Internal audit is an independent mechanism that operates to review the effectiveness of the risk management systems, control and management procedures of Alfa-Bank, its subsidiaries and related companies.
The purpose of the Internal Audit is to effectively assist the Board of Directors and the Management Board of Alfa-Bank, its subsidiaries and related companies in achieving their goals. To do this, Internal Audit analyzes and evaluates activities and presents its recommendations and conclusions to the relevant persons.
Internal audit checks and evaluates the adequacy and effectiveness of the internal control system and the quality of fulfillment of certain obligations in Alfa-Bank, its subsidiaries and related companies by coordinating the work of different departments internal audit. In particular, internal auditors:
Internal auditors provide an unbiased and objective assessment of the bank's performance.
Internal audit carries out its work in accordance with the orders of the Board of Directors. Administratively, internal auditors report to the Chairman of the Management Board of the Bank.
The External Auditor may receive Internal Audit reports. Similarly, external auditors communicate to internal auditors all material matters that may be relevant to Internal Audit.
Internal audit can and should be helpful in determining the nature, timing and scope of external audits. However, the External Auditor is solely responsible for expressing an opinion on financial reporting.
The presence of additional divisions within the Bank that control certain activities does not relieve the Internal Audit Department from reviewing such activities. These units include, for example, the Risk Management and the Internal Control Department. For purposes of efficiency, the Internal Audit Department may use information prepared by these units in its work.
The Internal Audit Department adheres to the Standards for the Professional Practice of Internal Auditing and the Code of Ethics published by the Institute of Internal Auditors.
The internal control system in the bank performs a protective function. Its task is to minimize external and internal risks and ensure such a procedure for conducting banking operations and transactions that contribute to the achievement of the set goals while complying with the requirements of the law, Bank of Russia regulations, as well as internal procedures, standards and rules.
The legal field of the internal control service is determined by the regulation of the Bank of Russia “On the organization of internal control in banks” dated August 28, 1997 No. 509. Direct actions aimed at minimizing the risks of a bank are determined by a number of instructive acts, such as the Instruction of the Bank of Russia dated July 7, 1997 . 1999 No. 603-U "On the procedure for exercising internal control over the compliance of activities in the financial markets in credit institutions", Resolution of the Federal Commission for the Securities Market dated 19.07.2001 No. 16 “On Approval of the Regulations on the Internal Control of a Professional Market Participant valuable papers", rule (standards) audit activity"Study and evaluation of systems accounting and internal control during the audit” (approved by the audit commission under the President Russian Federation dated December 25, 1996, protocol No. 6) and a number of other acts.
The organizational basis of the internal control system is based on principles that ensure the continuous operation of control mechanisms and functions in all areas banking and levels of decision making. These include, in particular, the principles of:
The efforts of the internal control service (based on the general situation and the creation of a high-tech bank in the future) are mainly aimed at controlling:
To build a unified technological structure in the bank, a number of tasks should be solved.
Speaking of control, one should clearly understand its types. As a rule, this is administrative and financial control. Administrative control consists in checking the compliance of operations and transactions with the powers of officials, determined by the bank's regulations and procedures for making and implementing decisions. As a result financial control the compliance of ongoing operations and transactions with the bank's policy set forth in the regulatory acts, their adequate accounting and reflection in the reporting is checked. It is important that both administrative and financial control determine the effectiveness of the risk management system in place in the bank and the measures taken to identify and minimize risks.
So, the goals and functions of the internal control service are clear. However, the question arises: what is the functional difference between the internal control service and the units involved in internal audit? Indeed, functionally, such units also exercise internal control over the activities of the bank.
To answer it, it is necessary to clearly distinguish between the concepts of "internal control system" and "internal control service". The first covers all types of operations and all hierarchical levels of the bank, and the second controls the work of the first.
Considering a bank as a kind of production (which also includes units that perform control functions - this is their production), we can say that internal audit is a unit that performs production functions. At the same time, the internal control service performs both production and organizational functions (creating control mechanisms).
The structural organization of the internal control service can be carried out in two ways.
The first. The Internal Control Service includes an internal control unit, internal audit, a risk management unit, as well as a number of other analytical and control units of the bank. In fact, we are talking about a multifunctional department, which should cover various aspects of the bank's activities.
Second. The internal control service is created as a separate structural subdivision of the bank, which interacts with other control subdivisions. With this option, the internal control service should be endowed with appropriate powers and rights.
The choice of a structural organization primarily depends on the characteristics of the bank, the availability of appropriate resources in it, and the established practice of activity.
Internal control in the bank.
A number of problems may arise in the activities of the internal control service in connection with the established regulatory framework Bank of Russia. For example, the international practice of exercising control implies the existence of compliance control in all areas of the bank's activities. In principle, compliance controllers carry out inspections in all areas of banking. However, in the Russian banking system regulatory compliance control (activities of the compliance controller) is regulated only in the work of the bank on financial market(Instruction of the Bank of Russia dated July 7, 1999 No. 603-U). It seems that it would be more logical to cancel this Instruction, but to supplement Regulation No. 509, expanding the functions of the internal control service by exercising compliance control over the entire range of bank operations.
A few words on the draft Code of Corporate Conduct developed by the FCSM and internal control issues.
Assessment of the state of corporate governance requires a special multidimensional system of assessments of the activities of the subject of management. In this connection importance occupied by the system of internal control over the financial and economic activities of the subject. The draft Code provides for the creation of a special body - the control and audit service - responsible for conducting daily internal control. However, its main task, according to the project, is the audit support of the subject. In our opinion, this body should first of all create an internal control mechanism that can most effectively ensure the reliability of the activity of the subject of management. And within the framework of this mechanism, the internal audit system should function as an integral, but not the only part of the internal control system.
The draft Code very superficially describes the functions of the control and audit service, the principles of interaction of this body with other divisions of the subject, as well as with external auditors. The functions of the Audit Commission have not been sufficiently developed and new edition Law "On joint-stock companies”, which entered into force on January 1, 2002. Therefore, the regulation of the Bank of Russia “On the organization of internal control in banks” No. 509, in our opinion, more fully reveals the tasks and functions of the service organizing internal control, compared with Ch. 8 "Control over the financial and economic activities of the company" of the draft Code. This concerns, in particular, the absence of such functions of the control and audit service as control over the compliance of the subject's activities with the legislation of the Russian Federation, over the creation of business process control technology, increasing its efficiency, over the possibility of legalizing proceeds from crime, as well as functions within the framework of preliminary, current and subsequent control. The developers of the draft Code did not take into account Regulations of the Bank of Russia No. 509, which is based on international principles for organizing internal control and recommendations Basel Committee. As a suggestion, the authors of the draft can be recommended to adapt some aspects of Regulation No. 509 for Ch. 8 of the draft Code.
Internal control over the network of bank branches.
Operations of branches are carried out within the limits and restrictions established by the parent organization. In particular, the activity of a branch is limited by the regulation on branches and the general power of attorney of the manager in the implementation active operations(by types of activity and counterparties), as well as the cost of funds raised and volumes of transactions (limits). Limits on operations of branches with various types of financial instruments established by the collegiate body of the parent organization. At the same stage, business planning of the activities of branches is carried out. In the future, control over the implementation of business plans by branches should be carried out on an ongoing basis. In addition, the stage of preliminary control implies the mandatory coordination with the interested departments of the bank of all developed regulations that directly affect the activities of branches.
Current control over the operations of branches by the parent organization is not implemented in real time. As a result, the parent organization cannot promptly (in the course of the operation) monitor such violations as exceeding limits on certain types of transactions and the conduct of transactions and operations by branches not authorized by the parent organization.
