Analysis of the effectiveness of the internal control system of a commercial organization. The effectiveness of internal control: problems and evaluation criteria Evaluation of the effectiveness of the internal control system in the organization

05.02.2021

One of the tasks of SVA in the conditions strategic management the company is to assess the adequacy and effectiveness of the system internal control, as well as an assessment of the consequences of non-compliance with the procedures established within the framework of the ICS.
The effectiveness and adequacy of the company's ICS must be understood as a combination of the following conditions:
formalized means of internal control;
developed and approved internal regulatory documents (plans, budgets, regulations, instructions, etc.);
employees of the company are familiar with the current regulations, well understand their essence and the need to comply;
the company's employees know the company's mechanism for updating, changing and monitoring compliance with the regulations by the management;
management decisions are identified with high level risk, assessment of the degree of risk and consequences of such decisions;
IAS employees have high professional competence, deep knowledge of the company's business, and the ability to analyze management decisions and their consequences.
The main elements of the ICS are:
control environment - the general attitude of the company's management to internal control, its awareness and practical actions aimed at organizing and maintaining the ICS;
regulation - development, approval and compliance with internal regulatory documents;
control procedures - methods and rules for controlling the company's business processes aimed at preventing, detecting and correcting errors and deviations;
monitoring of the internal control system - continuous monitoring of the functioning of the ICS by the management and employees of the company, including the IA, in order to identify deviations in its work, assess its compliance strategic goals companies. Obviously, there are many interrelated criteria that determine the effectiveness of the ICS. Each company must select criteria that are most consistent with its management strategy.
For example, when evaluating the effectiveness of functions internal audit The following important criteria must be taken into account:
the specific organizational status of the IAS in the structure of the company (structural unit) and its impact on the objectivity of control estimates;
content and scope of IAS functions;
professional competence of auditors;
conscientiousness of auditors when planning, carrying out inspections, drawing up conclusions about their results.
Evaluation of the performance of the IAS can be based on the following criteria:
audits are carried out in accordance with programs that meet the objectives of the audit;
internal audit is carried out by specialists with the appropriate level of education, experience and skills;
audits are conducted in a qualified manner and are properly documented;
based on the results of audits, conclusions are drawn that correspond to the circumstances and facts identified;
the auditors' remarks have been eliminated, the problems identified by them have been resolved.
The most significant criteria include:
1) customer satisfaction (of the board of directors, top managers, heads of structural subdivisions, etc.) - shows how the work of the IAS meets their expectations;
the degree of coverage of key risks - shows how fully the IAS during its audits analyzes the shortcomings of the company's risk management system (the risk of financial irregularities, possible fraud, incorrect reflection of business transactions in accounting, reporting distortions, etc.);
percentage of recommendations implemented - shows how clearly the problems and their consequences are identified, as well as how acceptable the proposals for their elimination turned out to be.
When evaluating the effectiveness of the ICS, auditors study common system organization of internal control in the audited unit or business process, actual compliance with existing internal regulatory documents, organization of control over the safety of assets, correct organization of the accounting system, compliance with established control procedures aimed at identifying and eliminating distortions and errors. To assess the effectiveness of the ICS, a testing method is usually used, on the basis of which a conclusion is made about the magnitude of the risk of control inefficiency. Another important criterion for evaluating the effectiveness of the ICS by auditors is the interaction of its individual components. This takes into account the complementarity of control mechanisms, which eliminates unnecessary expenditure of time and effort. Evaluation of the effectiveness of the ICS is carried out for individual business processes and structural units.
From the point of view of auditors, the ICS can be considered effective if, on the one hand, it warns management in a timely manner about the occurrence of inaccurate information, and, on the other hand, it detects misstatements within a limited time after they occur.
The main reasons for the inefficient functioning of the ICS include the following:
requirement minimal cost on the organization of the ICS by the management;
insufficient control over unusual transactions;
misunderstanding of regulatory documents, negligence in their implementation;
intentional violation of ICS procedures by heads and employees of departments.
In the general case, the criterion for the effectiveness of the ICS is the observance of the principles of its functioning, already described earlier. If all the principles are observed in the company, then the ICS can be considered effective if the benefits from its use exceed the amount of costs for its organization.
It is quite difficult to correlate costs and benefits, since costs can be expressed in monetary terms, but benefits cannot always be expressed. At the same time, it is important to focus on the goals of creating the ICS, the focus of the work of the ICS and the expected results.
Key benefits include increased accountability for business processes and activities structural divisions company, efficiency, improving corporate governance, preventing and detecting fraud, and improving the company's credit ratings.
The calculation of costs for organizing the ICS includes: remuneration of IAS employees, travel expenses, employee training expenses, expenses for professional services of external experts and consultants, other expenses (documentation and software, etc.).

Economics and Mathematics

modeling

USE OF MATHEMATICAL MODELS IN ASSESSING THE EFFICIENCY OF THE INTERNAL CONTROL SYSTEM

IN AND. THROAT,

Candidate of Economic Sciences, Associate Professor Bryansk State Agricultural Academy

The internal control system as an extensive organizational structure is a set of units staffed with personnel of appropriate qualifications and powers, carrying out information interaction in the form of direct and feedback links, having appropriate material, technical and information support and reporting to the relevant executive body.

The main objective of internal control in the enterprise is to reduce financial losses arising for various reasons. The more developed and structured the control system, the higher the result of its action, which is expressed in the reduction of losses.

Efficiency evaluation allows considering the qualitative and quantitative certainty of individual elements of the internal control system, establishing their difference. Evaluation of the effectiveness of the internal control system is a generalization of indicators of its effectiveness and efficiency. A measure of the quantitative assessment of the result of the effectiveness of the internal control system can be an indicator of the average mathematical expected value of an event or result. Such assessments are usually based on expert opinions and are subjective.

In absolute terms, the result of the control system at the enterprise, according to the author, is the amount of savings in losses that arose in connection with the functioning of the control system:

where R is the result of the functioning of the control system;

C0 - losses (losses) in the absence of control;

C1 - losses (losses) under the current control system.

However, certain costs are required to establish and maintain an internal control system. Without taking into account investments in the creation of a control system, the savings of an enterprise from the implementation of a control system is the difference between the result of the functioning of the system and the cost of maintaining it: E = ^ C,

where E is the savings in losses (efficiency); C is the cost of the control system. It is obvious that the application of the internal control system will bring benefits to the enterprise only if the result of its functioning exceeds the cost of its maintenance:

E > 0 or R > C. The degree of complexity of the control system is directly related to the cost of using specific controls and potential losses in case of their absence. When the cost exceeds the return, it is obviously not profitable, and if the sum of the costs of maintaining the internal control system (in years 1 to n) exceeds the return, these controls should not be used. To monitor system efficiency

it is necessary to evaluate and compare the potential losses of the enterprise, the expected result of the system and the costs of its maintenance. Thus, the effectiveness of the internal control system is the difference between the predicted losses before and after the predicted impact of the internal control system.

