COSO internal control integrated model. Standards

Helpful Hints 06.09.2019

First, it must be said that there are almost no Russian standards for risk management, internal control and internal audit. I think that is a pity, because there were a lot of interesting things. But it is quite possible to use the bourgeois ones. The key problem lies in the interpretation offered by many experts: for risk management, with an emphasis on financial risks; for directors of internal control and for internal auditors, with an emphasis on reporting. In other words, you need to remember that each standard contains many components, and by keeping all of them in mind you can get much more use out of it.

The most famous standards are:

  • risk management: the FERMA standard (Federation of European Risk Management Associations), the COSO ERM standard (COSO - Committee of Sponsoring Organizations of the Treadway Commission, ERM - Enterprise Risk Management), GOST ISO31000;
  • internal control systems: the COSO IC IF (Internal Control - Integrated Framework) standard;
  • internal audit: the International Professional Practices Framework (MOPP in the Russian abbreviation).

Where can you read the standards?

Initially, all the standards were, of course, developed in English. However, Russian translations do exist.

FERMA - at one time both a Russian and an English version were publicly available. Website - http://ferma.eu. Now, alas, it has disappeared, but the latest current version is linked below.

During the time I have been watching there have been several translations. I especially liked that in one translation the phrase

“While risk identification may be carried out by independent consultants, an assessment carried out in-house, with close interaction between its departments, using the presented processes and tools in a consistent and coordinated manner, is likely to be more effective”

was replaced with the phrase (now corrected on the FERMA website, still hanging on the Rusrisk website)

“Risk identification for the organization is usually carried out by independent consultants. However, the organization's own understanding and analysis of risks, done 'properly', is of great value for a successful risk management process.”

In general, people did not bother at all. Of course, everyone earns money as best they can, but the hints about material support for their loved ones could have been subtler.

GOST ISO31000 is equally easy to find in both Google and Yandex.

COSO standards - only the "conceptual foundations" are freely available, in English and in Russian. Website - www.coso.org. An official Russian translation was published in 2015; it is sold by the Institute of Internal Auditors, I have not read it, it cost 2000 rubles. Among the "shareware" there is an "official" translation (quite readable and of good quality, by the way) of COSO ERM and an "unofficial" part of COSO IC IF. It is located in the closed part of the website of the Institute of Internal Auditors of the Russian Federation, http://iia-ru.ru. Only members of the Institute can enter the closed part.

MOPP - partially available in the public domain (but not all of it; the parts useful for setting things up begin with the practical guidance), the rest is in the closed part of the website of the Institute of Internal Auditors of the Russian Federation (http://iia-ru.ru). I note that MOPP, despite its volume, is fairly light reading (at least for me), and the translation is of very high quality.

Total: all the necessary standards can be obtained in the great and mighty Russian language for 2500 rubles, the membership fee of the Institute of Internal Auditors. A reasonable price, and there are bonuses in the form of several interesting presentations. To obtain the complete set in Russian, you will also need to buy a book; the price for members of the Institute is 1800 rubles.

A bit of history.

The COSO IC IF standard first appeared in its modern form in 1992. A new version was prepared in 2013.

For some reason, COSO is very fond of all sorts of cubes. Here is the traditional COSO cube; I deliberately picked the worst version (turned upside down, as if it starts with monitoring).

Much more reasonable is the following representation:

Why is it reasonable? First, the control environment matters for the entire organization, and monitoring should cover the entire internal control process. The process itself is quite banal: it is the relationship “risks → control procedures” with the corresponding information support. Second, monitoring should cover all the other components.

In 2002, the FERMA standard appeared. I like it the most because of its small size. A schematic of work under this standard is in the picture.

It can also be noted that the FERMA standard does not put an emphasis on the organization's reporting as a key component (for example, in the nature of the risk). The reason is quite banal: European risk managers (and FERMA is their organization) grew not out of accountants, but out of insurers and financiers. That origin, it seems to me, explains the classification:

Bankers and insurers put financial risks and hazards into a separate category. Why, I think, is clear. All the rest (both internal auditors and COSO) grew out of reporting, and therefore both the internal audit standards and the COSO standards contain mandatory objectives in the areas of reporting reliability and compliance with the law (compliance).

What happened next (this version is just my opinion). The COSO creative team, having analyzed the new standard, thought something like this: why does everyone already have a strategy while we are still dawdling? And in about a year and a half they drew another cube by writing the COSO ERM standard (2004):

To make it clear where it grows from, an additional picture:

In my opinion, everything is obvious. You can also compare the components along the vertical axis of the COSO cube with the sequence of actions described in FERMA.