Most violations are usually detected during follow-up monitoring. This is the control of accounting and operational work, including cash. It is carried out by the employees of the branch divisions themselves on the basis of part 3 of the Accounting Rules No. 61 in two directions: complete control over the correctness of the reflection of all transactions made during business day operations in accounting registers and checking the work of employees on the basis of quarterly plans. At the same time, based on the results of the inspections, the branches send certificates to the internal control service. These are audits of the activities of branches, which are carried out by the internal audit unit, including verification of the elimination of deficiencies identified by previous audits. One time in reporting year internal audit units should conduct comprehensive audits of branches.
In addition, in the course of subsequent control, all acts of inspections of the activities of branches by state control bodies (territorial institutions of the Bank of Russia, the State Tax Service, funds), copies of which branches are required to send to the internal control service, are taken into account.
In addition to the above, it is desirable to have subsidiaries of the internal control service in the branches of the internal control group, whose task is to regularly thematic checks of the activities of the branches, as well as, at the stage of preliminary control, participate in the coordination of internal regulations of the branches. The reports of these groups are sent to the internal control service of the parent organization.
If the branch carries out its activities on a self-supporting basis, then the control over its activities by the parent organization should be stricter. It should cover the execution by branches of limits on transactions, counterparties and financial instruments, balance sheet accounting (its compliance with actually completed transactions and payments, i.e. compliance with synthetic and analytical accounting data, as well as accounting (compliance with the requirements of the Central Bank of the Russian Federation and other controlling state organs).
In order to minimize risks, limits are set for all unsecured transactions of a bank branch with counterparties: for unsecured transactions in the financial market, when lending corporate clients, for transactions with financial instruments (bills, bonds, etc.), for the issuance of guarantees, guarantees and trust services for customer funds, as well as individual limits for authorized persons of branches. Branch internal control services should carry out subsequent supervision over the implementation of limit discipline, and
also for the correct and effective operation of the mechanisms of current control in this area.
The internal control service of the head organization of the bank must organize interaction with the territorial divisions of internal control, develop internal regulations governing the procedure for such interaction. It is necessary that the territorial internal control groups be independent from the management of the branch. This will eliminate the possibility of the influence of the branch management on their activities, however, the above also applies to the internal control service of the parent organization. It is desirable that she has the opportunity to "go to" the Supervisory Board of the bank.
A separate problem is the organization of control over separate structural subdivisions of bank branches (additional offices and operating cash desks outside the cash center). This is the prerogative of managers, branches. At the same time, managers are guided by the provisions of regulations governing the procedure for carrying out operations in various areas of banking activities and organizing control over their conduct, as well as internal documents that take into account the specifics of a particular branch in relation to the activities of separate structural divisions. All procedures described in these documents must comply with the requirements of Part 3 of the Rules for Accounting in Credit Institutions Located on the Territory of the Russian Federation, No. 61 dated June 18, 1997.
Control over the activities of separate structural subdivisions of branches should be carried out both by employees of these subdivisions and by and from the side of the branch by employees of the territorial divisions of the internal control service.
In separate structural divisions of branches, subsequent control of accounting and operational, including cash, work should also be carried out, which provides for regular checks by employees of accounting and operational divisions of the activities of other employees. It is carried out by employees of subdivisions of the internal control service of branches, and in the absence of such in branches - by employees of branches - in the areas of their activities.
In the latter case, certain difficulties arise due to the likelihood, on the one hand, of a biased assessment, and on the other hand, possible errors due to an increase in the employment of employees.
Current control is carried out by heads of separate structural divisions, as well as heads of specialized departments in the course of banking operations. At the same time, the main problem of organizing effective control is the fuzzy division of functions and the inability to minimize the risk of a conflict of interest due to a shortage of personnel in a separate structural unit.
Internal control at the stage of strategic planning and forecasting.
Strategic planning and forecasting are also the field of activity of the internal control service.
The main object of the internal control system at this stage is the state of intra-bank analytical work: taking into account the impact on the efficiency of the current and perspective development bank of possible changes in the macro environment, external risks (political, country, regional, sectoral, etc.).
At the stage of preliminary control, supervision is carried out over the completeness, composition and timeliness of updating the initial databases, on the basis of which the analytical and functional divisions of the bank carry out a prospective assessment and forecast of the situation. The subject of preliminary control is also the existing procedure for promptly and systematically informing the governing bodies of the bank about the conclusions and proposals of analytical services on the current situation, about forecasts for the development of the situation in the relevant market segments and in the economy as a whole, in the field of regulatory support for banking activities.
For this purpose, comprehensive and thematic checks of these units are carried out for the availability of the necessary tools, procedures and technical means for conducting an adequate analysis and bringing it to the attention of the responsible persons involved in the preparation and adoption of relevant decisions.
Current control requires periodic inspections of the fulfillment of the tasks of analyzing and forecasting the situation and the timeliness of informing the governing bodies of the bank.
In the process of current control, the system for monitoring the competitiveness of the quality and cost of the products offered by the bank is checked in the functional divisions of the bank. In addition, the timeliness of the response of these divisions to the actions of competitors, as well as to changes in the economic situation in the non-financial sector, is assessed.
Follow-up control is reduced to a comparative analysis of the conclusions and recommendations of analytical units and the actual development of the situation, as a result of which an appropriate assessment is given.
A separate function of the internal control service is participation in the coordination of intra-bank regulations and procedures with interested bank departments. This work precedes the preliminary control, since it determines the algorithm of actions of employees and control mechanisms designed to prevent violations in these actions.
At the same time, the internal control service should pay attention to the sufficiency of such control mechanisms. It is clear that all intra-bank regulatory documents must be checked for compliance regulations legislation of Russia, the Central Bank and international acts and documents.
In conclusion, I would like to note that the result of the functioning of the bank's internal control system should be the organization of continuous and constant control over banking and administrative activities. The list of the above problems that arise in the course of such an organization is far from complete. For example, the problems of corporate governance and the control exercised within its framework have not yet been resolved for a number of reasons (lack of relevant state legislation and corporate governance experience in Russia, poor transparency of accounting (due to the fact that the transition to IFRS standards will take place only in 2004). d.) and the tradition of wide provision of it to third parties, etc.).
A.A. ARSLANBEKOV-FEDOROV,
expert of the Internal Control Service of Vneshtorgbank, candidate economic sciences, Master of Business Administration.
Taxi Plane Taxi call? Today it is not a problem! Thanks to the well-established service of the Airplane Taxi company, you can call a taxi in Lyubertsy, md. Krasnaya Gorka, Lyubertsy 2015-2016, Tomilino, Lytkarino, Nekrasovka, Kozhukhovo, Zhulebino and other surroundings at any time of the day - simply and quickly.
Internal control - a process carried out by a bank (bank management bodies, structural divisions and employees) in order to ensure safe and liquid banking in accordance with the requirements of the legislation of the Republic of Belarus and local regulatory legal acts of the bank (local acts of the bank);
Internal control system - a set of organizational structure, procedures and methods adopted by the bank as a means for the orderly and efficient conduct of banking activities, risk reduction, cost minimization and asset safety.
The purpose of the internal control system is to ensure:
efficiency and effectiveness of financial and economic activities in the course of banking operations and other transactions, management efficiency banking risks, assets and liabilities, including ensuring the safety of assets;
reliability, completeness, objectivity and timeliness of the preparation and presentation of financial, accounting, statistical and other reporting (for external and internal users), as well as information security;
compliance with the requirements of regulatory legal acts of the Republic of Belarus, local acts of the bank;
exclusion of the bank's involvement in financial operations illegal, including the prevention and suppression of acts related to the legalization of illegally obtained income.
Internal audit is part of an integral internal control system aimed at improving the bank's performance.
Internal audit means independent control and evaluation of the bank's activities, carried out by conducting regular inspections of the bank's structural divisions by the internal control department.
The purpose of the internal audit is to assess the adequacy of the functioning system of internal control in the bank to the operations carried out and the risks assumed.
The Internal Audit Service monitors, checks, evaluates the effectiveness of the functioning of the bank's internal control system, makes its proposals to improve its efficiency and controls their implementation.