We propose further development of this approach. Let us determine the effectiveness of the internal control system using the example of the internal control system operating at JSC Krasnogorsk Cheese Plant from 2001 to 2005.

The effectiveness of the internal control system is determined by the savings in losses arising from the operation of the control system. A formula is proposed for evaluating the result of the operation of the control system as the sum of savings in losses from the operation of the control system.

We present the formula in following form.

Let x be the organizational level of the internal control system. We understand that our approach is controversial, but many different approaches are possible here.

b1(x) - system losses at the appropriate level of the internal control system. It is easier to measure this indicator as a percentage of some base, for example, from b0, and, therefore, b0 = 100%. The complexity of the problem lies in the measurement of indicators, which are more qualitative than quantitative. To clarify this problem, it is necessary to conduct special-purpose studies, and this does not fit into the scope of our study. In our consideration, this problem is not the main one, since we are trying to build a general mathematical model, with the help of which the main properties of the behavior of the internal control system should be obtained.

C (x) - the cost of maintaining the internal control system. Here it is also very difficult to separate this part from the total amount of costs, but a rough estimate of the costs of maintaining the internal control system is possible.

R(х) - efficiency of the system from the introduction of the internal control system, expressed in the amount of reduction of losses from the maintenance of the internal control system. It is logical to believe that this indicator should grow to a certain value x, then decrease, since we postulated such behavior (exactly the opposite) for b1(x) - the loss function, then

R(x) = ^(x). (2)

Let us show that bx(x) - with the growth of x decreases to some Xmin, further growth of x leads to an increase in b1(x). The simplest form of dependence can be a parabola or an exponential. As a model loss function b1(x), it is easier to take a parabola, since if empirical data are available, it is possible to determine the parameters of the equation using the least squares method.

As a result of the study, the effectiveness of the internal control system can be represented as the following formula:

R (x) = b - (ax2 + bx + c). (3)

From here, the efficiency optimum point is easily determined:

R (x) \u003d - 2ax - b \u003d 0;

When constructing a specific parabola, according to the scores and losses of the system at the appropriate level of the internal control system, the optimum point is determined, i.e. such a value of the quality of the internal control system at which the best efficiency of the control system is achieved.

The proposed indicators make it possible to evaluate the effectiveness of the internal control system at enterprises and determine the optimal values for the level of the internal control system and possible losses corresponding to a given level of organization of the accounting and internal control system (see table).

As a result of the calculations, the following model for determining the value of losses (regression equation) was obtained:

y \u003d 164.73 - 27.4x + 1.23x2.

In this case, the optimal value of the level of the internal control system will be:

^optim= 11.04.

This value x (the level of organization of the internal control system) corresponds to the optimal value of losses:

Khoptim.) = 14.92.

The efficiency in this case will be 85.08%.

Taking into account some conventionality of the initial data, it can, however, be argued that the best for the organization is the level of organization of the internal control system of 10-12 points of the test survey. In this case, the losses are 15% in comparison with the situation when

Determination of the effectiveness of the internal control system in Krasnogorsk Cheese Plant OJSC

Year X X2 Y Y est. I)

2001 6,00 36,00 24,00 46,15 53,85

2002 9,50 90,25 19,00 17,84 82,16

2003 11,00 121,00 10,00 14,92 85,08

2004 12,15 147,62 21.00 16,43 83,57

2005 15,70 246,49 29.00 41,58 58,42

Optimal point 11.04 121.91 14.92

The following designations are used in the table:

х - scoring of the level of organization of the internal control system in JSC "Krasnogorsk Cheese Plant" (from 2001 to 2005); y - losses from the level of organization of the internal control system (the figures were obtained as a result of processing an expert survey, or otherwise - expert opinions); R (x) - efficiency of the internal control system.

the enterprise does not have a system of internal control or when control is weak.

Schematically, the graph of the loss functions and the effectiveness of the internal control system can be represented in the following way(Fig. 1).

In turn, on the other hand, the costs of maintaining the internal control system grow with the growth of the quality of the internal control system.

C (x) \u003d kx, which implies x \u003d -

As a result, the formula for the effectiveness of the internal control system from the costs of its operation will look like this:

The optimal cost value is determined by the formula:

C \u003d - b x k / 2a

This follows from the formula: R (x) = 0,

ICS level Efficiency losses

R "(x) \u003d - 2a / K2 C (x) - bd \u003d 0.

This condition is a necessary condition for the presence of an optimum (minimum or maximum of the function). The calculation of the parameters a, b, c and k, as well as the problems of data preparation, is an independent and thorough study.

On the other hand, starting from considering the internal control system as a “black box” (input costs - output results), it is obvious that costs are the input parameters of the system, and losses are the output parameters of the system. Therefore, we can assume that losses are a function of costs.

We consider it plausible that the efficiency of the internal control system grows with the growth of costs up to a certain optimal value, after which, with the continuing increase in the costs of the internal control system, the efficiency of the internal control system decreases.

This statement can be described by the following function:

R (^ = a0 - C^-C + C0. (5)

Thus, approaching the characteristics of the effectiveness of the internal control system in two different ways, we obtained, in general, the same dependence of efficiency on the implementation of the internal control system.

To implement the previously described approaches, three parameters are evaluated:

The quality of the internal control system;

The cost of maintaining the internal control system;

Losses from maintaining the internal control system.

If it is possible to collect the relevant statistical material, then in principle it is possible

evaluate the parameters of specific dependencies described earlier. As x, it is quite possible to take the score of the internal control system, which we proposed when testing accounting.

A simpler approach to solving this problem can be presented as follows. As mentioned earlier, the effectiveness of an internal control system is measured by the savings in losses arising from the operation of the control system. A formula was proposed for evaluating the result of the control system as the sum of the savings in losses from the operation of the control system.

On the graph, we can represent the function in the following form (Fig. 2):

When there is no control system, i.e. b0 = 0, then R (0) = L0, i.e. losses (losses) with the current control system are equal to zero, then the result of the operation of the control system will be equal to losses (losses) in the absence of control. In the case of maximum efficiency, i.e. when R (b) = 0, bk should be equal to b0, i.e., the losses from the introduction of an internal control system are the same as in the absence of an internal control system.

This conclusion is illogical, since the losses from the introduction of an internal control system cannot be the same as in the absence of an internal control system.

Modernizing the efficiency formula (1), introducing the efficiency coefficients of different structures of the control system, we obtain the following formula for determining the efficiency:

R (1K) \u003d b - kbk (6),

where k is the efficiency coefficient;

R (b) = 0 at 1K = b 0/k.

On the graph, the function will look like this (see figure).

The system is efficient if b1 is as small as possible. And this is possible if k > 1.

The system is less efficient if k< 1.

The practical implementation of this approach is fraught with many difficulties, in particular, the inability to determine losses in different cases.

To create and maintain an internal control system, certain costs are required. Without taking into account investments in the creation of an internal control system, the savings of an enterprise from the introduction of an internal control system have the form of the following formula:

E = R - C, where C is the cost of the control system.