Five years later the International Organization for Standardization (ISO) released its risk management standard. ISO documents are written from the point of view of business (and not of selling consulting services), so in my understanding ISO31000:2009 is the optimal standard in terms of volume-to-usefulness ratio, although it requires translation from Russian into Russian. By the way, ISO introduced the risk management principle into ISO9000, the standard best known in Russia, which caused a certain panic in the ranks of quality management system directors.

Internal audit standards have evolved significantly over the past 50 years. It all started with accounting and compliance. The current version is an assessment of risks and of the effectiveness of controls in terms of:

  • reliability and integrity of information on financial and economic activity;
  • efficiency and effectiveness of activities;
  • safety of assets;
  • compliance with the requirements of laws, regulations and contractual obligations.

As you can see, three of the components coincide with COSO IC IF (I can't say where they first appeared, I'm not a historian), and the safety of assets has apparently been there since 1957 (or since 1947?). I don't know why it should be singled out separately: I don't think an activity can be recognized as effective and efficient in the presence of theft or loss of assets due to improper storage.

Brief comments on the standards.

It is desirable to read everything. The relatively simple standards in terms of readability are FERMA, ISO31000 and MOPP. FERMA is simply small in volume; for MOPP you can limit yourself to the standards themselves (MPSVA, the International Standards for the Professional Practice of Internal Auditing), since the practical guidance consists of recommendations only (albeit strict ones). The readability is explained simply: FERMA and ISO wrote standards for risk managers, the Institute of Internal Auditors for internal auditors. It is highly desirable for both to speak the same language, including ensuring uniformity of approaches. Accordingly, it was better to avoid very complex constructions and ambiguities, which was done.

COSO is a fundamental, multi-volume work; for COSO ERM thanks are expressed to as many as 30 PwC partners. In my opinion, if fewer partners had been involved, the document would have turned out better; as it happens, "synergy in reverse" emerged. A peculiarity of the COSO standards: from the "conceptual foundations" nothing is clear at all, and the understandable part begins only in the very last document (in the case of COSO ERM, the "Application" volume). You need to understand that the authors are auditors and consultants. They do not need to make a clear standard: why lose revenue? So the reader's "hand must reach for the phone" of a Partner of a Large Consulting Company. In my opinion, it worked. Note also that, unlike this site, there is no "end-to-end" approach: there is no logic of "here we take a set of risks, here we assess them, here we manage them, here we can audit them". The set of examples is definitely not bad. But if you try to apply them to a single business, most likely little will work. By the way, in general I personally have a completely even attitude towards the COSO documents. There are useful things in them, but there is really no reason to speak of these standards breathlessly, the way some women do in the presence of foreigners.

When setting up risk management, I recommend using FERMA, and ISO31000 where something is not covered in FERMA. Internal control is a special topic: traditionally COSO IC IF can only be used to produce not very useful documents. The problem with COSO IC IF is its interpretation, which is either a philosophy about the control environment or about reporting, as noted above. As for internal audit, there are supported standards, and I signed the code of ethics (as a member of the Institute of Internal Auditors), so nothing else is left but MOPP.

Why don't I mention SOX?

I have heard about the Sarbanis-Oxley law. By the way, Sarbanis is Greek, so it is that, not Sarbanes. So, my opinion is that the most brilliant salespeople now work in the Big4.

Let's remember how SOX appeared. It appeared as a result of the completely fictitious reporting of a bunch of companies. On why this happened, my opinion and that of an expert colleague differ. I think it was sheer unprofessionalism and greed: it is clear that someone else from the Big5 could well have taken on the reporting, together with the consulting contracts, for the same money. And the destruction of the auditor's working papers says a lot.

The colleague points out that there are at least a few systemic deficiencies in audit management and makes several arguments that the verification of the accounts could have taken place without a major deal with their conscience:

  • short time for the audit. The exchange demands "come on, come on", and the topic of accelerating the period close is an interesting topic for consulting. This, it seems to me, is the most harmful thing, because it actually contributes to unreliable reporting and leaves no time for the usual control procedures for checking documents (“below”, all documents must be completed in 1-2 days);
  • staff qualifications. Everything is checked by interns, each assigned to a site. The flows are large; a business with inflated financial results should be caught by forensics rather than by ordinary auditors. Given the time allotted for the audit, it is likely that the statements would be confirmed without any malicious intent. And the senior comrade who was supposed to confirm the ICS did so through formal compliance tests, which all auditors have in abundance. The result of quality control is that the working papers are filled in, and that's good; nobody could really dig into non-standard operations: the internal control system is up to standard, the sample is random;
  • partner requirements. Yes, of course, there were mistakes and inconsistencies. Were they enough to declare the reporting fake and quarrel with the client? Each individual flaw, given the small sample, perhaps not. And nobody looked at the totality.