Auditors in the course of their activities must be guided by the current legislation of the Republic of Belarus and local acts of the bank, as well as adhere to generally accepted moral rules, moral standards and observe the following principles:
independence;
professionalism;
ethics of conduct.
The main structure of the internal audit workflow includes the following steps: planning an audit, conducting an audit, and implementing audit recommendations.
The planning of the activities of the internal audit service should determine the most important areas of control based on the risk approach and contribute to the most effective distribution of responsibilities among auditors.
Planning should be carried out in accordance with the following principles:
Complexity, which involves ensuring the interconnectedness and consistency of all stages of planning;
continuity, which is expressed in the relationship of planning stages in terms of timing and structural units subject to verification;
optimality, which lies in the fact that in the planning process the auditor should be able to choose best option verification procedures for its timely and high-quality implementation.
The planning of the activities of the internal audit service is carried out taking into account the requirements of the current legislation of the Republic of Belarus and the strategic objectives of the bank.
When planning, increased attention is paid to structural units and banking products that have the greatest risk. To this end, auditors carry out preliminary monitoring and analysis of information on the activities of structural units. Monitoring is aimed at studying key risks and the likelihood of their occurrence in a particular structural unit of a bank or a banking product.
Annually, 10 days before the start of the planning period, the head of the internal audit service submits for approval to the Chairman of the Board of the bank or the curator of the internal audit service annual plans work and inspections.
The Internal Audit Service plans its work in such a way that a certain (at least once every three years) frequency of audits of structural units is ensured. The audit cycle is determined based on the analysis and risk assessment of the audited object.
The process of conducting an internal audit includes: preparing an audit, conducting an audit in a structural unit, agreeing on deficiencies and a draft report with those being audited, drawing up working documentation and a final report based on the results of the audit.
The Internal Audit Service performs the following checks:
financial checks economic activity(branches of the bank, areas of banking business or divisions of the Central office of the bank);
verification of certain issues of financial and economic activities of structural divisions;
thematic checks of structural divisions;
verification of the implementation of measures based on the results of previous audits;
unscheduled inspections on the instructions of the bank's management.
An audit of financial and economic activities involves a full-scale exercise of control in all areas of banking activities of the audited object in order to identify banking operations that are most at risk, inefficient banking, violations of banking legislation, establishing the facts of theft and embezzlement, etc.
Checking certain issues of financial and economic activity involves the exercise of control in several areas of banking activity.
Thematic check is carried out on one, specific issue. When conducting a thematic audit, a specific issue of the financial and economic activities of the structural unit of the bank is analyzed and verified, banking product or compliance with the policy of the bank in a particular area of banking.
Checking the implementation of measures based on the results of previous checks is carried out in order to assess the completeness and effectiveness of the measures taken by the management of the structural unit to eliminate and prevent further shortcomings and violations identified by checks.
Unscheduled inspections may be initiated by the Chairman or Member of the Management Board of the bank, or a collegial management body of the bank.
Checks of the bank's subsidiaries are carried out on the basis of decisions of the collegial management bodies of the bank or the Chairman of the Board of the bank.
The audit preparation process consists of the following steps:
determination of the goals and methods of conducting an audit, taking into account risk areas in the activities of the audited structural unit;
familiarization with information about the object to be checked, available at the disposal of the internal audit service and its analysis;
determination of the period covered by the audit and preliminary dates for the audit;
determining the scope of the audit;
determination of the required composition of the audit team to perform the audit;
development and approval of the verification program.
Familiarization with information about the object to be checked is carried out on the basis of:
materials of previous audits conducted both by specialists of the internal control department and other divisions of the bank;
materials of inspections carried out by external regulatory bodies;
Measures to eliminate violations identified by inspections and information on the progress of their implementation;
Information about the activities of the object of verification received from structural divisions Central office jar;
information about the activities of the object of verification obtained through software products used in the bank;
decisions of the collegial bodies of the bank regulating the activities of the object of verification;
accounting and statistical reports (balance sheets, accounts receivable and accounts payable etc.), information about changes in the organizational structure and other materials related to the activities of the audited entity.
In order to fulfill their duties within the approved assignment, auditors have the right to have free access to review and verify all documents related to the bank's activities (books, records, reports, business correspondence, application software operating in the bank's system). Copies from received documents, records with transcripts stored in local computer networks and autonomous computer systems, employees of the department can make in accordance with the procedure established by the bank. Auditors determine the compliance of actions and operations carried out by bank employees with the requirements of current legislation, regulations of the National Bank of the Republic of Belarus, and local acts of the bank.
The timing of audits is determined by the head of the internal audit service, depending on the scope of the planned audit and the composition of the working group.
The term for conducting an audit of the financial and economic activities of a structural unit should not exceed 30 calendar days. The extension of the inspection period is carried out by the Chairman of the Management Board of the bank on the basis of the application of the head of the inspection.
The term for conducting inspections of certain issues of banking activities, the implementation of activities, thematic and unscheduled inspections, is set individually in each individual case, depending on the volume and complexity of the issues being checked, but not more than the period established for conducting an audit of financial and economic activities.
Compound working group for the audit is determined based on its nature, complexity, expected amount of working time, the level of professionalism of auditors and their specialization. It is possible to involve specialists of structural subdivisions of the bank in the working group for the audit based on the decision of the Chairman of the Board or a Member of the Board of the bank.
To conduct an audit of financial and economic activities, a working group consisting of at least 3 specialists is appointed. As a rule, the Chief Auditor of the Internal Control Department is appointed as the head of the working group. AT individual cases, another specialist from the staff of the Internal Control Department may be appointed as the head of the working group. During the inspection period, all members of the working group report directly to the head of the working group, regardless of the performance of their direct official duties.
To determine the main issues to be checked, the head of the check, in agreement with the head of the internal audit service, develops and submits for approval to the Chairman of the Board of the bank or the curator of the internal audit service an audit program. Changes to the verification program must be agreed with the person who approved it.
When conducting audits of the implementation of measures based on the results of previous audits, thematic and unscheduled audits (except for complex ones), drawing up an audit program is not required.
Carrying out verification and ensuring audit. The basis for conducting an audit conducted by the internal audit service is an order or instruction (written or oral) of the Chairman of the Board of the bank to conduct it.
The verification consists of two stages:
preliminary assessment of the activities of the structural unit of the bank for the scheduled period;
comparative assessment of preliminary data with the actual state of affairs in the structural unit.
At the first stage, the members of the working group preliminarily collect and analyze information in order to determine the most risky areas in the activities of the structural unit identified for verification. On the basis of an order (instruction) to conduct an audit of a structural unit, the Department of Automation and Information Technology provides members of the working group with access to automated resources used by the audited unit for the period of the audit. Based on the data obtained from automated banking systems, based on the results of interviews and other sources, a preliminary analysis of the activities of the audited unit is carried out, and the most risky areas are determined.
From the collected information and analysis, preliminary conclusions and proposals are made for more detailed control and preparation of recommendations at the second stage.
The analysis of the activities of the structural divisions of the bank should be carried out on an ongoing basis.
At the second stage, an assessment of previously received information is carried out with the actual state of affairs in the structural unit directly with access to its location.
The head of the facility to be inspected is notified of the inspection the day before and must be familiarized with the inspection program on the day the inspection begins. Unannounced inspections on the instructions of the bank's management are carried out without prior notice to the management of the bank's structural subdivision to be inspected.
The head of the audited structural unit during the audit is obliged to:
ensure the creation of auditors working conditions, satisfying the effective conduct of the audit and prompt submission of all necessary documentation and information, as well as to give, at their oral or written request, explanations and explanations in oral or written form on the facts of violations identified by the audit;
facilitate the conduct of the audit, that is, not allow any actions aimed at limiting the range of issues to be clarified during the audit;
not influence the auditors in order to change their conclusions based on the results of the audit.