If we assume that b1 is an internal control system and a variable value, then: E b) \u003d R (bv) - C (b)

Naturally, if we assume that the more perfect the internal control system, the greater the costs for it, i.e.:

Efficiency is determined by the inequality E > 0 or R > C:

b0 - kk bk > K bc.

The degree of complexity of the control system is directly related to the cost of using specific controls and the potential loss in case of their absence.

We consider the formulation of this problem in theoretical aspect. When the formula was proposed R (b1) = b0 - b1 where b1 - losses from the func-

quotation of the internal control system, it was clear that Dshould be considered as a variable. Only this assumption made it possible to reach theoretical analysis and generalizations. Further, it was proposed to introduce an abstract, hard-to-determine measure of the quality of the internal control system, which was also presented in a quantitative form. Finally, when the dependence of the effectiveness of the internal control system on the costs of its operation was modeled, it was assumed that the costs are not literally calculated costs for individual items, but more complex, not fully observable costs.

Literature

Thus, the construction of models characterizes the assessment of the effectiveness of the implementation of the internal control system, taking into account the characteristics of losses as a constant, given by the contingent costs of maintaining it or changing according to a linear law.

The extended application of mathematical methods and models is an objective trend associated with the level of development of specific industries. The use of mathematics in auditing is justified by the fact that it allows us to make extensive reasoning of the nature described. Audit takes place with quantitative ratios, which in turn inevitably requires the use of mathematical approaches.

1. On-farm audit in the enterprises of the agro-industrial complex Russian Federation: Sat. regulatory and methodological materials on internal audit / Comp. D. N. Written and others - M .: RAM and A, 1994. - 52 p.

2. Gubanov A. G., Vasilenko A. A., Stefanova S. N. Features of accounting, control and economic analysis at processing enterprises of the agro-industrial complex: Proc. allowance. - Rostov-on-Don, 1997. - 71 p.

3. Karamaiki D. R., Benis M. Standards and norms of audit. - M.: Audit, UNITI, 1995. - 527 p.

4. Organization of audit activities in the agro-industrial complex: Sat. regulatory and methodological materials on audit / Comp. D. N. Written and others - M .: RAM and A, 1994. - 48 p.

5. Rules (standards) of audit activity / Comp. and the author of the introduction N. A. Remizov. - Mu: ID FBK-PRESS, 2000. - 384 p.

6. Encyclopedia of general audit. Legislative and normative base, practice, recommendations and methodology for implementation. - T. 2. - M.: "DIS", 1999. - 569 p.

7. Mazur I.I. Quality management: Proc. allowance. - M.: Higher School, 2003. - 307 p.

Publishing House "Finance and Credit" provides services for the publication of books, brochures, monographs, textbooks, educational and methodological and fiction. The publication is carried out at the expense of the author. Production time for paperback monographs with a volume of 10 printed sheets is 40 days.

One of the management functions of a business entity is internal control, the subjects of which are:

Carry out comparison of planned and actual values of parameters;

Draw an analogy with the external economic and legal environment;

Detect deviations in parameters;

They give an assessment of the danger of the size of deviations for a business entity;

The factors that caused deviations are identified, the degree of their influence is determined;

Prepare the information base for making managerial decisions.

Internal control is a process designed and maintained by those charged with governance, management and other personnel to achieve reasonable assurance about the achievement of the entity's objectives for financial reporting integrity, performance and regulatory compliance.

As a management function, internal control performs the following tasks:

Gives information about the processes taking place in a business entity;

Helps to make the most appropriate decisions on general and special issues of enterprise development;

Provides an opportunity to judge the correctness of the decisions made, the timeliness and effectiveness of their implementation;

Contributes to the timely detection and elimination of conditions and factors that do not contribute to the efficient conduct of production and the achievement of the goal;

Allows you to adjust the activities of a business entity or its individual production units;

It makes it possible to establish which services and divisions of the enterprise, as well as the directions of its activity, contribute to the achievement of the set goal and increase the effectiveness of the enterprise.

In a joint-stock company, a council of the joint-stock company (supervisory board) may be created, which exercises control over the activities of its executive body. Charter of a joint-stock company or by decision general meeting shareholders, the board of a joint-stock company (supervisory board) may be entrusted with certain functions that fall within the competence of the general meeting. Members of the board of a joint-stock company (supervisory board) cannot be members of the executive body. In the event of a significant threat to the interests of the joint-stock company or revealing abuses committed officials, the audit commission is obliged to demand an extraordinary convocation of the general meeting of shareholders. Members of the audit commission may take part in meetings of the board with the right of an advisory vote.

Internal audit should be considered as an integral part of the overall management system. The internal audit service is created at the enterprise to perform control functions, depending on the purpose and tasks assigned to internal auditors by the management of the enterprise. Internal auditors are dependent, subordinate to higher management, they conduct inspections, both scheduled and unscheduled, at the direction of management. Based on the results of the audit, they draw up a report on the work carried out, report to the management, give an assessment, recommendations, advice and information. They are not required to be certified. It can be an accounting specialist, an economist, a financier.

ISA 315, Understanding an Entity's Operations and Assessing the Risk of Material Misstatement, highlights the following components of internal control:

Control environment;

The organization's risk assessment process; the information system, including its elements related to the preparation of financial statements, and informing;

control activities; control monitoring.

The control environment is understood as the attitude of management and those charged with governance to internal control, understanding of its significance for the organization, their awareness of internal control and actions directly related to it.

An organization's risk assessment process is the process of identifying and responding to business risks and the results of those actions. For financial reporting, an entity's risk assessment process involves management identifying risks associated with the preparation of financial statements that are fair in all material respects in accordance with applicable principles and rules, assessing their significance and likelihood of occurrence, and making decisions about how to respond to those risks. .

The risks associated with financial reporting arise from internal and external factors that may adversely affect an entity's ability to generate, record, process and present financial information in accordance with the assertions stated by management in the financial statements.

As a risk is identified, management assesses its extent and significance and develops ways to respond. Management may conclude that it is not appropriate to respond to a risk, for example, because the costs of such activities are disproportionate to the magnitude of the negative effect to be avoided.

An organization's information system includes hardware, software, labor resources, certain procedures and data. As part of the preparation of financial statements, the information system includes procedures and documents used to generate, document, process and report transactions and events, as well as to enable the recording of related assets, liabilities and equity.

The information system should provide:

Formation of information about all ongoing operations;

Timely reflection of the details of the transactions performed, necessary for the correct classification of transactions in the reporting;

Measurement of transactions in monetary terms, which allows reporting information in the correct. amounts;

Determination of the time period for the implementation of operations for the correct reflection of information in accounting;

Disclosure of information about transactions in financial statements in accordance with applicable principles and rules.

Control monitoring is management's ongoing monitoring that internal controls are within specified parameters and are modified in response to changing circumstances.

The main purpose of studying and evaluating the client's internal control system by the auditor is to prepare the basis for planning the audit and establishing the types, timing and scope of audit procedures.

If the auditor is satisfied that he can rely on appropriate internal controls, he is able to perform audit procedures in less detail and more selectively, and can also make changes to the nature of the audit procedures that will be applied and the planned time spent on them.

