The Russian edition of the COSO framework “Enterprise Risk Management. Integrating with Strategy and Performance” (COSO ERM) 2017 has gone on sale in the online bookstore TOTbook.ru. It is available at the link: https://totbook.ru/catalog/345/1136970/
The COSO ERM framework consists of 3 books:
1. Main book (110 pages)
2. Appendices (30 pages)
3. Summary (10 pages)
The COSO ERM framework aims to strengthen the link between risk, strategy and company value. It considers risk in terms of its role in making strategic decisions that ultimately affect the performance of the organization as a whole. The first part of the main book provides an overview of current and evolving concepts and applications of enterprise risk management. The second part of the main book, the Framework itself, has five components that take into account different perspectives and operational structures and help improve strategy and decision-making.
The exclusive right to publish and distribute (hard copy only) the COSO framework “Enterprise Risk Management. Integrating with Strategy and Performance” (COSO ERM) 2017 belongs to the Institute of Internal Auditors. The release of this publication and the translation of the text into Russian were carried out with the support of Deloitte CIS.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has developed a general model of internal control against which companies and organizations, including banks, can evaluate their own control systems. COSO was formed in 1985 with the support of the National Commission on Fraudulent Financial Reporting (the Treadway Commission).
The COSO model defines an organization's internal control as a process carried out by the board of directors, top management and other personnel of the organization, designed to provide "reasonable assurance" regarding the achievement of objectives in the following categories:
The COSO internal control model includes several key concepts:
internal control is a process. It is a means to an end, not an end in itself;
internal control depends on people. It consists not only of management policies and forms, but of people at all levels of the company;
internal control can provide the company's management and board of directors with only reasonable assurance, not absolute guarantees;
internal control aims to achieve objectives in one or more separate but overlapping categories.
The essence of the COSO model can be expressed as follows: you are in control when risk is assessed and managed.
The elements of internal control according to the COSO system include (Table 1):
1) control environment;
2) risk assessment;
3) control measures;
4) collection and analysis of information, as well as its transfer to the destination;
5) monitoring and error correction.
Table 1. Components of the internal control system

| Component | Description | Main elements |
|---|---|---|
| Control environment | Awareness and actions of the owner's representatives and management regarding the organization's internal control system, and their understanding of the significance of such a system for the organization's activities | reliability, honesty and morality; competence; management philosophy and style; organizational structure; distribution of rights and obligations; personnel policy and practice |
| Risk assessment | Identification and assessment of possible risks in the preparation of financial statements | changes in legislation; changes in business conditions; assessment of consequences |
| Information and communication | Ensure that staff understand the role of their participation in the process of preparing financial (accounting) statements | recording, processing, summarizing and presenting the organization's operations; distribution of duties; providing managers at various levels with information |
| Control procedures | Policies and procedures that help ensure management's instructions are followed | checking the execution of orders (reports); data processing; checking the presence and condition of assets; distribution of duties |
| Monitoring | Monitoring whether the controls are functioning properly; the process of evaluating the effective functioning of the internal control system over time | continuous monitoring; periodic control |
The model includes eight components:
internal environment. The internal environment is the atmosphere in the organization and determines how the risk is perceived by the employees of the organization and how they react to it. The internal environment includes the philosophy of risk management and risk appetite, integrity and ethical values, as well as the environment in which they exist;
goal setting. Objectives must be defined before management begins to identify events that may affect their achievement. The risk management process provides a reasonable guarantee that the company's management has a properly organized process for selecting and setting goals and that they correspond to the mission of the organization and the level of its risk appetite;
event identification. Internal and external events that affect the achievement of the organization's objectives should be identified and distinguished as either risks or opportunities. Opportunities should be taken into account by management when formulating strategy and setting goals;
risk assessment. Risks are analyzed in terms of their likelihood of occurrence and impact in order to determine what actions need to be taken in relation to them. Risks are assessed in terms of inherent and residual risk;
risk response. Management selects a risk response - risk avoidance, acceptance, reduction or sharing of risk - by developing a set of activities that bring the identified risk into line with the organization's acceptable risk level and risk appetite;
control activities. Policies and procedures are designed and established in such a way as to provide reasonable assurance that the response to emerging risk is effective and timely;
information and communication. The necessary information is determined, recorded and transmitted in such a form and within such timeframes that allow employees to perform their functional duties. There is also an effective exchange of information within the organization both vertically from top to bottom and bottom up, and horizontally;
monitoring. The organization's entire risk management process is monitored and adjusted as necessary. Monitoring is carried out as part of ongoing management activities or through periodic evaluations.
