• Embed Doc
  • Copy Link
  • Readcast
  • Collections
  • CommentGo Back
Download
 
Internal Control and the Russian Environment 
Submitted by:
 
Carl Burch, CMA, CIAFinance and Accounting LecturerMoscow, RussiaCburch@global.t-bird.edu
Introduction
Generally, any discussion about internal controls starts COSO’s (Committee of Sponsoring Organizations of theTreadway Commission) Internal Control – Integrated Framework. This report was the first document that formallyset out what internal control actually is, and what its function is within an organization. Prior to this document it wasdifficult for companies to assess whether their internal controls were effective, or not.The Integrated Framework demonstrated that the basic foundation of any organization’s internal control system arethe five elements of internal control. These elements of internal control exist in every organization, in every country.How well these elements are developed and implemented in a company will play a very important role indetermining the success of the internal control system for the company. Because these elements of internal controlare the basis of IC of a company, we will start our discussion of Internal Controls in Russia by outlining what thesefive elements are.These five elements of internal control are: 1) the control environment, 2) risk assessment, 3) control activities, 4)information and communication, 5) monitoring.
1)
The Control Environment
is the most important of the elements because it lays the foundation for allother components of internal control. The control environment is the atmosphere within the company andthe attitude of individuals in the organization (including top management) to internal controls. A strongcontrol environment makes all of the controls more effective. On the other hand, when there is a poor environment, even the controls that could work often will not because they are not perceived byindividuals to have value. The control environment sets the tone for the rest of the company. Because of its importance, it is critical that management help create the proper environment in the company.Some of the items that are included in control environment include:
The integrity, ethical values and competences of the company’s people.
The way management assigns authority and responsibility, and how it organizes and develops itspeople.
The attention and direction provided by the board of directors.
Management’s philosophy and operating style.Two important ways that top management can do this are to:1)Follow the controls themselves, and2)Make it clear that they expect others to follow the controls and those who don’t follow thecontrols do not have a place in the organization.
2)
Risk Assessment
relates to the company’s own assessments of the risks the organization faces. It isimportant to distinguish that this is the risk assessment of the company’s management, not the riskassessment that is done by the external auditors or by external consultants. This is essentiallymanagement asking itself questions such as: “What could go wrong here?” and, “What assets do weneed to protect?” If management is unable to identify the risks that face the organization, then it is veryunlikely that they will be able to mitigate, or reduce, the dangers that the company faces from theserisks. These risks may be external or internal to the company; the source of the risk is not important.
3)
Control Activities
are all of the different policies and procedures that the company has in place to helpensure that its objectives are met. These controls should all be designed with the intention to mitigate therisks that the company faces and to ensure that the company achieves its objectives. For the controls towork effectively, the control activities not only have to be designed well, but they also actually have to beimplemented. Simply designing controls will do nothing if the controls are not
consistently 
and
 properly 
applied.
 
The most important control activity is the segregation of duties. Certain activities within an organization(and more specifically within a specific transaction cycle) should be performed by different people. Thisperformance of related tasks by different people works as a system of checks and balances makingcertain that no individual person is in a position to perpetrate a fraud. The duties that need to besegregated within a specific cycle are: authorizing a transaction, recording the transaction, keepingphysical custody of the asset and a periodic reconciliation between the amount on hand and therecorded amount that should be on hand. These duties should be segregated in all of the differenttransaction cycles that a business has (cash receipts, cash disbursements, inventory and payroll, for example).For example, a person should not be able to collect cash from the customer (physical custody of theasset) and then have the responsibility of reconciling the bank statement (record keeping). Without aproper segregation of these two duties, this person could take the cash and then adjust the bankreconciliation so that it appears that everything reconciles.
4)
Information and Communication
in the company covers the flow of information within the organization.In any organization, information needs to flow both up the organizational chart and down theorganizational chart (and even across the organizational chart). The most fundamental goal of information and communication is that he right people have the right information in time to make adecision. This means that information needs to be relevant and timely. Without timely information, it’smore difficult for managers to make the right decisions because they may be making decisions todaybased on last month’s information.
5)
Monitoring
is a critical and ongoing part of an internal control system. Monitoring is the means of assessing the quality of internal control’s performance over time. Even the strongest internal controlsystem will need to be changed periodically as a result of a change in the operations of the company, achange in the organization of the company, a change in technology or even a change in personnel. Justbecause the internal control policies and procedures were effective, relevant and working when theywere implemented does not mean that they will continue to be so over time. Management must monitor the controls on an ongoing basis to make certain that they are both still relevant and still beingimplemented correctly.At this point, you may be thinking that there is a lot of time and effort put into establishing and maintaining aninternal control system over time. The next question is whether or not this investment is worth it to the company.While these are good questions, they may not really be looking at the situation from the correct perspective.Instead of asking whether a company can afford a good internal control system, the better question is whether or not the company can afford to not implement something that will help the company achieve its objectives, protectits assets and help ensure that management has the best and most correct information to make decisions with.Clearly, there are a lot of benefits to an internal control system and it is these benefits that are important to keep inmind. While there are a lot of benefits to strong internal controls, the first three that come to mind are:
1)
Better control over the assets of the company.
Better control means knowing where the company’sassets are, and who is responsible for them. Knowing this, there is a better chance that the assets actuallyare retained in the company, are being used productively for the company and are being maintained.Control over assets also reduces the chance of fraud being committed in the company.
2)
Reliable information for the use in decision-making.
Ultimately, the decisions that management makeswill determine the success or failure of the company. Therefore, the more reliable the informationmanagement is receiving, the better chance there is that the right decisions will be made. Internal controlshelp ensure that the information that is given to management is actually correct.
3)
Lower external audit costs
. With strong internal control systems, the numbers that come out of theaccounting system will be more reliable. Because of this, the external auditors are not going to have to doas much work in verifying financial numbers. Because of this reduction in the amount of work that has to bedone by the auditor because of the strong internal control system in the company, the external audit feeswill be reduced in time. (This reduction may not be seen in the year internal controls are implementedbecause the auditor will need to have some assurance that the controls are actually working as they areintended to.)While we have spoken very highly of internal controls and outlined some of the benefits of having a strong internalcontrol system, it also has to be kept in mind that internal controls only help a company achieve their objectives.Unfortunately, they do not provide a guarantee that the company will achieve its operational, financial reporting,and compliance objectives. The term that is used to describe this limitation is that strong internal controls can onlyprovide
reasonable assurance
about the achievement of objectives, not a guarantee.
 
