Plan for internal control over financial reporting. The internal control system as a tool for increasing the reliability of financial reporting (Ostrenko E.V.)

Issues related to building an internal control system to meet the requirements of regulators and financial institutions for the financial reporting of public companies in order to increase the transparency and efficiency of business processes are considered.

Basics of building an internal control system

The architecture of the internal control system (hereinafter - ICS) consists of the following elements:
- control environment (internal conditions of the company’s functioning, determined by the general rules of company management, communications between personnel, document flow and regulations governing the implementation of production functions);
- accounting system (preparation of financial statements in the company, accounting policies, methods, software, operating regulations of the relevant departments, etc.);
- control procedures (systematized measures to prevent or identify distortions in reporting data and data on business transactions).
All of the above elements of the ICS are interconnected and cannot be considered separately. Accordingly, the internal control system in relation to financial reporting should cover not only procedures related directly to the accounting function, maintaining accounting registers and preparing reports, but also all processes and business transactions that result in accounting records.
In order for the internal control system to perform the assigned tasks, it is necessary to work out the main parameters of the system: control design, operational efficiency of control.

Control design

This term refers to the way in which control functions. The main task of the ICS in the preparation of financial statements is to minimize the risks of distortion of the data presented in it. Controls should be designed to ensure that errors are identified and misstatements are prevented.
Accordingly, we can distinguish types of control aimed at preventing distortions (preventive control) and fixing distortions (detective control - from the English detection - detection).
Based on the design, the following main types of preventive control can be distinguished:
- authorization (assumes that any transaction is carried out after physical authorization). For example: a payment order is sent to the bank only if signed by the head of the company and the chief accountant; The supplier's invoice is paid only after approval (endorsement with the signature of the responsible persons). In relation to financial statements, authorization means, in particular, the signing of the statements by the company's directors as confirmation that there are no objections to their performance. Another example: electronic verification of accounting records;
- access control (primarily concerns restricting access to accounting data (systems)). For example, access to viewing and editing the block of the program where payroll is calculated is provided only to the accountant who carries out the calculation. Another example: termination of access to editing data in a closed accounting period for which reporting has already been released;
- division of powers. In particular, the separation of the authorization function and the physical execution of the transaction. For example, a manager has the physical ability to authorize a payment order, but does not have access to accounting registers and cannot enter payment data into the accounting books. And, conversely, an accountant who enters payment data into accounting registers does not have the right to make these payments in the Client-Bank system.
Another type of control - independent verification - assumes that after a transaction has been completed and it is reflected in the accounting records, an independent person checks the accounting records. For example, an accountant creates depreciation records, and the chief accountant (or internal auditor) checks the correctness of depreciation calculations. This type of control is detective, in other words, aimed at identifying errors in already reflected operations.
From a technical implementation point of view, the control design can be “manual” or automated. “Manual” control involves, in particular: endorsement of documents by responsible persons before carrying out a transaction (for example, the signature of the responsible person is placed on the supplier’s invoice before submitting the invoice for payment); examination of the accounting records by an independent person not directly responsible for the preparation of any register; reconciliation of settlements with counterparties, documented in the relevant act.
Automated control includes: regulation of access to accounting systems; authorization of accounting transactions (i.e. the transaction is registered in the system only after authorization by an authorized person); blocking from changing accounting registers for previous reporting periods; creating backup copies of accounting data.
The term "operational effectiveness of controls" means the following: controls work as intended and are performed on a regular basis; there is evidence of the implementation of control procedures in relation to each performer involved in the developed control system; regulated procedures are applied to identify system deficiencies and eliminate them.
Misstatements in reporting data may be the result of errors or intentional actions. Accordingly, controls and the control environment should be designed to minimize the risks of misstatement due to both error and intentional fraud. This means that developing the design of the internal control system will require an analysis of areas where there is a risk of data misstatement. All work on ICS is based on the identification of risks, their analysis in terms of probability (high, medium, low), as well as their materiality based on the volume of possible data distortion (material or intangible distortion).
A material distortion is considered to be a distortion that can affect the decision-making of users of reporting or lead to significant consequences (for example, the collection of fines for incorrect tax assessment, deprivation of a license for some activity due to violation of relevant legislation).
Control must be structured to ensure reliable reporting in all material respects. Typically this means the following characteristics:
- completeness of reflection of transactions in accounting and reporting. This means that all transactions related to the current reporting period are reflected in the financial statements. For example, the work was completed in December of the current year, and the work completion certificate was signed in January of the next year, but it indicates that the work was carried out in December. Accordingly, expenses for the work specified in the act should be reflected in December of the current reporting period;
- presence, real existence of facts of economic activity. This is primarily expressed in the availability of supporting documents for transactions reflected in accounting (agreements, acts, invoices, resolutions of regulatory bodies, etc.);
- correctness and accuracy of calculation of reporting indicators. For example, this may mean that depreciation is calculated in accordance with accounting policies and accounting standards (for example, the depreciation method in proportion to production is applied methodologically correctly, or the estimate of the cost of inventories written off for production is calculated in accordance with the average cost method);
- assessment of reporting indicators. This means that assets, liabilities, income and expenses are reported based on valuations that comply with accounting rules. For example, goodwill is reflected taking into account possible impairment, or financial assets are reflected at fair value, or the provision for tax risks includes a full assessment of possible expenses for paying fines, penalties, etc.;
- obligations and rights, which mean that the reporting takes into account all existing obligations, including contingent ones, and also that the assets are reflected taking into account the rights the company has to them (for example, assets under long-term lease agreements are taken into account as an asset in the reporting ). Also, the company has the corresponding rights to all assets recorded in accounting; for example, assets recorded under leases are finance leases rather than operating leases;
- presentation of indicators in the reporting [all main forms must be presented (Statement of Financial Position, Statement of Comprehensive Income, Statement of Changes in Equity, Statement of Cash Flows) and all explanations to them, as well as disclose all information required by accounting standards].
The listed characteristics are often denoted in specialized literature by the abbreviation CEAVOP.

Organization of the internal control system

Business operations from the point of view of the internal control system are carried out within the framework of certain business processes (functionally interrelated activities carried out by company personnel to achieve its goals). For the effective operation of the internal control system, it is necessary that control be carried out not only at the stage of entering data into the accounting books, but also at all stages of business transactions. It is also necessary to have a transparent and effective control environment in all key business processes. Accordingly, building an internal control system should begin with an analysis of business processes where business transactions are carried out that affect the control environment.

Business process analysis

To do this, it is necessary to identify the main business processes in the company that directly affect the control environment and are the most important for the functioning of the company.
When identifying significant business processes, one should proceed from both material parameters (for example, the number of operations) and their significance for the functioning of the company. For example, for a trading company, inventory management will be important, while for an IT company this business process is not key.
Obviously, the composition of business processes may differ in each company, but there are a number of those that are present in any field of activity: general corporate management, personnel management and payroll settlements, cash management, settlements with suppliers, settlements with buyers and customers, financial reporting preparation, information technology.
Let us dwell in more detail on the business process “general corporate management”. From the point of view of the internal control system, it includes activities that create a control environment, i.e. conditions under which the system in question operates. This includes, in particular, the style and principles of company management; principles of risk management; organizational management structure; distribution of responsibilities and powers; personnel policy and principles of personnel management; issues of ethics, professional conduct; policy in the field of communications within the company (for example, from lower management to senior management).

Risk identification and analysis

Since the main goal of the ICS in the preparation of financial statements is to prevent or reduce the risk of distortion of its indicators, the next stage of building an ICS is the identification and analysis of risks.
Each of the business processes identified at the first stage as significant is analyzed from the point of view of the main risks present in the business process. Next, the degree of influence of the identified risks on the financial statements, as well as the likelihood of an error, is assessed.
To identify risks, a description of the business process is carried out by interviewing employees involved in this business process, as well as an analysis of the documentation that is used in it. In other words, it describes how this process works, who is involved in it, who is responsible for what and what actions it performs, how these actions are documented, and the document flow of the business process is analyzed. For example, when analyzing the “cash management” business process, interviews are carried out with cashiers, the chief accountant, the financial director, and the accountant responsible for accounting in the “cash” section. At the same time, documents generated during transactions with funds are also analyzed.
The next step is to identify existing controls aimed at minimizing or preventing risk.
Types of control are analyzed from the point of view of their design. If the analysis process reveals weaknesses in the control design or risks that are not covered by the control, changes to the design are developed or additional types of control are introduced.
The result of the analysis of risks and existing controls is the construction of the so-called risk and control matrix.
We note that identified control deficiencies need to be examined to determine their significance. So, if the volume of operations in a particular problem area is small and there are no plans to increase it, then there is no point in wasting time on control activities in this area.
After the matrix has been compiled and recommendations for changing existing controls have been developed, measures must be taken to implement the recommendations: development of forms of internal documents provided for in the recommendations; making changes to the IT system (for example, adding new users with rights to view only, i.e. with an “audit” function without the right to make changes to records), to the structure of rights of existing users, to other system settings; redistribution of duties and powers of employees; formalization of procedures for authorizing operations.
In order for control procedures to be carried out regularly (in other words, for the operational efficiency of control to be high), everything must be documented in the form of regulations for each of the analyzed business processes based on functionality.
For example, the “general corporate governance” process should include policies and regulations of the highest and general level: the company’s code of ethics; regulations for the formation and work of the audit committee; regulations on personnel policy, personnel selection; privacy policy; regulations for risk assessment in the company; communication regulations regarding violation of company rules, confidentiality, etc.; documents defining the limits of authority of managers at various levels on financial issues (for example, the limit on approving payment of expenses); regulations defining the powers of management bodies (for example, regulations on the board of directors).
Regulations on the “IT” business process should cover the following issues: access to information; data storage and backup; updating IT systems; protection against unauthorized copying; removing users from the system.
Regulations on the business process “preparation of financial statements” should cover at least such areas as: formation of accounting policies; changing the chart of accounts; procedure for closing accounting books for the reporting period; procedure for analyzing changes in legislation; distribution of responsibilities and powers between financial and accounting services; reconciliation with external counterparties and with group companies (during consolidation); review of reports before their release.
In general, regulations should reflect: the powers and responsibilities of the relevant employees of the relevant departments; document flow; procedure for making changes to regulations; terms and procedure for storing documentation; detailed description of control procedures and frequency of their implementation.

