certified financial manager).
In any large modern organization, IT controls are so important that at least one IAS employee must be a certified IT specialist. Failures in the operation of large IT systems, especially with “home-written” modification modules, can create significant risks of distortion in the process of forming the company’s financial statements. Therefore, the IAS IT specialist must be competent in conducting simulation testing of the controls of various IT systems used by the company. Such testing consists of “running” fictitious transactions, various business scenarios or fictitious clients through the IT system being tested and then comparing the results obtained for such “simulated” transactions with expectations.
In addition to simulation tests, the enterprise must develop and implement the following IT controls:
Rules for employee access to various types of information, servers and files.
Physical safety of computer equipment and storage media (for example, issuing flexible security cords for employee laptops in order to avoid theft of equipment and official data contained).
Rules and regulations for software development and modifications to it.
Data recovery in case of catastrophic events (for example, a fire in a server room, etc.).
Controls related to the validation of data generated by an employee, a specialist from a related department (for example, budget) or a manager.
Controls related to data processing and reporting.
Other purely organizational steps to build an internal control system over a federal district include:
Providing professional training and training. The leader of the internal control system implementation team (or director of the internal internal control system) should consider the need for training and education for all employees who will be involved in the process. Training should be tailored to the level and type of participation in the ICS implementation project expected of the participants (for example, heads of functional departments and workshops, project managers and individual specialists such as accountants, risk managers or economists).
Development of templates for documentation. It is necessary to develop standard “work papers” and forms that will be used by the project team to document the various processes, their testing findings on the desired types of internal controls for a given risk. Standardization of documentation templates can be achieved by automating documentation development. Such electronic templates, formats and working papers will further significantly speed up the process of specialists working with each of the individual internal controls.
Formalization of sponsorship and supervisory responsibilities of top management. It is necessary to ensure documentation of the role of top management as a sponsor of the process of development and implementation of the ICS in the company. It is necessary to develop in advance formats by which top management will evaluate the progress of the group’s work on the implementation of the ICS; determine when and how project milestones will be monitored; draw up a working “calendar” - an action plan. Work to find shortcomings, identify risks and develop the design of the most effective methods for preventing them includes numerous interviews with many managers and specialists from various functional and line departments.
It is necessary to draw up a competent schedule of such interview meetings as early as possible, which would correspond to the flow of operational processes within the company - from receiving orders from customers (to analyze the period of revenue recognition and the availability of its various components) to the purchase of raw materials (to check the correctness of the method used for calculating the cost of goods sold) and further through the entire technological and operational chain until the preparation of the financial statements.
A timely schedule of interviews, which is broadcast to respondents in advance, along with a request not only to describe the existing situation, but also to think about ways to eliminate or reduce the risks present in it, will allow the owners of the relevant business processes to prepare for a meeting with an IAS specialist to discuss the internal control systems relevant to their departments, and carefully consider ways to introduce or improve certain internal controls. An important element of practical management of the process of building an internal control system is holding regular meetings with detailed discussion of the so-called status reports. This tool allows you to timely identify the status of all individual tasks, steps and stages on the way to a complete identification of problem areas (from the point of view of the reliability of financial statements), grouping of various risks and finding adequate responses in the form of appropriate elements of the ICS, such as preventive or determinative controls. In the process of regular discussion of status reports, tasks for the near and distant future are outlined in terms of the successful and timely completion of the entire project to build a strong internal control system, and problems that units cannot solve on their own or have simply been left out of the zone of their attention and control are resolved. Naturally, such “status” meetings should be entered in advance into the work calendars of all participants in the project to implement an internal control system in the company.
It is necessary to pay special attention to such a component of the ICS formation process as the establishment of new document management procedures and information flows related to the design and operation of the ICS. In particular, it is necessary:
Create a base and channels for broadcasting information about the status of work on the development and implementation of internal controls in various departments from top management to IAS specialists and to linear and functional departments, as well as feedback channels when aggregated information and conclusions are received, for example, from the head of IAS to top management;
Establish procedures for monitoring, review and control over the implementation and ongoing functioning of the ICS by top management;
Implement a mechanism for correcting deficiencies in the process of project implementation for the development and implementation of various individual internal controls;
Create an institute for approval of internal control specialists and all interested parties, as well as obtaining final authorization from top management regarding the practical implementation of this or that control in a particular division.
As we have already mentioned, it is top management that is responsible for the development and implementation of the ICS, even though many functions, such as documenting work processes, identifying bottlenecks, identifying risks, etc., are performed in practice by specialists, for example, service employees internal audit. Therefore, it is necessary to make sure that the company already has (or is creating) a process for communicating all information related to the procedures for forming an internal control system to the very top: representatives of top management responsible for the functioning of an effective internal control system.