The auditor should be satisfied that the controls of the entity being audited achieve the following objectives:

Business operations are carried out with the consent of management, both in general and in specific cases;

All transactions are recorded in accounting in the correct amounts, on proper balance accounts, in the period of time in which they were carried out, in accordance with the accounting policy adopted by the client, and provide the possibility of preparing reliable financial statements;

Access to assets is possible only with the permission of the relevant managerial employee;

Compliance of recorded in accounting and actually existing assets is determined by management at regular intervals, and in case of discrepancies, appropriate actions are taken by management.

When determining the effectiveness of an internal control system, many factors are taken into account:

1) the circle of employees involved in the formation of information at the enterprise, and whether they have responsibility for the assigned work;

2) the presence of an orderly relationship between them in the conduct of business and the formation of information;

3) availability technical means control; availability of control technology;

4) controlled parameters.

The auditor must take into account that the internal control system cannot confirm with absolute certainty, but only with a certain degree of probability, that the objectives of its creation have been achieved. The reason for this is the inevitable limitations of the internal control system:

The natural desire of the management of an economic entity that the costs of implementing control measures are less than the economic benefits that cause the use of such measures;

Most controls aim to identify unwanted business transactions, not those that are unusual;

Errors due to negligence, inattention, incorrect judgment or misunderstanding of instructional materials by service employees;

Deliberate violation of the control system as a result of collusion of employees of an economic entity, both with other employees of this economic entity, and with third parties;

Violations of the control system due to abuse by management representatives responsible for the functioning of these aspects of control, ^

There is a widespread practice of significant changes in the conditions of doing business or accounting rules, as a result of which the adopted control procedures may cease to fulfill their functions.

The procedure for studying and evaluating the internal control system is mandatory when conducting an audit, regardless of the characteristics of the client. As a rule, this is carried out simultaneously with the verification of accounting data.

Having at its disposal the materials of the study performed before the conclusion of the contract, the report of the previous auditor conducts an examination of the internal control system by interviewing the customer's personnel, conducting its own observation, interviewing the previous auditor, studying organizational non-administrative and accounting documentation on the spot, studying the results of audits and inspections of all inspection bodies and so on.

The auditor uses the following methods of studying the internal control system:

Personnel survey;

Observation;

Request to the previous auditor;

Acquaintance with management and accounting documents;

Studying the documents of the previous research of the client,

Studying the results of audits and inspections of all inspection bodies;

Acquaintance with the existing requirements for the organization of the internal control system;

Testing of the internal control system.

Given that the accounting system occupies a significant place in the internal control system, the auditor should single out questions for its study and evaluation. Acquaintance with the accounting system includes the study, analysis and evaluation of evidence regarding the following aspects of the economic activity of the audited economic entity:

Accounting policy and basic principles of accounting. The auditor should make sure that the chosen accounting method accurately reflects the specifics of the client's activities;

Organizational structure of the unit responsible for accounting and preparation of financial statements;

Distribution of duties and powers between employees who take part in record keeping and reporting;

Organization of preparation, circulation and storage of documents reflecting business transactions;

The procedure for displaying business transactions in accounting registers, forms and methods for summarizing data from such registers;

The procedure for preparing periodic financial statements based on accounting data;

The role and place of computer technology in accounting and reporting;

Critical areas of accounting, where the risk of errors or distortions in financial statements is particularly high;

Controls provided in certain areas of the accounting system.

An external auditor should review the work of internal audit and assess its impact on the audit. ISA 610, Reviewing the Work of Internal Auditing, refers to the term “internal auditing” as an evaluation activity carried out within an organization, including the evaluation of the effectiveness of internal controls.

When assessing the effectiveness and reliability of the internal control system as a whole, the control environment and individual controls, the auditor may use the following assessments of the quality of internal control: “high”, “medium”, “low”.

The auditor evaluates the client's internal control system in three stages:

1. general familiarization with the internal control system;

2. initial assessment of the reliability of the internal control system;

3. confirmation of the correctness of the assessment of the internal control system.

At the stage of general familiarization with the internal control system, the auditor should get a general idea of the specifics and scope of the client's activities, his accounting system. Based on the results of familiarization, the auditor must decide on the advisability of relying on the client's internal control system in his work.

If the auditor decides that he cannot rely on the system of internal control, then he should plan the audit so that the auditor's report is not based on reliance on this system. This is also necessary in cases where the reliability of the system is assessed as “low” or if it is more convenient or economically justified for the auditor not to rely on this system.

If, based on the results of a general familiarization with the internal control system of an economic entity, the auditor decides that he can rely on the internal control system in his work, he should conduct an initial assessment of the reliability of the internal control system.

The primary assessment of the reliability of the internal control system is carried out on the basis of methods and techniques that audit organizations develop independently.

Based on the results of the initial reliability assessment procedure, the auditor may assess the reliability of the entire internal control system and individual controls as "medium" or "high". In this case, the auditor should plan audit procedures based on this assessment, but should not have absolute confidence in this system.

If, based on the results of the initial assessment procedure, the auditor evaluates the reliability of the internal control system as a whole and individual controls as “low”, he is obliged to ascertain this and plan audit procedures accordingly in the future.

The auditor who, following the results of the initial assessment procedure, made a decision to trust the internal control system, is obliged to carry out procedures for confirming the reliability of this assessment during the audit. The procedures for confirming the reliability of the assessment of the internal control system are carried out during the period of verification on the basis of methods and techniques that are developed by the audit organization independently.

If the external auditor intends to use the work of internal auditors, it is advisable to familiarize yourself with the internal audit plan, as well as agree on the timing of the procedures, materiality levels, methods for selecting sets for testing, the procedure for documenting the results of the procedures performed, and other significant aspects.

The nature and extent of the audit procedures to be performed by the external auditor in relation to the results of specific internal audit work are determined depending on the assessment of the risk of material misstatement, the preliminary assessment of internal audit work and the assessment of the results of specific work. Such procedures may include retesting items already audited by internal auditors, testing similar items, and reviewing the work of internal auditors.

The auditor shall, within a reasonable time, notify those charged with governance or the appropriate level of management of significant deficiencies in the design or operation of internal control that the auditor has identified.

The results of the evaluation of specific internal audit work and the procedures performed in relation to it should be described in the auditor's working papers.

In their working papers, the auditor should reflect:

The results of discussions with members of the audit team about the exposure of the client's financial statements to material misstatement as a result of fraud and error;

The results of the study of all aspects of the client's activities and all components of internal control in accordance with ISA 315 "Understanding the activities of the organization and assessing the risk of material misstatement"; sources of information involved for this; ongoing risk assessment procedures;

The results of identifying and assessing the risks of material misstatement at the financial statement and assertion levels;

The results of identifying and assessing significant risks and risks that are not

It is possible to obtain sufficient appropriate audit evidence from the entity's existing control procedures;

The results of the assessment of internal control in terms of responding to risks.

Questions for self-control:

What is information risk?

What are the ways to reduce information risk.

