Object: The object of the article is to consider the issues of building an internal audit and control system based on international standards of internal audit.
Methods: The research used the methods of system analysis, comparative analysis, grouping method, content analysis.
Findings: As a result of the study, the relationship between the goals of the organization, risks and controls in internal audit was determined. The most likely areas of risk during the audit were identified. It has been shown that the most useful for the company are controls that identify and prevent negative events for the company before they occur. Possible directions of use of international standards for the professional practice of internal auditing (International Professional Practices Framework (IPPF) in the development of internal auditing standards of an organization have been identified. A range of standards that can be developed on the basis of the IPPF in the organization is determined. The content and structure of applied standards based on the IPPF for internal audit of an enterprise are proposed.
Conclusions: The application of international standards in auditing allows an organization to implement a systematic and consistent approach to the audit process. The development of internal standards of an organization based on international ones will help to improve the accuracy of the assessment of control procedures at each stage of verification, to solve problems in the field of risk management and to increase the efficiency of business processes.
Auditing practice lags far behind the new requirements for audit quality, which are dictated by modern economic development process. The variety of internal audit organizations' methodologies complicates the task of balancing standardization and elasticity in audit practice. The needs of users and performers of audit services require the development of a methodological framework for standardizing audit activities.
The strengthening of the role of internal audit and risk management in recent years has become a clear trend in all developed economies. This is primarily due to the fact that the creation of a system of internal control, audit and risk management that meets the modern needs of corporate governance is the most important tool for managing a company. In 2013, the Institute of Internal Auditors developed the Three Lines of Defense model, which draws the relationship between management, risk and control. In this model, the third line of defense is the internal audit itself. Audit is gradually turning into a large interconnected system of holistic control activities in the company. In a market economy, the need for audit is felt not only in the field of finance, intellectual property, labor resources, but also in various operations and management processes (Sitenko et al., 2015).
The application of standards in audit practice is necessary for the effective implementation of audit procedures. The standards allow audit organizations to most objectively express an opinion on the reliability of financial statements, on the compliance of these statements with generally accepted principles and rules for their preparation.
In the CIS countries, the issues of internal audit in the professional, legislative, institutional aspects are currently in progress. Methodological aspects of the functioning of internal audit in modern economic conditions were studied by Skobara, 1998; Burtsev, 2006; Sheremet, 2015. Among foreign researchers, the most famous are the works of Goodwin, 2003, Abbott, 2010. A significant contribution to the development of the theoretical base was made primarily by the professional association of internal auditors — the International Institute of Internal Auditors (IIA).
Despite the great interest of researchers, in modern economic science there is no unified methodological approach to the functioning of internal audit, and hence its internal standardization. First of all, this is due to the identification by the majority of scientists of the methodology of internal and external audit, as well as an autonomous study of the activities of its subjects. As a result, the problem of standardization of internal audit remains unresolved both in organizational and methodological aspects.
The study of internal audit as an element of the corporate control system and the development of a methodological approach to its internal standardization is relevant, which is reflected in the works of Smith et al., (2008); Whittington et al., (2006). The CIS works of Gaidarov (2014), A.E. Suglobov (2014), Kochinev (2005), Serebryakova (2015) are devoted to the standardization of audit and adaptation of international standards to domestic practice. Covered the issues of assessing the audit activity and improving its quality R.P. Bulyga (2017), Golubeva & Erokhina (2017).
The existing professional standards of the International Institute of Internal Auditors and the recommendations of other international organizations regarding modern internal audit must be adapted to the Kazakhstan business environment. This is a prerequisite for conducting research in this subject area. The implementation of these directions allows developing a clearer understanding of the object, the internal audit methodology, which allows the formation of audit information that is essential for making decisions in real time, as well as the standardization technology necessary to ensure its quality.
The research is based on the methods of system analysis, comparative analysis, grouping method, content analysis. The methodology of international professional standards of internal audit was used. When analyzing the processes of risk management and internal control, the methodology of the «Three lines of de- fense» model, developed by the International Institute of Internal Auditors, was used.
