International School of Economics Baldairov Alnur
Kairlyyev Almaz Keulimzhanova Dinara
Tynybekova Karina
Internal controls: auditor's role and relevant competencies
Thesis submitted for the degrees of Bachelor in 6B04101 - Accounting and Audit
6B04104 - Finance
Supervisor: Junisbekova Zaura
Table of contents
1. Prologue………..3
1.1 Abstract………...…….….3
1.2. Introduction………...……...3
1.3. Literature Review………...…….5
1.4 Method of Research……….6
2. Internal Control: Five main components (COSO)……… 7
2.1. Definition of Internal Control……….……….……..….7
2.2. Five Components of Internal Control………....……….8
2.3. The Three Lines Model (COSO, IIA)……….. 17
3. Which competencies an auditor should have?...18
3.1. Theoretical Background and Research Results………....19
4. Conclusion………..….29
5. Reference list………..……….31
1. Abstract
This research paper describes the importance of the internal control system for organizations, and the role of an internal auditor in this system and relevant competencies for working in this field in Kazakhstan. Based on various articles on internal control, research, which is published on the Russian website of the Institute of Internal Auditors, and also international standards, the tasks of this industry and the strategy that is key in companies, as well as the core competencies necessary for internal auditors were identified. So, according to the analyzed data, and according to the “COSO” model (The committee of sponsoring organizations of the treadway commission). The internal control service in organizations has 5 components: "control activities, risk assessment, information and communication, environment, and monitoring". And at the monitoring stage, the “The Three Lines model” is widespread in companies, which carries out 3 different stages of verification and analysis to identify and manage the company's risks, as well as for effective corporate governance. The final audit in this system is handled by an internal auditor. For successful risk management, effective control, as well as high-quality verification of financial statements, the auditor needs to have certain professional skills - competencies. In the study, these competencies were identified, and it was decided to determine their relevance and knowledge among internal auditors in Kazakhstan.
Based on the competence model by IIA’s Internal Audit Framework , a survey of respondents of the Institute of Internal Auditors of Kazakhstan was conducted, and an independent assessment of knowledge in these areas and their relevance at the moment was carried out.
1.1. Introduction
In the modern world, with the development of technology, the concept of internal audit has become widespread in advanced companies. Most large companies create special departments in this area to improve quality control. An internal audit is an internal quality control of the organization's activities, which helps in assessing and reducing the risks of the organization faces, and in verifying the financial condition of the business and the reliability of reporting. The main goals of this area are to improve the
processes of work in the company, identify all kinds of risks, and increase the profitability of business processes. Thus, the internal auditor plays an important role in the further development of the company.
The demand for internal audit specialists in the labor market who have the necessary knowledge and competencies is growing more and more. Due to the responsibility that lies on the shoulders of a specialist in this field, it is necessary to have certain knowledge, qualifications, and competencies.
During the training and study of various spheres of the economy, it was decided to focus on the importance of the topic of internal audit in companies in Kazakhstan, because this area is the key to a successful organizational culture. Since the main purpose of this department is effective risk management, assistance in corporate governance, as well as verification of the company's financial statements, and the basis of this service is employees. For the correct performance of their duties and assistance in the company to address risks, the internal auditor needs to have certain competencies that reflect the effectiveness of this specialist.
The purpose of this thesis is to reveal the importance of the internal control service, the role of the auditor in this system and to determine the necessary competencies for the effective performance of the work. During the study, it was also decided to identify the relevance of the competence model according to international standards The IIA’s Internal Audit Framework, how the survey participants assess knowledge in this area, as well as the respondents' opinion that with the further process of automation and technological progress, the problem of lack of competencies appears in the field of internal audit, as well as their feedback and suggestions for solving this question. Also, one of the interesting questions of the study was to find out from the interviewees the availability of international certification in the field of internal audit or accounting from the study participants, as well as the scope of the organization in which the interviewed auditors work.
