Ryabov O.V.
Organising Issues of Operative System of Internal Control in Banking Sector
Monograph
ISBN 978-5-4480-0344-8
St. Petersburg
2021
Ryabov O.V. Organising Issues of Operative System of Internal Control in Banking Sector: Monograph. Ministry of Education and Science, North-West Institute of Management, branch of RANEPA. St. Petersburg: Consulting company Ucom, 2021. 114 p.
ISBN 978-5-4480-0344-8
https://ukonf.com/doc/mon.2021.04.02.pdf
Reviewers: Aleksey Shipitsyn, Candidate of Economic Sciences, Project management Llc., St. Petersburg
The Author: Oleg Ryabov, Candidate of Economic Sciences, associate Professor, North-West Institute of Management, branch of RANEPA, St. Petersburg
The information about published Monograph is given to the RISQ system (contract № 856-08/2013K)
Monograph. Format 60×84/16. Printed sides 7,13. Consulting company Ucom, 392000, Tambov, PO box 44. Circulation 500 pcs.
© 2021, Ryabov O.V.
CONTENTS
Introduction
Chapter 1. Theoretical basis of internal audit
1.1. The essence of internal audit: concept, goals, objectives and rights
1.2. The role of internal audit in the management system of an economic entity
1.3. The place of internal audit in the organization's management system and its importance
Chapter 2. Basics of organizing the functioning of the internal control system in credit institutions
2.1. Financial audit and compliance control as methods of internal control
2.2. The main methods for assessing the quality of the internal control system
Chapter 3. Organization of the internal control system and the importance of ICS
3.1. Organization of the internal control system on the example of Russian banks
3.2. Recommendations for building an internal control service in credit institutions
3.3. Methodological approaches to the formation of the auditor's report
Conclusion
List of references
Introduction
The banking sector is considered unique among other sectors of the economy, as it is a supplier of financial resources and a manager of settlements between business entities. Improving the quality of management of a credit institution is a prerequisite for increasing the competitiveness of the bank, which guarantees the successful development of the banking business in the long term. The results of the internal auditors' work have become more visible to the management of commercial banks, as the quality of the internal audit staff, internal control and risk services has come to be used by supervisory authorities to assess the control environment and to decide on the amount of contributions to the deposit insurance system.
One of the most effective tools for identifying opportunities for improving the efficiency of activities, the quality of bank management, and, therefore, one of the competitive advantages of a credit institution can be an effective internal control system. The value of such a system is due to the following.
Firstly, the activities of financial institutions are primarily associated with the ability to attract funds from customers, which places higher demands on the stability, reliability and safety of credit institutions. Secondly, the activities of financial institutions are predominantly intangible in nature. The main component of their activities is the identification, assessment and management of events that may have an impact on their activities. That is, financial institutions help clients achieve their goals by using available opportunities or by reducing the impact of negative factors. At the same time, the key to the effective activity of a credit institution is a constant change in the existing set of services provided¹. Thirdly, given that the activities of financial institutions affect the financial stability and stability of their clients and counterparties, the state pays increased attention to the control and supervision of this area. As a result, special attention is paid to the creation of an internal control system that will adequately assess and manage risks.
1 Malykhin D., Tikhomirov A. Features of the functioning of internal control and audit in banks. // http://www.iia-ru.ru/publication
Regulation of the activities of financial organizations is expressed in the development of requirements that are mandatory for application in current activities.
The monograph analyzes the role of the internal control service and the internal audit service in the management of banking risks by assessing the system of organizing internal control in the bank.
The relevance of the topic is due to a significant increase in the importance of the internal control function in banks in the context of the ongoing global financial crisis. The practical significance of the monograph lies in recommendations for improving the efficiency of internal audit and internal control services in credit institutions.
The object of the research is the internal control service and the internal audit service.
The subject of the research is the process of internal control in a bank as a tool that ensures the effectiveness of the bank's control in managing bank risks.
The theoretical basis of the monograph was the work of such researchers as R. Adams, A. Daley, B. Stanmeier, Hahn D., Cochran C., Brown L.M., Russell J.P., Spencer Pickett K.H., Kiran D.R., Reichmann Th., Utkin E.A., Beloglazova G.N., Kroliveskaya L.P., Sukhanov M.S., Zemskov V.V., Zadorozhnaya K.A., Pashkov R.V., Yudenkov Yu.N., Lotobaeva G.G., Tavasiev A.M., Tarasov I.T. and others.
The main purpose of the monograph is to identify the role of the internal control service and the internal audit service in the management of banking risks.
In accordance with the set goal, the following tasks are solved in the monograph:
– to reveal the essence of the concept of internal control of a commercial bank;
– analyze the existing regulatory framework for organizing the internal control of the bank;
– define the role and functions of the internal control service and the internal audit service in the bank's internal control system;
– evaluate options for organizing and forming internal control and audit services of the bank;
– give practical advice on the specifics of conducting internal audits;
– explain the subtleties of writing an audit report by an internal auditor of a commercial bank using specific examples.
Chapter 1. Theoretical basis of internal audit
1.1. The essence of internal audit: concept, goals, objectives and rights
Internal audit is understood as a control system organized by an economic entity, acting in the interests of its management and (or) owners, regulated by internal documents, over the observance of the accounting procedure and the reliability of the internal control system.
Internal audit is an activity regulated by the internal documents of the organization to control the levels of management and various aspects of the functioning of the organization, carried out by representatives of a special control body in the framework of assistance to the management bodies of the organization in establishing the legality of business operations carried out by employees and their economic feasibility for the enterprise, in compliance with the established procedure for maintaining accounting. Internal audit is the activity of providing independent and objective guarantees and advice aimed at improving the economic activities of an organization. It helps an organization achieve its goals by using a systematic and consistent approach to assess and improve the effectiveness of risk management, control and corporate governance systems. It is worth noting that the organization, goals, role and functions of internal audit are determined by the management and (or) the owner of the economic entity, depending on the organizational and legal form and the existing management system, the content and specifics of activities, the volume of financial and economic activities and the state of internal control².
2 Itkin Yu.M. Problems of the formation of audit. M.: Finance and statistics, 2016, P.13.
The objectives of the organization of the internal control system at the enterprise are: implementation of orderly and efficient activities of the enterprise, including profitability and protection from losses; ensuring that each employee of the enterprise complies with the management policy; ensuring the safety of property; maintaining good relationships with regulatory authorities.
Since external and internal control are interdependent components of a unified control system, in the development of tasks facing internal auditors, as well as in the performance of functions, it is necessary to take into account the important role of the services accompanying audit, detailed in the Federal Law No. 119-FZ "On Auditing Activity", which will allow a more specific, legislatively justified assessment of the possibility of implementing such internal audit services, which should be understood as: accounting and tax consulting; analysis of the financial and economic activities of the organization, economic and financial consulting; management consulting, including that related to organization restructuring; legal advice, as well as representation in court and tax authorities on tax and customs disputes; accounting automation and implementation of information technologies; appraisal of property value, appraisal of enterprises as property complexes, as well as entrepreneurial risks; development and analysis of investment projects, drawing up business plans; marketing research; provision of other services related to audit activities.
To achieve the above goals of organizing the internal control system, it is necessary to solve the following tasks: periodic control over the financial and economic activities of the parent organization and its branches; analysis of economic and financial activities and assessment of economic and investment projects, economic security of accounting systems and internal control of the parent organization and its branches. The solution to this problem makes it possible to increase the efficiency of the activities of individual separate divisions and the entire organization as a whole, which will make it possible to fully fulfill the main goal set for the internal audit service; seminars, professional development and training of personnel, assistance to the HR department in the selection and testing of accounting personnel of the parent organization and its branches; to ensure that the computer programs that control the functioning of the accounting system, including the formation of primary documents, their analysis and posting to accounts, cannot be falsified; enterprise funds should not be misappropriated or ineffectively used; internal reporting should be promptly transferred to persons authorized to make management decisions for its optimal use; scientific development, publication of methodological manuals and recommendations on accounting, taxation, analysis of financial and economic activities, audit, business law, and information services for the head organization and its branches; advising on financial, tax, banking and other economic legislation, investment activities, management, marketing, tax optimization, registration, reorganization and liquidation of enterprises. An accountant in charge of day-to-day work may need professional help in unusual or rare economic situations, as well as in case of significant changes in legislation. Interaction with external auditors, representatives of tax authorities and other regulatory authorities.
To solve problems, the internal audit service is endowed with certain rights:
– checking accounting registers and primary documents, the availability of money, valuables and securities at the cash desk, researching estimates, plans and other documents of financial and economic activities;
– acquaintance with orders and instructions of the head, decisions of meetings of founders, shareholders, board and officials, already concluded and draft (non-concluded) contracts with organizations and other documents;
– inspection of construction sites, territories, warehouses, workshops and other production, utility and office premises, storage areas for finished products, equipment, etc.;
– checking the availability, condition and safety of property, inventory items from materially responsible persons;
– the requirement for a full or partial inventory of the property and obligations of the organization or inventory directly by the auditor with the participation of employees of the organization involved in this, if necessary, sealing of safes, cash registers, warehouses, storerooms, archives and other places of storage of funds;
– monitoring the correctness of the reflection of business transactions in accounting, checking the correctness of the calculation of taxes, fees and payments, as well as the timeliness of their payment to the budget and off-budget funds;
– verification of the reliability of the indicators of accounting and statistical reporting, the correctness of the compilation of calculations for taxes and mandatory payments;
– the right to receive from the heads of structural divisions and specialists of the organization the documents, certificates, calculations and certified copies of documents necessary for the audit, for their attachment to the act or opinion, as well as oral and written explanations on issues arising during the audit;
– examination of the effectiveness of the segment management system and analysis of production and economic activities, financial condition, solvency and liquidation of the organization;
– preparation of the organization for external audit and tax control;
– representation of the organization's property interests in economic disputes in court and in an arbitration court;
– evaluation of the software used by the economic entity;
– special investigations of individual cases, for example, suspicions of abuse;
– development and presentation of proposals to eliminate the identified deficiencies and recommendations to improve the efficiency of management³.
The responsibility of the internal audit service is determined by three main points: the validity and timeliness of submission of opinions on the state of accounting and reporting, the compliance of constituent documents and internal regulations with the current legislation and the legal status of the organization, as well as conclusions on the achieved level and efficiency factors of production, economic and financial activities; the validity of the submitted proposals for improving the organization of the control system, accounting, financial responsibility of officials, programs for the development of activities, projects for optimizing production costs, taxable bases, distribution of profits, creation and use of funds and other issues; the correctness of the consultations provided to the founders, heads of departments, specialists and employees of the management apparatus on the organization of production, the management system, accounting, methods of analyzing economic and financial activities, legal and other issues. The objectivity of internal audit is ensured by the degree of its independence in the management structure of an economic entity. This requirement for internal audit is ensured by the fact that the internal auditor is subordinate and obliged to submit reports only to the management who appointed him and (or) the owners, and is independent of the heads of the audited branches of the economic entity, structural divisions, internal control bodies, etc.
1.2. The role of internal audit in the management system of an economic entity
The process of managing an economic entity and a properly organized system of internal control cannot be separated from each other without violating the harmony and efficiency of the entire management system; as a result, there is a need not for the occasional use of an independent external audit, but for a permanent and effective structure, which is an integral part of the internal control system⁴.
3 Burtsev V.V. Organization of the internal control system of a commercial organization. M.: "Exam", 2020, p.109
4 Dodge R. A Brief Guide to Auditing Standards and Norms: Per. from English; foreword by S.A. Stukov. (Audit: theory and practice). M.: Finance and statistics; UNITY, 2017, p.89
It is known that even at the stage of acquaintance with the nature and characteristics of the financial and economic activity of an economic entity, the auditor must assess the quality of the accounting systems and internal control of this entity. However, it should be remembered that the value for an economic entity of any information, including that obtained as a result of an audit, is the higher, the lower the cost of obtaining it. At the same time, a necessary condition for the effectiveness of the internal control system is the availability of an independent organizational structure for an economic entity – an internal audit service.
In the official Russian regulations in the field of auditing, internal audit is understood as "…organized by an economic entity, acting in the interests of its management and (or) owners, a system of control over compliance with the established accounting procedure and the reliability of the internal control system regulated by internal documents" or "…one of the ways to control the efficiency of the links in the structure of an economic entity."⁵
In the economic literature, the concept of internal audit is interpreted in different ways by both domestic and foreign authors.
So, for example, Bychkova S.M. believes that "internal audit is an element of the internal control system, organized by the management of the enterprise in order to analyze accounting and other control data".⁶
According to V.V. Burtsev, "internal audit is an activity regulated by the internal documents of an organization to control the levels of management and various aspects of the functioning of an organization, carried out by representatives of a special control body within the framework of assistance to the management bodies of the organization…"⁷
5 International Standards on Auditing and the Code of Ethics for Professional Accountants (1999). M.: MTsRSBU, 2018, P.218.
6 International Standards on Auditing and the Code of Ethics for Professional Accountants (1999). M.: MTsRSBU, 2018, P.21.
7 Bogomolov A.M., Goloshchapov N.A. Internal audit. Organization and methodology. M.: "Exam", 2014, P.212.
From the point of view of A.M. Bogomolov and Goloshchapova N.A., "internal audit (internal, internal) is an integral part of a general audit organized at an economic entity in the interests of its owners and regulated by its internal documents to comply with the established procedure for accounting, protection of property and the reliability of the internal control system"⁸.
The famous English scientist R. Dodge, who presented one of the first works related to international audit in Russia, gives his understanding of internal audit. "Internal audit is an integral part of internal control; carried out by the decision of the management bodies of the company for the purposes of control and analysis of economic activity"⁹.
According to the famous American scientists E.A. Arens and Lobbek J.K., internal audit is an internal audit that provides the administration with "valuable information for making decisions regarding the effective functioning of their business".¹⁰
From the above definitions describing the concept of internal audit, it follows that it still has significant differences from external audit, which can be identified as: limited independence; ensuring regular control over the financial and economic activities of an economic entity; regular provision of information for the purpose of making and adjusting previously adopted management decisions.
Before defining the place of internal audit in the process of managing an economic entity, and in particular in the internal control system, let us consider the main characteristic features of this system.
According to the provisions existing in both Russian and international practice, the internal control system consists of three main elements: a properly organized accounting system; control environment; separate controls.
Thus, the modern system of internal control of an economic entity is a certain policy and procedures (controls) adopted by the management system of this entity to achieve the goals of the management process, providing for the degree of feasibility of the orderly and efficient conduct of the financial and economic activities of this entity, including strict adherence to the management policy, ensuring the safety of property, detecting and preventing distortions arising from both unintentional actions and abuse, the relative accuracy and completeness of accounting (financial) information¹¹.
8 Bogomolov A.M., Goloshchapov N.A. Internal audit. Organization and methodology. M.: "Exam", 2014, P.6.
9 Danilevsky Yu.A., Shapiguzov S.M., Remizov N.A., Starovoitova E.V. Audit. M.: ID FBK-PRESS, 2018, P.87.
10 Federal Law of Russia. "On Auditing" No. 119-FZ, P14
11 Kamyshanov P.I. A practical guide to auditing. M.: INFRA-M, 2018, P.49.
Analysis of the above definitions of internal audit, as well as the main elements of the internal control system, allows us to define internal audit as an effective, multifunctional (integrated) control tool organized by the management of an economic entity, designed to ensure the effectiveness of the entire internal control system and optimization of management decisions.
Before determining the feasibility of organizing internal audit within any economic entity, it is necessary to understand its main goal, on the achievement of which the effectiveness of its functioning depends.
Since internal audit is a constituent element of the internal control system, its strategic focus should be, first of all, adequate to the target settings of this system.
If we proceed from this statement, then it is necessary to take into account the fact that the purpose of the internal control system is to ensure the management process of an economic entity with various, properly processed and analyzed both internal and external information flows necessary to achieve the strategic goals of the functioning of an economic entity.
For this reason, the goal of internal audit at the present stage of development of economic relations can be defined as multifunctional assistance to the management system of an economic entity in the implementation of the effective functioning of the internal control system and, as a consequence, optimization of the management decisions taken.
At the present stage, the target setting of internal audit has shifted from control-confirming to control-regulating, which, in turn, radically changed the nature and scope of the tasks it solves, which can be formulated as follows:
– regular control over the financial and economic activities of an economic entity and its branches;
– control of the timeliness and completeness of the reflection of financial and economic transactions in accounting;
– control over the safety of the property of an economic entity and its branches;
– control over settlement and payment discipline;
– control over compliance with legislation and other regulatory legal acts;
– control over the timeliness of settlements with the budget of different levels and off-budget funds;
– identification or prevention and control over the correction of distortions in accounting information due to unintentional errors and abuse;
– checking the accounting of production costs, completeness and correctness of the reflection of proceeds from the sale of products, works (services), as well as the formation of financial results of an economic entity and its branches;
– assessment of the degree of efficiency of accounting and internal control systems of an economic entity and its branches;
– control over compliance with the policy of an economic entity and ensuring the effectiveness of its financial and economic activities;
– analysis of the financial and economic activities of an economic entity and its branches;
– assessment of economic security;
– evaluation of investment and other economic projects;
– identification and mobilization of available reserves of limited resources;
– advising the personnel of an economic entity and its branches on all aspects falling within the competence of internal audit;
– scientific developments and preparation of methodological recommendations and manuals on accounting and other areas within its competence;
– computerization of accounting, preparation and formation of accounting (financial) statements, calculations for taxation, financial and economic analysis and other areas within the competence of the internal audit of an economic entity;
– control over the execution of decisions to eliminate identified distortions and other shortcomings;
– assessment of the degree of reliability of the information provided to the control system;
– organization of official investigations into various emergencies and circumstances;
– interaction, if necessary, with external auditors, representatives of tax and other regulatory authorities.
The given list of tasks facing the internal audit, although not claiming to be complete, may vary depending on the emerging need in the management process. At the same time, its diversity confirms the multifunctional capabilities of internal audit. Moreover, all these tasks can be combined into a generalized concept. In other words, the task of internal audit at the present stage of its development is to provide the process of managing an economic entity with sufficient and appropriate control and regulatory information that allows making the most effective management decisions, as well as prompt and timely adjustments to previously made decisions.
In this case, sufficiency should be understood as the completeness of information flows, and relevance as their reliability.
Since the goal and objectives of any activity mainly characterize only its main focus, for a deeper understanding of the essence of this activity it is important to determine the fundamental principles on which it is based.
For this reason, the next, no less important aspect that determines the conditions for the functioning of internal audit is the setting and characteristics of those principles that predetermine its features and the requirements imposed on it by the management system of an economic entity.
In the official Russian legislative and regulatory acts in the field of audit, internal audit is regulated only in the Rules (standards) of auditing activities and, at the same time, only for the purpose of the external auditor's assessment of the internal control system of an economic entity.
The theoretical studies of scientists and the practical experience of auditors from countries with developed market economies in the development and application of fundamental principles of audit define them as ethical rules, norms or principles, the observance of which makes it possible to increase the degree of confidence in the results of audit activities of interested users.
These principles include: independence, honesty, objectivity, confidentiality, professional competence, professional behavior.
Any auditor, including an internal one, must respect the priority of the interests of the socio-economic system that he serves and maintain a high reputation for his profession. At the same time, his responsibility: for an imprudent, within reasonable limits, assessment of the amount of work required to achieve the goals set for him; for a subjective assessment of the complexity, materiality or significance of certain aspects in relation to which he forms his conclusions; for assessing the adequacy and effectiveness of risk management, as well as accounting and internal control systems; for the likelihood of significant errors; for the costs incurred for the provided audited information for the management system of an economic entity, exceeding the possible economic benefits from management decisions that are not formed on its basis, – should be adequate to the possible consequences within his competence.
In addition, the internal auditor is obliged at all stages of his activity, solving certain tasks assigned to him, to proceed from a well-known position of professional skepticism, realizing that there is a possibility that all information received by him from various sources may carry a certain level of unreliability…
Although adherence to the principles discussed above increases the degree of confidence in internal audit, the lack of developed rules governing the procedure for their practical application makes it possible to judge them only as high ethical intentions declared by general moral norms.
1.3. The place of internal audit in the organization's management system and its importance
The emerging market relations, first of all, represent economic freedom. The freedom of one economic entity is accompanied at the same time by the freedom of other economic entities that have the opportunity to buy or not buy its products, offer their prices for it, dictate their terms of transactions. At the same time, all market participants entering into economic relations strive, first of all, for their own benefit, for the profit of their company, which can objectively become a loss for others, because any business entity seeks to surpass its opponent, attract more demand for its products, thus pushing its competitor out of the market; these are the laws of competition. From the above, an important rule of entrepreneurial behavior follows: not to avoid risk, but to anticipate it, trying to reduce it to the lowest possible level. This requires constant, effective and timely control over the activities of employees and the firm as a whole through properly organized economic and legal work, accounting and reporting, etc.
Control is the process of determining the quality and adjusting the work performed by subordinates in order to ensure fulfillment of the tasks facing the enterprise. Its purpose is to identify weaknesses and erroneous decisions, correct them in a timely manner and prevent repetition. All materials, people and actions are controlled. Monitoring allows you to determine the effectiveness and take the necessary measures to ensure the fulfillment of the task. It is necessary to know clearly who in the enterprise is personally responsible for deviating from targets and taking corrective action. Control of activities is carried out by people. To know who is responsible for the safety of material and financial resources, their storage, release, accounting and inventory, preparation of primary documents, deviations from assignments and corrective actions, there must be complete clarity regarding the distribution of responsibility throughout the organization. An essential precondition for effective control is the existence of an organizational structure, which is objectively due to the creation of an internal audit service in the management apparatus. The tasks of internal audit include the creation of an internal control system necessary for the implementation of the competence, rights and responsibilities of management bodies and officials, as well as a clear system of economic responsibility of officials and specialists of the enterprise.
Internal audit is an important management function that covers accounting, financial analysis and control, comparison and assessment of the actual results achieved with the goals and objectives of the enterprise. Internal audit systematically monitors the activities of all management objects, identifies the reasons for deviations from standards, deviations from the goals set for a specific object, which contributes to the prompt elimination of identified violations. Organization of internal audit as a function of enterprise management implies strict regulation of its activities, determination of the rights, duties and responsibilities of specialists, qualification requirements, relationships with departments and personnel of the enterprise. The work of the internal audit service at the enterprise is organized in accordance with individual and calendar work plans, which are approved by the head of the enterprise. At the end of any type of work, the internal auditor submits a report to the head of the enterprise that allows him to draw the head's attention to the identified or possible violations. The work is considered completed when the issues raised in the reports of internal auditors are considered by the head of the enterprise and when an official order has been issued on the acceptance (rejection) of the recommendations of the auditors.
Organization of the risk management system as a subsystem of internal control
The most famous school in the theory of financial risk and risk management since 1955 is the American school. Among its modern representatives are D. Galai, H. Groening, A. Damodaran, F. Jorion, J. Kalman, M. Crui, M. McCarthy, R. Mark, T. Flynn and a number of other famous scientists.
H. Grüning made a significant contribution to the study of banking risks, corporate and financial risk management.
A. Damodaran is a specialist in finance, an employee of the Stern School of Business at the University of New York (specialist in corporate finance and capital valuation). His areas of interest are capital valuation, portfolio capital management, corporate finance and strategic risk management. In 1994, BusinessWeek magazine named him one of the top twelve professors to teach in US business schools. His works have been published in the Journal of Financial and Quantitative Analysis, Journal of Finance, Journal of Financial Economics, Review of Financial Studies. His works are devoted to issues of capital valuation (Damodaran on Valuation, Investment Valuation and Dark Side of Valuation), as well as corporate finance issues (Corporate Finance: Theory and Practice, Applied Corporate Finance: A User's Manual). The latest book by A. Damodaran is devoted to the principles and methods of strategic risk management: it combines various areas of risk knowledge: the economic justification of its behavioral aspects, financial assessment, risk management itself, and for the first time provides its complete picture; shows how to build an organizational link between risk management functions in a company: strategy, finance and current activities, so that the tools and results of assessment are determined by the decision-making process, and not vice versa; using practical examples, he argues the positive effect of risk, its use to increase the company's profit. Experience shows that evaluating innovative projects causes difficulties for companies, since their cash flows are difficult to predict. The use of the method of real options, clearly stated by the author, allows you to solve this problem; top managers who make decisions related to risks and uncertainties will be able to reasonably choose any of the modern tools for assessing risk: risk-adjusted discount rates, options.¹² Analysis of studies of foreign scientific schools of risk management, simulation modeling, scenario analysis, VaR methods and real options. This study will help managers take advantage of the positive component of risks and develop an effective system for managing them using value pricing models. Successful management is distinguished precisely by the ability to identify risks and maintain an optimal balance between hedging them, share the responsibility of risk management with investors and use them to increase cash flows, and, consequently, the value of their companies. Experts and analysts see the relationship of risk assessments to the holistic picture of a company's risk management.
Dr. J. Kalman is a renowned specialist in risk management, risk control, financing risk and financial management. Dr. J. Kalman is the owner of Kallman Consulting Services (KCS), which provides practical applications for enterprise risk management. By the time he opened KCS, J. Kalman was Executive Vice President of the National Alliance responsible for the certification of risk managers for the international program of the Academy for Risk and Insurance Research. His research focuses on risk management and loss control of project solutions. Dr. J. Kalman serves on various committees for the American Risk and Insurance Association and the Western Risk and Insurance Association.13
12 Arens A., Lobbek J. Audit / Chief series editor Prof. Ya. V. Sokolov. (Series on accounting and auditing). M.: Finance and Statistics, 2017
Many books on risk management have been published in the West. The book by M. Crui, D. Galai and R. Mark, "Fundamentals of Risk Management",14 is one of the best, available not only to risk managers, but also to a wider audience interested in understanding modern risk management. Attention is paid not to models (which presupposes a certain level of mathematical training), but to the essential and practical aspects of risk management. Therefore, in particular, it is intended for both creative-minded top managers and colleagues of risk managers whose activities are faced with risk management issues, for example, internal auditors. The book is a completely original work, for which it is difficult to find an analogue in the literature on this topic. This is by no means a monograph or a comprehensive textbook on risk management. The authors of the book are renowned experts in the development of the theory of risk management, occupying leading positions in well-known international financial organizations. The book covers a fairly wide range of issues: risk classification, risk assessment methods (for example, VaR, RAROC, etc.) and modern risk management tools. The authors are quite critical regarding the practice of risk management, its regulation, and the level of understanding and application of the relevant models at the present stage. And this criticism is very useful for all participants in the risk management process, since it contributes to a more accurate and careful application of modern technologies, and to a change in the principles of risk management and their regulation. It is no coincidence that this book was chosen by the Professional Risk Managers' International Association (PRMIA) as the main guide for preparing for the entry-level certification exam – Associate Professional Risk Manager (APRM).
Research carried out by KPMG top managers M. McCarthy and T. Flynn15 highlights how today's leading corporate leaders manage risks and control their impact on the corporation; reveals the internal sources of the most threatening corporate risks and methods of neutralizing their impact; shows ways of managing risks that do not interfere with the implementation of current projects; traces the relationship between the areas of corporate governance and risk management and the increase in the value of the company; and analyzes the actions today's corporate leaders take to recognize, assess and neutralize risk. There are also many examples from corporate governance practice and exclusive interviews with a number of leading top managers of our time – the leaders of Microsoft, Hewlett-Packard, Sprint, Motorola and others belonging to the Fortune 500 list. That is, this is a study on optimization and risk management, in which the following are given: proven methods of prevention, response and effective reduction of operational, business and financial risks; strategies to help the company become an adaptive organization – an organization that perceives risk as an opportunity rather than a burden; programs thanks to which it is possible to make risk management the responsibility of almost every employee and to introduce the most important concepts of risk management at all levels of management.
13 Bogomolov A.M., Goloshchapov N.A. Internal audit. Organization and methodology. M.: "Exam", 2014
14 Burtsev V.V. Organization of the internal control system of a commercial organization. M.: "Exam", 2020
15 Bychkova S.M. Auditing activity. Theory and practice. (Series "Textbooks for universities. Special literature"). SPb.: Publishing house "Lan", 2021
F. Jorion, in his third edition of this international bestseller, addresses the fundamental changes in risk management that have taken place around the world in recent years. F. Jorion provides the latest information needed to understand and implement VARs and manage financial risk. F. Jorion refers to the calculation of VAR and the use of models to predict risk and correlations: he describes the use of VAR for risk control for trading, investment management, as well as for corporate risk management, and also points out the key mistakes of risk management.
In a study by S. Borodina and A. Shvyrkov, with the participation of J. Bui, the state of corporate governance in the largest countries – Russia, Brazil, India, China and South Africa – was assessed in terms of market infrastructure, ownership structure, legal and regulatory infrastructure, and information transparency.16 The authors present a methodology for analyzing corporate practices in such aspects as transparency of ownership and control structure, attitude towards shareholders, information disclosure, efficiency of the board of directors and risk management. Corporate governance mistakes can be very costly. Examples include the recent financial crisis, the collapse of Enron and other corporate scandals early in the last decade, or the 1997 Asian financial crisis. All of them have the same prerequisites: poor quality of corporate governance. Companies used false business models, could not understand the consequences of off-balance sheet transactions or high-risk borrowing policies, and had significant foreign exchange risks. The result for many companies was collapse, which turned into significant financial losses for shareholders and employees, and humiliation and dishonor for the management. Investments in the BRICS countries. It is sometimes difficult to understand what effective corporate governance provides at the level of day-to-day activities. In developed markets, where companies adhere to similar standards, there are not always visible differences in the cost of capital. But in emerging markets, where standards may differ significantly, these differences become more pronounced. Companies that demonstrate their adherence to corporate governance standards are generally rated significantly higher by the market than other companies. As a result, they take advantage of the lower cost of raising capital, that is, they increase their competitiveness. The idea of the study is to highlight the importance of good corporate governance for companies in the BRICS countries. Effective corporate governance certainly requires a lot of effort. Especially in times of economic and financial uncertainty, capital flows are directed to those countries that are ready to accept these efforts, and good corporate governance can improve the situation.
16 Danilevsky Yu.A. General audit, audit of stock exchanges, off-budget funds and investment institutions. M.: Accounting, 2018
A great contribution to the development of the theory and practice of risk management was made by English economists – representatives of the English school of risk management T. Andersen, T. Bedford, A. Griffin, A. Zaman, R. Cook, P. Sweeting, P. Hopkin, the German P. Schroeder and others.17
T. Andersen and P. Schroeder believe that today, when corporate scandals and major financial failures occur, the relevance of effective risk management is increasing. Lack or mismanagement of risk can have devastating consequences for the organization and the economy as a whole (Barings Bank, Enron, Lehman Brothers, Northern Rock, to name just a few). Modern organizations and corporate leaders must learn from such failures by developing practices to effectively deal with risk. Based on a European perspective, this paper brings together ideas, concepts and methodologies developed in different risk markets and academic fields to provide a much needed overview of different approaches to risk management. The authors criticize the prevailing enterprise risk management (ERM) systems and propose an appropriate alternative.
T. Bedford and R. Cook, in situations where classical statistical analysis is difficult or impossible to use, apply probabilistic risk analysis to quantify risk. The book by English economists – T. Bedford and R. Cook – examines the fundamental concepts of uncertainty, its relationship with probability, and boundaries with a quantitative assessment of uncertainty. Drawing on extensive experience in risk theory and analysis, the authors focused on the conceptual and mathematical foundations that underpin the quantification, interpretation and management of risk. They cover standard and important new topics such as the use of expert judgment of uncertainty.
17 Danilevsky Yu.A., Shapiguzov S.M., Remizov N.A., Starovoitova E.V. Audit. M.: ID FBK-PRESS, 2018
A. Griffin, having extensive experience in managing a company's reputation, uses specific examples to analyze the effective and erroneous actions of corporations to create and manage their own reputation and reputation risks. Corporations must not only protect their own reputation under pressure, strengthened by the corporation from the state and society, but learn to control it.
According to the Decree of the Central Bank of the Russian Federation dated 04.15.2015 No. 3624-U "On requirements for the risk management system and the capital of a credit institution and banking group", the risk management and capital management system of a credit institution (banking group) should cover factors of credit, market and operational risks, as well as other significant risks, for example, interest rate risk and concentration risk.
The implementation of risk management in the bank is assigned to the risk management service, while the internal audit service must verify the effectiveness of individual risk management and the risk management system as a whole.
Typical banking risks include financial and non-financial risks arising as a result of the Bank's core business:
Credit risk is the risk of the Bank incurring losses as a result of failure to fulfill, untimely or incomplete fulfillment by the debtor of financial obligations to the Bank.
Within the framework of credit risk management, industry and country risks are managed:
– Industry risk – the risk of the Bank incurring financial losses (damage) as a result of the debtor's failure to fulfill his obligations as a result of changes in the economic condition of the industry and the nature of these changes both within the industry and in comparison with other industries.
– Country risk – the risk of the Bank incurring losses as a result of non-fulfillment by foreign counterparties (legal entities and individuals) of obligations due to economic, political, social changes, and also because the currency of the monetary obligation may not be available to the counterparty due to the peculiarities of national legislation (regardless of the financial position of the counterparty itself).
Market risk – the risk of the Bank incurring financial losses (losses) due to an adverse change in the market value of financial instruments of the trading portfolio and derivative financial instruments of the Bank, as well as foreign exchange rates and (or) precious metals… Market risk includes stock, currency and interest rate risks.
Stock risk – the risk of losses due to adverse changes in market prices for stock values (securities, including those fixing rights to participate in management) of the trading portfolio and derivative financial instruments under the influence of factors related to both the issuer of stock values and derivative financial instruments, and general fluctuations in market prices for financial instruments.
Currency risk – the risk of losses due to adverse changes in the exchange rates of foreign currencies and (or) precious metals at open credit institution positions in foreign currencies and (or) precious metals.
Interest rate risk – the risk of financial losses (losses) resulting from adverse changes in interest rates on assets, liabilities and off-balance sheet instruments of the Bank. “Interest rate risk in the banking book (IRRBB) gained its importance through the regulatory requirements that have been growing and guiding the banking industry for the last couple of years. The importance of IRRBB is shifting for banks, away from ‘just’ a regulatory requirement to having an impact on the overall profitability of a financial institution. Interest Rate Risk in the Banking Book sheds light on the best practices for managing this important risk category and provides detailed analysis of the hedging strategies, practical examples, and case studies based on the author’s experience. This handbook is rich in practical insights on methodological approach and contents of ALCO report, IRRBB policy, ICAAP, Risk Appetite Statement (RAS) and model documentation. It is intended for the Treasury, Risk and Finance department and is helpful in improving and optimizing their IRRBB framework and strategy. By the end of this IRRBB journey, the reader will be equipped with all the necessary tools to build a proactive and compliant framework within a financial institution”.18
18 Beata Lubinska. Interest Rate Risk in the Banking Book: A Best Practice Guide to Management and Hedging (Wiley Finance) 1st Edition. John Wiley & Sons, Ltd, 2021, p.248
Liquidity risk is the risk of losses due to the Bank's inability to fully fulfill its obligations. Liquidity risk arises as a result of the imbalance of the Bank's financial assets and financial obligations with respect to repayment terms (including due to untimely fulfillment of financial obligations by one or more of the Bank's counterparties) and (or) the unforeseen need for the Bank to immediately fulfill its financial obligations.
Operational risk – the risk of losses resulting from inconsistency with the nature and extent of the Bank's activities and (or) the requirements of applicable law of internal procedures for banking operations and other transactions, their violation by the Bank's employees and (or) other persons (due to incompetence, unintentional or intentional actions or inaction), disproportion (insufficiency) of functionality (characteristics) of information, technological and other systems used by the Bank and (or) their failures (malfunctions), as well as from external events. «Operational Risk Management in Financial Services also features results from polls taken by risk practitioners which provide a snapshot of current practices and allow the reader to benchmark themselves against other firms. This is the essential guide for professionals looking to derive value out of operational risk management, rather than applying a compliance 'tick box' approach».19
Strategic risk – the risk of the Bank incurring losses as a result of errors (deficiencies) made when making decisions that determine the Bank's activity and development strategy (strategic management) and expressed in the failure to take into account or insufficient consideration of possible dangers that may threaten the Bank's activities, incorrect or insufficiently reasonable determination of promising areas of activity in which the Bank can achieve an advantage over competitors, the absence or partial provision of necessary resources (financial, material, technical, human) and organizational measures (administrative decisions), which should ensure the achievement of the strategic objectives of the Bank.
Legal risk – the risk of the Bank incurring direct losses or losses in the form of lost profit due to:
– non-compliance by the Bank with the requirements of regulatory legal acts and concluded agreements;
– legal errors made in carrying out activities (incorrect legal advice or incorrect preparation of documents, including when considering disputed issues in the judiciary);
– imperfections of the legal system (inconsistency of legislation, lack of legal norms to regulate certain issues arising in the course of the Bank's activities);
– violation by counterparties of normative legal acts, as well as the terms of contracts.
19 Elena Pykhova. Operational Risk Management in Financial Services: A Practical Guide to Establishing Effective Solutions 1st Edition. Kogan Page Ltd, United Kingdom, 2021, p.364
The risk of loss of the Bank's business reputation (reputational risk) is the risk of the Bank incurring losses as a result of a decrease in the number of customers (counterparties) due to the formation in the company of a negative idea of the Bank's financial stability, the quality of its services or the nature of its activities in general.
Additional risks include those risks that arise as a result of various professional activities by the Bank in the securities market, as well as risks that may arise when these professional activities are combined.
The risk management process includes the following steps:
– risk detection and identification;
– risk assessment (quantitative, qualitative);
– restriction (minimization) of risk;
– monitoring and controlling the level of risk.
Risk detection is the establishment of internal and external factors, the effect of which has an influence on the emergence of the risk, and the establishment of operations and/or processes which result in the occurrence and implementation of this risk.
Risk identification is the assignment of risk to a specific type of typical risk in order to implement specific measures to limit the level of risk.
Risk assessment is determination of the likely consequences that the Bank may have in the event of the implementation of external and/or internal risk factors during the commission of any transaction. Due to the fact that the consequences can be presented not only in the form of a certain amount of possible losses, but also in the form of other consequences for the Bank's activities, the risk assessment can be quantitative and qualitative.
Quantitative risk assessment involves the determination and analysis of the amount of losses that the Bank suffered as a result of the implementation of any type of risk.
A qualitative assessment involves an analysis of an emergency situation, determining the reasons for the implementation of the risk, as well as determining methods and tools to eliminate the consequences of the risk, as well as the ways to prevent the implementation of the risk in the future.
Risk restriction (minimization) – a set of measures to develop limits and other restrictions aimed at preventing the implementation of the risk.
The main methods of limiting (minimizing) banking risks include:
– risk pooling – a method aimed at reducing risk by turning random losses into relatively small fixed costs;
– risk distribution – a method in which the risk of probable damage is divided between the participants in such a way that the possible losses of each are relatively small;
– limiting – a method of minimizing risks, involving the development of detailed strategic documentation establishing the maximum permissible level of risk, a clear distribution of functions and responsibilities of personnel;
– diversification – a method of reducing risk by forming a group of assets whose incomes are weakly correlated with each other;
– hedging – a balancing transaction aimed at minimizing risk;
– asset securitization – the issue and subsequent sale of the Bank's securities backed by homogeneous assets generating stable cash flows.
Risk monitoring and control – a set of measures to monitor the level of each specific type of risk and total banking risk in general, aimed at maintaining banking risks at an acceptable level.
Monitoring and control is carried out on a dynamic basis, taking into account a retrospective and prospective analysis of bank portfolios, events and performance features of key risk indicators. Monitoring and control of the risk level is carried out on a periodic basis; its results are used to make adequate management decisions in order to:
– achieve compliance of the amount of formed reserves with the level of accepted risks;
– prevent a decrease in the Bank's equity;
– prevent violations of established risk restrictions;
– prevent the long-term exposure of the Bank to excessive risk;
– increase the profitability of the banking business;
– optimize the organizational structure of the Bank;
– improve the information and technological systems.
Credit risk
The basic principles of the organization of the Bank's credit activities, and the strategy and tactics of credit risk management, are defined in the Credit policy.
The Credit policy enshrines the following elements of the credit risk management system:
– a list of operations and transactions, the implementation of which may be accompanied by the realization of credit risks;
– general approaches to credit risk management (tools for managing credit risk, a system of limits and restrictions on credit risk, the authority of subjects of credit risk management and multi-step decision-making on credit transactions, risk level control);
– functions of the units of the credit institution in the process of analysis, evaluation, monitoring and control of the level of credit risk within the framework of the developed system of constraints.
Assessment of the Bank's credit risk for the total portfolio of loan and equivalent debt is carried out in accordance with the values of mandatory standards established in the Instruction of the Central Bank of the Russian Federation No. 180-I, as well as in accordance with indicators of the quality of the loan portfolio and the degree of concentration of risks for assets established by the requirements of the Central Bank of the Russian Federation No. 3277-U.
The level of credit risks for loans, debt and equivalent debt, as well as the determination of the quality category of loan and equivalent debt, is carried out in accordance with the requirements of the Regulation of the Central Bank of the Russian Federation No. 590-P.
The level of credit risks for contingent liabilities of a credit nature, as well as for a number of other instruments, is determined in accordance with the requirements defined in the Regulation of the CBR No. 611-P.
Assessment of credit risks of borrowers (groups of related borrowers) is carried out taking into account industry risks. The analysis is carried out in the context of long-term and short-term industry risks.
When assessing industry risks in the long term, the following indicators are used:
– industry sensitivity to macroeconomic conditions;
– average leverage of an industry enterprise.
The following are considered as factors of short-term industry risks:
– production dynamics in the short and medium term;
– the dynamics of the Entrepreneurial Confidence Index;
– dynamics of inventories;
– key events that have occurred or are expected to change the industry's environment.
As a result of the analysis of industry risks, the preferred or promising lending areas for the Bank are determined.
As part of credit risk management, country risk management is carried out. In the process of establishing (revising) limits on counterparties, the following information is taken into account:
– the total amount of limits on resident counterparties of one country and the risks taken by the respective country for the aggregate of all operations of the Bank with counterparties;
– assessments of international rating agencies of the country where the counterparty is located;
– macroeconomic indicators by countries (budget deficit, public debt, GDP growth rate, inflation rate, unemployment rate);
– the amount of state support allocated to the banking sector;
– the results of stress testing of the banking sector conducted by the European Banking Organization (hereinafter – EBA) among European banks and the Federal Reserve System (hereinafter – the Fed) of the United States.
Management reporting on credit risk assessment includes a number of analytical tables:
– the structure of loan and equivalent debt for the Bank as a whole, by types of credit requirements and currencies, over time for the reporting period;
– the structure of the Bank's loan portfolio by credit quality categories indicating the amount of the formed reserve for possible losses;
– tables for assessing the concentration of credit risk;
– assessment of long-term industry risks;
– loan portfolio structure by industry;
– analysis of the industry structure of the Bank's portfolio with data.
Market risk
The market risk management process is regulated by internal documents of the Bank. For example: Regulation on managing risks arising in the operations with financial instruments; Regulation on foreign exchange management; Regulation on interest management.
Internal documents on the management of market risks establish the following management system elements of credit risk:
– a list of operations and transactions, the implementation of which may be accompanied by the implementation of market risks;
– sources of market risks and types of losses resulting from the implementation of market risks;
– approaches to managing stock, currency and interest rate risks (management tools, a system of limits and restrictions, the powers of market risk management entities and the procedure for making decisions on the conduct of relevant operations and transactions, monitoring the level of risk);
– functions of structural units of the Bank in the process of market risk management.
Aggregate assessment of market risk is carried out in accordance with the Regulation of the Central Bank of the Russian Federation No. 511-P and is included in the calculation of the mandatory standards of the Bank in accordance with the Instruction of the Central Bank of the Russian Federation No. 180-I.
Liquidity risk
Liquidity risk management is regulated by internal documents in a credit institution.
External sources of liquidity risk include:
– the instability of the economic and political situation in the country and in the region;
– significant changes in the legal regulation of banking activities;
– the capacity of markets, including financial markets, not meeting the interests of the bank;
– force majeure circumstances.
Internal causes of liquidity risk include:
– imbalance of claims and obligations by the terms of return and repayment;
– poor asset quality;
– diversion of funds to long-term projects;
– significant investment in real estate;
– instability and high concentration of the resource base.
Methods for identifying liquidity risk include:
– analysis of the capacity and profitability of the markets in which the Bank operates;
– analysis of changes in the values of mandatory liquidity ratios;
– study of the Bank's customer base for its stability, analysis of the stability of the Bank's liabilities;
– analysis of the state of the Bank's assets, especially with overdue maturities;
– analysis of concentration of credit risk and concentration of borrowed funds;
– analysis of liquidity using a scenario-based development approach;
– the identification of an extraordinary conflict of interest between liquidity and profitability.
As indicators for assessing the liquidity risk level, the Bank uses the mandatory standards established in the Instruction of the Central Bank of the Russian Federation No. 180-I (standards for instant, current and long-term liquidity), as well as the relevant indicators established in the Instruction of the Central Bank of the Russian Federation No. 3277-U (indicators of asset liquidity, liquidity indicators and structure of liabilities, indicators of the general liquidity of the bank, risk indicators for large creditors and depositors; the above indicators are included in the calculation of the generalized result for the liquidity market indicators (RGL)).
Liquidity assessment is carried out by the Bank based on the calculation and analysis of liquidity gaps (maturity of assets and liabilities), forecasts of the adequacy of liquidity reserves, the Bank's payment position, and interbank loan market capacity.
Methods to minimize liquidity risk include:
– forecasting the level of liquidity, drawing up payment calendars;
– development of decision-making procedures for mobilizing liquid assets, attracting additional resources in case of a liquidity shortage;
– the development of different scenarios in case of worsening conditions for the activities of the credit organization;
– development of an action plan to restore and maintain liquidity at the required level.
The most common risk minimization tools include limits and restrictions on operations, forecasts, and payment calendars.
The Bank can consider only four possible scenarios of the current condition and liquidity forecast, determined using analysis of payment schedules and the liquidity gap: "Optimistic", "Standard", "Alarm" and "Crisis".
In order to make adequate management decisions, liquidity risk is monitored. The monitoring result is the maintenance of the optimal ratio between the volume of the Bank's liabilities and the volume of liquidity reserves, which ensures high profitability of banking operations while ensuring the proper level of liquidity indicators.
Management reporting on liquidity risk assessment comprises the following reports (with a certain frequency of preparation and provision):
– standards N2 and N3, structural balance;
– a forecast plan for operations on the Bank's correspondent accounts for the day, receipts and write-offs on the Bank's correspondent accounts, large balances on customer accounts;
– the Bank's payment position as of the morning and a prospective payment position (time horizon of 7-15 days);
– forecast values of the standards N2 and N3;
– liquidity status report: current liquidity scenario, volume, structure and adequacy of liquidity reserves; opportunities to attract funds from the budget and the Bank of Russia, the size of the interbank loan market;
– forecast of liquidity reserves for the next three months;
– report on liquidity gaps;
– report on liquidity reserves: current liquidity scenario; volume, structure and adequacy of liquidity reserves; refinancing opportunities.
Operational risk
Operational risk management is regulated by an internal document of a credit institution.
The following elements of the operational risk management system should be described in detail in this internal document:
– the procedure for implementing the basic principles of operational risk management;
– sources and causes of operational risks;
– ways to detect and identify operational risks;
– procedure for assessing (quantitative and qualitative) the level of operational risks;
– the system of key indicators of operational risk in all areas of the Bank's business;
– the procedure for the formation and updating of the database of external and internal data on operational events and losses;
– methods and tools to minimize operational risks;
– procedure for monitoring operational risks;
– internal reporting system for operational risk management;
– the procedure for conducting self-assessment and questionnaires on operational risk management;
– separation of powers and responsibilities in the process of operational risk management.
An important component of ensuring the continuity of the Bank's operations in case of emergency situations is the presence of a set of the Bank's internal documents fixing the goals, objectives, procedures, methods and timing of the implementation of a package of measures for the prevention or timely liquidation of the consequences of a possible violation of the normal functioning of the Bank.
The management body of the credit institution approves the Business continuity and/or restoration plan, hereinafter referred to as the BCR Plan.
The set of measures provided by the BCR Plan helps minimize the Bank's operational and reputational risks, as well as liquidity risks.
Legal risk
Risk management is regulated by an internal document of a credit organization.
The main objective of legal risk management is to maintain the legal risk assumed by the Bank at a level determined by the Bank in accordance with strategic objectives. The priority is to ensure maximum safety of assets and capital on the basis of reducing possible losses.
The specified internal document of the Bank may describe in detail the following control system elements of the legal risk:
– external and internal factors of the legal risk;
– the procedure for assessing the level of the legal risk and a system of indicators of the legal risk;
– the legal risk monitoring;
– methods and tools to minimize the legal risk;
– internal reporting system for operational risk management;
– the procedure for conducting self-assessments and questionnaires on the legal risk management issues;
– separation of powers and responsibilities in the process of managing legal risks.
Goodwill risk (reputational risk)
Reputational risk management is regulated by an internal document of a credit organization.
The main objectives of the Bank's reputation risk management are:
– ensuring the maximum safety of the Bank's assets and capital by preventing or reducing possible losses of the Bank due to the realization of reputational risk;
– maintaining the Bank's business reputation with customers and counterparties, founders (participants), participants in the financial market, state authorities and local governments, banking unions (associations), self-regulatory organizations of which the Bank is a participant.
The specified internal document of the Bank may describe the following control system elements of the reputation risk:
– external and internal factors of occurrence of the reputation risk;
– procedure for assessing the level of reputational risk and a system of indicators of the reputational risk;
– the reputation risk monitoring;
– methods and tools to minimize reputation risk;
– the system of internal reporting on the reputation risk management;
– the procedure for conducting self-assessments and questionnaires on issues of reputation risk management;
– differentiation of powers and responsibilities in the process of managing reputation risks.
Strategic risk The main sources of the strategic risk of the Bank are: – the Bank's lack of a strategic development plan for the near and medium term; – insufficiency of taking into account global trends (including possible dangers)
in the development of the banking system of the Russian Federation and the global fi-nancial system;
– complete or partial lack of necessary resources from the Bank, including finan-cial, logistical and human, to achieve the goals set in the strategic development plan;
– the Bank's lack of well-developed and effective approaches to making manage-rial decisions ensuring the achievement of strategic business goals.
Assessment of the strategic risk is carried out on the basis of professional moti-vated judgment, formed on the result of analysis in the framework of identifying strate-gic risk.
When forming a motivated judgment on the level of the strategic risk, the follow-ing are analyzed:
– results of a SWOT analysis of the external and internal factors of the Bank's activity with the aim of determining the level of its competitiveness in the market.
– Bank development strategy, trends in increasing the volume and range of oper-ations and services;
– the compliance of the values of the planned indicators established by the stra-tegic plan for the Bank as a whole, and differentiated by business units, to the actual values of these indicators (periodicity – quarterly, semi-annual and annual);
– reasons for a significant deviation of actual indicators;
– existing opportunities to compensate for failure to meet planned targets.
Minimization of strategic risk is achieved by improving the quality of the strategic planning process in the Bank due to:
– monitoring the macroeconomic situation and the environment;
– monitoring the implementation of strategic objectives by the Bank;
– timely adjustments to the strategic development plan;
– compliance of annual corporate (business and financial) plans with a long-term strategy;
– making collegial decisions in the face of multivariate development of the business environment;
– assessment of the Bank's market position and comparative analysis of competitors;
– professional development of top managers of the Bank involved in the development of the Bank's strategy and its implementation.
Interaction in the strategic risk management process.
The strategic development plan of the Bank is approved by the governing body of the credit organization. Monitoring the implementation of the strategic development plan of the Bank, within its powers, is carried out by the executive bodies of the credit organization.
Directorate of Planning and Financial Control:
– organizes the process of development and approval of a strategic plan;
– provides the authorized management bodies of the Bank with the necessary information on the current performance of indicators defined by the strategy;
– analyzes possible sources of strategic risk;
– makes a preliminary assessment of strategic risk and offers ways to minimize strategic risk.20
The structural divisions of the Bank carry out their functions and solve problems within the framework of the approved Regulations and the targets specified for the implementation.
Assessment and management of the aggregate banking risk.
The aggregate banking risk is the risk of losses and damages in the activities of a credit institution for the entire set of accepted risks, as well as the risks of combining professional activities. The structure of the aggregate banking risk depends on the types and volumes of operations carried out by the Bank and on the quality of managing specific risks, including an effective approach to limiting these risks. The structure of the aggregate banking risk is usually dominated by the risk associated with active operations, which have the largest share in the Bank's net assets. Other banking risks of a financial and non-financial nature may significantly affect the aggregate banking risk.
20 McCarthy M. P., Flynn T. Risk From the CEO and Board Perspective: What All Managers Need to Know About Growth in a Turbulent World. 2003.
The main indicator for assessing the level of the aggregate banking risk is mandatory standard N1 “Capital adequacy ratio” established in the CBR instruction No. 180-I. When calculating this indicator, the level of credit, market and operational risks is taken into account. The impact on the Bank's capital adequacy of other typical banking risks is assessed on the basis of professional reasoned judgment.
As additional indicators in assessing the total banking risk, the indicators used are those established in the Central Bank of the Russian Federation No. 3277-U.
Methods for limiting aggregate banking risk. Since the aggregate banking risk is an integral indicator, the methods of limiting it are the methods of limiting individual risk components.
Interaction of structural divisions of the Bank in assessing the level of the aggregate banking risk.
Specific management decisions regarding the limitation of the aggregate banking risk are made by the Bank's governing bodies – the General Meeting of Shareholders, the Supervisory Board, the Management Board of the Bank within the powers defined by the Bank's Charter, the Regulation on the Supervisory Council and the Management Board. To make managerial decisions, the Bank's management bodies consider the results of the assessment of the aggregate banking risk, methods and tools to minimize them, proposed by the relevant collegial management bodies.21
The Bank's Internal Audit Service performs a control function to verify the correct application of Bank of Russia regulatory documents and the Bank's internal documents regulating the management of certain types of typical banking risks, and also evaluates the effectiveness of bank risk management.
Risk Management Reports.
Based on the results of risk management, a Risk Management Report is submitted. The report is prepared in terms of the competence of the respective units, summarized and submitted for consideration to the management bodies of the credit organization.22
21 Investments in the BRICS Countries: Assessing Risk and Corporate Governance in Brazil, Russia, India, China and South Africa. M.: Alpina Publishers, 2010. 356 p.
22 Panfilova E.A. The concept of risk: a variety of approaches and definitions // Economic analysis: theory and practice. 2017. No. 95 (143).
In addition, the final statements containing certain aspects of the Bank's risk management include:
– Reports of the auditor of a professional participant in the securities market on the work done for the period;
– Reports of the auditor of the exchange intermediary on the work done for the period;
– Reports on monitoring the internal control system and the work of the Internal Control Service for the period;
– Report on the implementation of the Internal Control Rules in order to counter the legalization (laundering) of proceeds from crime and the financing of terrorism, including its implementation programs for the year.
The procedure for preparing and presenting these reports is regulated by the relevant internal documents of the Bank, which determine these areas of activity and risk management.
Chapter 2. Basics of organizing the functioning of the internal control system in credit institutions
2.1. Financial audit and compliance control as methods of internal control
According to the Regulation of the Bank of Russia dated December 16, 2003, No. 242-P "On the organization of internal control in credit institutions and banking groups", there are 4 possible ways to carry out inspections by the internal audit service:
1) financial audit, the purpose of which is to assess the reliability of accounting and reporting;
2) verification of compliance with the legislation of the Russian Federation (banking, on the securities market, on countering the legalization (laundering) of proceeds from crime and the financing of terrorism, on taxes and fees, etc.) and other acts of regulatory and supervisory bodies, internal documents of the credit institution and the methods, programs, rules and procedures established by them, the purpose of which is to assess the quality and conformity of the systems created in the credit institution to ensure compliance with the requirements of the legislation of the Russian Federation and other acts;
3) operational audit, the purpose of which is to assess the quality and conformity of systems, processes and procedures, analysis of organizational structures and their adequacy to perform the assigned functions;
4) quality control of management, the purpose of which is to assess the quality of the approaches of the management bodies, divisions and employees of the credit institution to banking risks and methods of control over them within the framework of the objectives of the credit institution.
According to Regulation No. 242-P, the internal audit service must develop an audit plan, which includes a schedule for the implementation of audits. This plan must be approved by the board of directors (supervisory board) of the credit institution.
Planning the upcoming work, drawing up a program of inspections presents a certain difficulty for the bank's internal audit department. The audit program should contain the objectives of the audit and identify key banking risks and mechanisms to ensure the completeness and effectiveness of control in the audited area of banking activities. Consequently, the frequency and scope of inspections of the activities of various departments and the effectiveness of the bank's products are usually determined depending on their inherent risk. It is the possible risk that affects the value of materiality, which in turn determines the scope of audit procedures. The audit scheduling can be viewed as a sequence of the following steps23:
1) determination of the types of activities and products of the bank to be verified;
2) assessment of intra-business risk, risk of controls for the bank's divisions and products;
3) ranking the risk values of the bank's divisions and products;
4) determination of objects and frequency of inspections, distribution of internal audit resources in the context of inspections;
5) monitoring and adjusting at least annually the risk values of the bank's divisions and products.
The risk of a bank unit (product) includes two components – intra-business risk and control risk24. The table shows the risk assessment of a division (banking product) depending on the assessment of controls and the level of inherent risk on a scale from 0 (low risk) to 4 (high risk). Therefore, the risk will be minimal if the level of inherent risk is assessed as low.
Table 3. Division (product) risk assessment matrix
Control risk    Intra-business risk level
                Low                  Average              High
Low             Below average - 1    Above average - 3    High - 4
Average         Low - 0              Medium - 2           Above average - 3
High            Low - 0              Below average - 1    Medium - 2
23 Posokhov I.M. Analysis of the content of the concept of risk and scientific approaches regarding the essence of risk // Actual problems of economics. 2018. No. 17. pp. 25-32.
24 Utkin E.A., Sukhanov M.S. Banking audit. M.: TEIS, 2003. 223 p.
When assessing risk, the following factors are usually taken into account:
1) quantitative characteristics of transactions (for example, the volume of transactions);
2) qualitative characteristics of operations (complexity, economic and legal conditions);
3) internal control procedures, security, applied information systems;
4) personnel characteristics (competence, turnover).
The list of risk factors and the principles of its assessment are enshrined in a separate document, which includes, among other things:
1) scale of risk values (low, medium, high; scores from 1 to 10, etc.);
2) the duration of the internal audit cycle depending on the magnitude of the risk: for example, six months for high-risk activities, 1 year for activities with medium risk, over 1 year for activities with low risk;
3) the conditions under which the risk assessment may not be taken into account, the list of persons authorized to make such decisions (board of directors, audit committee, management of the internal audit unit), as well as requirements for documenting decisions. Ignoring risk assessment should be the exception rather than the rule;
4) the frequency of risk assessment for each division and product. Risk assessment is important to carry out annually, but it can be carried out more often if the bank or banking product is developing rapidly;
5) minimum documentation requirements for risk assessment.
The internal audit service needs to constantly monitor audit objects, risk values, adjust the volume and structure of audit procedures; it is also useful to keep card files containing risk assessment, description of audit objects and the duration of the audit cycle for each division and product of the bank.
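The scheduling steps, Table 3 and the audit-cycle rule above can be combined into one small planning routine; the following is an added example, not part of the monograph. Assumptions: the row labels of Table 3 are read as the assessment of controls, scores 3-4 are treated as high risk, 2 as medium and 0-1 as low, 24 months stands in for "over 1 year", and all division names and dates are constructed.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Table 3: outer key = assessment of controls (row, assumed reading),
# inner key = inherent (intra-business) risk level (column), value = score 0..4.
RISK_MATRIX = {
    "low":     {"low": 1, "average": 3, "high": 4},
    "average": {"low": 0, "average": 2, "high": 3},
    "high":    {"low": 0, "average": 1, "high": 2},
}

# Bodies the text names as entitled to set a risk assessment aside.
AUTHORIZED = {"board of directors", "audit committee", "internal audit management"}


@dataclass(frozen=True)
class Override:
    """Documented decision to ignore the risk score for one audit object."""
    cycle_months: int
    approved_by: str
    reason: str

    def __post_init__(self):
        if self.approved_by not in AUTHORIZED:
            raise ValueError(f"{self.approved_by!r} may not override the risk assessment")
        if not self.reason.strip():
            raise ValueError("an override must document its reason")
        if self.cycle_months <= 0:
            raise ValueError("audit cycle must be a positive number of months")


@dataclass(frozen=True)
class AuditObject:
    name: str
    controls: str            # assessment of controls: low / average / high
    inherent: str            # inherent risk level: low / average / high
    last_audit: date
    override: Optional[Override] = None


def risk_score(obj):
    """Look the division (product) up in the Table 3 matrix."""
    try:
        return RISK_MATRIX[obj.controls][obj.inherent]
    except KeyError as exc:
        raise ValueError(f"unknown level {exc} for {obj.name}") from None


def cycle_months(score):
    """Assumed banding of the 0..4 score onto the six months / 1 year / over 1 year rule."""
    if score >= 3:
        return 6
    return 12 if score == 2 else 24


def add_months(d, months):
    """Calendar-aware month arithmetic; clamps to the last day of a shorter month."""
    year, month0 = divmod(d.year * 12 + d.month - 1 + months, 12)
    day = min(d.day, calendar.monthrange(year, month0 + 1)[1])
    return date(year, month0 + 1, day)


def build_plan(objects, today):
    """Score, rank (highest risk first, then earliest due date) and date each audit."""
    rows = []
    for obj in objects:
        score = risk_score(obj)
        months = obj.override.cycle_months if obj.override else cycle_months(score)
        due = add_months(obj.last_audit, months)
        rows.append({"name": obj.name, "score": score, "cycle_months": months,
                     "next_due": due, "overdue": due < today,
                     "overridden": obj.override is not None})
    rows.sort(key=lambda r: (-r["score"], r["next_due"]))
    return rows


# Constructed audit universe for illustration only.
SAMPLE_OBJECTS = [
    AuditObject("Retail deposits", "high", "average", date(2020, 3, 15)),
    AuditObject("Corporate lending", "low", "high", date(2020, 8, 31)),
    AuditObject("Payroll cards", "high", "low", date(2020, 6, 1),
                Override(12, "audit committee", "new product, rapid growth")),
    AuditObject("Cash operations", "average", "average", date(2020, 1, 10)),
    AuditObject("Securities trading", "average", "high", date(2020, 11, 1)),
]

if __name__ == "__main__":
    for row in build_plan(SAMPLE_OBJECTS, date(2021, 3, 1)):
        print(row)
```

The override record carries the approver and the reason, so a plan that departs from the matrix remains traceable to a documented decision.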
Based on the main methods of ICS checks proposed by the Central Bank of the Russian Federation in Appendix 3 to Regulation No. 242-P, the following types of internal audit can be distinguished, depending on the content of audit procedures:
1) Financial audit involves checking the reliability of the bank's accounting and reporting system. When conducting this type of audit, external audit standards can be applied regarding the level of materiality and audit risk, sampling, studying the accounting system, and others.
2) Compliance audit checks the compliance of the bank's activities with legislation, bylaws, and internal regulations.
3) Operational audit evaluates the effectiveness of operations and procedures, analyzes the compliance of the organizational structure, methods of work and resources of the bank with the set goals.
4) Management audit evaluates the quality of management in order to achieve the goals of the bank.
Consider a financial audit as part of the internal control of a credit institution. According to the Federal rules (standards) of auditing25, the purpose of the audit is to express an opinion on the reliability of financial (accounting) statements. Thus, when conducting financial audits, internal auditors can rely on external audit standards.
Sampling is a key part of an internal audit. The meaning of the sample is that not the entire set of operations is tested, but only a part of it. The results of testing a part of the population with a sufficient degree of reliability will make it possible to judge the population as a whole. The rationale for the need for sampling and the sampling method, a description of the procedures for disseminating the sampling results to the entire population should be clearly spelled out in the work programs and internal audit reports.
According to the Russian standard of auditing activity No. 16 "Audit sampling", the auditor should try to form a representative population by selecting sample elements that have characteristics typical of the general population.26
Having received the final result, the auditor should make sure that the error in the audited population does not exceed the allowable value. To do this, the auditor compares the population error obtained through the propagation with the acceptable error. If the first error turned out to be more than permissible, the internal auditor should re-assess the sampling risks, and if he considers them unacceptable, then the range of audit procedures should be expanded or audit procedures should be applied that are alternative to those already carried out.
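The sampling procedure just described (select part of the population, propagate the sample error to the whole, compare with the acceptable error) is shown below as an added example that is not part of the monograph. Assumptions: simple random selection with a recorded seed, ratio projection as the propagation method, and a constructed ledger; the standard cited in the text does not prescribe these choices.

```python
import random
import secrets
from dataclasses import dataclass

ACCEPT = "accept"
EXTEND = "reassess sampling risk; extend or apply alternative procedures"


@dataclass(frozen=True)
class Txn:
    txn_id: str
    book_value: int      # amount recorded in the ledger
    audited_value: int   # amount the auditor establishes when testing the item


def new_seed():
    """Seed taken from the OS random source so the selection cannot be guessed in advance."""
    return secrets.randbits(64)


def draw_sample(population, size, seed):
    """Simple random sample without replacement.

    Recording the seed in the work program lets a reviewer reproduce
    exactly which items were selected.
    """
    population = list(population)
    if not 0 < size <= len(population):
        raise ValueError("sample size must be between 1 and the population size")
    return random.Random(seed).sample(population, size)


def project_error(sample, population_book_total):
    """Ratio projection: the sample's misstatement rate applied to the population book value."""
    sample_book = sum(t.book_value for t in sample)
    if sample_book == 0:
        raise ValueError("sample has no book value to project from")
    sample_error = sum(t.book_value - t.audited_value for t in sample)
    return sample_error * population_book_total / sample_book


def evaluate(sample, population_book_total, tolerable_error):
    """Compare the projected population error with the acceptable (tolerable) error."""
    projected = project_error(sample, population_book_total)
    conclusion = ACCEPT if abs(projected) <= tolerable_error else EXTEND
    return {"sample_size": len(sample), "projected_error": projected,
            "tolerable_error": tolerable_error, "conclusion": conclusion}


def constructed_ledger(n=200):
    """Constructed population: every 25th transaction is overstated by 50."""
    return [
        Txn(f"T{i:04d}", 1000 + 10 * i, 1000 + 10 * i - (50 if i % 25 == 0 else 0))
        for i in range(n)
    ]


if __name__ == "__main__":
    ledger = constructed_ledger()
    seed = new_seed()
    sample = draw_sample(ledger, 30, seed)
    total = sum(t.book_value for t in ledger)
    print("seed for the working papers:", seed)
    print(evaluate(sample, total, tolerable_error=2000))
```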
Let's consider compliance audit as an integral part of internal audit in credit institutions.
25 Starostina A. A. Risk management: Theory and practice: [textbook. manual] / A. A. Starostina, V. A. Kravchenko. M.: Kondor, 2017. 200 p.
26 Federal rules (standards) of auditing from 23.09.2002, as amended. Resolutions of the Government of the Russian Federation of 04.07.2003, No. 405.
As noted earlier, compliance control is control over the compliance of a credit institution's activities with legal requirements and internal regulations.
The need for compliance control is due to the following reasons27:
– high market requirements for the reliability and safety of the bank;
– a high degree of regulation of the bank's operations by supervision;
– the need for a clear formalization of most of the functions in the bank;
– the complexity of the internal structure of the bank;
– the importance of the human factor in the high-quality execution of operations.
Compliance control is a preventive measure in relation to the risk of compliance. Compliance risk is defined as the risk of legal or regulatory sanctions, financial losses, damage to reputation that may be directed to a bank as a result of its failure to comply with laws, regulations, code of conduct and standards of good practice (collectively referred to as "laws, rules and standards"). Compliance risk is sometimes interpreted as a risk of honesty (or integrity), since a bank's reputation is closely related to its observance of the principles of decency and fairness in its activities. Non-compliance risk is the present and potential risk of loss of profit or capital for a bank due to violation or non-compliance with laws, rules, regulations, prescribed practices, internal procedures, policies or ethical standards.
In the banking sector, compliance control is often equated with the function of general internal control or countering the legalization (laundering) of proceeds from crime and the financing of terrorism, which is not entirely correct.
According to the Letter of the Central Bank of the Russian Federation dated 02.11.2007 No. 173-T "On the recommendations of the Basel Committee on Banking Supervision", "the concept of "responsible legal officer", "(head) employee of the compliance function", compliance officer, compliance specialist, "(Chief) Compliance Risk Manager" are synonymous." According to clause 2.2.3. Regulation No. 242-P, "responsible officer for legal affairs" exercises internal control in the credit institution. According to clause 2.4. of this provision, the “responsible legal officer” may be included in the internal control service. Thus, in accordance with Russian legislation, we can consider the compliance control service as part of the ICS, on the one hand. On the other hand, the compliance control service can be formed independently of the ICS, which also will not contradict the legislation.
27 Bortnikov G. “Compliance risk (risk of non-compliance): international standards and their applicability for banks in the CIS countries”. // http://www.iia-ru.ru/publication/foreign_mass_media_articles/bortnikov/
Let's highlight the main areas of compliance control:
1) maintain proper knowledge of employees of the relevant provisions, regulations and their interpretations;
2) to carry out the necessary explanations of the wording of the current normative acts, as well as track possible innovations;
3) facilitate training of bank personnel on compliance control policies and procedures;
4) monitor and promptly respond to possible complaints and dissatisfaction of the credit institution's customers;
5) conduct ongoing programs to analyze the compliance of the system in the bank with applicable laws and regulations;
6) coordinate the interaction of bank employees with the legal division and other departments of the bank in relation to new projects, business initiatives, acquisitions to ensure compliance with regulatory requirements.
In practice, compliance control management is divided into the following groups:
1) anti-money laundering group;
2) financial monitoring department;
3) groups involved in preventing conflicts of interest between owners and customers (employees), handling customer complaints, adhering to the bank's policy on gifts;
4) a group that monitors purchases of securities to the personal accounts of employees, and monitors the external interests of employees.
The division into groups proposed above allows minimizing the reputation and image risks of a credit institution. For example, a bank has a “closed list” of clients. Suppose the bank finances one of the clients included in the list to purchase another asset, while at the same time active operations are being carried out aimed at purchasing the securities of the specified client by the bank. In the future, a negative reaction from the market may arise – the employee was able to play ahead of the curve, since he had non-public information. Thus, if this situation arises, it will be difficult to convince the market of the bank's innocence, the bank may incur image costs.
Speaking about a possible conflict of interest, consider the following situation: let's say one division of a credit institution provides funds to client "1" to acquire client "2". Suppose another division of the same credit institution provides services to client "2" in the search for potential investors. Thus, in the event that customer “2” is acquired by customer “1” and information about the services provided by one credit institution is made public, the bank's reputation may be seriously damaged. To prevent the negative consequences of the considered situation, the bank's divisions must ensure that all the necessary information about all transactions, including those planned, is promptly reflected in the database. The task of the compliance department will be to remind of the need to keep the database up to date.
A measure of increasing the effectiveness of compliance control is the high requirements for the qualifications and experience of the head of the compliance control service. In Russian legislation the following requirements are imposed on the head and employees of the ICS, and, therefore, the compliance control department (if we consider the latter as part of the ICS):
– The head (his deputies) and employees of the internal control service must have sufficient knowledge of banking and methods of internal control and collection of information, its analysis and assessment in connection with the performance of official duties.
– It is recommended that a credit institution establish requirements for the head (his deputies) of the internal control service to have experience in managing a structural unit of a credit institution related to banking operations and other transactions.
– Training (retraining) of the head (his deputies) and employees of the internal control service is recommended to be carried out on a regular basis.
American banks also have fairly high demands on the officer in charge of the compliance function. Information about the structure of the exam for the Certified Regulatory Compliance Manager (CRCM) allows you to make a more correct perception of the compliance function in a modern Western bank. Not all compliance managers have such a certificate, but possession of it is an additional plus for a financial institution.
In December 2002, the Office of the Comptroller of the United States (OCC) issued guidelines on risk compliance in banks. The compliance program should include 6 mandatory components (SMAART):
1) (S) System – Implementation of procedures and internal controls to ensure that transactions are conducted and recorded in accordance with legal regulations and customer service requirements.
2) (M) Monitoring involves supervision on a daily basis – the operation of the compliance systems in the bank to ensure real-time execution in accordance with the standards of the compliance programs in the bank.
3) (A) Evaluation refers to periodically reviewing systematized records and transactions to identify operational disruptions and program deficiencies.
4) (A) Liability. Allocation of responsibility, authority and accountability for directing personnel to implement the compliance policy in the bank and notifying the bank's board and council about the effectiveness of the compliance program.
5) (R) React. The process of handling customer complaints, overcoming violations of regulatory requirements, correcting procedures and controls, correcting deficiencies in internal oversight and implementing policies, procedures, revising or updating them.
6) (T) Training. Communication regarding compliance with policies, procedures, directives, regulatory requirements, information about products and services, including ensuring staff awareness.
Figure 1. Risk-based planning of internal audit activities
[Diagram: determining the feasibility of an audit. Blocks: overall assessment of inherent risk (materiality, impact of risk, reliability of information, impact on the achievement of bank goals, complexity of the process, degree of external requirements, business dynamics level; risks: market, liquidity, operating, reputation, credit, strategic, financial, others); general assessment of the effectiveness of internal control (evaluation of controls: linear control assessment (level 1), assessment of the 2nd level of control, assessment of the 3rd level of control (for subsidiaries), evaluation of the effectiveness of management control, external / internal evaluations (external audit, regulatory reviews, etc.)); date of last audit; assessment of the previous audit; completeness of closing recommendations.]
One of the types of control over the observance of current requirements by the bank – compliance control, which is gradually gaining popularity in Russian banks. The essence, main functions and goals of compliance control.[7]
In conclusion, a well-planned, implemented and maintained compliance control program can prevent or reduce regulatory violations, which in turn provides cost efficiency and is an effective tool in managing compliance risks.
2.2. The main methods for assessing the quality of the internal control system
According to the Regulation of the Bank of Russia No. 242-P28, one of the ways to carry out audits by the internal audit service is an operational audit, the purpose of which is to assess the quality and conformity of systems, processes and procedures, to analyze organizational structures and their sufficiency to perform the assigned functions. It follows from this that the function of assessing the quality of the current internal control system in a credit institution is entrusted to the internal audit service. At the same time, the assessment of the effectiveness of the internal control system of the bank's business processes is an integral procedure for the internal audit of financial statements, as it affects the level of materiality. Thus, operational control can be considered as an integral part of financial audit and as an independent procedure that directly evaluates the quality of the internal control system in a credit institution.
Operational control as an assessment of the effectiveness of the internal control system is the process of collecting, evaluating and analyzing audit evidence regarding the internal control system of the audited business process. The result of this check is the auditor's assessment of the degree of reliability of the internal control system of the audited object.
The process of assessing the effectiveness of the internal control system includes the following stages:
28 Regulation of the Central Bank of the Russian Federation of December 16, 2003 No. 242-P "On the Organization of Internal Control in Credit Organizations and Banking Groups".
1) Initiation of verification – carried out by the head of the ICS on the basis of a previously approved work plan, or on behalf of an authorized person;
2) Audit planning;
3) Conducting audit procedures (includes an assessment of the design of control, an assessment of the implementation of control procedures, an analysis of the elements of the internal control system, an overall assessment of the effectiveness of the internal control system);
4) Formation of the results of the audit;
5) Work with the materials of the audit, including monitoring the implementation of recommendations.
The key to the successful work of the internal audit service is high-quality preparation for the audit, including the study of controlled processes and operations. One of the ways to collect analytical material is to study the necessary documentation and conduct conversations with participants in the processes (operations). The results can be presented in the form of a diagram that reflects the structure of technological processes that affect or are objects of control29.
Audit objectives:
– Checking the reliability of financial accounting;
– Verification of compliance of transactions with Russian legislation to exclude so-called "shadow" transactions;
– Checking organizational structures for compliance with the functions performed;
– Verification of methods of control over risks and access to information flows.
It is the auditor's responsibility to fully assess the management criteria that determine the effectiveness and economic performance of the process. Particular attention is paid to the review of the current system of motivation for all employees of the credit institution.
Particular attention is paid to the goals of activities and development prospects. If the development goals are not formulated, and the management team cannot clearly state them, then the auditor needs to record the facts identified and develop recommendations to correct the current situation.
29 Miroshnikova A.Yu. Compliance Control in commercial banks // Alley of Science. 2017. No. 9, volume 2. pp. 141-146.
At the stage of collecting information, the auditor identifies not only the risks associated with the technological process, but also the risks associated with control methods.
Factors taken into account when assessing risks are:
– The number of transactions made;
– Economic and legal component;
– Features of personnel policy (qualifications of employees, the so-called turnover).
Let's highlight the following main stages in the verification process:
– Construction of technological process diagrams;
– Assessment of possible risks at the initial stages of planning;
– Collection and analysis of information sufficient to form an opinion on the effectiveness of control within the analyzed processes;
– Testing of existing procedures and measures for risk management.
To assess the reliability and efficiency of the internal control system, the following is carried out:
– Analysis of accounting and financial documents;
– Verification of compliance with regulatory documents;
– Review of the organization's management and practical system actions;
– Independent comparative analysis of similar transactions of other credit institutions.
The analysis allows us to assess the effectiveness of the implemented internal control and identify the advantages or disadvantages of the implemented procedures and measures, with the aim of further applying effective methods (as well as their possible use in related areas) or eliminating ineffective ones.
Observing current processes, when the performer carries out current operations, provides the representative of the internal control service with additional information that allows him to draw a conclusion about the level and quality of current control at the stage in question. It is also necessary to check the availability of authority and access for the employee who implements the control functions.
The auditor needs to independently carry out control operations implemented by the performer, for example, to enter an existing automated data system without authorization.
After processing all the data obtained from the test results, the auditor evaluates and concludes on the reliability of the functioning process control system on the management of the analyzed risks. The auditor also indicates the possible consequences if the perceived risk materializes. The auditor carries out the formation of recommendations that optimize the existing system or build a new one that is optimal in this situation.
Preliminary examinations and testing of actually implemented measures and risk management procedures, which are closely related to the analyzed banking process, end with the formation of a general opinion on the effectiveness of the existing internal control system of the audited object.
One of the constituent elements of the internal control of a credit institution is a regular financial audit, the need for which is due to the high requirements for the financial reliability of the bank and the safety of its operations.
When carrying out a financial audit, in the case of a spot check, the formation of a sample of the analyzed transactions will be fundamental. If necessary, use special software containing a random number generator.
Based on the results of the audit, an employee of the internal control service draws up a report. The information and conclusions contained in the report must be objective, constructive, concise, timely and clear (that is, not suggesting hints and multiple interpretations).
The following information must be indicated in the report:
– object and subject of verification;
– the objectives of the auditor;
– employees carrying out the check;
– the term of the inspection;
– a description of the identified shortcomings and violations, as well as an assessment of their significance;
– recommendations for eliminating the causes of violations and identified deficiencies;
– recommendations for reducing risks that have a significant impact on the object of analysis.
The conclusions and recommendations prepared by the employees of the internal control service are further used to improve and optimize the bank's internal control systems.
It should be noted the need for an annual reassessment of the risks arising in the bank's activities. The reassessment under consideration is carried out by the internal audit service and is a set of measures, including updating the list of objects to be inspected.
There are three approaches to assessing the quality of the internal control system in credit institutions.
1) COSO Model – offers a comprehensive approach to risk management that considers the diversity and interdependence of a credit institution's “weaknesses” and the influence of external factors such as increased competition, changing market conditions, changing legislation, and so on.
The 2013 update to the Internal Control – Integrated Framework helps organizations design and implement internal control in light of the many changes in business and operating environments since the issuance of the original Framework in 1992.
According to the COSO Internal Control – Integrated Framework model, the internal control system consists of 5 interrelated components: control environment, risk assessment, control procedures, information environment and communication system, monitoring.
The control environment includes so-called "control pillars".
Risk assessment. Since controls are established to mitigate risk, an effective control system requires knowledge of the current "risk map". Risk assessment in different areas is carried out with varying degrees of formality. The internal audit department conducts an annual reassessment of the so-called risk "universe of auditing", which is a list of audited areas. Typically, the “universe of auditing” encompasses a wide range of processes in an organization. But it is not all-encompassing, i.e. there are risks in the organization that are not “captured” by the “audit universe”. For example, the process of preparing financial statements is usually found in the universe. And the process of analyzing financial results and forecasting them is not. The reason for this is the difficulty of auditing non-routine processes.
Control procedures are so-called “actions” of control, which are instruments of “direct” control:
– Certainty in the division of powers;
– Physical and system access control;
– Adequate supervision, training, segregation of duties;
– Transactions are authorized and recorded;
– Existing policies, procedures, responsibilities are documented;
– The assets recorded are compared with what is available.
These control actions are clear enough from their names. Here is an example of the consequences of ineffective transaction authorization. The manager, not authorized to sell the equipment, instructed the engineer to find potential buyers for the retired production line. The extremely expensive line sold for half its market value.
Information and communication implies the presence of communication between the structural units of one organizational unit, which contributes to the exchange of experience, knowledge, thereby preventing possible mistakes.
Monitoring. This group includes various types of supervision of higher levels of management over the work of lower ones. This includes various types of audits, including quality audits, safety precautions, and internal audits. Monitoring often involves comparing current results with expected ones. Therefore, the standards refer to this group of control elements.
Thus, according to the COSO model, control is a necessary condition for minimizing risk. An internal control system is effective if it is formed through a reasonable combination of the above elements.30
2) The recommendations of the Basel Committee on Banking Supervision are a certain set of principles according to which the assessment of the quality of internal control systems should be built. These principles are published in the Letter of the Central Bank of the Russian Federation dated July 10, 2001 No. 87-T. The Basel Committee proposes 13 principles for assessing internal control systems. In accordance with the recommendations of the Basel Committee, the following criteria for an effective internal control system can be distinguished:
– Responsibility of the Board of Directors for the creation and functioning of an adequate and effective internal control system;
– Management actions aimed at ensuring an effective internal control system;
– Creation of a corporate culture that emphasizes the importance of internal control;
– Assessment and identification of possible risks on an ongoing basis;
– Creation of an appropriate control structure in which control functions are defined for each level of the bank's activity;
– Clear division of responsibilities;
30 The Essentials of Risk / Management from English / M. Crui, D. Galay, R. Mark; scientific. ed. V. B. Minasyan. M.: Yurayt Publishing House, 2017. 390 p.
–Timely,complete,accessibleinformationofafinancial,operationalnature,aswellasinformationoncompliancewithestablishedregulatoryrequirements;
–Availabilityofreliableinformationsystemscoveringallthemainactivitiesofthebank;
–Availabilityofeffective informationsystemsavailable forunderstandingandcompliancebyemployeesinpractice;
–Monitoringtheeffectivenessofinternalcontrolonanongoingbasis;–Havinganinternalauditfunctionthatindependentlyevaluatesthecontrol
systemsintheorganization.–Timelyinformingmanagersandshareholdersaboutidentifieddeficiencies
ininternalcontrol;–Theinternalcontrolsystemshouldbeconsistentwiththenatureandcom-
plexityofthebank'sactivities.Thus,aprerequisitefortheeffectivenessoftheinternalcontrolsystemisthe
implementationoftheprinciplesproposedbytheBaselCommitteeonBankingSu-pervision.
3) Institute of Internal Auditors recommendations [11] and the Association for Audit and Control of Information Systems [12] – the purpose of this approach is to popularize the internal auditor in the profession.
Russian banking practice in relation to approaches to assessing the quality of the internal control system is currently determined by the Letter of the Central Bank of the Russian Federation dated March 24, 2005 No. 47-T “On Methodological Recommendations for the Audit and Assessment of the Organization of Internal Control in Credit Institutions”. The Methodological Recommendations clarify the procedure for conducting an audit of the organization of internal control and are intended mainly for use by authorized representatives of the Bank of Russia in making reasoned judgments and for testing new approaches to assessing the organization of internal control in credit institutions. The guidelines indicate the following verification objectives:
1) assessment of the credit institution's compliance with the rules for organizing and exercising internal control established by regulation 242-P;
2) assessment of the reliability of reports and other information on internal control in a credit institution submitted to the Bank of Russia;
3) assessment of the compliance of the internal control organization with the nature, scale and conditions of the credit institution's activities.
According to the Methodological Recommendations, the audit of the organization of the internal control system can be carried out both as an audit of the internal control system as a whole, and as an audit of individual operations of internal control. The Central Bank applies a method of qualitative assessment of the internal control system using scores and weights. Despite the fact that the Methodological Recommendations under consideration are intended for use by authorized representatives of the Bank of Russia, these recommendations can also be considered by the heads of the internal control service as an additional source of assessing the quality of the existing internal control system.
Chapter 3. Organization of the internal control system and the importance of ICS
3.1. Organization of the internal control system on the example of Russian banks
It is advisable to count the following among the most important threats to the financial security of a commercial bank:
- general economic downturn;
- devaluation of the national currency;
- volatility and unpredictability of exchange rates;
- lack of liquidity;
- loss of business reputation;
- loss of clients and their trust in institutions and companies;
- seizure of financial assets for preservation and management;
- decreased demand for financial services;
- low level of regulatory and reserve capital;
- falling incomes of the population and their inability to fulfill their financial obligations;
- reduction of credit and other types of financial transactions;
- ineffectiveness of financial management;
- fraud;
- shortcomings in the organization of state regulation and supervision.
Thus, the specification of threats to the financial security of a commercial bank will allow the bank's management to realize the necessary directions for risk management.
The basis for ensuring the financial and economic security of a commercial bank is a certain concept that includes goals, objectives and principles of activity. The purpose of this system is to minimize external and internal threats to the economic activity of the bank, including its financial, material, informational and human resources.
For the timely identification of existing and potential shortcomings in the field of ensuring the comprehensive financial security of a commercial bank, it is necessary to determine the appropriate indicators and conduct constant monitoring in order to develop and implement the necessary measures.
The reliability, and, consequently, the financial security of a commercial bank, can be determined using quantitative indicators in analytical work such as:
- the share of problem loans in the volume of the bank's net assets, which testifies to the quality of its loan portfolio, as well as the riskiness of the credit policy;
- the ratio of highly liquid funds and current liabilities of the bank, which shows the degree of its protection against the risk of withdrawal of funds at one moment by all clients;
- the ratio of own and borrowed funds, which characterizes the level of the bank's reliability in the long term, being an assessment of its ability to cover with its own funds the volume of liabilities to customers;
- the share of highly liquid assets in the bank's net assets, the value of which helps to assess the medium-term level of liquidity;
- return on net assets.
Next, let's look at the quality indicators. Among the indicators of the financial security of a commercial bank, an important place should be given to the indicator of the share of credit debt of the population in the total volume of credit debt.
An important place in the financial security system of commercial bank clients is the size of the loan interest, since it allows you to find out the profitability of the implementation of the project for which a loan is taken, that is, whether the costs will be recouped. In turn, the interest coverage ratio, which is characterized by the ratio of net profit to the amount of interest paid, indicates the level of security of lending activities of commercial banks.
A very expressive indicator of the financial security of a commercial bank is the share of funds raised from citizens in the total amount of funds raised. Of course, an indicator of the financial condition, and, consequently, of the security of the banking system, is the level of profitability of the authorized capital of commercial banks and their net assets.
In assessing the performance and success of the bank, the following indicators are indicative: firstly, the ratio of profit to average annual capital (minimum expectations of shareholders in terms of business profitability, taking into account medium-term development costs) and, secondly, the ratio of profit to average annual assets (efficiency of using the bank client funds). It is these criteria that are indicators of the bank's effectiveness, taking into account the risks.
For a deeper analysis of the strengths and weaknesses of a commercial bank, more specific qualitative indicators are used: average assets per employee (indicates the efficiency of staff loading), operating profit per employee (staff efficiency), intrinsic value of banking services, the efficiency ratio of raised funds and the like. The volume of assets per employee of the bank can also serve as an indicator.
Failure to comply with the standards is an indicator of the potential threat of loss of liquidity and solvency of a commercial bank.
Compliance with the rules, requirements and standards established by the state supervisory authority is guided, first of all, by intrabank control. Control over the activities of a commercial bank is carried out by bank managers in accordance with their functional responsibilities, as well as by internal and external auditors. The main purpose of internal bank control is the timely identification of negative trends and shortcomings in the bank's activities in order to develop measures to eliminate them. Thus, control not only logically completes the bank management process, but also gives impetus to new management decisions.
Consequently, ensuring the economic security of a commercial bank is a complex, continuous and multilateral process. Bank managers must view security as one of the most important areas of their management activities. To build an effective system for managing the economic security of a commercial bank, it is necessary to involve various specialists: not only economists, but also mathematicians, programmers, psychologists, analysts. It is necessary to continuously modernize management tools and keep up with the development of modern information technologies. Bank owners should understand that it is better to prevent crisis situations, and not save money on ensuring financial and economic security, than to incur increased costs later in eliminating the consequences of a crisis situation.
In modern conditions of development of the banking system, the task of assessing its financial and economic security and developing a set of criteria and indicators that would give a qualitative and quantitative characteristic of its level becomes especially urgent. The main indicators of the analysis of the economic security of a commercial bank should include indicators related to the organization of money circulation, the sphere of payments and settlements, lending, the effectiveness of the development of the banking sector, the presence of foreign capital, as well as indicators characterizing the observance of state legislation and regulations by credit institutions, and the like.
The completeness, timeliness and effectiveness of management measures to liquidate, prevent existing and potential threats in the banking system, and, consequently, the national economy and social sphere of the Russian Federation, largely depend on an adequate assessment of the current level of financial security of a commercial bank.31
31 Andreeva T. E. Risk in a market economy: [textbook. manual] / T. S. Andreeva, T. E. Petrovskaya. X.: "Burun and K", 2017. 128 p.
The problems of internal control remain significant, relevant and important for the banking community to this day. The main document regulating the work is the Regulation of the Bank of Russia dated December 16, 2003 N 242-P "On the organization of internal control in credit institutions and banking groups."
Let us consider the organization of the internal control system using the example of two conditional banks (the so-called federal and regional banks) in order to identify common features, main disadvantages and advantages of the existing system, and also offer recommendations for improving the current system.
The internal control system of the federal bank is formed in accordance with the principles of COSO, which were discussed in Chapter 2 of this work, and includes the following elements:
1) Control environment;
2) Regulation;
3) Risk assessment;
4) Control procedures;
5) Information support and information exchange system;
6) Control and monitoring of the efficiency of the system itself.
Note that the federal bank's internal control system includes such a component as "regulation", which is not mandatory in the COSO model. Regulation is a system of normative documents governing the activities of the bank, its divisions and employees. Regulation includes the development, adoption and enforcement of regulations. Thus, regulation is a component of the internal control system that provides compliance control.
The considered federal bank provides for the following control procedures:
1) Control over the implementation of the financial and business plan;
2) Reconciliation of operational data with the budget;
3) Reconciliation of data submitted by various structural divisions of the bank;
4) Arithmetic verification of the correctness of accounting records;
5) Checking the correctness of the workflow;
6) Evaluating the effectiveness of certain transactions;
7) Checking the presence of permissive resolutions of managers on primary documents;
8) Conducting regular and unscheduled inspections and inventories of the bank's property and its obligations;
9) Conducting reconciliation and confirmation of settlements;
10) Using information from external sources for control purposes;
11) Control over the use of tangible assets;
12) Physical restriction of access to assets, primary documentation, accounting registers and computer accounting files.
The presented list of control procedures is sufficient to ensure an effective internal control system within the COSO model.
To solve the problems of information support of internal control in a federal bank, a systematic approach is used. A systematic approach to information support of internal control in a bank means the presence of a set of interrelated elements that ensure the organization of information for the implementation of effective internal control. Information is provided through external and internal information systems. External information systems include legislative, regulatory documents, information systems based on information technology (SWIFT, Reuters, Internet resources). Internal information systems include internal regulations of the Bank, accounting and reporting system, automated banking system, economic security system of the Bank, marketing information system (the Bank's website on the Internet).
To ensure that all subjects of internal control understand the internal control policies and procedures adopted by the Bank and ensure their implementation, the federal bank operates effective information exchange channels: e-mail, automated banking system.
In order to ensure information security, the federal bank takes measures such as password protection; access control to the premises where computer equipment is installed; control by the information security administrator over the actions of users at all stages of work; establishing the procedure for connecting users to the automated banking system.
Monitoring – the final stage of the internal control process – is carried out in the course of current activities, through periodic inspections by the management and employees of various departments, including departments carrying out banking operations and other transactions and their reflection in accounting and reporting, as well as by the internal control service.
The subjects of internal control of the federal bank are shown in Figure 2. As can be seen, the internal control system includes all employees of the credit institution, which complies with the Basel principles of building an effective internal control system. A wide range of subjects of internal control of the federal bank confirms that internal control is carried out at all levels of the management structure: from ordinary employees to top managers and is headed by representatives of the Bank's owners.
Figure 2. Subjects of internal control of the bank
[Diagram labels: Supervisory Board / Directorate Board; Strategy and Risk Audit Committee; Internal Audit Service; Management Board of the Bank; Special services performing control functions and risk management; Accountability; Referral for consideration]
Let's consider the Audit Committee and the Internal Control Department in order to identify functional differences between the specified subjects of the bank's internal control. According to Regulation No. 242-P, the creation of the Internal Control Service and the Internal Control Service is a prerequisite for organizing internal control in credit institutions. Nevertheless, the creation of such a body as the Audit Committee is not regulated in Russian legislation; therefore, the question arises whether the audit committee duplicates the activities of the ICS, and how justified the formation of an audit committee is in general.
The Audit Committee was created to analyze the effectiveness of internal control and audit, as well as to analyze financial statements and prepare recommendations to the Board of Directors on these issues. This body is fully accountable to the Board of Directors, which ensures the independence of internal control. The main goal of the Audit Committee is the creation and functioning of effective internal control in the Bank, with the exception of the control function in terms of banking risks management (this is within the competence of the Internal Control Department). The exclusive functions of the Committee are the assessment of candidates for auditors (external) of the Bank, assessment of the opinion of the external auditor, assessment of the effectiveness of the internal control procedures of the Bank and preparation of proposals for their improvement. That is, the Committee acts as an intermediary between the external auditors of the Bank and the Board of Directors. At the same time, the Audit Committee acts as a coordinator of the work of the Internal Control Department and other internal control bodies, takes measures to ensure prompt implementation by the Bank's Management Board of the recommendations and comments of the Internal Control Department, the audit organization and supervisory bodies. Thus, the Audit Committee can be considered as the highest internal control body in the hierarchy of the internal control system.
The most important subjects of internal control are the Bank's special services: the Internal Control Department and the Risk Management Department.
Risk assessment is a key link in the internal control system and is an element of the COSO model of an effective internal control system. The Risk Management Department is vested with the necessary powers to implement the risk management process in the Bank. It is the Risk Management Department that is responsible for the implementation of measures aimed at risk reduction:
1) Identification of risks that are basic and inherent for the main activities of the Bank;
2) Implementation of appropriate processes and procedures that are necessary and aimed at identifying and tracking changes in risks;
3) Establishing the level of risk that will be acceptable for the Bank and its divisions, that is, which they can take on in order to achieve the set goals;
4) Determination of core control methods and concepts that do not allow the specified levels of risk to be exceeded.
The risk management system in a federal bank is represented by three levels:
1st Level – Internal documents of the Bank governing the assessment and process of banking risk management;
2nd Level – Subjects of the risk management system;
3rd Level – The list of management reports – which department or employee prepares the report, to whom it is provided, the timing of the submission.
Figure 3. Internal control system
• 1st level of control: Business and other divisions responsible for direct work with the client, or control in one line (4-eyes principle)
• 2nd level of control: Financial monitoring (AML), Back office, Risks, control, Security, Accounting, Internal control, etc.
• 3rd level of control: Internal Audit Service
The Internal Control Department represents the internal control service at the federal bank. The Internal Control Department reports to the Board of Directors. The main tasks of the Internal Control Department are an independent and objective assessment of the reliability and efficiency of the risk management and internal control systems. In fact, the Internal Control Department carries out internal audit of a credit institution, including financial audit, operational audit, management quality audit and compliance control. It is the Internal Control Department that assesses the effectiveness of the Risk Management Department in managing banking risks. Thus, the role of the Internal Control Department in banking risk management is to verify the completeness and effectiveness of the risk assessment methodology and risk management procedures, which are directly implemented by the Risk Management Department.
Consider the interaction of the Audit Committee and the Internal Control Department. The Audit Committee coordinates the work of the Internal Control Department by attending department meetings to discuss audit and internal control issues. The Internal Control Department provides the audit committee with the necessary reports, the audit committee considers documents on the internal control structure of the Bank, approves measures to ensure that the Bank's Management Board timely fulfills the instructions and replies of the Bank's Internal Control Department. Thus, the audit committee analyzes the activities of the Internal Control Department, forms recommendations for the executive bodies of the Bank on the basis of the information received, and is responsible for implementing measures that increase the efficiency of the credit institution's internal control system. Consequently, the audit committee does not duplicate the functions of the Internal Control Department, but plays the role of an independent regulator of the Bank's internal control system, relying on the results of the ICS department.
In conclusion, we note that among the obvious advantages of the federal bank's internal control system is its compliance with the principles of the COSO model; the recommendations of the Basel Committee are also taken into account. It is interesting that there is an Audit Committee in the organizational structure of the Bank, which is not quite typical for Russian practice. Such a body as the Audit Committee makes it possible to ensure the effective independence of the subject of internal control from the executive bodies. The Audit Committee can be considered as an intermediary between the Board of Directors and the Bank's external auditors. At the same time, the Audit Committee closely interacts with the ICS, contributing to the improvement of the efficiency and quality of the latter's activities.
Consider the organization of the internal control system in a regional bank. A regional bank is characterized by the organization of an internal control system traditional for credit institutions of the Russian Federation, which includes the following subjects of internal control:
1) Management bodies (Board of Directors, President, Management Board);
2) Audit committee;
3) Chief accountant (his deputies) of a credit institution;
4) Head (his deputies) and chief accountant (his deputies) of a branch of a credit institution;
5) Bank committees (risk management committee, asset and liability management committee, others);
6) Internal Control Service and Internal Control Service;
7) Risk Management Service.
According to the author of the work, it is imperative to include ordinary employees of the bank in the list of subjects of internal control, since they are the executors – participants in the bank's business processes; therefore, control at the execution level could be the key to increasing the overall efficiency of control procedures.
Let us consider the functions and role of the ICS in the internal control system of the Bank as a whole, in the management of banking risks in particular.
Direct control of the Board of Directors ensures the independent functioning of the internal audit service. Also, IAS does not carry out activities subject to audits.
In the regional bank, a special body coordinating the work of the IAS, such as an audit committee, has not been created. The Internal Audit Service interacts with the Board of Directors of the Bank directly, reporting on issues and problems that arise during the internal audit, as well as recommendations for their solution and / or elimination. In addition, the audit service discloses this information to the President, the Management Board of the Bank.
To carry out internal control in the branches of the regional bank, a special Internal Control Department was created, the functions of which correspond to the functions of the ICS of the head office. The head of the internal control department reports to the head of the Bank's ICS.
One of the IAS functions is to check the completeness and effectiveness of the banking risk assessment methodology and banking risk management procedures. It should be noted that risk management is carried out by the risk department. The role of the IAS in minimizing banking risks is the subsequent control and analysis of the activities of the Risk Management Committee.
Thus, in comparison with a federal bank, the system of internal control in a regional bank is easier to organize. In a regional bank, IAS performs the functions of the Internal Audit Department of the Federal Bank, as well as the Audit Committee of the Federal Bank. Such an arrangement may take place if the costs of setting up an independent intermediary body, such as an audit committee, outweigh the potential benefits.
Figure 3. The main components of the audit of the internal control system
[Diagram labels: Completeness; Adequacy; Functionality; Reliability]
Internal procedures are defined and implemented; processes, roles and responsibilities are regulated and ensure that all risks are properly managed and regulatory compliance is met.
ICS is considered adequate if the control of the first and second lines provides coverage of the main risks. The ICS should be built according to the principle of proportionality with existing business risks.
The ICS effectively functions when controls of the first and second levels of protection are promptly introduced into business processes. All components of the ICS work in an integrated manner.
The ICS can be considered reliable if the controls allow timely identification of potential or existing problems. Corrective actions are promptly taken to solve problems and improve the overall efficiency of the ICS.
Any business process is somehow associated with risk. This is what led to the emergence of a risk-oriented audit, in which a specialist assesses the likelihood and possible consequences of risks, the security of the company and gives recommendations on minimizing risks and building a control and risk management system.
Risk-based audit – the formation of an independent assessment of the degree of the Bank's security, its ability to achieve the set goals, identification and determination of the degree of risks, development of an action plan to cover them.
The high popularity of the risk-based approach (compared to the compliance approach) is ensured by its focus on high-risk areas, which allows taking preventive measures in time, identifying and eliminating weaknesses and thereby avoiding the negative consequences of risk realization, including the risks associated with fraud.
The existing methods of identifying and assessing risks are essential factors of effective audit in modern conditions; however, their modernization in the organization of internal risk management allows internal audit to reduce audit risks and at the same time improve the quality of work.
The effectiveness of modern internal audit also significantly depends on the professionalism of the team of internal auditors.
3.2. Recommendations for building an internal control service in credit institutions
In Russian legislation, the place of the internal control service in the organizational structure of the bank is enshrined in Regulation 242-P, while the internal control service is assigned the function of managing regulatory risk. Meanwhile, according to A. A. Arslambekov-Fedorov, who considers the bank as a certain production unit, the IAS is a division that performs production functions [2]32. At the same time, the ICS performs both production and organizational functions. Consequently, the ICS is engaged in organizing and creating control mechanisms for the entire spectrum of banking activities. It should be noted that internal audit is primarily aimed at ensuring follow-up control, in particular, at identifying violations after the operation on the basis of data on its performance. Internal control is aimed at ensuring conditions and algorithms for the implementation of banking operations that make it possible to exclude or significantly reduce errors and abuse.
From the point of view of the goals of the ICS and IAS activities, the main task of the ICS, as a rule, is to build and maintain an organization's internal control system. In turn, the IAS is called upon to perform broader tasks of providing guarantees and advice in the areas of internal control, risk management, and corporate governance.
32 Arslambekov-Fedorov A.A. Internal control system of a commercial bank. M.: UNITI-DANA, 2004. 191 s.
According to the definition of internal audit, which is given by the international Institute of Internal Auditors: “internal audit is the activity of providing independent and objective guarantees and advice aimed at improving the activities of organizations. Internal audit helps an organization achieve its objectives by taking a systematic and consistent approach to assessing and improving the effectiveness of its risk management, control and governance processes.”33 Taking into account the above definition, internal audit can be considered as an integral part of the ICS.
The structure of the internal control service can be organized in one of the following ways. In the first case, the internal control service includes such structures as internal control and internal audit departments, as well as a department dealing with risk management and other analytical and controlling departments of a credit institution. In this case, we are dealing with a multifunctional structure covering various areas of the bank's activities.
In the second case, the internal control service is a separate structural unit that interacts with other units performing control functions. In this case, it is necessary to provide the relevant rights and obligations to the internal control service.
The choice of structure is determined by the specifics of the bank, the availability of the necessary resources, and established practice. However, both in the first and in the second case, the functions and methods of work of the internal control service in the main remain identical and should not disrupt the technological processes in the credit institution.
An advisory body may be created under the board of directors – an audit committee, which is not responsible for specific aspects of activities, unlike the board of directors and management, since its tasks include only facilitating the exchange of information between the various parties involved in the internal control process and providing assistance to the board of directors in the performance of its duties.
The audit committee can perform the following functions34:
33 International Standards for the Professional Practice of Internal Auditing. The Institute of Internal Auditors, 2005
34 Pashkov R.V., Yudenkov Yu.N. Corporate governance in the bank (monograph). M.: RUSAYNS. 2016. 312 p.
1) ensure communication between the board of directors, management and internal and external auditors;
2) monitor the performance of internal audit functions and assess the degree of independence, quality of work and the scale and cost-effectiveness of the unit performing the internal audit functions;
3) conduct an independent audit of financial information contained in reports for external users;
4) make recommendations on the appointment of an external auditor;
5) check the compliance of the board of directors and the bank with applicable laws and regulations;
6) evaluate the sufficiency and efficiency of the internal control in general.
The audit committee should be able to request any necessary data and materials, to order any investigation. For approval by the audit committee, a provision on the internal audit unit, an audit schedule, as well as calculations of the resources necessary for the unit may be submitted.
It is advisable to coordinate the work of internal and external auditors at the level of the audit committee. This committee is provided with the work plan of the external auditors, their conclusions and recommendations. In addition, internal and external auditors can exchange reports, discuss issues that are in their general competence. The head of the internal audit department is called upon to ensure that the work of his subordinates does not duplicate the activities of external auditors.
It is necessary to organize meetings of the audit committee, which may be attended by the chairman of the bank's board, internal auditor, and external auditor in order to improve performance.
At meetings of the audit committee, the following can be discussed:
1) the functioning of the internal control system;
2) problems of functioning of the internal audit department;
3) areas of risk to be covered by the internal and external auditor in the analyzed year;
4) data on the reliability, completeness and accuracy of financial information provided to the bank's management and external users;
5) problems identified during internal and external audit;
6) prospective external audit candidacy35.
35 Utkin E.A., Sukhanov M.S. Banking audit. M.: TEIS, 2003. 223 p.
The authors of the document "Conceptual framework for risk management of organizations" note that the internal audit service (IAS) should be organized in such a way as to assess the Bank's work objectively and have access to the top management and the audit committee under the board of directors (BoD). In addition, the level of subordination of the chief auditor should be such that the internal audit function operates smoothly and efficiently.
All of the above is achievable due to the functional subordination of the IAS to the board of directors and the head of the organization. This is also stated in the document "Conceptual framework for risk management of organizations". The authors emphasize the need for the head of the IAS to be accountable to the heads of the company: the head of the IAS is functionally subordinate to the board of directors and is administratively subordinate to the general director. Such a structure is necessary for the independence of the IAS and its audits. Issues related to the subordination of the internal audit function generate a lot of debate in companies. This is influenced by the professionalism of board members and managers, the specifics of the relationship between the board of directors and executive management, and the specifics of corporate culture in a particular organization.
What the internal audit service does in the Bank also plays a role. If it is engaged in audits, then, logically, it reports to the top executive management – in this way it controls the work of management. If the internal audit service is a part of the corporate governance system through which the Board of Directors fulfills its obligations, then, according to the same logic, the IAS is subordinate to the board of directors in order to be independent from the Bank's management. In turn, the IAS and external auditors contribute to the preservation of the independence of the board of directors from management in terms of obtaining data on the activities of the organization. IAS will be able to provide the board of directors with objective information only if it does not depend on the executive management.
If the IAS is subordinate to the board of directors, is this a complete guarantee of its independence and does it increase the usefulness of the internal auditors at the Bank? The answer to this question depends on the professionalism of the board of directors and its composition. Subordinating the IAS to it is beneficial only when:
– The Board of Directors is an independent body, not a tool for implementing the ideas of executive management;
– the BoD includes only independent directors;
– Board members understand exactly what internal audit is needed for.
However, even if these conditions are met, and the IAS is subordinate to the board of directors, it is not possible to achieve positive results in all cases:
1. Sometimes there is a lack of confidence in the executive leadership of IAS. This negatively affects the course and results of the auditors' work.
2. When the IACS is accountable to the Board of Directors, rather than to executive management, it can become an “uncontrolled” body because the Board cannot monitor its actions. The effectiveness of the results in this case will be influenced by the professionalism and personal qualities of the chief internal auditor.
In many international credit institutions, the independence and objectivity of audit assessments of the ICS exists only because internal auditors are subordinate to the board of directors, which is fully responsible for the safety and financial success of its organization.
The stages of creating an ICS can be as follows:
I. Opening a subdivision, including a manager and several employees, drawing up a regulation on the formation of the ICS. At this stage, the staffing table is prepared, the employees are assigned tasks. ICS interacts with the personnel department and the heads of the credit institution.
II. A list of business processes that are important to control in a particular Bank is compiled. This list can vary significantly from organization to organization. The list of processes is formed taking into account the most serious financial risks in the Bank. ICS interacts with the accounting department and back office branches.
III. ICS interacts with different departments of the credit institution and draws up a list of control procedures necessary to minimize risks. If you need to keep track of the limits of an open position, transactions with clients, limits on counterparties, market quotes of transactions, the ICS talks with the employees of the departments involved. In order for the ICS to work effectively, it must employ auditors who are able to independently cope with information processing, understand the databases and other software of the Bank.
IV. The list of business processes subject to control by the ICS is expanding. It includes all areas of the organization.
If the bank is multi-branch, then at the fifth stage the activities of the internal control service extend to the bank's divisions.
It is recommended to carry out scheduled inspections during the last month of the year to regularly assess the risks associated with business processes. Auditors analyze the main business processes, find out which links of these processes are at risk, ask the necessary questions to the "owners" of the process associated with a high degree of risk. For example, in the case of issuing plastic cards, the role of the "owner" of the process is played by the plastic cards department. The ICS meets with the head of the department and his staff, finds out if the auditors' assumptions about risks are correct, and discusses possible changes to reduce them. The internal control service makes its conclusions after collecting and analyzing the opinions of all parties.
After that, an assessment of the risks themselves is carried out. Personnel turnover significantly increases the level of operational risk. If many new employees appear in a credit institution, they have to be trained, and the institution has to be prepared for possible mistakes due to the inexperience of these employees or ignorance of the specifics of business processes in a particular bank.
Based on the results of the risk assessment, the President of the Bank comes to his own conclusions and informs the ICS which of them require a priority check. Priorities are allocated among risks on a point system. Based on this rating, an audit plan is drawn up, taking into account the need for rotation. If the internal control service has already considered the risks of some process, for example, last year, and did not find serious violations, it will re-assess it in a year or two. If in any business process violations and risks are found regularly, and they are serious, it is recommended to conduct an audit annually.
It is necessary to strive for compliance of the ICS activities with the add value principle. That is, the division must act in such a way as to be useful to the Bank and increase its market value. All of the above applies to this principle:
– prioritizing risks;
– collection of opinions of the "owners" of the business process;
– estimates from the SLE and the President of the Bank.
"Priority checks" of the ICS are audits that are initiated by the business, that is, they were not planned in the annual plan and were not approved by the audit committee. For example, in regions the cost for the same services differs, and the Bank started working with a new supplier, and there is information that the Bank pays less for the same services, but in another region. In such cases, the ICS conducts an independent investigation and establishes the reasons. For example, such reasons can be attributed to the illiterate conduct of a tender, violation of the principle of "conflict of interest" (acquaintances or contacts used for personal purposes), there may also be an elementary mistake of a bank employee – lack of the necessary knowledge of prices and services in a particular region.
The third area of ICS activity is risk and advisory services (RAS), which means business consulting at the stages of developing new directions and introducing new projects, consulting when issuing new internal guidance documents.
Thus, the role of the ICS in the proposed risk management model is to periodically analyze and assess risks in the bank's business processes, as well as to provide consulting services at the stage of developing and implementing new projects.
From the point of view of the effectiveness of the organization of the internal control system, the divisions can be divided as follows.
Firstly, it is advisable to separate a unit that is not entitled to conduct banking operations – a representative office.
Secondly, it makes sense to divide the rest of the geographically remote structural divisions of the bank into 2 groups according to the degree of riskiness of their activities. Group 1 – remote subdivisions, which usually carry out all, most or a significant part of the operations (transactions) according to the bank's license and also carried out by the head office of the bank. Branches are such subdivisions. The risks of branch activities are always quite high. In addition, significant cash flows can pass through them. It should also be borne in mind that the branch maintains its own balance sheet.
Group 2 includes all other remote subdivisions, which usually provide a limited range of banking services, and, as a rule, are not high-risk, and through which, as a rule, insignificant cash flows pass. That is, the risks of the activities of these divisions in the standard case are relatively small.
The most experienced employees of ICS should work in the branches of the Bank. Perhaps the manager of each branch should appoint a controller from among the employees of the ICS. This employee will be accountable to the head of the Bank's ICS.
If there is no way to choose a controller, one of the branch employees will have to perform his work. For this, an order is issued to the manager of the branch. The employee should not belong to the business unit, because his activities will most likely be audited by the ICS. The controller's candidacy must be coordinated with the head of the Bank's ICS.
In order for the controller to take up his duties, his status and subordination must be approved in the corresponding regulation. The specified document stipulates the independence of the staff from the management of the branch, the data transfer to the main office of the Bank without the consent of the leadership of the branch, free access to all documents (including electronic ones) and the data of the branch. The controller must be independent from the administration in all respects. It is unacceptable for the head of a branch to be allowed to dismiss the controller, demote, or reduce the amount of wages. Everything related to the controller's incentives should be decided by the head of the UCWU.
The controller must be provided with a description of his duties and the rules for their implementation. The meaning of his work is to control the activities of the branch in the provision of banking services, provided that the Bank is managed by employees of the head office. The employee prepares and sends to the head office standardized reports on the procedures. These reports will be processed automatically. In our opinion, it is advisable to use special software.
The formation of the ICS is in many ways different from the formation of other services in credit institutions:
The employees of the internal control service find themselves "above" the business processes. Therefore, they are obliged to know about everything that happens in the Bank. This is always due to their close attention to employees of other parts of the organization. Employees of the ICS are required to have professional qualifications and experience no less than that of employees of the audited units. Such a high qualification implies a high reward.
Employees of the ICS will be in opposition with those who work in the inspected subdivisions. Most often, divisions formally agree on the need for regular inspections, but imply at the same time conducting inspections in all other divisions, except for their own.
In combination with the fact that the costs of maintaining the ICS are tangible for any credit institution, the above circumstances may entail opposition between the Bank's employees at the stage of ICS formation. In order for this opposition to cease to interfere with the well-coordinated work of the Bank, it is necessary to eliminate the uncertainty as soon as possible, identifying the specific goals and objectives of creating the ICS.
3.3. Methodological approaches to the formation of the auditor's report
This document was developed in addition to the current Regulation on the IAS, as well as in addition to the "Procedure for interaction of the Internal Audit Service with audited units during the audit" (document under development) and defines a list of requirements for the formation / writing of audit reports, including:
- Cover page, including the section “Main results of the audit”;
- Audit Report Structures;
- Section introductory information;
- Audit results;
- Audit area assessments;
- Formation / writing of audit observations and recommendations;
- Coordination of audit observations and recommendations;
- Formation of working papers / Documenting the results of the check;
- Making recommendations in the database “Prescriptions of the ICS and IAS”.
TITLE PAGE
The cover page of the audit report contains the following elements:
2.1. Bank name in the header.
2.2. Be sure to indicate the “Confidential” stamp in the header on the right opposite the inscription indicated in clause 2.1.
2.3. Document Title – Audit Report
2.4. Audit topic:
In the case of a scheduled audit, the topic of the audit coincides with the topic specified in the IAS work plan for the current year.
In case of an unscheduled audit, the following must be indicated:
– Special investigation into the fact/s …
– Analysis of the causes and factors of the formation of a problem asset …
– Audit of the process / functional of the department …
2.5. Subdivisions to be checked:
When listing the departments to be checked, the main departments responsible for the process / functionality, the facts analyzed during the unscheduled / planned check will be indicated first.
2.6. Date of issue of the report: indicate in the format DD.MM.YEAR
The date of issue of the report must coincide with the date of the SZ of the release of the report.
Before the release of the report, it is necessary to clarify with the Head of the IAS the possibility of issuing the report by the current date (relevant for audits completed at the end of the calendar month).
2.7. Audit type:
| Audit type | Comment |
|---|---|
| Process | Indicated during the process audit. |
| Functional | Indicated when analyzing the functionality of the audited unit. |
| Compliance | It is indicated during the audit of the compliance of the current IRR with the requirements of the regulators. |
| PA analysis | Indicated when analyzing the causes and factors of the formation of a problem asset |
| Investigation | Indicated during the investigation. |
2.8. Overall audit score:
The auditor chooses one of the following options, which is formed on the basis of the overall audit assessment, formed on the basis of the assessments of the audit areas (see section 5 of the document).

| Overall assessment / Assessment of the audit area | Description |
|---|---|
| Optimally | Assessment of risk management related to audited processes / departments / audit areas. During the audit, effective methods were established to reduce risks in all aspects. At the same time, the disadvantages are insignificant or absent. Corrective action is not required or is minor. |
| Satisfactorily | Assessment of risk management related to audited processes / departments / audit areas. During the audit, sufficiently effective methods of risk reduction were identified. However, the deficiencies identified are minor and can be corrected in the normal course of business; however, some corrective action will be required. |
| Suboptimal | Assessment of risk management related to audited processes / departments / audit areas. In the course of the audit, insufficiently effective methods of risk reduction were identified. At the same time, the identified shortcomings are quite significant. The situation requires making changes by adopting recommended measures with the requirements for additional monitoring of the situation. |
| Unsatisfactory | Assessment of risk management related to audited processes / departments / audit areas. The audit revealed ineffective risk mitigation methods. At the same time, the identified shortcomings are significant. The situation can be corrected by taking immediate and effective measures to eliminate significant risks that could affect the quality of the processes. |

A Suboptimal or Unsatisfactory evaluation must be agreed with the Head of the Directorate and the Head of the IAS.
2.9. Heads of departments:
This column indicates (in the nominative case): position, surname, initials of the heads of the audited divisions, depending on the involvement in the process (from highest to lowest) within the framework of the audit.
2.10. On the right in the adjacent field are indicated (in the nominative case, in case of a match, there is no need to duplicate):
Full name of the Head of Internal Audit Service
Full name of the supervisor of the check (Head of the Directorate)
Full name of the Inspector
Name of the auditor / auditors
2.11. Procedure for Writing the Main Audit Results section:
!!! THIS SECTION OF THE AUDIT REPORT IS THE MOST IMPORTANT PART OF IT, IT SUMMARIZES THE RESULTS OF THE AUDIT TEAM.
!!! ON THE BASIS OF THIS SECTION, THE HEAD OF THE IAS PREPARES ON A QUARTERLY BASIS A PRESENTATION FOR SUBMISSION TO THE BANK'S MANAGEMENT BOARD, THE RISK AND STRATEGY AUDIT COMMITTEE AND THE SUPERVISORY BOARD.
!!! THIS SECTION SHOULD NOT EXCEED ONE TO ONE AND A HALF PAGES.
The first part of the section on the main audit findings provides an overall assessment in two or three paragraphs:
For instance:
As a result of the audit, the IAS notes the existence of a generally organized, streamlined and regulated process of countering money laundering and countering the financing of terrorism (hereinafter CoPoC / FoC).
The SFM pays special attention to minimizing the Bank's involvement in transit operations, which is confirmed by a decrease in the volume of these operations, according to the regulator. According to the results of the 1st quarter of 2017, the volume of transit operations amounted to 18.10 billion rubles (528 clients); at the end of the 2nd quarter of 2017, turnover was 8.5 billion rubles (279 clients).
In this part, it is necessary to reflect both the negative aspects and the objective "achievements" on the audited topic. It is possible to present the analytical information obtained during the audit (at a minimum, for example, the loan portfolio for corporate clients, the level of delinquency and the amount of the formed reserve), including on the dynamics in the audited period, for example, give a cut at the beginning of the audited period and at the last reporting date before the start of the audit.
For instance:
As a result of the audit, the IAS notes, in general, that the remuneration system meets the requirements of Instruction No. 154-I. The Bank is taking measures to ensure that the remuneration system meets the legal requirements. At the same time, the IAS within the framework of the audit noted the following shortcomings that require further action on the part of the Bank's employees:
As a result of the audit, the IAS notes that the built-in process control system is not effective enough due to: lack of the proper level of process automation, incorrect distribution of functions between the units involved in the process and shortcomings in the regulation of the current process.
As part of this audit, IAS carried out a comparative analysis of the Bank's internal regulatory framework developed by the Bank of Russia Ordinance No. 3624-U (hereinafter referred to as 3624-U), as well as the Central Bank questionnaire used by the Bank for self-assessment. IAS believes that the Bank's regulatory framework must comply with both the 3624-U norms and the questions of the Central Bank questionnaire.
Based on the results of the audit, the IAS confirms that the Bank has developed and duly approved documents required in accordance with the requirements of 3624-U. Nevertheless, the IAS draws attention to the need for their insignificant revision in order to eliminate the existing inconsistencies with the requirements of the Bank of Russia, which is reflected in the corresponding observations of the IAS noted in this report. Here are the main ones: …
By points of sale
As a result of the audit, the IAS notes the existence of a generally organized, streamlined, regulated and efficient process of organizing the work of the ___ additional office of the ___ Branch of BANK URALSIB PJSC ___ (hereinafter – AO).
In general, the planned and budgetary indicators of subsidiaries for 2017 were met. According to the indicators "Operating expenses in relation to income" and "Operating profit per employee" during 4 quarters of 2017, AOs were assessed as "Highly effective" and "Highly productive", respectively.
Next, it is necessary to reflect the main most significant / risky observations made by the Review Team as part of the audit.
You can start with an introductory phrase like "During the audit, the IAS made the following observations" or similar content:
The list of observations must be structured by subject (IT systems, Process, Reporting, etc.), by analogy with the sections of the audit. This section is finalized after the approval of observations and recommendations on the draft audit report.
In terms of the specifics of regional audits, it is worth noting the need to reflect aggregated information on similar shortcomings in quantitative terms in the context of the sections of the audit:
For instance:
Lending to individuals' clients
– IAS found a violation of the deadlines for the transfer of credit dossiers for support to the Credit Controller (mortgage – 3 facts, consumer loans – 4 facts, credit cards – 2 facts);
– a violation of the established requirements for the certification of copies of documents for the Credit Dossier provided by borrowing clients was revealed (mortgage – 1 fact, consumer loans – 6 facts, credit cards – 5 facts, car loans – 1 fact);
– the absence of a credit dossier was established on the issued car loan, which has an overdue debt of 238.10 thousand rubles (1 fact).
In the conclusion of this section of the audit report, the recommendations given by the IAS to the responsible divisions are briefly aggregated. Here the following options are possible:
For example, if there are few recommendations, give the most important:
In order to eliminate the noted shortcomings and reduce the identified risks of IAS, the following recommendations were given:
– Regulate the missing issues in terms of conducting projects of categories A and B;
– Consider the possibility of introducing an agile project management procedure;
– Improve the SD-Mini-projects portal in terms of reflecting missing information for the user, systematizing test results;
– Consider the possibility of developing a resource planning tool for the purpose of operational work and exclusion of possible operational errors.
Or make a short summary by directions:
In order to eliminate the identified deficiencies and reduce the risks of IAS, recommendations were made on the revision of the existing Company Regulatory documentation (CRD), reporting forms, strengthening the internal control system, and on including requirements to cover the risks identified during the audit in the Pre-project “Implementation of the system of market risk limits”.
STRUCTURE OF THE AUDIT REPORT
When conducting a scheduled audit, the standard structure of the report assumes the following sections:
Purpose and scope of the audit
Introductory information
Audit results
When generating a report on the results of the investigation and analysis of the causes of the problem asset, the first two sections are not drawn up!!!
In the section audit results, the reflection of the results of the investigation / analysis of the causes of the problem asset begins immediately!!!
The auditor does not assess the audit areas!!! This title is not reflected.
3.1. Purpose and scope of the audit
This section of the audit report reflects the general information on the audit, at least duplicates the information reflected in the Order and the Notice on the audit. It is possible to make some changes in relation to the original objectives and areas of the audit specified in the above documents.
It is mandatory to indicate:
verification methods (interviews, solid checks, spot checks, documentary checks, work with automated systems);
verification period;
checked period;
audit budget in man-days
For instance:
The audit was carried out in order to analyze the process of managing models for calculating economic capital to cover market risk, as well as assessing the correctness of their implementation, including the compliance of the relevant internal regulatory framework with the requirements of Bank of Russia Ordinance No. 3624-U.
The main areas of audit are:
– audit of the model development process;
– audit of the primary model validation process;
– audit of the model approval process;
– audit of the model implementation process;
– audit of the model monitoring process;
– audit of the process of regular and unscheduled model validation;
– verification of compliance with the requirements of Ordinance of the Bank of Russia No. 3624-U.
Verification methods: interview, documentary verification.
Verification period: from 22.11.2017 to 15.12.2017.
Period under review: models for calculating economic capital to cover market risk as of 01.11.2017.
For instance:
Purpose: Evaluation of the effectiveness of the organization of work at the point of sale, development of recommendations for the optimization of business processes and the organization of control procedures.
Audit areas:
– fulfillment of planned and budgetary indicators in the audited period;
– lending to small business clients;
– lending to retail customers, including mortgage lending, car loans, consumer lending and issuance of credit bank cards;
– settlement and cash services for legal entities and individual entrepreneurs (including deposit operations);
– settlement and cash services for individuals (including deposit operations and transfers of individuals without opening an account);
– organization of cash work;
– organization of the division's work within the framework of CoPoC / FoC;
– organization of work in terms of information security;
– general organization of work in the department (including external, internal appearance, equipment of the point of sale, physical security, availability of job descriptions for employees);
Verification methods: interviews, analytical procedures, documentary verification.
Check period: from 12.03.2018 to 20.04.2018.
Checked period: from 01.01.2017 to 01.03.2018.
Introductory information
This section of the audit report provides concise information that may be useful to the user in order to better understand the organization / process being audited.
This section may reflect the following:
– important internal information and changes during the year (for example, new products, new projects, changes in marketing strategy, personnel changes, changes in inherent risk, changes in the process, significant items of income / expenses);
– important external information and changes (e.g. competition, population, laws and regulations, taxes, supplier support, global market conditions);
– changes in the structure and volume of risks (for example, new rules, changes in business volumes, changes in regulatory documents; volatility in exchange rates; crisis, changes in customer expectations);
– financial indicators (for example, for two years);
– description of IT systems, equipment related to the audit (in simple business language) (for example, new system implementations, list of equipment affected by this audit);
– other “interesting” information about the business, technology or risks (for example, description of the technology platform, number of jobs, number of employees, privacy information).
For instance:
The key priority of the Bank's strategic development, in accordance with the current Development Strategy of the Bank for 2016-2018, is building long-term relationships with customers based on an understanding of their needs and mutual benefits. The most important component of such a relationship is the high quality of customer service.
In this regard, the creation of an effective quality control system for customer service to individuals in the Bank's branches is becoming one of the key tasks of the Retail Business and Retail Business Division, in particular.
In accordance with the "Business process for managing the quality of service in servicing individuals" approved by the Board, the following tools were chosen to assess the quality of customer service for individuals:
polling system:
- telephone survey of customers' opinion on the level of service in the last service department;
- e-mail survey, which is a survey-questionnaire on the quality of service in the Bank's branches;
an electronic queue system used to organize services and distribute the flow of visitors, increase the throughput of the point of sale, as well as collect information for subsequent statistical analysis;
marketing research:
- "Mystery Shopper" – a study aimed at checking the compliance of front-office employees with the standards of communication with clients and standards of appearance;
- "Audit of the external design of the Bank's branches" – a study aimed at checking the standards of maintenance of offices, workplaces, the appearance of employees;
"Loyalty button" located on the service quality assessment panel and allowing to assess customer satisfaction with the service provided.
During 2017, Retail Business Division replaced the telephone survey of customers with an SMS survey, which allows you to quickly get the opinion of customers about the quality of service at a particular point of sale on a 10-point scale immediately after the end of the visit to the office, and also abandoned the “loyalty button” in connection with a low percentage of opinions received during the reporting period.
Audit results
The audit results reflect information on the assessments of the audit areas (see the table in clause 2.8 of this CRD).
As part of the audit, the Audit Group is obliged to verify the following areas provided for by Bank of Russia Regulation No. 242-P, with the mandatory reflection of the audit results in the audit report (if relevant within the framework of the audit):
Checking and evaluating the effectiveness of the internal control system as a whole, the implementation of decisions of the management bodies of the credit institution (general meeting of shareholders (participants), the board of directors (supervisory board), executive bodies of the credit institution).
The table below is used:

| Audit areas | Optimally | Satisfactorily | Suboptimal | Unsatisfactory |
|---|---|---|---|---|
| 1. Strategy and budget | | | | |
| 2. Assessment of the process / functionality of the department | | | | |
| 3. Analysis of internal regulatory and organizational and administrative documents | | | | |
| 4. Assessment of the adequacy of internal control and risk management procedures | | | | |
| 5. Accounting and reporting | | | | |
| 6. IT systems | | | | |
| 7. Staff | | | | |
| 8. Other questions | | | | |
| Overall score | | | | |
Checking the effectiveness of the methodology for assessing banking risks and banking risk management procedures established by the internal documents of the credit institution (methods, programs, rules, procedures for banking operations and transactions, banking risk management), and the completeness of the application of these documents.
Checking the reliability of the functioning of the internal control system over the use of automated information systems, including monitoring the integrity of databases and their protection from unauthorized access and (or) use, taking into account measures taken in case of non-standard and emergency situations in accordance with the action plan aimed at ensuring the continuity of activities and (or) restoration of the activities of a credit institution in the event of non-standard and emergency situations.
Verification and testing of the accuracy, completeness and timeliness of accounting and reporting, as well as the reliability (including accuracy, completeness and timeliness) of the collection and presentation of information and reporting.
Verification of the methods used to ensure the safety of the property of the credit institution.
Assessment of the economic feasibility and efficiency of operations and other transactions performed by the credit institution.
Review of internal control processes and procedures.
Verification of the activities of the internal control service of the credit institution and the risk management service of the credit institution in the event that its competencies are affected (including for identified deficiencies that entail regulatory risk).
Other issues stipulated by the internal documents of the credit institution.
Following the example of the table below, the audit report reflects the identified observations:
OBSERVATION LIST

| THE CODE | OBSERVATION | RATING OBSERVATIONS | RESPONSIBLE UNIT | DATE OF REMOVAL | NO. OF PAGES IN THE REPORT |
|---|---|---|---|---|---|
| 1. | Small business lending | | | | |
| 1.1. | The inventory of documents on the loan provided by LLC "RAM Professional" has not been formed | Moderately | OKMB (Rogozhin S.N.) | 31.07.2018 | 6-7 |
| 2 | Lending to individuals' clients | | | | |
| 2.1. | Violations of certification of copies of documents and execution of credit documents. | Moderately | AO (Kovalev S.V.) | 05/31/2018 | 8 |
| 2.2 | Providing a loan on terms that do not correspond to the decision made in terms of the loan term. | Important | DCC (Arduvanova Y.R.) | 05/31/2018 | 9 |
| 3 | Settlement and cash services for individuals | | | | |
| 3.1. | Violations of the procedure for scanning and placing copies of the CPC in the ABS "CFT" | Moderately | AO (Kovalev S.V.) | 31.07.2018 | 12 |
| 3.2. | Violations of the procedure for closing savings accounts of clients of legal entities | Moderately | AO (Kovalev S.V.) | 31.07.2018 | 12 |
| 4 | Settlement and cash services for individuals | | | | |
| 4.1. | Failure to monitor for the presence and completeness of Legal Affairs on the account of the deposit and the correctness of the execution of documents with a frequency of at least twice a year. | Moderately | AO (Kovalev S.V.) | 31.07.2018 | 14 |
| 4.2. | Failure to carry out subsequent control of the procedure for connecting clients to the RB System and changing the parameters of a client's account. | Important | AO (Kovalev S.V.) | 06/30/2018 | 16 |
| 5. | Organization of cash work | | | | |
| 5.1. | Lack of an up-to-date Order on the appointment of a responsible officer for the storage of documentation on the technical strengthening of the premises of the Directorate, in which operations with valuables are performed | Important | TD Moscow-North (Khapilova N.A.) | 06/01/2018 | 18 |
| 5.2. | The requisites affixed by stamp imprint do not comply with the requirements of the Central Bank of the Russian Federation Regulation No. 318-P. | Important | AO (Kovalev S.V.) | 06/01/2018 | 18 |
| 5.3. | Violations of the storage of Acts of acceptance and transfer of values between shifts. | Moderately | AO (Kovalev S.V.) | 06/01/2018 | 19 |
| 5.4. | Absence of an Order on the procedure for organizing the temporary storage of discovered banknotes | Important | AO (Kovalev S.V.) | 06/01/2018 | 21 |
If one observation has two or three recommendations, then it is necessary to indicate all the recommendations in the format:

| THE CODE | OBSERVATION | RATING OBSERVATIONS | RESPONSIBLE UNIT | DATE OF REMOVAL | NO. OF PAGES IN THE REPORT |
|---|---|---|---|---|---|
| 5.3. | Violations of the storage of Acts of acceptance and transfer of values between shifts. | Important | AO (Kovalev S.V.) | 06/01/2018 | 19 |
| | | | AO (Ivanov) | 06/01/2018 | 19 |

Assessment of audit areas
A planned / unscheduled audit of a process / department functional always aims to corroborate the assessment of a subsection with identified observations. The subsection should always begin with “assessment summary”.

| 1. Strategy and budget | Optimally | Satisfactorily | Suboptimal | Unsatisfactory |
|---|---|---|---|---|

The auditor chooses one of four assessments, the characteristics of which are reflected in clause 2.8 of this document.
Formation / writing of audit observations and recommendations
Writing audit observations:
Observation should be in two parts:
“Problem” – a summary of the essence of the observation in a few words (up to 3-4 lines of text).
"Confirmation" – the analytical part of the observation, indicating a full list of the circumstances of the detected observation.
Basic rules for writing revealed "Problems":
The “problem” should be clearly formulated in the first sentence (in the future, this sentence can be copied to the Observation List (see section 5)).
The problem (first sentence), in which the essence of observation should be reflected, is written in the format "speaking in simple terms":
– "WHO DOES NOT DO WHAT";
– "WHAT IS WRONG in the Bank."
If the identified "problem" is that the process is not developed and / or not formalized, the head of the audit must, in the second sentence, indicate how the process being audited actually works at the time of the audit.
The "Problem" should not reflect any analytical data (numbers, dates, amounts, etc.). If they exist, then this is already a "Confirmation", not a "Problem".
The basic rules for writing "Confirmation" are reflected in clause 7.1.1.
Colleagues, the words Problem and Confirmation do not need to be written in the report!!!
Below are some examples:
For instance:
Examples of problems in the "WHO DOES NOT DO WHAT" format:
Problem: The Audit and Security Department did not implement a consistent passage of mandatory checks, including paid services, for all participants in the transaction. In practice, the checks of the main borrower and co-borrowers are carried out simultaneously. At the same time, IAS notes the presence of additional financial costs to pay for each call to external services.
Confirmation: Having made a decision to refuse the application due to the identification of negative information on the main borrower, the Bank has already incurred additional costs for checking the co-borrowers (if any). The total amount of unnecessarily incurred expenses amounted to 1 million rubles. 1000 credits each.
Problem: SCM, when considering a loan application from a client ofNEFTERESURSLLCinAugust2015,didnotasktheguarantorofTerminal-AZSLLCfor official documentary confirmation other credit institutions of theGVZ com-pany)ofthefactofrepaymentofthecreditlineshehadfromthecreditorbank,andAuthorizedPersonsandtheUnderwriters,inturn,didnotdouble-checkthecorrectnessof theGCM'sactions,whichviolates therequirementsof theBank'sCRD.
Confirmation:Asaresult,SCM,inviolationoftheCDRrequirements, indi-catedinthecreditreportinformationontheclosureofcreditlinesattheLenderBankonthebasisofaccountingdata(trialbalanceonaccount66)receivedfromtheclient.At thesametime, IASnotesthattheclientprovidedinaccurate infor-mation.
B.Examplesofproblemsintheformat"WHATISWRONGintheBank":Problem:TheCRDoftheBankdoesnotdefinetheneedtoupdatereports
from the credit card information on the borrower and participants in the loantransactionintheeventofalongreviewoftheloanapplication(over2months).Asaresult,theupdatedReportfromtheCreditReferenceBureauonthetransac-tionwithNEFTERESURSLLCwasnotrequestedeitherfortheborrowerorfortheparticipantsinthetransactionCM,AuthorizedPersonsandtheunderwriter.TheIASnotesthatonlyanemployeeofDAKOMBrequestsanup-to-datereportfromtheBKIontheborrowerimmediatelybeforetheissuanceoffundstotheborrowerwiththeexistingdecisionoftheCCRB.
Confirmation: CC RB made a Decision on the transaction with LLCNEFTERESURSbasedonanirrelevantReportfromtheCreditRecordsBaseontheborrowerandparticipantsinthetransactionreceived3.5monthsago.
7.1.1.Methodoffivequestions(Who?What?Why?When?Where?)5Ws.
The five-question method is a very convenient way to identify all circumstances by observation.
This method is often used by journalists and police officers. In order to reflect correct information in the audit report, we strongly recommend
using this method. The auditor must answer five questions in the observation text !!!
Who is responsible (indication of department, personnel)
What happened? (description of the situation, indication of the amount of loss / amount at risk, how many cases out of how many verified).
Where did it happen? (place of event, point of sale / address, etc.)
When did it happen? (time depending on the situation date / month.year / year)
Why did it happen? (for an indication of the reasons for the observation, see the section "Analysis of the reasons for observation").
OBSERVATION WILL BE CONSIDERED COMPLETE ONLY IF THE ABOVE QUESTIONS ARE ANSWERED
7.1.1.1. The "5 Whys" method to identify the "problem"
The 5 Whys method allows you to look at the problem identified during the observation from different angles. Sometimes the underlying reasons for the observed observations are not "obvious" and may be due to a combination of circumstances.
In this case, the auditor should try to think out of the ordinary and build for himself the understanding that he should ask himself the question “Why” at least five times and answer it without repeating:
For instance:
Observation: As part of the audit, facts of incorrect calculation of interest on employee loans were established, affecting the amount of income received by the branch.
Why? Incorrect determination of the level of the interest rate. Mosprime 3 months, instead of Mosprime 1 month.
Why? IT program incorrectly loads the Mosprime interest rate
Why? The IT program used the previously valid rate and did not change it when upgrading.
Why? The terms of the loan product for employees in terms of the interest rate were changed and the IT application with the rates was not pilot tested before launching into the industrial environment.
Why? Lack of a subdivision responsible for carrying out the completeness of making IT settings in accordance with the changes in loan rates
7.1.2. Analysis of reasons for observation
The main goal of the auditor is to clearly identify the main cause / reasons for the "root cause" of the observation, with the aim of further developing an up-to-date recommendation on making changes to the process / CRD / functionality, to the maximum covering the possible risks of subsequent identification of similar observations in the future.
The reason is the answer to the question WHY there was a problem:
– WHY "SOMEONE didn't do SOMETHING"
– WHY "SOMETHING IS WRONG" at the Bank
To indicate the reason for the observation, in most cases, the auditor should receive comments from the responsible employees / departments.
Examples of reasons based on comments from the responsible department:
According to the comments of Retail Business Division, the quality control system of customer service for individuals in the network divisions is in the process of formation, and therefore, the Retail Business Division is still in search of optimal research methods.
According to the Retail Business Division comments, in connection with the prioritization of tasks and the launch of the network motivation system, Retail Business Division planned to introduce consolidated (for all inspections) regular management reporting and a “quality showcase” report in Q1 2018.
The management of the Collateral Division did not consider it necessary to formalize the requirements for photographing collateral, considering them unnecessary.
The management of the Collateral Division considered the existing way of organizing the storage of documents accompanying the assessment to be sufficient.
According to the comments of the Department of Small Business Development and Sales, the procedure for interaction with the IC is planned to be developed after the completion of the development of the "Insurance" module in the IS SUGAR CRM software.
The work should use the following categories of reasons (examples, the list is not limited):
Strategy
Definition of strategy:
• incorrect strategy definition
Communication strategy:
• ineffective communication of strategy information to staff
Understanding and implementing the strategy:
• shortcomings in terms of timeliness and completeness of taking measures for the implementation of the strategy by the responsible person / unit
• incorrect determination of the timing of the implementation of the strategy
• misunderstanding of the organizational goals of the strategy

Internal regulations
Disadvantages in terms of CRD:
• lack of GNI determining the process (partial or complete absence of CRD)
• ineffective CRD
• outdated
• process is not well defined
• difficult to understand / conflicting CRD
• KPI / KRI not included in CRD
Incorrect reporting of CRD to the responsible persons:
• staff not notified of new CRD
• irrelevant documents are used in the work

Functional
Incorrect functionality and responsibility:
• unit structure, line of accountability, authority and/or functionality does not correspond to unit objectives / functional responsibilities
• uncertain / ambiguous / conflicting powers and responsibilities
• indefinite / ambiguous / contradictory (conflicting) distribution of responsibility
• performing functions not assigned to the employee
• failure to fulfill their control functions assigned to the employee / department
• incorrect assignment / delegation of authority to an employee
• inadequate organizational structure of the unit

Controls
Controls:
• the implementation of the control is not in accordance with its intended design
• excessive reliance on "manual" control / lack of automation
Monitoring:
• ineffective monitoring process
• ineffective IT monitoring solution
• ineffective monitoring indicators (KPI, KRI, etc.)
Change management:
• untimely entry into the control process

IT infrastructure
Shutdown (unavailability) of systems:
• absence or partial implementation of maintenance plans to prevent system failures
• business support inappropriate to the required
Incident / problem / availability management:
• unavailable help desk
• no activity in case of application / system failures
• delays in resolving problems
Change / release management:
• poor quality changes (i.e. failure after change)
• delays in preparation of the release / problems with releases
• changes are not approved by business owners
Ineffective software / database:
• complexities / impossibility of developing new functionality of applications
• delays / errors in applications / database integration
Ineffective maintenance:
• lack or ineffective maintenance plan (unsupported software / platforms)
• lack of IT experience systems
Equipment:
• inconsistency of IT equipment / technologies with industrial or internal standards
• inconsistency of IT equipment capacity to meet business requirements
Network:
• inconsistency of network infrastructure with industrial or internal standards
• inconsistency of network infrastructure to meet business requirements

IT applications / functional support
Missing functionality:
• weak design of controls in IT applications (including confidentiality)
• inconsistency of the functionality of IT applications with business requirements
Lack of access rights management:
• lack or inadequate account management
• lack or inadequate management of rights / access profiles
Crashes in systems:
• failures in applications and tools that support the operation of the process
• lack of testing (e.g. user acceptance testing)
Weak user support:
• insufficient documentation / manuals
• lack of user training
Exceeding the reaction time:
• reaction time, which does not allow to carry out controls in a timely manner
Weak data validation:
• ineffective integrity check controls
• weak automation of data quality control

IT security
Business Continuity Plan:
• poor quality risk assessment
• absence or formal plan
• the plan is not implemented, or is partially implemented
Disaster recovery plan:
• poor quality risk assessment
• absence or formal plan
• the plan is not implemented, or is partially implemented
Physical security:
• poor elaboration of physical security controls
• poor-quality implementation of physical security means
• lack or ineffective access controls to buildings / premises
Technological safety:
• non-compliance of security technologies (for example, firewalls, proxy servers, authorization systems, …) with internal or industry standards
• ineffectiveness of security technologies (e.g. firewalls, proxy servers, authorization systems, …) to meet business requirements
Vulnerability and Threat Management:
• lack of installation of security updates (patches) / lack of customization of systems;
• lack of security tools at the software development stage;
• absence or poor quality monitoring and correlation of information security events
Disadvantages of Logical Security Controls:
• ineffective logical security controls (e.g. weak passwords, …)
• absence or ineffective elaboration of logical security controls (for example, privilege escalation is not blocked)
• absence or weak controls on the division of access rights, the principle of minimum privileges, abuse of privileges
Data security:
• lack or weak security of unused data (stored, archived, …)
• lack or weak security of the data used (on local machines, mobile devices, during computation, …)
• lack or weak security of transmitted data (via a local network, via the Internet, e-mail, …)
Security of services provided by third parties:
• absence or weak level of security of services provided by outsourcers
• absence or weak level of security of products provided by outsourcers

Personnel – staffing table
The staffing table does not correspond to the list of performed tasks:
• inadequate analysis of personnel adequacy
• staffing does not match the needs of the department

Quality staff and HR trainings
Staff:
• lack of staff skills and competencies
The quality of the training provided:
• Ineffective training / insufficient training
• Training does not correspond to the level of competence of the staff

Human factor
Control not implemented:
• the current control does not correspond in whole or in part to its design
Failure to comply with control requirements:
• instruction from the manual not to carry out / partially not to carry out control procedures
• non-compliance by employees with control procedures (intentional / unintentional)
Unethical behavior of employees:
• the use of process flaws for personal gain (e.g. for the purpose of obtaining a reward)
• Misunderstanding by employees of the consequences of their actions
• Lack / inadequate training of staff
Fraud:
• lack of proper interaction between departments in terms of combating fraud
• deficiencies in CRD regulating the process of combating fraud in a bank
• The anti-fraud CRD is not working / has not been communicated to staff
Incorrect personnel management:
• Incorrect example from the management side
• Inadequate leadership
• Insufficient control by management over subordinates
Lack of staff motivation:
• Correct performance is criticized
• Unreasonable pressure from management
• Insufficient feedback
• Inadequate disciplinary process
• Lack of recognition and rewards for outstanding performance

In assessing the reasons for the observation, the auditor can be guided by the following methods, which make it possible to identify with a high probability the “true” reasons for the observation established by the auditor.
7.1.2.1. Fish-bone Diagram
This type of diagram, also called "cause and effect", is used to identify all possible causes that served as the basis for the identified problem.
Categories of causes include:
Management (governance / risk management)
Human factor (sufficiency of staff / skills)
Method (Procedures / CRD)
By Quantitative determination (KPIs, risk indicators, etc.).
Automation
Data
The result is the following graph
That is, sometimes a combination of reasons may be the cause of the problem identified.
For instance:
A low level of automation and low qualification of personnel, manually generating a control report, entails significant operational errors.
The lack of up-to-date CRD and job descriptions in combination with incorrect decisions of the department's management entails the inability to legally bring them to justice.
7.2. Writing audit recommendations:
7.2.1. SMART principle:
Specific
When writing a recommendation, the auditor should adhere to the principle of "brevity is the sister of talent." It is necessary to present the recommendation with a minimum "set of words", while the main "idea of the recommendation" should be clear to the executor.
Measurable
The recommendation should be written in such a way that later it would be possible to check its implementation, in no case should the recommendations sound like:
Ensure that the requirements are met…
Monitor as required…
These are recommendations "nowhere", in fact they do not cover the risks and tell the person being tested "work as you should work, no more", in this case the value of such a recommendation is insignificant.
Achievable
The recommendation should cover the identified risks as much as possible, the proposed control options should take this into account.
Relevant (comparable, relevant).
The recommendation should fully “cover” the observed observations. If the auditor has clearly identified the problem, then the recommendation is relatively easy to formulate.
Didn't know – teach
No automation – automate
Knew, did not do – retrain / communicate / intentionally did – disciplinary action, escalate to management for action.
No control – regulate control
No KPI – define a KPI
Insufficient staff – transfer function / initiate staff expansion
Unfortunately, all possible combinations of correlation of problems and recommendations are difficult to reflect in the document. The author relies on the adequacy and professionalism of the IAS staff.
If it is difficult for the auditor to determine the recommendation, please contact a colleague / head of directorate / head of the IAS for advice.
Do not be afraid to ask during the period of writing the report, correcting what was written is more difficult than formulating at the stage of writing a draft report.
Time-bound (defined in time)
The term for the implementation of the recommendation should be sufficient to implement the recommendation in full.
For example: it is impossible to give a recommendation to make changes to the "global document" with a period of one month – at least three or more months.
See the matrix on the timing of recommendations depending on the observation rating in section 7.3…
7.2.2. The format for reflecting the recommendation in the audit report
After reflecting the observation with the reasons, the auditor should issue the recommendation using the following template:

Recommendation
Number: 1.2
Rating: Important
Risk: Strategic, Operating
Erroneous management decisions based on incorrect information provided or on the basis of the lack of a complete volume of reporting information.
Include real estate objects of ZPIF "Montferrand" in the reports of the Office for Support of Real Estate Operations, while the Non-Core Assets Service is engaged in the lease of these objects.
Responsible unit: Real Estate Operations Support Department (Koroleva P.V.)
Execution start date: 05/01/2018
Elimination date: 31.07.2018
Comments of the responsible department: Agreed

Recommendation rating – see observation rating section
Number – indicates the number of the section on the audit report and, accordingly, the serial number of the observation, for example, 3.2-1, 3.2-2, etc.
Risk: it is necessary to indicate one of the following risks (possibly two or more, if necessary, in addition, it is necessary to disclose in more detail the text on the risk, for which an additional field is given):
Responsible department – indicate the full name, or an abbreviation generally recognized in the bank (you can add the full name of the performer)
Execution start date – by agreement with the responsible department, the execution start date is determined. Basically, this date coincides with the release date of the report, or the nearest reporting date is indicated.
Sometimes, those responsible will be able to start implementing the recommendation after meeting certain conditions, and the start date for the implementation may be shifted by several months.
Risk type – Definition

Credit risk: the risk of the credit institution incurring losses as a result of non-performance, untimely or incomplete performance by the debtor of financial obligations to the credit institution in accordance with the terms of the agreement. These financial liabilities may include the debtor's obligations under:
• loans received, including interbank loans (deposits, loans), other placed funds, including claims for receipt (return) of debt securities, shares and promissory notes provided under a loan agreement;
• bills discounted by the credit institution;
• bank guarantees for which the funds paid by the credit institution have not been reimbursed by the principal;
• financing transactions against the assignment of a monetary claim (factoring);
• rights (claims) acquired by a credit institution under a transaction (assignment of a claim);
• mortgages acquired by a credit institution in the secondary market;
• transactions of sale (purchase) of financial assets with a deferred payment (delivery of financial assets);
• letters of credit paid by the credit institution (including uncovered letters of credit);
• return of monetary funds (assets) under a transaction for the acquisition of financial assets with the obligation of their re-alienation;
• the requirements of the credit institution (lessor) for financial lease (leasing) operations.

Market risk: The risk of the credit institution incurring losses due to unfavorable changes in the market value of financial instruments in the trading portfolio and derivative financial instruments of the credit institution, as well as foreign exchange rates and (or) precious metals. Market risk includes equity, foreign exchange and interest rate risks.
• Stock risk – the risk of losses due to unfavorable changes in market prices for stock values (securities, including those securing the rights to participate in management) of the trading portfolio and derivative financial instruments under the influence of factors related both to the issuer of stock values and derivative financial instruments, and general fluctuations in market prices for financial instruments.
• Currency risk – the risk of losses due to unfavorable changes in the rates of foreign currencies and (or) precious metals on positions opened by a credit institution in foreign currencies and (or) precious metals.
• Interest rate risk is the risk of financial losses (losses) due to unfavorable changes in interest rates on assets, liabilities and off-balance sheet instruments of a credit institution.

Liquidity risk: the risk of losses due to the inability of the credit institution to ensure the fulfillment of its obligations in full. Liquidity risk arises as a result of an imbalance in financial assets and financial liabilities of a credit institution (including due to untimely fulfillment of financial obligations by one or several counterparties of a credit institution) and (or) the emergence of an unforeseen need for immediate and one-time fulfillment by a credit institution of its financial obligations.

Business risk: this is the probability of losses as a result of a deterioration in business reputation and negative changes in the organizational and managerial sphere of the organization, which may affect the debtor's ability to fulfill its obligations and the likelihood of losses due to the debtor's default on its obligations

Strategic risk: the risk of losses for the credit institution as a result of errors (shortcomings) made when making decisions that determine the strategy for the activity and development of the credit institution (strategic management) and expressed in neglect or insufficient consideration of possible dangers that may threaten the activities of the credit institution, incorrect or insufficiently substantiated determination of promising areas of activity in which a credit institution can achieve an advantage over competitors, the lack or incomplete provision of the necessary resources (financial, material and technical, human) and organizational measures (management decisions) that should ensure the achievement of the strategic goals of the credit institution.

Operational risk: the risk of losses as a result of inconsistency with the nature and scale of the activities of the credit institution and (or) the requirements of the current legislation of the internal procedures and procedures for conducting banking operations and other transactions, their violation by employees of the credit institution and (or) other persons (due to incompetence, unintentional or deliberate actions or inaction), disproportion (inadequacy) of the functional capabilities (characteristics) of information, technological and other systems used by the credit institution and (or) their failures (malfunctions), as well as as a result of external events.

Reputation risk: The risk of losing the business reputation of a credit institution (reputational risk) is the risk of a credit institution incurring losses as a result of a decrease in the number of customers (counterparties) due to the formation in society of a negative perception of the financial stability of the credit institution, the quality of its services or the nature of its activities in general.

Legal / regulatory risk: the risk of the credit institution incurring losses due to:
• non-compliance by the credit institution with the requirements of regulatory legal acts and concluded agreements;
• legal errors made in the implementation of activities (incorrect legal advice or incorrect preparation of documents, including when considering controversial issues in the judicial authorities);
• imperfection of the legal system (inconsistency of legislation, lack of legal norms to regulate certain issues arising in the course of a credit institution's activities);
• violation by counterparties of regulatory legal acts, as well as the terms of concluded contracts.

IT risk: the possibility of negative consequences associated with the emergence of various threats. They are presented in the form of viruses, various methods of stealing information, hacker attacks, various types of special destruction of equipment. Examples of risks:
• Low alignment of IT strategy with business goals;
• Obsolescence of the technological infrastructure and the lack of clear information on the parameters of the functioning and efficiency of IT;
• Low IT efficiency and lack of contribution to the success of the organization;
• Failure to anticipate potential incidents, use of insufficiently effective processes for identifying and assessing risks;
• Insufficient consideration of IT risks and the consequences of their implementation for the business in the decision-making process.

Elimination date – the date agreed with the responsible department is indicated.
Comments of the responsible department – it is mandatory to indicate "agreed", or the full comment of the responsible department.
7.2.3. Observation Assessment:
Based on the results of the audit, the Audit Team identifies control deficiencies that arise when the design of control and/or the effectiveness of its operation does not adequately “cover” the identified risk, and, therefore, the residual risk is not reduced to an acceptable level. The IEA notes this fact as an observation and gives an appropriate assessment.
7.2.3.1. The stage of assessing the effectiveness of control
At this stage, the employee must understand why control is ineffective. There are two criteria that need to be assessed:
Effectiveness of control design;
Effectiveness of control functioning:
Based on the assessment of these criteria, the auditor arrives at one of three assessments in ascending order of materiality.
Control is ineffective or undefined (control objectives are largely not achieved)
Control is partially effective (control objectives are partially achieved)
Control is generally effective (control objectives are largely achieved)
7.2.3.2. Assessment of the level of risk influence
Impact of risk
Low: The risk in this case is minimal or to a greater extent "theoretical". Several tens of thousands / hundreds of thousands of rubles. Or one-time implemented cases of a non-systemic nature.
The average: The risk has the likelihood of being realized or has already been realized, but its "cost" has average indicators (from several tens to several million rubles), it can be of a systemic nature.
Significant: The risk is of a systemic nature, the amount of losses is significant from several million rubles, or the likelihood of regulators' claims is from 25 to 50% and the amount of the order will be from several million rubles to ten million rubles.
High: The risk of revocation of the Bank's license or penalties from regulators amount to tens / hundreds of million rubles.
7.2.3.3. Final assessment of observation
As a result, the auditor, based on the matrix below (see table 1), by comparing the two criteria "control effectiveness" and "risk impact" should come to an understanding of the final assessment of observation (see table 2)

Effectiveness of control / Risk Impact Level: Low; The average; Significant; High
Control is ineffective or undefined: Moderately; Substantially; Critical; Critical
Control is partially effective: Moderately; Important; Substantially; Critical
Control is generally effective: No recommendation given; Moderately; Moderately; Important

Observation rating – Description
Critical: A violation is assigned a rating of "critical" if an insufficient level of control exposes the Company to an extremely high degree of risk and can significantly affect the effectiveness of the internal control system of the processes / divisions / areas of activity that the violation concerns.
Substantially: A violation is assigned a “material” rating if an insufficient level of control exposes the Company to a significant degree of risk and may partially affect the effectiveness of the internal control system of the processes / divisions / areas of activity affected by this violation.
Important: A violation is assigned an “important” rating if an insufficient level of control exposes the Company to a moderate level of risk and may have a limited impact on the effectiveness of the internal control system of the processes / divisions / areas of activity affected by the violation.
Moderately: A violation is assigned a rating of "moderate" if an insufficient level of control exposes the Company to a low degree of risk and has an insignificant effect on the effectiveness of the internal control system of the processes / divisions / areas of activity that the violation concerns; Implementation of recommendations for this violation will increase the effectiveness of processes and controls or ensure that activities are carried out in accordance with best practice.

7.3. The specifics of writing audit reports over the network.
On a periodic basis (at least once a quarter), the Head of the Audit Directorate of the regional network informs colleagues of the updated "template" of the draft audit report, which reflects the most relevant "format for presenting analytical and introductory information by sections" of the audit report. An employee of the Directorate is presented in a convenient form with the structure of the audit report for completion.
Colleagues special attention !!! When using the "audit report template", be careful, all analytical information on
the audited department, the dates and period of the audit, the name of the department must match YOURS !!! verified point of sale.
If operational errors are detected by the verification team, the information will be escalated to the attention of the IAS head. This information will be taken into account during the annual employee assessment.
7.4. Determination of the time frame for the implementation of recommendations and the timing of their prolongation, determination of powers to renew

Activity / Watching Rating: Critical; Substantially; Important; Moderately
Maximum term for implementation of the recommendation**: 6 months*; 9 months; 12 months; 12 months
First prolongation of the recommendation implementation period (maximum period): 6 months; 6 months; 9 months; 12 months
Decision level: Management Board of the Bank; Supervising member of the Management Board; Head M2, M3; Head M2, M3
Second and subsequent prolongation of the deadline for the implementation of the recommendation: 3 months; 6 months; 6 months; 6 months
Decision level: Supervisory Board; Management Board of the Bank; Supervising member of the Management Board; Head M2, M3

* The initial deadline for the implementation of the recommendation with the Critical level is subject to agreement with the Bank's Management Board
** The deadline for the implementation of the recommendation, regardless of the level of severity, is initially set by the Internal Audit Service and agreed with the owner of the recommendation
WORKING PAPERS:
Upon completion of the audit, the Audit Leader should ensure that the structure of the audit working folder is as follows:
In the folder "administrative documents" must be placed the Order and the Notice on verification and other administrative documents (if any).
The folder "preparation" for the audit contains the audit program, regulatory documents obtained at the stage of preparation and other documents.
The "check" folder contains all documents received during the "field work", the completed audit program, as well as checklists and the results of their check.
The following should be placed in the "approval" folder:
SZ saved in electronic form in agreement with all resolutions as agreed.
If the approval took place by mail to Lotus Notes, then all the letters are posted as agreed in electronic form, indicating in the file name, the recommendation number and the coordinator (responsible employee or department).
All versions of the draft audit report are placed in the "Report" folder. The final version of the report sent to the Bank's management is placed in a separate folder.
Also in the folder "Report / Audit evidence" all audit evidence is placed on identified observations. It is necessary to create a separate folder for each observation and place in it a document that is audit evidence, a block diagram, work correspondence, an excerpt from a checklist, etc., an incorrect report, a scan of a document, minutes of meetings, etc.
ESTABLISHMENT OF RECOMMENDATIONS IN THE DATABASE "PRESCRIPTIONS OF THE IAS AND IAS" BASED ON THE RESULTS OF INTERNAL AUDITS OF IAS AND MONITORING THEIR IMPLEMENTATION
9.1. Based on the results of internal audits, all recommendations recorded in the audit reports must be registered in the database "ICS and IAS prescriptions" for subsequent control of their implementation.
To place a recommendation / instruction, go to the database "Regulations of the SVK and SVA":
Press the button "New order":
Next, we start a recommendation / instruction with the following input (example in the screenshot below):
1. "Order" sheet:
Company: PJSC "BANK URALSIB"
Author: Rifat
Executors: Everyone whom the recommendation concerns (both responsible managers and direct executors), while ticking off only responsible leaders!
When making recommendations on the Security Council, it is necessary to add the following security officers to the executors: Mikhail Belokon, Irina Sobolev, and Alexandra Korobkina without ticking them off (responsible). It is not necessary to indicate employees as data controllers (this field is only for IAS).
Control: we indicate ourselves, as well as Lena Zheleznyakov.
Subject: …\SVA
Check name: fill in the check name the same for each order related to one check (for example, through "copy / paste")
Verified period: …
No. of Act clause / Prescription clause: …
Recommendation: Paste from the report
High-level risk: fill in the type of risk (according to the classification in clause 7.2.2: credit, market, liquidity, operational (including legal), reputation) and indicate the observation rating in accordance with the typology below:
Critical; Substantially; Important; Moderately
Low-level risk: detailed risk description from the recommendation table
For instance:
Erroneous management decisions based on incorrect information provided or on the basis of the lack of a complete volume of reporting information.
Risk amount: fill in the amount if there is an estimate
Information about the fact of risk realization: potential risk, realized risk, potential savings
Reason for violation: copying from the report
Violation – Observation is copied from the report.
Mark of partial execution of the order: we add a comment if the recommendation is partially executed during the check
Date: date of establishment of the recommendation
Timeline for Implementation: Agreed timeline for implementation of the recommendation
2. Sheet "Control":
Check out date: date of filling
Executors should not be filled in all, but only the one who is responsible for the order and is marked with a tick on the "Orders" tab, i.e. to whom to write SZ.
It is more convenient to do it through the button "to control everyone" and deleting those who are not checked on the previous sheet.
Timeline for implementation: the agreed timeframe for the implementation of the recommendation
Notifications: 10 days before the due date, as well as the 1st of each month.
9.2. To close the recommendations, it is necessary to "accept" the execution according to the received execution report (by the button at the top of the report), or, if there is no such report, and the materials for closing were received in a different way (for example, sent from the contractor), close using the "executed" button:
It is necessary to make sure that when the order is closed (i.e. after the responsible executor puts executed and/or the controller puts the execution) on the "Control" tab, the executors from "placing on control" moved to "execution" (from the left side to the right):
Files with supporting materials can be attached right there, as a result, after the order is completely closed, the following picture is obtained.
9.3. Open recommendations are monitored on a monthly basis, incl. overdue. To do this, use the unloading of the report "UCS orders – Execution of UCS orders (extended) 4.1" from the "Reports 4.3" database.
When generating a report, it is necessary to indicate the author (Oleg), the dates of the order and the due date (we choose a wide range of dates to cover everything). The report is uploaded to Ms Excel format. It is advisable to sort the resulting table by order number, and then add a calculation column to filter out "duplicates" (=IF(B2=B3;1;0)):
Note:
In the unloading, the "Executor" field is taken from the "Order" tab (and duplicated for each), and the "Responsible executor" – from the "Control" tab. That is, for execution control, only the "Responsible executor" field is interesting, in which only those who have not yet executed the order remain.
Conclusion
Differentareasofbankingareassociatedwithdifferentrisks.Itisalmostim-
possible to completely get rid of risky operations. Therefore, it is important toidentifyrisksintimeandorganizeinternalcontrolsothattheyarereducedtoasatisfactorylevel.Internalcontrolisthemaintoolfortransferringallriskstotheresiduallevel.Andtheinternalcontrolserviceisthebodythatisresponsibleforeffectiveriskmanagement.
Themonograph“Organizationofaneffectivesystemof internalcontrol inthebankingsector”revealstheessenceoftheconceptofinternalcontrolofacom-mercialbankfromthepointofviewofRussianlegislationandworldbankingprac-tice.Theauthorprovidesaclassificationofformsofinternalcontrolandshowstherelationshipbetweenexistingcontrolproceduresandbankingrisks:avarietyofinternalcontrolproceduresallowsyoutoexpandtheareaofbankingriskmanage-ment.
Thefirstchapteroftheworkanalyzestheroleandplaceoftheinternalcon-trolserviceintheinternalcontrolsystemofthebankingeneral,inthemanage-mentofbankingrisks,inparticular.Forminganeffectiveinternalcontrolserviceisthekeytominimizingbankingrisks.TheInternalControlServicecarriesoutanindependentassessmentofbankingbusinessprocesses,possiblerisksassociatedwiththeirimplementation,whichisespeciallyimportantinthecontextoftheon-goingglobalfinancialcrisis.Inpractice,themainfunctionoftheinternalcontrolserviceasabodyinthebank'sinternalcontrolsystemistomonitortheavailabilityandqualityofcontrol(anti-crisis)mechanisms,thetimelyandprofessionalcom-petent use ofwhich by other departments, services andmanagers of the bankshouldminimizetherisksofitsactivities.Deficienciesintheorganizationofinter-nalcontrolleadtothefactthatthebankceasestobestable,goesintothecategoryofproblembanks,which,inturn,reducestheattractivenessofthecreditinstitu-tionintheeyesofpotentialclientsandinvestors.
The paper discusses the main ways of carrying out checks. Attention is paid to financial audit as a key method of internal audit. The result of the financial audit should be the recommendations of the internal auditor to improve the current internal control system. Also, the internal auditor must generate a report, which indicates the errors identified as a result of the audit and how to solve them.
The author assesses compliance control as an integral part of the internal control system in credit institutions. Ensuring compliance control is a prerequisite for minimizing the reputation and image risks of a credit institution. In turn, a bank's reputation is an intangible asset that increases the value of a credit institution. The paper provides two practical examples when compliance control allows you to avoid additional costs of a credit institution, and, therefore, increases the efficiency of its activities.
The paper shows the versatility of operational control as a category: operational control can be considered both as an integral part of financial audit and as an independent procedure that directly evaluates the quality of the internal control system in a credit institution. Three approaches to assessing the quality of the internal control system in credit institutions have been identified: the COSO concept, the SAC concept proposed by the Institute of Internal Auditors, and the COBIT model recommended by the Information Systems Audit and Control Association. According to the author, the internal control system is effective only if the goals of building the internal control system are achieved. Consequently, one can speak of the organizational effectiveness of the internal control service only if the role of the internal control, internal audit and risk service in banking risk management becomes obvious.
An effective internal control service is, first of all, an independent subdivision of a credit institution, which:
– has an idea of the actual organization of business processes taking place in the bank;
– assesses the availability of control procedures within each business process;
– analyzes the possible risks inherent in each business process in a credit institution;
– conducts regular inspections of the most risky processes in order to formulate reasonable conclusions about the effectiveness of the internal control system;
– generates a report for the Board of Directors, which presents the identified shortcomings of the current internal control system, offers recommendations and measures to improve the efficiency of the internal control system, and, therefore, measures to minimize possible risks of the credit institution.
In the third chapter of the work, the practical aspects of organizing the internal control system in banks are considered: a comparative characteristic is given for two hypothetical banks.
The paper considers possible options for organizing an internal control service in a bank, emphasizing the need to ensure the independence of internal audit. The role of internal control in the management of banking risks is to subsequently monitor the effectiveness of the current control system and risk mitigation mechanisms. The internal auditor should not be directly involved in organizing the internal control system, as this may threaten his independence. To achieve the above, the author has proposed a possible sequence for creating an internal control service.
In conclusion, we note that the state of modern regulatory documents is an obstacle to understanding the role and functions of the internal control system in credit institutions. The current regulatory documents do not highlight the place and role of audit committees in the system of internal control bodies; requirements for an external assessment of the quality of work of departments carrying out internal control and internal audit; the results of such an assessment, etc. Thus, the issue of developing a methodology for assessing the internal control system at the legislative level is one of the priorities.