Internal audit is one of the ways to control the effectiveness of the links in the structure of an economic entity. Sheremet, 2004, notes that «conducting an internal audit has informational and consulting value for the management and (or) owners of an economic entity since it is designed to help optimize the activities of an economic entity and fulfill the responsibilities of its management».
Internal audit, as defined by the International Institute of Internal Auditors, is the activity of providing independent and objective guarantees and advice aimed at improving the organization's activities. It helps an organization achieve its goals by taking a systematic and consistent approach to assessing and improving the effectiveness of its risk management, control, and governance processes. The role of the internal audit service is currently changing: now it not only evaluates the control procedures of the company's activities but also helps its management to solve problems in the field of risk management and improve the efficiency of business processes.
The main peculiarities of internal audit
The main stages of internal audit are similar to the external one. Both of them include planning activities, documenting actions, preparing results reports, adhering to standards/rules, etc. However, there are a number of significant differences.
Object and result of the audit. The object of the external audit is the financial (accounting) statements of the organization, as a result of the audit of which a conclusion is drawn on its reliability. A conclusion can also be formed on the effectiveness of the use of budgetary funds (in-state bodies) (Sitenko et al, 2019). At the same time, the actions of external audit specialists are aimed at obtaining confirmations or refutations of the reliability of the indicators of financial (accounting) statements. The opinion of the external auditor can be positive, negative, with a qualification. The object of the internal audit is any process, functional direction and system in the organization's activities in order to assess the efficiency and economy of operations, as well as compliance with legal requirements. These operations can be:
- – purchase of inventory items, selection of main suppliers, inventory management in the warehouse (receipt of materials, issuance to production), etc.;
- – personnel movement management, professional development issues, material and non-material incentives for employees;
- – preparation of financial (accounting), as well as management reporting, control of completeness, timeliness, and accuracy of reflection in the accounting of performed operations;
- – information security of management and accounting processes;
- – the efficiency of individual sections of the enterprise;
- – corporate culture, ranging from employees' adherence to the principles and rules of work and behavior established in the organization, up to business ethics and control of conflicts of interest.
The result of the work of internal audit is to increase the efficiency of the proven process, functional direction, system, and, through this, the organization as a whole (Utkin, 2019).
Frequency of work and specificity. An external audit is a retrospective audit and checks the completed transactions for a certain period when there is still an opportunity to make adjustments to the accounting registers and change the reporting indicators, but there is no way to correct the management decisions already made and their impact on processes and efficiency/results of the activity.
Internal audit performs work on an ongoing basis in the course of the organization's activities and operations. Accordingly, there is still an opportunity to make adjustments to the adopted management decisions in order to ensure the proper efficiency and results of the activity.
Main users. The users of the results of the external audit (reports on the reliability of the reporting) are mainly external users to the organization: tax authorities, shareholders, investors, creditors, etc.
The users of the results of the internal audit work are the organization's managers, specialists who are directly involved in the processes, and the owners (through the Board of Directors).
Internal auditors constantly work with risks and controls, recommending measures to improve the efficiency of corporate governance processes for the organization. Risks can negatively affect the achievement of goals, therefore, an established control system is a guarantor of the non-occurrence of risky events.
Risks and controls are most effective in the following areas (Table 1).
Table 1. Areas of presence of risks and controls
Risk and control area
Achieve the organization's operational and financial objectives, including safeguarding assets
Reliability and completeness of financial statements
Formation of reliable and reliable financial statements
Compliance with applicable laws and regulations
Compliance with laws and regulations that apply to the organization's operations.
Note: composed by authors from the source (Gorlov, 2019)
The most useful are controls that detect and prevent negative events for the company before they happen. Such controls are called proactive, or preventive, for example, the division of duties between employees or checking the credit history of the buyer before shipping products on credit.