This process should include capabilities and documents that allow appropriate members of top management to review, comment on, or otherwise respond to documentation summarizing the progress of the project to implement and maintain the internal control system. In the same system (say, a separate database on the corporate Internet portal) it should be possible for IAS specialists and department heads to respond to comments from top management and for top management itself to give the final go-ahead for the implementation or refusal to implement one or another specific internal control procedures. With such a process support system in place, it will be possible to always analyze the adequacy of the company’s identification of certain risk areas, return to them in the future and, possibly, reconsider your decisions on the design and operation of the internal control system if its partial (or complete) ineffectiveness is discovered after implementation in practice .
Determining the level of materiality
The company must determine for itself what amounts are considered material for each statement. Material is considered to be the level of error or other unintentional misstatement of financial information that would change the opinions and decisions of the company's management or other users of these financial statements with respect to past and/or future economic events.
These levels must be analyzed and established by specialists working on the internal control system in order to formulate exactly those tests of internal control that can prevent and (or) identify all errors and distortions exceeding this level, predetermined by management. Internal control procedures must be adequate in the sense of identifying all material events and ensuring the correctness of their reflection in the financial statements.
At the same time, we must not forget that materiality is not only measured by a quantitative threshold, but also has qualitative criteria. For example, the theft of materials from a warehouse in an amount less than the established “usual” quantitative level of materiality, nevertheless, in itself for the purposes of individual defining tests of internal control should be considered a material event, since minor thefts can be a signal and evidence of larger problems. additions, attempts to conceal shortages, other types of economic fraud and the general weakness and inefficiency of the entire internal control system at the enterprise.
Accordingly, the developed individual internal control procedures should be drawn up taking into account their design, which would allow them to uncover, in addition to large transactions, events that potentially lead to financial distortions in a relatively small amount, but for “dangerous” reasons, such as management waste, mis-grading, fraud on the part of clients, damage to the interests of third parties or simple theft by employees. Such events, in addition to direct damage to the company, can themselves lead to potentially much more material problems, such as large lawsuits from affected customers or environmentalists, sanctions from law enforcement or government regulators, fines, or even revocation of licenses and complete loss of business.
Is it important for FI users to understand such possible consequences of “small” distortions, and for top management to be aware that such phenomena could be revealed by effective internal control procedures? Of course, this is a rhetorical question. That is why building an effective, comprehensive ICS is a necessity for any serious business that is aimed at long-term and uniform sustainable development.
Since the scope of review and the view of external auditors on a company’s financial statements is wider than the “angle of review” of top management used when assessing individual financial statements, it is quite natural that top management, as the main internal user of the statements, should set a lower ( and perhaps a much lower level of materiality, by an entire order of magnitude, for the purposes of the design of relevant internal controls than external auditors set for themselves in the process of conducting substantive tests.
Moreover, different materiality levels must be established for different individual internal controls in order to be adequate and appropriate to the nature and size of the individual items that make up the individual pools of financial statement elements.
For example, with a balance sheet currency of 100 million rubles. external auditors can set the materiality threshold for general physical financial statements at the level of 3 million rubles, but at the same time, the company, for the purpose of establishing an adequate hard currency, will set its own level of materiality in general for general financial statements in the amount of 0.5 million rubles, while for the element “Buildings and structures”, this level will be set at 300 thousand rubles, and for the general financial product element “Accounts receivable” - at 100 thousand rubles.
Speaking about the qualitative criteria for establishing the level of materiality, it should be noted that it is influenced not only by the nature of a particular element of the financial statement (for example, any theft of company assets, and not just over 3 million rubles, should be considered material), but also by its special “ controllability" by management. For example, if top management closely monitors compliance with the operating expenses budget, then all “sub-budget” items may require an even lower level of materiality for the purpose of establishing adequate internal controls. This is the difference between the approach to the formation of concepts about the threshold of materiality for the purposes of designing individual internal controls from the generally accepted definition of materiality in relation to the audited financial institution as a whole.
Role of external auditors
As is known, in the process of conducting an external audit of financial statements, independent auditors make their own assessment of the internal control system of the audited company. This is required by the International Standards on Auditing for a number of reasons: for adequate planning of the audit itself (in terms of determining the scope of work, answering the question “Can an external auditor rely on the ICS and, therefore, reduce the number and depth of substantive tests?”), for identification of potential weaknesses in the company’s reporting (i.e., risks not addressed by an effective internal control system), time frames for carrying out certain audit procedures, and for a number of other reasons.
In this regard, it is quite natural from the point of view of organizing the process of building an ICS, which includes its design, detailed development and implementation, to involve external auditors as, if not direct consultants (which may be prohibited due to the need to maintain the independence of the external auditor essence and form of relationship with the client), then at least as a party providing a qualified professional opinion on the level of quality developed by the ICS company.