When conducting an audit of a structural subdivision of a bank located outside the Central Office of the bank, the head of the inspected subdivision must provide auditors with jobs, if possible, in an office isolated from unauthorized persons. The working group should also be provided with computers with software that allows viewing transactions and reporting on financial and economic activities. When conducting inspections outside the mountains. Minsk, the head of the working group is provided with mobile communications.
Documents and other materials requested by the auditors are transferred to the workplaces of the members of the working group in the manner and within the time limits established by them. Documents not submitted before the completion of the verification will not be taken into account.
The head of the audited facility is responsible for the reliability of the information provided, in respect of which the audit is being carried out.
Scope of work. When conducting an audit, the auditor should be aware of the specific objectives of the audit and independently determine the methods of audit through which these objectives can be best achieved. The application of verification methods depends on the nature and volume of operations performed by the audited unit, the level of the internal control system, the volume and results of previous audits.
The verification can be carried out by a selective or continuous method.
The professional level of the auditor does not require detailed control of all transactions (operations), but allows for inspections to the extent necessary. In a random audit, auditors cannot give an absolute guarantee that there are no violations or compliance with established standards.
Sampling is a method of conducting an audit, in which the auditor checks the activities of the bank's structural unit not in a continuous manner, but selectively. The most important requirement that must be met when making a sample is to ensure that it is representative. The representativeness of the sample is a property of the sample that allows the auditor to draw the right conclusions about the entire population being checked on its basis. The requirement of representativeness assumes that all elements of the tested population (the totality of all elements of the documentation of the structural subdivision of the bank checked at a given site) must have an equal probability of being selected in the sample.
The scope of the sample and the need for its reflection in the audit materials is determined by the auditor or the head of the audit. In determining the sample size, the auditor should take into account the margin of error and the risk of spot testing, which is the possibility that conclusions and suggestions based on a study of the sample may differ from the conclusion that would be drawn if the auditor checked the entire set of data, using the same analytical procedures.
If, during a random check, the facts of theft, embezzlement, abuse are established, all documents relating to the issue on which these facts were revealed must be checked in a continuous manner. Documents on the write-off of losses and damages are subject to complete verification.
Internal audit reports and documentation. In the materials of the audit, the auditor must reflect all the facts known to him and confirmed by the relevant documents that led to a violation of the requirements of the current legislation, local acts of the bank, distortion of reporting, other information or concealment of illegal actions.
In the case of establishing the facts of violations, the auditor is obliged to find out their essence, namely: what is violated, in what period and how.
When identifying shortcomings and violations, it is also necessary to establish the causes of the violation, their consequences and the perpetrators.
When conducting audits, auditors should evaluate the sufficiency and effectiveness of the internal control system of the audited unit.
Based on the results of the audit, the auditors should give appropriate recommendations to eliminate the identified violations and strengthen internal control.
The head of the working group is personally responsible for the entire course of the audit. Members of the working group are personally responsible for the timely and high-quality conduct of the audit within the limits of the duties assigned to them and the rights granted.
The results of the audit of a structural unit are documented in a report on the results of the audit. The report on the results of the audit provides generalized final data and facts, as well as recommendations for eliminating identified shortcomings in further work.
Comments of the internal audit service on the activities of the audited unit and recommendations for improving its work are also included in the audit materials. If the auditor has a dissenting opinion on the results of his audit, when drawing up the report, he has the right to make a reservation about this. The head of the audit does not have the right to insist that the auditor change his conclusions or assessment based on the results of the audit.
The structure of the report on the results of the audit includes a title page, a general presentation, a table of results and a report in detail.
The title page contains general information about the object of the audit and the officials to whom the report is sent; the general presentation includes all the main results of the audit and contains a generalized opinion of the audit on the state of affairs in the audited structural unit, the main shortcomings and risks; the results table contains recommendations based on the results of the audit; the report contains a detailed description of the shortcomings and violations and recommendations for their elimination and prevention in further work, the period for the audit and approval, the audited period and the composition of the working group.
Based on the results of the check (audit) of cash desks, exchange offices, an act is drawn up in the form established by the relevant regulatory legal acts of the National Bank, which are attached to the report.
Materials of unscheduled inspections on the instructions of the bank's management may be drawn up with a deviation from the established procedure and the standard form of the report.
All evidence supporting audited violations should be documented as part of audit working papers, including using worksheets. If necessary, copies of documents or extracts from various accounting registers, as well as certificates and calculations drawn up on the basis of verified documents, certified in the prescribed manner, may be attached to the report.
The worksheets attached to the report document the violations and indicate all the necessary data for each fact: the period during which the violations were committed and their nature, dates and numbers of documents, the perpetrators and other necessary information. Worksheets are compiled in two copies. One copy of the worksheets remains in the structural unit until the signing of the final version of the report on the results of the audit.
Coordination of worksheets with the heads of the audited departments (responsible executors) should be carried out no later than one working day before the deadline for completing the audit.
On the day of completion of the audit, the head of the audit systematizes the materials based on its results and forms a preliminary version of the report. Information is brought to the attention of the management of the audited unit on recommendations to eliminate deficiencies in the work, which will be given by the internal audit service.
One copy of the preliminary report remains with the audited unit for approval of recommendations. Within 3 working days after the completion of the audit, the materials must be agreed with the head of the internal audit service, its curator, and, if necessary, with the heads of interested departments of the Bank's Central Office. After the expiration of the specified period, the final version of the agreed report in two copies is signed by the head of the audit, registered by the Secretariat in accordance with the local acts of the bank and sent to the structural unit subjected to the audit for review.
Head and Chief Accountant of the inspected division, within one working day, are obliged to familiarize themselves with the materials of the inspection, about which the relevant signatures are made in the final part of the report, and send the first copy of the final version of the report, together with worksheets, to the internal control department for storage.
Within the time frame indicated in the table of results, the management of the audited structural unit must inform the internal audit service about the implementation of the recommendations based on the results of the audit. Control over the implementation of the recommendations rests with the head of the audit.
Responsibility for the elimination of deficiencies and violations identified by inspections and the implementation of audit recommendations rests with the heads of the audited departments.
After the implementation of the audit materials, the preliminary versions of the report are subject to destruction.
Based on the results of the audit, specific recommendations can be offered to the structural unit to eliminate the shortcomings reflected in the audit materials. These include:
organizational measures aimed at increasing the efficiency of interaction between structural units in order to reduce costs, as well as improving the control system at all stages of transactions;
measures aimed at developing specific actions to eliminate the identified violations and shortcomings, as well as to review or improve the functional control system.
In addition, based on the results of inspections by the internal audit service, recommendations can be given to the heads of departments of the Central Office on changing the local acts of the bank, finalizing or developing software, revising the procedures governing banking operations or other recommendations. Recommendations are recorded in the report based on the results of the audit and drawn up as a memorandum addressed to the head of the structural unit signed by the head of the internal audit service or its curator.
Realization of materials. Materials of checks after receiving the final report are considered by the curator. The Chairman of the Board and the chief accountant of the bank must be informed of the results of the verification. Information on the results of inspections may also be sent to the Members of the Board of the bank. After reviewing the materials, together with the head of the internal audit service, a method for their implementation is determined. Depending on the volume and materiality of the identified violations, one of the forms of implementation will be applied:
consideration of materials by the Chairman of the Board of the bank;
consideration at meetings of the collegial bodies of the bank;
consideration of the results of the audit at a workshop with the curator;
an information letter (memorandum) to the management of the inspected object.
Materials are sold no later than 30 days from the date of signing the report on the results of the audit. Consideration of materials can be carried out both with the participation of the management of the audited structural unit, and without its participation. Heads of interested structural subdivisions can also take part in the consideration of materials, who, in advance, get acquainted with the materials of the audit.
After 6 months from the end of the audit, the internal audit service checks the implementation of measures to eliminate the shortcomings recorded in the report based on the results of the audit of financial and economic activities. This check is carried out in accordance with the approved procedure. The audit should reflect the completeness and effectiveness of the measures taken by the structural unit to eliminate and prevent further shortcomings and violations identified by the previous audit. In addition, the progress and degree of implementation of the recommendations, the presence of violations similar to those previously identified are recorded. Checks on the implementation of measures based on the results of thematic audits, audits of individual issues and unscheduled audits on the instructions of the bank's management can be carried out both with access directly to the structural unit of the bank, and by correspondence.
