Оценка рисков в риск-ориентированных проверках подразделениями внутреннего аудита

Abstract

The article combines the principles of risk management with the objectives of internal audit, defines and clarifies the concepts of risk management. Undoubtedly, external audit has a great influence on the formation of internal audit. This influence has both positive qualities, such as the use of the experience of highly qualified specialists from external audit, and a negative impact, due to the fact that external audit is primarily aimed at the confirmation of the financial statements of an organization, but in general does not consider business processes implemented in organizations, their effectiveness and adequacy to achieve organizations’ objectives, risks inherent in business processes. The article identifies the most important reason preventing the implementation of risk management principles in the Russian internal audit practice. The correlation of risk elements, which are sufficient for risk identification and risk level assessment within internal audit using a risk-oriented approach, has been disclosed. Based on the analysis of the essence of each risk element (risk source, event, consequence), their isolated role in assessing the likelihood of risk realization and the significance of the consequences, determining the necessity of risk management measures, has been determined. Using practical experience, the authors propose an algorithm of risk level assessment carried out within internal audit implementation. Possible qualitative and quantitative characteristics of determination of risk probability and materiality are considered. As part of the determination of the average likelihood of negative consequences’ occurrence, specific criteria of event likelihood assessment based on the history of similar events’ occurrence and the forecast assessment of likelihood of similar events’ occurrence are identified. Examples of determining the likelihood for each event within a group of events and the likelihood of occurrence of consequences in several groups of events are presented. Criteria for assessing the likelihood of risk realization are determined by establishing the set of events, whose simultaneous occurrence realizes the risk. Examples of financial and non-financial consequences and criteria for their assessment are given. In order to determine the elements of risk during internal audits, the essence of analytical procedures performed with the use of deductive and inductive methods is disclosed. At present, large Russian companies are taking certain steps to implement the principles of Industry 4.0 in their business processes. This trend has not passed unnoticed for internal audit; for example, principles of continuous audit and automated analysis of databases are being implemented. However, the implementation often ignores the main condition that this article discusses; without it implementation attempts will only lead to an irrational use of organizational resources. Contribution of the authors: the authors contributed equally to this article. The authors declare no conflicts of interests.