If the company's external auditor is involved in the process of developing the internal control system from the very beginning, both parties will undoubtedly receive benefits from such cooperation. Auditors will have access to the process of forming the internal control system starting from the planning phase, which will allow them to point out to the company the need to develop and implement certain internal control procedures, which, as auditors know based on the history of working with a given client, have often caused the greatest number of problems and errors in the past in accounting and financial reporting. If the auditor has been involved in the design of the internal control system from the outset, he will naturally be able to rely on its use with greater confidence and, as a result, reduce the scope of his own audit procedures. And this is a direct benefit for the company, both in terms of improving the process of preparing financial statements, and reducing the cost of the audit and reducing its time.
It is obvious that both parties are interested in an effective, functioning and powerful ICS: both the company itself (at least in the person of its shareholders) and its external auditors, therefore their cooperation in the process of developing an ICS is a classic example of a situation where both parties (and both the examiner and the audited) clearly benefit from close cooperation.
Identification of significant accounts
After management has identified all types of individual reports that must be covered by the internal control system and established the appropriate levels of materiality, it is necessary to analyze and identify those accounts in the chart of accounts or their groups that, individually or in combination with other related accounts, can lead to material deviations in the company's individual financial statements.
Efforts to define such “tangible” accounts must carefully consider both their quantitative and qualitative attributes.
Quantitative characteristics The main, “separating” criterion should include the question of whether there is a “more yes than no” probability that the account may contain distortions (either in the direction of exaggeration or understatement of actual data). It must be remembered that we are talking not only about individual distortions in a given account of the chart of accounts, but also about its ability to have a significant impact on the financial statements in conjunction with other similar errors or manipulations within this account.
Qualitative characteristics of material account allocation may include:
High volatility or sensitivity of a given business activity or balance sheet item into which the chart of accounts account is included;
The importance of a given balance sheet item or element of the income statement for the company's activities from the point of view of its management or regulatory purposes from the point of view of various departments and supervisory agencies of their subordinate institutions (for example, for banks in this regard, the chart of accounts accounts included in calculation of various standards for banks on which the revocation of their license by the Bank of Russia depends);
Statistics, experience and knowledge about the frequency and (or) magnitude of past errors on a given account;
The account's susceptibility to loss due to error or fraud (for example, intentional manipulation of estimates and assumptions used in financial statements or knowledge of (past) misappropriation of assets recorded in the account);
Estimated complexities associated with accounting and reporting for a given account (for example, deferred tax liabilities or assets, environmental liabilities, actuarial liabilities);
The likelihood of significant contingent liabilities arising from the main activity and reflected in this account (for example, the consequences of legal proceedings, fines, etc.);
Changes in the characteristics or attributes of a given account (for example, a company's new rules for amortization of intangible assets after a review of their use).
Identification of relevant statements, reflected in the financial statements
The group authorized by the company's management to develop the internal control system (for example, internal internal control staff) must understand and determine what specific financial statements (or so-called management's assertions- statements or “assurances” of management) are associated with each of the significant accounts of the chart of accounts and, therefore, will be reflected through it in the financial statements. The following types of management assertions are believed to be common to many accounts:
- Availability and fact of implementation ( Existence and occurrence). This statement tells the user of the statements that all assets and liabilities actually exist as of the reporting date, and also that all business transactions included and reflected in the statements of profit and loss, capital flows and cash flows actually exist. occurred during the reporting period.
- Completeness ( Completeness). All assets, liabilities and transactions that should have been reflected in the financial statements were fully included in it; on the other hand, no “air” transactions or balances were included in the statements.
- Rights and obligations ( Rights and obligations). All assets are legally owned by the company (or controlled by it, as in the case of a finance lease), and all liabilities are legal, contractual or constructive obligations of the company.
- Grade ( Valuation). All assets and liabilities of the company have been properly calculated or valued and, where applicable, all expenses have been correctly allocated.
- Presentation and disclosure of information ( Presentation and disclosure). The financial statements are presented in a form consistent with accounting standards (eg IFRS) and all required disclosures have been made.
- Compliance (compliance with laws - Compliance). All reported transactions were conducted in accordance with the applicable laws and regulations of the relevant jurisdiction. This concept can be explained with the following illustrative example. If a company, having decided to “save” on various taxes, gave its manager a large bonus in the form of an interest-free loan for 20-30 years, or even wrote off the issued funds for fictitious “representative” or “consulting” expenses, then the head of the internal control system must ensure that this operation is reflected in FI as a workers compensation expense rather than a loan or other type of expense. This approach, by the way, is also followed by IFRS standards, which will also require additional reflection of the financial expenses incurred in connection with the “packaging” of the transaction in the form of an interest-free loan.
- Asset safety ( Safeguarding). All of the company's assets were reasonably protected against fraud and abuse.
- Documentation ( Documentation). Documentation confirming all significant business transactions and other significant events for the company, as well as working documents for testing internal controls, are available and easily accessible for study and verification.
It is important to realize that not all of the above “statements” are relevant for every significant account in the chart of accounts.