What types of risk does the auditor face in his professional activities?

What is the essence of audit risk?

What are the goals of audit practice in Ukraine?

Should the auditor, under certain conditions, strive for less audit risk?

In what range can the level of audit risk fluctuate?

What factors should the auditor consider and evaluate in determining the level of inherent risk?

What internal factors of the control environment do you know? Give examples.

How do you understand the concept: organizational structure as a factor of internal control?

How does the form of accounting affect the organization of internal control?

control risk?

What powers do enterprises have in implementing their own accounting policies?

What is own risk?

Where is the greater risk of control: when using machine media or paper?

How does the organization of an archive of accounting records affect the risk of control?

Who has the right to authorize business transactions?

Does restricting access to assets affect control risk?

How is the control risk assessment established?

What are the main questions you would include in a questionnaire to study the environment of control?

What are the main questions you would include in the questionnaire for studying the accounting system?

What is the methodology for assessing audit risk?

How is the audit risk assessment model formed?

What does testing involve to achieve ultimate assurance about the magnitude of internal control risk?

What factors contribute to the development of uniform standards for assessing audit risk?

What internal control systems do you know?

How does the general state of the economy affect the organization of internal control?

Does the subordination of enterprises affect the organization of internal control?

What control functions are carried out during the execution of primary documents?

List the special procedures for the implementation of internal control.

What forms of document processing reduce the risk of control?

Name the control procedures carried out by accounting workers.

At what stage does the auditor study the internal control system?

How does the assessment of control risk affect the choice of methodology and scope of the audit?

List the main methods of studying the internal control system.

Is it mandatory to document the results of the study of the client's internal control system?

Describe the structure of the internal control system and evaluate it.

How are rights and obligations distributed under internal control?

What methods of auditing the internal control system are used?

Name and describe the stages of the study of the internal control system.

Literature:

Questions organization of internal control for economic entities, individual organizational and legal forms are regulated by the following legislative acts of the Russian Federation:

Federal Law No. 208-FZ of December 26, 1995 “On joint-stock companies", paragraph 1 of Art. 85;
Federal Law No. 14-FZ of February 8, 1998 “On Companies with limited liability", paragraph 1 of Art. 47;
Federal Law No. 41-FZ of May 8, 1996 “On production cooperatives", paragraph 1 of Art. 18;
Federal Law No. 193-FZ of 08.12.1995 “On Agricultural Cooperation”, paragraph 1 of Art. thirty.

It should be noted that in the texts of these legislative acts the concepts of "internal control" and "audit" are identified. In terms of their content, these concepts are quite close to each other, which is confirmed by clause 18.1 of the Information of the Ministry of Finance of Russia No. PZ-11/2013.

Taking into account the above, we can conclude that it is necessary to regulate and fix in the administrative information of the economic entity responsibilities in terms of internal control.

Internal control is a process aimed at achieving a sufficient level of confidence that an economic entity ensures: the efficiency and effectiveness of its activities, including the achievement of financial and operational indicators, the safety of assets; reliability and timeliness of accounting (financial) and other reporting; compliance with applicable law, including when performing business activities and maintaining accounting records.

At present, the methodology for conducting internal control, as well as the methodology for assessing the effectiveness of internal control, have not been established by law and are the object of research by many scientists and specialists, including R.A. Alborov, V.B. Ivashkevich, N.N. Khorokhordin and V.G. Shirobokov.

Unfortunately, not all economic entities, especially in companies from the small business segment, currently have internal control services. At the same time, in those companies where internal control is organized, the analysis of its effectiveness is often not carried out.

Internal control is one of the main functions of management, in the absence of which it is impossible effective management economic entity. It is internal control that allows the development and implementation of solutions for efficient use resources. The process of managing financial and economic activities can be characterized both as an interconnected, one-time or periodic targeted impact of the totality of its functions on an object, and as a process carried out in a temporal aspect and in a spatial hierarchy.

The management system of any economic entity is inextricably linked with accounting and control systems. The presence of accounting and control in corporate management is explained by the need to generate information on each fact of economic life, including those associated with the use of material, labor and financial resources, which allows to increase the efficiency of financial and economic activities of an economic entity.

It should be noted that not all user groups have equal access to information generated by internal control and accounting services. As a rule, the administration can have unlimited access to information, and owners can have partial access. Therefore, internal control must be organized in such a way as to realize the possibility of providing necessary information for management purposes on different levels hierarchy, with different requirements for its completeness, form and content. Internal control in the management system of an economic entity can function effectively only in conjunction with other management functions. The connection of control, accounting and analytical processes allows you to best solve the problem information support management.

The interaction of the powers of control bodies is realized through the function of managing an economic entity, which is quite fully disclosed in their work by S.R. End, V.A. Karasev and N.K. Kostenkov. The relationship of management functions, reflected by these scientists in their work in the form of a diagram (Fig. 1).

Figure 1. Interrelation of control functions commercial organization when exercising control

Thus, the mutual influence of management functions is undeniable, which must be indicated in the course of assessing the effectiveness of the organization's internal control.

The purpose of internal control is determined by each economic entity independently. Thus, according to the information of the Ministry of Finance of Russia No. PZ-11/2013, internal control contributes to the achievement by an economic entity of the goals of its activities and should ensure the prevention or detection of deviations from established rules and procedures, as well as distortions of accounting data, accounting (financial) and other reporting. The implementation of control actions is impossible without considering its components.

In this information, the Ministry of Finance of the Russian Federation identifies as the main elements of internal control of an economic entity:

control environment;
risk assessment;
internal control procedures;
information and communication;
assessment of internal control.

The analysis of the above document and the work of individual specialists allows generating data to characterize the elements of internal control, including the use of organization resources, which are systematized in Table. 1.

Table 1. Characteristics of the elements of the internal control system

Control environment	Risk assessment	Internal control procedure	Information and communication	Assessment of internal control
A set of principles and standards for the activity of an economic entity	Risk Identification and Analysis Process	Actions aimed at minimizing risks affecting the achievement of the goals of an economic entity	Ensures the functioning of internal control and the possibility of achieving the set goals	Carried out in relation to the elements of internal control in order to determine their effectiveness and efficiency, as well as the need to change
Purposefulness. Timeliness. Effectiveness. Objectivity. Consistency. Confidentiality. Flexibility. Simplicity	Origin and existence. Completeness. Rights and obligations. Evaluation and distribution. Presentation and disclosure	Documenting. Confirmation of conformity between objects (documents) or their compliance with established requirements. Sanctioning (authorization) of transactions and operations, providing confirmation of the eligibility of their commission. Data reconciliation. Separation of powers and rotation of duties. Procedures for monitoring the actual presence and condition of objects, including physical security, access restriction, inventory. Supervision, providing an assessment of the achievement of set goals or indicators. Procedures related to computer processing of information and information systems	Information systems of an economic entity. Spread of information	Monitoring of internal control. Periodic evaluation of internal controls

It should be noted that, in the elements of internal control, the issue of assessing the effectiveness of internal control is not sufficiently developed, both for management purposes and for the purposes of an independent audit of financial statements. As a result, there is no methodological framework that allows companies to carry out efficient work over mistakes and influencing managerial decision-making. Therefore, for the purposes of management, it is most significant and necessary for economic entities to form a system of indicators and criteria for evaluating the effectiveness of internal control over the use of resources, including material, labor and financial ones.