Whatever the case, the result is simply amazing. Instead of "fucking up" the entire audit community, as the President of the Republic of Belarus A.G. Lukashenka put it about his parliament, there are additional requirements not for the auditors who covered up the fraud, but for the companies themselves (including those that lived honestly). And these requirements are formulated, oddly enough, by the auditors themselves. Naturally, the requirements are formulated in such a way that auditors are needed again (well, that is, they are called consultants, but they sit in a neighboring department of the audit company). The rest is obvious.

Bottom line: in addition to a formal audit of the financial statements, every public company had to order the establishment of internal control according to SOX (or hire staff, which is also not cheap). At the same time the cost of the external audit increased, since the standard hours grew by the assessment of internal control over financial reporting. And, as far as I know, even if the system of internal control over financial reporting is tested up and down by internal audit, there is no fundamental reduction in the cost of external audit services.

By the way, the Big4 now does not provide audit and consulting services to the same organization. That is, in fact, the cost of consulting services for business has increased (the "wholesale is cheaper" principle has been cancelled).

In general, the key result of an audit scandal caused by auditors is an increase in auditors' revenues. "It's great, isn't it?" (© Zaitsev sisters, Comedy Club). That is why I try not to use the word SOX.


The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has developed a general model of internal control against which companies and organizations, including banks, can evaluate their own management systems. COSO was formed in 1985 to support the National Commission on Fraudulent Financial Reporting (the Treadway Commission).

The COSO model defines an organization's internal control as a process carried out by the board of directors, top management and other personnel of the organization, designed to provide "reasonable assurance" regarding the achievement of objectives in the following categories:

  • efficiency and productivity of operations;
  • reliability of financial reporting;
  • compliance with laws and regulations.

The COSO internal control model includes several key concepts:

  • internal control is a process. It is a means to an end, not an end in itself;
  • internal control depends on people. It consists not only of management's policies and forms, but of people at all levels of the company;
  • internal control can give the management and board of directors of the company only reasonable assurance, not absolute guarantees;
  • internal control aims to achieve objectives in one or more separate but overlapping categories.

The essence of the COSO model can be expressed as follows: you manage when the risk is assessed and managed.

The elements of internal control according to the COSO model are (Table 1):

1) control environment;
2) risk assessment;
3) control activities;
4) collection and analysis of information and its transmission to its recipients;
5) monitoring and correction of errors.

Table 1. Components of the internal control system (for each component: description, then main elements)

Control environment
  Description: the awareness and actions of the owner's representatives and of management regarding the organization's internal control system, and their understanding of the significance of such a system for the organization's activities.
  Main elements:
    - reliability, honesty and morality;
    - competence;
    - management philosophy and style;
    - organizational structure;
    - distribution of rights and obligations;
    - personnel policy and practice.

Risk assessment
  Description: identification and assessment of possible risks in the preparation of financial statements.
  Main elements:
    - changes in legislation;
    - changes in business conditions;
    - assessment of consequences.

Information and communication
  Description: ensuring that staff understand the role of their participation in the process of preparing the financial (accounting) statements.
  Main elements:
    - recording, processing, summarizing and presenting the organization's operations;
    - distribution of duties;
    - providing managers at various levels with information.

Control procedures
  Description: policies and procedures that help ensure that management's instructions are carried out.
  Main elements:
    - checking the execution of instructions (reports);
    - data processing;
    - checking the existence and condition of assets;
    - distribution of duties.

Monitoring
  Description: checking whether the controls are functioning properly; the process of evaluating the effective functioning of the internal control system over time.
  Main elements:
    - continuous monitoring;
    - periodic control.