In the thesis, the main task is to reveal the importance of internal control for organizations, the role of internal auditors in this service, as well as an explanation of the need for the versatile
development of their competencies to keep up with the times.
Three main steps will be analyzed in this study:
1. Internal Control and its components (based on COSO) 2. The Three Lines Model (COSO and IIA)
3. Competencies and other skills for auditors to impact on Internal Control
1.2. Literature Review
This research is mostly based on IIA (The Institute of Internal Auditors) studies, guidelines and research, and they recognize the modern requirements of the market and, thus, to be more competitive and more successful, auditors should learn more soft skills, acquire new IT skills (due to automation, data analytics, improvement of technologies, etc.). According to Wright (IIA, 2021), there are skills with competency gaps: IT Control Framework, Data Analytics, Security and privacy, Fraud, Risk Management (p. 7-8). Also, he identifies other critical issues that should be developed such as relationship building, reporting and other soft skills (p. 8). To sum up, the Institute of Internal Auditors will use their results from the study in order to create new content which will contain training, best practices, and new paths for auditors to close, or at least minimize the competency gap. The next big sources for the study are the IFAC (International Federation of Accountants), and they describe the importance of code of ethics, and how it impacts accountants and auditors’ work and contribution to Internal Control development. Finally, other literature used in this study contains tendencies about audit and accounting issues from surveys of PwC, EY in collaboration with the IIA (Sonin, Yegorova) and other sources. This study is going to describe the importance of modern competencies for auditors due to the valuable role of auditors in the internal control system development.
1.3. Method of Research
In the course of work on this project, goals and objectives were identified that determine the further course of events, namely the hypothesis based on the fact that in connection with the important role of internal auditors within the companies, there is a need for the versatile development of their competencies, which also keep up with the leg time. In view of this approach, the most acceptable research method is a mixed method consisting of a quantitative and qualitative approach.
On the one hand, a quantitative method is presented, since in the process of accumulating information about internal audit and the relevance of competencies a survey was created in which the respondents of the Institute of Internal Auditors of Kazakhstan took part. Respondents had access to multiple choice questions, the answer options of which were prepared in advance. All collected data after, were statistically analyzed and presented in the form of graphs.
On the other hand, a qualitative method, since, in addition to closed issues, there are also open ones, which analyzes the personal experience of respondents in the field of internal audit, self -esteem of their knowledge about competencies, as well as their opinion on improving and increasing the necessary competencies for this profession, and ways to solve this problem.
The number of participants, including auditors of the Institute of Internal Audit, are equated to 36 respondents with different areas of activity and a different number of employees within the departments.
So, most of the participants, namely 44.4% are representatives of financial institutions while the following representatives of 11.1% are enterprises in the field of mining, as presented below:
By the number of employees, 41.7% of respondents in the Department of Internal Audit have from 2 to 5 auditors. The remaining results are presented below:
2. Internal Control and its Components 2.1. Definition of Internal Control
Nowadays there are many enterprises with their own goals and business processes inside and every day these corporate structures face different challenges. In the ever-changing age of innovation, challenges come both internally and externally. The multifaceted economic environment, competitive market conditions, and changing consumer preferences are all reasons to develop controls to minimize exposure to unexpected risks and anticipate a future course of action. Internal control is such a solution.
Summarizing the essence of internal controls - it is a system controlled by the board of directors, management, and other structural subdivisions with the provision of at least three basic goals. Firstly, the creation of an effective working field and reasonable use of resources, by means of imposing the basic goals of the organization on its available assets. Second, ensuring the reliability of financial reporting, including important elements such as financial performance. Third, promoting the company's actions in compliance with legal requirements. The internal controls exercised by people are not simply
its flexibility to prevent all possible situations in one way or another, and to achieve the aforementioned and most significant goals.