Audit trail in control

It is important to have an audit trail in control (the term used means that control procedures are documented). In addition to the usual primary documents that the accounting department works with and which contain the signatures of authorized persons confirming the authorization of the transaction, internal documents will be required that will record the implementation of procedures. Such documents may be checklists containing control questions about the implementation of the procedures provided for by the regulations, as well as the signatures of the performer and the person checking this checklist.
The control sheets must indicate the performer and the person who checked the control sheet, the date of filling out and checking the sheet.
Internal control regulations and all internal forms of documents thereto must be approved by management. For this purpose, there must be a separate regulation for the approval of regulations and the adoption of changes to them. Also, all regulations must be brought to the attention of the relevant departments; it is advisable to formalize this with the signatures of the relevant employees of the departments.

Automated control

An important component of the ICS is the IT system used by the company.
After developing the design of the ICS and its implementation, it is important to ensure the operational efficiency of the ICS and the continuous implementation of control procedures. To do this, it is necessary to document the procedures performed and carry out monitoring activities.
As a rule, monitoring is performed by the internal audit service. In its absence, certain monitoring activities may be carried out by the financial service. Monitoring should include both the completeness and consistency of implementation of control procedures, and periodic analysis of the compliance of existing procedures with current risks and business processes, since business processes and risks may change over time.
To summarize, we can highlight the following main points that affect the efficiency of the internal control system.
Firstly, the system must cover all key business processes of the company, and not just the reporting preparation process itself. Accordingly, the construction of an internal control system should begin with an analysis of business processes.
Secondly, control is built on the basis of a risk matrix and is designed in such a way as to reduce the risks of reporting distortion. This should take into account which reporting characteristics are affected by a specific risk and a specific business process.
Thirdly, each type of control must be thought out from the point of view of its design, i.e. the inherent ability to minimize risks, provided that all control procedures are carried out as intended. Where possible, preference should be given to preventive automated control.
Fourth, the control design must be documented in regulations, which must contain a detailed description of control procedures, the powers and responsibilities of the persons involved, the forms of documents used in control procedures, as well as a document flow schedule.
Fifthly, to ensure the operational efficiency of the internal control system, all control procedures must be documented. Monitoring activities aimed at verifying the consistency of implementation of control procedures are necessary.
Sixthly, monitoring should include periodic analysis of the internal control system for design obsolescence, i.e. determining the degree of compliance of existing types of control with current business processes.

Literature

1. National intstrument 52-109 - Certification of Disclosure in Issuers" Annual and Interim Filings // http://www.osc.gov.on.ca (accessed October 27, 2015).
2. Sarbanes-Oxley Act // http://www.soxlaw.com (accessed October 27, 2015).
3. International standard on auditing 240 “The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements” // https://www.frc.org.uk (accessed October 27, 2015).

document status: materials for the CPT meeting

developer organization: PJSC Megafon

Explanation X/2013

"Organization of the internal control system"

1. General provisions

1.1 This Policy determines the procedure for organizing and functioning of the internal control system (hereinafter referred to as the internal control system) in the Company, including describing the purpose and objectives of the internal control system, as well as the roles and responsibilities of its subjects.

1.2 This Policy has been developed taking into account the requirements and recommendations of:

• the current legislation of the Russian Federation (including Article 19 of Law No. 402-FZ “On Accounting”);
• internal regulatory documents of the Company;
• Code of Corporate Conduct of the Federal Financial Markets Service of the Russian Federation;
• leadership of the Committee of Sponsoring Organizations of the Treadway Commission “Internal Control. Integrated Model" (1992).

2. Definition and objectives of internal control

2.1 Internal control is a continuous process carried out by all employees and management of the Company at all levels of management, aimed at providing conditions for achieving the Company’s goals in the following areas:

• efficiency and effectiveness of the financial and economic activities of the Company;
• safety of assets;
• compliance with legal requirements, regulations, internal documents of the Company and other applicable regulatory requirements;
• reliability of financial statements.

2.2 Internal control system(SVK) - a system of organizational measures, policies, instructions, as well as control procedures, norms of corporate culture and actions taken by the Board of Directors, management and employees of the Company to ensure proper conduct of business activities: to ensure the financial stability of the Company, achieving an optimal balance between its growth cost, profitability and risks, for the orderly and efficient conduct of business activities, ensuring the safety of assets, identifying, correcting and preventing violations, timely preparation of reliable financial statements and, thereby, increasing investment attractiveness.

2.3 The organization of the internal control system in the Company is based on a risk-based approach. It means the close integration of the internal control system with risk management processes, which ensures the timely and effective application of risk management methods using effective mechanisms of the internal control system. At the same time, the Company's management and its employees are concentrating efforts to build and improve the internal control system, primarily in those areas of activity that are characterized by the highest level of risks.

2.4 Internal control system over the process of preparing financial statements(SVKFO) - a system of organizational measures, policies, instructions, as well as control procedures, norms of corporate culture and actions taken by the Board of Directors, management and employees of the Company to achieve goals in the field of preparing reliable financial statements.

2.5 The objectives of the functioning of the internal control system in the Company are:

• Assistance in protecting the interests of shareholders, investors and clients, preventing and eliminating conflicts of interest, supporting effective management of the Company and achieving strategic goals in the most effective way;
• Creation of conditions to protect the Company from internal and external risks arising in the course of its activities, as well as the risks of preparing the Company’s financial statements;
• Assistance in ensuring compliance by the Company with the requirements of legislation and regulatory documents of the Company;
• Creating conditions for the timely preparation and provision of reliable financial, accounting, statistical, management and other reporting for external and internal users;
• Assistance in ensuring the safety of assets and efficient use of the Company's resources and potential.

3. Operating principles and components of the ICS

3.1 The organization and functioning of the ICS in the Company is based on the following key principles:

• Integration- The ICS is an integral part of the Company’s corporate governance and is integrated into its processes and daily operations. The ICS includes procedures for informing management at the appropriate level of management about any significant violations of financial and economic activities, deficiencies and control weaknesses that have been discovered, along with an analysis of their causes, details of the corrective actions that have been taken or that should be taken;
• Continuity- The internal control system operates on an ongoing basis, continuously and at all levels of management, which allows the Company to promptly identify deviations in the internal control system and prevent their occurrence in the future;
• Methodological unity - ICS processes are implemented on the basis of uniform requirements and approaches for all divisions of the Company;
• Integrity/complexity- The ICS operates at all levels and in all divisions of the Company, covering all subjects of internal control and areas of activity and, accordingly, all risks:
  • The responsibility for building and maintaining a reliable and effective internal control system lies with managers at all levels of management of the Company;
  • Control procedures exist in all business processes and at all levels of management;
  • Each employee of the Company knows, understands and fulfills his role in the internal control system

• Responsibility- all employees and management at all levels of the Company are responsible for the functioning of the internal control system within the limits of their powers;
• Risk-oriented- The ICS in the Company is in close cooperation with the risk management system, which contributes to the timely and effective implementation of measures to influence risks. When analyzing control procedures, one should assess the magnitude and likelihood of risks occurring, the degree of their influence on the results of financial and economic activities and the achievement of the Company’s goals, which allows one to draw a conclusion about the sufficiency of existing control procedures, or the need to develop and implement new ones.
• Optimality - the volume and complexity of control procedures used in the Company are necessary and sufficient for effective risk management and achievement of the Company’s goals. Resources and costs for the implementation and subsequent operation of control procedures should not exceed the consequences of risk implementation (cost-economic effect ratio), and the total level of residual risk should correspond to the Company’s risk appetite.
• Segregation of duties- the Company differentiates the rights and responsibilities of subjects of internal control depending on their attitude to the processes of development, approval, application and monitoring of the internal control system. It is not allowed for one employee/unit to simultaneously be entrusted with the following powers:
  • approval of transactions with assets;
  • carrying out transactions with assets;
  • accounting/registration of transactions;
  • checking the correctness, completeness and fact of the transaction and ensuring the safety of assets.

• Formalization- ICS should be formalized:
  • risks and controls for all significant business processes affecting the achievement of the Company’s goals are described;
  • the results of control procedures are documented and stored (primary documents, reports, transaction logs, etc.);

3.2 Relevance and development- all documentation on the internal control system (description of risks, controls, and other information) must be updated in a timely manner and constantly improved in order to increase the efficiency of risk management. Top management provides conditions for the continuous development of the internal control system, taking into account the need to solve new problems arising as a result of changes in internal and external operating conditions. The basis for the organization and functioning of the internal control system in the Company are the following components:

• Control environment;
• Risk assessment;
• Controls;
• Information and communications;
• ICS monitoring.

A detailed description of the components of the ICS is given in Appendix 1 of this Policy.

4. Subjects of internal control and their functions

4.1 The Company’s internal control system is determined by a combination of objects and subjects. The objects of the ICS are the financial and economic activities of the Company's divisions. Subjects of internal control are determined by this Policy and other regulatory documents of the Company in the field of internal control.

4.2 The composition of subjects of internal control is determined by the organizational structure of the Company and includes:

• Board of Directors;
• Audit Committee;
• General Director;
• Internal control division;
• Heads of structural divisions and employees of the Company.

4.3 Board of Directors- determines the general directions of organizing the internal control system in the Company, analyzes the overall effectiveness and compliance of the internal control system with the nature, scale and conditions of the Company’s activities in the event of their change - considers the results of assessing the effectiveness of the internal control system, identified significant deficiencies and recommendations for their elimination. Approves the internal control policy and changes to it.

The functions and tasks of the Board of Directors in relation to the internal control system are set out in the regulations on the Board of Directors of the Company.

4.4 Audit Committee of the Board of Directors- evaluates compliance with the principles of internal control and risk management and the overall effectiveness of the internal control system in the Company (including based on reports from the internal audit and internal control departments), makes recommendations for improving the internal control system.

The functions and tasks of the Audit Committee of the Board of Directors are set out in the relevant regulations on the Audit Committee of the Company.

4.5 CEO- is responsible for organizing and maintaining the functioning of an effective internal control system in the Company and monitoring the functioning of the internal control system, including:

• Determines the directions for development and improvement of the internal control system in the Company;
• Approves the Regulations on the internal control system, the Regulations for diagnosing and improving the internal control system and other regulatory documents in the field of internal control systems;
• Reviews the results of the work of the internal control structural unit, including the results of diagnostics of the internal control system;
• Establishes responsibility for implementing senior management decisions in the area of ​​internal control;
• Reviews and approves an action plan to eliminate deficiencies in the internal control system.