Summing up, we note that:
COSO attaches great importance to the internal environment.
COSO gives much greater weight to the monitoring of internal control as a form of follow-up control. Monitoring is one of the main elements of the COSO model.
COSO attaches great importance to the work of the Board of Directors.
First, it must be said that there are almost no Russian standards for risk management, internal control and internal audit. I think it's bad, because there were a lot of interesting things. But it is quite possible to use the bourgeois ones. The key problem lies in their interpretation as presented by many experts: for risk management - with an emphasis on financial risks, for directors of internal control and internal auditors - with an emphasis on reporting. That is, you need to remember that each standard contains many components, and by remembering all of them, you can get much more usefulness out of it.
The most famous standards are:
Initially, all standards were developed, of course, in English. However, translations into Russian do exist.
FERMA - once there was both a Russian and an English version in the public domain. Website - http://ferma.eu. Now, alas, it has disappeared, but the link below is the latest up-to-date one.
During my observation there were several translations. I especially liked that in one translation the phrase
“While risk identification may be carried out by independent consultants, an assessment carried out in-house, with close interaction between its departments, using the presented processes and tools in a consistent and coordinated manner, is likely to be more effective”
was replaced with the phrase (now corrected on the FERMA website, still hanging on the Rusrisk website)
“Risk identification of the organization is usually carried out by independent consultants. However, understanding and analysis of risks “on one's own” by the organization is of great value for a successful risk management process.”
In general, people did not bother at all. Of course, everyone earns money as best they can, but the hints at material support for their loved ones could have been more subtle.
GOST ISO31000 is equally easy to find both in Google and Yandex.
COSO standards - only the "conceptual foundations" are freely available, in English and Russian. Website - www.coso.org. An official translation was published in Russian in 2015; it is sold by the Institute of Internal Auditors; I did not read it; it cost 2000 rubles. Among the "shareware" there is an "official" translation (by the way, quite readable and high-quality) of COSO ERM and an "unofficial" translation of part of COSO IC IF. It is located in the closed part of the website of the Institute of Internal Auditors of the Russian Federation, http://iia-ru.ru. Only IIA members can enter the closed part.
MOPP - partially available in the public domain (but not all of it; the usefulness for setting things up begins with the practical guidelines), the rest is in the closed part of the website of the Institute of Internal Auditors of the Russian Federation (http://iia-ru.ru). I note that MOPP, despite its volume, is fairly light reading (at least for me); the translation is of very high quality.
Total: all the necessary standards can be obtained in the great and mighty Russian language for 2500 rubles as a membership fee to the Institute of Internal Auditors. A reasonable price, and there are also bonuses in the form of several interesting presentations. To obtain a complete set in Russian, you will also need to purchase a book; the price for members of the Institute is 1800 rubles.
The COSO IC IF standard first appeared in its modern form in 1992. A new version was prepared in 2013.
For some reason, COSO is very fond of all sorts of cubes. I will give a traditional COSO-cube, I specifically found the worst version (turned upside down, as if starting with monitoring).
Much more reasonable is the following representation:
Why it is reasonable. First, the control environment is important for the entire organization, and monitoring should cover the entire process of internal control. The process itself is quite banal: it represents the relationship “risks → control procedures” with the corresponding information support. Second, monitoring should cover all other components.
In 2002, the FERMA standard appeared. I like it the most because of its small size. A schematic diagram of work according to this standard is in the picture.