The extended (ERM) model includes eight components:

  • internal environment. The internal environment is the atmosphere in the organization; it determines how risk is perceived by the organization's employees and how they react to it. The internal environment includes the risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they exist;
  • objective setting. Objectives must be defined before management begins to identify events that may affect their achievement. The risk management process provides reasonable assurance that the company's management has a properly organized process for selecting and setting objectives, and that they correspond to the organization's mission and the level of its risk appetite;
  • event identification. Internal and external events that affect the achievement of the organization's objectives should be identified, distinguishing between risks and opportunities. Opportunities should be taken into account by management when formulating strategy and setting objectives;
  • risk assessment. Risks are analyzed in terms of their likelihood of occurrence and their impact, in order to determine what actions need to be taken in relation to them. Risks are assessed on both an inherent and a residual basis;
  • risk response. Management selects a risk response (risk avoidance, acceptance, reduction or sharing) by developing a set of actions that bring the identified risk into line with the organization's acceptable level of risk and risk appetite;
  • control activities. Policies and procedures are designed and established so as to provide reasonable assurance that the response to an emerging risk is effective and timely;
  • information and communication. The necessary information is identified, captured and communicated in a form and within timeframes that allow employees to carry out their duties. There is also an effective exchange of information within the organization, vertically from top to bottom and bottom to top, and horizontally;
  • monitoring. The organization's entire risk management process is monitored and adjusted as necessary. Monitoring is carried out as part of ongoing management activities or through periodic evaluations.

Summing up, we note that:

  • COSO attaches great importance to the internal environment.
  • COSO attaches much greater importance to the monitoring of internal control as a form of follow-up control. Monitoring is one of the main elements of the COSO model.
  • COSO attaches great importance to the work of the Board of Directors.


Document status: materials for the CPT meeting

Developer organization: PJSC Megafon

Clarification X/2013

"Organization of the internal control system"

1. General provisions

1.1 This Policy defines the procedure for organizing and functioning of the internal control system (hereinafter referred to as the ICS) in the Company, including describing the purpose and tasks of the ICS, as well as the roles and responsibilities of its subjects.

1.2 This Policy has been developed taking into account the requirements and recommendations:

  • the current legislation of the Russian Federation (including Article 19 of Law No. 402-FZ “On Accounting”);
  • the internal regulatory documents of the Company;
  • the Code of Corporate Conduct of the Federal Financial Markets Service of the Russian Federation;
  • the guidance of the Committee of Sponsoring Organizations of the Treadway Commission “Internal Control - Integrated Framework” (1992).

2. Definition and objectives of internal control

2.1 Internal control is a continuous process carried out by all employees and management of the Company at all levels of management, aimed at providing conditions for achieving the goals of the Company in the following areas:

  • efficiency and effectiveness of the financial and economic activities of the Company;
  • safety of assets;
  • compliance with legal requirements, regulations, internal documents of the Company and other applicable requirements of regulators;
  • reliability of financial reporting.

2.2 Internal control system (ICS) - a system of organizational measures, policies, instructions, control procedures, corporate culture norms and actions taken by the Board of Directors, management and employees of the Company to ensure the proper conduct of business: to ensure the financial stability of the Company, to achieve an optimal balance between its value growth, profitability and risks, for the orderly and efficient conduct of business, ensuring the safety of assets, identifying, correcting and preventing violations, timely preparation of reliable financial statements and, thereby, increasing investment attractiveness.

2.3 The organization of the internal control system in the Company is based on a risk-oriented approach. This means close integration of the internal control system with risk management processes, which ensures the timely and effective application of risk management methods using effective ICS mechanisms. At the same time, the Company's management and employees concentrate their efforts on building and improving the internal control system first of all in those areas of activity that carry the highest level of risk.

2.4 The system of internal control over the financial reporting process (SVKFO) - a system of organizational measures, policies, instructions, control procedures, corporate culture norms and actions taken by the Board of Directors, management and employees of the Company to achieve the objective of preparing reliable financial statements.

2.5 The objectives of the functioning of the internal control system in the Company are:

  • Assistance in protecting the interests of shareholders, investors and clients, preventing and eliminating conflicts of interest, supporting the effective management of the Company and achieving its strategic goals in the most efficient way;
  • Creation of conditions to protect the Company from internal and external risks arising in the course of its activities, as well as the risks of preparing the Company's financial statements;
  • Assistance in ensuring the Company's compliance with the requirements of legislation and the Company's regulatory documents;
  • Creation of conditions for the timely preparation and provision of reliable financial, accounting, statistical, managerial and other reporting for external and internal users;
  • Assistance in ensuring the safety of assets and the effective use of the Company's resources and potential.