4.6 Internal Audit Division- carries out an independent assessment of the effectiveness of individual components of the ICS, the ICS of the audited objects and the Company’s ICS as a whole and develops recommendations to improve its reliability and efficiency, including:

• Checks the compliance of the activities of departments and employees with regulatory documents that determine the procedure for organizing and functioning of the internal control system;
• Assesses the compliance of the content of regulatory documents regulating the organization and functioning of the internal control system with the nature and scale of the Company’s activities;
• Identifies facts of violations, analyzes the reasons for their occurrence and develops recommendations for improving existing and/or introducing new control procedures to prevent recurrence of violations;
• Monitors the timely and complete elimination of identified violations and shortcomings;
• Carries out quality control of the diagnostic process of the internal control system in the Company, carried out by management and employees;
• Advises on improving internal control.

4.7 Tasks Internal control units are:

Coordination of activities to form and maintain the effectiveness of the internal control system;

• Methodological support for internal control systems;
• Organization of the process of diagnostics of SVC in the Company:
• Preparation of plans for the development and improvement of the internal control system in the Company;
• Maintaining and keeping the ICS infrastructure up to date (registers of risks, control procedures and business processes);
• Monitoring the implementation of the action plan to eliminate deficiencies and improve the internal control system, incl. quality control of elimination of deficiencies;
• Informing all ICS participants about changes in approaches, documentation and other requirements in the field of ICS;
• Organization of preparation of personnel training programs on organizing and improving the internal control system.

The functions, tasks and powers of the structural unit for coordinating the Company's internal control system are defined in the relevant Regulations.

4.8 Managers and employees of structural divisions are responsible for the formation, maintenance and constant monitoring of the internal control system in the relevant functional areas of activity of divisions throughout the management vertical, and also carry out control procedures in accordance with their official responsibilities, including:

• timely identification and analysis of risks in the financial and economic activities of the Company;
• development, formalization, as well as subsequent execution and ensuring the effectiveness and sufficiency of control procedures within the framework of their business processes;
• updating the description of the internal control system and timely informing the internal control unit about changes;
• monitoring the functioning of internal control systems, as well as independent assessment of the effectiveness of the control procedures they perform;
• informing management about any committed or possible errors/deficiencies that have led or may lead to potential negative events;
• completion of training in the field of internal control and risk management in accordance with the approved training program.

4.9 The Company ensures the creation of effective channels for information exchange, including both vertical and horizontal communications, in order to form among all subjects of internal control an understanding of the normative documents adopted in the organization and functioning of the internal control system and ensuring their implementation.

4.10 Information about the operation of the internal control system, about deficiencies found and other significant circumstances is provided to the Board of Directors, the Audit Committee of the Board of Directors, the General Director, the Management Board or other bodies in accordance with existing legal requirements and regulatory documents of the Company.

5. Roles

5.1 To ensure the effective functioning of the internal control system, the following roles are distributed among the managers and other employees of the Company:

• Process/Risk Owner
• ICS Coordinator

• Control executor

5.2 Process/Risk Owner- head of the unit/department who is responsible for:

• for the effective functioning of all components of the ICS ( see ICS components in Appendix 1) in terms of covering the risks of business activities and preparing financial statements within the framework of their business processes/risks;
• for appointing control executors and assigning responsibility for the implementation of these procedures in the job descriptions of the relevant employees;

• for ensuring the execution and documentation of controls by control executors in accordance with the documentation on the internal control system;
• for identifying changes in processes, risks or controls that require changes to the ICS documentation and informing the employees of the Internal Control Unit / ICS Coordinator in the relevant department about this;
• for timely approval of documentation on internal control systems (detailed description of risks, unified and adapted controls and other information);
• for eliminating deficiencies in the internal control system identified as a result of testing or monitoring.

5.3 Control executor- an employee of any level who is responsible for:

• for timely and high-quality implementation of control procedures in accordance with the ICS documentation;
• for notifying, if necessary, the deputy control executor and an employee of the Internal Control Division about the need to perform the relevant control procedure instead of the executor;
• for timely approval of documentation on the internal control system (detailed description of risks, controls and other information);
• for performing procedures for self-assessment of the effectiveness of the internal control system;
• for identifying changes in processes, risks or controls that require changes to the ICS documentation and informing the risk/process owner, the ICS Coordinator in the relevant department and the employees of the Internal Control Unit about this;
• for eliminating the shortcomings of the internal control system identified as a result of testing and monitoring.

5.4 ICS Coordinator An employee in each department who is responsible for:

• for organizing and coordinating the process of functioning of the internal control system within the relevant department;
• for monitoring the quality of implementation and documenting control procedures in terms of controls performed in the relevant department;
• for the relevance of documentation on the internal control system in relation to the relevant structural unit;
• for informing the Internal Control Unit about the need to change the ICS documentation (changes in processes, risks or controls, including proposing new wording regarding risks, controls and other information).

6. Requirements and responsibilities in ensuring the effectiveness of the internal control system

6.1 Internal control is an integral part of the functioning of any division of the Company.

6.2 All employees are responsible for the functioning and ensuring the effectiveness of the Company’s internal control system.

6.3 The Company’s management must convey to employees the importance of having and ensuring the effective functioning of the internal control system, as well as the role of each employee in this system, including the following basic requirements:

• No employee, directly or indirectly, may allow or cause the intentional falsification of accounting, management or other reporting data.
• No changes can be made to accounting data if it is known that these changes may distort the essence of the relevant transactions.
• No amounts/accounts/transactions may be concealed for the purpose of underreporting.
• All employees of the Company are obliged to preserve the Company's assets and ensure their effective use.

6.4 If an employee of the Company has information about the shortcomings or ineffectiveness of internal control procedures, he must immediately report this to his immediate supervisor, as well as the heads of the internal control and internal audit departments.

6.5 If an employee intentionally fails to comply with this Policy and does not comply with control procedures for which he is responsible, disciplinary action will be applied to this employee, up to and including dismissal, in accordance with the requirements of current legislation.

7. Monitoring the effectiveness of the internal control system

7.1 The purpose of monitoring is to assess the effectiveness of the Company’s internal control system, including its ability to ensure the fulfillment of its goals and objectives, as well as to determine the significance of the system’s deficiencies.

7.2 Monitoring the system of internal control over financial reporting includes:

• the implementation by the management of divisions of constant monitoring of the implementation of control procedures in the divisions reporting to them;
• Conducting a self-assessment of the internal control system in the Company;
• carrying out periodic checks of the implementation of control procedures and checks of compliance of operations with legal requirements and the provisions of the organization’s regulatory documents by the internal audit unit;
• assessing the effectiveness of the internal control system over the process of preparing financial statements by an external auditor
• timely communication of information about identified deficiencies in the internal control system over financial reporting to stakeholders within the management vertical.

7.3 Self-assessment of the effectiveness of the internal control system (hereinafter referred to as self-assessment of the internal control system) is carried out directly by the subjects of the internal control system by:

• Distribution of questionnaires - used to collect information about the efficiency of the internal control system and changes in business processes from employees and managers of the Company's departments.
• Monitoring the status of the internal control system is the process of checking the completeness, timeliness of implementation and correctness of documentation of the control system.
• Assessing the effectiveness of control procedures - analysis of the effectiveness of the description and execution of control, as well as analysis of the sufficiency of control procedures (assessment of the extent to which control, subject to its effective implementation, can effectively reduce the risks associated with it).

7.4 Regular assessment of the ICS helps improve its effectiveness by:

• timely identification of changes in business processes, design or stages of control procedures;
• increasing the motivation of Control Performers and their Managers through direct participation in improving the internal control system and constant monitoring of the quality of control implementation;
• providing an information base to the Company’s management to confirm the effectiveness of the internal control system.
  

7.5 The results of the ICS assessment must be documented and presented to the management of the Company and the Audit Committee of the Board of Directors:

• The internal audit unit prepares a report based on the results of the internal control system assessment;
• The external auditor prepares a letter to management about significant deficiencies identified based on the results of an external independent assessment of the internal control system;
• The internal control division prepares a report based on the results of self-assessment of the internal control system carried out by the structural divisions of the Company.

8. Making additions and changes to the Policy

8.1 When changes and additions are made to legislative acts, regulatory requirements and regulatory documents of the Company regulating the functioning of the internal control system, changes and additions to this Policy can only be made by duly executed decisions of the Board of Directors of the Company. The Board of Directors of the Company may also decide to approve a new version of the Policy.

Annex 1. ICS components according to the COSO methodology

Internal control, according to the COSO Internal Control-Integrated Framework, consists of five interrelated components that come from the way business is conducted and are associated with the process of its management. The five components include:

Control medium: The control environment creates an atmosphere in the organization that influences staff's awareness of the importance of performing controls. It is the basis for all other components of internal control, providing orderliness and discipline. Control environment factors include integrity, ethical values, management style, the distribution of authority and responsibilities, as well as the management and development processes of the organization's personnel. Also, the effectiveness of the control environment depends on the attention to this issue on the part of the Board of Directors.

Risk assessment: Every organization faces different external and internal risks that need to be assessed. A prerequisite for risk assessment is the definition of goals, therefore risk assessment implies the identification and analysis of relevant risks associated with achieving established goals. Risk assessment is a prerequisite for risk management.

Controls: Controls are the policies and procedures that ensure management's decisions are carried out. They help ensure that necessary actions are taken against risks that may prevent the organization from achieving its goals. Controls are implemented throughout the organization, at all levels and across all functions. They include a range of activities such as approvals, permits, inspections, reconciliations, reports on ongoing activities, asset preservation and segregation of duties.

Information and communication: All necessary information must be identified, formulated and promptly communicated to the appropriate employees so as to ensure that they are able to fully perform their job duties. Information systems also play an important role in internal control because they contain financial, operational and compliance information to help manage and control the business. The issue is not only in terms of disseminating internal company information, but it is also important to inform employees about external events and activities that are necessary to make various decisions. Effective communication in a broader sense must ensure information flows down and up and between departments throughout the organization. It is important that company personnel receive a clearly articulated position from senior management about the importance of fulfilling their responsibilities regarding internal control. It is also important that each employee clearly understands his role in the internal control system, and how the result of his work is related to the activities of other employees. Personnel must be aware of the need to communicate all important information to company management. Effective communication on matters related to the interests of the company must also be ensured with external parties, for example, customers, suppliers, regulators and shareholders.