It can also be noted that the FERMA standard does not emphasize the organization's reporting as a key component (for example, in the nature of the risk). The reason is quite banal: European risk managers (and FERMA is their organization) have grown not from accountants, but from insurers and financiers. Their origin, it seems to me, explains the classification:
Bankers and insurers distinguish financial risks and hazards as a separate category. Why - I think it's clear. All the rest (both internal auditors and COSO) grew out of reporting; therefore, both the internal audit standards and the COSO standards contain mandatory goals in the field of reporting reliability and compliance with the law (compliance).
What happened next (this version is just my opinion). The COSO creative team, after analyzing the new standard, thought something like this: why does everyone already have a strategy while we are still dawdling? And in about a year and a half, they drew another cube by writing the COSO ERM standard (2004):
To make it clear where it grows from - an additional picture:
In my opinion, everything is obvious. You can also compare the components along the vertical axis from the COSO cube and the sequence of actions described in FERMA.
Five years later the International Organization for Standardization (ISO) released its risk management standard. ISO documents are developed from the point of view of business (and not the sale of consulting services); therefore, in my understanding, ISO31000:2009 is the optimal standard in terms of volume/utility ratio, although it requires translation from Russian into Russian. By the way, ISO introduced the principle of risk management into the ISO9000 standard, the most well-known in Russia, which caused a certain panic in the ranks of quality management system directors.
Internal audit standards have evolved significantly over the past 50 years. It all started with accounting and compliance. The current version is an assessment of risks and effectiveness of control in terms of:
As you can see, three of the components coincide with COSO IC IF (I can't say where they first appeared; I am not a historian), and the safety of assets, apparently, has been there since 1957 (or since 1947?). I don't know why it should be singled out separately: I don't think that an activity can be recognized as effective and efficient in the presence of theft or loss of assets due to improper storage.
It is desirable to read everything. Relatively simple standards in terms of readability are FERMA, ISO31000 and MOPP. FERMA is just small in volume; for MOPP one can limit oneself to the standards (MPSVA), the practical guidelines are just recommendations (albeit strict ones). Readability is explained simply: FERMA and ISO wrote standards for risk managers, the Institute of Internal Auditors - for internal auditors. It is highly desirable for both of them to speak the same language, including ensuring uniformity of approaches. Accordingly, it was better to avoid very complex structures and uncertainties, which was done.
COSO is a fundamental, multi-volume work; for COSO ERM thanks have been expressed to as many as 30 PwC partners. In my opinion, if fewer partners had been involved, the document would have turned out better - as it happens, "synergy in reverse" has emerged. A peculiarity of the COSO standards: from the "conceptual foundations" nothing is clear at all; the understandable part begins in the very last document (in the case of COSO ERM - the "Appendix"). You need to understand that the authors are auditors and consultants. They do not need to make a clear standard: why lose revenue? Therefore, it is necessary that the reader's "hand reaches for the phone" of a Partner of a Large Consulting Company. In my opinion, it worked. Also note that, unlike this site, there is no “end-to-end” approach: there is no logic of “here we take a set of risks, here we evaluate them, here we manage them, here we can audit”. The set of examples is definitely not bad. But if you try to apply them to one business, most likely little will work. By the way, in general, I personally have an absolutely even attitude towards COSO documents. There are useful things, but it's really not worth talking about these standards in reverent, hushed tones, like some women in the presence of foreigners.
When setting up risk management, I recommend using FERMA, and ISO31000 if something is not written in FERMA. Internal control is a special topic; traditionally COSO IC IF can only be used to generate not very useful documents. The problem with COSO IC IF is in its interpretation, which is either a philosophy about the control environment or about reporting, which is what gets commented on. And for internal audit there are supported standards; I signed the code of ethics (as a member of the IIA), so there is nothing else left but MOPP.
I heard about the Sarbanis-Oxley law. By the way, Sarbanis is a Greek, so that's why, not Sarbanes. So, my opinion is that now the most brilliant salespeople work in big4.