3. Principles of operation and components of the ICS

3.1 The organization and functioning of the ICS in the Company is based on the following key principles:

  • Integration - the ICS is an integral part of the Company's corporate governance and is built into its processes and daily operations. The ICS includes procedures for informing management at the appropriate level about any significant violations in financial and economic activities and any shortcomings and weaknesses found in the controls, together with an analysis of their causes and details of the corrective actions that have been taken or should be taken;
  • Continuity - the ICS operates on an ongoing basis, continuously and at all levels of management, which allows the Company to identify deviations in the internal control system in time and prevent their recurrence;
  • Methodological unity - ICS processes are implemented on the basis of uniform requirements and approaches for all divisions of the Company;
  • Integrity/completeness - the ICS operates at all levels and in all divisions of the Company, covers all subjects of internal control and all activities and, accordingly, all risks:
    • The duty to build and maintain a reliable and efficient ICS lies with the heads at all levels of the Company's management;
    • Control procedures exist in all business processes and at all levels of management;
    • Each employee of the Company knows, understands and performs his role in the internal control system;
  • Responsibility - all employees and management at all levels of the Company are responsible for the functioning of the ICS within their powers;
  • Risk orientation - the ICS in the Company interacts closely with the risk management system, which contributes to the timely and effective implementation of measures to address risks. When analyzing control procedures, the magnitude and likelihood of risks and the degree of their impact on the results of financial and economic activities and on the achievement of the Company's goals must be assessed, which allows a conclusion either that the existing control procedures are sufficient or that new ones need to be developed and implemented;
  • Optimality - the volume and complexity of the control procedures used in the Company are necessary and sufficient for effective risk management and the achievement of the Company's goals. The resources and costs of implementing and subsequently operating control procedures should not exceed the consequences of the risk materializing (cost-to-economic-effect ratio), and the total level of residual risk should correspond to the Company's risk appetite;
  • Segregation of duties - the Company delimits the rights and obligations of subjects of internal control depending on their relation to the processes of developing, approving, applying and monitoring the ICS. No single employee or unit may simultaneously hold the powers to:
    • approve transactions with assets;
    • carry out operations with assets;
    • account for/register operations;
    • check the correctness, completeness and actual occurrence of the operation and ensure the safety of assets;
  • Formalization - the ICS is formalized:
    • the risks and controls for all significant business processes that affect the achievement of the Company's goals are described;
    • the results of performing control procedures are documented and retained (primary documents, reports, transaction logs, etc.);

  • Relevance and development - all ICS documentation (descriptions of risks, controls and other information) is updated in a timely manner and continuously improved in order to raise the efficiency of risk management. Top management provides the conditions for the continuous development of the internal control system, taking into account the need to address new tasks that arise from changes in internal and external operating conditions.

3.2 The organization and functioning of the internal control system in the Company are based on the following components:

  • Control environment;
  • Risk assessment;
  • Means of control;
  • Information and communications;
  • ICS monitoring.

A detailed description of the components of the ICS is given in Appendix 1 of this Policy.

4. Subjects of internal control and their functions

4.1 The Company's internal control system is defined by a set of objects and subjects. The objects of the ICS are the financial and economic activities of the Company's divisions. The subjects of internal control are defined by this Policy and the Company's other regulatory documents in the field of internal control.

4.2 The composition of the subjects of internal control is determined by the Company's organizational structure and includes:

  • Board of Directors;
  • Audit Committee;
  • General Director;
  • Internal control division;
  • Heads of structural subdivisions and employees of the Company.

4.3 Board of Directors - determines the general directions for organizing the internal control system in the Company; analyzes the overall efficiency of the ICS and its compliance with the nature, scale and conditions of the Company's activities when these change; considers the results of assessing the effectiveness of the ICS, the significant shortcomings identified and the recommendations for eliminating them; approves the internal control policy and amendments to it.

The functions and tasks of the Board of Directors in relation to the internal control system are enshrined in the Regulations on the Board of Directors of the Company.

4.4 Audit Committee of the Board of Directors - evaluates compliance with the principles of internal control and risk management and the overall effectiveness of the ICS in the Company (including on the basis of reports from the internal audit and internal control units) and gives recommendations for improving the ICS.

The functions and tasks of the Audit Committee of the Board of Directors are fixed in the relevant regulation on the Company's Audit Committee.