The materials of inspections are documents for official use and are registered according to special office work.
Any unauthorized reproduction and distribution of inspection materials is prohibited. Responsibility for unauthorized duplication and distribution of the materials of the audit during the period of its conduct is borne by the head of the audit, while they are in the audited unit - the head of this unit, and after entering the department of internal control and registration - the person responsible for conducting special office work.
Familiarization with the materials of inspections of the heads of structural divisions of the bank is carried out only with the permission of the head of the internal audit service. Submission of materials to third parties is made in agreement with the Chairman of the Board of the bank or the curator.
The internal audit service studies, generalizes and systematizes the shortcomings and violations identified as a result of the inspections of the structural divisions of the bank carried out by the department. In agreement with the Chairman of the Board or the curator, the generalized materials of inspections are brought to the structural divisions of the bank.
Coordination of actions. The Internal Audit Service organizes and coordinates the work in the field of control and audit with the National Bank of the Republic of Belarus, external regulatory bodies, and the external audit of the bank. The head of the internal audit service is the official representative of the bank in work with members of the bank's audit commission, external audit and contributes to the implementation of their plans and actions.
The Internal Audit Service has the right to request all bank documents and information necessary for conducting inspections by the National Bank of the Republic of Belarus, external regulatory bodies and external audit. Requests for the provision of information and documents are sent to the departments signed by the curator or head of the internal audit service.
Structural subdivisions of the bank are obliged to fulfill these requests within the time limits established by the internal audit service. Branches of the bank send information (documents) by ownership to the divisions of the Central Office in charge of these areas of banking activity. The information received from the branches is analyzed and verified by the responsible executors of the relevant divisions of the Central Office for its compliance with balance sheet data, reporting (and other requirements) and submitted to the internal audit service in a timely manner. The requested information is submitted by the bank's structural subdivisions to in electronic format, and if necessary - with subsequent confirmation of it on paper signed by the head or his deputy.
Verified and properly formed information received from the structural divisions of the bank is presented by the internal audit service to the applicants, in accordance with their requests. The heads of the structural subdivisions of the bank are responsible for the accuracy, completeness and timeliness of the provision of information.
All structural subdivisions of the bank must agree with the internal audit service plans for inspections and submit materials of inspections of the structural divisions of the bank (except for the materials of follow-up inspections) no later than 5 days from the date of their execution.
If there are deficiencies and violations in the materials of inspections carried out by external regulatory bodies, copies of these materials are sent to the address of the internal audit service. The curator and the head of the internal audit service should be immediately informed about the facts of applying financial sanctions to the bank by external regulatory bodies.
In preparation for approval by the bank's management bodies, all local regulatory legal acts of the bank go through the procedure of coordination with the internal audit service. In accordance with the principles of independence, the internal audit service does not participate in the development of local acts of the bank (except for those regulating the process of organizing internal audit).
After approval by the collegial body of the bank, a copy of the local regulatory legal act of the bank must be submitted to the internal audit service of the bank.
Employees of all departments of the bank should assist the specialists of the internal audit service in the performance of their direct duties.
My first audit took place a week after I became an employee of the ICS. And not just anywhere, but in the northernmost branch of our bank, beyond the Arctic Circle. And not anything, but taxation. Can you imagine the impressions of moving (on a rotational plane!) From "Indian summer" and apples still hanging on trees in central Russia, to a snowstorm and meter-long snowdrifts of the Yamalo-Nenets Autonomous Okrug, combined with an almost complete lack of understanding of how audit, and taxation? “More and more wonderful,” as Alice used to say (I often remembered her then). The burden of responsibility pressed almost physically.
It was a long time ago, and then there were no textbooks on auditing, no auditing standards, no internal banking normative documents, not even Regulations No. 242-P. But even now, oddly enough, many freshly minted internal auditors, especially in small banks, have the same problems. Where to begin? Where to run? What to grab onto?
Let's start with the theory - oh, how I missed it then - and consider the methods of auditing. As for those auditors who have been baked for a long time and managed to become stale, it may be interesting for them to compare how the methods they use during checks differ from what is now taught in universities to students (further information is partially borrowed from educational literature).
Methods for conducting audits.
In textbooks, the following methods of organizing an audit are usually distinguished:
In terms of importance:
Solid check;
Custom scan;
By way of doing:
Documentary verification;
actual check;
Analytical verification;
Combined check.
Solid check, of course, is more suited to revision than to audit. But since, as already mentioned in Part 3, internal audit in a bank is actually a cross between an audit and an audit, sometimes this method has to be applied.
Continuous verification can be documentary or factual.
At spot check an acceptable sample percentage must be determined. External auditors never check absolutely everything business transactions the entity being audited; their conclusions regarding the correctness of accounting transactions may be based on judgments or procedures carried out in a selective manner.
Analytical verification is the use of various methods and techniques of business analysis, mathematics, statistics to identify problems and inconsistencies in the accounting and reporting of the bank. In some cases, the audit may be limited to an analytical review only.
Combined check involves a combination of different methods of audit organization.
Technology for obtaining information.
In a nutshell, the audit activity (both internal and external audit) can be described as follows. You need to get certain information, process it, draw conclusions and present them in a certain form. Everything is very simple.
But how to do that?
Rule (standard) No. 5 “Audit evidence” (Decree of the Government of the Russian Federation of September 23, 2002 No. 696 “On approval of federal regulations(Standards) of Auditing”) calls audit evidence information obtained by the auditor during the audit, and the result of the analysis of this information, on which the auditor's opinion is based.
Audit evidence can be obtained by performing the following procedures:
Inspection;
Observation;
Request;
Confirmation;
Recalculation;
analytical procedures.
When collecting audit evidence, the auditor may apply one or more of these procedures.
Inspection is a review of records, documents or tangible assets.
Inspection (verification) of records and documents provides audit evidence (information) of varying degrees of reliability.
Verification of documents is that the auditor must be convinced of the reality (reliability) of a particular document. To do this, you can select certain entries in accounting and trace the reflection of the operation up to that primary document that can confirm the reality and expediency of this operation.
Documents can be checked in the following areas:
BUT) formal verification, that is, checking:
Correctness of filling in all details;
The presence of unspecified corrections, erasures, additions in the text and figures;
Authenticity of signatures of officials and financially responsible persons;
B) arithmetic check, that is, checking the correctness of calculations in documents (including totals in primary documents, accounting registers and reporting forms);
AT) substantive verification of documents, that is, checking:
Legality and expediency of the operation;
The correctness of attributing amounts to accounts and articles.
To obtain more convincing evidence of the information being verified, a procedure can be applied tracing. At the same time, the auditor selects the source documents and browses sequentially related to them accounting registers to check the correctness of the reflection of the transaction in accounting.
The procedure is often used scanning- cursory viewing, scrolling through a stack of documents. Scanning is used when using random checks, when there is a risk of not detecting errors and making an erroneous decision. But this, of course, is not a method for beginners. It takes a solid professional background to bring out something interesting in a scan.
Tracking and scanning allows you to study atypical articles and events reflected in the documents of the bank.
Inspection of tangible assets ( inventory) provides reliable audit evidence as to their existence (but not necessarily as to their ownership or valuation). However, indicative information about the condition and value of the property during the inventory can be obtained.
Observation is the auditor's tracking of a process or procedure performed by others. This may be, for example, the auditor's observation of the cash count. Money when auditing the cash register.
Using this method allows the auditor to examine the procedures or processes performed by bank employees. If the information is obtained directly at the time of observation, it can be considered reliable.
Request - it is seeking information from knowledgeable persons. It can be both formal written and informal oral. Answers to requests (questions) provide the auditor with information that he did not previously have, or confirmation (refutation) of information already available.