The cost of implementing controls is also important. It should not exceed the cost of potential losses from the realization of risks. A low-cost plastic product business could attract a large international company, but the cost of such controls would exceed the profit the company would be able to generate from the sale of the new product.
Effective control can be implemented without detailed descriptions of regulations. An example of such oversight is the oral reports of employees to the manager at weekly meetings. In order for control to be effective, it must consist of three parts: setting a goal, comparing fact with expectations, and taking corrective action. In our example, before the meetings, the leader set goals. During the meeting, he compared the fact with his expectations and, as a result, took corrective actions.
The formation of an internal audit system with the linking of audit procedures, risks, and controls can be best done taking into account the methodology of international standards of internal audit.
Internal standards are created by an audit organization to ensure the effectiveness of practical work and its adequacy to the requirements of the rules of auditing. Internal standards allow auditing organizations to significantly reduce the time spent on conducting an audit, attract assistants who do not have an auditor's certificate to participate in the audit, and ensure a high level of results (Mikheyev & Chaikovskaya, 2011).
Generalization and systematization of experience in the development and use of internal standards is a methodologically important and practically demanded task. All standards are developed in accordance with certain principles. There are four levels in the system of auditing standards:
- standards of auditing associations;
- internal standards of audit organizations (Mikheyev & Chaikovskaya, 2011).
Not all audit organizations in Kazakhstan develop their own internal audit standards. This is connected both with the specialization of audit organizations and with the desire to reduce the labor intensity of specific audits, highlighting in the standard their most important areas and errors on which the auditor should focus. In the absence of scientific and methodological developments on the procedure for the formation of internal standards, audit organizations must independently develop models for their formation. Using internal standards, they solve the problem of the quality and reliability of audit services, reduce audit risk, provide an evidence base, and regulate ethical conflicts.
Standards for the Professional Practice of Internal Auditing (or International Professional Practices Framework (IPPF) are divided into two groups:
- Attribute Standards.
- Performance Standards.
Quality standards are essential prerequisites for effective audit. They are created for the development of this institution as the main element of the control system in order to improve the quality of auditors' work, including ensuring uniform approaches to the content, forms, and methods of its implementation.
The application of standards in audit practice is necessary for the effective implementation of audit procedures. The standards allow audit organizations to most objectively express an opinion on the reliability of financial statements, on the compliance of these statements with generally accepted principles and rules for their preparation. Although there is a debate among internal audit professionals about the mandatory application of standards, Chambers and Odar emphasize that the standards developed by IIA are often invariably ahead of much of actual practice (Chambers & Odar, 2015). The first group of international standards of the internal audit includes provisions on the characteristics of the organization and persons carrying out audit activities: independence and objectivity, professionalism and professional attitude to work, the existence of a program to guarantee and improve the quality of internal audit. Performance standards determine the procedure for conducting internal audit and the criteria by which its effectiveness is assessed. Such principles are used in the course of a specific audit, and can also be applied in the provision of audit-related services. These include the principles of independence, honesty, objectivity, and confidentiality, as well as the rules of professional conduct, determined in accordance with the code of professional ethics of auditors.
The weakest side of internal standards of audit organizations is their insufficient linkage with control, despite the fact that control over the actual application of internal standards should be the main goal of the management of the audit organization. It is imperative to develop control standards, the presence of which arises from the requirements of the IPPF.
For example, International Standard for Internal Auditing (Standard) 2130 «Control» requires that «In- ternal audit should help an organization maintain an effective internal control system by assessing its effectiveness and efficiency and contributing to continuous improvement of the system». Also, requirements are imposed on internal audit to assess the adequacy and effectiveness of control over risks in corporate governance, operational activities of the organization and its information systems, in terms of:
- reliability and integrity of information on financial and economic activities;
- efficiency and effectiveness of activities;
- the safety of assets;
- compliance with laws, regulations, and contractual obligations.
The role of the internal audit service is currently changing: now it not only evaluates the control procedures of the company's activities but also helps its management to solve problems in the field of risk management and improve the efficiency of business processes.