Another problem is the absence in the Russian Federation of general criteria for evaluating efficiency, which is explained by the lack of internal control standards or their insufficient development. As R.O. Kostirko, the issue of assessing the quality of the activities of subjects of internal control is complicated by the fact that "in the economic literature, the issues of the theory of the effectiveness of control and the generalization of the characteristics of its quality" are not sufficiently developed. To assess the effectiveness of internal control, domestic scientists propose to use individual private indicators, and the proposed recommendations aimed at improving the effectiveness of control are of a local nature. Available methods for assessing the effectiveness of internal controls are limited to assessing the effectiveness of internal controls due to risk reduction.

In recent years, increased attention has been paid to internal control at the international level. The result of work in this area was the development of a number of documents that attempt to identify, evaluate, describe and identify areas for improving internal control. Short description individual documents are presented in Table. 2.

Table 2. Characteristics of internal control models

Document (model)	Short description
Standard "Targets of control when using information technologies» (Control Objectives for Information and Related Technology, COBIT)	Developed by the Association for Audit and Control of Information Systems ISACA (Informatio № Systems Audit and Control Foundation "s Control Objectives for Informatio № and Related Technology). Contains a toolkit for the full and effective performance of duties to control the security of information systems
Report "Control and audit of systems" (Security access control, SAC)	Prepared by the Research Foundation of the Institute of Internal Auditors (Institute of Internal Auditors Research Foundation "s Systems Auditability and Control). Contains explanations for internal auditors on the control and audit of information systems and technologies
Report "Internal control: an integrated approach" (COSO model - Committee of Sponsoring Organizations of the Treadway Commission)	Prepared by the Committee of Sponsoring Organizations of the Treadway Commission's Internal control - Integrated Framework. Provides guidance to management on assessing, describing and improving control systems
Statement on consideration of the internal control structure in the audit of financial statements (Statement on Auditing Standards 55, SAS 55)	Approved by the American Institute of Certified Public Accountants (America№Institute of Certified Public Accountants" Consideration of the Internal Control Structure i№a Financial Statement Audit) as amended (SAS 78). SAS 55 and SAS 78 provide guidance to external auditors regarding the impact of internal control over planning and conducting an audit of the entity's financial statements

Since the listed documents were developed by different bodies for different target groups, there may be some inconsistencies between them. However, each document focuses on internal controls and a particular target group. A comparison of the documents shows that each of them builds on the ideas of the previous documents.

Noteworthy is the comparison of the concepts of internal control, which is given on the website Bankir.ru (Table 3).

Table 3 Comparative analysis concepts of internal control

Comparison criterion	Regulatory document
Comparison criterion	COBIT	SAC	COSO	SAS 55/78
Main target group	Management. Users. Information systems auditors	Internal auditors	Management	External auditors
Internal control	A set of processes, including norms, procedures, practices and organizational structures	A set of processes, subsystems and people	Process	Process
Organizational objectives of internal control	Efficient and efficient operations. Confidentiality, integrity and availability of information. Reliable financial reporting. Compliance with laws and regulations		Efficient and efficient operations. Reliable financial reporting. Compliance with laws and regulations	Reliable financial reporting. Efficient and efficient operations. Compliance with laws and regulations
Components or zones	Zones: planning and organization; acquisition and implementation; delivery and support; monitoring	Components: control environment; manual and automatic systems; control procedures	Components: control environment; risk management; control actions; information and communication; monitoring	Components: control environment; risk assessment; control actions; information and communication; monitoring
Focus	Information Technology	Information Technology	Whole organization	Financial statements
Evaluation of the effectiveness of internal control	Over a period of time	Over a period of time	At the point in time	Over a period of time
Responsibility for internal control	Management	Management	Management	Management

Evaluation of the effectiveness of internal control must begin with its organization, since only a well-organized system can be effective. Sufficiently detailed requirements for the organization of internal control are set out in the already mentioned information of the Ministry of Finance of Russia No. PZ-11/2013.

The system of internal control over the use of resources cannot be effective without clearly defined powers of the control bodies of an economic entity. The delimitation of the control powers of departments is an internal affair of each organization and depends entirely on the interaction of corporate governance, the risk management system and internal control itself. The organization of effective interaction between departments involved in management is another problem in assessing the effectiveness of internal control. The scheme of interaction between divisions of an economic entity in the implementation of control measures is shown in fig. 2.

Figure 2. Interaction of competencies (authorities) of the control units of the organization

When developing a methodology for assessing the effectiveness of internal control, it is necessary to clearly formulate the methods for its implementation, depending on the goals set by corporate management. As a result, controls may vary. At the same time, the lists of procedures for assessing the effectiveness of internal control applied within each event will be similar:

control and approval of documents;
verification of arithmetic entries;
maintenance and verification of analytical reports;
preparation and approval of reports, as well as bringing reports to the attention of management.

When evaluating the effectiveness of internal control, a hierarchical "ladder" of methods and methods of evaluation, shown in Fig. 1, can be used. 3.

Figure 3. Hierarchy of techniques and methods for assessing the effectiveness of internal control

Internal control procedures are actions aimed at minimizing risks that affect the ability to achieve the goals of an economic entity.

A survey of the personnel of an economic entity is conducted in order to assess their knowledge and qualifications, as well as to obtain information on the procedure for committing the facts of economic life and the functioning of internal control. Observation of the facts of economic life and the implementation of internal control allows you to confirm the fact of its existence and effectiveness. Analytical techniques are used when it is necessary to highlight formalized indicators for assessing internal control.

Verification of evidence of internal control and its results is applied if its results have been documented.

Re-conducting the internal control procedure is applied if all other methods failed to provide sufficient evidence of the effectiveness of internal control and its documenting absent.

The opinion of the inspector, which is formed in the course of assessing the effectiveness of internal control, serves as the basis for making any decisions based on it.

According to the authors, the results of assessing the effectiveness of internal control should be documented. There are no special requirements for the execution of the final document based on the results of the assessment of internal control. At the same time, it should be noted that the generated document must be sufficient and appropriate and meet criteria such as: simplicity; visibility; understandability; neutrality of information, etc.

It is advisable to assess internal control based on the following requirements for the implementation of control measures: the proportion of a sample of documents or objects of control; the validity of the identified deviations; consideration of possible causes of errors; developing recommendations for correcting errors; assessment of the impact of errors on managerial decision-making (risks of ineffectiveness of managerial decisions caused by undetected errors).

Based on these criteria, benchmarks should be summarized on a specific checklist. The assessment of internal control is carried out as a percentage. 100% is assigned if all documents are checked and there are no comments on the control results. Accordingly, zero percent is assigned if control measures in any direction were not carried out.