4.5 CEO - is responsible for organizing and maintaining the functioning of an effective internal control system in the Company and for monitoring the functioning of the ICS, including:

  • Determines the directions of development and improvement of the ICS in the Company;
  • Approves the Regulations on the internal control system, the Regulations for the diagnosis and improvement of the ICS and other regulatory documents in the field of the ICS;
  • Considers the results of the work of the internal control structural unit, including the results of the ICS diagnostics;
  • Establishes responsibility for the implementation of decisions of top management in the field of internal control;
  • Considers and approves an action plan to eliminate deficiencies in the ICS.

4.6 Internal Audit Division - carries out an independent assessment of the effectiveness of individual components of the ICS, of the ICS of the audited objects and of the Company's ICS as a whole, and develops recommendations for improving its reliability and efficiency, including:

  • Checks the compliance of the activities of departments and employees with regulatory documents that determine the procedure for the organization and functioning of the ICS;
  • Assesses whether the content of the regulatory documents governing the organization and functioning of the ICS corresponds to the nature and scope of the Company's activities;
  • Identifies the facts of violations, analyzes the reasons for their commission and develops recommendations for improving existing and / or introducing new control procedures to prevent the recurrence of violations;
  • Monitors the timely and complete elimination of identified violations and shortcomings;
  • Carries out quality control of the process of diagnosing the internal control system in the Company, carried out by the management and employees;
  • Advises on the improvement of internal control.

4.7 The tasks of the Internal Control Unit are:

  • Coordination of activities to form and maintain the effectiveness of the internal control system;
  • Methodological support of the ICS;
  • Organization of the ICS diagnostic process in the Company;
  • Preparation of plans for the development and improvement of the ICS in the Company;
  • Keeping the ICS infrastructure (registers of risks, control procedures and business processes) up to date;
  • Monitoring the implementation of the action plan to eliminate deficiencies and improve the ICS, including quality control of the elimination of deficiencies;
  • Informing all ICS participants about changes in approaches, documentation and other requirements in the field of the ICS;
  • Organization of the preparation of training programs for personnel on the organization and improvement of the internal control system.

The functions, tasks and powers of the structural subdivision for coordination of the Company's ICS are defined in the relevant Regulations.

4.8 Heads and employees of structural divisions are responsible for the formation, maintenance and constant monitoring of the internal control system in the relevant functional areas of activity of units throughout the management vertical, and also carry out control procedures in accordance with their official duties, including:

  • timely identification and analysis of the risks of the financial and economic activities of the Company;
  • development, formalization, as well as subsequent execution and ensuring the effectiveness and sufficiency of control procedures within their business processes;
  • updating the description of the ICS and timely informing the internal control unit about changes;
  • monitoring the functioning of the ICS, as well as an independent assessment of the effectiveness of the control procedures that they perform;
  • informing management of any actual or potential mistakes/deficiencies that have led or may lead to negative events;
  • passing training in the field of internal control and risk management in accordance with the approved training program.

4.9 The Company ensures the creation of effective channels for the exchange of information, including both vertical and horizontal communications, so that all subjects of internal control understand the requirements adopted in the regulatory documents on the organization and functioning of the internal control system and ensure their implementation.

4.10 Information about the work of the internal control system, about the deficiencies found and about other significant circumstances is provided to the Board of Directors, the Audit Committee of the Board of Directors, the CEO, the Management Board or other bodies in accordance with the existing requirements of the legislation and the regulatory documents of the Company.

5. Roles

5.1 To ensure the effective functioning of the ICS, the following roles are distributed among the managers and other employees of the Company:

  • Process/risk owner
  • ICS Coordinator
  • Control executor

5.2 Process/risk owner - the head of the subdivision/department who is responsible for:

  • the effective functioning of all components of the ICS (see ICS components in Appendix 1) in terms of covering business risks and preparing financial statements as part of their business processes/risks;
  • the appointment of control executors and fixing in the job descriptions of the appropriate employees the responsibility for the implementation of these procedures;
  • ensuring the execution and documentation of controls by the control executors in accordance with the ICS documentation;
  • identifying changes in processes, risks or controls that require changes to the ICS documentation, and informing the employees of the Internal Control Unit / the ICS Coordinator in the relevant unit about this;
  • timely approval of ICS documentation (detailed description of risks, unified and adapted controls and other information);
  • the elimination of deficiencies in the ICS identified as a result of testing or monitoring.