When starting to develop internal standards based on IPPF, the internal audit service must first of all determine their content. The main organizational and methodological provisions for the implementation of this task:
- the purpose of the standard;
- characteristics of the standard as part of the organizational and administrative documentation and the internal control system of the audit organization;
- expediency of methodological and methodological support (instructions, methodological developments, manuals, other documents);
- approximate form;
- an approximate procedure for preparing a standard.
Internal standards, as a rule, should contain:
- introduction (a reference to national, international standards, requirements);
- general provisions (the purpose and the need for the development of this standard, the object of standardization, scope, and definition of basic principles are justified);
- relationship with other internal standards.
To ensure the organization of the audit, it is important to develop the Planning standard (based on the Standard 2010 — Planning), which is a part of the standards containing general provisions. In this standard it is necessary to provide for the requirements, in accordance with which the activities of an economic entity are considered. In this case, special attention should be paid to regulations, failure to comply with which may cause the termination or suspension of the entity's activities. The responsibilities of the auditor should include:
- study of the available information and legal framework related to the economic entity;
- obtaining information about the techniques and methods they use from the heads of an economic entity to ensure compliance with the requirements of regulatory enactments;
- consideration of controversial issues that are ambiguously resolved in regulatory enactments and are essential for the audit;
- testing of registration documents, licenses, and other documents, without which the audited economic entity is not entitled to carry out economic activities, etc.
A standard for internal audit quality control is also being developed, the purpose of which is to determine the establishment and maintenance of an internal system of quality control of work, so that the audits conducted by the organization are fully compliant with regulatory documents. It can be based on the international standard «2500 — Monitoring progress». The chief audit executive should establish and maintain a system for monitoring executive management's response to the engagement.
It is impossible to standardize the process of conducting all existing types and subspecies of management audit within its three main areas due to the wide variety of objects. In this regard, when forming standards, it is advisable to single out enlarged objects. In a commercial organization, internal management audit standards can be developed in those areas of internal audit that are most relevant to the organization and are aimed at achieving its goals and the successful implementation of the strategy. The set of management audit standards should disclose methodological approaches to audit technology, regulate the activities of employees, and determine basic approaches to documenting services in order to improve the quality of services provided. It is advisable to develop the necessary layouts of documents for the most popular areas of internal management audit in order to unify and reduce the complexity of work and reduce working time, accelerate the process of conducting inspections.
We recommend the following unified structure of the standard for proposed standard for the effectiveness of business process management at the organization (Table 2). The standard should establish audit procedures to assess the effectiveness of business process management. During the assessment of the effectiveness of the management system, the following should be assessed: the results of the implementation of the organization's strategy; compliance with the methodology and procedures for the implementation of the management process, enshrined in the internal regulations of the organization; efficiency of activities in the following areas: effectiveness, efficiency, productivity.
The internal auditor uses a variety of methods to obtain evidence when conducting an audit of the performance of an organization. As noted above, analytical procedures are most often used to confirm the performance of a commercial organization as a substantive test. They should be designed to reduce the risk of non-detection of material misstatements at an acceptable level.
Standardization is a prerequisite for the effectiveness of internal audit in a commercial organization, including in the area of management audit.
Table 2. Recommended framework for applied standards of business processes’ internal audit
1. General Provisions
Objectives and foundations of the standard.
Scope of the standard.
The validity period of the standard.
2. Basic concepts and definitions
The list of basic concepts that characterize the audit object.
3. The area of risks of the business process
The main areas of risk inherent in the business process, and the method of their assessment
4. Audit technology
Basic requirements, principles of auditing.
An overview of the scope of the business process being audited.
Business process validation methodology.
Requirements for the formulation of the test results.
Requirements for the quality and efficiency of work on the audit of the business process.
5. List of regulations used during the audit
Documents include internal regulations and external regulations.