Monitoring: The internal control system requires monitoring - a process of periodic assessment of the quality of its work. This is achieved through constant monitoring of the quality of execution of certain operations, through separate checks to assess the effectiveness of a particular process, or through a combination of these two options. Continuous monitoring is carried out on a daily basis, incl. activities for the management and management of relevant processes, as well as other activities within the framework of personnel performance of their duties. The scope and frequency of individual audits depends on the level of assessment of the relevant risks, as well as the results of ongoing monitoring of these operations. Internal control deficiencies identified during monitoring should be brought to the attention of management, and the most significant observations should be communicated to senior management and the Board of Directors.

The close relationship of these components ensures the formation of an integrated system that is able to quickly respond to emerging challenges. The internal control system is an integral part of operating activities. The most effective internal control system is if controls are built into the organization's infrastructure and are part of its essence. Built-in controls enhance the quality and effectiveness of activities, and also help to avoid additional costs and allow you to respond more quickly to certain events.

“COSO - The Committee of Sponsoring Organizations of the Treadway Commission, USA”

Committee of Sponsoring Organizations of the Treadway Commission(English) The Committee of Sponsoring Organizations of the Treadway Commission, COSO) is a voluntary, private, organization established in the United States and designed to provide appropriate advice to corporate management on critical aspects of organizational governance, business ethics, financial reporting, internal controls, corporate risk management and anti-fraud.

The procedure for organizing and conducting internal financial control in an institution must be enshrined in its accounting policies. The article uses an example to examine the structure and main sections of the regulations on internal control in an organization.

By virtue of Art. 19 of the Federal Law of December 6, 2011 No. 402-FZ “On Accounting” and paragraph 6 of Instruction No. 157n, law enforcement agencies are required to organize internal control of the facts of economic life. Internal financial control is aimed at creating a system of compliance with the legislation of the Russian Federation in the field of financial activities, internal procedures for drawing up and executing the budget, improving the quality of preparation and reliability of budget reporting and maintaining budget accounting, as well as increasing the efficiency of using federal budget funds. The procedure for exercising such control must be approved when the institution forms its accounting policy. We will talk about what such a provision should contain in the article.

Let us note once again that the procedure for organizing and conducting internal financial control in an institution must be enshrined in its accounting policies. In this case, the institution can formulate its accounting policy by issuing separate regulations.

The procedure for organizing and conducting financial control may be issued by a separate order.

Internal financial control can be carried out in the following ways:

• a structural unit is created in the institution (internal financial control department reporting to the head of the institution) or the position of an auditor is introduced (also with direct reporting to the head of the institution);
• a permanent commission is created in the institution, which will be entrusted with the implementation of this control;
• the implementation of internal financial control is entrusted to employees of the institution’s structural divisions (for example, employees of financial and personnel services). In such a situation, internal control will be carried out within the framework of preliminary and ongoing control activities.

The choice of control structure option depends on the expected scope of work, the financial and organizational capabilities of the institution (it is not always possible to introduce additional rates), the structural features of the institution, the competence of specialists, etc.

In this case, internal financial control should include the following types.

Thus, preliminary and current control will be carried out directly by employees of the institution as part of their official duties, and subsequent control can be carried out both by the control department (auditor) and by the internal control commission.

Ideally, it is necessary to ensure that the institution exercises all types of control:

• establish procedures for coordinating certain documentation both with legal services and other interested departments, and with the relevant deputy heads of the institution;
• assign to employees of financial and other services the obligation to carry out ongoing control over the financial documentation compiled by them;
• create a financial control department in the institution (introduce the position of an auditor) or a commission for the implementation of financial control.

The structural divisions of the institution organize internal financial control at the following levels:

• employee level - control functions are performed within the framework of job responsibilities in accordance with the principles of consistency, continuity, efficiency and mass participation;
• structural unit level - regular operations and internal financial control procedures are carried out by department employees, senior employees, and department heads.

The chosen method of exercising control must be fixed in the regulations on the procedure for implementing internal financial control, while the activities of the internal control department (auditor) will also be regulated by the regulations on the internal control department.

For your information

This document is approved by order of the head of the institution and is an important legal act that determines the formation procedure, legal status, responsibilities, and organization of the work of the internal control department (auditor).

The division of powers and responsibilities of the bodies involved in the functioning of the internal control system is determined by the internal documents of the institution, including regulations on the relevant structural divisions, as well as the organizational and administrative documents of the institution and job descriptions of employees.

When developing these documents, it is necessary to establish the rights and responsibilities of inspectors and department employees who will be affected by the inspections.

I approve

Head of the institution

________________ / I. I. Ivanov /

Regulations on internal financial control

1. General Provisions

1.1. This Regulation has been developed in accordance with the legislation of the Russian Federation (Federal Law dated December 6, 2011 No. 402-FZ “On Accounting”, Order of the Ministry of Finance of the Russian Federation dated December 1, 2010 No. 157n “On approval of the Unified Chart of Accounts for public authorities (state bodies) , local government bodies, management bodies of state extra-budgetary funds, state academies of sciences, state (municipal) institutions and Instructions for its application") and the charter of the institution. The Regulations on Internal Financial Control establish common goals, rules and principles for organizing and conducting internal financial control activities in an institution.

1.2. The goals of internal financial control are to confirm the reliability of budget accounting and reporting of the institution, compliance with the current legislation of the Russian Federation regulating the procedure for carrying out financial and economic activities. The internal control system is designed to ensure:

• accuracy and completeness of accounting documentation;
• timely preparation of reliable financial statements;
• prevention of errors and distortions;
• execution of orders and instructions of the head of the institution;
• implementation of financial and economic activity plans (budget estimates) of the institution;
• safety of the institution's property.

1.3. The objectives of internal control are:

• establishing compliance of ongoing financial transactions in terms of financial and economic activities and their reflection in budget accounting and reporting with the requirements of regulatory legal acts;
• establishing compliance of ongoing operations with regulations and the powers of employees;
• compliance with established technological processes and operations when carrying out functional activities;
• analysis of the institution’s internal control system, allowing to identify significant aspects affecting its effectiveness.

1.4. Internal control in an institution should be based on the following principles:

• the principle of legality - strict and precise compliance by all subjects of internal control with the norms and rules established by the regulatory legislation of the Russian Federation;
• principle of independence – subjects of internal control, when performing their functional duties, are independent of the objects of internal control;
• principle of objectivity - internal control is carried out using actual documentary data in the manner established by the legislation of the Russian Federation, through the use of methods that ensure the receipt of complete and reliable information;
• principle of responsibility - each subject of internal control is responsible for improper performance of control functions in accordance with the legislation of the Russian Federation;
• the principle of consistency - carrying out control measures of all aspects of the activity of the object of internal control and its relationships in the management structure.

1.5. When implementing internal control measures, those conducting it may use:

• general scientific methodological methods of control (analysis, synthesis, induction, deduction, reduction, analogy, modeling, abstraction, experiment, etc.);
• empirical methodological methods of control (inventory, control measurements of work, test runs of equipment, formal and arithmetic checks, counter checks, counting back method, method of comparing homogeneous facts, internal investigation, examinations of various types, scanning, logical checks, written and oral surveys, etc. .);
• specific techniques of related economic sciences (techniques of economic analysis, economic and mathematical methods, methods of probability theory and mathematical statistics).

1.6. Internal control in an institution can be carried out by:

2. Organization of internal financial control

2.1. Internal financial control in an institution is carried out in the forms of preliminary, current and subsequent control.

2.1.1. Preliminary control is carried out before the start of a business transaction. It allows you to determine how appropriate and legal a particular operation will be. Preliminary control is carried out by the head of the institution, his deputies, and employees of the legal department. As part of preliminary control, the following actions are carried out:

• control over the preparation of financial planning documents (calculations of the need for financial resources, financial and economic activity plan, etc.). These actions are carried out by the manager, chief accountant;
• their approval, coordination and settlement of disagreements;
• verification and approval of draft agreements (contracts) by legal service specialists and the chief accountant;
• preliminary examination of documents (decisions) related to the expenditure of financial and material resources, carried out by a financial and economics consultant, chief accountant, heads of departments, and the internal control commission.

2.1.2. Current control consists of conducting day-to-day analysis of compliance with procedures for budget execution, drawing up budget (accounting) reporting and maintaining budget (accounting) records, monitoring the targeted expenditure of funds from the regional (federal or municipal) budget by subordinate institutions, assessing the efficiency and effectiveness of spending budget funds to achieve goals, objectives and target forecast indicators of management units and subordinate institutions.

During current control, the following activities are carried out:

• checking expense documents before payment (settlement and pay slips, payment orders, invoices, etc.). The fact of control is the authorization of documents for payment;
• checking the availability of funds in the cash register;
• checking the completeness of the posting of cash received from the bank;
• checking the availability of accountable persons with funds received on account and (or) supporting documents;
• control over the collection of receivables and repayment of accounts payable;
• reconciliation of analytical accounting with synthetic accounting (turnover sheet);
• checking the actual availability of material resources.

Current control is carried out on an ongoing basis by specialists from the accounting and reporting departments of the institution, the economic department, the deputy head of the institution responsible for the financial and economic block, and the internal control commission.

2.1.3. Subsequent control is carried out based on the results of business transactions. It is carried out by analyzing and checking accounting documentation and reporting, conducting inventories and other necessary procedures. To carry out subsequent control, an internal control commission is created in the institution, the composition of which is determined in the appendix to this Regulation. The composition of the commission may change.

Follow-up control methods are:

• sudden audit of the cash register;
• checking the receipt, availability and use of funds in the institution;
• documentary checks (audits) of completed operations of the financial and economic activities of the institution.

The budget (accounting) accounting monitoring system includes checking:

• compliance with the requirements of the legislation of the Russian Federation regulating the procedure for carrying out financial and economic activities;
• accuracy and completeness of preparation of documents and accounting registers;
• preventing possible errors and distortions in accounting and reporting;
• execution of orders and instructions from management;
• safety of financial and non-financial assets of the institution.