5.3 Control executor - an employee at any level who is responsible for:

  • the timely and high-quality implementation of control procedures in accordance with the ICS documentation;
  • notifying, if necessary, the deputy control executor and an employee of the Internal Control Unit of the need to perform the relevant control procedure instead of the executor;
  • timely approval of ICS documentation (detailed description of risks, controls and other information);
  • the implementation of procedures for self-assessment of the effectiveness of the ICS;
  • identifying changes in processes, risks or controls that require changes to the ICS documentation, and informing the owner of the risk/process, the ICS Coordinator in the relevant unit and the employees of the Internal Control Unit about this;
  • the elimination of ICS deficiencies identified as a result of testing and monitoring.

5.4 ICS coordinator - an employee in each department who is responsible for:

  • organizing and coordinating the functioning of the ICS within the relevant unit;
  • monitoring the quality of implementation and documentation of the control procedures performed in the relevant unit;
  • the relevance of the ICS documentation in terms of the relevant structural unit;
  • informing the Internal Control Division of the need to change the ICS documentation (changes to processes, risks or controls, including proposing new wording for risks, controls and other information).

6. Requirements and responsibilities in the field of ensuring the effectiveness of the ICS

6.1 Internal control is an integral part of the functioning of any division of the Company.

6.2 All employees are responsible for the functioning and efficiency of the Company's ICS.

6.3 The management of the Company must communicate to employees the importance of having and ensuring the effectiveness of the functioning of the ICS, as well as the role of each employee in this system, including the following basic requirements:

  • No employee, directly or indirectly, can allow or cause deliberate falsification of accounting, management or other reporting data.
  • No changes may be made to accounting data if it is known that these changes may distort the essence of the corresponding operations.
  • No sums of money/accounts/transactions may be hidden for the purpose of their incomplete reporting.
  • All employees of the Company are obliged to preserve the assets of the Company and ensure their efficient use.

6.4 If an employee of the Company has information about a lack or inefficiency of internal control procedures, he must immediately inform his immediate supervisor, as well as the heads of internal control and internal audit units about this.

6.5 If an employee deliberately fails to comply with this Policy and does not follow the control procedures for which he is responsible, the employee will be subject to disciplinary action up to dismissal in accordance with the requirements of current legislation.

7. Monitoring of ICS efficiency

7.1 The purpose of monitoring is to evaluate the effectiveness of the Company's internal control system, including its ability to ensure the fulfillment of its goals and objectives, as well as to determine the materiality of the system's shortcomings.

7.2 Monitoring of the system of internal control over financial reporting includes:

  • implementation by the management of the units of constant control over the implementation of control procedures in the units accountable to them;
  • conducting a self-assessment of the internal control system in the Company;
  • implementation of periodic checks of the implementation of control procedures and checks of compliance of operations with the requirements of the legislation and the provisions of the regulatory documents of the organization by the internal audit unit;
  • assessing the effectiveness of the internal control system over the process of preparing financial statements by the external auditor;
  • timely communication of information on identified deficiencies in the system of internal control over financial reporting to stakeholders within the vertical of control.

7.3 Self-assessment of the effectiveness of the ICS (hereinafter - self-assessment of the ICS) is carried out directly by the subjects of the ICS by means of:

  • Distribution of questionnaires - used to collect information about the effectiveness of the functioning of the ICS and about changes in business processes from the employees and heads of divisions of the Company.
  • Monitoring the state of the ICS - the process of checking the completeness and timeliness of implementation and the correctness of documentation of control procedures (CP).
  • Evaluation of the effectiveness of control procedures - analysis of the effectiveness of the description and execution of a control, as well as analysis of the sufficiency of control procedures (assessment of the extent to which a control, provided it is implemented effectively, is able to reduce the risks it corresponds to).

7.4 Regular evaluation of the ICS helps to improve its effectiveness by:

  • timely detection of changes in business processes, design or stages of implementation of control procedures;
  • increasing the motivation of Control Executors and their Managers through direct participation in the improvement of the Internal Control System and constant control over the quality of CP implementation;
  • providing an information base to the management of the Company to confirm the effectiveness of the functioning of the ICS.

7.5 The results of the ICS assessment must be documented and submitted to the Company's management and the Audit Committee of the Board of Directors:

  • The internal audit division prepares a report based on the results of the ICS assessment;
  • The external auditor forms a letter to the management about significant shortcomings identified based on the results of an external independent assessment of the ICS;
  • The internal control division prepares a report based on the results of the ICS self-assessment conducted by the Company's structural divisions.

8. Making additions and changes to the Policy

8.1 When changing and supplementing legislative acts, requirements of regulators and regulatory documents of the Company regulating the functioning of the internal control system, changes and additions to this Policy can only be made by duly executed decisions of the Board of Directors of the Company. The Board of Directors of the Company may also decide to approve a new version of the Policy.

