Ryabov O.V. Organising Issues of Operative System of Internal Control in Banking Sector Monograph ISBN 978-5-4480-0344-8 St. Petersburg 2021 ukonf.com/mon 9 785448 003448



Ryabov O.V. Organising Issues of Operative System of Internal Control in Banking Sector: Monograph. Ministry of Education and Science, North-West Institute of Management, branch of RANEPA. St. Petersburg: Consulting company Ucom, 2021. 114 p.

ISBN 978-5-4480-0344-8

https://ukonf.com/doc/mon.2021.04.02.pdf

Reviewers: Aleksey Shipitsyn, Candidate of Economic Sciences, Project management Llc., St. Petersburg

The Author: Oleg Ryabov, Candidate of Economic Sciences, associate Professor, North-West Institute of Management, branch of RANEPA, St. Petersburg

The information about published Monograph is given to the RISQ system (contract № 856-08/2013K).

Monograph. Format 60×84/16. Printed sides 7,13. Consulting company Ucom, 392000, Tambov, PO box 44. Circulation 500 pcs.

© 2021, Ryabov O.V.

CONTENTS

Introduction

Chapter 1. Theoretical basis of internal audit

1.1. The essence of internal audit: concept, goals, objectives and rights

1.2. The role of internal audit in the management system of an economic entity

1.3. The place of internal audit in the organization's management system and its importance

Chapter 2. Basics of organizing the functioning of the internal control system in credit institutions

2.1. Financial audit and compliance control as methods of internal control

2.2. The main methods for assessing the quality of the internal control system

Chapter 3. Organization of the internal control system and the importance of ICS

3.1. Organization of the internal control system on the example of Russian banks

3.2. Recommendations for building an internal control service in credit institutions

3.3. Methodological approaches to the formation of the auditor's report

Conclusion

List of references

Introduction

The banking sector is considered unique among other sectors of the economy, as it is a supplier of financial resources and a manager of settlements between business entities. Improving the quality of management of a credit institution is a prerequisite for increasing the competitiveness of the bank, which guarantees the successful development of the banking business in the long term. The results of the internal auditors have become more visible to the management of commercial banks, as the quality of the internal audit staff, internal control and risk service life was EC – use of supervisory authorities to assess the control environment and the decision on the amount of contributions to the deposit insurance system.

One of the most effective tools for identifying opportunities for improving the efficiency of activities, the quality of bank management, and, therefore, one of the competitive advantages of a credit institution can be an effective internal control system. The value of such a system is due to the following.

Firstly, the activities of financial institutions are primarily associated with the ability to attract funds from customers, which places higher demands on the stability, reliability and safety of credit institutions. Secondly, the activities of financial institutions are predominantly intangible in nature. The main component of their activities is the identification, assessment and management of events that may have an impact on their activities. That is, financial institutions help clients achieve their goals by using available opportunities or by reducing the impact of negative factors. At the same time, the key to the effective activity of a credit institution is a constant change in the existing set of services provided¹. Thirdly, given that the activities of financial institutions affect the financial stability and stability of their clients and counterparties, the state pays increased attention to the control and supervision of this area. As a result, special attention is paid to the creation of an internal control system that will adequately assess and manage risks. Regulation of the activities of financial organizations is expressed in the development of requirements that are mandatory for application in current activities.

1 Malykhin D., Tikhomirov A. Features of the functioning of internal control and audit in banks. // http://www.iia-ru.ru/publication

The monograph analyzes the role of the internal control service and the internal audit service in the management of banking risks by assessing the system of organizing internal control in the bank.

The relevance of the topic is due to a significant increase in the importance of the internal control function in banks in the context of the ongoing global financial crisis. The practical significance of the monograph lies in recommendations for improving the efficiency of internal audit and internal control services in credit institutions.

The object of the research is the internal control service and the internal audit service.

The subject of the research is the process of internal control in a bank as a tool that ensures the effectiveness of the bank's control in managing bank risks.

The theoretical basis of the monograph was the work of such researchers as R. Adams, A. Daley, B. Stanmeier, Hahn D., Cochran C., Brown L.M., Russell J.P., Spencer Pickett K.H., Kiran D.R., Reichmann Th., Utkin E.A., Beloglazova G.N., Kroliveskaya L.P., Sukhanov M.S., Zemskov V.V., Zadorozhnaya K.A., Pashkov R.V., Yudenkov Yu.N., Lotobaeva G.G., Tavasiev A.M., Tarasov I.T. and others.

The main purpose of the monograph is to identify the role of the internal control service and the internal audit service in the management of banking risks.

In accordance with the set goal, the following tasks are solved in the monograph:

– to reveal the essence of the concept of internal control of a commercial bank;
– analyze the existing regulatory framework for organizing the internal control of the bank;
– define the role and functions of the internal control service and the internal audit service in the bank's internal control system;
– evaluate options for organizing and forming internal control and audit services of the bank;
– give practical advice on the specifics of conducting internal audits;
– explain the subtleties of writing an audit report by an internal auditor of a commercial bank using specific examples.

Chapter 1. Theoretical basis of internal audit

1.1. The essence of internal audit: concept, goals, objectives and rights

Internal audit is understood as a control system organized by an economic entity, acting in the interests of its management and (or) owners, regulated by internal documents, over the observance of the accounting procedure and the reliability of the internal control system.

Internal audit is an activity regulated by the internal documents of the organization to control the levels of management and various aspects of the functioning of the organization, carried out by representatives of a special control body in the framework of assistance to the management bodies of the organization in establishing the legality of business operations carried out by employees and their economic feasibility for the enterprise, in compliance with the established procedure for maintaining accounting. Internal audit is the activity of providing independent and objective guarantees and advice aimed at improving the economic activities of an organization. It helps an organization achieve its goals by using a systematic and consistent approach to assess and improve the effectiveness of risk management, control and corporate governance systems. It is worth noting that the organization, goals, role and functions of internal audit are determined by the management and (or) the owner of the economic entity, depending on the organizational and legal form and the existing management system, the content and specifics of activities, the volume of financial and economic activities and the state of internal control².

The objectives of the organization of the internal control system at the enterprise are: implementation of orderly and efficient activities of the enterprise, including profitability and protection from losses; ensuring compliance with the management policy of each employee of the enterprise; ensuring the safety of property; maintaining good relationships with regulatory authorities.

Since external and internal control are interdependent components of a unified control system, in the development of tasks facing internal auditors, as well as in the performance of functions, it is necessary to take into account the important role of the accompanying audit, detailed in the Federal Law No. 119-FZ "On Auditing Activity" services, which will allow more specifically, with legislative justification, to assess the possibility of implementing such internal audit services, which should be understood as: accounting and tax consulting; analysis of the financial and economic activities of the organization, economic and financial consulting; management consulting, including those related to organization restructuring; legal advice, as well as representation in court and tax authorities on tax and customs disputes; accounting automation and implementation of information technologies; appraisal of property value, appraisal of enterprises as property complexes, as well as entrepreneurial risks; development and analysis of investment projects, drawing up business plans; marketing research; provision of other services related to audit activities.

To achieve the above goals of organizing the internal control system, it is necessary to solve the following tasks: periodic control over the financial and economic activities of the parent organization and its branches; analysis of economic and financial activities and assessment of economic and investment projects, economic security of accounting systems and internal control of the parent organization and its branches. The solution to this problem makes it possible to increase the efficiency of the activities of individual separate divisions and the entire organization as a whole, which will make it possible to fully fulfill the main goal set for the internal audit service; seminars, professional development and training of personnel, assistance to the HR department in the selection and testing of accounting personnel of the parent organization and its branches; to ensure that the computer programs that control the functioning of the accounting system, including the formation of primary documents, their analysis and posting to accounts, cannot be falsified; enterprise funds should not be misappropriated or ineffectively used; internal reporting should be promptly transferred to persons authorized to make management decisions for its optimal use; scientific development, publication of methodological manuals and recommendations on accounting, taxation, analysis of financial and economic activities, audit, business law, and information services for the head organization and its branches; advising on financial, tax, banking and other economic legislation, investment activities, management, marketing, tax optimization, registration, reorganization and liquidation of enterprises. An accountant in charge of day-to-day work may need professional help in unusual or rare economic situations, as well as in case of significant changes in legislation. Interaction with external auditors, representatives of tax authorities and other regulatory authorities.

2 Itkin Yu.M. Problems of the formation of audit. M.: Finance and statistics, 2016, P.13.

To solve problems, the internal audit service is endowed with certain rights: checking accounting registers and primary documents, the availability of money, valuables and securities at the cash desk, researching estimates, plans and other documents of financial and economic activities; acquaintance with orders, orders of the head, decisions of meetings of founders, shareholders, board and officials, already concluded and draft (non-concluded) contracts with organizations and other documents; inspection of construction sites, territories, warehouses, workshops and other production, utility and office premises, storage areas for finished products, equipment, etc.; checking the availability, condition and safety of property, inventory items from materially responsible persons; the requirement for a full or partial inventory of the property and obligations of the organization or inventory directly by the auditor with the participation of employees of the organization involved in this, if necessary, sealing of safes, cash registers, warehouses, storerooms, archives and other places of storage of funds; monitoring the correctness of the reflection of business transactions in accounting, checking the correctness of the calculation of taxes, fees and payments, as well as the timeliness of their payment to the budget and off-budget funds; verification of the reliability of the indicators of accounting and statistical reporting, the correctness of the compilation of calculations for taxes and mandatory payments; the right to receive from the heads of structural divisions, specialists of the organization necessary for the audit of documents, certificates, calculations, certified copies of documents for their attachment to the act or opinion, oral and written explanations on issues arising during the audit; examination of the effectiveness of the segment management system and analysis of production and economic activities, financial condition, solvency and liquidation of the organization; preparation of the organization for external audit and tax control; representation of the organization's property interests in economic disputes in court and in an arbitration court; evaluation of the software used by the economic entity; special investigations of individual cases, for example, suspicions of abuse; development and presentation of proposals to eliminate the identified deficiencies and recommendations to improve the efficiency of management³.

The responsibility of the internal audit service is determined by three main points: the validity and timeliness of submission of opinions on the state of accounting and reporting, the compliance of constituent documents, internal regulations with the current legislation and the legal status of the organization, as well as conclusions on the achieved level and efficiency factors of production, economic and financial activities; the validity of the submitted proposals for improving the organization of the control system, accounting, financial responsibility of officials, programs for the development of activities, projects for optimizing production costs, taxable bases, distribution of profits, creation and use of funds and other issues; the correctness of the consultations provided to the founders, heads of departments, specialists and employees of the management apparatus on the organization of production, the management system, accounting, methods of analyzing economic and financial activities, legal and other issues. The objectivity of internal audit is ensured by the degree of its independence in the management structure of an economic entity. This requirement for internal audit is ensured by the fact that he obeys and is obliged to submit reports only to the management who appointed him and (or) the owners and is independent of the heads of the audited branches of the economic entity, structural divisions, internal control bodies, etc.

1.2. The role of internal audit in the management system of an economic entity

The process of managing an economic entity and a properly organized system of internal control cannot be separated from each other without violating the harmony and efficiency of the entire management system, then, as a result, there is a need not for the occasional use of an independent external audit, but for a permanent and effective structure, which is part of the internal control system as an integral part of it⁴.

3 Burtsev V.V. Organization of the internal control system of a commercial organization. M.: "Exam", 2020, p.109

4 Dodge R. A Brief Guide to Auditing Standards and Norms: Per. from English; foreword by S.A. Stukov. (Audit: theory and practice). M.: Finance and statistics; UNITY, 2017, p.89

It is known that even at the stage of acquaintance with the nature and characteristics of the financial and economic activity of an economic entity, the auditor must assess the quality of the accounting systems and internal control of this entity. However, it should be remembered that the value for an economic entity of any information, including that obtained as a result of an audit, is the higher, the lower the cost of obtaining it. At the same time, a necessary condition for the effectiveness of the internal control system is the availability of an independent organizational structure for an economic entity – an internal audit service.

In the official Russian regulations in the field of auditing, internal audit is understood as "…organized by an economic entity, acting in the interests of its management and (or) owners, a system of control over compliance with the established accounting procedure and the reliability of the internal control system regulated by internal documents" or "…one of the ways to control the efficiency of the links in the structure of an economic entity."⁵

In the economic literature, the concept of internal audit is interpreted in different ways by both domestic and foreign authors.

So, for example, Bychkova S.M. believes that "internal audit is an element of the internal control system, organized by the management of the enterprise in order to analyze accounting and other control data".⁶

According to V.V. Burtsev, "internal audit is an activity regulated by the internal documents of an organization to control the levels of management and various aspects of the functioning of an organization, carried out by representatives of a special control body within the framework of assistance to the management bodies of the organization…"⁷

From the point of view of A.M. Bogomolov and Goloshchapova N.A., "internal audit (internal, internal) is an integral part of a general audit organized at an economic entity in the interests of its owners and regulated by its internal documents to comply with the established procedure for accounting, protection of property and the reliability of the internal control system"⁸.

5 International Standards on Auditing and the Code of Ethics for Professional Accountants (1999). M.: MTsRSBU, 2018 P.218.

6 International Standards on Auditing and the Code of Ethics for Professional Accountants (1999). M.: MTsRSBU, 2018, P. 21

7 Bogomolov A.M., Goloshchapov N.A. Internal audit. Organization and methodology. M.: "Exam", 2014, P.212

The famous English scientist R. Dodge, who presented one of the first works related to international audit in Russia, gives his understanding of internal audit. "Internal audit is an integral part of internal control; carried out by the decision of the management bodies of the company for the purposes of control and analysis of economic activity"⁹.

According to the famous American scientists E.A. Arens and Lobbek J.K., internal audit is an internal audit that provides the administration with "valuable information for making decisions regarding the effective functioning of their business".¹⁰

From the above definitions describing the concept of internal audit, it follows that it still has significant differences from external audit, which can be identified as: limited independence; ensuring regular control over the financial and economic activities of an economic entity; regular provision of information for the purpose of making and adjusting previously adopted management decisions.

Before defining the place of internal audit in the process of managing an economic entity, and in particular in the internal control system, let us consider the main characteristic features of this system.

According to the provisions existing in both Russian and international practice, the internal control system consists of three main elements: a properly organized accounting system; control environment; separate controls.

Thus, the modern system of internal control of an economic entity is a certain policy and procedures (controls) adopted by the management system of this entity to achieve the goals of the management process, providing for the degree of feasibility of the orderly and efficient conduct of the financial and economic activities of this entity, including strict adherence to the management policy, ensuring the safety of property, detecting and preventing distortions arising from both unintentional actions and abuse, the relative accuracy and completeness of accounting (financial) information¹¹.

8 Bogomolov A.M., Goloshchapov N.A. Internal audit. Organization and methodology. M.: "Exam", 2014, P.6.

9 Danilevsky Yu.A., Shapiguzov S.M., Remizov N.A., Starovoitova E.V. Audit. M.: ID FBK-PRESS, 2018, P.87.

10 Federal Law of Russia. "On Auditing" No. 119-FZ, P14

11 Kamyshanov P.I. A practical guide to auditing. M.: INFRA-M, 2018, P.49.

Analysis of the above definitions of internal audit, as well as the main elements of the internal control system, allows us to define internal audit as an effective, multifunctional (integrated) control tool organized by the management of an economic entity, designed to ensure the effectiveness of the entire internal control system and optimization of management decisions.

Before determining the feasibility of organizing internal audit within any economic entity, it is necessary to understand its main goal, on the achievement of which the effectiveness of its functioning depends.

Since internal audit is a constituent element of the internal control system, its strategic focus should be, first of all, adequate to the target settings of this system.

If we proceed from this statement, then it is necessary to take into account the fact that the purpose of the internal control system is to ensure the management process of an economic entity with various, properly processed and analyzed both internal and external information flows necessary to achieve the strategic goals of the functioning of an economic entity.

For this reason, the goal of internal audit at the present stage of development of economic relations can be defined as multifunctional assistance to the management system of an economic entity in the implementation of the effective functioning of the internal control system and, as a consequence, optimization of the management decisions taken.

At the present stage, the target setting of internal audit has shifted from control-confirming to control-regulating, which, in turn, radically changed the nature and scope of the tasks it solves, which can be formulated as follows:

– regular control over the financial and economic activities of an economic entity and its branches;
– control of the timeliness and completeness of the reflection of financial and economic transactions in accounting;
– control over the safety of the property of an economic entity and its branches;
– control over settlement and payment discipline;
– control over compliance with legislation and other regulatory legal acts;
– control over the timeliness of settlements with the budget of different levels and off-budget funds;
– identification or prevention and control over the correction of distortions in accounting information due to unintentional errors and abuse;
– checking the accounting of production costs, completeness and correctness of the reflection of proceeds from the sale of products, works (services), as well as the formation of financial results of an economic entity and its branches;
– assessment of the degree of efficiency of accounting and internal control systems of an economic entity and its branches;
– control over compliance with the policy of an economic entity and ensuring the effectiveness of its financial and economic activities;
– analysis of the financial and economic activities of an economic entity and its branches;
– assessment of economic security;
– evaluation of investment and other economic projects;
– identification and mobilization of available reserves of limited resources;
– advising the personnel of an economic entity and its branches on all aspects falling within the competence of internal audit;
– scientific developments and preparation of methodological recommendations and manuals on accounting and other areas within its competence;
– computerization of accounting, preparation and formation of accounting (financial) statements, calculations for taxation, financial and economic analysis and other areas within the competence of the internal audit of an economic entity;
– control over the execution of decisions to eliminate identified distortions and other shortcomings;
– assessment of the degree of reliability of the information provided to the control system;
– organization of official investigations into various emergencies and circumstances;
– interaction, if necessary, with external auditors, representatives of tax and other regulatory authorities.

The given, although not claiming to be complete, list of tasks facing the internal audit may vary depending on the emerging need in the management process. At the same time, its diversity confirms the multifunctional capabilities of internal audit. Moreover, all these tasks can be combined into a generalized concept. In other words, the task of internal audit at the present stage of its development is to provide the process of managing an economic entity with sufficient and appropriate control and regulatory information that allows making the most effective management decisions, as well as promptly and timely adjustments to previously made decisions.

In this case, sufficiency should be understood as the completeness of information flows, and by relevance – their reliability.

Since the goal and objectives of any activity mainly characterize only its main focus, then for a deeper understanding of the essence of this activity, it is important to determine the fundamental principles on which it is based.

For this reason, the next, no less important aspect that determines the conditions for the functioning of internal audit is the setting and characteristics of those principles that predetermine its feature and the requirements imposed on it by the management system of an economic entity.

In the official Russian legislative and regulatory acts in the field of audit, internal audit is regulated only in the Rules (standards) of auditing activities and, at the same time, only for the purpose of the external auditor's assessment of the internal control system of an economic entity.

The theoretical studies of scientists and the practical experience of auditors from countries with developed market economies in the development and application of fundamental principles of audit define them as ethical rules, norms or principles, the observance of which makes it possible to increase the degree of confidence in the results of audit activities of interested users.

These principles include: independence, honesty, objectivity, confidentiality, professional competence, professional behavior.

Any auditor, including an internal one, must respect the priority of the interests of the socio-economic system that he serves and maintain a high reputation for his profession. At the same time, his responsibility: for an imprudent, within reasonable limits, assessment of the amount of work required to achieve the goals set for him; for a subjective assessment of the complexity, materiality or significance of certain aspects in relation to which he forms his conclusions; for assessing the adequacy and effectiveness of risk management, as well as accounting and internal control systems; for the likelihood of significant errors; for the costs incurred for the provided audited information for the management system of an economic entity, exceeding the possible economic benefits from management decisions that are not formed on its basis, – should be adequate to the possible consequences within its competence.

In addition, the internal auditor is obliged at all stages of his activity, solving certain tasks assigned to him, to proceed from a well-known position of professional skepticism, realizing that there is a possibility that all information received by him from various sources may carry a certain level of unreliability…

Despite the fact that adherence to the principles discussed above increases the degree of confidence in internal audit, however, the lack of the development of certain rules governing the procedure for their practical application makes it possible to judge them only as high ethical intentions declared by general moral norms.

1.3. The place of internal audit in the organization's management system and its importance

The emerging market relations, first of all, represent economic freedom. The freedom of one economic entity is accompanied at the same time by the freedom of other economic entities that have the opportunity to buy or not buy its products, offer their prices for it, dictate their terms of transactions. At the same time, all market participants entering into economic relations strive, first of all, for their own benefit, for the profit of their company, which can objectively become a loss for others, because any business entity seeks to surpass its opponent, attract more demand for its products, thus pushing its competitor out of the market; these are the laws of competition. From the above, an important rule of entrepreneurial behavior follows: not to avoid risk, but to anticipate it, trying to reduce it to the lowest possible level. This requires constant, effective and timely control over the activities of employees and the firm as a whole through a properly set economic and legal work, accounting and reporting, etc.

Control is the process of determining the quality and adjusting the work performed by subordinates in order to ensure the tasks facing the enterprise. Its purpose is to identify weaknesses and erroneous decisions, correct them in a timely manner and prevent repetition. All materials, people of action are controlled. Monitoring allows you to determine the effectiveness and take the necessary measures to ensure the fulfillment of the task. Know clearly who in the enterprise is personally responsible for deviating from targets and taking corrective action. Control of activities is carried out by people. To know who is responsible for the safety of material and financial resources, their storage, leave, accounting and inventory, preparation of primary documents, deviations from assignments and corrective actions, there must be complete clarity regarding the distribution of responsibility throughout the organization. An essential precondition for effective control is the existence of an organizational structure, which is objectively due to the creation of an internal audit service in the management apparatus. The tasks of internal audit include the creation of an internal control system necessary for the implementation of the competence, rights and responsibilities of management bodies and officials, as well as a clear system of economic responsibility of officials and specialists of the enterprise.

Internal audit is an important management function that covers accounting, financial analysis and control, comparison and assessment of the actual results achieved with the goals and objectives of the enterprise. Internal audit systematically monitors the activities of all management objects, identifies the reasons for deviations from standards, deviations from the goals set for a specific object, which contributes to the prompt elimination of identified violations. Organization of internal audit as a function of enterprise management implies strict regulation of its activities, determination of the rights, duties and responsibilities of specialists, qualification requirements, relationships with departments and personnel of the enterprise. The work of the internal audit service at the enterprise is organized in accordance with individual and calendar work plans, which are approved by the head of the enterprise. At the end of any type of work, the internal auditor submits a report to the head of the enterprise that allows him to draw the head's attention to the identified or possible violations. The work is considered completed when the issues raised in the reports of internal auditors are considered by the head of the enterprise and when an official order has been issued on the acceptance (rejection) of the recommendations of the auditors.

Organization of the risk management system as a subsystem of internal control

The most famous school in the theory of financial risk and risk management since 1955 is the American school. Among its modern representatives are D. Galai, H. Groening, A. Damodaran, F. Jorion, J. Kalman, M. Crui, M. McCarthy, R. Mark, T. Flynn and a number of other famous scientists.

H. Grüning made a significant contribution to the study of banking risks, corporate and financial risk management.

A.Damodaranisaspecialistinfinance,anemployeeoftheSternSchoolofBusinessattheUniversityofNewYork(specialistincorporatefinanceandcapitalvaluation).His areas of interest are capital valuation, portfolio capitalmanage-ment,corporatefinanceandstrategicriskmanagement.In1994,BusinessWeekmagazine named him one of the top twelve professors to teach inUS businessschools.HisworkshavebeenpublishedintheJournalofFinancialandQuantitativeAnalysis,JournalofFinance,JournalofFinancialEconomics,ReviewofFinancialStudies.Hisworksaredevotedtoissuesofcapitalvaluation(DamodaranonValu-

17

ation,InvestmentValuationandDarkSideofValuation),aswellascorporatefi-nanceissues(CorporateFinance:TheoryandPractice,AppliedCorporateFinance:AUser'sManual).ThelatestbookbyA.Damodaranisdevotedtotheprinciplesandmethods of strategic risk management: it combines various areas of riskknowledge:theeconomic justificationof itsbehavioralaspects, financialassess-ment,riskmanagementitself,andforthefirsttimeprovidesitscompletepicture;showshowtobuildanorganizationallinkbetweenriskmanagementfunctionsinacompany:strategy,financeandcurrentactivities,sothatthetoolsandresultsofassessmentaredeterminedbythedecision-makingprocess,andnotviceversa;usingpracticalexamples,hearguesthepositiveeffectofrisk,itsusetoincreasethecompany'sprofit.Experienceshowsthatevaluatinginnovativeprojectscausesdifficultiesforcompanies,sincetheircashflowsaredifficulttopredict.Theuseofthemethodofrealoptions,clearlystatedbytheauthor,allowsyoutosolvethisproblem;topmanagerswhomakedecisionsrelatedtorisksanduncertaintieswillbeabletoreasonablychooseanyofthemoderntoolsforassessingrisk:risk-dis-countadjustedrates,options.12Analysisofstudiesofforeignscientificschoolsofriskmanagement,simulationmodeling,scenarioanalysis,VARmethodsandrealoptions.Thisstudywillhelpmanagerstakeadvantageofthepositivecomponentof risksanddevelopaneffectivesystemformanaging themusingvaluepricingmodels.Successfulmanagementisdistinguishedpreciselybytheabilitytoidentifyrisksandmaintainanoptimalbalancebetweenhedgingthem,sharetheresponsi-bilityofriskmanagementwithinvestorsandusethemtoincreasecashflows,and,consequently,thevalueoftheircompanies.Expertsandanalystsseetherelation-shipofriskassessmentstotheholisticpictureofacompany'sriskmanagement.

12 Arens A., Lobbek J. Audit / Ch. series editor prof. Ya.V. Sokolov. (Series on accounting and auditing). M.: Finance and Statistics, 2017

Dr. J. Kalman is a renowned specialist in risk management, risk control, financing risk and financial management. Dr. J. Kalman is the owner of Kallman Consulting Services (KCS), which provides practical applications for enterprise risk management. By the opening of KCS, J. Kalman was Executive Vice President of the National Alliance responsible for the certification of risk managers for the international program of the Academy for Risk and Insurance Research. His research focuses on risk management and loss control of project solutions. Dr. J. Kalman serves on various committees for the American Risk and Insurance Association and the Western Risk and Insurance Association.13

Many books on risk management have been published in the West. The book by M. Crui, D. Galai and R. Mark, "Fundamentals of Risk Management",14 is one of the best, accessible not only to risk managers but also to a wider audience interested in understanding modern risk management. Attention is paid not to models (which presupposes a certain level of mathematical training), but to the essential and practical aspects of risk management. Therefore, in particular, it is intended both for creative-minded top managers and for colleagues of risk managers whose activities are faced with risk management issues, for example, internal auditors. The book is a completely original work, for which it is difficult to find an analogue in the literature on this topic. This is by no means a monograph or a comprehensive textbook on risk management. The authors of the book are renowned experts in the development of the theory of risk management, occupying leading positions in well-known international financial organizations. The book covers a fairly wide range of issues: risk classification, risk assessment methods (for example, VaR, RAROC, etc.) and modern risk management tools. The authors are quite critical regarding the practice of risk management, its regulation, and the level of understanding and application of the relevant models at the present stage. This criticism is very useful for all participants in the risk management process, since it contributes to a more accurate and careful application of modern technologies and to a change in the principles of risk management and their regulation. It is no coincidence that this book was chosen by the Professional Risk Manager's International Association (PRMIA) as the main guide for preparing for the entry-level certification exam – Associate Professional Risk Manager (APRM).

Research carried out by KPMG top managers M. McCarthy and T. Flynn15 highlights how today's leading corporate leaders manage risks and control their impact on the corporation; reveals the internal sources of the most threatening corporate risks and methods of neutralizing their impact, ways of managing risks that do not interfere with the implementation of current projects, and the relationship between the areas of corporate governance and risk management and the increase in the value of the company; and analyzes the actions of today's corporate leaders to recognize, assess and neutralize risk. There are also many examples from corporate governance practice and exclusive interviews with a number of leading top managers of our time – the leaders of Microsoft, Hewlett-Packard, Sprint, Motorola and others belonging to the Fortune 500 list. That is, this is a study on optimization and risk management, which gives: proven methods of prevention, response and effective reduction of operational, business and financial risks; strategies to help the company become an adaptive organization – an organization that perceives risk as an opportunity rather than a burden; programs thanks to which it is possible to make risk management the responsibility of almost every employee and to introduce the most important concepts of risk management at all levels of management.

13 Bogomolov A.M., Goloshchapov N.A. Internal audit. Organization and methodology. M.: "Exam", 2014

14 Burtsev V.V. Organization of the internal control system of a commercial organization. M.: "Exam", 2020

15 Bychkova S.M. Auditing activity. Theory and practice. (Series "Textbooks for universities. Special literature"). SPb.: Publishing house "Lan", 2021

F. Jorion, in his third edition of this international bestseller, addresses the fundamental changes in risk management that have taken place around the world in recent years. F. Jorion provides the latest information needed to understand and implement VARs and manage financial risk. F. Jorion refers to the calculation of VAR and the use of models to predict risk and correlations: he describes the use of VAR for risk control for trading, investment management, as well as for corporate risk management, and also points out the key mistakes of risk management.

In a study by S. Borodina, A. Shvyrkov, with the participation of J. Bui, the state of corporate governance in the largest countries – Russia, Brazil, India, China and South Africa – was assessed in terms of market infrastructure, ownership structure, legal and regulatory infrastructure, information transparency.16 The authors present a methodology for analyzing corporate practices in such aspects as transparency of ownership and control structure, attitude towards shareholders, information disclosure, efficiency of the board of directors and risk management. Corporate governance mistakes can be very costly. For example, the recent financial crisis, the collapse of Enron and other corporate scandals early in the last decade, or the 1997 Asian financial crisis. All of them have the same prerequisites: poor quality of corporate governance. Companies used false business models, could not understand the consequences of off-balance sheet transactions or high-risk borrowing policies, and had significant foreign exchange risks. The result for many companies was the collapse, which turned into significant financial losses for shareholders and employees, humiliation and dishonor for the management. Investments in the BRICS countries. It is sometimes difficult to understand what effective corporate governance provides at the level of day-to-day activities. In developed markets, where companies adhere to similar standards, there are not always visible differences in the cost of capital. But in emerging markets, where standards may differ significantly, these differences become more pronounced. Companies that demonstrate their adherence to corporate governance standards are generally rated significantly higher by the market than other companies. As a result, they take advantage of the lower cost of raising capital, that is, they increase their competitiveness. The idea of the study is to highlight the importance of good corporate governance for companies in the BRICS countries. Effective corporate governance certainly requires a lot of effort, especially in times of economic and financial uncertainty, capital flows are directed to those countries that are ready to accept these efforts, and good corporate governance can improve the situation.

16 Danilevsky Yu.A. General audit, audit of stock exchanges, off-budget funds and investment institutions. M.: Accounting, 2018

A great contribution to the development of the theory and practice of risk management was made by English economists – representatives of the English school of risk management T. Andersen, T. Bedford, A. Griffin, A. Zaman, R. Cook, P. Sweeting, P. Hopkin, the German P. Schroeder and others.17

T. Andersen and P. Schroeder believe that today, when corporate scandals and major financial failures occur, the relevance of effective risk management is increasing. Lack or mismanagement of risk can have devastating consequences for the organization and the economy as a whole (Barings Bank, Enron, Lehman Brothers, Northern Rock, to name just a few). Modern organizations and corporate leaders must learn from such failures by developing practices to effectively deal with risk. Based on a European perspective, this paper brings together ideas, concepts and methodologies developed in different risk markets and academic fields to provide a much needed overview of different approaches to risk management. The authors criticize the prevailing enterprise risk management (ERM) systems and propose an appropriate alternative.

T. Bedford and R. Cook, in situations where classical statistical analysis is difficult or impossible to use, apply probabilistic risk analysis to quantify risk. The book by English economists – T. Bedford and R. Cook – examines the fundamental concepts of uncertainty, its relationship with probability, boundaries with a quantitative assessment of uncertainty. Drawing on extensive experience in risk theory and analysis, the authors focused on the conceptual and mathematical foundations that underpin the quantification, interpretation and management of risk. They cover standard and important new topics such as the use of expert judgment of uncertainty.

17 Danilevsky Yu.A., Shapiguzov S.M., Remizov N.A., Starovoitova E.V. Audit. M.: ID FBK-PRESS, 2018

A. Griffin, having extensive experience in managing a company's reputation, uses specific examples to analyze the effective and erroneous actions of corporations to create, manage their own reputation and reputation risks. Corporations must not only protect their own reputation under pressure, strengthened by the corporation from the state and society, but learn to control it.

According to the Decree of the Central Bank of the Russian Federation dated 04.15.2015 No. 3624-U "On requirements for the risk management system and the capital of a credit institution and banking group", the risk management and capital management system of a credit institution (banking group) should cover factors of credit, market and operational risks, as well as other significant risks, for example, interest rate risk and concentration risk.

The implementation of risk management in the bank is assigned to the risk management service, while the internal audit service must verify the effectiveness of individual risk management and the risk management system as a whole.

Typical banking risks include financial and non-financial risks arising as a result of the Bank's core business:

Credit risk is the risk of the Bank incurring losses as a result of failure to fulfill, untimely or incomplete fulfillment by the debtor of financial obligations to the Bank.

Within the framework of credit risk management, industry and country risks are managed:

– Industry risk – the risk of the Bank incurring financial losses (damage) as a result of the debtor's failure to fulfill his obligations as a result of changes in the economic condition of the industry and the nature of these changes both within the industry and in comparison with other industries.

– Country risk – the risk of the Bank incurring losses as a result of non-fulfillment by foreign counterparties (legal entities and individuals) of obligations due to economic, political, social changes, and also because the currency of the monetary obligation may not be available to the counterparty due to the peculiarities of national legislation (regardless of the financial position of the counterparty itself).

Market risk – the risk of the Bank incurring financial losses (losses) due to an adverse change in the market value of financial instruments of the trading portfolio and derivative financial instruments of the Bank, as well as foreign exchange rates and (or) precious metals… Market risk includes stock, currency and interest rate risks.

Stock risk – the risk of losses due to adverse changes in market prices for stock values (securities, including fixing rights to participate in management) of the trading portfolio and derivative financial instruments under the influence of factors related to both the issuer of stock values and derivative financial instruments, and general fluctuations in market prices for financial instruments.

Currency risk – the risk of losses due to adverse changes in the exchange rates of foreign currencies and (or) precious metals at open credit institution positions in foreign currencies and (or) precious metals.

Interest rate risk – the risk of financial losses (losses) resulting from adverse changes in interest rates on assets, liabilities and off-balance sheet instruments of the Bank. “Interest rate risk in the banking book (IRRBB) gained its importance through the regulatory requirements that have been growing and guiding the banking industry for the last couple of years. The importance of IRRBB is shifting for banks, away from ‘just’ a regulatory requirement to having an impact on the overall profitability of a financial institution. Interest Rate Risk in the Banking Book sheds light on the best practices for managing this important risk category and provides detailed analysis of the hedging strategies, practical examples, and case studies based on the author’s experience. This handbook is rich in practical insights on methodological approach and contents of ALCO report, IRRBB policy, ICAAP, Risk Appetite Statement (RAS) and model documentation. It is intended for the Treasury, Risk and Finance department and is helpful in improving and optimizing their IRRBB framework and strategy. By the end of this IRRBB journey, the reader will be equipped with all the necessary tools to build a proactive and compliant framework within a financial institution”.18

18 Beata Lubinska. Interest Rate Risk in the Banking Book: A Best Practice Guide to Management and Hedging (Wiley Finance) 1st Edition. John Wiley & Sons, Ltd, 2021, p. 248


Liquidity risk is the risk of losses due to the Bank's inability to fully fulfill its obligations. Liquidity risk arises as a result of the imbalance of the Bank's financial assets and financial obligations with respect to repayment terms (including due to untimely fulfillment of financial obligations by one or more of the Bank's counterparties) and (or) the unforeseen need for the Bank to immediately fulfill its financial obligations.

Operational risk – the risk of losses resulting from inconsistency with the nature and extent of the Bank's activities and (or) the requirements of applicable law, internal procedures and procedures for banking operations and other transactions, their violation by the Bank's employees and (or) other persons (due to incompetence, unintentional or intentional actions or inaction), disproportion (insufficiency) of functionality (characteristics) of information, technological and other systems used by the Bank and (or) their failures (malfunctions), as well as from external events. “Operational Risk Management in Financial Services also features results from polls taken by risk practitioners which provide a snapshot of current practices and allow the reader to benchmark themselves against other firms. This is the essential guide for professionals looking to derive value out of operational risk management, rather than applying a compliance 'tick box' approach”.19

Strategic risk – the risk of the Bank incurring losses as a result of errors (deficiencies) made when making decisions that determine the Bank's activity and development strategy (strategic management) and expressed in the failure to take into account or insufficient consideration of possible dangers that may threaten the Bank's activities, incorrect or insufficiently reasoned determination of promising areas of activity in which the Bank can achieve an advantage over competitors, the absence or partial provision of necessary resources (financial, material, technical, human) and organizational measures (administrative decisions), which should ensure the achievement of the strategic objectives of the Bank.

Legal risk – the risk of the Bank incurring direct losses or losses in the form of lost profit due to:

– non-compliance by the Bank with the requirements of regulatory legal acts and concluded agreements;

– legal errors made in carrying out activities (incorrect legal advice or incorrect preparation of documents, including when considering disputed issues in the judiciary);

– imperfections of the legal system (inconsistency of legislation, lack of legal norms to regulate certain issues arising in the course of the Bank's activities);

– violation by counterparties of normative legal acts, as well as the terms of contracts.

19 Elena Pykhova. Operational Risk Management in Financial Services: A Practical Guide to Establishing Effective Solutions 1st Edition. Kogan Page Ltd, United Kingdom, 2021, p. 364

The risk of loss of the Bank's business reputation (reputational risk) is the risk of the Bank incurring losses as a result of a decrease in the number of customers (counterparties) due to the formation in society of a negative idea of the Bank's financial stability, the quality of its services or the nature of its activities in general.

Additional risks include those risks that arise as a result of various professional activities by the Bank in the securities market, as well as risks that may arise when these professional activities are combined.

The risk management process includes the following steps:

– risk detection and identification;

– risk assessment (quantitative, qualitative);

– restriction (minimization) of risk;

– monitoring and controlling the level of risk.

Risk detection is the establishment of the internal and external factors that influence the occurrence of the risk, and of the operations and/or processes that result in the occurrence and implementation of this risk.

Risk identification is the assignment of risk to a specific type of typical risk in order to implement specific measures to limit the level of risk.

Risk assessment is determination of the likely consequences that the Bank may have in the event of the implementation of external and/or internal risk factors during the commission of any transaction. Due to the fact that the consequences can be presented not only in the form of a certain amount of possible losses, but also in the form of other consequences for the Bank's activities, the risk assessment can be quantitative and qualitative.

Quantitative risk assessment involves the determination and analysis of the amount of losses that the Bank suffered as a result of the implementation of any type of risk.


A qualitative assessment involves an analysis of an emergency situation, determining the reasons for the implementation of the risk, as well as determining methods and tools to eliminate the consequences of the risk, as well as the ways to prevent the implementation of the risk in the future.

Risk restriction (minimization) – a set of measures to develop limits and other restrictions aimed at preventing the implementation of the risk.

The main methods of limiting (minimizing) banking risks include:

– risk pooling – a method aimed at reducing risk by turning random losses into relatively small fixed costs;

– risk distribution – a method in which the risk of probable damage is divided between the participants in such a way that the possible losses of each are relatively small;

– limiting – a method of minimizing risks, involving the development of detailed strategic documentation establishing the maximum permissible level of risk, a clear distribution of functions and responsibilities of personnel;

– diversification – a method of reducing risk by forming a group of assets whose incomes are weakly correlated with each other;

– hedging – a balancing transaction aimed at minimizing risk;

– asset securitization – the issue and subsequent sale of the Bank's securities backed by homogeneous assets generating stable cash flows.

Risk monitoring and control – a set of measures to monitor the level of each specific type of risk and total banking risk in general, aimed at maintaining banking risks at an acceptable level.

Monitoring and control is carried out on a dynamic basis, taking into account a retrospective and prospective analysis of bank portfolios, events and performance features of key risk indicators. Monitoring and control of the risk level is carried out on a periodic basis; its results are used to make adequate management decisions in order to:

– achieve compliance of the amount of formed reserves with the level of accepted risks;

– prevent a decrease in the Bank's equity;

– prevent violations of established risk restrictions;

– prevent the long-term exposure of the Bank to excessive risk;

– increase the profitability of the banking business;

– optimize the organizational structure of the Bank;

– improve the information and technological systems.

Credit risk

The basic principles of organizing the Bank's credit activity, and the strategy and tactics of credit risk management, are defined in the Credit policy.

The Credit policy enshrines the following elements of the credit risk management system:

– a list of operations and transactions, the implementation of which may be accompanied by the realization of credit risks;

– general approaches to credit risk management (tools for managing credit risk, a system of limits and restrictions on credit risk, the authority of subjects of credit risk management and multi-step decision-making on credit transactions, risk level control);

– functions of the units of the credit institution in the process of analysis, evaluation, monitoring and control of the level of credit risk within the developed system of restrictions.

Assessment of the Bank's credit risk for the total portfolio of loan and equivalent debt is carried out in accordance with the values of mandatory standards established in the Instruction of the Central Bank of the Russian Federation No. 180-I, as well as in accordance with indicators of the quality of the loan portfolio and the degree of concentration of risks for assets established by the requirements of the Central Bank of the Russian Federation No. 3277-U.

The level of credit risks for loans, debt and equivalent debt, as well as the quality category of loan and equivalent debt, is determined in accordance with the requirements of the Regulation of the Central Bank of the Russian Federation No. 590-P.

The level of credit risks for contingent liabilities of a credit nature, as well as for a number of other instruments, is determined in accordance with the requirements defined in the Regulation of the CBR No. 611-P.

Assessment of credit risks of borrowers (groups of related borrowers) is carried out taking into account industry risks. The analysis is carried out in the context of long-term and short-term industry risks.

When assessing industry risks in the long term, the following indicators are used:

– industry sensitivity to macroeconomic conditions;

– average leverage of an industry enterprise.

The following are considered as factors of short-term industry risks:

– production dynamics in the short and medium term;

– the dynamics of the Entrepreneurial Confidence Index;

– dynamics of inventories;

– key events that have occurred or are expected to change the industry's environment.

As a result of the analysis of industry risks, the preferred or promising lending areas for the Bank are determined.

As part of credit risk management, country risk management is carried out. In the process of establishing (revising) limits on counterparties, the following information is taken into account:

– the total amount of limits on resident counterparties of one country and the risks taken by the respective country for the aggregate of all operations of the Bank with counterparties;

– assessments of international rating agencies of the country where the counterparty is located;

– macroeconomic indicators by countries (budget deficit, public debt, GDP growth rate, inflation rate, unemployment rate);

– the amount of state support allocated to the banking sector;

– the results of stress testing of the banking sector conducted by the European Banking Organization (hereinafter – EBA) among European banks and the Federal Reserve System (hereinafter – the Fed) of the United States.

Management reporting on credit risk assessment includes a number of analytical tables:

– the structure of loan and equivalent debt for the Bank as a whole, by types of credit requirements and currencies, over time for the reporting period;

– the structure of the Bank's loan portfolio by credit quality categories indicating the amount of the formed reserve for possible losses;

– tables for assessing the concentration of credit risk;

– assessment of long-term industry risks;

– loan portfolio structure by industry;

– analysis of the industry structure of the Bank's portfolio with data.


Market risk

The market risk management process is regulated by internal documents of the Bank. For example: Regulation on managing risks arising in the operations with financial instruments; Regulation on foreign exchange management; Regulation on interest management.

Internal documents on the management of market risks enshrine the following elements of the credit risk management system:

– a list of operations and transactions, the implementation of which may be accompanied by the implementation of market risks;

– sources of market risks and types of losses resulting from the implementation of market risks;

– approaches to managing stock, currency and interest rate risks (management tools, a system of limits and restrictions, the powers of market risk management entities and the procedure for making decisions on the conduct of relevant operations and transactions, monitoring the level of risk);

– functions of structural units of the Bank in the process of market risk management.

Aggregate assessment of market risk is carried out in accordance with the Regulation of the Central Bank of the Russian Federation No. 511-P and is included in the calculation of the mandatory standards of the Bank in accordance with the Instruction of the Central Bank of the Russian Federation No. 180-I.

Liquidity risk

Liquidity risk management is regulated by internal documents in a credit institution.

External sources of liquidity risk include:

– the instability of the economic and political situation in the country and in the region;

– significant changes in the legal regulation of banking activities;

– the capacity of markets, including financial, not meeting the interests of the bank;

– force majeure circumstances.

Internal causes of liquidity risk include:

– imbalance of claims and obligations by the terms of return and repayment;

– poor asset quality;


– diversion of funds to long-term projects;

– significant investment in real estate;

– instability and high concentration of the resource base.

Methods for identifying liquidity risk include:

– analysis of the capacity and profitability of the markets in which the Bank operates;

– analysis of changes in the values of mandatory liquidity ratios;

– study of the Bank's customer base for its stability, analysis of the stability of the Bank's liabilities;

– analysis of the state of the Bank's assets, especially with overdue maturities;

– analysis of concentration of credit risk and concentration of borrowed funds;

– analysis of liquidity using a scenario-based development approach;

– the identification of an extraordinary conflict of interest between liquidity and profitability.

As indicators for assessing the liquidity risk level, the Bank uses the mandatory standards established in the Instruction of the Central Bank of the Russian Federation No. 180-I (standards for instant, current and long-term liquidity), as well as the relevant indicators established in the Instruction of the Central Bank of the Russian Federation No. 3277-U (indicators of asset liquidity, liquidity indicators and structure of liabilities, indicators of the general liquidity of the bank, risk indicators for large creditors and depositors; the above indicators are included in the calculation of the generalized result for the indicators liquidity market (RGL)).

Liquidity assessment is carried out by the Bank based on the calculation and analysis of liquidity gaps (maturity of assets and liabilities), forecasts of the adequacy of liquidity reserves, the Bank's payment position, and interbank loan market capacity.

Methods to minimize liquidity risk include:

– forecasting the level of liquidity, drawing up payment calendars;

– development of decision-making procedures for mobilizing liquid assets, attracting additional resources in case of a liquidity shortage;

– the development of different scenarios in case of worsening conditions for the activities of the credit organization;


– development of an action plan to restore and maintain liquidity at the required level.

The most common risk minimization tools include limits and restrictions on operations, forecasts, and payment calendars.

The Bank can consider only four possible scenarios of the current condition and liquidity forecast, determined by analyzing payment schedules and the liquidity gap: "Optimistic", "Standard", "Alarm" and "Crisis".

In order to make adequate management decisions, liquidity risk is monitored. The monitoring result is the maintenance of the optimal ratio between the volume of the Bank's liabilities and the volume of liquidity reserves, which ensures high profitability of banking operations while ensuring the proper level of liquidity indicators.

The management reporting on liquidity risk assessment is the following reporting (with a certain frequency of preparation and provision):

– standards N2 and N3, structural balance;

– a forecast plan for operations on the Bank's correspondent accounts for the day, receipts-write-offs on the Bank's correspondent accounts, large balances on customer accounts;

– the Bank's payment position as of morning and a prospective payment position (time horizon of 7-15 days);

– forecast values of the standards N2 and N3;

– liquidity status report: current liquidity scenario, volume, structure and adequacy of liquidity reserves; opportunities to attract funds from the budget and the Bank of Russia, the size of the interbank loan market;

– forecast of liquidity reserves for the next three months;

– report on liquidity gaps;

– report on liquidity reserves: current liquidity scenario; volume, structure and adequacy of liquidity reserves; refinancing opportunities.

Operational risk

Operational risk management is regulated by an internal document of a credit institution.

The following elements of the operational risk management system should be described in detail in this internal document:


– the procedure for implementing the basic principles of operational risk management;

– sources and causes of operational risks;

– ways to detect and identify operational risks;

– procedure for assessing (quantitative and qualitative) the level of operational risks;

– the system of key indicators of operational risk in all areas of the Bank's business;

– the procedure for the formation and updating of the database of external and internal data on operational events and losses;

– methods and tools to minimize operational risks;

– procedure for monitoring operational risks;

– internal reporting system for operational risk management;

– the procedure for conducting self-assessment and questionnaires on operational risk management;

– separation of powers and responsibilities in the process of operational risk management.

An important component of ensuring the continuity of the Bank's operations in case of emergency situations is the presence of a set of the Bank's internal documents fixing the goals, objectives, procedures, methods and timing of the implementation of a package of measures for the prevention or timely liquidation of consequences of a possible violation of the normal functioning of the Bank.

The management body of the credit institution approves the Business continuity and/or restoration plan, hereinafter referred to as the BCR Plan.

The set of measures provided by the BCR Plan helps minimize the Bank's operational and reputational risks, as well as liquidity risks.

Legal risk

Risk management is regulated by an internal document of a credit organization.

The main objective of legal risk management is to maintain the legal risk assumed by the Bank at a level determined by the Bank in accordance with strategic objectives. The priority is to ensure maximum safety of assets and capital on the basis of reducing possible losses.


The specified internal document of the Bank may describe in detail the following control system elements of the legal risk:

– external and internal factors of the legal risk;

– the procedure for assessing the level of the legal risk and a system of indicators of the legal risk;

– the legal risk monitoring;

– methods and tools to minimize the legal risk;

– internal reporting system for operational risk management;

– the procedure for conducting self-assessments and questionnaires on the legal risk management issues;

– separation of powers and responsibilities in the process of managing legal risks.

Goodwill risk (reputational risk)

Reputational risk management is regulated by an internal document of a credit organization.

The main objectives of the Bank's reputation risk management are:

– ensuring the maximum safety of the Bank's assets and capital by preventing or reducing possible losses of the Bank due to the realization of reputational risk;

– maintaining the Bank's business reputation with customers and counterparties, founders (participants), participants in the financial market, state authorities and local governments, banking unions (associations), self-regulatory organizations of which the Bank is a participant.

The specified internal document of the Bank may describe the following control system elements of the reputation risk:

– external and internal factors of occurrence of the reputation risk;

– procedure for assessing the level of reputational risk and a system of indicators of the reputational risk;

– the reputation risk monitoring;

– methods and tools to minimize reputation risk;

– the system of internal reporting on the reputation risk management;

– the procedure for conducting self-assessments and questionnaires on issues of reputation risk management;


– differentiation of powers and responsibilities in the process of managing reputation risks.

Strategic risk

The main sources of the strategic risk of the Bank are:

– the Bank's lack of a strategic development plan for the near and medium term;

– insufficiency of taking into account global trends (including possible dangers) in the development of the banking system of the Russian Federation and the global financial system;

– complete or partial lack of necessary resources from the Bank, including financial, logistical and human, to achieve the goals set in the strategic development plan;

– the Bank's lack of well-developed and effective approaches to making managerial decisions ensuring the achievement of strategic business goals.

Assessment of the strategic risk is carried out on the basis of professional motivated judgment, formed on the result of analysis in the framework of identifying strategic risk.

When forming a motivated judgment on the level of the strategic risk, the following are analyzed:

– results of a SWOT analysis of the external and internal factors of the Bank's activity with the aim of determining the level of its competitiveness in the market;

– Bank development strategy, trends in increasing the volume and range of operations and services;

– the compliance of the values of the planned indicators established by the strategic plan for the Bank as a whole, and differentiated by business units, to the actual values of these indicators (periodicity – quarterly, semi-annual and annual);

– reasons for a significant deviation of actual indicators;

– existing opportunities to compensate for failure to meet planned targets.

Minimization of strategic risk is achieved by improving the quality of the strategic planning process in the Bank due to:

– monitoring the macroeconomic situation and the environment;

– monitoring the implementation of strategic objectives by the Bank;

– timely adjustments to the strategic development plan;

– compliance of annual corporate (business and financial) plans with a long-term strategy;

– making collegial decisions in the face of multivariate development of the business environment;

34

– assessment of the Bank's market position and comparative analysis of compet-itors;

– professional development of top managers of the Bank involved in the devel-opment of the Bank's strategy and its implementation.

Interaction in the strategic risk management process.

The strategic development plan of the Bank is approved by the governing body of the credit organization. Monitoring the implementation of the strategic development plan of the Bank, within its powers, is carried out by the executive bodies of the credit organization.

Directorate of Planning and Financial Control:

– organizes the process of development and approval of a strategic plan;

– provides the authorized management bodies of the Bank with the necessary information on the current performance of indicators defined by the strategy;

– analyzes possible sources of strategic risk;

– makes a preliminary assessment of strategic risk and offers ways to minimize strategic risk.²⁰

The structural divisions of the Bank carry out their functions and solve problems within the framework of the approved Regulations and the targets specified for the implementation.

Assessment and management of the aggregate banking risk.

The aggregate banking risk is the risk of losses and damages in the activities of a credit institution for the entire set of accepted risks, as well as the risks of combining professional activities. The structure of the aggregate banking risk depends on the types and volumes of operations carried out by the Bank and on the quality of managing specific risks, including an effective approach to limiting these risks. The structure of the aggregate banking risk is usually dominated by the risk associated with active operations, which have the largest share in the Bank's net assets. Other banking risks of a financial and non-financial nature may significantly affect the aggregate banking risk.

20 Mary Pat McCarthy, Tim Flynn. Risk From the CEO and Board Perspective: What All Managers Need to Know About Growth in a Turbulent World. 2003.


The main indicator for assessing the level of the aggregate banking risk is mandatory standard N1 “Capital adequacy ratio” established in the CBR Instruction No. 180-I. When calculating this indicator, the level of credit, market and operational risks is taken into account. The impact on the Bank's capital adequacy of other typical banking risks is assessed on the basis of professional reasoned judgment.

As additional indicators in assessing the total banking risk, the indicators used are those established in the Central Bank of the Russian Federation No. 3277-U.

Methods for limiting aggregate banking risk. Since the aggregate banking risk is an integral indicator, the methods of limiting it are the methods of limiting individual risk components.

Interaction of structural divisions of the Bank in assessing the level of the aggregate banking risk.

Specific management decisions regarding the limitation of the aggregate banking risk are made by the Bank's governing bodies – the General Meeting of Shareholders, the Supervisory Board, the Management Board of the Bank within the powers defined by the Bank's Charter, the Regulation on the Supervisory Council and the Management Board. To make managerial decisions, the Bank's management bodies consider the results of the assessment of the aggregate banking risk, methods and tools to minimize them, proposed by the relevant collegial management bodies.²¹

The Bank's Internal Audit Service performs a control function to verify the correct application of Bank of Russia regulatory documents and the Bank's internal documents regulating the management of certain types of typical banking risks, and also evaluates the effectiveness of bank risk management.

Risk Management Reports.

Based on the results of risk management, a Risk Management Report is submitted. The report is prepared in terms of the competence of the respective units, summarized and submitted for consideration to the management bodies of the credit organization.²²

21 Investments in the BRICS Countries: Assessing Risk and Corporate Governance in Brazil, Russia, India, China and South Africa. M.: Alpina Publishers, 2010. 356 p.

22 Panfilova E.A. The concept of risk: a variety of approaches and definitions // Economic analysis: theory and practice. 2017. No. 95 (143).


In addition, the final statements containing certain aspects of the Bank's risk management include:

– Reports of the auditor of a professional participant in the securities market on the work done for the period;

– Reports of the auditor of the exchange intermediary on the work done for the period;

– Reports on monitoring the internal control system and the work of the Internal Control Service for the period;

– Report on the implementation of the Internal Control Rules in order to counter the legalization (laundering) of proceeds from crime and the financing of terrorism, including its implementation programs for the year.

The procedure for preparing and presenting these reports is regulated by the relevant internal documents of the Bank, which determine these areas of activity and risk management.


Chapter 2. Basics of organizing the functioning of the internal control system in credit institutions

2.1. Financial audit and compliance control as methods of internal control

According to the Regulation of the Bank of Russia dated December 16, 2003, No. 242-P "On the organization of internal control in credit institutions and banking groups", there are 4 possible ways to carry out inspections by the internal audit service:

1) financial audit, the purpose of which is to assess the reliability of accounting and reporting;

2) verification of compliance with the legislation of the Russian Federation (banking, on the securities market, on countering the legalization (laundering) of proceeds from crime and the financing of terrorism, on taxes and fees, etc.) and other acts of regulatory and supervisory bodies, internal documents of the credit institution and the methods, programs, rules and procedures established by them, the purpose of which is to assess the quality and conformity of the systems created in the credit institution to ensure compliance with the requirements of the legislation of the Russian Federation and other acts;

3) operational audit, the purpose of which is to assess the quality and conformity of systems, processes and procedures, analysis of organizational structures and their adequacy to perform the assigned functions;

4) quality control of management, the purpose of which is to assess the quality of the approaches of the management bodies, divisions and employees of the credit institution to banking risks and methods of control over them within the framework of the objectives of the credit institution.

According to Regulation No. 242-P, the internal audit service must develop an audit plan, which includes a schedule for the implementation of audits. This plan must be approved by the board of directors (supervisory board) of the credit institution.


Planning the upcoming work and drawing up a program of inspections presents a certain difficulty for the bank's internal audit department. The audit program should contain the objectives of the audit and identify key banking risks and mechanisms to ensure the completeness and effectiveness of control in the audited area of banking activities. Consequently, the frequency and scope of inspections of the activities of various departments and the effectiveness of the bank's products are usually determined depending on their inherent risk. It is the possible risk that affects the value of materiality, which in turn determines the scope of audit procedures. The audit scheduling can be viewed as a sequence of the following steps²³:

1) determination of the types of activities and products of the bank to be verified;

2) assessment of intra-business risk, risk of controls for the bank's divisions and products;

3) ranking the risk values of the bank's divisions and products;

4) determination of objects and frequency of inspections, distribution of internal audit resources in the context of inspections;

5) monitoring and adjusting at least annually the risk values of the bank's divisions and products.

The risk of a bank unit (product) includes two components – intra-business risk and control risk²⁴. The table shows the risk assessment of a division (banking product) depending on the assessment of controls and the level of inherent risk on a scale from 0 (low risk) to 4 (high risk). Therefore, the risk will be minimal if the level of inherent risk is assessed as low.

Table 3. Division (product) risk assessment matrix

Control risk | Intra-business risk level
             | Low               | Average           | High
Low          | Below average – 1 | Above average – 3 | High – 4
Average      | Low – 0           | Medium – 2        | Above average – 3
High         | Low – 0           | Below average – 1 | Medium – 2

23 Posokhov I.M. Analysis of the content of the concept of risk and scientific approaches regarding the essence of risk // Actual problems of economics. 2018. No. 17. S. 25-32.

24 Utkin E.A., Sukhanov M.S. Banking audit. M.: TEIS, 2003. 223 p.


When assessing risk, the following factors are usually taken into account:

1) quantitative characteristics of transactions (for example, the volume of transactions);

2) qualitative characteristics of operations (complexity, economic and legal conditions);

3) internal control procedures, security, applied information systems;

4) personnel characteristics (competence, turnover).

The list of risk factors and the principles of its assessment are enshrined in a separate document, which includes, among other things:

1) scale of risk values (low, medium, high; scores from 1 to 10, etc.);

2) the duration of the internal audit cycle depending on the magnitude of the risk: for example, six months for high-risk activities, 1 year for activities with medium risk, over 1 year for activities with low risk;

3) the conditions under which the risk assessment may not be taken into account, the list of persons authorized to make such decisions (board of directors, audit committee, management of the internal audit unit), as well as requirements for documenting decisions. Ignoring risk assessment should be the exception rather than the rule;

4) the frequency of risk assessment for each division and product. Risk assessment is important to carry out annually, but it can be carried out more often if the bank or banking product is developing rapidly;

5) minimum documentation requirements for risk assessment.

The internal audit service needs to constantly monitor audit objects and risk values and adjust the volume and structure of audit procedures; it is also useful to keep card files containing risk assessment, description of audit objects and the duration of the audit cycle for each division and product of the bank.
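The scheduling steps, Table 3 and the audit-cycle rule described above, combined into one planning routine; this Python code is an added example, not part of the monograph or of any bank's methodology. It assumes that the rows of Table 3 are the assessment of controls (weaker controls give a higher score), that scores 3 and 4 count as high risk, 2 as medium and 0 and 1 as low, and that "over 1 year" means 24 months; all division names, dates and the override are constructed.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Table 3: SCORE[assessment of controls][inherent risk level] -> 0 (low) .. 4 (high).
SCORE = {
    "low":     {"low": 1, "average": 3, "high": 4},
    "average": {"low": 0, "average": 2, "high": 3},
    "high":    {"low": 0, "average": 1, "high": 2},
}
# Assumed banding of the score into audit cycles in months: the text gives six
# months, 1 year and "over 1 year" for high, medium and low risk.
CYCLE_MONTHS = {4: 6, 3: 6, 2: 12, 1: 24, 0: 24}
# Bodies the text names as entitled to set the risk assessment aside.
AUTHORISED = {"board of directors", "audit committee", "internal audit management"}


@dataclass
class Override:
    cycle_months: int
    decided_by: str
    rationale: str


@dataclass
class AuditObject:
    name: str
    inherent: str          # inherent (intra-business) risk: low / average / high
    controls: str          # assessment of controls: low / average / high
    last_audit: date
    override: Optional[Override] = None


def add_months(d, months):
    """Calendar-month arithmetic; the day is clamped to the end of the target month."""
    year, month0 = divmod(d.year * 12 + d.month - 1 + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))


def risk_score(obj):
    try:
        return SCORE[obj.controls][obj.inherent]
    except KeyError:
        raise ValueError(f"{obj.name}: levels must be low, average or high") from None


def cycle_months(obj):
    """Cycle from the risk score, unless a documented, authorised override exists."""
    if obj.override is None:
        return CYCLE_MONTHS[risk_score(obj)]
    ov = obj.override
    if ov.decided_by not in AUTHORISED or not ov.rationale.strip():
        raise ValueError(f"{obj.name}: override needs an authorised body and a documented rationale")
    return ov.cycle_months


def build_schedule(objects, today):
    """Rank audit objects by risk score, then by due date, and flag overdue audits."""
    rows = []
    for obj in objects:
        due = add_months(obj.last_audit, cycle_months(obj))
        rows.append({"name": obj.name, "score": risk_score(obj), "next_due": due,
                     "overdue": due < today, "overridden": obj.override is not None})
    return sorted(rows, key=lambda r: (-r["score"], r["next_due"]))


# Constructed sample data.
TODAY = date(2021, 4, 2)
SAMPLE = [
    AuditObject("Cash desk", "average", "average", date(2020, 6, 15)),
    AuditObject("Corporate lending", "high", "low", date(2020, 9, 1)),
    AuditObject("Payroll cards", "low", "high", date(2019, 11, 30)),
    AuditObject("Securities brokerage", "high", "average", date(2020, 8, 31)),
    AuditObject("Treasury", "average", "low", date(2020, 5, 10),
                Override(12, "audit committee", "area covered by the 2020 external audit")),
]

if __name__ == "__main__":
    for row in build_schedule(SAMPLE, TODAY):
        print(row)
```
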

Based on the main methods of ICS checks proposed by the Central Bank of the Russian Federation in Appendix 3 to Regulation No. 242-P, the following types of internal audit can be distinguished, depending on the content of audit procedures:

1) Financial audit involves checking the reliability of the bank's accounting and reporting system. When conducting this type of audit, external audit standards can be applied regarding the level of materiality and audit risk, sampling, studying the accounting system, and others.

2) Compliance audit checks the compliance of the bank's activities with legislation, bylaws, and internal regulations.

3) Operational audit evaluates the effectiveness of operations and procedures, analyzes the compliance of the organizational structure, methods of work and resources of the bank with the set goals.

4) Management audit evaluates the quality of management in order to achieve the goals of the bank.

Consider a financial audit as part of the internal control of a credit institution. According to the Federal rules (standards) of auditing²⁵, the purpose of the audit is to express an opinion on the reliability of financial (accounting) statements. Thus, when conducting financial audits, internal auditors can rely on external audit standards.

Sampling is a key part of an internal audit. The meaning of the sample is that not the entire set of operations is tested, but only a part of it. The results of testing a part of the population with a sufficient degree of reliability will make it possible to judge the population as a whole. The rationale for the need for sampling and the sampling method, and a description of the procedures for extrapolating the sampling results to the entire population, should be clearly spelled out in the work programs and internal audit reports.

According to the Russian standard of auditing activity No. 16 "Audit sampling", the auditor should try to form a representative sample by selecting sample elements that have characteristics typical of the general population.²⁶

Having received the final result, the auditor should make sure that the error in the audited population does not exceed the allowable value. To do this, the auditor compares the population error obtained through extrapolation with the acceptable error. If the first error turns out to exceed the permissible one, the internal auditor should re-assess the sampling risks, and if he considers them unacceptable, then the range of audit procedures should be expanded or audit procedures should be applied that are alternative to those already carried out.

Let's consider compliance audit as an integral part of internal audit in credit institutions.

25 Starostina A. A. Risk management: Theory and practice: [textbook. manual] / A. A. Starostina, V. A. Kravchenko. M.: Kondor, 2017. 200 p.

26 Federal rules (standards) of auditing from 23.09.2002, as amended. Resolutions of the Government of the Russian Federation of 04.07.2003, No. 405.


As noted earlier, compliance control is control over the compliance of a credit institution's activities with legal requirements and internal regulations.

The need for compliance control is due to the following reasons²⁷:

– high market requirements for the reliability and safety of the bank;

– a high degree of regulation of the bank's operations by supervision;

– the need for a clear formalization of most of the functions in the bank;

– the complexity of the internal structure of the bank;

– the importance of the human factor in the high-quality execution of operations.

Compliance control is a preventive measure in relation to the risk of compliance. Compliance risk is defined as the risk of legal or regulatory sanctions, financial losses, damage to reputation that may be directed to a bank as a result of its failure to comply with laws, regulations, code of conduct and standards of good practice (collectively referred to as "laws, rules and standards"). Compliance risk is sometimes interpreted as a risk of honesty (or integrity), since a bank's reputation is closely related to its observance of the principles of decency and fairness in its activities. Non-compliance risk is the present and potential risk of loss of profit or capital for a bank due to violation or non-compliance with laws, rules, regulations, prescribed practices, internal procedures, policies or ethical standards.

In the banking sector, compliance control is often equated with the function of general internal control or countering the legalization (laundering) of proceeds from crime and the financing of terrorism, which is not entirely correct.

According to the Letter of the Central Bank of the Russian Federation dated 02.11.2007 No. 173-T "On the recommendations of the Basel Committee on Banking Supervision", "the concept of "responsible legal officer", "(head) employee of the compliance function", compliance officer, compliance specialist, "(Chief) Compliance Risk Manager" are synonymous." According to clause 2.2.3 of Regulation No. 242-P, the "responsible officer for legal affairs" exercises internal control in the credit institution. According to clause 2.4 of this provision, the “responsible legal officer” may be included in the internal control service. Thus, in accordance with Russian legislation, we can consider the compliance control service as part of the ICS, on the one hand. On the other hand, the compliance control service can be formed independently of the ICS, which also will not contradict the legislation.

27 Bortnikov G. “Compliance risk (risk of non-compliance): international standards and their applicability for banks in the CIS countries”. //http://www.iia-ru.ru/publication/foreign_mass_media_arti-cles/bortnikov/

Let's highlight the main areas of compliance control:

1) maintain proper knowledge of employees of the relevant provisions, regulations and their interpretations;

2) carry out the necessary explanations of the wording of the current normative acts, as well as track possible innovations;

3) facilitate training of bank personnel on compliance control policies and procedures;

4) monitor and promptly respond to possible complaints and dissatisfaction of the credit institution's customers;

5) conduct ongoing programs to analyze the compliance of the system in the bank with applicable laws and regulations;

6) coordinate the interaction of bank employees with the legal division and other departments of the bank in relation to new projects, business initiatives, acquisitions to ensure compliance with regulatory requirements.

In practice, compliance control management is divided into the following groups:

1) anti-money laundering group;

2) financial monitoring department;

3) groups involved in preventing conflicts of interest between owners and customers (employees), handling customer complaints, adhering to the bank's policy on gifts;

4) a group that monitors purchases of securities to the personal accounts of employees, and monitors the external interests of employees.

The division into groups proposed above allows minimizing the reputation and image risks of a credit institution. For example, a bank has a “closed list” of clients. Suppose the bank finances one of the clients included in the list to purchase another asset, while at the same time active operations are being carried out aimed at purchasing the securities of the specified client by the bank. In the future, a negative reaction from the market may arise – the employee was able to play ahead of the curve, since he had non-public information. Thus, if this situation arises, it will be difficult to convince the market of the bank's innocence, and the bank may incur image costs.


Speaking about a possible conflict of interest, consider the following situation: let's say one division of a credit institution provides funds to client "1" to acquire client "2". Suppose another division of the same credit institution provides services to client "2" in the search for potential investors. Thus, in the event that customer “2” is acquired by customer “1” and information about the services provided by one credit institution is made public, the bank's reputation may be seriously damaged. To prevent the negative consequences of the considered situation, the bank's divisions must ensure that all the necessary information about all transactions, including those planned, is promptly reflected in the database. The task of the compliance department will be to remind the divisions of the need to keep the database up to date.

A measure of increasing the effectiveness of compliance control is the high requirements for the qualifications and experience of the head of the compliance control service. Russian legislation imposes the following requirements on the head and employees of the ICS and, therefore, of the compliance control department (if we consider the latter as part of the ICS):

– The head (his deputies) and employees of the internal control service must have sufficient knowledge of banking and methods of internal control and collection of information, its analysis and assessment in connection with the performance of official duties.

– It is recommended that a credit institution establish requirements for the head (his deputies) of the internal control service to have experience in managing a structural unit of a credit institution related to banking operations and other transactions.

– Training (retraining) of the head (his deputies) and employees of the internal control service is recommended to be carried out on a regular basis.

American banks also have fairly high demands on the officer in charge of the compliance function. Information about the structure of the exam for the Certified Regulatory Compliance Manager (CRCM) gives a more accurate picture of the compliance function in a modern Western bank. Not all compliance managers have such a certificate, but possession of it is an additional plus for a financial institution.

In December 2002, the Office of the Comptroller of the United States (OCC) issued guidelines on risk compliance in banks. The compliance program should include 6 mandatory components (SMAART):


1) (S) System – Implementation of procedures and internal controls to ensure that transactions are conducted and recorded in accordance with legal regulations and customer service requirements.

2) (M) Monitoring involves supervision, on a daily basis, of the operation of the compliance systems in the bank to ensure real-time execution in accordance with the standards of the compliance programs in the bank.

3) (A) Evaluation refers to periodically reviewing systematized records and transactions to identify operational disruptions and program deficiencies.

4) (A) Liability. Allocation of responsibility, authority and accountability for directing personnel to implement the compliance policy in the bank and notifying the bank's board and council about the effectiveness of the compliance program.

5) (R) React. The process of handling customer complaints, overcoming violations of regulatory requirements, correcting procedures and controls, correcting deficiencies in internal oversight and implementing policies, procedures, revising or updating them.

6) (T) Training. Communication regarding compliance with policies, procedures, directives, regulatory requirements, information about products and services, including ensuring staff awareness.

Figure 1. Risk-based planning of internal audit activities. [Diagram; its blocks are: determining the feasibility of an audit; overall assessment of inherent risk; general assessment of the effectiveness of internal control; materiality; impact of risk; evaluation of controls; reliability of information; impact on the achievement of bank goals; complexity of the process; degree of external requirements; business dynamics level; risks (market, liquidity, operating, reputation, credit, strategic, financial, others); linear control assessment (level 1); assessment of the 2nd level of control; assessment of the 3rd level of control (for subsidiaries); evaluation of the effectiveness of management control; external / internal evaluations (external audit, regulatory reviews, etc.); date of last audit; assessment of the previous audit; completeness of closing recommendations.]

One of the types of control over the observance of current requirements by the bank is compliance control, which is gradually gaining popularity in Russian banks. The essence, main functions and goals of compliance control. [7]

In conclusion, a well-planned, implemented and maintained compliance control program can prevent or reduce regulatory violations, which in turn provides cost efficiency and is an effective tool in managing compliance risks.

2.2. The main methods for assessing the quality of the internal control system

According to the Regulation of the Bank of Russia No. 242-P²⁸, one of the ways to carry out audits by the internal audit service is an operational audit, the purpose of which is to assess the quality and conformity of systems, processes and procedures, to analyze organizational structures and their sufficiency to perform the assigned functions. It follows from this that the function of assessing the quality of the current internal control system in a credit institution is entrusted to the internal audit service. At the same time, the assessment of the effectiveness of the internal control system of the bank's business processes is an integral procedure for the internal audit of financial statements, as it affects the level of materiality. Thus, operational control can be considered as an integral part of financial audit and as an independent procedure that directly evaluates the quality of the internal control system in a credit institution.

Operational control as an assessment of the effectiveness of the internal control system is the process of collecting, evaluating and analyzing audit evidence regarding the internal control system of the audited business process. The result of this check is the auditor's assessment of the degree of reliability of the internal control system of the audited object.

The process of assessing the effectiveness of the internal control system includes the following stages:

28 Regulation of the Central Bank of the Russian Federation of December 16, 2003 No. 242-P "On the Organization of Internal Control in Credit Organizations and Banking Groups".


1) Initiation of verification – carried out by the head of the ICS on the basis of a previously approved work plan, or on behalf of an authorized person;

2) Audit planning;

3) Conducting audit procedures (includes an assessment of the design of control, an assessment of the implementation of control procedures, an analysis of the elements of the internal control system, an overall assessment of the effectiveness of the internal control system);

4) Formation of the results of the audit;

5) Work with the materials of the audit, including monitoring the implementation of recommendations.

The key to the successful work of the internal audit service is high-quality preparation for the audit, including the study of controlled processes and operations. One of the ways to collect analytical material is to study the necessary documentation and conduct conversations with participants in the processes (operations). The results can be presented in the form of a diagram that reflects the structure of technological processes that affect or are objects of control²⁹.

Audit objectives:

– Checking the reliability of financial accounting;

– Verification of compliance of transactions with Russian legislation to exclude so-called "shadow" transactions;

– Checking organizational structures for compliance with the functions performed;

– Verification of methods of control over risks and access to information flows.

It is the auditor's responsibility to fully assess the management criteria that determine the effectiveness and economic performance of the process. Particular attention is paid to the review of the current system of motivation for all employees of the credit institution.

Particular attention is paid to the goals of activities and development prospects. If the development goals are not formulated, and the management team cannot clearly state them, then the auditor needs to record the facts identified and develop recommendations to correct the current situation.

29 Miroshnikova A.Yu. Compliance Control in commercial banks // Alley of Science. 2017. No. 9, volume 2. – p. 141-146.


At the stage of collecting information, the auditor identifies not only the risks associated with the technological process, but also the risks associated with control methods.

Factors taken into account when assessing risks are:

– The number of transactions made;

– Economic and legal component;

– Features of personnel policy (qualifications of employees, the so-called turnover).

Let's highlight the following main stages in the verification process:

– Construction of technological process diagrams;

– Assessment of possible risks at the initial stages of planning;

– Collection and analysis of information sufficient to form an opinion on the effectiveness of control within the analyzed processes;

– Testing of existing procedures and measures for risk management.

To assess the reliability and efficiency of the internal control system, the following is carried out:

– Analysis of accounting and financial documents;

– Verification of compliance with regulatory documents;

– Review of the organization's management and practical system actions;

– Independent comparative analysis of similar transactions of other credit institutions.

The analysis allows us to assess the effectiveness of the implemented internal control and identify the advantages or disadvantages of the implemented procedures and measures, with the aim of further applying effective methods (as well as their possible use in related areas) or eliminating ineffective ones.

Observing current processes, when the performer carries out current operations, provides the representative of the internal control service with additional information that allows him to draw a conclusion about the level and quality of current control at the stage in question. It is also necessary to check the availability of authority and access for the employee who implements the control functions.

The auditor needs to independently carry out control operations implemented by the performer, for example, to enter an existing automated data system without authorization.

After processing all the data obtained from the test results, the auditor evaluates and draws a conclusion on the reliability of the functioning process control system for managing the analyzed risks. The auditor also indicates the possible consequences if the perceived risk materializes. The auditor forms recommendations that optimize the existing system or build a new one that is optimal in this situation.

Preliminary examinations and testing of actually implemented measures and risk management procedures, which are closely related to the analyzed banking process, end with the formation of a general opinion on the effectiveness of the existing internal control system of the audited object.

One of the constituent elements of the internal control of a credit institution is a regular financial audit, the need for which is due to the high requirements for the financial reliability of the bank and the safety of its operations.

When carrying out a financial audit, in the case of a spot check, the formation of a sample of the analyzed transactions will be fundamental. If necessary, use special software containing a random number generator.
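Sample selection with a random number generator, together with the comparison of the extrapolated population error with the allowable error described in section 2.1, shown as an added Python example that is not part of the monograph. The ratio projection method, the ledger, the seed and the tolerable error are assumptions made for illustration; the ledger is constructed.

```python
import random


def build_ledger(n=200):
    """Constructed ledger: id -> (book value, value confirmed by the auditor), whole rubles."""
    ledger = {}
    for i in range(1, n + 1):
        book = 1_000 + 37 * i
        # Constructed defect: every 25th transaction is overstated in the books by 10 %.
        audited = book - book // 10 if i % 25 == 0 else book
        ledger[i] = (book, audited)
    return ledger


def draw_sample(ids, size, seed):
    """Simple random sample without replacement; recording the seed in the
    working papers lets a reviewer reproduce exactly the same selection."""
    ids = list(ids)
    if not 0 < size <= len(ids):
        raise ValueError("sample size must be between 1 and the population size")
    return sorted(random.Random(seed).sample(ids, size))


def project_error(tested, population_book_value):
    """Ratio projection (assumed method): the misstatement rate found in the
    sample is applied to the book value of the whole population."""
    sample_book = sum(book for book, _ in tested)
    if sample_book == 0:
        raise ValueError("sample has no book value")
    sample_error = sum(book - audited for book, audited in tested)
    return sample_error * population_book_value / sample_book


def evaluate(tested, population_book_value, tolerable_error):
    """Compare the projected population error with the allowable error."""
    projected = project_error(tested, population_book_value)
    exceeded = abs(projected) > tolerable_error
    action = ("re-assess sampling risk; expand or replace audit procedures"
              if exceeded else "population accepted on the sample evidence")
    return {"projected_error": projected, "tolerable_error": tolerable_error,
            "exceeded": exceeded, "action": action}


def run_spot_check(ledger, size, seed, tolerable_error):
    """Select, test and evaluate in one pass; returns the result with the sample ids."""
    sample_ids = draw_sample(ledger.keys(), size, seed)
    tested = [ledger[i] for i in sample_ids]
    population_book = sum(book for book, _ in ledger.values())
    result = evaluate(tested, population_book, tolerable_error)
    result["sample_ids"] = sample_ids
    return result


if __name__ == "__main__":
    outcome = run_spot_check(build_ledger(), size=30, seed=2021, tolerable_error=5_000)
    print(outcome["sample_ids"])
    print(round(outcome["projected_error"]), outcome["action"])
```
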

Based on the results of the audit, an employee of the internal control service draws up a report. The information and conclusions contained in the report must be objective, constructive, concise, timely and clear (that is, not suggesting hints and multiple interpretations).

The following information must be indicated in the report:

– object and subject of verification;

– the objectives of the auditor;

– employees carrying out the check;

– the term of the inspection;

– a description of the identified shortcomings and violations, as well as an assessment of their significance;

– recommendations for eliminating the causes of violations and identified deficiencies;

– recommendations for reducing risks that have a significant impact on the object of analysis.

The conclusions and recommendations prepared by the employees of the internal control service are further used to improve and optimize the bank's internal control systems.

It should be noted the need for an annual reassessment of the risks arising in the bank's activities. The reassessment under consideration is carried out by the internal audit service and is a set of measures, including updating the list of objects to be inspected.

There are three approaches to assessing the quality of the internal control system in credit institutions.

1) COSO Model – offers a comprehensive approach to risk management that considers the diversity and interdependence of a credit institution's “weaknesses” and the influence of external factors such as increased competition, changing market conditions, changing legislation, and so on.

The 2013 update to the Internal Control – Integrated Framework helps organizations design and implement internal control in light of the many changes in business and operating environments since the issuance of the original Framework in 1992.

According to the COSO Internal Control – Integrated Framework model, the internal control system consists of 5 interrelated components: control environment, risk assessment, control procedures, information environment and communication system, monitoring.

The control environment includes so-called "control pillars".

Risk assessment. Since controls are established to mitigate risk, an effective control system presupposes knowledge of the current "risk map". Risk assessment in different areas is carried out with varying degrees of formality. The internal audit department conducts an annual reassessment of the so-called risk "universe of auditing", which is a list of audited areas. Typically, the “universe of auditing” encompasses a wide range of processes in an organization. But it is not all-encompassing, i.e. there are risks in the organization that are not “captured” by the “audit universe”. For example, the process of preparing financial statements is usually found in the universe. And the process of analyzing financial results and forecasting them is not. The reason for this is the difficulty of auditing non-routine processes.

Control procedures are so-called “actions” of control, which are instruments of “direct” control:

– Certainty in the division of powers;

– Physical and system access control;

– Adequate supervision, training, segregation of duties;

– Transactions are authorized and recorded;

– Existing policies, procedures, responsibilities are documented;

– The assets recorded are compared with what is available.


These control actions are clear enough from their names. Here is an example of the consequences of ineffective transaction authorization. The manager, not authorized to sell the equipment, instructed the engineer to find potential buyers for the retired production line. The extremely expensive line was sold for half its market value.

Information and communication implies the presence of communication between the structural units of one organizational unit, which contributes to the exchange of experience and knowledge, thereby preventing possible mistakes.

Monitoring. This group includes various types of supervision of higher levels of management over the work of lower ones. This includes various types of audits, including quality audits, safety precautions, and internal audits. Monitoring often involves comparing current results with expected ones. Therefore, the standards refer to this group of control elements.

Thus, according to the COSO model, control is a necessary condition for minimizing risk. An internal control system is effective if it is formed through a reasonable combination of the above elements.³⁰

2) The recommendations of the Basel Committee on Banking Supervision are a certain set of principles according to which the assessment of the quality of internal control systems should be built. These principles are published in the Letter of the Central Bank of the Russian Federation dated July 10, 2001 No. 87-T. The Basel Committee proposes 13 principles for assessing internal control systems. In accordance with the recommendations of the Basel Committee, the following criteria for an effective internal control system can be distinguished:

– Responsibility of the Board of Directors for the creation and functioning of an adequate and effective internal control system;

– Management actions aimed at ensuring an effective internal control system;

– Creation of a corporate culture that emphasizes the importance of internal control;

– Assessment and identification of possible risks on an ongoing basis;

– Creation of an appropriate control structure in which control functions are defined for each level of the bank's activity;

– Clear division of responsibilities;

30 The Essentials of Risk / Management from English / M. Crui, D. Galay, R. Mark; scientific. ed. V. B. Minasyan. M.: Yurayt Publishing House, 2017. 390 p.

51

–Timely,complete,accessibleinformationofafinancial,operationalnature,aswellasinformationoncompliancewithestablishedregulatoryrequirements;

–Availabilityofreliableinformationsystemscoveringallthemainactivitiesofthebank;

–Availabilityofeffective informationsystemsavailable forunderstandingandcompliancebyemployeesinpractice;

–Monitoringtheeffectivenessofinternalcontrolonanongoingbasis;–Havinganinternalauditfunctionthatindependentlyevaluatesthecontrol

systemsintheorganization.–Timelyinformingmanagersandshareholdersaboutidentifieddeficiencies

ininternalcontrol;–Theinternalcontrolsystemshouldbeconsistentwiththenatureandcom-

plexityofthebank'sactivities.Thus,aprerequisitefortheeffectivenessoftheinternalcontrolsystemisthe

implementationoftheprinciplesproposedbytheBaselCommitteeonBankingSu-pervision.

3) Recommendations of the Institute of Internal Auditors [11] and the Association for Audit and Control of Information Systems [12] – the purpose of this approach is to popularize the internal auditor in the profession.

Russian banking practice in relation to approaches to assessing the quality of the internal control system is currently determined by the Letter of the Central Bank of the Russian Federation dated March 24, 2005 No. 47-T “On Methodological Recommendations for the Audit and Assessment of the Organization of Internal Control in Credit Institutions”. The Methodological Recommendations clarify the procedure for conducting an audit of the organization of internal control and are intended mainly for use by authorized representatives of the Bank of Russia in making reasoned judgments and for testing new approaches to assessing the organization of internal control in credit institutions. The guidelines indicate the following verification objectives:

1) assessment of the credit institution's compliance with the rules for organizing and exercising internal control established by Regulation 242-P;

2) assessment of the reliability of reports and other information on internal control in a credit institution submitted to the Bank of Russia;

3) assessment of the compliance of the internal control organization with the nature, scale and conditions of the credit institution's activities.

According to the Methodological Recommendations, the audit of the organization of the internal control system can be carried out both as an audit of the internal control system as a whole, and as an audit of individual operations of internal control. The Central Bank applies a method of qualitative assessment of the internal control system using scores and weights. Despite the fact that the Methodological Recommendations under consideration are intended for use by authorized representatives of the Bank of Russia, these recommendations can also be considered by the heads of the internal control service as an additional source of assessing the quality of the existing internal control system.

Chapter 3. Organization of the internal control system and the importance of ICS

3.1. Organization of the internal control system on the example of Russian banks

It is advisable to count the following among the most important threats to the financial security of a commercial bank:

- general economic downturn;
- devaluation of the national currency;
- volatility and unpredictability of exchange rates;
- lack of liquidity;
- loss of business reputation;
- loss of clients and their trust in institutions and companies;
- seizure of financial assets for preservation and management;
- decreased demand for financial services;
- low level of regulatory and reserve capital;
- falling incomes of the population and their inability to fulfill their financial obligations;
- reduction of credit and other types of financial transactions;
- ineffectiveness of financial management;
- fraud;
- shortcomings in the organization of state regulation and supervision.

Thus, the specification of threats to the financial security of a commercial bank will allow the bank's management to identify the necessary directions for risk management.

The basis for ensuring the financial and economic security of a commercial bank is a certain concept that includes goals, objectives and principles of activity. The purpose of this system is to minimize external and internal threats to the economic activity of the bank, including its financial, material, informational and human resources.

For the timely identification of existing and potential shortcomings in the field of ensuring the comprehensive financial security of a commercial bank, it is necessary to determine the appropriate indicators and conduct constant monitoring in order to develop and implement the necessary measures.

The reliability, and, consequently, the financial security of a commercial bank, can be determined using quantitative indicators in analytical work such as:

- the share of problem loans in the volume of the bank's net assets, which testifies to the quality of its loan portfolio, as well as the riskiness of the credit policy;
- the ratio of highly liquid funds and current liabilities of the bank, which shows the degree of its protection against the risk of withdrawal of funds at one moment by all clients;
- the ratio of own and borrowed funds, which characterizes the level of the bank's reliability in the long term, being an assessment of its ability to cover with its own funds the volume of liabilities to customers;
- the share of highly liquid assets in the bank's net assets, the value of which helps to assess the medium-term level of liquidity;
- return on net assets.

Next, let's look at the quality indicators. Among the indicators of the financial security of a commercial bank, an important place should be given to the indicator of the share of credit debt of the population in the total volume of credit debt.

An important place in the financial security system of commercial bank clients is occupied by the size of the loan interest, since it allows you to find out the profitability of the implementation of the project for which a loan is taken, that is, whether the costs will be recouped. In turn, the interest coverage ratio, which is characterized by the ratio of net profit to the amount of interest paid, indicates the level of security of lending activities of commercial banks.

A very expressive indicator of the financial security of a commercial bank is the share of funds raised from citizens in the total amount of funds raised. Of course, an indicator of the financial condition, and, consequently, of the security of the banking system, is the level of profitability of the authorized capital of commercial banks and their net assets.

In assessing the performance and success of the bank, the following indicators are indicative: firstly, the ratio of profit to average annual capital (minimum expectations of shareholders in terms of business profitability, taking into account medium-term development costs) and, secondly, the ratio of profit to average annual assets (efficiency of using the bank client funds). It is these criteria that are indicators of the bank's effectiveness, taking into account the risks.

For a deeper analysis of the strengths and weaknesses of a commercial bank, more specific qualitative indicators are used: average assets per employee (indicates the efficiency of staff loading), operating profit per employee (staff efficiency), intrinsic value of banking services, efficiency ratio of raised funds and the like. The volume of assets per one employee of the bank can also serve as an indicator.

Failure to comply with the standards is an indicator of the potential threat of loss of liquidity and solvency of a commercial bank.

Compliance with the rules, requirements and standards established by the state supervisory authority is guided, first of all, by intrabank control. Control over the activities of a commercial bank is carried out by bank managers in accordance with their functional responsibilities, as well as by internal and external auditors. The main purpose of internal bank control is the timely identification of negative trends and shortcomings in the bank's activities in order to develop measures to eliminate them. Thus, control not only logically completes the bank management process, but also gives impetus to new management decisions.

Consequently, ensuring the economic security of a commercial bank is a complex, continuous and multilateral process. Bank managers must view security as one of the most important areas of their management activities. To build an effective system for managing the economic security of a commercial bank, it is necessary to involve various specialists: not only economists, but also mathematicians, programmers, psychologists, analysts. It is necessary to continuously modernize management tools and keep up with the development of modern information technologies. Bank owners should understand that it is better to prevent crisis situations, and not to economize on ensuring financial and economic security, than to incur increased costs later, eliminating the consequences of a crisis situation.

In modern conditions of development of the banking system, the task of assessing its financial and economic security and developing a set of criteria and indicators that would give a qualitative and quantitative characteristic of its level becomes especially urgent. The main indicators of the analysis of the economic security of a commercial bank should include indicators related to the organization of money circulation, the sphere of payments and settlements, lending, the effectiveness of the development of the banking sector, the presence of foreign capital, as well as indicators characterizing the observance of state legislation and regulations by credit institutions, and the like.

The completeness, timeliness and effectiveness of management measures to eliminate and prevent existing and potential threats in the banking system, and, consequently, the national economy and social sphere of the Russian Federation, largely depend on an adequate assessment of the current level of financial security of a commercial bank.31

The problems of internal control remain significant, relevant and important for the banking community to this day. The main document regulating the work is the Regulation of the Bank of Russia dated December 16, 2003 N 242-P "On the organization of internal control in credit institutions and banking groups."

Let us consider the organization of the internal control system using the example of two conditional banks (the so-called federal and regional banks) in order to identify common features, main disadvantages and advantages of the existing system, and also offer recommendations for improving the current system.

The internal control system of the federal bank is formed in accordance with the principles of COSO, which were discussed in Chapter 2 of this work, and includes the following elements:

1) Control environment;
2) Regulation;
3) Risk assessment;
4) Control procedures;
5) Information support and information exchange system;
6) Control and monitoring of the efficiency of the system itself.

Note that the federal bank's internal control system includes such a component as "regulation", which is not mandatory in the COSO model. Regulation is a system of normative documents governing the activities of the bank, its divisions and employees. Regulation includes the development, adoption and enforcement of regulations. Thus, regulation is a component of the internal control system that provides compliance control.

31 Andreeva T. E. Risk in a market economy: [textbook. manual] / T. S. Andreeva, T. E. Petrovskaya. X.: "Burun and K", 2017. 128 p.

The considered federal bank provides for the following control procedures:

1) Control over the implementation of the financial and business plan;
2) Reconciliation of operational data with the budget;
3) Reconciliation of data submitted by various structural divisions of the bank;
4) Arithmetic verification of the correctness of accounting records;
5) Checking the correctness of the workflow;
6) Evaluating the effectiveness of certain transactions;
7) Checking the presence of permissive resolutions of managers on primary documents;
8) Conducting regular and unscheduled inspections and inventories of the bank's property and its obligations;
9) Conducting reconciliation and confirmation of settlements;
10) Using information from external sources for control purposes;
11) Control over the use of tangible assets;
12) Physical restriction of access to assets, primary documentation, accounting registers and computer accounting files.

The presented list of control procedures is sufficient to ensure an effective internal control system within the COSO model.

To solve the problems of information support of internal control in a federal bank, a systematic approach is used. A systematic approach to information support of internal control in a bank means the presence of a set of interrelated elements that ensure the organization of information for the implementation of effective internal control. Information is provided through external and internal information systems. External information systems include legislative, regulatory documents, information systems based on information technology (SWIFT, Reuters, Internet resources). Internal information systems include internal regulations of the Bank, accounting and reporting system, automated banking system, economic security system of the Bank, marketing information system (the Bank's website on the Internet).

To ensure that all subjects of internal control understand the internal control policies and procedures adopted by the Bank and ensure their implementation, the federal bank operates effective information exchange channels: e-mail, automated banking system.

In order to ensure information security, the federal bank takes measures such as password protection; access control to the premises where computer equipment is installed; control by the information security administrator over the actions of users at all stages of work; establishing the procedure for connecting users to the automated banking system.

Monitoring – the final stage of the internal control process – is carried out in the course of current activities, through periodic inspections by the management and employees of various departments, including departments carrying out banking operations and other transactions and their reflection in accounting and reporting, as well as by the internal control service.

The subjects of internal control of the federal bank are shown in Figure 2. As can be seen, the internal control system includes all employees of the credit institution, which complies with the Basel principles of building an effective internal control system. A wide range of subjects of internal control of the federal bank confirms that internal control is carried out at all levels of the management structure: from ordinary employees to top managers and is headed by representatives of the Bank's owners.

Figure 2. Subjects of internal control of the bank

[Figure 2 elements: Internal Audit Service; Strategy and Risk Audit Committee; Supervisory Board / Directorate Board; Management Board of the Bank; Special services performing control functions and risk management; links labelled "Accountability" and "Referral for consideration".]

Let's consider the Audit Committee and the Internal Control Department in order to identify functional differences between the specified subjects of the bank's internal control. According to Regulation No. 242-P, the creation of the Internal Control Service and the Internal Control Service is a prerequisite for organizing internal control in credit institutions. Nevertheless, the creation of such a body as the Audit Committee is not regulated in Russian legislation; therefore, the question arises whether the audit committee duplicates the activities of the ICS and how justified the formation of an audit committee is in general.

The Audit Committee was created to analyze the effectiveness of internal control and audit, as well as to analyze financial statements and prepare recommendations to the Board of Directors on these issues. This body is fully accountable to the Board of Directors, which ensures the independence of internal control. The main goal of the Audit Committee is the creation and functioning of effective internal control in the Bank, with the exception of the control function in terms of banking risks management (this is within the competence of the Internal Control Department). The exclusive functions of the Committee are the assessment of candidates for auditors (external) of the Bank, assessment of the opinion of the external auditor, assessment of the effectiveness of the internal control procedures of the Bank and preparation of proposals for their improvement. That is, the Committee acts as an intermediary between the external auditors of the Bank and the Board of Directors. At the same time, the Audit Committee acts as a coordinator of the work of the Internal Control Department and other internal control bodies, takes measures to ensure prompt implementation by the Bank's Management Board of the recommendations and comments of the Internal Control Department, the audit organization and supervisory bodies. Thus, the Audit Committee can be considered as the highest internal control body in the hierarchy of the internal control system.

The most important subjects of internal control are the Bank's special services: the Internal Control Department and the Risk Management Department.

Risk assessment is a key link in the internal control system and is an element of the COSO model of an effective internal control system. The Risk Management Department is vested with the necessary powers to implement the risk management process in the Bank. It is the Risk Management Department that is responsible for the implementation of measures aimed at risk reduction:

1) Identification of risks that are basic and inherent for the main activities of the Bank;
2) Implementation of appropriate processes and procedures that are necessary and aimed at identifying and tracking changes in risks;
3) Establishing the level of risk that will be acceptable for the Bank and its divisions, that is, which they can take on in order to achieve the set goals;
4) Determination of core control methods and concepts that do not allow the specified levels of risk to be exceeded.

The risk management system in a federal bank is represented by three levels:

1st Level – Internal documents of the Bank governing the assessment and process of banking risk management;
2nd Level – Subjects of the risk management system;
3rd Level – The list of management reports – which department or employee prepares the report, to whom it is provided, the timing of the submission.

Figure 3. Internal control system

• 1st level of control: Business and other divisions responsible for direct work with the client, or control in one line (4-eyes principle)
• 2nd level of control: Financial monitoring (AML), Back office, Risks, control, Security, Accounting, Internal control, etc.
• 3rd level of control: Internal Audit Service

The Internal Control Department represents the internal control service at the federal bank. The Internal Control Department reports to the Board of Directors. The main tasks of the Internal Control Department are an independent and objective assessment of the reliability and efficiency of the risk management and internal control systems. In fact, the Internal Control Department carries out internal audit of a credit institution, including financial audit, operational audit, management quality audit and compliance control. It is the Internal Control Department that assesses the effectiveness of the Risk Management Department in managing banking risks. Thus, the role of the Internal Control Department in banking risk management is to verify the completeness and effectiveness of the risk assessment methodology and risk management procedures, which are directly implemented by the Risk Management Department.

Consider the interaction of the Audit Committee and the Internal Control Department. The Audit Committee coordinates the work of the Internal Control Department by attending department meetings to discuss audit and internal control issues. The Internal Control Department provides the audit committee with the necessary reports; the audit committee considers documents on the internal control structure of the Bank and approves measures to ensure that the Bank's Management Board timely fulfills the instructions and replies of the Bank's Internal Control Department. Thus, the audit committee analyzes the activities of the Internal Control Department, forms recommendations for the executive bodies of the Bank on the basis of the information received, and is responsible for implementing measures that increase the efficiency of the credit institution's internal control system. Consequently, the audit committee does not duplicate the functions of the Internal Control Department, but plays the role of an independent regulator of the Bank's internal control system, relying on the results of the ICS department.

In conclusion, we note that among the obvious advantages of the federal bank's internal control system is its compliance with the principles of the COSO model; the recommendations of the Basel Committee are also taken into account. It is interesting that there is an Audit Committee in the organizational structure of the Bank, which is not quite typical for Russian practice. Such a body as the Audit Committee makes it possible to ensure the effective independence of the subject of internal control from the executive bodies. The Audit Committee can be considered as an intermediary between the Board of Directors and the Bank's external auditors. At the same time, the Audit Committee closely interacts with the ICS, contributing to the improvement of the efficiency and quality of the latter's activities.

Consider the organization of the internal control system in a regional bank. A regional bank is characterized by the organization of an internal control system traditional for credit institutions of the Russian Federation, which includes the following subjects of internal control:

1) Management bodies (Board of Directors, President, Management Board);
2) Audit committee;
3) Chief accountant (his deputies) of a credit institution;
4) Head (his deputies) and chief accountant (his deputies) of a branch of a credit institution;
5) Bank committees (risk management committee, asset and liability management committee, others);
6) Internal Control Service and Internal Control Service;
7) Risk Management Service.

According to the author of the work, it is imperative to include ordinary employees of the bank in the list of subjects of internal control, since they are the executors – participants in the bank's business processes; therefore, control at the execution level could be the key to increasing the overall efficiency of control procedures.

Let us consider the functions and role of the ICS in the internal control system of the Bank as a whole, in the management of banking risks in particular.

Direct control of the Board of Directors ensures the independent functioning of the internal audit service. Also, IAS does not carry out activities subject to audits.

In the regional bank, a special body coordinating the work of the IAS, such as an audit committee, has not been created. The Internal Audit Service interacts with the Board of Directors of the Bank directly, reporting on issues and problems that arise during the internal audit, as well as recommendations for their solution and / or elimination. In addition, the audit service discloses this information to the President, the Management Board of the Bank.

To carry out internal control in the branches of the regional bank, a special Internal Control Department was created, the functions of which correspond to the functions of the ICS of the head office. The head of the internal control department reports to the head of the Bank's ICS.

One of the IAS functions is to check the completeness and effectiveness of the banking risk assessment methodology and banking risk management procedures. It should be noted that risk management is carried out by the risk department. The role of the IAS in minimizing banking risks is the subsequent control and analysis of the activities of the Risk Management Committee.

Thus, in comparison with a federal bank, the system of internal control in a regional bank is easier to organize. In a regional bank, IAS performs the functions of the Internal Audit Department of the Federal Bank, as well as the Audit Committee of the Federal Bank. Such an arrangement may take place if the costs of setting up an independent intermediary body, such as an audit committee, outweigh the potential benefits.

Figure 3. The main components of the audit of the internal control system

[Figure components: Completeness; Adequacy; Functionality; Reliability.]

Internal procedures are defined and implemented; processes, roles and responsibilities are regulated and ensure that all risks are properly managed and regulatory compliance is met.

ICS is considered adequate if the control of the first and second lines provides coverage of the main risks. The ICS should be built according to the principle of proportionality with existing business risks.

The ICS effectively functions when controls of the first and second levels of protection are promptly introduced into business processes. All components of the ICS work in an integrated manner.

The ICS can be considered reliable if the controls allow timely identification of potential or existing problems. Corrective actions are promptly taken to solve problems and improve the overall efficiency of the ICS.

Any business process is somehow associated with risk. This is what led to the emergence of a risk-oriented audit, in which a specialist assesses the likelihood and possible consequences of risks, the security of the company and gives recommendations on minimizing risks and building a control and risk management system.

Risk-based audit – the formation of an independent assessment of the degree of the Bank's security, its ability to achieve the set goals, identification and determination of the degree of risks, development of an action plan to cover them.

The high popularity of the risk-based approach (compared to the compliance approach) is ensured by its focus on high-risk areas, which allows taking preventive measures in time, identifying and eliminating weaknesses and thereby avoiding the negative consequences of risk realization, including the risks associated with fraud.

The existing methods of identifying and assessing risks are essential factors of effective audit in modern conditions; however, their modernization in the organization of internal risk management allows internal audit to reduce audit risks and at the same time improve the quality of work.

The effectiveness of modern internal audit also significantly depends on the professionalism of the team of internal auditors.

3.2. Recommendations for building an internal control service in credit institutions

In Russian legislation, the place of the internal control service in the organizational structure of the bank is enshrined in Regulation 242-P, while the internal control service is assigned the function of managing regulatory risk. According to A.A. Arslambekov-Fedorov, who considers the bank as a certain production unit, the IAS is a division that performs production functions [2]32. At the same time, the ICS performs both production and organizational functions. Consequently, the ICS is engaged in organizing and creating control mechanisms for the entire spectrum of banking activities. It should be noted that internal audit is primarily aimed at ensuring follow-up control, in particular, at identifying violations after the operation on the basis of data on its performance. Internal control is aimed at ensuring conditions and algorithms for the implementation of banking operations that make it possible to exclude or significantly reduce errors and abuse.

From the point of view of the goals of the ICS and IAS activities, the main task of the ICS, as a rule, is to build and maintain an organization's internal control system. In turn, the IAS is called upon to perform broader tasks of providing guarantees and advice in the areas of internal control, risk management, and corporate governance.

32 Arslambekov-Fedorov A.A. Internal control system of a commercial bank. M.: UNITI-DANA, 2004. 191 p.

According to the definition of internal audit, which is given by the international Institute of Internal Auditors: “internal audit is the activity of providing independent and objective guarantees and advice aimed at improving the activities of organizations. Internal audit helps an organization achieve its objectives by taking a systematic and consistent approach to assessing and improving the effectiveness of its risk management, control and governance processes.”33 Taking into account the above definition, internal audit can be considered as an integral part of the ICS.

The structure of the internal control service can be organized in one of the following ways. In the first case, the internal control service includes such structures as internal control and internal audit departments, as well as a department dealing with risk management and other analytical and controlling departments of a credit institution. In this case, we are dealing with a multifunctional structure covering various areas of the bank's activities.

In the second case, the internal control service is a separate structural unit that interacts with other units performing control functions. In this case, it is necessary to provide the relevant rights and obligations to the internal control service.

The choice of structure is determined by the specifics of the bank, the availability of the necessary resources, and established practice. However, both in the first and in the second case, the functions and methods of work of the internal control service in the main remain identical and should not disrupt the technological processes in the credit institution.

An advisory body may be created under the board of directors – an audit committee, which is not responsible for specific aspects of activities, unlike the board of directors and management, since its tasks include only facilitating the exchange of information between the various parties involved in the internal control process and assisting the board of directors in the performance of its duties.

The audit committee can perform the following functions34:

1) ensure communication between the board of directors, management and internal and external auditors;
2) monitor the performance of internal audit functions and assess the degree of independence, quality of work and the scale and cost-effectiveness of the unit performing the internal audit functions;
3) conduct an independent audit of financial information contained in reports for external users;
4) make recommendations on the appointment of an external auditor;
5) check the compliance of the board of directors and the bank with applicable laws and regulations;
6) evaluate the sufficiency and efficiency of the internal control in general.

The audit committee should be able to request any necessary data and materials, to order any investigation. For approval by the audit committee, a provision on the internal audit unit, an audit schedule, as well as calculations of the resources necessary for the unit may be submitted.

33 International Standards for the Professional Practice of Internal Auditing. The Institute of Internal Auditors, 2005.
34 Pashkov R.V., Yudenkov Yu.N. Corporate governance in the bank (monograph). M.: RUSAYNS, 2016. 312 p.

It is advisable to coordinate the work of internal and external auditors at the level of the audit committee. This committee is provided with the work plan of the external auditors, their conclusions and recommendations. In addition, internal and external auditors can exchange reports, discuss issues that are in their general competence. The head of the internal audit department is called upon to ensure that the work of his subordinates does not duplicate the activities of external auditors.

It is necessary to organize meetings of the audit committee, which may be attended by the chairman of the bank's board, internal auditor, and external auditor in order to improve performance.

At meetings of the audit committee, the following can be discussed:

1) the functioning of the internal control system;
2) problems of functioning of the internal audit department;
3) areas of risk to be covered by the internal and external auditor in the analyzed year;
4) data on the reliability, completeness and accuracy of financial information provided to the bank's management and external users;
5) problems identified during internal and external audit;
6) prospective external audit candidacy35.

The authors of the document "Conceptual framework for risk management of organizations" note that the internal audit service (IAS) should be organized in such a way as to assess the Bank's work objectively and have access to the top management and the audit committee under the board of directors (BoD). In addition, the level of subordination of the chief auditor should be such that the internal audit function operates smoothly and efficiently.

All of the above is achievable due to the functional subordination of the IAS to the board of directors and the head of the organization. This is also stated in the document "Conceptual framework for risk management of organizations". The authors emphasize the need for the head of the IAS to be accountable to the heads of the company: the head of the IAS is functionally subordinate to the board of directors and is administratively subordinate to the general director. Such a structure is necessary for the independence of the IAS and its audits. Issues related to the subordination of the internal audit function generate a lot of debate in companies. This is influenced by the professionalism of board members and managers, the specifics of the relationship between the board of directors and executive management, and the specifics of corporate culture in a particular organization.

What the internal audit service does in the Bank also plays a role. If it is engaged in audits, then, logically, it is subordinate to the top executive management – in this way it controls the work of management. If the internal audit service is a part of the corporate governance system through which the Board of Directors fulfills its obligations, then, according to the same logic, the IAS is subordinate to the board of directors in order to be independent from the Bank's management. In turn, the IAS and external auditors contribute to the preservation of the independence of the board of directors from management in terms of obtaining data on the activities of the organization. IAS will be able to provide the board of directors with objective information only if it does not depend on the executive management.

35 Utkin E.A., Sukhanov M.S. Banking audit. M.: TEIS, 2003. 223 p.

If the IAS is subordinate to the board of directors, is this a complete guarantee of its independence and does it increase the usefulness of the internal auditors at the Bank? The answer to this question depends on the professionalism of the board of directors and its composition. Subordination of the IAS to it is beneficial only when:

– The Board of Directors is an independent body, not a tool for implementing the ideas of executive management;
– the BoD is composed only of independent directors;
– Board members understand exactly what internal audit is needed for.

However, even if these conditions are met, and the IAS is subordinate to the board of directors, it is not possible to achieve positive results in all cases:

1. Sometimes there is a lack of confidence in the executive leadership of IAS. This negatively affects the course and results of the auditors' work.
2. When the IAS is accountable to the Board of Directors, rather than to executive management, it can become an “uncontrolled” body because the Board cannot monitor its actions. The effectiveness of the results in this case will be influenced by the professionalism and personal qualities of the chief internal auditor.

In many international credit institutions, the independence and objectivity of audit assessments of the ICS exists only because internal auditors are subordinate to the board of directors, which is fully responsible for the safety and financial success of its organization.

The stages of creating an ICS can be as follows:

I. Opening a subdivision, including a manager and several employees, and drawing up a regulation on the formation of the ICS. At this stage, the staffing table is prepared and the employees are assigned tasks. The ICS interacts with the personnel department and the heads of the credit institution.

II. A list of business processes that are important to control in a particular Bank is compiled. This list can vary significantly from organization to organization. The list of processes is formed taking into account the most serious financial risks in the Bank. The ICS interacts with the accounting department and back office branches.

III. The ICS interacts with different departments of the credit institution and draws up a list of control procedures necessary to minimize risks. If it is necessary to keep track of the limits of an open position, transactions with clients, limits on counterparties, or market quotes of transactions, the ICS talks with the employees of the departments involved. In order for the ICS to work effectively, it must employ auditors who are able to independently cope with information processing and understand the databases and other software of the Bank.

IV. The list of business processes subject to control by the ICS is expanding. It includes all areas of the organization.

If the bank is multi-branch, then at the fifth stage the activities of the internal control service extend to the bank's divisions.

It is recommended to carry out scheduled inspections during the last month of the year to regularly assess the risks associated with business processes. Auditors analyze the main business processes, find out which links of these processes are at risk, and put the necessary questions to the "owners" of the processes associated with a high degree of risk. For example, in the case of issuing plastic cards, the role of the "owner" of the process is played by the plastic cards department. The ICS meets with the head of the department and his staff, finds out if the auditors' assumptions about risks are correct, and discusses possible changes to reduce them. The internal control service makes its conclusions after collecting and analyzing the opinions of all parties.

After that, an assessment of the risks themselves is carried out. Personnel turnover significantly increases the level of operational risk. If many new employees appear in a credit institution, they have to be trained, and the institution has to be prepared for possible mistakes due to the inexperience of these employees or their ignorance of the specifics of business processes in a particular bank.

Based on the results of the risk assessment, the President of the Bank comes to his own conclusions and informs the ICS which of them require a priority check. Priorities are allocated among risks on a points system. Based on this rating, an audit plan is drawn up, taking into account the need for rotation. If the internal control service has already considered the risks of some process, for example, last year, and did not find serious violations, it will re-assess it in a year or two. If violations and risks are found regularly in any business process, and they are serious, it is recommended to conduct an audit annually.

It is necessary to strive for compliance of the ICS activities with the add value principle. That is, the division must act in such a way as to be useful to the Bank and increase its market value. All of the above applies to this principle:

– prioritizing risks;
– collection of opinions of the "owners" of the business process;
– estimates from the SLE and the President of the Bank.

"Priority checks" of the ICS are audits that are initiated by the business, that is, they were not planned in the annual plan and were not approved by the audit committee. For example, the cost of the same services differs between regions, the Bank has started working with a new supplier, and there is information that the Bank pays less for the same services in another region. In such cases, the ICS conducts an independent investigation and establishes the reasons. Such reasons may include the incompetent conduct of a tender or a violation of the "conflict of interest" principle (acquaintances or contacts used for personal purposes); there may also be an elementary mistake of a bank employee, such as a lack of the necessary knowledge of prices and services in a particular region.

The third area of ICS activity is risk and advisory services (RAS), which means business consulting at the stages of developing new directions and introducing new projects, and consulting when issuing new internal guidance documents.

Thus, the role of the ICS in the proposed risk management model is to periodically analyze and assess risks in the bank's business processes, as well as to provide consulting services at the stage of developing and implementing new projects.

From the point of view of the effectiveness of the organization of the internal control system, the divisions can be divided as follows.

Firstly, it is advisable to treat separately a unit that is not entitled to conduct banking operations: a representative office.

Secondly, it makes sense to divide the rest of the geographically remote structural divisions of the bank into 2 groups according to the degree of riskiness of their activities. Group 1 consists of remote subdivisions, which usually carry out all, most or a significant part of the operations (transactions) permitted by the bank's license and also carried out by the head office of the bank. Branches are such subdivisions. The risks of branch activities are always quite high. In addition, significant cash flows can pass through them. It should also be borne in mind that the branch maintains its own balance sheet.

Group 2 includes all other remote subdivisions, which usually provide a limited range of banking services, are, as a rule, not high-risk, and through which, as a rule, insignificant cash flows pass. That is, the risks of the activities of these divisions in the standard case are relatively small.

The most experienced employees of the ICS should work in the branches of the Bank. Perhaps the manager of each branch should appoint a controller from among the employees of the ICS. This employee will be accountable to the head of the Bank's ICS.

If there is no way to choose a controller, one of the branch employees will have to perform his work. For this, an order is issued to the manager of the branch. The employee should not belong to the business unit, because his activities will most likely be audited by the ICS. The controller's candidacy must be coordinated with the head of the Bank's ICS.

In order for the controller to take up his duties, his status and subordination must be approved in the corresponding position. The specified document stipulates the independence of the staff from the management of the branch, the transfer of data to the main office of the Bank without the consent of the leadership of the branch, and free access to all documents (including electronic ones) and the data of the branch. The controller must be independent from the administration in all respects. It is unacceptable for the head of a branch to be allowed to dismiss the controller, demote him, or reduce the amount of his wages. Everything related to the controller's incentives should be decided by the head of the UCWU.

The controller must be provided with a description of his duties and the rules for their implementation. The meaning of his work is to control the activities of the branch in the provision of banking services, provided that the Bank is managed by employees of the head office. The employee prepares and sends to the head office standardized reports on the procedures. These reports will be processed automatically. In our opinion, it is advisable to use special software.

The formation of the ICS is in many ways different from the formation of other services in credit institutions:

The employees of the internal control service find themselves "above" the business processes. Therefore, they are obliged to know about everything that happens in the Bank. This is always due to their close attention to employees of other parts of the organization. Employees of the ICS are required to have professional qualifications and experience no less than that of employees of the audited units. Such a high qualification implies a high reward.

Employees of the ICS will be in opposition with those who work in the inspected subdivisions. Most often, divisions formally agree on the need for regular inspections, but imply at the same time conducting inspections in all other divisions, except for their own.

In combination with the fact that the costs of maintaining the ICS are tangible for any credit institution, the above circumstances may entail opposition between the Bank's employees at the stage of ICS formation. In order for this opposition to cease to interfere with the well-coordinated work of the Bank, it is necessary to eliminate the uncertainty as soon as possible, identifying the specific goals and objectives of creating the ICS.

3.3. Methodological approaches to the formation of the auditor's report

This document was developed in addition to the current Regulation on the IAS, as well as in addition to the "Procedure for interaction of the Internal Audit Service with audited units during the audit" (document under development) and defines a list of requirements for the formation / writing of audit reports, including:

- Cover page, including the section “Main results of the audit”;
- Audit Report Structures;
- Section introductory information;
- Audit results;
- Audit area assessments;
- Formation / writing of audit observations and recommendations;
- Coordination of audit observations and recommendations;
- Formation of working papers / Documenting the results of the check;
- Making recommendations in the database “Prescriptions of the ICS and IAS”.

TITLE PAGE

The cover page of the audit report contains the following elements:

2.1. Bank name in the header.

2.2. Be sure to indicate the “Confidential” stamp in the header on the right opposite the inscription indicated in clause 2.1.

2.3. Document Title – Audit Report

2.4. Audit topic:

In the case of a scheduled audit, the topic of the audit coincides with the topic specified in the IAS work plan for the current year. In case of an unscheduled audit, the following must be indicated:

– Special investigation into the fact/s …
– Analysis of the causes and factors of the formation of a problem asset …
– Audit of the process / functional of the department …

2.5. Subdivisions to be checked:

When listing the departments to be checked, the main departments responsible for the process / functionality, the facts analyzed during the unscheduled / planned check will be indicated first.

2.6. Date of issue of the report: indicate in the format DD.MM.YEAR

The date of issue of the report must coincide with the date of the SZ of the release of the report.

Before the release of the report, it is necessary to clarify with the Head of the IAS the possibility of issuing the report by the current date (relevant for audits completed at the end of the calendar month).

2.7. Audit type:

Audit type | Comment
Process | Indicated during the process audit.
Functional | Indicated when analyzing the functionality of the audited unit.
Compliance | It is indicated during the audit of the compliance of the current IRR with the requirements of the regulators.
PA analysis | Indicated when analyzing the causes and factors of the formation of a problem asset
Investigation | Indicated during the investigation.

2.8. Overall audit score:

The auditor chooses one of the following options, which is formed on the basis of the overall audit assessment, formed on the basis of the assessments of the audit areas (see section 5 of the document).

Evaluation Unoptimal or Unsatisfactory must be agreed with the Head of the Directorate and the Head of the IAS.

2.9. Heads of departments:

This column indicates (in the nominative case): position, surname, initials of the heads of the audited divisions, depending on the involvement in the process (from highest to lowest) within the framework of the audit.

Overall assessment / Assessment of the audit area

Optimally | Assessment of risk management related to audited processes / departments / audit areas. During the audit, effective methods were established to reduce risks in all aspects. At the same time, the disadvantages are insignificant or absent. Corrective action is not required or is minor.

Satisfactorily | Assessment of risk management related to audited processes / departments / audit areas. During the audit, sufficiently effective methods of risk reduction were identified. However, the deficiencies identified are minor and can be corrected in the normal course of business; however, some corrective action will be required.

Suboptimal | Assessment of risk management related to audited processes / departments / audit areas. In the course of the audit, insufficiently effective methods of risk reduction were identified. At the same time, the identified shortcomings are quite significant. The situation requires making changes by adopting recommended measures with the requirements for additional monitoring of the situation.

Unsatisfactory | Assessment of risk management related to audited processes / departments / audit areas. The audit revealed ineffective risk mitigation methods. At the same time, the identified shortcomings are significant. The situation can be corrected by taking immediate and effective measures to eliminate significant risks that could affect the quality of the processes.

2.10. On the right in the adjacent field are indicated (in the nominative case, in case of a match, there is no need to duplicate):

Full name of the Head of Internal Audit Service
Full name of the supervisor of the check (Head of the Directorate)
Full name of the Inspector
Name of the auditor / auditors

2.11. Procedure for Writing the Main Audit Results section:

!!! THIS SECTION OF THE AUDIT REPORT IS THE MOST IMPORTANT PART OF IT, IT SUMMARIZES THE RESULTS OF THE AUDIT TEAM.

!!! ON THE BASIS OF THIS SECTION, THE HEAD OF THE IAS PREPARES ON A QUARTERLY BASIS A PRESENTATION FOR SUBMISSION TO THE BANK'S MANAGEMENT BOARD, THE RISK AND STRATEGY AUDIT COMMITTEE AND THE SUPERVISORY BOARD.

!!! THIS SECTION SHOULD NOT EXCEED ONE TO ONE AND A HALF PAGES.

The first part of the section on the main audit findings provides an overall assessment in two to three paragraphs:

For instance:

As a result of the audit, the IAS notes the existence of a generally organized, streamlined and regulated process of countering money-laundering and countering the financing of terrorism (hereinafter CoPoC/FoC).

The SFM pays special attention to minimizing the Bank's involvement in transit operations, which is confirmed by a decrease in the volume of these operations, according to the regulator. According to the results of the 1st quarter of 2017, the volume of transit operations amounted to 18.10 billion rubles (528 clients); at the end of the 2nd quarter of 2017, the turnover was 8.5 billion rubles (279 clients).

In this part, it is necessary to reflect both the negative aspects and the objective "achievements" on the audited topic; it is possible to present the analytical information obtained during the audit (at a minimum, for example, the loan portfolio for corporate clients, the level of delinquency and the amount of the formed reserve), including the dynamics in the audited period, for example, by giving a snapshot at the beginning of the audited period and at the last reporting date before the start of the audit.

For instance:

As a result of the audit, the IAS notes, in general, that the remuneration system meets the requirements of Instruction No. 154-I. The Bank is taking measures to ensure that the remuneration system meets the legal requirements. At the same time, the IAS within the framework of the audit noted the following shortcomings that require further action on the part of the Bank's employees:

As a result of the audit, the IAS notes that the built-in process control system is not effective enough due to: lack of the proper level of process automation, incorrect distribution of functions between the units involved in the process and shortcomings in the regulation of the current process.

As part of this audit, IAS carried out a comparative analysis of the Bank's internal regulatory framework developed by the Bank of Russia Ordinance No. 3624-U (hereinafter referred to as 3624-U), as well as the Central Bank questionnaire used by the Bank for self-assessment. IAS believes that the Bank's regulatory framework must comply with both the 3624-U norms and the questions of the Central Bank questionnaire.

Based on the results of the audit, the IAS confirms that the Bank has developed and duly approved documents required in accordance with the requirements of 3624-U. Nevertheless, the IAS draws attention to the need for their insignificant revision in order to eliminate the existing inconsistencies with the requirements of the Bank of Russia, which is reflected in the corresponding observations of the IAS noted in this report. Here are the main ones: …

By points of sale

As a result of the audit, the IAS notes the existence of a generally organized, streamlined, regulated and efficient process of organizing the work of the ___ additional office of the ___ Branch of BANK URALSIB PJSC ___ (hereinafter – AO).

In general, the planned and budgetary indicators of subsidiaries for 2017 were met. According to the indicators "Operating expenses in relation to income" and "Operating profit per employee" during 4 quarters of 2017, AOs were assessed as "Highly effective" and "Highly productive", respectively.

Next, it is necessary to reflect the main most significant / risky observations made by the Review Team as part of the audit.

You can start with an introductory phrase like "During the audit, the IAS made the following observations" or similar content:

The list of observations must be structured by subject (IT systems, Process, Reporting, etc.), by analogy with the sections of the audit. This section is finalized after the approval of observations and recommendations on the draft audit report.

In terms of the specifics of regional audits, it is worth noting the need to reflect aggregated information on similar shortcomings in quantitative terms in the context of the sections of the audit:

For instance:

Lending to individuals' clients

– IAS found a violation of the deadlines for the transfer of credit dossiers for support to the Credit Controller (mortgage – 3 facts, consumer loans – 4 facts, credit cards – 2 facts);

– a violation of the established requirements for the certification of copies of documents for the Credit Dossier provided by borrowing clients was revealed (mortgage – 1 fact, consumer loans – 6 facts, credit cards – 5 facts, car loans – 1 fact);

– the absence of a credit dossier was established on the issued car loan, which has an overdue debt of 238.10 thousand rubles (1 fact).

In the conclusion of this section of the audit report, the recommendations given by the IAS to the responsible divisions are briefly aggregated. Here the following options are possible:

For example, if there are few recommendations, give the most important:

In order to eliminate the noted shortcomings and reduce the identified risks of IAS, the following recommendations were given:

– Regulate the missing issues in terms of conducting projects of categories A and B;
– Consider the possibility of introducing an agile project management procedure;
– Improve the SD-Mini-projects portal in terms of reflecting missing information for the user, systematizing test results;
– Consider the possibility of developing a resource planning tool for the purpose of operational work and exclusion of possible operational errors.

Or make a short summary by directions:

In order to eliminate the identified deficiencies and reduce the risks of IAS, recommendations were made on the revision of the existing Company Regulatory documentation (CRD), reporting forms, strengthening the internal control system, and on including requirements to cover the risks identified during the audit in the Pre-project “Implementation of the system of market risk limits”.

STRUCTURE OF THE AUDIT REPORT

When conducting a scheduled audit, the standard structure of the report assumes the following sections:

Purpose and scope of the audit
Introductory information
Audit results

When generating a report on the results of the investigation and analysis of the causes of the problem asset, the first two sections are not drawn up!!!

In the section audit results, the reflection of the results of the investigation / analysis of the causes of the problem asset begins immediately!!!

The auditor does not assess the audit areas!!! This title is not reflected.

3.1. Purpose and scope of the audit

This section of the audit report reflects the general information on the audit and at least duplicates the information reflected in the Order and the Notice on the audit. It is possible to make some changes in relation to the original objectives and areas of the audit specified in the above documents.

It is mandatory to indicate:

verification methods (interviews, solid checks, spot checks, documentary checks, work with automated systems);
verification period;
checked period:
audit budget in man-days

For instance:

The audit was carried out in order to analyze the process of managing models for calculating economic capital to cover market risk, as well as assessing the correctness of their implementation, including the compliance of the relevant internal regulatory framework with the requirements of Bank of Russia Ordinance No. 3624-U.

The main areas of audit are:

– audit of the model development process;
– audit of the primary model validation process;
– audit of the model approval process;
– audit of the model implementation process;
– audit of the model monitoring process;
– audit of the process of regular and unscheduled model validation;
– verification of compliance with the requirements of Ordinance of the Bank of Russia No. 3624-U.

Verification methods: interview, documentary verification.

Verification period: from 22.11.2017 to 15.12.2017.

Period under review: models for calculating economic capital to cover market risk as of 01.11.2017.

For instance:

Purpose: Evaluation of the effectiveness of the organization of work at the point of sale, development of recommendations for the optimization of business processes and the organization of control procedures.

Audit areas:

– fulfillment of planned and budgetary indicators in the audited period;
– lending to small business clients;
– lending to retail customers, including mortgage lending, car loans, consumer lending and issuance of credit bank cards;
– settlement and cash services for legal entities and individual entrepreneurs (including deposit operations);
– settlement and cash services for individuals (including deposit operations and transfers of individuals without opening an account);
– organization of cash work;
– organization of the division's work within the framework of CoPoC/FoC;
– organization of work in terms of information security;
– general organization of work in the department (including external, internal appearance, equipment of the point of sale, physical security, availability of job descriptions for employees);

Verification methods: interviews, analytical procedures, documentary verification.

Check period: from 12.03.2018 to 20.04.2018.

Checked period: from 01.01.2017 to 01.03.2018.

Introductory information

This section of the audit report provides concise information that may be useful to the user in order to better understand the organization / process being audited.

This section may reflect the following:

– important internal information and changes during the year (for example, new products, new projects, changes in marketing strategy, personnel changes, changes in inherent risk, changes in the process, significant items of income / expenses);

– important external information and changes (e.g. competition, population, laws and regulations, taxes, supplier support, global market conditions);

– changes in the structure and volume of risks (for example, new rules, changes in business volumes, changes in regulatory documents; volatility in exchange rates; crisis, changes in customer expectations);

– financial indicators (for example, for two years);

– description of IT systems, equipment related to the audit (in simple business language) (for example, new system implementations, list of equipment affected by this audit);

– other “interesting” information about the business, technology or risks (for example, description of the technology platform, number of jobs, number of employees, privacy information).

For instance:

The key priority of the Bank's strategic development, in accordance with the current Development Strategy of the Bank for 2016-2018, is building long-term relationships with customers based on an understanding of their needs and mutual benefits. The most important component of such a relationship is the high quality of customer service.

In this regard, the creation of an effective quality control system for customer service to individuals in the Bank's branches is becoming one of the key tasks of the Retail Business and Retail Business Division, in particular.

In accordance with the "Business process for managing the quality of service in servicing individuals" approved by the Board, the following tools were chosen to assess the quality of customer service for individuals:

polling system:

- telephone survey of customers' opinion on the level of service in the last service department;
- e-mail survey, which is a survey-questionnaire on the quality of service in the Bank's branches;

an electronic queue system used to organize services and distribute the flow of visitors, increase the throughput of the point of sale, as well as collect information for subsequent statistical analysis;

marketing research:

- "Mystery Shopper" – a study aimed at checking the compliance of front-office employees with the standards of communication with clients and standards of appearance;
- "Audit of the external design of the Bank's branches" – a study aimed at checking the standards of maintenance of offices, workplaces, the appearance of employees;

"Loyalty button" located on the service quality assessment panel and allowing customer satisfaction with the service provided to be assessed.

During 2017, Retail Business Division replaced the telephone survey of customers with an SMS survey, which makes it possible to quickly get the opinion of customers about the quality of service at a particular point of sale on a 10-point scale immediately after the end of the visit to the office, and also abandoned the “loyalty button” in connection with a low percentage of opinions received during the reporting period.

Audit results

The audit results reflect information on the assessments of the audit areas (see the table in clause 2.8 of this CRD).

As part of the audit, the Audit Group is obliged to verify the following areas provided for by Bank of Russia Regulation No. 242-P, with the mandatory reflection of the audit results in the audit report (if relevant within the framework of the audit):

Checking and evaluating the effectiveness of the internal control system as a whole, the implementation of decisions of the management bodies of the credit institution (general meeting of shareholders (participants), the board of directors (supervisory board), executive bodies of the credit institution).

The table below is used:

Audit areas | Optimally | Satisfactorily | Suboptimal | Unsatisfactory
1 strategy and budget | | | |
2. Assessment of the process / functionality of the department | | | |
3. Analysis of internal regulatory and organizational and administrative documents | | | |
4. Assessment of the adequacy of internal control and risk management procedures | | | |
5. Accounting and reporting | | | |
6. IT systems | | | |
7. Staff | | | |
8. Other questions | | | |
Overall score | | | |

Checking the effectiveness of the methodology for assessing banking risks and banking risk management procedures established by the internal documents of the credit institution (methods, programs, rules, and procedures for banking operations and transactions, banking risk management), and the completeness of the application of these documents.

Checking the reliability of the functioning of the internal control system over the use of automated information systems, including monitoring the integrity of databases and their protection from unauthorized access and (or) use, taking into account measures taken in case of non-standard and emergency situations in accordance with the action plan aimed at ensuring the continuity of activities and (or) restoration of the activities of a credit institution in the event of non-standard and emergency situations.

Verification and testing of the accuracy, completeness and timeliness of accounting and reporting, as well as the reliability (including accuracy, completeness and timeliness) of the collection and presentation of information and reporting.

Verification of the methods used to ensure the safety of the property of the credit institution.

Assessment of the economic feasibility and efficiency of operations and other transactions performed by the credit institution.

Review of internal control processes and procedures.

Verification of the activities of the internal control service of the credit institution and the risk management service of the credit institution in the event that its competencies are affected (including for identified deficiencies that entail regulatory risk).

Other issues stipulated by the internal documents of the credit institution.

Following the example of the table below, the audit report reflects the identified observations:

OBSERVATION LIST

THE CODE | OBSERVATION | RATING OBSERVATIONS | RESPONSIBLE UNIT | DATE OF REMOVAL | NO. OF PAGES IN THE REPORT
1. | Small business lending | | | |
1.1. | The inventory of documents on the loan provided by LLC "RAM Professional" has not been formed | Moderately | OKMB (Rogozhin S.N.) | 31.07.2018 | 6-7
2 | Lending to individuals' clients | | | |
2.1. | Violations of certification of copies of documents and execution of credit documents. | Moderately | AO (Kovalev S.V.) | 05/31/2018 | 8
2.2 | Providing a loan on terms that do not correspond to the decision made in terms of the loan term. | Important | DCC (Arduvanova Y.R.) | 05/31/2018 | 9
3 | Settlement and cash services for individuals | | | |
3.1. | Violations of the procedure for scanning and placing copies of the CPC in the ABS "CFT" | Moderately | AO (Kovalev S.V.) | 31.07.2018 | 12
3.2. | Violations of the procedure for closing savings accounts of clients of legal entities | Moderately | AO (Kovalev S.V.) | 31.07.2018 | 12
4 | Settlement and cash services for individuals | | | |
4.1. | Failure to monitor for the presence and completeness of Legal Affairs on the account of the deposit and the correctness of the execution of documents with a frequency of at least twice a year. | Moderately | AO (Kovalev S.V.) | 31.07.2018 | 14
4.2. | Failure to carry out subsequent control of the procedure for connecting clients to the RB System and changing the parameters of a client's account. | Important | AO (Kovalev S.V.) | 06/30/2018 | 16
5. | Organization of cash work | | | |
5.1. | Lack of an up-to-date Order on the appointment of a responsible officer for the storage of documentation on the technical strengthening of the premises of the Directorate, in which operations with valuables are performed | Important | TD Moscow-North (Khapilova N.A.) | 06/01/2018 | 18
5.2. | The requisites affixed by stamp imprint do not comply with the requirements of the Central Bank of the Russian Federation Regulation No. 318-P. | Important | AO (Kovalev S.V.) | 06/01/2018 | 18
5.3. | Violations of the storage of Acts of acceptance and transfer of values between shifts. | Moderately | AO (Kovalev S.V.) | 06/01/2018 | 19
5.4. | Absence of an Order on the procedure for organizing the temporary storage of discovered banknotes | Important | AO (Kovalev S.V.) | 06/01/2018 | 21

If one observation has two or three recommendations, then it is necessary to indicate all the recommendations in the format:

5.3. | Violations of the storage of Acts of acceptance and transfer of values between shifts. | Important | AO (Kovalev S.V.) | 06/01/2018 | 19
 | | | AO (Ivanov) | 06/01/2018 | 19

Assessment of audit areas

A planned / unscheduled audit of a process / department functional always aims to corroborate the assessment of a subsection with identified observations. The subsection should always begin with “assessment summary”.

1 strategy and budget | Optimally | Satisfactorily | Suboptimal | Unsatisfactory

The auditor chooses one of four assessments, the characteristics of which are reflected in clause 2.8 of this document.

Formation / writing of audit observations and recommendations

Writing audit observations:

Observation should be in two parts:

“Problem” – a summary of the essence of the observation in a few words (up to 3-4 lines of text).

"Confirmation" – the analytical part of the observation, indicating a full list of the circumstances of the detected observation.

Basic rules for writing revealed "Problems":

The “problem” should be clearly formulated in the first sentence (in the future, this sentence can be copied to the Observation List (see section 5)).

The problem (first sentence) should reflect the essence of the observation in the format "speaking in simple terms":

– "WHO DOES NOT DO WHAT";
– "WHAT IS WRONG in the Bank."

If the identified "problem" is that the process is not developed and / or not formalized, the head of the audit must, in the second sentence, indicate how the process being audited is actually carried out at the time of the audit.

The "Problem" should not reflect any analytical data (numbers, dates, amounts, etc.). If they exist, then this is already a "Confirmation", not a "Problem".

The basic rules for writing "Confirmation" are reflected in clause 7.1.1

Colleagues, the words Problem and Confirmation do not need to be written in the report!!!

Below are some examples:

For instance:

Examples of problems in the "WHO DOES NOT DO WHAT" format:

Problem: The Audit and Security Department did not implement a sequential passage of mandatory checks, including paid services, for all participants in the transaction. In practice, the checks of the main borrower and co-borrowers are carried out simultaneously. At the same time, IAS notes the presence of additional financial costs to pay for each call to external services.

Confirmation: Having made a decision to refuse the application due to the identification of negative information on the main borrower, the Bank has already incurred additional costs for checking the co-borrowers (if any). The total amount of unnecessarily incurred expenses amounted to 1 million rubles. 1000 credits each.

Problem: SCM, when considering a loan application from a client of NEFTERESURS LLC in August 2015, did not ask the guarantor of Terminal-AZS LLC for official documentary confirmation other credit institutions of the GVZ company) of the fact of repayment of the credit lines she had from the creditor bank, and Authorized Persons and the Underwriters, in turn, did not double-check the correctness of the GCM's actions, which violates the requirements of the Bank's CRD.

Confirmation: As a result, SCM, in violation of the CDR requirements, indicated in the credit report information on the closure of credit lines at the Lender Bank on the basis of accounting data (trial balance on account 66) received from the client. At the same time, IAS notes that the client provided inaccurate information.

B. Examples of problems in the format "WHAT IS WRONG in the Bank":

Problem: The CRD of the Bank does not define the need to update reports from the credit card information on the borrower and participants in the loan transaction in the event of a long review of the loan application (over 2 months). As a result, the updated Report from the Credit Reference Bureau on the transaction with NEFTERESURS LLC was not requested either for the borrower or for the participants in the transaction CM, Authorized Persons and the underwriter. The IAS notes that only an employee of DAKOMB requests an up-to-date report from the BKI on the borrower immediately before the issuance of funds to the borrower with the existing decision of the CC RB.

Confirmation: CC RB made a Decision on the transaction with LLC NEFTERESURS based on an irrelevant Report from the Credit Records Base on the borrower and participants in the transaction received 3.5 months ago.

7.1.1. Method of five questions (Who? What? Why? When? Where?) 5Ws.

The five-question method is a very convenient way to identify all the circumstances of an observation.

This method is often used by journalists and police officers.

In order to reflect correct information in the audit report, we strongly recommend using this method. The auditor must answer five questions in the observation text!!!

Who is responsible? (indication of department, personnel)
What happened? (description of the situation, indication of the amount of loss / amount at risk, how many cases out of how many verified)
Where did it happen? (place of event, point of sale / address, etc.)
When did it happen? (time, depending on the situation: date / month.year / year)
Why did it happen? (for an indication of the reasons for the observation, see the section "Analysis of the reasons for observation")

OBSERVATION WILL BE CONSIDERED COMPLETE ONLY IF THE ABOVE QUESTIONS ARE ANSWERED

7.1.1.1. The "5 Whys" method to identify the "problem"

The 5 Whys method allows you to look at the problem identified during the observation from different angles. Sometimes the underlying reasons for the observations made are not "obvious" and may be due to a combination of circumstances.

In this case, the auditor should try to think out of the ordinary and build for himself the understanding that he should ask himself the question “Why” at least five times and answer it without repeating.

For instance:

Observation: As part of the audit, facts of incorrect calculation of interest on employee loans were established, affecting the amount of income received by the branch.
Why? Incorrect determination of the level of the interest rate: Mosprime 3 months instead of Mosprime 1 month.
Why? The IT program incorrectly loads the Mosprime interest rate.
Why? The IT program used the previously valid rate and did not change it when upgrading.
Why? The terms of the loan product for employees in terms of the interest rate were changed, and the IT application with the rates was not pilot tested before launching into the industrial environment.
Why? Lack of a subdivision responsible for checking the completeness of IT settings made in accordance with the changes in loan rates.

7.1.2. Analysis of reasons for observation

The main goal of the auditor is to clearly identify the main cause/reasons, the "root cause" of the observation, with the aim of further developing an up-to-date recommendation on making changes to the process / CRD / functionality that covers, to the maximum extent, the possible risks of similar observations being identified again in the future.

The reason is the answer to the question WHY there was a problem:
– WHY "SOMEONE didn't do SOMETHING"
– WHY "SOMETHING IS WRONG" at the Bank

To indicate the reason for the observation, in most cases, the auditor should receive comments from the responsible employees/departments.

Examples of reasons based on comments from the responsible department:

According to the comments of Retail Business Division, the quality control system of customer service for individuals in the network divisions is in the process of formation, and therefore, the Retail Business Division is still in search of optimal research methods.

According to the Retail Business Division comments, in connection with the prioritization of tasks and the launch of the network motivation system, Retail Business Division planned to introduce consolidated (for all inspections) regular management reporting and a “quality showcase” report in Q1 2018.

The management of the Collateral Division did not consider it necessary to formalize the requirements for photographing collateral, considering them unnecessary.

The management of the Collateral Division considered the existing way of organizing the storage of documents accompanying the assessment to be sufficient.

According to the comments of the Department of Small Business Development and Sales, the procedure for interaction with the IC is planned to be developed after the completion of the development of the "Insurance" module in the IS SUGAR CRM software.

The work should use the following categories of reasons (examples, the list is not limited):

Strategy

Definition of strategy:
• incorrect strategy definition
Communication strategy:
• ineffective communication of strategy information to staff
Understanding and implementing the strategy:
• shortcomings in terms of timeliness and completeness of taking measures for the implementation of the strategy by the responsible person/unit
• incorrect determination of the timing of the implementation of the strategy
• misunderstanding / lack of understanding of the organizational goals of the strategy

Internal regulations

Disadvantages in terms of CRD:
• lack of GNI determining the process (partial or complete absence of CRD)
• ineffective CRD
• outdated
• process is not well defined
• difficult to understand / conflicting CRD
• KPI/KRI not included in CRD
Incorrect reporting of CRD to the responsible persons:
• staff not notified of new CRD
• irrelevant documents are used in the work

Functional

Incorrect functionality and responsibility:
• unit structure, line of accountability, authority and/or functionality does not correspond to unit objectives / functional responsibilities
• uncertain / ambiguous / conflicting powers and responsibilities
• indefinite / ambiguous / contradictory (conflicting) distribution of responsibility
• performing functions not assigned to the employee
• failure to fulfill the control functions assigned to the employee/department
• incorrect assignment / delegation of authority to an employee
• inadequate organizational structure of the unit

Controls

Controls:
• the implementation of the control is not in accordance with its intended design
• excessive reliance on "manual" control / lack of automation
Monitoring:
• ineffective monitoring process
• ineffective IT monitoring solution
• ineffective monitoring indicators (KPI, KRI, etc.)
Change management:
• untimely entry into the control process

IT infrastructure

Shutdown (unavailability) of systems:
• absence or partial implementation of maintenance plans to prevent system failures
• business support inappropriate to the required
Incident / problem / availability management:
• unavailable help desk
• no activity in case of application/system failures
• delays in resolving problems
Change / release management:
• poor quality changes (i.e. failure after change)
• delays in preparation of the release / problems with releases
• changes are not approved by business owners
Ineffective software / database:
• complexities / impossibility of developing new functionality of applications
• delays / errors in applications / database integration
Ineffective maintenance:
• lack or ineffective maintenance plan (unsupported software / platforms)
• lack of experience with IT systems
Equipment:
• inconsistency of IT equipment / technologies with industrial or internal standards
• inconsistency of IT equipment capacity with business requirements
Network:
• inconsistency of network infrastructure with industrial or internal standards
• inconsistency of network infrastructure with business requirements

IT applications / functional support

Missing functionality:
• weak design of controls in IT applications (including confidentiality)
• inconsistency of the functionality of IT applications with business requirements
Lack of access rights management:
• lack or inadequate account management
• lack or inadequate management of rights / access profiles
Crashes in systems:
• failures in applications and tools that support the operation of the process
• lack of testing (e.g. user acceptance testing)
Weak user support:
• insufficient documentation / manuals
• lack of user training
Exceeding the reaction time:
• reaction time which does not allow controls to be carried out in a timely manner
Weak data validation:
• ineffective integrity check controls
• weak automation of data quality control

IT security

Business Continuity Plan:
• poor quality risk assessment
• absence or formal plan
• the plan is not implemented, or is partially implemented
Disaster recovery plan:
• poor quality risk assessment
• absence or formal plan
• the plan is not implemented, or is partially implemented
Physical security:
• poor elaboration of physical security controls
• poor-quality implementation of physical security means
• lack or ineffective access controls to buildings / premises
Technological safety:
• non-compliance of security technologies (for example, firewalls, proxy servers, authorization systems, …) with internal or industry standards
• ineffectiveness of security technologies (e.g. firewalls, proxy servers, authorization systems, …) to meet business requirements
Vulnerability and Threat Management:
• lack of installation of security updates (patches) / lack of customization of systems
• lack of security tools at the software development stage
• absence or poor quality monitoring and correlation of information security events
Disadvantages of Logical Security Controls:
• ineffective logical security controls (e.g. weak passwords, …)
• absence or ineffective elaboration of logical security controls (for example, privilege escalation is not blocked)
• absence or weak controls on the division of access rights, the principle of minimum privileges, abuse of privileges
Data security:
• lack or weak security of unused data (stored, archived, …)
• lack or weak security of the data used (on local machines, mobile devices, during computation, …)
• lack or weak security of transmitted data (via a local network, via the Internet, e-mail, …)
Security of services provided by third parties:
• absence or weak level of security of services provided by outsourcers
• absence or weak level of security of products provided by outsourcers

Personnel – staffing table

The staffing table does not correspond to the list of performed tasks:
• inadequate analysis of personnel adequacy
• staffing does not match the needs of the department

Quality staff and HR trainings

Staff:
• lack of staff skills and competencies
The quality of the training provided:
• ineffective training / insufficient training
• training does not correspond to the level of competence of the staff

Human factor

Control not implemented:
• the current control does not correspond in whole or in part to its design
Failure to comply with control requirements:
• instruction from management not to carry out / partially not to carry out control procedures
• non-compliance by employees with control procedures (intentional / unintentional)
Unethical behavior of employees:
• the use of process flaws for personal gain (e.g. for the purpose of obtaining a reward)
• misunderstanding by employees of the consequences of their actions
• lack / inadequate training of staff
Fraud:
• lack of proper interaction between departments in terms of combating fraud
• deficiencies in CRD regulating the process of combating fraud in a bank
• the anti-fraud CRD is not working / has not been communicated to staff
Incorrect personnel management:
• incorrect example from the management side
• inadequate leadership
• insufficient control by management over subordinates
Lack of staff motivation:
• correct performance is criticized
• unreasonable pressure from management
• insufficient feedback
• inadequate disciplinary process
• lack of recognition and rewards for outstanding performance

In assessing the reasons for the observation, the auditor can be guided by the following methods, which make it possible to identify with a high probability the “true” reasons for the observation established by the auditor.

7.1.2.1. Fish-bone Diagram

This type of diagram, also called a "cause and effect" diagram, is used to identify all possible causes that served as the basis for the identified problem.

Categories of causes include:
Management (governance / risk management)
Human factor (sufficiency of staff / skills)
Method (Procedures / CRD)
Quantitative determination (KPIs, risk indicators, etc.)
Automation
Data

The result is the following graph.

That is, sometimes a combination of reasons may be the cause of the problem identified.

For instance:

A low level of automation, combined with low qualification of the personnel who manually generate a control report, entails significant operational errors.

The lack of up-to-date CRD and job descriptions, in combination with incorrect decisions of the department's management, entails the inability to legally bring them to justice.

7.2. Writing audit recommendations:

7.2.1. SMART principle:

Specific
When writing a recommendation, the auditor should adhere to the principle of "brevity is the sister of talent." It is necessary to present the recommendation with a minimum "set of words", while the main "idea of the recommendation" should be clear to the executor.

Measurable
The recommendation should be written in such a way that its implementation can be checked later. In no case should recommendations sound like:
Ensure that the requirements are met…
Monitor as required…

These are recommendations "to nowhere": in fact they do not cover the risks and tell the person being audited to "work as you should work, no more". In this case the value of such a recommendation is insignificant.

Achievable
The recommendation should cover the identified risks as much as possible; the proposed control options should take this into account.

Relevant (comparable, relevant)
The recommendation should fully “cover” the observations made. If the auditor has clearly identified the problem, then the recommendation is relatively easy to formulate.

Didn't know – teach
No automation – automate
Knew, did not do – retrain / communicate; intentionally did – disciplinary action, escalate to management for action.
No control – regulate control
No KPI – define a KPI
Insufficient staff – transfer function / initiate staff expansion

Unfortunately, all possible combinations of problems and recommendations are difficult to reflect in the document. The author relies on the adequacy and professionalism of the IAS staff.

If it is difficult for the auditor to determine the recommendation, please contact a colleague / head of directorate / head of the IAS for advice.

Do not be afraid to ask during the period of writing the report: correcting what was written is more difficult than formulating it at the stage of writing a draft report.

Time-bound (defined in time)
The term for the implementation of the recommendation should be sufficient to implement the recommendation in full.

For example: it is impossible to give a recommendation to make changes to the "global document" with a period of one month – at least three or more months.

See the matrix on the timing of recommendations depending on the observation rating in section 7.3…

7.2.2. The format for reflecting the recommendation in the audit report

After reflecting the observation with the reasons, the auditor should issue the recommendation using the following template:

Recommendation Number: 1.2
Rating: Important
Risk: Strategic, Operating. Erroneous management decisions based on incorrect information provided or on the basis of the lack of a complete volume of reporting information.
Recommendation text: Include real estate objects of ZPIF "Montferrand" in the reports of the Office for Support of Real Estate Operations, while the Non-Core Assets Service is engaged in the lease of these objects.
Responsible unit: Real Estate Operations Support Department (Koroleva P.V.)
Execution start date: 05/01/2018
Elimination date: 31.07.2018
Comments of the responsible department: Agreed

Recommendation rating – see observation rating section.

Number – indicates the number of the section on the audit report and, accordingly, the serial number of the observation, for example, 3.2-1, 3.2-2, etc.

Risk: it is necessary to indicate one of the following risks (possibly two or more, if necessary; in addition, it is necessary to disclose in more detail the text on the risk, for which an additional field is given):

Responsible department – indicate the full name, or an abbreviation generally recognized in the bank (you can add the full name of the performer).

Execution start date – by agreement with the responsible department, the execution start date is determined. Basically, this date coincides with the release date of the report, or the nearest reporting date is indicated.

Sometimes, those responsible will be able to start implementing the recommendation after meeting certain conditions, and the start date for the implementation may be shifted by several months.

Risk type – Definition

Credit risk: the risk of the credit institution incurring losses as a result of non-performance, untimely or incomplete performance by the debtor of financial obligations to the credit institution in accordance with the terms of the agreement. These financial liabilities may include the debtor's obligations under:
• loans received, including interbank loans (deposits, loans), other placed funds, including claims for receipt (return) of debt securities, shares and promissory notes provided under a loan agreement;
• bills discounted by the credit institution;
• bank guarantees for which the funds paid by the credit institution have not been reimbursed by the principal;
• financing transactions against the assignment of a monetary claim (factoring);
• rights (claims) acquired by a credit institution under a transaction (assignment of a claim);
• mortgages acquired by a credit institution in the secondary market;
• transactions of sale (purchase) of financial assets with a deferred payment (delivery of financial assets);
• letters of credit paid by the credit institution (including uncovered letters of credit);
• return of monetary funds (assets) under a transaction for the acquisition of financial assets with the obligation of their re-alienation;
• the requirements of the credit institution (lessor) for financial lease (leasing) operations.

Market risk: the risk of the credit institution incurring losses due to unfavorable changes in the market value of financial instruments in the trading portfolio and derivative financial instruments of the credit institution, as well as foreign exchange rates and (or) precious metals. Market risk includes equity, foreign exchange and interest rate risks.
• Stock risk – the risk of losses due to unfavorable changes in market prices for stock values (securities, including those securing the rights to participate in management) of the trading portfolio and derivative financial instruments under the influence of factors related both to the issuer of stock values and derivative financial instruments, and general fluctuations in market prices for financial instruments.
• Currency risk – the risk of losses due to unfavorable changes in the rates of foreign currencies and (or) precious metals on positions opened by a credit institution in foreign currencies and (or) precious metals.
• Interest rate risk is the risk of financial losses (losses) due to unfavorable changes in interest rates on assets, liabilities and off-balance sheet instruments of a credit institution.

Liquidity risk: the risk of losses due to the inability of the credit institution to ensure the fulfillment of its obligations in full. Liquidity risk arises as a result of an imbalance in financial assets and financial liabilities of a credit institution (including due to untimely fulfillment of financial obligations by one or several counterparties of a credit institution) and (or) the emergence of an unforeseen need for immediate and one-time fulfillment by a credit institution of its financial obligations.

Business risk: this is the probability of losses as a result of a deterioration in business reputation and negative changes in the organizational and managerial sphere of the organization, which may affect the debtor's ability to fulfill its obligations and the likelihood of losses due to the debtor's default on its obligations.

Strategic risk: the risk of losses for the credit institution as a result of errors (shortcomings) made when making decisions that determine the strategy for the activity and development of the credit institution (strategic management) and expressed in neglect or insufficient consideration of possible dangers that may threaten the activities of the credit institution, incorrect or insufficiently substantiated determination of promising areas of activity in which a credit institution can achieve an advantage over competitors, the lack or incomplete provision of the necessary resources (financial, material and technical, human) and organizational measures (management decisions) that should ensure the achievement of the strategic goals of the credit institution.

Operational risk: the risk of losses as a result of inconsistency with the nature and scale of the activities of the credit institution and (or) the requirements of the current legislation of the internal procedures and procedures for conducting banking operations and other transactions, their violation by employees of the credit institution and (or) other persons (due to incompetence, unintentional or deliberate actions or inaction), disproportion (inadequacy) of the functional capabilities (characteristics) of information, technological and other systems used by the credit institution and (or) their failures (malfunctions), as well as as a result of external events.

Reputation risk: the risk of losing the business reputation of a credit institution (reputational risk) is the risk of a credit institution incurring losses as a result of a decrease in the number of customers (counterparties) due to the formation in society of a negative perception of the financial stability of the credit institution, the quality of its services or the nature of its activities in general.

Legal / regulatory risk: the risk of the credit institution incurring losses due to:
• non-compliance by the credit institution with the requirements of regulatory legal acts and concluded agreements;
• legal errors made in the implementation of activities (incorrect legal advice or incorrect preparation of documents, including when considering controversial issues in the judicial authorities);
• imperfection of the legal system (inconsistency of legislation, lack of legal norms to regulate certain issues arising in the course of a credit institution's activities);
• violation by counterparties of regulatory legal acts, as well as the terms of concluded contracts.

IT risk: the possibility of negative consequences associated with the emergence of various threats. They are presented in the form of viruses, various methods of stealing information, hacker attacks, various types of special destruction of equipment. Examples of risks:
• Low alignment of IT strategy with business goals;
• Obsolescence of the technological infrastructure and the lack of clear information on the parameters of the functioning and efficiency of IT;
• Low IT efficiency and lack of contribution to the success of the organization;
• Failure to anticipate potential incidents, use of insufficiently effective processes for identifying and assessing risks;
• Insufficient consideration of IT risks and the consequences of their implementation for the business in the decision-making process.

Elimination date – the date agreed with the responsible department is indicated.

Comments of the responsible department – it is mandatory to indicate "agreed", or the full comment of the responsible department.

7.2.3. Observation Assessment:

Based on the results of the audit, the Audit Team identifies control deficiencies that arise when the design of control and/or the effectiveness of its operation does not adequately “cover” the identified risk, and, therefore, the residual risk is not reduced to an acceptable level. The IEA notes this fact as an observation and gives an appropriate assessment.

7.2.3.1. The stage of assessing the effectiveness of control

At this stage, the employee must understand why control is ineffective. There are two criteria that need to be assessed:
Effectiveness of control design;
Effectiveness of control functioning.

Based on the assessment of these criteria, the auditor arrives at one of three assessments in ascending order of materiality.

Control is ineffective or undefined (control objectives are largely not achieved)
Control is partially effective (control objectives are partially achieved)
Control is generally effective (control objectives are largely achieved)

7.2.3.2. Assessment of the level of risk influence

Impact of risk

Low: The risk in this case is minimal or to a greater extent "theoretical". Several tens of thousands / hundreds of thousands of rubles. Or one-time implemented cases of a non-systemic nature.

The average: The risk has the likelihood of being realized or has already been realized, but its "cost" has average indicators (from several tens to several million rubles); it can be of a systemic nature.

Significant: The risk is of a systemic nature, the amount of losses is significant, from several million rubles, or the likelihood of regulators' claims is from 25 to 50% and the amount of the order will be from several million rubles to ten million rubles.

High: The risk of revocation of the Bank's license, or penalties from regulators amount to tens / hundreds of million rubles.

7.2.3.3. Final assessment of observation

As a result, the auditor, based on the matrix below (see table 1), by comparing the two criteria "control effectiveness" and "risk impact" should come to an understanding of the final assessment of observation (see table 2).

Effectiveness of control (rows) against Risk Impact Level (Low, The average, Significant, High):

Control is ineffective or undefined: Low – Moderately; The average – Substantially; Significant – Critical; High – Critical
Control is partially effective: Low – Moderately; The average – Important; Significant – Substantially; High – Critical
Control is generally effective: Low – No recommendation given; The average – Moderately; Significant – Moderately; High – Important

Observation rating – Description

Critical: A violation is assigned a rating of "critical" if an insufficient level of control exposes the Company to an extremely high degree of risk and can significantly affect the effectiveness of the internal control system of the processes / divisions / areas of activity that the violation concerns.

Substantially: A violation is assigned a “material” rating if an insufficient level of control exposes the Company to a significant degree of risk and may partially affect the effectiveness of the internal control system of the processes / divisions / areas of activity affected by this violation.

Important: A violation is assigned an “important” rating if an insufficient level of control exposes the Company to a moderate level of risk and may have a limited impact on the effectiveness of the internal control system of the processes / divisions / areas of activity affected by the violation.

Moderately: A violation is assigned a rating of "moderate" if an insufficient level of control exposes the Company to a low degree of risk and has an insignificant effect on the effectiveness of the internal control system of the processes / divisions / areas of activity that the violation concerns. Implementation of recommendations for this violation will increase the effectiveness of processes and controls or ensure that activities are carried out in accordance with best practice.

7.3. The specifics of writing audit reports over the network.

On a periodic basis (at least once a quarter), the Head of the Audit Directorate of the regional network informs colleagues of the updated "template" of the draft audit report, which reflects the most relevant "format for presenting analytical and introductory information by sections" of the audit report. The structure of the audit report is presented to the employee of the Directorate in a convenient form for completion.

Colleagues, special attention!!!

When using the "audit report template", be careful: all analytical information on the audited department, the dates and period of the audit, and the name of the department must match YOUR!!! verified point of sale.

If operational errors are detected by the verification team, the information will be escalated to the attention of the IAS head. This information will be taken into account during the annual employee assessment.

7.4. Determination of the time frame for the implementation of recommendations and the timing of their prolongation, determination of powers to renew

Activity / Observation rating: Critical, Substantially, Important, Moderately

Maximum term for implementation of the recommendation**:
Critical – 6 months*; Substantially – 9 months; Important – 12 months; Moderately – 12 months

First prolongation of the recommendation implementation period (maximum period):
Critical – 6 months; Substantially – 6 months; Important – 9 months; Moderately – 12 months

Decision level (first prolongation):
Critical – Management Board of the Bank; Substantially – Supervising member of the Management Board; Important – Head M2, M3; Moderately – Head M2, M3

Second and subsequent prolongation of the deadline for the implementation of the recommendation:
Critical – 3 months; Substantially – 6 months; Important – 6 months; Moderately – 6 months

Decision level (second and subsequent prolongation):
Critical – Supervisory Board; Substantially – Management Board of the Bank; Important – Supervising member of the Management Board; Moderately – Head M2, M3

* The initial deadline for the implementation of the recommendation with the Critical level is subject to agreement with the Bank's Management Board.

** The deadline for the implementation of the recommendation, regardless of the level of severity, is initially set by the Internal Audit Service and agreed with the owner of the recommendation.

WORKING PAPERS:

Upon completion of the audit, the Audit Leader should ensure that the structure of the audit working folder is as follows:

In the folder "administrative documents" must be placed the Order and the Notice on verification and other administrative documents (if any).

The folder "preparation" for the audit contains the audit program, regulatory documents obtained at the stage of preparation and other documents.

The "check" folder contains all documents received during the "field work", the completed audit program, as well as checklists and the results of their check.

The following should be placed in the "approval" folder:
SZ saved in electronic form in agreement with all resolutions as agreed.
If the approval took place by mail in Lotus Notes, then all the letters are posted as agreed in electronic form, indicating in the file name the recommendation number and the coordinator (responsible employee or department).

All versions of the draft audit report are placed in the "Report" folder. The final version of the report sent to the Bank's management is placed in a separate folder.

Also in the folder "Report / Audit evidence" all audit evidence is placed on identified observations. It is necessary to create a separate folder for each observation and place in it a document that is audit evidence, a block diagram, work correspondence, an excerpt from a checklist, etc., an incorrect report, a scan of a document, minutes of meetings, etc.

ESTABLISHMENT OF RECOMMENDATIONS IN THE DATABASE "PRESCRIPTIONS OF THE IAS AND IAS" BASED ON THE RESULTS OF INTERNAL AUDITS OF IAS AND MONITORING THEIR IMPLEMENTATION

9.1. Based on the results of internal audits, all recommendations recorded in the audit reports must be registered in the database "ICS and IAS prescriptions" for subsequent control of their implementation.

To place a recommendation / instruction, go to the database "Regulations of the SVK and SVA":

Press the button "New order":

Next, we start a recommendation / instruction with the following input (example in the screenshot below):

1. "Order" sheet:

Company: PJSC "BANK URALSIB"
Author: Rifat
Executors: Everyone whom the recommendation concerns (both responsible managers and direct executors), while ticking off only responsible leaders!

When making recommendations on the Security Council, it is necessary to add the following security officers to the executors: Mikhail Belokon, Irina Sobolev, and Alexandra Korobkina without ticking them off (responsible). It is not necessary to indicate employees as data controllers (this field is only for IAS).

Control: we indicate ourselves, as well as Lena Zheleznyakov.
Subject: …\SVA
Check name: fill in the check name the same for each order related to one check (for example, through "copy / paste")
Verified period: …
No. of Act clause / Prescription clause: …
Recommendation: Paste from the report
High-level risk: fill in the type of risk (according to the classification in clause 7.2.2: credit, market, liquidity, operational (including legal), reputation) and indicate the observation rating in accordance with the typology below:

Critical, Substantially, Important, Moderately

Low-level risk: detailed risk description from the recommendation table. For instance: Erroneous management decisions based on incorrect information provided or on the basis of the lack of a complete volume of reporting information.
Risk amount: fill in the amount if there is an estimate
Information about the fact of risk realization: potential risk, realized risk, potential savings
Reason for violation: copying from the report


Violation – Observation is copied from the report.
Mark of partial execution of the order: we add a comment if the recommendation is partially executed during the check
Date: date of establishment of the recommendation
Timeline for Implementation: Agreed timeline for implementation of the recommendation

2. Sheet "Control":

Check out date: date of filling
Executors should not be filled in all, but only the one who is responsible for the order and is marked with a tick on the "Orders" tab, i.e. to whom to write SZ. It is more convenient to do it through the button "to control everyone" and deleting those who are not checked on the previous sheet.
Timeline for implementation: the agreed time frame for the implementation of the recommendation
Notifications: 10 days before the due date, as well as the 1st of each month.

9.2. To close the recommendations, it is necessary to "accept" the execution according to the received execution report (by the button at the top of the report), or, if there is no such report, and the materials for closing were received in a different way (for example, sent from the contractor), close using the "executed" button:

It is necessary to make sure that when the order is closed (i.e. after the responsible executor marks it "executed" and/or the controller accepts the execution) on the "Control" tab, the executors have moved from "placing on control" to "execution" (from the left side to the right):

Files with supporting materials can be attached right there; as a result, after the order is completely closed, the following picture is obtained.

9.3. Open recommendations are monitored on a monthly basis, incl. overdue.

To do this, use the export of the report "UCS orders – Execution of UCS orders (extended) 4.1" from the "Reports 4.3" database.

When generating a report, it is necessary to indicate the author (Oleg), the dates of the order and the due date (we choose a wide range of dates to cover everything). The report is exported to MS Excel format. It is advisable to sort the resulting table by order number, and then add a calculation column to filter out "duplicates" (=IF(B2=B3;1;0)):

Note:

In the export, the "Executor" field is taken from the "Order" tab (and duplicated for each), and the "Responsible executor" – from the "Control" tab. That is, for execution control, only the "Responsible executor" field is interesting, in which only those who have not yet executed the order remain.
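The monthly check described in 9.3, together with the maximum terms from the table in 7.4, as an added Python sketch; it is not part of the monograph or of the bank's database. The column names, the ISO date format and the sample rows are assumptions constructed for illustration.

```python
import calendar
import csv
import io
from datetime import date

# Maximum initial implementation term in months per observation rating (table in 7.4).
MAX_TERM_MONTHS = {"Critical": 6, "Substantially": 9, "Important": 12, "Moderately": 12}

# Constructed sample of the exported report saved as CSV (not real data).
# An order is repeated once per executor; "responsible_executor" is empty
# once the order has been executed. All column names are assumptions.
SAMPLE_EXPORT = """\
order_no,rating,executor,responsible_executor,order_date,due_date
3.2-1,Important,Dept A,Dept A,2018-01-05,2018-07-31
3.2-1,Important,Dept B,Dept A,2018-01-05,2018-07-31
3.2-2,Critical,Dept C,,2018-01-05,2018-06-30
1.2,Critical,Dept D,Dept D,2018-01-05,2018-09-30
1.2,Critical,Dept E,Dept D,2018-01-05,2018-09-30
1.2,Critical,Dept F,Dept D,2018-01-05,2018-09-30
4.1-1,Moderately,Dept G,Dept G,2018-02-01,2019-02-01
"""


def add_months(d, months):
    """Shift a date forward by whole months, clamping the day to the month end."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def load_rows(text):
    """Parse the CSV export and convert both date columns to date objects."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["order_date"] = date.fromisoformat(row["order_date"])
        row["due_date"] = date.fromisoformat(row["due_date"])
    return rows


def flag_duplicates(rows):
    """Sort by order number and reproduce =IF(B2=B3;1;0) for every row.

    A row gets 1 when the NEXT row carries the same order number, so the
    last row of each group is the one that survives the filter.
    """
    ordered = sorted(rows, key=lambda r: r["order_no"])
    flagged = []
    for i, row in enumerate(ordered):
        next_no = ordered[i + 1]["order_no"] if i + 1 < len(ordered) else None
        flagged.append((row, 1 if row["order_no"] == next_no else 0))
    return flagged


def monitor(rows, as_of):
    """Return one status record per order: open, overdue, term above the 7.4 maximum."""
    report = []
    for row, duplicate in flag_duplicates(rows):
        if duplicate:
            continue
        # Only the "Responsible executor" field matters for execution control.
        is_open = bool(row["responsible_executor"].strip())
        limit = add_months(row["order_date"], MAX_TERM_MONTHS[row["rating"]])
        report.append({
            "order_no": row["order_no"],
            "responsible_executor": row["responsible_executor"],
            "open": is_open,
            "overdue": is_open and row["due_date"] < as_of,
            "term_exceeds_maximum": row["due_date"] > limit,
        })
    return report


if __name__ == "__main__":
    for record in monitor(load_rows(SAMPLE_EXPORT), as_of=date(2018, 8, 15)):
        print(record)
```

Order numbers are sorted as text here, as a plain Excel sort of a text column would do.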


Conclusion

Different areas of banking are associated with different risks. It is almost impossible to completely get rid of risky operations. Therefore, it is important to identify risks in time and organize internal control so that they are reduced to a satisfactory level. Internal control is the main tool for transferring all risks to the residual level. And the internal control service is the body that is responsible for effective risk management.

The monograph “Organization of an effective system of internal control in the banking sector” reveals the essence of the concept of internal control of a commercial bank from the point of view of Russian legislation and world banking practice. The author provides a classification of forms of internal control and shows the relationship between existing control procedures and banking risks: a variety of internal control procedures allows you to expand the area of banking risk management.

The first chapter of the work analyzes the role and place of the internal control service in the internal control system of the bank in general, and in the management of banking risks in particular. Forming an effective internal control service is the key to minimizing banking risks. The Internal Control Service carries out an independent assessment of banking business processes and of the possible risks associated with their implementation, which is especially important in the context of the ongoing global financial crisis. In practice, the main function of the internal control service as a body in the bank's internal control system is to monitor the availability and quality of control (anti-crisis) mechanisms, the timely and professionally competent use of which by other departments, services and managers of the bank should minimize the risks of its activities. Deficiencies in the organization of internal control lead to the fact that the bank ceases to be stable and goes into the category of problem banks, which, in turn, reduces the attractiveness of the credit institution in the eyes of potential clients and investors.

The paper discusses the main ways of carrying out checks. Attention is paid to financial audit as a key method of internal audit. The result of the financial audit should be the recommendations of the internal auditor to improve the current internal control system. Also, the internal auditor must generate a report, which indicates the errors identified as a result of the audit and how to solve them.

The author assesses compliance control as an integral part of the internal control system in credit institutions. Ensuring compliance control is a prerequisite for minimizing the reputation and image risks of a credit institution. In turn, a bank's reputation is an intangible asset that increases the value of a credit institution. The paper provides two practical examples when compliance control allows you to avoid additional costs of a credit institution, and, therefore, increases the efficiency of its activities.

The paper shows the versatility of operational control as a category: operational control can be considered as an integral part of financial audit and as an independent procedure that directly evaluates the quality of the internal control system in a credit institution. Three approaches to assessing the quality of the internal control system in credit institutions have been identified: the COSO concept, the SAC concept proposed by the Institute of Internal Auditors, and the COBIT model recommended by the Information Systems Audit and Control Association. According to the author, the internal control system is effective only if the goals of building the internal control system are achieved. Consequently, the organizational effectiveness of the internal control service can only be talked about if the role of the internal control, internal audit and risk service in banking risk management becomes obvious.

An effective internal control service is, first of all, an independent subdivision of a credit institution, which:

– has an idea of the actual organization of business processes taking place in the bank;

– assesses the availability of control procedures within each business process;

– analyzes the possible risks inherent in each business process in a credit institution;

– conducts regular inspections of the most risky processes in order to formulate reasonable conclusions about the effectiveness of the internal control system;

– generates a report for the Board of Directors, which presents the identified shortcomings of the current internal control system, offers recommendations and measures to improve the efficiency of the internal control system, and, therefore, measures to minimize possible risks of the credit institution.

In the third chapter of the work, the practical aspects of organizing the internal control system in banks are considered: a comparative characteristic is given for two hypothetical banks.

The paper considers possible options for organizing an internal control service in a bank, emphasizing the need to ensure the independence of internal audit. The role of internal control in the management of banking risks is to subsequently monitor the effectiveness of the current control system and risk mitigation mechanisms. The internal auditor should not be directly involved in organizing the internal control system, as this may threaten his independence. To achieve the above, the author has proposed a possible sequence for creating an internal control service.

In conclusion, we note that the state of modern regulatory documents is an obstacle to understanding the role and functions of the internal control system in credit institutions. The current regulatory documents do not highlight the place and role of audit committees in the system of internal control bodies; requirements for an external assessment of the quality of work of departments carrying out internal control and internal audit; the results of such an assessment, etc. Thus, the issue of developing a methodology for assessing the internal control system at the legislative level is one of the priorities.