For example, from the point of view of constructing an internal control system, the statement “Evaluation” will not be relevant for the account “Current account in bank”, because the balance of this account is already expressed in a specific and clear amount in Russian rubles and no additional assessment or assumptions on the part of management are required here (if we do not take into account the unlikely situation of partial or complete loss of these funds due to the bankruptcy of the bank in which the current account is opened, and the subsequent impossibility of receiving them in the process of liquidation or reorganization of the bank; if there is still a likelihood of such events, then perhaps , the company will be required to create a reserve even for such an asset).
Since each type of “statement” has its own specific risks, IAS employees must consider each significant (both in amount and in significance for the company) account in the chart of accounts to determine these risks and the associated types (pools) of significant errors or distortions that may occur within each statement. This step is the most important when building an internal control system. The results of the analysis and evaluation of the assertions within each account and the identification of their associated risks will help management determine the specific types of internal controls that must be designed and implemented to “protect” that account.
Identifying Major Transaction Cycles
The next step towards establishing an internal control system is to identify the main transaction cycles. These are usually understood as the main, recurring classes of business transactions that significantly affect individual significant accounts of the chart of accounts or group of accounts.
An important transaction cycle is one of the company's regular business processes, for which the number and monetary volume of business transactions inherent in it are so large that if a material error occurs in this business process, it will significantly distort the reporting and, therefore, affect the acceptance process decisions by users of reporting (primarily management and (or) shareholders).
For example, the “Revenue” transaction cycle is important for any company and, accordingly, for its internal control system, because a significant error in this cycle can affect several key accounts (for example, such as revenue and receivables), which, in aggregate form, fall in financial statements, most directly affect the economic behavior of creditors, investors, suppliers and customers in relation to a given company.
Each company must determine its main transaction cycles before preparing a full-scale ICS design. The following are examples of such transaction cycles with their usual components:
- “Human Resource Management” includes components:
- payroll processing;
- control of time (worked and vacation);
- pension plans;
- management of voluntary health insurance;
- management of personnel and related budgets.
- fixed asset ordering system and capital expenditure budget;
- depreciation;
- disposal of fixed assets;
- revaluation of buildings;
- testing fixed assets for impairment;
- lease (operating and financial).
- inventory acquisition management;
- inventory distribution;
- inventory consumption.
Information Technology:
- general information security control environment;
- software development;
- changes in the programs used;
- access control to systems;
- IT systems support.
Let us now consider the relationship between the transaction cycle and internal controls that must be built in for the successful functioning of this cycle, using the example of the “Fixed Assets” transaction cycle.
Control type: " Segregation of duties».
The employee responsible for maintaining the fixed assets journal should not make entries in the general ledger.
The reconciliation of fixed asset journal details with control accounts and the entry of entries into the program are separated from each other.
The employee responsible for the storage and safety of fixed assets cannot make decisions and independently carry out their physical inventory.
The employee responsible for placing tags on fixed assets cannot simultaneously be the person responsible for the safety of assets.
The employee responsible for searching for and replacing missing fixed assets cannot be the person responsible for the safety of the assets.
All purchases of fixed assets must require appropriate authorization and cannot be made by any one employee.
All disposals of fixed assets require appropriate permission.
Control type: " The need to obtain proper permission».
There are written procedures for acquiring, receiving, recording assets and managing inventory.
Control type: " Availability of proper documentation».
Accounts correctly identify and classify assets.
Gains and losses on disposals of assets are correctly recorded.
Special acts and invoices are drawn up each time assets are received, sold, moved, transferred, damaged or disposed of.
Control type: " System of physical control over the safety of assets».
Assets are insured for an adequate amount.
Assets immediately receive inventory numbers upon their capitalization.
Assets not found during inventory are reflected in a special missing assets register for further investigation.
Control type: " Checking calculations».
All asset receipts are correctly recorded in the correct amount.
The capitalized costs required to bring the asset to the required location and state of readiness for use are correctly added to the cost of the asset (including direct and preparation costs, assembly, capitalized interest, asset dismantling liabilities, etc.).
Control type: " Reconciliation (reconciliation of data from different systems)».
Reconciliations of asset amounts between journals and general ledger are actually performed.
Control type: " Inventory».
Planned asset inventories are actually carried out.
Unscheduled asset inventories are carried out every time there is a change in the employee responsible for the safety of assets.
1Recently, a pressing issue is the formation of reliable, transparent and neutral accounting (financial) reporting. This article examines the content of the Sarbanes-Oxley Act and its application for the preparation of reliable accounting (financial) statements; it shows the influence of the Sarbanes-Oxley Act on the formation of the internal control system (ICS) of American companies. The article analyzes the requirements imposed by the legislation of the Russian Federation on the internal control system. In connection with the need to organize and implement internal control of transactions, accounting and reporting, as well as to reduce the costs of creating an internal control system, the authors proposed the use of management accounting data as a tool of the internal control system for the purpose of increasing the reliability and transparency of accounting (financial) organization reporting.
internal control
financial statements
Sarbanes–Oxley Act
Management Accounting
1. Audit and consulting [site] Sarbanes-Oxley Act (SOX) in Russian / translation. - URL: http://www.as-audit.ru/consult/show/2821/ (access date: 04/03/2015).