2.2. Subsequent control is carried out through both scheduled and unscheduled inspections. Scheduled inspections are carried out at intervals established by the inspection plan approved by the head of the institution.

The main objects of scheduled inspection are:

• compliance with the legislation of the Russian Federation governing accounting procedures and accounting policies;
• correctness and timeliness of reflection of all business transactions in budget accounting;
• completeness and accuracy of documentation of transactions;
• timeliness and completeness of inventories;
• reliability of reporting.

During an unscheduled inspection, control is carried out on issues in relation to which there is information about possible violations.

2.3. Persons responsible for conducting the inspection analyze the identified violations, determine their causes and develop proposals for taking measures to eliminate them and prevent them from happening in the future.

The results of preliminary and current control are formalized in the form of memos addressed to the head of the institution, which may contain a list of measures to eliminate shortcomings and violations, if any, as well as recommendations for avoiding possible errors.

2.4. The results of the subsequent control are drawn up in the form of an act, which is signed by all members of the commission and sent with an accompanying memo to the head of the institution. The inspection report must include the following information:

• inspection program (approved by the head of the institution);
• the nature and condition of accounting and reporting systems;
• types, methods and techniques used in the process of carrying out control activities;
• analysis of compliance with the legislation of the Russian Federation regulating the procedure for carrying out financial and economic activities;
• conclusions about the results of control;
• a description of the measures taken and a list of measures to eliminate shortcomings and violations identified during subsequent monitoring, recommendations for avoiding possible errors.

Employees of the institution who have committed shortcomings, distortions and violations provide written explanations to the head of the institution on issues related to the results of the control.

2.5. Based on the results of the inspection, the chief accountant of the institution (or a person authorized by the head of the institution) develops an action plan to eliminate identified deficiencies and violations, indicating the deadlines and responsible persons, which is approved by the head of the institution.

Upon expiration of the established period, the chief accountant immediately informs the head of the institution about the implementation of measures or their non-fulfillment, indicating the reasons for non-fulfillment.

3. Subjects of internal control

3.1. The system of internal control subjects includes:

• the head of the institution and his deputies;
• Internal Control Commission;
• managers and employees of the institution at all levels;
• third-party organizations or external auditors engaged to audit the financial and economic activities of the institution.

3.2. The division of powers and responsibilities of the bodies involved in the functioning of the internal control system is determined by the internal documents of the institution, including regulations on the relevant structural divisions, as well as the organizational and administrative documents of the institution and job descriptions of employees.

4. Rights and obligations of subjects of control

4.1. During the implementation of internal financial control, subjects of control have the right:

• access to documents, databases and registers directly related to the issues of conducting control activities;
• to receive information on issues included in the control program;
• to receive written explanations from officials of the institution on issues included in the control program;
• to have unhindered access (in compliance with the established procedure) to all office premises of the subject of internal control;
• to expand the range of areas (issues) of the inspection if such expansion is necessary when performing the main task.

4.2. Subjects of control are obliged to:

• have the necessary professional knowledge and skills;
• perform the duties provided for by job descriptions and regulations on the structural unit;
• comply with the requirements of the legislation of the Russian Federation when carrying out their activities;
• ensure the safety and return of original documents received at the internal control facility;
• maintain the confidentiality of information received in connection with the performance of official duties;
• prepare inspection materials in accordance with established requirements.

5. Responsibility

5.1. Subjects of internal control, within the framework of their competence and in accordance with their functional responsibilities, are responsible for the development, documentation, implementation, monitoring and development of internal control in the areas of activity entrusted to them.

5.2. Responsibility for the organization and functioning of the internal control system rests with the deputy head of the institution responsible for the financial and economic block.

5.3. Persons who have committed shortcomings, distortions and violations bear disciplinary liability in accordance with the requirements of the Labor Code of the Russian Federation.

6. Assessment of the state of the financial control system

6.1. Assessment of the effectiveness of the internal control system in an institution is carried out by subjects of internal control and is considered at special meetings held by the head of the institution.

6.2. Direct assessment of the adequacy, sufficiency and effectiveness of the internal control system, as well as monitoring of compliance with internal control procedures is carried out by the internal control commission.

Within the framework of these powers, the internal control commission submits to the head of the institution the results of audits of the effectiveness of existing internal control procedures and (if necessary) proposals for their improvement developed jointly with the chief accountant.

7. Final provisions

7.1. All changes and additions to these Regulations are approved by the head of the institution.

7.2. If, as a result of changes in the current legislation of the Russian Federation, certain articles of this Regulation come into conflict with it, these articles lose force and the provisions of the current legislation of the Russian Federation shall prevail.

Annex 1

Internal Control Commission

Appendix 2

to the Regulations on Internal Financial Control

Plan for conducting audits and inspections of financial and economic activities

Instructions for the application of the Unified Chart of Accounts for public authorities (state bodies), local governments, management bodies of state extra-budgetary funds, state academies of sciences, state (municipal) institutions, approved. By Order of the Ministry of Finance of the Russian Federation dated December 1, 2010 No. 157n.

Size: px

Start showing from the page:

Transcript

1 Internal control and reliability of financial reporting Speech by Anastasia V. Firsova, Head of Corporate and Open Programs Why internal control in many companies is ineffective Who is responsible for the effectiveness of the internal control system in relation to financial reporting? Who influences the formation of an internal control system in relation to the f/o? How and when do companies typically implement and maintain an internal control system? What do staff and managers need to maintain effective control over financial reporting? What do staff lack to maintain effective internal control? What does “fairly stated” financial statements mean? This means: with regard to the information presented in the reporting, management assertions are true in all material respects: Existence/occurrence Completeness Valuation or distribution Rights and obligations Presentation and data disclosure (presentation) HOCK Training

2 Internal control system objectives Control environment Assessment Control risk activities Control environment Information and communications Control environment Monitoring Control environment Operations Financial reporting Compliance The internal control system is the people, process and methodology for providing reasonable assurance that the company's objectives will be achieved What is risk? This is a probable event, an action that could negatively impact the company's ability to achieve goals and implement strategy. Goal/objective RISK Risk trigger Risk trigger Risk trigger Risk assessment - prioritization Impact medium high E I A C B H F G D M K low J L low average high Probability of occurrence HOCK Training

3 Goal - risk assessment control GOALS operational financial Risk identification => Risk assessment compliance => Actions of people or systems Supported by Policies and procedures Prevent problems in business processes that may prevent the achievement of goals and reduce associated risks financial Manual preventive business compliance automation roved detective Fraud-preventing operational Risks and controls. Inherent and residual risks. How is the risk reduced? Inherent risk ACCEPTABLE residual risk Effective controls Acceptable level of “residual” risk Inherent risk risk inherent in the business (susceptibility of the business to risks in the absence of controls) Residual risk degree of risk that remains after the implementation of control procedures HOCK Training

4 Control environment The control environment is the basis (foundation) of the internal control system Who is responsible for the quality of the control environment? Information and communications Getting the right information to the right people at the right time Internal events Information about internal work Financial information information External events Non-financial information Monitoring Effective monitoring Daily monitoring of operations (scorecards, KPIs, etc.) + Individual assessments ( testing of key controls) + Regular self-assessment Deviations are communicated in a timely manner to: - those responsible for corrective actions - HOCK Training top management

5 Control at the company level and at the operations level CONTROL Company level (priority) Operations level control environment risk management process monitoring of operating results monitoring of other controls (internal audit, Audit Committee, self-assessment programs) financial reporting process in at the end of the reporting period, policies approved by the Board regarding significant risk management and control general control over computer data processing approval, authorization (i.e. delegation of responsibility) review of execution (e.g. KPI) asset protection (i.e. physical control, inventory) separation of duties (storage authorization-accounting) reconciliations Level of operations. Business process parameters STRATEGY, standards, rules task Operational Financial Compliance Measurement: KPI input Business process Operation 1 Operation 2 Operation 3 result Analysis of the result RESOURCES (people, equipment, systems, premises) Process matrix. Format and content. Example Design of control procedures Management assumptions Control objectives Control description Link to process description COSO component Type of control (preventive/detective) Manual, combined, automatic Program Existence Business process Corresponding balance sheet Completeness Rights and responsibilities Assessment HOCK Training

6 Assessment of internal control in relation to financial reporting Business process 1 Business process 2 Business process 3... Business process N Information (source documents) Accounting register 1... Accounting register N Account 1... Account N Trial balance sheet Balance sheet Report on financial statements Management reporting Tax reporting during the reporting period As of the reporting date Assessment of the internal control system in relation to the financial statements Financial reporting Significant accounts f/o Main classes of transactions Significant processes Relevant management assumptions Control tasks / risks Audit of the Internal Control System in relation to Financial Reporting Assessing the effectiveness of control procedures Design assessment Functional assessment Review of documented procedures Walk-through testing program Testing identification of control deficiencies Report of results Remediation plan Identification of control deficiencies implementation Remediation plan implementation HOCK Training

7 Competence in the field of internal control. Why is it important. Knowledge volume of information and information (I am aware) Knowledge Skills Abilities competence Abilities and skills the ability to effectively perform certain activities based on existing knowledge in changed and new conditions. Skill is characterized primarily by the ability, with the help of knowledge, to comprehend available information, draw up a plan for achieving a goal, regulate and control the activity process. The skill includes and uses all related personality skills. Skill automated skill Why we are introducing a new direction “Corporate and open programs” To ensure competence in matters of internal control, risk management, corporate governance What we offer in the direction “Corporate and open programs” Corporate programs Integrated solutions for companies in the field of developing competence in VC, SD, CG Open programs in VC, SD, CG Our expertise: - knowledge of best practices (certification programs and experience of professionals) - experience of experts in the field of personnel development in internal control, risk management and corporate governance from Big4 HOCK Training

8 Integrated solutions for companies in the field of VC, SD, CG Integrated solutions: - are developed for the client’s task or problem - represent a set of tools for developing competence in the field of VC, SD, CG - are accompanied by the generation of a report for further development Knowledge transfer tools Individual coaching ( for top managers) Facilitated round table Work in groups (consideration of specific situations) Awareness session Open programs Our Open programs are workshop programs Topics: - Risk management system: how and when it works (2 days) - Internal control for reliable financial reporting (2 days) Tools: - Presentation - Facilitated discussion - Development of skills through work in groups Result: the program participant KNOWS, UNDERSTANDS, IS ABLE (can apply in practice) THANK YOU! HOCK Training