Appendix 1. ICS components according to the COSO methodology

Internal control, according to the COSO "Internal Control-Integrated Framework" model, consists of five interrelated components that come from the way business is conducted and are associated with the process of its management. The five components include:

Control environment: The control environment creates an atmosphere in an organization that influences the awareness of personnel about the importance of performing controls. It is the basis for all other components of internal control, providing order and discipline. Control environment factors include integrity, ethical values, management style, system of distribution of powers and responsibilities, as well as the processes of management and development of personnel in the organization. Also, the effectiveness of the control environment depends on the attention to this issue on the part of the Board of Directors.

Risk assessment: Every organization faces various external and internal risks that need to be assessed. A prerequisite for risk assessment is the definition of goals, so risk assessment involves the identification and analysis of relevant risks associated with the achievement of established goals. Risk assessment is a prerequisite for risk management.

Controls: Controls are policies and procedures that ensure that management decisions are enforced. They help ensure that the necessary actions are taken in relation to risks that may prevent the organization from achieving its objectives. Controls are exercised throughout the organization, at all its levels and in all functions. They include a range of activities such as approvals, permits, checks, reconciliations, activity reports, asset preservation and segregation of duties.

Information and communication: All necessary information must be identified, formulated and communicated to the relevant employees in a timely manner so as to enable them to fully perform their duties. Information systems also play an important role in the internal control system, as they contain financial information, as well as information on operations and compliance with the law, which makes it possible to manage and control the business. This is not only a question of disseminating internal company information; it is also important to inform employees about external events and activities that are necessary for making various decisions. Effective communication in a broader sense should ensure the flow of information up and down and between departments throughout the organization. It is important that company personnel receive a clearly articulated position from senior management on the importance of fulfilling their responsibilities in terms of internal control. It is also important that each employee clearly understands his role in the internal control system, and how the result of his work is related to the activities of other employees. Personnel must be aware of the need to communicate all important information to company management. Effective communication on matters related to the interests of the company must also be ensured with external parties such as customers, suppliers, regulators and shareholders.

Monitoring: The internal control system requires monitoring - a process of periodic assessment of the quality of its work. This is achieved by continuous monitoring of the quality of execution of certain operations, by separate checks to evaluate the effectiveness of a particular process, or by a combination of these two options. Continuous monitoring is carried out on a daily basis and includes the regular management and supervisory activities for the relevant processes, as well as other activities performed by staff in the course of their duties. The scope and frequency of separate checks depends on the assessed level of the relevant risks, as well as on the results of the ongoing monitoring of these operations. Internal control deficiencies identified during monitoring should be brought to the attention of management, and the most significant findings should be brought to senior management and the Board of Directors.

The close interconnection of these components ensures the formation of an integrated system that is able to quickly respond to emerging challenges. The internal control system is an integral part of operating activities. The most effective ICS is if the controls are built into the infrastructure of the organization and are part of its essence. Built-in controls enhance the quality and effectiveness of events, as well as help to avoid additional costs and allow faster response to certain events.


COSO - The Committee of Sponsoring Organizations of the Treadway Commission, USA

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a voluntary private organization created in the United States to develop recommendations for corporate management on critical aspects of organizational management, business ethics, financial reporting, internal control, enterprise risk management and fraud prevention.

The COSO framework “Organization risk management. Integration with strategy and performance” (COSO ERM) 2017 has gone on sale in Russian at the online bookstore TOTbook.ru. It is available at the link: https://totbook.ru/catalog/345/1136970/

The COSO ERM concept consists of 3 books:

1. Main book (110 pages)

2. Applications (30 pages)

3. Summary (10 pages)

The COSO ERM framework aims to strengthen the link between risk, strategy and company value. It considers risk in terms of its role in making strategic decisions that ultimately affect the performance of the organization as a whole. The first part of the main book provides an overview of current and evolving concepts and applications of enterprise risk management. The second part of the main book, the Conceptual Framework, has five components that take into account different perspectives and operational structures and help improve strategy and decision-making.

Exclusive right to publish and distribute (hard copy only) the COSO Concept “Managing Organizational Risks. Integration with strategy and performance” (COSO ERM) 2017 belongs to the Institute of Internal Auditors. The release of this publication and the translation of the text into Russian were carried out with the support of Deloitte, CIS.
