Оценка эффективности внутреннего контроля в риск-ориентированных проверках

Abstract

The article aims to integrate the principles of internal control, established in the Russian legislation, with the objectives of internal audit and evaluation of the effectiveness of organizations' internal control. One of the main tasks of internal risk-oriented audits is to assess the effectiveness of organizations' internal control by internal auditors to gain confidence about the presence in the company of a sufficient number of control procedures for minimizing identified risks, the presence of regulatory control over their implementation, as well as the completeness of their implementation by employees of the organization. It is well known that internal control and risk management are interrelated. In Russian regulatory documents, risk management procedures are part of internal control. When practically implementing them into production activities, Russian organizations either combine internal control and risk management systems, or separate them into parallel organization management mechanisms. The internal control system described in the regulatory documents of the Ministry of Finance of the Russian Federation and the Federal Tax Service of Russia is sufficient for an intuitive understanding of the principles of its construction, but it does not give internal auditors answers on how to evaluate internal control systems qualitatively and quantitatively. When conducting an internal audit of business processes, the authors initially focused on the identification and evaluation of risk events, and only further on the organization of internal control as a whole, which led to the approach to the evaluation of organizations' internal control the article discusses. Thus, the mechanism for evaluating the effectiveness of internal control is based on an analysis of the completeness of regulation and the quality of the control procedure (the authorial definition of control procedure differs from the concept of internal control procedures presented in Russian legislation). The essence and practical manifestation of the concept “control procedure”, which, in the authors' opinion, covers all elements of internal control, is analyzed. An algorithm sufficient for conducting a qualitative risk-based internal audit is proposed to evaluate the effectiveness of internal control by determining the effectiveness of the design of the control procedure, the degree of implementation of the control procedure, the significance of the event, the significance of the control procedure, the effectiveness of the control procedure. Qualitative and quantitative criteria for determining the effectiveness of internal control indicators are proposed; they make it possible to practically evaluate the internal control system in an organization. Based on the practical experience of evaluating internal control, the authors present an example of calculating its effectiveness.