APPROVED by the decision of the Board of Directors of Gazprom Neft PJSC on February 10, 2017 (Minutes PT-0102/09 dated February 10, 2017) Internal control policy of Gazprom Neft PJSC 2017 1. GENERAL PROVISIONS

APPROVED by the Decision of the Board of Directors of JSC IDGC Holding dated December 29, 2011. (minutes 72) Internal control policy of JSC IDGC Holding Moscow 2011 Contents 1. General provisions.... 3 2. Main

APPROVED by the Decision of the Board of Directors of Kubanenergo JSC, minutes dated August 24, 2012 142\2012 Internal control policy of Kubanenergo JSC (new edition) 2012 Contents 1. General provisions... 3

APPROVED by the Decision of the Board of Directors of PJSC TGC-1 Minutes 3 dated October 3, 2016 Regulations on the internal control system of PJSC TGC-1 1. General provisions 1.1. Regulations on the internal control system

APPROVED: by decision of the Board of Directors of OJSC Uralkali Minutes of the meeting of the Board of Directors 179 dated April 16, 2007. REGULATIONS on the system of internal control of financial and economic activities of open

Interaction of subjects in the system and Common terms System System Audit function Compliance compliance system Audit commission Division Division System monitoring scheme: participants

1 Appendix 2 to the decision of the Audit Committee of the Board of Directors of IDGC of Volga PJSC on 02/16/2016 (minutes dated 02/18/2016 69) APPROVED by the Decision of the Board of Directors of IDGC of Volga PJSC on 03/10/2016 (minutes

Approved by the Board of Directors of JSC INTER RAO UES on April 29, 2011. Minutes dated May 3, 2011. 41 INTERNAL CONTROL POLICY OF JSC INTER RAO UES MOSCOW 2011 INTERNAL CONTROL POLICY OF JSC INTER

Public Joint Stock Company "Interregional Distribution Grid Company of the North-West" APPROVED by the Board of Directors of PJSC "IDGC of the North-West" dated 02/29/2016 (minutes 197/12) Management system

APPROVED by the decision of the Board of Directors of OJSC RTI dated December 05, 2014 (Minutes 4/2014-41, date of the minutes 08.12.2014) Chairman of the Board of Directors of OJSC RTI p/n E.M. Primakov REGULATIONS on the Internal System

Approved by the decision of the Board of Directors of OJSC Gazprom on February 25, 2014. 2315 REGULATIONS on the internal control system of OJSC Gazprom 1. GENERAL PROVISIONS 1.1. Regulations on the internal control system of OJSC Gazprom

APPROVED by the Decision of the Board of Directors of the Public Joint Stock Company "Mobile TeleSystems" on September 09, 2015, Minutes 238 REGULATIONS ON THE INTERNAL CONTROL SYSTEM OF THE PUBLIC JOINT STOCK COMPANY

Page 1 of 14 page 2 of 14 page 3 of 14 1. Subject. Goals and objectives of the course The subject of the course is in-depth special programs in certain areas of knowledge and sectors of the economy: regulatory and legal

1 Appendix 5 to the decision of the Board of Directors of IDGC of Centre, PJSC Minutes dated 03/01/2016 04/16 Internal control policy of IDGC of Centre, PJSC (new edition) P BP 1/03-02/2016 2016 Information about the document

APPROVED by the Decision of the Board of Directors of OJSC MTU Saturn dated 14/15/2015. (Minutes 9 of 04/16/15) Chairman of the Board of Directors of MTU Saturn OJSC /A.E. Podolsky/ REGULATIONS on the Internal Control System

APPROVED by the Board of Directors Minutes 176 December 16, 2014 REGULATIONS ON INTERNAL CONTROL OVER THE FINANCIAL AND ECONOMIC ACTIVITIES OF PJSC SIBUR HOLDING (version 4) Tobolsk 2014 1 CONTENTS

Approved by the decision of the Board of Directors of JSC Rosseti dated April 28, 2014 (minutes 151) Risk management policy of JSC Rosseti (new edition) Moscow, 2014 Contents 1. General provisions... 3 2. Terms

Internal control system in OJSC Bank BelVEB and the banking holding company, the parent organization of which is OJSC Bank BelVEB In accordance with the requirements of the legislation of the Republic of Belarus in OJSC

Testing the effectiveness of the internal control system Rakhmankulov I.Sh. Doctor of Economics, Professor of the Department of Production Organization of the Kazan State Financial and Economic Institute

APPROVED by the Decision of the Board of Directors of PJSC NK "RussNeft" on December 24, 2018 (Minutes 19 of December 25, 2018) PUBLIC JOINT STOCK COMPANY OIL AND GAS COMPANY "RUSSNEFT" INTERNAL CONTROL POLICY Moscow, 2018

REGULATIONS ON THE INTERNAL CONTROL SYSTEM OF PJSC GAZPROM 1. GENERAL PROVISIONS APPROVED by the decision of the Board of Directors of OJSC Gazprom dated February 25, 2014 2315 as amended by the decision of the Board of Directors

Appendix 8 to the decision of the Board of Directors of JSC Tyumenenergo (Minutes dated September 15, 2014 13/14) Risk management policy of JSC Tyumenenergo, Surgut, 2014 Contents 1. General provisions... 3 2. Terms

ORGANIZATION STANDARD CORPORATE INTEGRATED MANAGEMENT SYSTEM OF IDGC OF URAL OJSC POLICY Revision 3 Total pages 26 2016 page 2 of 26 APPROVED by the Minutes of the Board of Directors of IDGC of Urals OJSC

APPROVED by the Decision of the Board of Directors of Mechel Open Joint Stock Company Minutes w/n dated August 19, 2013 Chairman of the Board of Directors / I.V. Zyuzin / Regulations on internal control

“APPROVED” by the decision of the Board of Directors of PJSC FGC UES on May 31, 2017 (Minutes 369 dated June 02, 2017) Regulations on the internal control system of the Public Joint Stock Company “Federal Grid

Open Joint Stock Company "Uralkali" APPROVED by the Decision of the Board of Directors of OJSC "Uralkali" (Minutes 269 dated September 11, 2012) for risk management and internal controls of OJSC "Uralkali"

APPROVED by the Board of Directors of OJSC NOVATEK (Minutes 170 dated September 1, 2014) with additions and changes approved by the Board of Directors (Minutes 173 dated March 12, 2015, Minutes 184 dated 10

CONTENTS: 1. GENERAL PROVISIONS... 3 2. OBJECTIVES OF THE INTERNAL CONTROL SYSTEM... 4 3. PRINCIPLES OF OPERATION OF THE INTERNAL CONTROL SYSTEM... 5 4. PROCESSES OF THE INTERNAL CONTROL SYSTEM... 6 5. SYSTEM STRUCTURE

APPROVED by the decision of the Board of Directors of the joint stock company “KazTransOil” Minutes 3 dated March 1, 2011 RISK MANAGEMENT POLICY of JSC “KAZTRANSOIL” Astana 2011 1. General provisions 1. Activities

APPROVED by the decision of the Board of Directors of PJSC "TZA" dated 12/29/2016 (minutes 7(176)) POLICY of the Public Joint Stock Company "Tuymazinsky Concrete Truck Plant" in the field of risk management and internal

GENERAL PROVISIONS 1.1. These Regulations on internal control over financial and economic activities (hereinafter referred to as the “Regulations”) of OJSC “Company M.video” and a group of subsidiaries and dependent companies (hereinafter referred to as the “Company(s)”)

F M ] Meeting of the working group on improving internal financial control (May 31, 2017) ON CONCEPTUAL APPROACHES TO THE DEVELOPMENT OF RISK-BASED INTERNAL FINANCIAL SYSTEMS

“APPROVED” by Order of the General Director of TKK LLC 1 dated August 18, 2015 REGULATIONS ON INTERNAL CONTROL of the Limited Liability Company “Tver Concession Company” Tver region, Selizharovsky

APPROVED by the Decision of the Board of Directors of the Public Joint Stock Company "Mobile TeleSystems" on December 15, 2017, Minutes 265 POLICY "INTEGRATED RISK MANAGEMENT" OF THE PUBLIC JOINT STOCK COMPANY

APPROVED by the Board of Directors of the Open Joint Stock Company United Chemical Company URALCHEM (Minutes _1_ dated September 17, 2008) REGULATIONS ON THE POLICY OF INTERNAL CONTROL FOR FINANCIAL

Internal control policy of PJSC TransContainer 2016 2 1. General provisions 1.1. The internal control policy of PJSC TransContainer (hereinafter referred to as the Policy) was developed in accordance with the legislation of the Russian Federation

Practice and regulation. Risk management and internal control Key points. Identification of risks Concepts of “risk”, “risk management” Relationship between goals, risk events, factors and consequences of implementation

Theory and latest developments in the EU SVILENA SIMEONOVA, Director, Directorate of Internal Control, Ministry of Finance, Bulgaria MANFRED Model of state internal control in the EU PIFC State

Approved by the decision of the Board of Directors on December 27, 2016 (minutes dated December 28, 2016 28/16) INTERNAL CONTROL POLICY OF MOSENERGOSBYT PJSC Responsible for the application of IRR: General Director Document owner:

Practice and regulation. Risk management Existing practice, topics discussed Concepts of “risk”, “risk management” Relationship between goals, risk events, factors and consequences of risk implementation

Faculty of Economics, National Research University Higher School of Economics-Nizhny Novgorod, direction “Finance”, trajectory “Audit and Consulting” REQUIREMENTS FOR ORGANIZING AN INTERNAL CONTROL SYSTEM Completed by: students of group 17AiK Victoria Aleksandrova

APPROVED by the Board of Directors of OJSC "TGC-9" on December 21, 2012 Minutes 11(228) dated December 24, 2012 Chairman of the Board of Directors of OJSC "TGC-9" / REGULATIONS ON INTERNAL CONTROL OF THE OPEN JOINT STOCK COMPANY "TERRITORIAL"