Let's remember how SOX appeared. It appeared as a result of the absolutely fictitious reporting of a bunch of companies. As to why this happened, my opinion and that of an expert colleague do not agree. I think that this is absolute unprofessionalism and greed: it is clear that someone else from the big5 could well have taken on the reporting, coupled with consulting contracts, for the same money. Yes, and the destruction of the auditor's working papers says a lot.
The colleague points out that there are at least a few systemic deficiencies in audit management and makes several arguments that the verification of accounts could have taken place without major dealings with conscience:
Whatever the case, the result is simply amazing. Instead of "thrashing" the entire audit community, as the President of the Republic of Belarus A.G. Lukashenka put it about his parliament, additional requirements were imposed not on the auditors who covered up the fraud, but on the companies themselves (including those that lived honestly). And these requirements were formulated, oddly enough, by the auditors themselves. It is clear that the requirements are formulated in such a way that auditors are needed again (well, that is, they are called consultants, but they are physically located in a neighboring department of an audit company). Everything further is obvious.
Bottom line: in addition to a formal audit of financial statements, each public company had to order the establishment of internal control according to SOX (well, or hire staff, which is also not cheap). At the same time, the cost of an external audit increased, as the standard hours increased by the assessment of the ICS over the preparation of reports. At the same time, as far as I know, even if the system of internal control over the preparation of reports is tested up and down by internal audit, there is no fundamental reduction in the cost of external audit services.
By the way, now Big4 does not provide audit and consulting services to the same organization. That is, in fact, the cost of consulting services for business has increased (the principle of "wholesale cheaper" has been cancelled).
In general, the key result of an audit scandal caused by auditors is an increase in auditors' revenues. "It's great, isn't it?" (© Zaitsev sisters, Comedy Club). Therefore, I try not to use the word SOX.
document status: materials for the CPT meeting
developer organization: PJSC Megafon
Clarification X/2013
"Organization of the internal control system"
1. General provisions
1.1 This Policy defines the procedure for organizing and functioning of the internal control system (hereinafter referred to as the ICS) in the Company, including describing the purpose and tasks of the ICS, as well as the roles and responsibilities of its subjects.
1.2 This Policy has been developed taking into account the requirements and recommendations:
2. Definition and objectives of internal control
2.1 Internal control is a continuous process carried out by all employees and management of the Company at all levels of management, aimed at providing conditions for achieving the goals of the Company in the following areas:
2.2 Internal control system (ICS) - a system of organizational measures, policies, instructions, as well as control procedures, corporate culture norms and actions taken by the Board of Directors, management and employees of the Company to ensure the proper conduct of business activities: to ensure the financial stability of the Company, to achieve an optimal balance between its growth, cost, profitability and risks, for the orderly and efficient conduct of business activities, ensuring the safety of assets, identifying, correcting and preventing violations, timely preparation of reliable financial statements and, thereby, increasing investment attractiveness.
2.3 The organization of the internal control system in the Company is based on a risk-based approach. This means close integration of the internal control system with risk management processes, which ensures the timely and effective application of risk management methods using effective mechanisms of the internal control system. At the same time, the management of the Company and its employees concentrate their efforts on building and improving the internal control system, first of all, in those areas of activity that are characterized by the highest level of risk.
2.4 The system of internal control over the financial reporting process (ICFR) - a system of organizational measures, policies, instructions, as well as control procedures, corporate culture norms and actions taken by the Board of Directors, management and employees of the Company to achieve goals in the field of preparing reliable financial statements.
2.5 The objectives of the functioning of the internal control system in the Company are:
3. Principles of operation and components of the ICS
3.1 The organization and functioning of the ICS in the Company is based on the following key principles:
3.2 Relevance and development - all documentation on the ICS (description of risks, controls and other information) should be updated in a timely manner and constantly improved in order to increase the efficiency of risk management. Top management provides conditions for the continuous development of the internal control system, taking into account the need to solve new problems that arise as a result of changes in internal and external operating conditions. The basis for the organization and functioning of the internal control system in the Company are the following components:
A detailed description of the components of the ICS is given in Appendix 1 of this Policy.