The results of oral surveys should be drawn up in the form of a protocol or a brief summary, which indicates the name of the auditor who conducted the survey, as well as the last name, first name, patronymic of the interviewed person (as they write in textbooks, but in practice I have not seen this with any internal auditors, neither from outside).
Confirmation represents a response to a request for information contained in accounting records. For example, the auditor may request confirmation of receivables directly from debtors.
Recalculation- this is a check of the accuracy of arithmetic calculations in primary documents and accounting records (say, recalculation of depreciation), or the performance of independent calculations by the auditor.
Recalculation is one of the most common ways to obtain audit evidence. As a rule, it is carried out selectively.
To analytical procedures include the analysis and evaluation of the information received by the auditor, the study of financial and economic indicators activities of the audited object (in the case of internal audit - a unit or type of activity). aim analytical procedures is the identification of unusual or incorrectly reflected in the accounting transactions, as well as the identification of the causes of such errors and distortions.
At Bank of Russia has its own view on the methods of carrying out inspections by the internal control service. It is set out in Appendix 3 to the Regulation of the Central Bank of the Russian Federation of December 16, 2003 No. 242-P "On the organization of internal control in credit institutions and banking groups." The Appendix provides the following methods (methods) for carrying out checks:
Financial verification;
Verification of compliance with the law;
Checking compliance with internal documents credit institution;
operational check;
Checking the quality of management.
The purpose of a financial audit is to assess the reliability of accounting and reporting.
Verification of compliance with the legislation of the Russian Federation should affect all types of legislation: banking, securities market, taxes and fees, and especially - on countering the legalization (laundering) of proceeds from crime and the financing of terrorism. This also includes checking “other acts of regulatory and supervisory bodies”.
Checking the internal documents of the bank includes checking the methods, programs, rules, procedures and procedures established by them. Its purpose is to assess the quality and compliance of the systems created in the credit institution to ensure compliance with the requirements of the legislation of the Russian Federation and other acts.
The purpose of the operational audit is to assess the quality and conformity of systems, processes and procedures, to analyze organizational structures and their sufficiency to perform the assigned functions.
And the most interesting thing is, of course, checking the quality of management. Its purpose is to assess the quality of the approaches of management bodies, departments and employees of the bank to banking risks and methods of controlling them within the framework of the goals of the credit institution.
Details and descriptions of the listed methods of carrying out checks are given by the Bank of Russia at the mercy of credit institutions. So, you can use for this purpose the techniques described here from textbooks and the Rules (standards) of auditing.
Simple truths.
This section contains statements that may seem trivial to you. However, if neither textbooks nor even Auditing Standards neglect them, then it probably makes sense for us to remember them. Moreover, they can be applied, with some amendments, not only in internal audit, but also in almost any other type of activity, including raising your own children and negotiating with the ZhEK.
Information obtained from external sources (from third parties) is more reliable than information obtained from internal sources.
The more effective the existing system of accounting and internal control, the more reliable the information obtained from internal sources.
Information collected directly by the auditor is more reliable than that obtained from the audited entity (division).
Information in the form of documents and written statements is more reliable than information presented orally.
Information about the same object or fact is more convincing if they are obtained from different sources, have different content and do not contradict each other (or, even better, confirm each other).
If information obtained from one source does not match information obtained from another, additional procedures must be identified and carried out to determine the reasons for the discrepancy.
It is necessary to compare the costs associated with obtaining information and the usefulness (value) of the information received.
The complexity of the work is not a sufficient reason for refusing to perform the necessary procedure. This, I believe, is the Golden Rule. Nothing is impossible for a person with intelligence, so never be afraid to take on an unfamiliar topic. Meet in the process.
If there are serious doubts about the reliability of the reflection of transactions in accounting and reporting, you should try to obtain sufficient information to eliminate such doubts. If it is impossible to obtain this information, the auditor must express his opinion with the appropriate reservation or refuse to express an opinion.
Moral code of the auditor.
Here we touch upon a delicate subject. On the one hand, the ethical requirements for auditors are still probably more wishes than requirements - well, like ten commandments; and parameters such as "honesty" or "professional behavior" are difficult to quantify. On the other hand, they are established by the Code of Ethics for Auditors of Russia. In order to avoid moralizing and civic pathos (I really don’t like this), we simply list the ethical requirements for auditors:
Honesty;
Objectivity;
professional competence;
due diligence;
Preservation of the confidentiality of available information;
professional conduct;
Independence.
In accordance with Rule (Standard) No. 7 “Quality control of audit engagements”, the audit leader must monitor compliance with these requirements by members of the audit team. If he learns about non-compliance with ethical requirements by group members, then he must consult with appropriate individuals within the firm's staff and ensure that appropriate disciplinary action is taken against individuals who fail to comply with ethical requirements. But here we are talking about external auditors.
For internal auditors, compliance with ethical requirements is no less important, if not more important than for external ones. Unless, of course, they are concerned about the attitude of the team towards them (and there are not so many people who do not care about this, agree). The status of the controller, although internal, rarely arouses sympathy in the ranks of those being checked. And if a person is still dishonest, incompetent and rude, then everything, write, is gone.
Well, it wasn't without moralizing. L
Internal Control Service according to the Bank of Russia.
The purpose of creating the internal control service of a credit institution is to implement internal control and assist the bank's management bodies in ensuring the effective functioning of the credit institution entrusted to them.
The main internal document regulating the activities of the internal control service (Regulations on the internal control service) must determine:
Purpose and scope of the service;
Principles (standards) and methods of activity of the service that meet the requirements of Regulation No. 242-P;
Service status in the organizational structure of the credit institution;
Tasks, powers, rights and duties of the service;
The relationship of the service with other divisions of the credit institution, including those performing control functions;
Subordination and accountability of the head of the service;
The duty of the head of the service to inform about violations (shortcomings) revealed during inspections on issues determined by the credit institution:
Board of Directors (Supervisory Board);
Sole and collegiate executive body;
Head of the structural unit in which the audit was carried out;
The obligation of all employees of the service to inform the bank's management bodies of all cases that prevent the service from carrying out its functions;
The order of participation of the service in the development of internal documents;
Responsibility of the head of the service in cases of failure to inform or untimely informing on issues determined by the credit institution, the board of directors (supervisory board), the sole and collective executive body.
The regulation on the internal control service is approved by the board of directors (supervisory board) of the credit institution, unless otherwise provided in the charter of the credit institution.
Functions of the internal control service.
The Internal Control Service performs the following functions:
Checking and evaluating the effectiveness of the internal control system;
Verification of the completeness of the application and effectiveness of the methodology for assessing banking risks and banking risk management procedures;
Checking the reliability of the functioning of the internal control system for the use of automated information systems;
Verification of the reliability, completeness, objectivity and timeliness of accounting and reporting and their testing, as well as the reliability and timeliness of the collection and presentation of information and reporting;
Checking the reliability, completeness, objectivity and timeliness of submission of other information in accordance with regulatory legal acts to state authorities and the Bank of Russia;
Verification of the methods (methods) used to ensure the safety of the property of a credit institution;
Assessment of the economic feasibility and efficiency of operations performed by the credit institution;
Verification of compliance of internal documents of the credit institution with regulatory legal acts, standards of self-regulatory organizations (for professional participants in the securities market);
Review of internal control processes and procedures;
Checking systems established to comply with legal requirements, professional codes of conduct;
Evaluation of the work of the personnel management service of the credit institution;
Other issues stipulated by the internal documents of the credit institution.
“Other issues” sometimes out of habit include the development (or participation in the development) of intrabank regulatory documents. This is not entirely correct - after all, in this case, the quality, relevance and adequacy of internal documents will have to be assessed by the same people who developed them.
But to coordinate such documents - please.
It is also not a good idea to include a unit or person responsible for risk management in the internal control service. For the same reasons: the functions of the service include checking the completeness and effectiveness of the banking risk assessment methodology and banking risk management procedures.