2. BMC [Official website] Explanation X/2013 “Organization of an internal control system.” - URL: http://bmсenter.ru/Files/R_2013_Organizaсiya_vnutrennego_kontrolya (access date: 04/03/2015).
3. Committee of Sponsoring Organizations of the United States (COSO) [Official website]. - URL: http://www.coso.org (access date: 04/03/2015).
4. Koptelov A.K., Shmataluk A.E. Business process management technologies [Electronic resource] // Corporate finance management. – 2004. - No. 5. - URL: http://businessproсess.narod.ru/index2.htm (access date: 04/03/2015).
6. On approval of the Regulations on accounting and financial reporting in the Russian Federation: Order of the Ministry of Finance of the Russian Federation dated July 29, 1998 N 34n (as amended on December 24, 2010).
7. On approval of accounting regulations (together with the “Accounting Regulations “Accounting Policy of the Organization” (PBU 1/2008)”, “Accounting Regulations “Changes in Estimated Values” (PBU 21/2008)”): Order of the Ministry of Finance Russia dated October 6, 2008 N 106n (as amended on December 18, 2012).
8. On accounting: Federal Law of December 6, 2011 N 402-FZ (as amended on November 4, 2014).
The reliability of financial reporting has a significant impact on the adoption of management decisions by business entities, and, consequently, on the efficiency of their activities and future development. Over the past twenty years, confidence in the financial statements of both Russian and international companies has decreased significantly.
The most famous case in international practice is the bankruptcy of the energy corporation Enron and its contractor, Arthur Andersen, which audited Enron. As a result of unreliable financial reporting, a large number of small shareholders suffered, which led to the bankruptcy of previously reliable and quite profitable companies.
In connection with numerous corporate scandals caused by dishonest behavior of managers of large companies, namely falsification of financial statements, on July 30, 2002, US President D. Bush signed the Sarbanes-Oxley Act, or SOX.
The purpose of the law is to restore investor confidence and ensure transparency of corporate accounting and financial reporting of companies that have or plan to do business with commercial partners and their foreign subsidiaries whose securities are listed on the US open market. The law strictly defines the need to implement internal control systems. Since July 2005, SOX applies to resident and non-resident companies whose securities have stable ratings on the US stock market. In accordance with the law, company managers are required to evaluate the internal control system, disclosing in the appendices to the financial statements all its significant deficiencies and proposing measures to eliminate them.
The global practice of more than ten years of its application dictates the need to restructure the commercial organization of its business processes in order to increase investment attractiveness and conduct activities in the international market.
The legislative act imposes serious requirements on internal control procedures, business organization, incl. to management accounting and budgeting. Its main provisions are aimed at regulating the work of financial services, transparency of banking operations and independence of auditors, introducing new certification standards for external auditors and certification rules for financial and executive directors, which ultimately increases the responsibility of management, audit committees and increases fines for non-compliance - Company directors bear personal responsibility. For example, if it turns out that a company’s reporting was deliberately distorted, its manager faces a fine of up to $5 million.
The SOX law contains 11 chapters regulating the activities of public companies and auditors, ensures the independence of auditors and audit committees, indicates the responsibility of management for organizing the internal control system at the enterprise, and the audit committee for certified reporting, establishes both additional responsibility of the board of directors and criminal sanctions in the field of company document flow and financial reporting.
Chapter 4 of SOX requires companies to present as much financial information as possible in their reports, which must be prepared in accordance with generally accepted accounting principles and disclose all material transactions, arrangements and obligations.
In addition, information on off-balance sheet transactions, transactions involving management and major shareholders of the company, as well as additional information on significant changes in the financial condition or activities of the company (presentation and development trends, qualitative analysis, graphical data) is subject to disclosure.
From the point of view of organizing internal control, sections 302 and 404 deserve special attention. They establish the personal responsibility of senior and middle management of the company, as well as the need to implement an internal control system and ensure the safety of all corporate correspondence.
Section 302 “Corporate Responsibility for Financial Statements” states that the officers signing the financial statements are personally responsible for the organization and implementation of internal control, reflecting in the report their conclusions about its effectiveness, according to their assessment as of the date of its implementation . The company's management (general, executive, financial directors, line managers in areas) is required to include their own reports in the audit protocols in order to confirm the accuracy of the information contained in these protocols. Managers who intentionally present unreliable financial indicators in reporting documents bear serious administrative and criminal liability. Under Section 802, Criminal Alteration of Records, destruction, alteration, or falsification of records may result in a fine or up to 20 years in prison.
Section 404, Management's Evaluation of Internal Control, establishes the need to implement a system of internal control and establishes management's responsibility for establishing and maintaining an adequate structure and procedures for internal control over financial reporting, which is subject to five basic requirements: existence or occurrence, completeness and measurement, and accuracy. , rights and obligations, representation and disclosure.