APPROVED by the General Meeting of Shareholders of the Joint Stock Company "Uzbektelecom" Minutes 34 dated June 29, 2016 REGULATIONS ON INTERNAL CONTROL OF THE JOINT STOCK COMPANY "UZBEKTELECOM" Tashkent 2016 REGULATIONS

APPROVED by the decision of the Board of Directors of IDGC of Volga, JSC on June 18, 2010 (minutes dated June 22, 2010 20) Internal control policy of the Open Joint Stock Company Interregional Distribution Grid

APPROVED by the Decision of the Board of Directors of OJSC "Pharmacy Chain 36.6" on January 14, 2012 (Minutes 165 dated January 14, 2013) REGULATIONS ON INTERNAL CONTROL OVER THE FINANCIAL AND ECONOMIC ACTIVITIES OF THE OPEN

APPROVED by the Board of Directors of OJSC TGC-5 Minutes of 2008 Chairman of the Board of Directors of OJSC TGC-5 M.Yu. Slobodin REGULATIONS ON INTERNAL CONTROL OF JSC TGC-5 Kirov 2008 1. General provisions 1.1. The present

APPROVED BY THE Board of Directors of PAO TMK on November 18, 2015 TMK GROUP INTERNAL AUDIT POLICY 1. GENERAL PROVISIONS, BASIC TERMS AND DEFINITIONS 1. 1. GENERAL PROVISIONS This policy defines

Approved by the decision of the Board of Directors of Shardarinskaya HPP JSC dated February 26, 2016, (minutes 1) Regulations on the internal control system of Shardarinskaya HPP JSC, Shardara, 2016. Contents 1. Purpose

Private institution of additional professional education "Corporate Training Center "PricewaterhouseCoopers Expert" APPROVED by the Order of the Director of the Private Educational Institution of Further Professional Education "Central Educational Institution "PvK Expert" 39/ - 07 - OGC/PICPE

MAGNITOGORSK METALLURGICAL PLANT Open Joint Stock Company "Magnitogorsk Iron and Steel Works" (OJSC MMK) APPROVED by the Decision of the Board of Directors of OJSC MMK Minutes dated August 30, 2013 4 Chairman

Program: “Internal audit. Effective controlling" 23 October 27, 2018; London, UK Dear colleagues, GBS Group invites you to take part in an international specialized

CENTER FOR RESEARCH OF BUDGET RELATIONS IMPROVING AND INCREASING THE EFFICIENCY OF THE SYSTEM OF FINANCIAL CONTROL AND INTERNAL AUDIT IN THE PUBLIC GOVERNMENT SECTOR, INCLUDING ISSUES OF IMPROVEMENT

Approved by the Decision of the Board of Directors of OJSC Yantarenergosbyt Minutes of June 22, 2012 12 Internal control policy of OJSC Yantarenergosbyt Kaliningrad 2012 Contents 1. BASIC TERMS,

RUSSIAN INITIATIVES IN THE FIELD OF RMICS, INTERNAL AUDIT MOSCOW 2014 1 TASKS OF THE SHAREHOLDER State program of the Russian Federation “Federal Property Management”, approved by the Decree of the Government of the Russian Federation

Program: “Internal audit. Effective controlling" October 3 7, Florence, Italy Dear colleagues, GBS Group invites you to take part in the international specialized program "Internal

APPROVED: By the decision of the Board of Directors of OJSC "Chelyabinsk Pipe Rolling Plant" Minutes of the Board of Directors, uncapped, dated April 24, 2008. REGULATIONS ON INTERNAL CONTROL OF THE OPEN JOINT STOCK COMPANY "CHELYABINSKY"

APPROVED: by the decision of the Board of Directors of PJSC "MOSTOTREST" (minutes dated December 14, 2015, w/n) REGULATIONS ON THE INTERNAL AUDIT OF THE PUBLIC JOINT STOCK COMPANY "MOSTOTREST" Moscow 2015 Contents 1. GENERAL

APPROVED by the Board of Directors of OJSC "TGC-6" Minutes dated July 27, 2007 10/76 REGULATIONS on internal control procedures of the Open Joint Stock Company "Territorial Generating Company 6" (OJSC

Approved by the decision of the Board of Directors of PJSC Inter RAO dated September 29, 2016 (minutes dated October 3, 2016 180) INTERNAL CONTROL POLICY OF PJSC INTER RAO MOSCOW 2016 Contents 1. General

Regulations on the internal control system of Kazpost JSC “APPROVED” by the Board of Directors of Kazpost JSC Minutes dated “31” 09.2009 10/09 Regulations on the internal control system of Kazpost JSC Contents

54 CONSTELLATION OF THE URAL / REPORT ON THE RESULTS OF ACTIVITIES OF IDGC OF URAL, OJSC FOR 2015 INTERNAL CONTROL SYSTEM The internal control system is an element of the general management system of the Company. SVK covers all areas

APPROVED by Minutes of the Board of Directors of PJSC "PIK Group of Companies" 3 dated July 30, 2015 POLICY IN THE FIELD OF INTERNAL CONTROL AND RISK MANAGEMENT OF PJSC "PIK GROUP OF COMPANIES" Policy PT1001.0100.006.01-2015

A. A. NOVOSELTSEV 121 FUNCTIONS OF INTERNAL CONTROL AND INTERNAL AUDIT AT THE ENTERPRISE A. A. NOVOSELTSEV This article discusses the concepts of internal control and internal audit used

APPROVED by the Board of Directors of Mechel OAO Minutes dated December 18, 2006 Chairman of the meeting AGREED BY the Chairman of the Audit Committee of the Board of Directors of Mechel OAO REGULATIONS on the Service

APPROVED by the Decision of the Board of Directors of the Limited Liability Company "Archer Finance" Minutes 6 dated September 22, 2014 REGULATIONS on the internal audit of the Limited Liability Company

ISO 18295 NEW INTERNATIONAL STANDARD IN THE FIELD OF CUSTOMER SERVICE Yuri Melnikov. International Institute for Contact Center Certification CEO Lead Auditor ISO18295 / EN15838 Satisfaction

APPROVED: By the Board of Directors of the Public Joint Stock Company "Severstal" on September 30, 2016 (MINUTES 15/2016 dated September 30, 2016) Regulations on the internal audit of the Public Joint Stock Company

Recently, a pressing issue is the formation of reliable, transparent and neutral accounting (financial) reporting. This article examines the content of the Sarbanes-Oxley Act and its application for the preparation of reliable accounting (financial) statements; it shows the influence of the Sarbanes-Oxley Act on the formation of the internal control system (ICS) of American companies. The article analyzes the requirements imposed by the legislation of the Russian Federation on the internal control system. In connection with the need to organize and implement internal control of transactions, accounting and reporting, as well as to reduce the costs of creating an internal control system, the authors proposed the use of management accounting data as a tool of the internal control system for the purpose of increasing the reliability and transparency of accounting (financial) organization reporting.

internal control

financial statements

Sarbanes–Oxley Act

Management Accounting

1. Audit and consulting [site] Sarbanes-Oxley Act (SOX) in Russian / translation. - URL: http://www.as-audit.ru/consult/show/2821/ (access date: 04/03/2015).

2. BMC [Official website] Explanation X/2013 “Organization of an internal control system.” - URL: http://bmсenter.ru/Files/R_2013_Organizaсiya_vnutrennego_kontrolya (access date: 04/03/2015).

3. Committee of Sponsoring Organizations of the United States (COSO) [Official website]. - URL: http://www.coso.org (access date: 04/03/2015).

4. Koptelov A.K., Shmataluk A.E. Business process management technologies [Electronic resource] // Corporate finance management. – 2004. - No. 5. - URL: http://businessproсess.narod.ru/index2.htm (access date: 04/03/2015).

6. On approval of the Regulations on accounting and financial reporting in the Russian Federation: Order of the Ministry of Finance of the Russian Federation dated July 29, 1998 N 34n (as amended on December 24, 2010).

7. On approval of accounting regulations (together with the “Accounting Regulations “Accounting Policy of the Organization” (PBU 1/2008)”, “Accounting Regulations “Changes in Estimated Values” (PBU 21/2008)”): Order of the Ministry of Finance Russia dated October 6, 2008 N 106n (as amended on December 18, 2012).

8. On accounting: Federal Law of December 6, 2011 N 402-FZ (as amended on November 4, 2014).

The reliability of financial reporting has a significant impact on the adoption of management decisions by business entities, and, consequently, on the efficiency of their activities and future development. Over the past twenty years, confidence in the financial statements of both Russian and international companies has decreased significantly.

The most famous case in international practice is the bankruptcy of the energy corporation Enron and its contractor, Arthur Andersen, which audited Enron. As a result of unreliable financial reporting, a large number of small shareholders suffered, which led to the bankruptcy of previously reliable and quite profitable companies.

In connection with numerous corporate scandals caused by dishonest behavior of managers of large companies, namely falsification of financial statements, on July 30, 2002, US President D. Bush signed the Sarbanes-Oxley Act, or SOX.

The purpose of the law is to restore investor confidence and ensure transparency of corporate accounting and financial reporting of companies that have or plan to do business with commercial partners and their foreign subsidiaries whose securities are listed on the US open market. The law strictly defines the need to implement internal control systems. Since July 2005, SOX applies to resident and non-resident companies whose securities have stable ratings on the US stock market. In accordance with the law, company managers are required to evaluate the internal control system, disclosing in the appendices to the financial statements all its significant deficiencies and proposing measures to eliminate them.

The global practice of more than ten years of its application dictates the need to restructure the commercial organization of its business processes in order to increase investment attractiveness and conduct activities in the international market.

The legislative act imposes serious requirements on internal control procedures, business organization, incl. to management accounting and budgeting. Its main provisions are aimed at regulating the work of financial services, transparency of banking operations and independence of auditors, introducing new certification standards for external auditors and certification rules for financial and executive directors, which ultimately increases the responsibility of management, audit committees and increases fines for non-compliance - Company directors bear personal responsibility. For example, if it turns out that the company’s reporting was deliberately distorted, then its manager faces a fine of up to $5 million.

The SOX law contains 11 chapters regulating the activities of public companies and auditors, ensures the independence of auditors and audit committees, indicates the responsibility of management for organizing the internal control system at the enterprise, and the audit committee for certified reporting, establishes both additional liability of the board of directors and criminal sanctions in the field of company document flow and financial reporting.