2.2. Five components of Internal Control
The system itself consists of five main components, the use of which varies from one organization to another for the simple reason that small and medium-sized enterprises, due to their structure, do not always use absolutely all components, unlike large businesses. It is worth noting that a less formalized and structured format of internal control in such situations does not lead to a loss of its effectiveness, but on the contrary, if the necessary components are successfully integrated, it only improves it. Thus, the components of internal control include the following: control environment, risk assessment, controls, information and communication and monitoring. For each of the components, a mandatory performance evaluation is conducted with the participation of internal auditors, who are required to prepare the necessary materials for this procedure. However, this process and the persons responsible for it will be described in more detail later.
Starting with the first control, the control environment, it is important to reach a common understanding of the term. First, the control environment is everything that is directly related to the activities of the company and attitudes of employees within it. This component, more than any other, serves as the basis for understanding the importance of internal control processes and sets the basic discipline within any organization. As with any other component, the control environment has its own elements, the general interpretation of which may differ, but in general provide a more detailed understanding of what any professional should look for in assessing the control environment.
The first element is undoubtedly the integrity of the company and the existing ethical standards within it. Subsequent employee decisions regarding management and monitoring processes, based on any ethical standards, play an important role in building the corporate environment. To integrate and raise awareness of ethical principles, the company can actively implement the Code of Business Ethics and Professional Conduct as a basic tenet for each employee. Any offenses related directly to the integrity of
the company's policies should have consequences in the form of disciplinary action against the employee involved in the situation. The process for discovering such violations should also be well considered by management. An example of such practices are the company hotlines, which, if any violations are detected, make it possible, in an anonymous form, to become a complainant and initiate an investigation process to further eliminate such situations. In addition to the above-mentioned, it is important to conduct annual testing to maintain the level of knowledge of ethical norms of the company, as well as to identify any shortcomings of employees and possible improvement of their understanding to the perfect level.
The second element is the organizational structure of the company. It is here that there is an interconnection of each component of the structural unit in the overall system, through which the process of implementation and verification of activities passes for the subsequent achievement of the tasks set for the company. Each unit of the company and its further formation into larger conglomerates, as well as the monitoring of the subsequent provisions, must be monitored by the governing bodies of the company and be justified for the functioning within. If take the Audit Committee as an example, when considering it as part of the overall structure, it is possible to notice that this body most often reports directly to the board of directors and this is not for nothing. The main reason is that in this type of organizational structure, many companies link the Audit Committee directly to the governing body in order to achieve their objectivity and independence in the process of internal controls assessment. Continuing the discussion on the example of the Audit Committee, it is also important to note that their composition should include at least 2/3 independent individuals. It is thanks to this organizational structure that companies strengthen their control environment.
The third element is the style of management, as well as its delegation of responsibilities to various sub-levels within the company. For the most part, it is about the participation of companies in the development of approaches to internal control systems, risks, etc. The company should have basic regulations, accounting or investment policies detailing all roles and obligations to ensure that the internal structure is regulated.
The last element of the control environment is the human resources policy and its rules. This includes everything that has to do with hiring, training, developing, rewarding and disciplining staff. The company, in particular the human resources department, is responsible for hiring highly qualified personnel and their further advancement within the walls of the company. Personnel testing must be conducted on an ongoing basis to monitor employee performance, as well as to develop systems to improve the level of competence within. The organization is required to have hiring policies and procedures for process transparency.
Thus, the interrelation of these 4 elements ensures the stability of the control environment and allows us to find ways to evaluate and improve it.
The next internal control is the company's risk assessment. When considering this control, it is important to understand what factors can affect the risk matrix within the company, so in this paper the explanation of the above control will begin by dividing the risks into external and internal factors that form them. To the former it is possible to refer to changes in the environment, the market, and its driving forces, which further influence the pressure from the competitors and actions to prevent this threat. Also, changes in any international standards and regulations with respect to financial reporting belong to this category of risks. No less important factor can be an expansion of the company internationally if the Company has an increase in turnover in foreign currencies or its new activities are supported by new legislative provisions, which will affect the methods of work in the organization. Regarding the internal factors, the following can be mentioned: reorganization, hiring new personnel, the rapid growth of the company, as well as the emergence of new technologies and approaches within the company. It is the above-mentioned factors that cause the assessment of potential risks of the company. However, this control does not do without preparatory phases, namely the process of risk identification and their further systematization in the general register.