As can be seen from the specified file, in paragraph 1 of the control sheet, the evaluation result of 80% was obtained in the following way:

100% of the existing sample (documents) were subjected to control actions in terms of internal control regulation;
inspectors during internal control provided recommendations for eliminating violations;
internal control specialists decided that 80% of the recommendations were feasible and effective.

Total 80% (80% x 100%).

Based on the data set out in the checklist, it is necessary to evaluate the effectiveness of the organization's internal control based on the professional judgment of the person carrying out the effectiveness assessment. As N.V. Generalov and S.N. Karelskaya, one of the most frequently cited definitions of “professional judgment” is presented by L.Z. Shneidman:

Professional judgment is an opinion, a conclusion, which is the basis for making a decision under conditions of uncertainty. It is based on the knowledge, experience and qualifications of the relevant professionals.

The article notes that “professional judgment can be characterized as a reasonable opinion of a professional accountant, expressed in conditions of uncertainty in qualification, valuation, classification and assessment of the significance of the facts of economic life for the purposes of accounting, based on available, on this moment time of complete, reliable and objective information, as well as the features of the functioning of an economic entity. According to the authors, from the point of view of assessing internal control, no one can characterize internal control more reliably than professional accountant or an auditor.

If we take into account the requirements for internal control, then we can formulate separate approaches to standardizing the quality of assessments to form the professional judgment of the inspector:

validity of professional judgment (based on documented and verified results);
consistency (obtained performance evaluation data do not contradict other relevant information);
consistency (performance evaluation is based on a system of indicators and criteria fixed by internal documents in the organization);
observance of the priority of economic content over form (elevation of economic information over legal information in the course of assessing the internal control system);
objectivity (comprehensive consideration of the criteria and indicators for evaluating the effectiveness of the internal control system of an economic entity).

It is advisable to fix the procedure for assessing internal control in the local regulatory act of the organization. This can be both an accounting policy and a separate document, for example, a regulation on internal control, the formation of the second document seems to be the most rational.

The regulation on internal control of the organization should fix the internal principles for conducting inspections of the facts of economic life and other accounting objects, as reflected in 402-FZ and other federal accounting standards. The development of internal control standards requires significant labor and financial resources.

In the regulation on the internal control of the organization or in another local act of the economic entity, it is necessary to determine the indicators that the inspector will use to assess the effectiveness of internal control. So, for large organizations, it is preferable to create a separate standard, for small and medium-sized enterprises - the introduction of a separate paragraph. In addition, it is very important for the management of the organization to carry out work aimed at improving the quality of internal control. It is advisable to carry out additional activities: interviewing employees, analyzing archival data and conducting statistical studies, which can analyze the percentage of correctly executed documents, the percentage of claims from the Federal Tax Service (IFTS) that were defended in pre-trial contestation of decisions, etc.

An economic entity needs to carry out work aimed at integrating individual components of internal control into a single environment and a single information field. All functions of control units must be clearly defined (fixed in a local act reflecting their interaction and functions) and complement each other, creating a single protective space. In addition, it seems appropriate to create a unified automated risk control system, including a unified database of risk events of an economic entity. The latter will undoubtedly contribute to the prevention of risks and increase the efficiency of the functioning of the internal control of an economic entity. To assess the effectiveness of internal control, it is advisable, according to the authors, to use tests developed by Professor R.A. Alborov and used in practical audits by many audit firms.

From the analysis of the presented test data, it follows that in this example, the level of organization of internal control over research questions is low and below average. The main disadvantage of on-farm control is the lack of actual control over the receipt, availability and use of materials.

If individual deficiencies are identified during the study and evaluation of the effectiveness of the internal control system, it is recommended to use the following procedures:

consideration of the nature and causes of the ineffectiveness of internal control;
conducting additional verification or testing of the system (if the inspector deems it necessary);
identification of directions and formulation of recommendations in terms of eliminating the identified shortcomings.
When formulating recommendations to eliminate identified deficiencies in internal control, it is necessary to:
describe the lack of internal control and the associated risk;
describe the actions to be taken to correct the deficiency;
appoint a person responsible for eliminating the deficiency;
set deadlines for correcting the deficiency.

It should be noted that internal control should be aimed at identifying and preventing all errors, both significant and insignificant. Internal control is carried out by both the accounting service and the internal control service or audit departments, and if the internal control service can use selective methods during inspections, then the accounting service has a continuous audit method.

The recommended working document generated in the internal control system, containing recommendations for eliminating the identified deficiencies in the internal control system using materials as an example, is presented in the following example.

Thus, during the assessment of control procedures, it is very important to minimize the risks associated with accounting, which is achieved by the formation of recommendations to eliminate the identified shortcomings in the internal control system.

Figure 4. Scheme of formation of information flows in the process of assessing the effectiveness of the internal control system

In conclusion, it should be noted that due to the lack of a clearly formulated standard in terms of assessing the effectiveness of internal control, economic entities have to independently form an opinion on the compliance of internal control with the goals and objectives of their activities, as well as to check the effectiveness of control measures according to their professional judgment.

Bibliography:

Alborov R.A. Audit in organizations of industry, trade and agro-industrial complex: Proc. allowance. Moscow: Delo i Service, 2003. 464 p.
Belik V.D., Skakun L.S. Development of methodological approaches to assessing the quality of activities of subjects of internal control: the use of qualimetric methods // International Accounting. 2012. No. 42. pp. 48-57.
Generalova N.V., Karelskaya S.N. The use of professional judgment in different periods of the development of regulatory accounting in Russia // International Accounting. 2013. No. 33.
Gorodilov M.A. International Auditing Standard No. 610 "Using the results of the work of internal auditors": new edition // Auditor. 2013. No. 8. pp. 56-63.
Gubaidullina A.R. Accounting principles governing the exercise of an accountant's professional judgment in the context of a transition to international standards financial statements // International accounting. 2012. No. 28.
Kontsevaya S.R., Karasev V.A., Kostenkova N.K. Development of internal control in the management system of agricultural production // International Accounting. 2014. No. 2.
Kotlyachkov O.V. Criteria and evaluation indicators in the audit of the effectiveness of the use of investment funds // Vestnik IPB. 2013. No. 4. pp. 39-48.
Ostaev G.Ya., Kontsevaya S.R., Galliamova T.R. Formation and standardization of internal audit in commercial organizations // International accounting. 2012. No. 45.
Shirobokov V.G., Katelikova T.I. Directions for the audit of supply and marketing agricultural consumer cooperatives// Accounting in agriculture. 2012. №4.
Khorokhordin N.N. Internal Audit Service: Stages of Creation, Goals and Tasks // Auditorskie Vedomosti. 2007. No. 10.
Kostirko R.O. Evaluation of the effectiveness of internal control in the management of enterprise business.

