Nakenov B.

Kazakh Economic University named after T.Ryskulov, Kazakhstan

 

Auditing of the Internal Control System

Internal control system (ICS) can be defined as the combination of the organizational structure management and the efforts, methods, procedures adopted and permanently realized by the management of the company. The aforementioned activities are aimed at the following goals and objectives:

·        improvement of the company’s activity and its management structures;

·        provision of the financial-economic activity effectiveness;

·        safety of the company’s assets;

·        internal and external risks’ prevention;

·        assurance of the reports and statements of the company;

·        observance of the legislation and internal documentation requirements as well as the regulations accepted within the company.

Reliable ICS is the key element of the company’s corporate governance system and it allows the company’s management to reach adequate decision with respect to the improvement of the company’s business processes; identification, prevention and restriction of the operational, financial and other types of  risks in active and effective way; provision of the reasonable confidence in achieving strategic goals of the company and its shareholders.

Formation of the reliable ICS, which is able to increase business effectiveness and protect shareholders’ interests, is the responsibility of the company’s management. However, even the “well-built” and organized ICS needs to be evaluated from the standpoints of effectiveness and economy.  The role of independent and professional appraiser evaluating the reliability and effectiveness of existing ICS should be fulfilled by the internal audit, which evaluates the ICS and thereafter suggests recommendations for its improvement (optimization).

One of the core audit procedures directed to achievement of adequate conclusions in relation to reliability and effectiveness of ICS operation is testing the actual risk management procedures taking into account the risks peculiar to the business process being analyzed.

When performing the test for ICS reliability the auditor aims at identifying probability of achieving the goal set towards the control procedure, which in turn allows the owner of the analyzed risk to effectively manage the given risk. In this respect the control procedure goal is defined by the auditor based on the analysis of the process, interview with the owner of the process or independently with reference to the “best practices” of organizing the given processes in similar companies.

Generally, testing is performed by the auditor on a sample basis. The sample size should provide enough grounds for the auditor to be confident in the fact that the conclusions made on the basis of sample data analysis would be applicable for the whole size of data (in the aggregate) being sampled and tested. Moreover, the sample size could be defined either with an application of special formulas derived from probability theory and mathematical statistics or based on professional judgment of the auditor.

Referring to the testing results the auditor should give an assessment for the existing ICS in terms of managing the risk being analyzed. The evaluation should also indicate the possible scenarios of the given risk realization (taking into account the extrapolation of the sample test results for the whole aggregate). If required the auditor would formulate the recommendations regarding arrangement and optimization of the existing ICS for the business process purposes.

ICS assessment should be performed taking into consideration the fee for the control procedure alone as well as the cost required for the creation and support of the whole ICS. Recommendations concerning the existing ICS arrangement and optimization should be reasonable from the “cost-benefit” analysis standpoint. In case several control procedures are operating with a purpose of managing one risk or related (dependent) risks it is required to make an assessment for different scenarios of using control procedures  so that extra (duplicating) procedures are excluded.   

The analysis of control procedure effectiveness is performed with respect to provision of reasonable assurance for achievement of the analyzed business process’s corresponding goals.

Effectiveness and adequacy of internal control system should be defined bearing in mind not only the specific forms, methods of control, quantity of people involved in control, number of conducted inspections and identified errors (mistakes) but also management and the company owners’ activity (or failure), which is directed to incorporation of internal control in all business processes, prompt risk assessment, and effectiveness of control procedures used for mitigation of risk effects. In this regard detection of disadvantages or violations could be considered as an alarm signaling potential problem related with an absence or wrong operation of control system; and this requires thorough analysis of the reasons and good understanding of business process.  

The joint work of internal audit with the management of the company in terms of building and optimization of ICS is mainly directed to control over the program of correcting actions, which were considered as necessary in view of the audit findings.

Another direction of the aforementioned collaboration is related with provision of consulting support for the management. Top management of the company is responsible for creation of reliable ICS and maintenance of the system’s proper operation. However management of the company usually needs for additional specific knowledge and skills in the areas such as internal control and risk management. Thereby internal audit could be attracted as a consultant on the issues relating to testing of the introduced internal control procedures, assessment of control methods, examination of the internal control procedures’ fulfillment as well as a provider of methodological support during organization of internal control processes and risk management.