Practical applications as needed (tables, questionnaires, tests, flow charts). Classifier of typical mistakes and violations
Note — compiled by the authors based on the source (Le, 2016)
In Kazakhstan, up to now, internal audit is historically perceived as control and audit work. That is why internal audit is faced with difficulties today. Even in those companies where the «internal audit» function is developing according to international examples, one of the significant risks of an audit project is a biased perception of the work of internal auditors.
The development of internal audit in Kazakhstan is seriously hampered by the lack of available information, the lack of interest of owners in internal audit. Another problem is the lack of adapted certification for internal auditors. Upon request, the internal auditor must have the obligatory presence of an «auditor» qualification certificate obtained in accordance with the Law of the Republic of Kazakhstan «On Auditing», or a CIA (Certified Internal Auditor) certificate in the field of internal audit, or an ACCA (Association of Certified Chartered Accountants), or a Diploma of DipIFR (Diploma in International Financial Reporting), or a certificate of an international professional accountant CIPA (Certified International Professional Accountant), or a certificate of a professional accountant obtained in accordance with the Law of the Republic of Kazakhstan «On accounting and financial reporting». But for the majority of Kazakhstani internal auditors, they are not available, because training is conducted mainly in English (Tleubaeva, 2014).
Thus, internal standards are created by an audit organization in order to ensure the effectiveness of practical work and its adequacy to the requirements of the rules of auditing. The main problem faced by all internal auditors is the most effective allocation of limited internal audit resources, i.e., how to choose the audit areas. To do this, it is necessary to conduct a risk assessment on all issues that the auditor can check, and use risk-based planning.
The article proposes the formation of the organization's internal audit standards based on the International Standard for Internal Auditing. When forming standards, it is advisable to single out the largest objects. In a commercial organization, internal management audit standards can be developed in those areas of internal audit that are most relevant to the organization and are aimed at achieving its goals and the successful implementation of the strategy. The set of management audit standards discloses methodological approaches to audit technology, to regulate the activities of employees, to determine basic approaches to documenting services in order to improve the quality of services provided.
The proposed unified structure of standards can be taken as a basis for the formation of a set of internal audit standards based on international standards for any commercial organization. In turn, standardization is a key condition for the effectiveness of internal audit in a commercial organization, including in the field of management audit.
- Abbott, L.J., Parker, S., & Peters, G.F. (2010). Serving two masters: The association between audit committee internal audit oversight and internal audit activities. Accounting Horizons, 24(1), 1–24.
- Chambers, A. D., & Odar, M. (2015). A new vision for internal audit. Managerial Auditing Journal, 30 (1), 34–55
- Goodwin, J. (2003). The relationship between the audit committee and the internal audit function: Evidence from Australia and New Zealand. International Journal of Auditing, 7(3), 263–278.
- International standards for the professional practice of internal auditing. Retrieved from: https://www.pwc.kz/en/services/internal_audit/internal-audit-standards.pdf
- Sitenko D.A., Vasa L. & Gartsuyeva Ye.V. (2015). Theoretical approaches to the formation and development of the concept of social audit. Bulletin of the Karaganda University. Economy series. 2(78), 48–54.
- Smith, M., Sagafi-Nejad, T., & Wang, K. (2008). Going international: Accounting and auditing standards. Internal Auditing, 23(4), 3–12.
- The three lines of defense in effective risk management and control (2013). Institute of Internal Auditors.
- Whittington, R., Graham, L., Fischbach, G., & Ahern, J. (2006). Advancing the audit documentation standard. Journal of accountancy, 201(6), 64.
- Bulyga, R.P. (2017). Transformatsiia professii bukhgaltera i auditora pod vliianiem «faktora informatizatsii» [Transformation of the professions of an accountant and an auditor under the influence of the «factor of informatization»]. Uchet. Analiz. Audit. [Accounting. Analysis. Audit], 1, 6–23 [in Russian].