It seems that in my practice there were no other cases of assigning functions unusual to the internal control service.
Mandatory conditions for the operation of the internal control service in a credit institution.
The normative ethical requirements for internal audit, established by Regulation No. 242-P, are somewhat different from the ethics of external audit.
According to clause 4.5. of Regulation No. 242-P, a credit institution must ensure that the following requirements for the activities of the internal control service are met:
Permanence of activity;
Independence;
Impartiality;
Professional competence of the manager and employees;
Conditions for the unimpeded and effective implementation of the functions of the service.
Persistence of activity internal control service means, without hesitation, that the internal control service must operate on an ongoing basis.
To do this, the bank must establish (determine) the number, structure and level of technical support of the service in accordance with the scale of activity, as well as the nature of banking operations and transactions. Employees of the internal control service must be part of the staff of the credit institution.
Transfer of functions of the internal control service third party organization not allowed, except for credit institutions that are members of banking groups.
Independence internal control services are not so easy to provide. Despite the presence of relevant recommendations in Regulation No. 242-P, in fact, the one you check pays you the salary.
The Auditor's Code of Ethics (see above), as well as Regulation No. 242-P (see below) will help to avoid conflicts in such a situation (or at least minimize them).
Clause 4.7. Regulations No. 242-P determines, in particular, that the internal control service:
Operates under direct control board of directors of the bank (supervisory board);
Does not carry out activities subject to audits (except when the activities of the service are subject to independent verification by an audit organization or the board of directors (supervisory board), if such verification is provided for by the charter of the bank);
Reports on its own initiative to the board of directors (supervisory board) on issues arising in the course of performance of its functions by the service and proposals for their resolution, and also discloses this information to the executive body of the credit institution (individual and collegiate).
The head of the internal control service must be accountable to the board of directors (supervisory board) of the credit institution.
The head of the internal control unit of a bank branch or an employee of the branch performing internal control functions must report to the head of the bank's internal control service.
The head of the internal control service of the bank should have the right to interact with the relevant heads of the bank to promptly resolve issues. The procedure for such interaction should be provided for by the internal documents of the bank.
The head of the internal control service or his deputies should not be functionally subordinate to other divisions of the credit institution.
Employees of the internal control service, including the head and his deputies, cannot combine their activities with activities in other divisions of the credit institution.
The internal control service must participate in the development of internal documents of the credit institution.
The Internal Control Service cannot participate in banking operations and other transactions.
The head and employees of the internal control service do not have the right to sign payment (settlement) and accounting documents, as well as other documents in accordance with which the credit institution accepts banking risks, or endorse such documents on behalf of the bank.
All of the above should be detailed in the bank's internal documents.
Impartiality internal control services - the concept, in my opinion, is even more ephemeral than independence. A completely impartial person is no longer a person, but some kind of monster. However, pronounced addictions still need to be disposed of, and here Regulation No. 242-P also offers some tricks.
The bank must ensure the solution of the tasks assigned to the internal control service without interference from the management bodies, divisions and employees of the credit institution who are not employees of the internal control service. In short, to protect the service from external influences.
Employees of the internal control service, including the head and his deputies, who previously held positions in other structural divisions of the bank, should not participate in the audit of the activities and functions that they carried out during the audited period and within 12 months after the completion of such activities and the implementation of functions. I don't really understand the meaning of this restriction. If the relations of the employee who has gone to the field of control with the former team have remained good and ties are maintained, then by the thirteenth month they are unlikely to break off at once. If they are bad, then the very first check by a new employee of the service of his former unit will give a rich harvest. If none, then there is no difference whether a year has passed since the end of the activity or not.
Although, of course, from the point of view of ensuring impartiality, the situation looks dangerous.
The bank may establish a procedure for the transfer (frequency, validity) of the head (his deputies) and employees of the internal control service to other positions in the event of a change in the nature and scale of activities, the emergence of new types or areas of activity, etc. I really hope that "etc." includes such factors as the personal desires and ambitions of these employees - otherwise it turns out not an internal control service, but a link to places not so remote.
And, finally, it is not recommended to appoint a person working part-time as the head of the internal control service. That is, the head of the SVK should belong to his service undividedly.
Professional Competence the head of the service, his deputies and other employees, there is no doubt about its necessity (in my case, however, everything was exactly the opposite, but then Regulation No. 242-P was not yet in effect; now this number will no longer work).
All employees of the service must have sufficient knowledge of banking activities and methods of internal control and collection of information, its analysis and evaluation in connection with the performance of official duties.
The internal control service should be staffed by employees who have high level vocational training and qualifications.
For the head (his deputies) of the internal control service, it is recommended to establish requirements for having experience in managing a structural unit of a credit institution related to banking operations and other transactions (but what about impartiality?).
Training (retraining) of the head (his deputies) and employees of the internal control service is recommended to be carried out on an ongoing basis.
Features of the implementation of inspections by the internal control service of the bank.
We have already talked about the methods for carrying out inspections by the internal control service provided by the Bank of Russia and specified in Appendix No. 3 to Regulation No. 242-P. In addition to the methods, the Appendix describes some of the rights that belong to the heads and employees of the bank's internal control service, as well as the features of the service's workflow.
Employees of the internal control service they have a right:
Enter the premises of the inspected unit, archives and cash vaults, computer rooms, etc. At the same time, the access procedures defined by the internal documents of the bank must be observed;
Receive documents, copies of documents, other information, as well as any information available in information systems credit institution necessary for the exercise of control. At the same time, the requirements of the legislation of the Russian Federation and the requirements of the credit institution for working with information of limited distribution must be observed;
Involve employees of the credit organization in the course of inspections and require them to provide access to documents and other information necessary for conducting inspections.
Documenting inspections by the internal control service.
The document flow in the activities of the internal control service should contain a description of the procedure for compiling and moving the following main documents:
Inspection plan (including inspection schedule);
Work plan of the internal control service;
Reports on the implementation of the inspection plan;
Inspection programs for each area of the bank's activities;
Work documents;
Reports and proposals based on the results of inspections.
There are also special types of reporting on the internal control system, but we will talk about them another time.
Inspection plan carried out by the internal control service, should include a schedule for the implementation of inspections. It is compiled on the basis of the methodology adopted by the bank for assessing banking risk management, which should take into account:
Changes in the internal control system;
New directions of activity of the credit organization.
When drawing up the schedule, the frequency of inspections established in the bank in the areas of activity of structural divisions and the bank as a whole should be taken into account.
Work plans internal control services are developed by the internal control service and approved by the board of directors (supervisory board) of the credit institution. These plans may be coordinated with the executive body of the bank (sole or collegiate).
Reports on the implementation of inspection plans submitted by the internal control service at least twice a year to the board of directors (supervisory board) of the bank.
Inspection programs are developed separately for each direction (issue) of the bank's activities.
The verification program must:
Identify key banking risks;
Determine the mechanisms for ensuring the completeness and effectiveness of control in the audited area of banking activities.
AT working papers audits of the internal control service, the stages of the audit and the audit procedures performed, data on the documents reviewed and other information obtained during the audit are reflected.
Reports and proposals based on the results of inspections represented by the internal control service:
Board of Directors (Supervisory Board);
Sole executive body (its deputies);
collegial executive body;
Heads of audited structural subdivisions of the credit institution (branch).
Reports must contain:
Description of the purpose of the audit;
Description of the work performed;
Description of the identified violations;
Description of errors and shortcomings in the activities of a credit institution that may pose a threat to the interests of creditors and depositors or affect financial stability a credit institution (for some reason, this item is often forgotten and written in a report about ALL identified errors and shortcomings);
Now, armed to the teeth with theory, we can safely move on to the practice of carrying out audits in various areas of the bank's activities.
To be continued.