This section of the law is the most difficult to apply, since most companies managed their financial flows without using detailed reporting. Companies are advised to develop a system of internal indicators when preparing financial data and periodically test it.
Section 404 is directly related to internal auditing, which evaluates a company's internal controls. In international practice, there are several generally accepted principles for constructing this system. The Sarbanes-Oxley Act refers to the internal control model developed by The Committee of Sponsoring Organizations of the Treadway Commission (COSO). The CCSO Internal Control - Integrated Framework model includes several interconnected blocks, each of which relates to all categories of business goals (strategic, operational, reporting and compliance goals). These are five key components: control environment, risk assessment, control activities, internal communications, monitoring. In October 2004, the COSO ERM - Integrated Framework (ERM - enterprise risk model) model was published, which, in fact, combined both elements of the internal control system and elements of the risk management system.
In 2005, International Standard on Auditing 315, “Identifying and Assessing the Risk of Material Misstatement in Financial Statements by Obtaining an Understanding of the Business and the Environment in which the Entity Operates,” was adopted. Understanding the organization's activities also includes such a component as the internal control system, which, in turn, includes the control environment, the risk assessment process in the organization, the information system, control procedures and control actions and monitoring of controls. Thus, risk assessment is linked to an analysis of the reliability of the organization's internal control system from the point of view of the risk of possible unintentional misstatement or error, as well as falsification of financial statements as a result of fraud.
According to ISA 315, “the internal control system is a set of means and methods used by an organization to reduce business risks that threaten the achievement of such organizational goals as compliance of financial reporting data with the actual state of affairs, achieving efficiency and productivity of ongoing operations, as well as compliance with legal requirements.”
In Russia, by 2016, the final transition to IFRS is planned, knowledge of which and the ability to apply them correctly is the key to the success of drawing up reliable accounting (financial) statements that will attract potential investors.
In the Russian Federation, on January 1, 2013, a new version of the law on accounting came into force. In accordance with Article 19 of the Federal Law of December 21, 2011 No. 402-FZ “On Accounting,” the organization is obliged to “organize and carry out internal control of the facts of economic life. An organization, the accounting (financial) statements of which are subject to mandatory audit, is obliged to organize and exercise internal control over accounting and preparation of accounting (financial) statements (except for cases where its head has assumed the responsibility for maintaining accounting records).
The introduction of an internal control system into an organization and compliance with the requirements governing the accounting procedure will increase the reliability and reliability of reporting, strengthen investor confidence in accounting (financial) reporting and lead to increased efficiency of the organization and sustainable economic growth of the organization.
According to clause 4 of the Regulations on accounting and financial reporting in the Russian Federation, approved by Order of the Ministry of Finance of Russia dated July 29, 1998 No. 34n (as amended on December 24, 2010 N 186n), when maintaining accounting records, the organization must provide information to internal and external users accounting reports for the purpose of monitoring compliance with the legislation of the Russian Federation when carrying out business transactions and their feasibility, the availability and movement of property and liabilities, the use of basic, material, labor and monetary resources in accordance with approved norms, regulations, tariffs and estimates.
In accordance with PBU 1/2008 “Accounting policy of the organization”, approved by Order of the Ministry of Finance of Russia dated 06.10.2008 N 106n, the organization forms in its accounting policy the rules of document flow, technology for processing accounting information, the procedure for monitoring business transactions and the final synthesis of facts of economic activity, and others decisions necessary for organizing accounting, and, consequently, the internal control system.
The internal control system can also be considered as a set of organizational structure, methods and procedures adopted by the management of the organization as a means for the orderly and efficient conduct of financial and economic activities, to ensure sufficient confidence in achieving goals in terms of the reliability and reliability of financial (accounting) reporting, efficiency and effectiveness of business operations and compliance of the organization's activities with regulatory legal acts.
The organization and functioning of the internal control system is aimed at reducing the risks of the organization's economic activities. The implementation of an internal control system requires the availability of tools that will allow you to monitor internal control processes in real time, optimize document flow, introduce personal responsibility for sections of internal control, assess the degree of reliability of the resulting reports, identify and evaluate the influence of various factors on the reliability of financial statements. Thus, the internal control system introduced by Law 402-FZ is aimed at reducing risks when making management decisions and is designed to ensure the reliability of the information contained in the financial statements of companies.
The organization and functioning of the internal control system in a company is most often based on the following key principles.
1. Integration - consists of informing management at the appropriate level of management about detected significant violations of financial and economic activities with an analysis of their causes, deficiencies and weaknesses in control, and about corrective measures that have either been taken or should be taken.
2. Continuity - consists of implementing internal control on an ongoing basis at all levels of management, which allows the company to promptly identify and analyze deviations in the internal control system, as well as prevent their occurrence in the future.