- Burcev, V.V. (2006). Problemy organizatsii vnutrennego kontrolia v kommercheskoi firme [Problems of organizing internal control in a commercial firm]. Auditor [Auditor]. 7, 27–34 [in Russian].
- Erokhina, E. I. & Golubeva, N. A. (2017). Puti postroeniia effektivnoi sistemy vnutrennego kontrolia auditorskoi firmy [Ways of building an effective system of internal control of an audit firm]. Konkurentosposobnost v globalnom mire: ekonomika, nauka, tekhnologii [Competitiveness in the global world: economics, science, technology]. 8–2 (55), 38–43 [in Russian].
- Gajdarov, K.A. (2014). Sravnenie federalnykh standartov auditorskoi deiatelnosti i MSA [Comparison of Federal Auditing Standards and ISA]. Auditorskie dokazatelstva [Audit evidence], 11, 36–42 [in Russian].
- Gorlov, A. (2019). Riski i kontroli [Risks and controls]. Introduction to internal audit: a series of articles. Institute of Internal Auditors. Retrieved from: http://www.audit-it.ru/articles/audit/a104/981493.html [in Russian].
- Kochinev, Yu.Yu. (2005). Audit [Audit]. Saint Petersburg: Piter [in Russian].
- Le, T.T.Kh. (2016). Metodika vnutrennego audita na osnove risk-orientirovannogo podkhoda v kreditnykh organizatsiiakh Vetnama. [Internal audit methodology based on a risk-based approach in credit institutions in Vietnam]. Doctoral dissertation. Rostov-na-Donu [in Russian].
- Mikheev, M.V., & Chaikovskaya, L.A. (2011). Vnutrennie standarty audita kak uslovie kachestva auditorskoi proverki [Internal audit standards as a condition for the quality of an audit] Finansovyi zhurnal [Financial Journal], 3, 105– 112 [in Russian].
- Serebryakova, T.Yu. (2015). Mezhdunarodnye standarty audita kak ob»ekt issledovaniia [International audit standards as an object of research]. Mezhdunarodnyi bukhgalterskii uchet [International accounting]. 4 (346), 37–49 [in Russian].
- Sheremet, A.D., & Ljubimceva, E.V. (2015). Mezhdunarodnyi i otechestvennyi opyt standartizatsii analiticheskikh protsedur v audite [International and domestic experience in standardization of analytical procedures in audit]. Audit i finansovyj analiz [Audit and Financial Analysis], (4), 167–176. [in Russian]
- Sitenko, D.A., Shakirova, G.A. & Vasa, L. (2019). Audit effektivnosti ispolzovaniia byudzhetnykh sredstv v protsesse provedeniia gosudarstvennogo audita [Audit of the efficiency of using budgetary funds in the process of conducting a state audit]. Bulletin of the Karaganda University. Economy series. 2 (94), 262–273 [in Russian].
- Skobara, V.V. (1998). Audit. Metodologiia i organizatsiia [Audit. Methodology and organization]. Moscow: Delo i servis [in Russian].
- Suglobov, A.E., Drachena, I.P., & Muzalev, S.V. (2014). Metodologicheskie i kontseptualnye osnovy standartizatsii auditorskoi deiatelnosti v Rossii [Methodological and conceptual foundations of standardization of audit activity in Russia]. Auditor [Auditor], 12, 1–14 [in Russian].
- Tleubaeva, S.A. (2014). Aktualnye problemy vnutrennogo audita v Kazakhstane [Actual problems of internal audit in Kazakhstan]. Aktualnye problemy gumanitarnykh i estestvennykh nauk [Actual problems of the humanities and natural sciences], 12–1 [in Russian].
- Utkin, S. (2019). Razlichie mezhdu vneshnim i vnutrennim auditom [The difference between external and internal audit]. Introduction to internal audit: a series of articles. Institute of Internal Auditors. Retrieved from: https://www.iia-ru.ru/inner_auditor/publications/articles/member_articles/tsikl-statey-vvedenie-vo-vnutrenniy-audit/ [in Russian].