In the process of identification, the Company must have its own developed techniques and procedures, which should combine both potential future events and considered earlier moments of the past. Below are 5 methodologies and procedures to identify risks of the Company.
Risk Detection of Set Goals and Objectives: Once the organization has agreed its set goals, the risk owners step in. These employees are responsible for all processes on definition and management of risks. They estimate probable events, the outcome of which may further become a risk to the goals and objectives set by the Company.
Comparative analysis of similar industries: this method is one of the most widespread, but not inferior in its efficiency. As it can be understood from the name, the essence is to make a risk register on the basis of similar operational, financial or other activities of the companies.
A roundtable discussion: representatives from the various business units of an organization can brainstorm about potential events that they think could affect risks within the company. The data from the different sublevels is then gathered into a common list and goes through a further stage of grouping them together.
Conducting interviews: at this stage, the key role is played by the heads of structural divisions from whom the risk owners take target interviews. Thus, based on their professionalism and a deeper understanding of this or that unit of the company, potential risks are formed.
Monitoring of losses, listed in a common database: with the help of risks that have already once affected the company, potential risks, and new ways to identify them are considered.
After detection of potential risks, there comes the stage of their systematization according to 4 main categories: risks of strategic, financial, legal, and operational character. Strategic risks are the risks associated, for example, with changes in the political environment, recessions in the industry sector and other risks, which somehow correlate with the key strategic indicators of the company. The latter include possible fluctuations in interest rates or exchange rates, changes in the Company's capital structures, as well as the effects on profitability. Legal risks are the risks associated with non-compliance with or changes to a country's legal or regulatory framework. The latter risks, namely operational risks, consist of risks arising from the personnel due to improper internal processes within the organization and technological risks, which depend on the functioning of information systems and technologies within the organization. The result of the systematization in this phase is an overall risk register, which is further
discussed by management and those responsible for risk management and detection for further adjustment.
After the above phases, the company proceeds to assess the risks detected, in order to have a potential picture of how their impact may affect the achievement of objectives. The assessment process itself also has several methodologies, which combines both qualitative and quantitative assessment methods. It is worth noting that not to each risk can be applied simultaneously to 2 methods, at the beginning to each risk the qualitative method is applied, and after allocation of the most significant risks, the company has the right to apply quantitative methods of an assessment.
Beginning with a method of a qualitative assessment of risk, with three basic indicators characteristic for it-the frequency or probability of risk, time of effect of risk and its size. Most often in the companies, based on the above-mentioned indicators, a special scale is introduced, in which according to the point system the interviewed person evaluates this or that risk. It takes place for the subsequent grouping of results and calculation of coefficients of importance of risks, and then they are imposed on a map of risks and the most critical of them are allocated.
Critical level risks are evaluated by a quantitative method, by means of various methods and models. Thus, an estimation by the given method of the company subdivides on gross and net basis, where the first designates an estimation of risk, not including existing methods of management by it, and the second considers residual risk with a condition of the barriers preventing them. In general, the quantitative assessment method is based on the damage that each of the risks can provoke. So, for example, there is a method of estimation on the basis of statistical models, comparative analysis, calculation of the unreceived income and many others, which choice depends on specifics of the company and risk detected by them on its nature and significance.
It is the above-mentioned elements of risk assessment that influence the reliability of this component of internal control.
The third key component of the internal control system is control procedures, which can be divided into both general and transactional controls. General level control procedures include examples such as
whether a company has its own accounting, information and other policies that form the general environment of the company. While transaction level controls include, for example, an algorithm for calculating taxes or production costs, that is, something that is directly related to specific postings within the system. Due to the huge range of control procedures, this paper will consider the most common of them, namely authorization, segregation of duties, arithmetic controls, physical and managerial.