3. Methodological unity - lies in the unity of requirements and approaches for all divisions of the company.
4. Comprehensiveness - means that the control system operates at all levels and in all divisions of the company, covers all objects of internal control and areas of the company’s activities and, accordingly, all emerging risks.
5. Responsibility means that all employees and management at all levels of the company are responsible for the functioning of the internal control system within the limits of their authority.
6. Focus on risk management - internal control should be in close interaction with the risk management system in the company, which contributes to the timely and effective implementation of measures to influence risks. When carrying out control procedures, both the magnitude and likelihood of risks occurring, as well as the degree of their impact on financial results, should be assessed.
7. Optimality - means that the volume and complexity of control procedures used in the company are necessary and sufficient for effective risk management and achievement of set goals, i.e. The cost-economic effect ratio must be met. The costs of implementation and subsequent operation of control procedures should not exceed the consequences of risks arising, and the total level of residual risk should correspond to the acceptable levels established by the company.
8. Relevance and development - means that all documentation on the internal control system (risk description, control results, etc.) must be updated in a timely manner and constantly improved in order to increase the efficiency of risk management. For the continuous development of the internal control system, the company's management must create certain conditions, since it is necessary to solve new problems arising as a result of changes in internal and external operating conditions.
The objectives of the internal control system are:
1. Establishing the compliance of ongoing financial transactions in terms of financial and economic activities and their reflection in accounting and reporting with the requirements of regulatory legal acts.
2. Establishing compliance of the operations carried out with regulations and the powers of employees.
3. Compliance with established technological processes and operations when carrying out functional activities. For this purpose, the institution must develop and approve a regulation on internal financial control.
Currently, many organizations in the Russian Federation maintain management accounting, the purpose of which is to provide information for in-production planning, management and control. Therefore, it is advisable to organize an internal control system in such organizations within the framework of management accounting in order to avoid serious costs for creating this system. After the introduction of the SOX law, companies experienced a 30% increase in audit costs, and significant costs were also required for the implementation of an internal control system, checking its effectiveness and vulnerability.
The internal control system can be built on the basis of responsibility centers already created within the framework of the management accounting system. Centers are structural units headed by managers who are responsible for the results of their work. At the same time, department heads are responsible only for those indicators that they can actually influence. The main evaluation indicator is usually the financial result, which is reflected in the accounting and management reporting.
Management accounting must clearly regulate and ensure compliance with the rules and deadlines for the preparation and presentation of management reporting and directly related benchmark indicators of external financial (accounting) reporting (income, expenses, financial results).
It is known that management accounting provides:
- formation of a system of reliable and complete information about the business processes and financial results of the company for managing the business as a whole, on the basis of which management makes operational and strategic decisions;
- assessment of the efficiency of the company, its structural divisions and functional blocks, planning (budgeting) and control of economic activities, ensuring optimal use of basic, material, labor and monetary resources and in accordance with approved norms, standards and estimates;
- decentralization of management, i.e. distribution of powers and responsibilities in decision-making between different levels of management, delegation of responsibility between managers in terms of management, planning and control of costs and performance of the unit, which will allow timely warning and prevention of negative phenomena in the economic and financial activities of the company and identification of internal reserves;
- adjustment of control influences on the processes of production and sale of products, goods and services, reduction of subjectivity in making management decisions at all levels, analysis and assessment of analytical indicators of internal control, revealing identified reserves for economic growth of the company's efficiency.
Thus, the approach to organizing the internal control system within the framework of management accounting will make it possible to prepare reliable, reliable and high-quality accounting (financial) reporting.
Reviewers:
Makarova L.G., Professor, Doctor of Economics, Professor of the Department of Accounting, Analysis and Audit, National Research University Higher School of Economics, Nizhny Novgorod.
Plekhova Yu.O., Professor, Doctor of Economics, Professor of the Department of Economics of the Federal State Autonomous Educational Institution of Higher Education "Nizhny Novgorod State University named after. N.I. Lobachevsky", Nizhny Novgorod.
The law takes its name from the names of its creators, Senator Paul Sarbanes (Democratic Party, Maryland) and Representative Michael Oxley (Republican Party, Ohio).
Bibliographic link
Shchepetova V.N., Pochekaeva O.V. MANAGEMENT ACCOUNTING AS THE BASIS OF THE SYSTEM OF INTERNAL CONTROL FOR THE ACCURACY OF FINANCIAL REPORTING // Modern problems of science and education. – 2015. – No. 1-1.;URL: http://science-education.ru/ru/article/view?id=18818 (date of access: 06/27/2019). We bring to your attention magazines published by the publishing house "Academy of Natural Sciences"
And internal control exercised by the audited entity”, the auditor needs to evaluate the accounting and internal control systems to the extent sufficient to conduct an audit of the financial statements and express a professional opinion on the degree of their reliability.
Accounting system- this is an orderly system for collecting, registering, summarizing information in monetary terms about the property and obligations of the organization and their movement through continuous, continuous and documentary accounting of all business transactions.