Chapter 4 of SOX requires companies to present as much financial information as possible in their reports, which must be prepared in accordance with generally accepted accounting principles and disclose all material transactions, arrangements and obligations.

In addition, information on off-balance sheet transactions, transactions involving management and major shareholders of the company, as well as additional information on significant changes in the financial condition or activities of the company (presentation and development trends, qualitative analysis, graphical data) is subject to disclosure.

From the point of view of organizing internal control, sections 302 and 404 deserve special attention. They establish the personal responsibility of senior and middle management of the company, as well as the need to implement an internal control system and ensure the safety of all corporate correspondence.

Section 302 “Corporate Responsibility for Financial Statements” states that the officers signing the financial statements are personally responsible for the organization and implementation of internal control, reflecting in the report their conclusions about its effectiveness, according to their assessment as of the date of its implementation . The company's management (general, executive, financial directors, line managers in areas) is required to include their own reports in the audit protocols in order to confirm the accuracy of the information contained in these protocols. Managers who intentionally present unreliable financial indicators in reporting documents bear serious administrative and criminal liability. Under Section 802, Criminal Alteration of Records, destruction, alteration, or falsification of records may result in a fine or up to 20 years in prison.

Section 404, Management's Evaluation of Internal Control, establishes the need to implement a system of internal control and establishes management's responsibility for establishing and maintaining an adequate structure and procedures for internal control over financial reporting, which is subject to five basic requirements: existence or occurrence, completeness and measurement, and accuracy. , rights and obligations, representation and disclosure.

This section of the law is the most difficult to apply, since most companies managed their financial flows without using detailed reporting. Companies are advised to develop a system of internal indicators when preparing financial data and periodically test it.

Section 404 is directly related to internal auditing, which evaluates a company's internal controls. In international practice, there are several generally accepted principles for constructing this system. The Sarbanes-Oxley Act refers to the internal control model developed by The Committee of Sponsoring Organizations of the Treadway Commission (COSO). The CCSO Internal Control - Integrated Framework model includes several interconnected blocks, each of which relates to all categories of business goals (strategic, operational, reporting and compliance goals). These are five key components: control environment, risk assessment, control activities, internal communications, monitoring. In October 2004, the COSO ERM - Integrated Framework (ERM - enterprise risk model) model was published, which, in fact, combined both elements of the internal control system and elements of the risk management system.

In 2005, International Standard on Auditing 315, “Identifying and Assessing the Risk of Material Misstatement in Financial Statements by Obtaining an Understanding of the Business and the Environment in which the Entity Operates,” was adopted. Understanding the activities of an organization also includes such a component as the internal control system, which, in turn, includes the control environment, the risk assessment process in the organization, the information system, control procedures and control actions and monitoring of controls. Thus, risk assessment is linked to an analysis of the reliability of the organization's internal control system from the point of view of the risk of possible unintentional misstatement or error, as well as falsification of financial statements as a result of fraud.

According to ISA 315, “the internal control system is a set of means and methods used by an organization to reduce business risks that threaten the achievement of such organizational goals as compliance of financial reporting data with the actual state of affairs, achieving efficiency and productivity of ongoing operations, as well as compliance with legal requirements.”

In Russia, by 2016, the final transition to IFRS is planned, knowledge of which and the ability to apply them competently is the key to the success of drawing up reliable accounting (financial) statements that will attract potential investors.

In the Russian Federation, on January 1, 2013, a new version of the law on accounting came into force. In accordance with Article 19 of the Federal Law of December 21, 2011 No. 402-FZ “On Accounting,” the organization is obliged to “organize and carry out internal control of the facts of economic life. An organization, the accounting (financial) statements of which are subject to mandatory audit, is obliged to organize and exercise internal control over accounting and preparation of accounting (financial) statements (except for cases where its head has assumed the responsibility for maintaining accounting records).

The introduction of an internal control system into an organization and compliance with the requirements governing the accounting procedure will increase the reliability and reliability of reporting, strengthen investor confidence in accounting (financial) reporting and lead to increased efficiency of the organization and sustainable economic growth of the organization.

According to clause 4 of the Regulations on accounting and financial reporting in the Russian Federation, approved by Order of the Ministry of Finance of Russia dated July 29, 1998 No. 34n (as amended on December 24, 2010 N 186n), when maintaining accounting records, the organization must provide information to internal and external users accounting reports for the purpose of monitoring compliance with the legislation of the Russian Federation when carrying out business transactions and their feasibility, the availability and movement of property and liabilities, the use of basic, material, labor and monetary resources in accordance with approved norms, regulations, tariffs and estimates.

In accordance with PBU 1/2008 “Accounting policy of the organization”, approved by Order of the Ministry of Finance of Russia dated 06.10.2008 N 106n, the organization forms in its accounting policy the rules of document flow, technology for processing accounting information, the procedure for monitoring business transactions and the final synthesis of facts of economic activity, and others decisions necessary for organizing accounting, and, consequently, the internal control system.

The internal control system can also be considered as a set of organizational structure, methods and procedures adopted by the management of the organization as a means for the orderly and efficient conduct of financial and economic activities, to ensure sufficient confidence in achieving goals in terms of the reliability and reliability of financial (accounting) reporting, efficiency and effectiveness of business operations and compliance of the organization's activities with regulatory legal acts.

The organization and functioning of the internal control system is aimed at reducing the risks of the organization's economic activities. The implementation of an internal control system requires the availability of tools that will allow you to monitor internal control processes in real time, optimize document flow, introduce personal responsibility for sections of internal control, assess the degree of reliability of the resulting reports, identify and evaluate the influence of various factors on the reliability of financial statements. Thus, the internal control system introduced by Law 402-FZ is aimed at reducing risks when making management decisions and is designed to ensure the reliability of the information contained in the financial statements of companies.

The organization and functioning of the internal control system in a company is most often based on the following key principles.

1. Integration - consists of informing management at the appropriate level of management about detected significant violations of financial and economic activities with an analysis of their causes, deficiencies and weaknesses in control, and about corrective measures that have either been taken or should be taken.

2. Continuity - consists of implementing internal control on an ongoing basis at all levels of management, which allows the company to promptly identify and analyze deviations in the internal control system, as well as prevent their occurrence in the future.

3. Methodological unity - lies in the unity of requirements and approaches for all divisions of the company.

4. Comprehensiveness - means that the control system operates at all levels and in all divisions of the company, covers all objects of internal control and areas of the company’s activities and, accordingly, all emerging risks.

5. Responsibility means that all employees and management at all levels of the company are responsible for the functioning of the internal control system within the limits of their authority.

6. Focus on risk management - internal control should be in close interaction with the risk management system in the company, which contributes to the timely and effective implementation of measures to influence risks. When carrying out control procedures, both the magnitude and likelihood of risks occurring, as well as the degree of their impact on financial results, should be assessed.

7. Optimality - means that the volume and complexity of control procedures used in the company are necessary and sufficient for effective risk management and achievement of set goals, i.e. The cost-economic effect ratio must be met. The costs of implementation and subsequent operation of control procedures should not exceed the consequences of risks arising, and the total level of residual risk should correspond to the acceptable levels established by the company.

8. Relevance and development - means that all documentation on the internal control system (risk description, control results, etc.) must be updated in a timely manner and constantly improved in order to increase the efficiency of risk management. For the continuous development of the internal control system, the company's management must create certain conditions, since it is necessary to solve new problems arising as a result of changes in internal and external operating conditions.

The objectives of the internal control system are:

1. Establishing the compliance of ongoing financial transactions in terms of financial and economic activities and their reflection in accounting and reporting with the requirements of regulatory legal acts.

2. Establishing compliance of the operations carried out with regulations and the powers of employees.

3. Compliance with established technological processes and operations when carrying out functional activities. For this purpose, the institution must develop and approve a regulation on internal financial control.

Currently, many organizations in the Russian Federation maintain management accounting, the purpose of which is to provide information for in-production planning, management and control. Therefore, it is advisable to organize an internal control system in such organizations within the framework of management accounting in order to avoid serious costs for creating this system. After the introduction of the SOX law, companies experienced a 30% increase in audit costs, and significant costs were also required for the implementation of an internal control system, checking its effectiveness and vulnerability.

The internal control system can be built on the basis of responsibility centers already created within the framework of the management accounting system. Centers are structural units headed by managers who are responsible for the results of their work. At the same time, department heads are responsible only for those indicators that they can actually influence. The main evaluation indicator is usually the financial result, which is reflected in the accounting and management reporting.

Management accounting must clearly regulate and ensure compliance with the rules and deadlines for the preparation and presentation of management reporting and directly related benchmark indicators of external financial (accounting) reporting (income, expenses, financial results).

It is known that management accounting provides:

• formation of a system of reliable and complete information about the business processes and financial results of the company for managing the business as a whole, on the basis of which management makes operational and strategic decisions;
• assessment of the efficiency of the company, its structural divisions and functional blocks, planning (budgeting) and control of economic activities, ensuring optimal use of basic, material, labor and monetary resources and in accordance with approved norms, standards and estimates;
• decentralization of management, i.e. distribution of powers and responsibilities in decision-making between different levels of management, delegation of responsibility between managers in terms of management, planning and control of costs and performance of the unit, which will allow timely warning and prevention of negative phenomena in the economic and financial activities of the company and identification of internal reserves;
• adjustment of control influences on the processes of production and sale of products, goods and services, reduction of subjectivity in making management decisions at all levels, analysis and assessment of analytical indicators of internal control, revealing identified reserves for economic growth of the company's efficiency.

Thus, the approach to organizing the internal control system within the framework of management accounting will make it possible to prepare reliable, reliable and high-quality accounting (financial) reporting.

Reviewers:

Makarova L.G., Professor, Doctor of Economics, Professor of the Department of Accounting, Analysis and Audit, National Research University Higher School of Economics, Nizhny Novgorod.

Plekhova Yu.O., Professor, Doctor of Economics, Professor of the Department of Economics of the Federal State Autonomous Educational Institution of Higher Education "Nizhny Novgorod State University named after. N.I. Lobachevsky", Nizhny Novgorod.

The law takes its name from the names of its creators, Senator Paul Sarbanes (Democratic Party, Maryland) and Representative Michael Oxley (Republican Party, Ohio).

Bibliographic link