4. Subjects of internal control and their functions
4.1 The Company's internal control system is determined by a set of objects and subjects. The objects of the ICS are the financial and economic activities of the Company's divisions. The subjects of internal control are determined by this Policy and other regulatory documents of the Company in the field of internal control.
4.2 The composition of the subjects of internal control is determined by the organizational structure of the Company and includes:
4.3 Board of Directors - determines the general directions for organizing the internal control system in the Company, analyzes the overall efficiency of the ICS and its compliance with the nature, scale and conditions of the Company's activities when they change, considers the results of assessing the effectiveness of the ICS, identified significant shortcomings and recommendations for their elimination. Approves the internal control policy and amendments to it.
The functions and tasks of the Board of Directors in relation to the internal control system are enshrined in the Regulations on the Board of Directors of the Company.
4.4 Audit Committee of the Board of Directors - evaluates compliance with the principles of internal control and risk management and the overall effectiveness of the ICS in the Company (including on the basis of reports from the internal audit and internal control units), and gives recommendations for improving the ICS.
The functions and tasks of the Audit Committee of the Board of Directors are fixed in the relevant regulation on the Company's Audit Committee.
4.5 CEO - is responsible for organizing and maintaining the functioning of an effective internal control system in the Company and for monitoring the functioning of the ICS, including:
4.6 Internal Audit Division - carries out an independent assessment of the effectiveness of individual components of the ICS, the ICS of the audited objects and the ICS of the Company as a whole, and develops recommendations for improving its reliability and efficiency, including:
4.7 The tasks of the Internal Control Units are:
Coordination of activities to form and maintain the effectiveness of the internal control system;
The functions, tasks and powers of the structural subdivision for coordination of the Company's ICS are defined in the relevant Regulations.
4.8 Heads and employees of structural divisions are responsible for the formation, maintenance and constant monitoring of the internal control system in the relevant functional areas of activity of units throughout the management vertical, and also carry out control procedures in accordance with their official duties, including:
4.9 The Company ensures the creation of effective channels for the exchange of information, including both vertical and horizontal communications, in order to form an understanding among all subjects of internal control adopted in the regulatory documents on the organization and functioning of the internal control system and ensure their implementation.
4.10 Information about the work of the internal control system, about the deficiencies found and other significant circumstances is provided to the Board of Directors, the Audit Committee of the Board of Directors, to CEO, the Management Board or other bodies in accordance with the existing requirements of the legislation and regulatory documents of the Company.
5. Roles
5.1 To ensure the effective functioning of the ICS, the following roles are distributed among the managers and other employees of the Company:
5.2 Process/risk owner - the head of the subdivision/department who is responsible for:
5.3 Control executor - an employee at any level who is responsible for:
5.4 ICS coordinator - an employee in each department who is responsible for:
6. Requirements and responsibilities in the field of ensuring the effectiveness of the ICS
6.1 Internal control is an integral part of the functioning of any division of the Company.
6.2 All employees are responsible for the functioning and efficiency of the Company's ICS.
6.3 The management of the Company must communicate to employees the importance of having and ensuring the effectiveness of the functioning of the ICS, as well as the role of each employee in this system, including the following basic requirements:
6.4 If an employee of the Company has information about a lack or inefficiency of internal control procedures, he must immediately inform his immediate supervisor, as well as the heads of internal control and internal audit units about this.
6.5 If an employee deliberately fails to comply with this Policy and does not follow the control procedures for which he is responsible, the employee will be subject to disciplinary action up to dismissal in accordance with the requirements of current legislation.
7. Monitoring of ICS efficiency
7.1 The purpose of monitoring is to evaluate the effectiveness of the Company's internal control system, including its ability to ensure the fulfillment of its goals and objectives, as well as to determine the materiality of the system's shortcomings.
