Questionnaire as a Tool for Assessment of Internal Control System against COSO Internal Control – Integrated Framework

The article deals with the scientific and practical aspects of the transparency of internal control. The relevance of the topic stems from the need to analyse and find a mechanism for assessing the effectiveness of internal control at an enterprise. The article examines the imperatives of internal control and substantiates the main conceptual foundations of its organisation. It proposes an approach to assessing an enterprise's internal control system against the COSO Internal Control – Integrated Framework.


Research results.
The COSO model is of the highest importance for the purposes of controlling the activities of economic entities, because it fixes the basic concepts and definitions of internal control and its key premises: internal control is a process, i.e. a means to an end, not an end in itself; internal control is carried out by people, so ensuring its execution requires not only (and not so much) rules, procedures and other governing documents, but also people at all levels of the organisation; the owners and management of the enterprise can expect from internal control only reasonable assurance that the goal will be achieved, not an absolute guarantee of error-free operation; and internal control is geared to the achievement of one goal or of several goals in related areas. According to COSO, internal control is a process effected by the highest governing body of the enterprise, which determines its policy (for example, the board of directors representing the owners of the company), by senior management and by all other employees, and it provides reasonable assurance that the enterprise achieves the following objectives: effectiveness and efficiency of operations (including the safeguarding of assets); reliability of financial reporting; and compliance with applicable laws and regulations.

Given that one of the main tenets of COSO is the direct responsibility of both the board of directors (i.e. the body that represents the interests of the owners and is established in accordance with the enterprise's general principles) and management (i.e. the executive body of the enterprise and its leaders), the system of internal control over business transactions can be considered effective only if the following conditions are met: the documents establishing the overall strategy and policy of the enterprise in the field of internal control are approved and periodically reviewed by the owners; the approved strategy and policy is implemented by management in practice on the basis of risk assessment; the infrastructure necessary to ensure effective control over the execution of business operations has been created; effective and secure channels for providing information are in place; and independent monitoring of the effectiveness of the internal control system is carried out (Ilyashenko O., 2013). COSO's risk management process can only be effective if it is continuous, is implemented and monitored by managers at all levels, and all eight of its components exist and function to achieve efficient and effective operations, sound financial reporting and compliance with laws and regulations.

The COSO cube shown in Fig. 1, in its enterprise risk management (ERM) form, has become a model used worldwide to describe and define internal control. Four vertical columns represent the categories of objectives (strategic, operations, reporting and compliance). Eight horizontal rows relate to the components of risk management: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. The third dimension represents the levels of an enterprise's structure, from the main "headquarters" down to a separate business unit in an individual subsidiary. The eight COSO risk management components contain the previous five components of the COSO internal control framework, expanded to meet the growing demand for risk management. The COSO Internal Control – Integrated Framework (the Framework) outlines the components, principles and factors necessary for an organisation to manage its risks effectively through the implementation of internal control.
However, it is largely silent regarding who is responsible for the specific duties outlined in the Framework. Clear responsibilities must be defined so that each group understands its role in addressing risk and control, the aspects for which it is accountable, and how it will coordinate its efforts with the others. There should be neither "gaps" in addressing risk and control nor unnecessary or unintentional duplication of effort (The Institute of
These principles are universal, so they can be applied across various industries, types of legal entity and company sizes. Leading-practice companies apply this methodology as the top practice for ICS development. Companies which claim to comply with the COSO Internal Control – Integrated Framework principles enhance their reputation and status in the market. However, even though the Framework provides a comprehensive description of each component and principle and of its link to the Three Lines Model, companies sometimes find it difficult to manage all the principles, as it may be challenging to understand which level of principle execution is sufficient. Moreover, the interpretation of the requirements may vary from company to company.

COSO Internal Control Assessment Questionnaire creation requirements.
Considering the issues presented above, the EY team (Oksana Fedorova, Olena Avanes, Nadiia Bondar), as a leading consultant and practitioner in the fields of Governance, Risk management, Compliance and Internal Audit (GRCA), decided to assist our clients in ICS assessment by developing a clear unified approach, suitable for various industries, in the form of an ICS Questionnaire. Before building it we summarised the following key requirements for the method. It should:
- be applicable to various industries with minor adjustments;
- cover all 17 principles;
- consist of yes/no questions only;
- rely on facts, not subjective opinions: all answers to questions and conclusions must be supported by evidence (policies and procedures, and their execution, verified by risk-based transaction testing);
- include benchmarking (in an aggregated way) against leading practice;
- represent both the consultants' and the client's opinion;
- provide an overall score for ICS compliance with COSO Internal Control and recommendations for ICS improvement towards the Framework and leading practice.

COSO Internal Control Assessment Questionnaire application case.
For this assignment the EY consultants worked in close cooperation with the employees of Company A (the Client) responsible for the following areas: Internal Audit, Compliance, Risk Management, Methodology and Internal Control, as well as with some representatives of the business lines. Overall, the Project timeline consisted of two stages:
- Internal Control System diagnostics;
- development of a Roadmap of recommendations for ICS improvement.
The final step of each stage was to hold meetings and discussions, the main objectives of which were to ensure effective communication during the Project and to discuss the key project deliverables.
First, we created the questionnaire and adapted it to the Client and its industry (fig. 2).

Fig. 2. An example of Internal Control System Assessment Questionnaire template Source: Developed by EY team
We conducted a series of interviews with the Client's key stakeholders to discuss their expectations of the Project and the main risk areas they wanted the ICS assessment to focus on, and also to confirm initially their understanding and application of the governance and internal control processes and practices applied by the Company. After that, we sent the Client an information request matching the Questionnaire. After receiving the Client's internal methodological documents, we analysed them and assessed them against the developed questions. We reviewed both the policies and procedures and their execution. We checked whether the internal regulatory documents included the requirements set out in the COSO Framework and whether they were designed according to leading practices. For this purpose we used EY Discover, an internal EY global knowledge database, to compare the Client's internal methodology with the policies of other leading companies, e.g. the Internal Control System Policy, Code of Conduct, etc. We also requested and reviewed the Client's organisational structure and the documents that regulate the activities of Compliance, Risk Management and Internal Audit and their interaction, communication and cooperation, to make sure that the Three Lines Model was also in place.
Within this process we also reviewed whether the Client published important information on its official site, such as a statement from top management on zero tolerance of corruption and Code of Conduct violations, an anonymous electronic form for reporting compliance issues, etc. Next, we held a series of interviews with middle-level management and C-level personnel to walk through the processes and confirm whether the actual processes are executed according to the developed methodology.
For the key risk areas selected on the basis of the consultants' opinion and the key stakeholders' recommendations, we also performed transactional testing to prove that the process is performed accurately and in line with the developed policies and procedures. As a result, we compiled a list of exceptions with comments from the EY team and the Client's employees on each of them. Based on the analysis performed, we filled in the Questionnaire and calculated the overall score for the Client's ICS. At the same time, we sent the Questionnaire to the Client to perform a self-assessment.
The answers to the proposed questions are assessed on a 5-tier scale:
1 – no internal regulatory documents and/or process identified;
2 – internal regulatory documents and/or process are identified. The internal documents which regulate the process require significant improvement towards the COSO Framework. The process is performed with significant deficiencies (less than 60% of testing samples performed without deficiencies);
3 – there are internal documents which regulate the process, but they require an update and/or some improvement towards the COSO Framework. The process is performed according to the internal documents with deficiencies (at least 60% of testing samples performed without deficiencies);
4 – there are updated internal documents which regulate the process. The process is performed according to the internal documents with some deficiencies (at least 80% of testing samples performed without deficiencies);
5 – there are updated internal documents which regulate the process. The process is performed according to the internal documents with no deficiencies.
Based on the ICS assessment by the EY consultants and the Client's self-assessment, we built a radar chart comparing the two sets of scores (fig. 3). For the ICS areas with a score of 1 to 4, we provided recommendations for their improvement towards leading practices. Our recommendations covered not only the review and update of policies and their execution, but also the following areas: organisational structure, business processes, data, technologies, people and performance assessment. As a result, we provided the Client with a report on the Internal Control System diagnostics, which included an overview of the current internal control practices, a comparison of the current governance and internal control with leading practices (the COSO Framework) and with the practices of peer companies, and recommendations for improving the Client's governance and internal control practices.
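As an added worked example (not part of the original article or of EY's questionnaire tooling), the Python below encodes the 5-tier scale above as a scoring function and aggregates question scores per COSO component, so that the consultants' assessment and the Client's self-assessment can be placed side by side as radar-chart rows and the areas needing recommendations (score 1 to 4) can be listed. The 60%/80%/no-deficiency thresholds are taken from the text; the rule for combining a question's document state with its transaction-testing result (the lower of the two tiers wins), the mean-based aggregation, the component names and all sample data are assumptions made for illustration.

```python
"""Scoring helper for the 5-tier ICS assessment scale.

Constructed example: the tier thresholds (60% / 80% / no deficiencies) follow
the scale in the article; the combination rule (lower of document tier and
execution tier), the per-component mean and the sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed encoding of the document wording used in tiers 2, 3 and 4/5.
DOC_TIER = {
    "significant_improvement": 2,  # documents require significant improvement
    "some_improvement": 3,         # documents require an update / some improvement
    "updated": 5,                  # updated documents are in place
}


@dataclass(frozen=True)
class QuestionResult:
    component: str       # COSO component the question belongs to
    principle: int       # COSO principle number (1..17)
    question: str        # yes/no question from the Questionnaire
    documented: bool     # internal regulatory document and/or process identified
    doc_state: str       # one of DOC_TIER's keys (ignored when documented is False)
    samples_tested: int  # transactions selected for risk-based testing
    samples_ok: int      # samples performed without deficiencies


def execution_tier(samples_tested: int, samples_ok: int) -> Optional[int]:
    """Map the share of deficiency-free samples to a tier 2-5.

    Returns None when no transaction testing was performed, so that the
    document tier alone decides the question's score.
    """
    if samples_tested < 0 or samples_ok < 0 or samples_ok > samples_tested:
        raise ValueError("samples_ok must be between 0 and samples_tested")
    if samples_tested == 0:
        return None
    if samples_ok == samples_tested:
        return 5                      # no deficiencies
    rate = samples_ok / samples_tested
    if rate >= 0.80:
        return 4                      # at least 80% without deficiencies
    if rate >= 0.60:
        return 3                      # at least 60% without deficiencies
    return 2                          # below 60%: significant deficiencies


def score(q: QuestionResult) -> int:
    """Tier 1-5 for one question: the weaker of document state and execution."""
    if not q.documented:
        return 1
    if q.doc_state not in DOC_TIER:
        raise ValueError(f"unknown doc_state {q.doc_state!r}")
    doc = DOC_TIER[q.doc_state]
    ex = execution_tier(q.samples_tested, q.samples_ok)
    return doc if ex is None else min(doc, ex)   # assumption: lower tier wins


def component_scores(results):
    """Mean score per COSO component, rounded to one decimal (radar-chart axes)."""
    by_component = {}
    for q in results:
        by_component.setdefault(q.component, []).append(score(q))
    return {c: round(sum(s) / len(s), 1) for c, s in by_component.items()}


def overall_score(results) -> float:
    """Overall ICS score: mean of the component scores (assumed aggregation)."""
    comps = component_scores(results)
    return round(sum(comps.values()) / len(comps), 1)


def improvement_areas(results, threshold: int = 4):
    """(component, principle) pairs scoring 1-4, i.e. those needing recommendations."""
    return sorted({(q.component, q.principle) for q in results if score(q) <= threshold})


def radar_rows(consultant_scores, self_scores):
    """Rows of (component, consultant score, self-assessment score) for the radar chart."""
    components = sorted(set(consultant_scores) | set(self_scores))
    return [(c, consultant_scores.get(c), self_scores.get(c)) for c in components]


# Constructed sample results (not real client data).
SAMPLE_RESULTS = [
    QuestionResult("Control Environment", 1, "Is a Code of Conduct approved and communicated?", True, "updated", 25, 25),
    QuestionResult("Control Environment", 2, "Does the board oversee internal control?", True, "some_improvement", 20, 18),
    QuestionResult("Risk Assessment", 6, "Are objectives specified for risk identification?", True, "updated", 20, 16),
    QuestionResult("Risk Assessment", 7, "Are risks identified and analysed?", True, "updated", 20, 15),
    QuestionResult("Control Activities", 10, "Are control activities selected to mitigate risks?", True, "significant_improvement", 10, 5),
    QuestionResult("Information and Communication", 13, "Is relevant, quality information used?", False, "updated", 0, 0),
    QuestionResult("Monitoring Activities", 16, "Are ongoing evaluations performed?", True, "updated", 0, 0),
]

# Constructed client self-assessment per component.
SAMPLE_SELF_ASSESSMENT = {
    "Control Environment": 5.0, "Risk Assessment": 4.0, "Control Activities": 3.0,
    "Information and Communication": 2.0, "Monitoring Activities": 5.0,
}

if __name__ == "__main__":
    print(component_scores(SAMPLE_RESULTS))
    print("overall:", overall_score(SAMPLE_RESULTS))
    for row in radar_rows(component_scores(SAMPLE_RESULTS), SAMPLE_SELF_ASSESSMENT):
        print(row)
    print("needs recommendations:", improvement_areas(SAMPLE_RESULTS))
```

Note the edge cases the scale leaves open and the example resolves explicitly: a question with up-to-date documents but no transaction testing keeps its document tier, and a question whose documents are fine but whose testing falls just below a threshold (16 of 20 is exactly 80% and scores 4; 15 of 20 scores 3) is pulled down to the execution tier.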
We also held meetings with the key Project stakeholders to discuss the results of the stage. Finally, in the second stage, we developed a detailed Roadmap for the implementation of the recommendations. An example of the Roadmap is provided in Fig. 4 below. The Roadmap included a list of recommendations, implementation steps for each recommendation, a timeline, the employees responsible for executing the steps, and key results (milestones). In the MS Project file provided, the Client could monitor the progress of execution for each recommendation, assign or change the employees responsible, and modify the timeline, e.g. to streamline or postpone tasks.

Conclusions
Business transactions can be conducted effectively on the basis of controlling such transactions by segment, within the framework of compliance with business agreements, which establishes responsibility for the individual indicators of a transaction in line with the COSO concept. COSO's risk management process can only be effective if it is continuous, is implemented and monitored by managers at all levels, and all eight of its components exist and function to achieve efficient and effective operations, sound financial reporting and compliance with laws and regulations.