Authorization, by definition, involves restricting access to the exercise of any authority within the company. The level of permission to authorize a particular operation in a company may be related to the total limits or to the official position. If, for example, the purchasing department plans to purchase a huge amount of equipment for a sum material enough for the company, then its purchase order cannot be approved only by a junior employee but must necessarily be considered by the director of this department or sometimes even by the general director himself. The authorization process allows the company to control the legitimacy of decisions and reduce the risk of unwanted transactions.
Segregation of duties is as effective a method of eliminating human risks as authorization. This tool allows not only to reduce the load on each department and staff, but also to detect fraudulent schemes or a simple mistake. An example of the effective use of segregation is the recording of inventory receipts, when the person who receives this inventory and the person who enters the quantity of receipts are completely different employees.
Arithmetic controls allow you to track the correctness of the amounts deposited and their sequence to eliminate the possibility of a missed transaction. Some companies have special systems that monitor the correctness of filling out documentation forms. So, when issuing an act of completed work with one amount, the system, when generating an electronic invoice for this implementation, will not allow fixing another.
Examples of physical controls are most seen in inventory or equipment accounting, where a company can place limits on a warehouse by embedding an access card or code at the warehouse entrance.
Another example would be securing equipment to prevent theft.
The last tool is managerial control, owned primarily by management, who can shape their own oversight procedures as well as analyze potential gaps through benchmarking. For example, to reconcile the planned and actual results of the work of employees and identify the reasons that had such a result.
Thus, control procedures form part of the whole system of internal control.
Speaking about controls, it should also have been kept in mind that a very important component is also information and communication within the company, because only through correct information flow, mutual communication and timely and correct information processing it will be possible to maintain the functioning of the Internal Control System. This component also makes it possible to communicate potential problems and threats affecting the organization's internal control, as well as to transfer the necessary information about the tasks and responsibilities of everyone involved in the process to support the internal control systems. In this component, the auditor must also have knowledge of information systems relating to the preparation of financial statements. For example, the procedures that are carried out either in the accounting system of the entity (automated or manual), through which transactions are recorded and processed and included in the financial statements (systems such as 1C, SAP), the related accounting documentation or information about specific items in the financial statements, which relate to a specific transaction. It should also be mentioned that in large organizations this control should also carry out well-established information channels between parent and subsidiaries, as well as to track the treatment of customers, suppliers and other stakeholders, consider them and give a timely response to their questions.
In the Information component, it is possible to identify the main functions of information systems, which will be described in detail below.
The first element is the identification and registration of all transactions, which involves complete information about the transaction, and its subsequent entry into the accounting system. As a check, a review can be made to see if the data obtained from external sources of information is consistent with the internal data, if the information has been processed correctly and entered into the accounting system.
The second element is the timely and detailed recording of transactions, which allows the classification of transactions for further inclusion in the financial statements. As part of this element, authorized persons should note that all information received from external sources (transactions) and previously processed according to the first element must be correctly classified for further inclusion in the financial statements in accordance with IFRS and other accounting and financial reporting standards.
The third element is the valuation of accounting items so that the relevant information can be included in the financial statements in summarized terms. For this element, there should also be a correlation between the transaction information and the validation of the underlying data (e.g., by a supervisor) for acceptance into the processing and inclusion in the financial statements.
The fourth element is to determine the period of the transaction, allowing it to be attributed to the appropriate accounting period.
The fifth element is the proper presentation of transactions and related disclosures in the financial statements. The last two elements involve comparing external documentation with internal data, reviewing performance by area, analyzing the consistency of primary documentation with what has been recorded in the accounting system, and disclosure of certain transactions/items in the financial statements that may be material and affect the reliability of the financial statements.