As already noted, specialized (professional) control bodies should be formed and operate in the bank. These bodies can be primarily:
The internal control service (hereinafter referred to as the ICS) of the bank is created specifically for the purpose of monitoring the process of functioning of the internal control system in the bank, identifying and analyzing problems associated with its functioning, ensuring that all employees of the organization comply with the requirements of the law in the performance of their official duties, as well as ensuring control for minimizing banking risks, including risks associated with conflicts of interest arising in the course of the bank's life.
The main function of the ICS in a bank, speaking in general terms, there should be a function of creating, debugging and maintaining all internal control mechanisms in the bank at the required level. At the same time, it is inappropriate to reduce the functions of the ICS to only methodological work (formulation of requirements for the internal control system), but they should not replace the functions of other internal control bodies in the bank.
At the same time, the ICS should ensure control over:
For the efficient operation of the bank's ICS, it is necessary to ensure a special status for its employees (controllers). The controller must have unconditional access to all accounting and other documentation, to electronic databases data and data on paper. At the same time, the mode of access to information should be such that the possibility of correcting the data by the controller is excluded.
The controller must be independent of the activity it is checking. The dependence of the controller on the audited activity, due to the fact that he previously worked in the audited unit, is unacceptable. It is also unacceptable to have less obvious connections: current or past work in the inspected division of relatives, the ability to use any services of the inspected division, etc.
The controller should also not be administratively dependent on the executive bodies of the bank. This is a very important principle, non-compliance with which leads to the creation of an incapacitated ICS.
The controller must have the authority to suspend the operations (transactions) of the bank in case of detection of gross violations in them, which may lead to losses or additional risks for the bank. This right should be fixed in the Regulations on the ICS and internal bank job descriptions.
When conducting administrative-legal, managerial, organizational, managerial and financial control due regard must be paid at all times to the implementation of the following principles.
Analytical control, as already noted, involves the identification of deviations of actual parameters, primarily financial activities bank from due (expected) and finding out their reasons. For this, financial and economic indicators, various coefficients, methods of their calculation, as well as the required (normative, planned) values of these indicators and coefficients are used. At the same time, special employees of the bank should regularly monitor the values and dynamics of these indicators and ratios and, if they deviate from the proper values, immediately report this to the bank's managers, including collegiate management bodies that have the right, due to their position in the organization, to make management decisions that will have to "enter" the values of such indicators in the required framework.
The ICS is obliged to selectively check compliance with the specified due indicators, bearing in mind, first of all, the most significant financial and economic indicators for the bank (for example, the correctness of the accrual of reserves for certain risky assets), as well as to conduct regular control monitoring of how the departments set and analytical control is carried out.
Each employee of the ICS in the course of his work periodically finds himself in "opposition" to the employees of the units being audited. This unavoidable circumstance carries the germ of a conflict, which can result in hostility and rejection by the bank's staff of employees of controlling units, which can greatly complicate the implementation of control measures and reduce the effectiveness of the internal control system as a whole. To prevent this from happening, it is necessary to create a climate in the bank team that unites everyone, including employees of regulatory services, around a single goal (goals).
A separate function of the ICS is participation in the coordination of intra-bank regulations and procedures. This work is actually a preliminary control, since in the course of it, on the one hand, the algorithms for the actions of employees are determined, on the other hand, the algorithms for the functioning of control mechanisms designed to prevent violations of the specified rules for the actions of employees.
The ICS, participating in the approval of draft intra-bank regulations and procedures, should study the availability and sufficiency of these control mechanisms, and then the compliance of the bank employees' actions described in the projects with the requirements of regulations, i.e. thereby perform the functions already mentioned (check for compliance and control the presence of proper control). It is clear that all agreed documents must be checked for compliance with the norms of laws, legal acts of the Bank of Russia, as well as international acts.
An important role in the bank's internal control system can and should be occupied by audit. The audit of banks (external) has a number of features that require the presence of specialized audit organizations. The point is that at audits banks and other KOs, a variety of parties should be considered economic activity both the banks themselves (NCOs) and their clients. This imposes a special responsibility on bank auditors, requires them to have special qualifications, objectivity and, accordingly, the reliability of the final conclusions.
The practice of bank audits shows that an important condition for the successful activity of auditors is the mutual interest of both the audited bank and the auditors in ensuring the reliability of accounting and reporting, in identifying and eliminating the reasons that prevent the bank from achieving better performance. The auditor is a person with special knowledge, he must be characterized not only by high professionalism, but also by such qualities as objectivity and honesty, the ability to keep trade secrets, goodwill and loyalty to those being audited, and a number of other features.
Auditors may, in particular:
As for the responsibilities of auditors, they are determined on the basis of the tasks assigned to them (within the framework of the legislation). Their main duty is to ensure that when facts of improper banking operations, violations of the established accounting procedure, abuses, etc. are revealed. accurately determine the amount of damage caused to the bank or the state (budget), find out the reasons for the revealed violations, officials or responsible persons guilty of these violations. In this regard, the auditor is also responsible for incorrect coverage of the actual state of affairs in the surveyed bank, deliberate distortion of facts or concealment of identified violations or errors committed by employees.
In principle, the same applies to the activities of internal auditors, although their main task is to identify moments of inconsistency between the actual activities of the organization and the requirements of laws and regulations, as well as monitoring the progress of correcting this type of inconsistencies during inspections. Certain functions of internal auditors are also performed by audit groups at the accounting departments of large banks, subordinate to the chief accountant or financial director, but the functions of internal auditors are wider.
Some functions of internal audit are called business audit. Economic audit consists in a systematic analysis of the economic activities of the CO and is carried out for specific purposes. It usually has three goals:
The internal audit of a bank is, in fact, an audit of the bank's internal control system and, as such, is part of the internal control system itself. The audit function of the internal control system should be accountable to the top management of the bank, represented by the board. To do this, the council (or a special committee within it) should be informed in a timely manner about the identified shortcomings in this system and submit recommendations for improving its work for its consideration.
For regular monitoring of risk factors and values within the bank, it is expedient to create within the framework of corporate governance internal control and audit committee. The creation of such a committee makes it possible for detailed and regular consideration and discussion of issues related to internal control and audit, and allows them to give them the necessary attention. At the same time, it is recommended to include in the committee, along with bank employees responsible for key business areas, non-bank specialists who are well versed in financial reporting and internal control issues.
The overall result of the functioning of the bank's internal control system should be a rational organization of continuous and constant monitoring of its own banking and administrative activities, meaning its different levels - from the workplace of an individual employee and from the production of a separate product (provision of a separate service) to the final parameters of the organization as a whole.
The place, role and functions of the controlling divisions of the bank should be determined: in the concept of organizing internal control in the bank; in the regulations on these divisions; in the internal regulatory documents of the bank, which, along with a description of the procedures for work and interaction between co-executors, if necessary, indicate the procedure for monitoring this area of work.
In particular, ICS in a bank can be structurally organized in two ways. In the first case it may include internal control, internal audit, risk management units, as well as a number of other analytical and control units of the bank. In this case, in fact, we are talking about a multifunctional department, which should cover various aspects of the activities of the entire organization.
In the second case ICS can be created as a separate structural unit within the bank, interacting with other controlling units. With this option, the ICS should be endowed with appropriate powers and rights.
It is expedient, as is formally the case in most Russian banks, to combine the two subsystems - control and audit - into a single system and a single organizational structure of internal control, but subject to a clear division of responsibilities between them. With this approach, the functions of organizing and exercising control proper should be entrusted to control subsystem(ICS in the narrow sense of this body), and the assessment of its quality on an ongoing basis could be carried out by the internal audit subsystem (hereinafter - IAS). the main task At the same time, IAS is an assessment of the quality (efficiency) of the internal control system. For this this service should be organized in such a way as to limit its impact on the creation of an internal control system only by assessing its quality.
The choice of a variant of a structural organization depends primarily on the characteristics of the bank, the availability of appropriate resources in it, and the established practice of its activities. However, in both cases, the goals, functions and methods of work of the ICS should be basically identical and should not violate the technological structure of the bank.