The issues of organizing internal control in economic entities of certain organizational and legal forms are regulated by the following legislative acts of the Russian Federation:

1. Federal Law No. 208-FZ of December 26, 1995 “On Joint Stock Companies”, paragraph 1 of Art. 85;

2. Federal Law No. 14-FZ of February 8, 1998 “On Limited Liability Companies”, paragraph 1 of Art. 47;

3. Federal Law No. 41-FZ of May 8, 1996 “On Production Cooperatives”, paragraph 1 of Art. 18;

4. Federal Law No. 193-FZ of 08.12.1995 “On Agricultural Cooperation”, paragraph 1 of Art. thirty.

Currently, there is no VC in small businesses, and if there is, it is poorly organized. Internal control is one of basic management functions, in the absence of which it is impossible to effectively manage an economic entity. It is internal control that allows developing and implementing solutions for the efficient use of resources.

The presence of accounting and control in corporate governance is explained by the need to generate information on each fact of economic life, including those associated with the use of material, labor and financial resources, which makes it possible to increase the efficiency of the financial and economic activities of an economic entity.

It should be noted that not all user groups have equal access to information generated by internal control and accounting services. As a rule, the administration can have unlimited access to information, and owners can have partial access. Therefore, internal control must be organized in such a way as to realize the possibility of providing the necessary information for management purposes at different levels of the hierarchy, with different requirements for its completeness, form and content. Internal control in the management system of an economic entity can function effectively only in conjunction with other management functions. The connection of control, accounting and analytical processes allows the best solution to the problem of information support for management.

The purpose of internal control is determined by each economic entity independently. So, according to the information of the Ministry of Finance of Russia No. PZ-11/2013 internal control contributes achievement by the economic entity of the goals of its activities and should ensure the prevention or detection of deviations from the established rules and procedures, as well as distortions of accounting data, accounting (financial) and other reporting. The implementation of control actions is impossible without considering its components.

In this information, the Ministry of Finance of the Russian Federation identifies as the main elements of internal control of an economic entity:

the control environment;

risk assessment;

· internal control procedures;

information and communication;

· Evaluation of internal control.

Table 1. Characteristics of the elements of the internal control system

Control environment	Risk assessment	Internal control procedure	Information and communication	Assessment of internal control
A set of principles and standards for the activity of an economic entity	Risk Identification and Analysis Process	Actions aimed at minimizing risks affecting the achievement of the goals of an economic entity	Ensures the functioning of internal control and the possibility of achieving the set goals	Carried out in relation to the elements of internal control in order to determine their effectiveness and efficiency, as well as the need to change
Purposefulness. Timeliness. Effectiveness. Objectivity. Consistency. Confidentiality. Flexibility. Simplicity	Origin and existence. Completeness. Rights and obligations. Evaluation and distribution. Presentation and disclosure	Documenting. Confirmation of conformity between objects (documents) or their compliance with established requirements. Sanctioning (authorization) of transactions and operations, providing confirmation of the eligibility of their commission. Data reconciliation. Separation of powers and rotation of duties. Procedures for monitoring the actual presence and condition of objects, including physical security, access restriction, inventory. Supervision, providing an assessment of the achievement of set goals or indicators. Procedures related to computer processing of information and information systems	Information systems of an economic entity. Spread of information	Monitoring of internal control. Periodic evaluation of internal controls

It should be noted that, in the elements of internal control, the issue of assessing the effectiveness of internal control is not sufficiently developed, both for management purposes and for the purposes of an independent audit of financial statements. As a result, there is no methodological base that allows companies to carry out effective work on errors and influencing managerial decision-making. Therefore, for the purposes of management, it is most significant and necessary for economic entities to form a system of indicators and criteria for evaluating the effectiveness of internal control over the use of resources, including material, labor and financial ones.

Another problem is the absence in the Russian Federation of general criteria for evaluating efficiency, which is explained by the lack of internal control standards or their insufficient development. In recent years, increased attention has been paid to internal control at the international level. The result of work in this area was the development of a number of documents that attempt to identify, evaluate, describe and identify areas for improving internal control.

control and approval of documents;

check of arithmetic records;

maintaining and checking analytical reports;

preparation and approval of reports, as well as bringing reports to the attention of management.

When evaluating the effectiveness of internal control, a hierarchical "ladder" of methods and methods of evaluation, shown in Fig. 1, can be used. 3.

Figure 3. Hierarchy of techniques and methods for assessing the effectiveness of internal control

Internal control procedures are actions aimed at minimizing risks that affect the ability to achieve the goals of an economic entity.

Verification of evidence of internal control and its results is applied if its results have been documented.

Re-conducting the internal control procedure is applied if all other methods failed to provide sufficient evidence of the effectiveness of internal control and its documentation is missing.

The opinion of the inspector, which is formed in the course of assessing the effectiveness of internal control, serves as the basis for making any decisions based on it.

Collateral control information security constitutional rights and freedoms of citizens, enterprises and organizations in the field of informatization;

Necessary level of security of information to be protected;

· security of systems for the formation and use of information resources (technologies, systems for processing and transmitting information).

The key point of the state policy in this area is the awareness of the need to protect any information resources and information technologies, the misuse of which can cause damage to their owner, owner, user or other person.

Regulations legal regulation issues of informatization and information protection in the Russian Federation include:

Laws of the Russian Federation

Decrees of the President of the Russian Federation and approved by these decrees regulations

Decrees of the Government of the Russian Federation and normative documents approved by these decrees (Regulations, Lists, etc.)

State and industry standards

· Regulations, Orders. Guiding documents and other regulatory and methodological documents of authorized state bodies (State Technical Commission of Russia, FAPSI, FSB).

Federal laws and other regulations provide for:

Separation of information into categories of free and restricted access, and restricted information is divided into:

o classified as a state secret

o classified as an official secret (information for official use), personal data (and other types of secrets)

o and other information, the misuse of which may cause damage to its owner, owner, user or other person;

· legal regime of information protection, mishandling of which may cause damage to its owner, owner, user and other person, as determined by:

· in relation to information classified as state secrets, by authorized state bodies on the basis of the Law of the Russian Federation "On State Secrets" (dated July 21, 1993 N 5485-1);

· in relation to confidential documented information - by the owner of information resources or an authorized person on the basis of the Law of the Russian Federation "On Information, Informatization and Information Protection" (dated February 20, 1995 N 24-FZ);

in relation to personal data - by a separate federal law;

· activity licensing enterprises, institutions and organizations in the field of information security;

· attestation automated information systems that process information with limited access for compliance with information security requirements when working with information of an appropriate degree of confidentiality (secrecy);

· certification of protective equipment information and means of monitoring the effectiveness of protection used in the AU;

· entrusting decisions on the organization of licensing, attestation and certification to government bodies within their competence, determined by the legislation of the Russian Federation;

Creation of automated information systems in a secure design and special units that ensure the protection of information with limited access, which is the property of the state, as well as monitoring the security of information and granting the right to prohibit or suspend the processing of information in case of failure to comply with the requirements for ensuring its protection;

· definition of the rights and obligations of subjects in the field of information protection.

Analysis of the effectiveness of the internal control system of a commercial organization. The effectiveness of internal control: problems and evaluation criteria Evaluation of the effectiveness of the internal control system in the organization

Interesting articles

Interesting articles