7.2 Monitoring of the system of internal control over financial reporting includes:
7.3 Self-assessment of the effectiveness of the ICS (hereinafter - self-assessment of the ICS) is carried out directly by the subjects of the ICS by:
7.4 Regular evaluation of the ICS helps to improve its effectiveness by:
7.5 The results of the ICS assessment must be documented and submitted to the Company's management and the Audit Committee of the Board of Directors:
8. Making additions and changes to the Policy
8.1 When changing and supplementing legislative acts, requirements of regulators and regulatory documents of the Company regulating the functioning of the internal control system, changes and additions to this Policy can only be made by duly executed decisions of the Board of Directors of the Company. The Board of Directors of the Company may also decide to approve a new version of the Policy.
Appendix 1. ICS components according to the COSO methodology
Internal control, according to the COSO "Internal Control-Integrated Framework" model, consists of five interrelated components that come from the way business is conducted and are associated with the process of its management. The five components include:
Control environment: The control environment creates an atmosphere in an organization that influences the awareness of personnel about the importance of performing controls. It is the basis for all other components of internal control, providing order and discipline. Control environment factors include integrity, ethical values, management style, system of distribution of powers and responsibilities, as well as the processes of management and development of personnel in the organization. Also, the effectiveness of the control environment depends on the attention to this issue on the part of the Board of Directors.
Risk assessment: Every organization faces various external and internal risks that need to be assessed. A prerequisite for risk assessment is the definition of goals, so risk assessment involves the identification and analysis of relevant risks associated with the achievement of established goals. Risk assessment is a prerequisite for risk management.
Controls: Controls are policies and procedures that ensure that management decisions are enforced. They help ensure that the necessary actions are taken in relation to risks that may prevent the organization from achieving its objectives. Controls are exercised throughout the organization, at all its levels and in all functions. They include a range of activities such as approvals, permits, checks, reconciliations, activity reports, asset preservation and segregation of duties.
Information and communication: All necessary information must be identified, formulated and communicated to the relevant employees in a timely manner so as to enable them to fully perform their duties. Information systems also play an important role in the internal control system, as they contain financial information, as well as information on operations and compliance with the law, which allows you to manage and control the business. The question is not only about the dissemination of internal company information, but it is also important to inform employees about external events and activities that are necessary for making various decisions. Effective communication in a broader sense should ensure the flow of information up and down and between departments throughout the organization. It is important that company personnel receive a clearly articulated position from senior management on the importance of fulfilling their responsibilities in terms of internal control. It is also important that each employee clearly understands his role in the internal control system, and how the result of his work is related to the activities of other employees. Personnel must be aware of the need to communicate all important information to company management. Effective communication on matters related to the interests of the company must also be ensured with external parties such as customers, suppliers, regulators and shareholders.
Monitoring: The internal control system requires monitoring - a process of periodic assessment of the quality of its work. This is achieved by continuous monitoring of the quality of execution of certain operations, by separate evaluations of the effectiveness of a particular process, or by a combination of these two options. Ongoing monitoring is carried out on a daily basis, including the management and supervision of the relevant processes, as well as other activities performed as part of staff duties. The scope and frequency of separate evaluations depend on the assessed level of the relevant risks, as well as on the results of ongoing monitoring of these operations. Internal control deficiencies identified during monitoring should be brought to the attention of management, and the most significant findings should be brought to senior management and the Board of Directors.
The close interconnection of these components ensures the formation of an integrated system that is able to quickly respond to emerging challenges. The internal control system is an integral part of operating activities. The most effective ICS is if the controls are built into the infrastructure of the organization and are part of its essence. Built-in controls enhance the quality and effectiveness of events, as well as help to avoid additional costs and allow faster response to certain events.
“COSO - The Committee of Sponsoring Organizations of the Treadway Commission, USA”
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a voluntary private organization created in the United States and designed to develop recommendations for corporate management on critical aspects of organizational governance, business ethics, financial reporting, internal control, enterprise risk management and fraud prevention.