Internal control system is a set of organizational measures, techniques and procedures used by the management of the audited entity as a means for the orderly and efficient conduct of financial and economic activities, ensuring the safety of assets, identifying, correcting and preventing errors and distortion of information, as well as the timely preparation of reliable financial statements.
The auditor needs to obtain an understanding of the entity's accounting and internal control systems sufficient to plan the audit and develop an effective approach to conducting the audit. During the audit of financial statements, the auditor focuses only on those substantive objectives and specific procedures in the accounting and internal control systems that are relevant to the financial reporting process.
Understanding the internal control system, along with assessing inherent risk, control risk and other information, allows the auditor to:
- identify the types of likely material misstatements that may occur in the financial statements;
- take into account factors affecting the risk of material misstatements;
- develop appropriate audit procedures.
When studying and assessing accounting and internal control systems, it is necessary to take into account their relationship with the components of audit risk (Table 5.1).
Table 5.1. The relationship between accounting and internal control systems and the components of audit riskLet's look at each of the systems in more detail. The auditor studies and evaluates the accounting system. In doing so, he needs to consider the internal controls relevant to the accounting system that contribute to the achievement of the following objectives:
- carrying out operations with general or special permission from the management of the audited entity;
- timely recording of all transactions and other events in accurate amounts in the proper accounting accounts and in the proper reporting periods in order to enable the preparation of financial (accounting) statements in accordance with the established procedure;
- the ability to access assets and records only with permission from the management of the audited entity;
- Regularly comparing recorded assets with assets on hand and taking appropriate action to address any discrepancies.
The auditor needs to obtain an understanding of the system sufficient to determine:
- main groups and types of operations carried out by the audited entity;
- methods for initiating such operations;
- main accounting registers, methods of systematization and storage of primary accounting documents, accounting accounts used in the preparation of financial and other reporting;
- the process of maintaining accounting records and preparing financial statements from the moment of initiation of important transactions to the moment of their inclusion in the reporting.
The internal control system includes the control environment and control procedures.
Control environment— a concept that characterizes the general attitude, awareness and practical actions of the management of the audited organization aimed at establishing, maintaining and developing the internal control system in the organization.
It affects the effectiveness of specific controls and has the following components:
- style and basic principles of management of this audited entity;
- organizational structure of the audited entity;
- distribution of responsibilities and powers;
- implemented personnel policy;
- the procedure for preparing financial statements for external users;
- the procedure for carrying out internal management accounting and preparing reports for internal purposes;
- ensuring compliance of the audited entity’s business activities with the requirements of current legislation;
- the presence and features of the organization of work of the audit commission, the internal audit service as part of the management body of the audited entity.
When considering an organizational structure, it is necessary to take into account that it is effective if it involves a justified distribution of incompatible functions between employees of an economic entity. The functions of a given employee are incompatible if their concentration in one person may contribute to the commission of accidental or intentional errors and violations and make it difficult to detect them. The following functions are to be distributed among various employees:
- direct access to the assets of an economic entity;
- permission to carry out transactions with assets;
- direct implementation of business transactions;
- reflection of business transactions in accounting.
Control procedures- these are the components of the internal control system established by the management of the organization in certain areas and areas of economic activity to ensure effective and reliable management of it.
The control procedures adopted by the management of the audited entity include:
- accountability of some workers to others;
- internal audits and data reconciliations on financial and business activities;
- comparing the results of counting cash, securities and inventories with accounting records (i.e., conducting an inventory);
- comparison of data obtained from internal sources with data from external information sources;
- checking analytical accounts and turnover sheets and arithmetical accuracy of records;
- monitoring application programs and computer information systems;
- restricting access to assets and records;
- comparison and analysis of financial results with planned indicators.
Accounting and internal control systems have limitations for the following reasons:
- the costs of operating the internal control system should not be higher than the expected benefits;
- the orientation of most of the internal controls is aimed at routine rather than rare transactions;
- there is a possibility of errors due to human factors;
- it is possible to bypass internal control procedures through employee collusion;
- there is a possibility of abuse of powers by persons entrusted with the responsibility for implementing internal control;
- control procedures may be inadequate because the operating conditions of the economic entity have changed.
The effectiveness of the internal control system can be reduced to zero if the following facts are available: misunderstanding of instructions; errors in judgment; staff negligence; absent-mindedness or fatigue on the part of the person responsible for control procedures; clash between individuals; incorrect choice of control procedures.
The assessment of accounting and internal control systems consists of the following stages:
- general familiarity with accounting and internal control systems;
- preliminary assessment of the reliability of accounting and internal control systems;
- confirmation of a preliminary assessment of the reliability of accounting and internal control systems.
The auditor must, within a reasonable time, inform the management of the audited entity about significant deficiencies in the structure or functioning of the accounting and internal control systems that he has identified. It should be noted that only deficiencies that became known to the auditor during the audit are presented and that the audit is not intended to determine the full effectiveness of the accounting and internal control systems.