It doesn’t matter where your business is, whether it’s in the U.S, or Russia, or China, or Brazil or Germany, withoutgood strong controls companies will have a harder time making it then companies with strong controls. Each daythis becomes even truer as global competition increases and the scope of who a company’s competitors areincreases to company in other countries and other parts of the world.From my own experience having worked in Russia for the past twelve years for and with many different companiesin many different positions (i.e., financial analyst, business development, financial controller, corporate controller),they have all had a weakness in internal control in common. Some of the more common weaknesses (and the riskor difficulty that they cause the company) that existed in these companies are:
Planning and budgeting are weak. Without knowing what the company is trying to achieve, it is very difficultto measure success and identify areas of the business that are not performing well.
Financial and accounting reports lacked transparency. This means that data presented could not be reliedupon. This makes any kind of analysis difficult and also causes higher external audit and financing costs tothe company.
Reports were not timely. If reports and information are delivered late to the decision maker, good decisionscannot be made.
Lack of understanding what reports were actually needed to improve operations. Often times reports wereprepared that were not relevant to the decisions that needed to made. This means that not only aredecision makers making decisions without the needed information, but also that time and efforts are beingwasted preparing something that is not needed.
Management was not held responsible for results. While there are always factors outside the influence of management that impact operations, management needs to be held accountable for the results of their area. This does not mean only top management, but a manager on an assembly line needs to be heldresponsible for the results and production of their part of the assembly line.
Lack of segregation of duties. As discussed above, this is absolutely critical for a company, but lacking or underdeveloped in many of the companies that I have worked with in Russia.These are the main weaknesses that I have encountered in internal control systems in Russia. However, while it isclear that the internal control environment and systems in many Russian companies need to be improved, it isimportant to keep in mind two things:1)These weaknesses are not unique only to Russia, and2)The majority of Russian businesses are still fairly young and, in essence, still going through their growing pains. As they grow, hopefully they will develop their internal control environments andsystems and they will become better and stronger in this area. The risk for these companies is that if they do not develop their internal control systems, it is more and more likely that they will be competingagainst a company that does have a strong internal control system. And in this competition, thecompany with the internal control system is operating with better information, better utilized assets andmore efficiently because of their internal controlsThe extent to which an internal control system works, will depend largely (but not entirely) on management. It doesnot matter where the company is (Russia, U.S., China, or somewhere else), it will be the mangers who decidewhether improvements in the controls systems are to be made or not and it is management who is mostresponsible for setting the control environment for the organization.The effectiveness of an internal control system is not 100% dependent upon management because there areothers in the organization who follow and implement the controls. Because everyone in the organization comes intocontact with controls during the performance of their duties, every person in the organization shares responsibilityfor the effective operation of the internal controls system. (For example, even the newest member of theaccounting team has a duty to follow the controls and to report situations in which the controls are not followed.)
What can be done to improve an organization’s internal control system?
It’s important to remember that every organization can improve their internal control systems. It does not matter whether we are talking about multibillion-dollar companies like Wal-Mart or G.E., or Gazprom, internal controls canalways be made tighter and stronger.
of 00

Leave a Comment

You must be to leave a comment.
Submit
Characters: ...
You must be to leave a comment.
Submit
Characters: ...