In addition to information related to financial reporting and operations, companies can also consider the level of satisfaction of their customers and employees, which is also important information for the management of the organization, and further development management will consider all available data, both from external and internal sources.
Consequently, in order to understand that the controls are really effective enough, it is necessary to get feedback and conduct regular monitoring to make sure that everything is actually going well within the organization's internal controls. The purpose of this monitoring is to verify that controls are functioning properly and to take the necessary actions to prevent deficiencies in internal controls.
Monitoring controls allow auditors to continuously monitor internal control systems and give them performance ratings. Companies should identify and bring to the attention of authorized persons when
deficiencies in an organization's internal control system are detected, including reporting to senior management and governing bodies. In the case of prescriptive recommendations from government authorities, external auditors and other authorized organizations, the company must promptly comply with these prescriptive recommendations, and internal audits must monitor the implementation and execution of the prescriptive recommendations. The same is accounted for by individual departments within the company, for example, the department of accounting and reporting should promptly observe the changes in IFRS and other accounting standards, the department of tax issues - the changes in the Tax Code of the country. It is necessary to understand the importance of feedback and monitoring within the company to be sure of the quality of this control and to give an assessment of the effectiveness of the entire system of internal control over a period of time.
There are many activities to conduct successful monitoring of controls, and some of them will be detailed below.
The first activity may be management's monitoring of timely settlements with banks, suppliers, and other entities for arrears. This is done primarily to make sure that employees are settling debts to creditors and whether a certain amount is simply removed from the system.
The second activity can be the evaluation by internal auditors of the staff that deals with the conclusion of contracts with customers and suppliers. It is necessary to understand that the employees really concluded the contracts of purchase and sale with the customers, whether it was done in accordance with the internal policy of the company, whether there were no violations in the process of conclusion of the contract.
The third activity is to observe personnel in terms of professional ethics and practices. Every employee in the organization should have sufficient knowledge of ethics and business practices so that there are no further problems within the company and when negotiating with customers.
The fourth activity is the regular evaluation of the organization and application of controls and the overall internal control system. The internal audit function should evaluate the effectiveness of controls
throughout the organization and if necessary, make necessary corrections and take actions to correct deficiencies.
The fifth activity can also be considered external auditors' instructions to management on weaknesses in the internal control system and recommendations on how to correct any deficiencies. Thus, the role of the internal auditor in the development of the internal control system is big since he prepares the opinion about each control and gives recommendations in order to fix and improve it. In addition, there is The Three Lines model where the internal audit committee plays a huge role as a part of this model. The Three Line Model helps organizations identify processes that best help achieve goals and contribute to effective corporate governance and risk management. The three-line model represents three different stages of verification to resolve the company's risks.
2.3. The Three Lines Model
Proper corporate governance is an important aspect for the successful growth of a company, but due to external changes, as well as the unstable situation in the world, in every company striving for success there is an urgent issue of minimizing risks and loss of income. That is why, according to the Institute of Internal Auditors, more than 20 years ago, a Model of three lines of defense was proposed, and each time it was modernized, which leads the company to success in effective corporate governance and helps in effective risk management. It should be mentioned that earlier, when creating this model, it was called "Three Lines of Defense", now it is already "Three lines", to increase efficiency, expand opportunities and in connection with the variable situation in the world. The essence of this model, which is tailored to modern realities, is the optimal distribution of roles and responsibilities to increase the likelihood of achieving the goals set for the organization on the path to success.
The three-line model represents three different stages of verification to resolve the company's risks.
According to sources from the Institute of Internal Auditors, "The first line represents the business functions that managers and middle managers of companies are engaged in, as well as self-
control of employees when performing operations, who are responsible for assessing, regulating and minimizing risks, as well as for ensuring the effective functioning of the internal control system.
Structural divisions identify process risks, develop, implement and perform control procedures, including taking measures to counter negative events, thereby creating the first protective line of internal control. Based on the results of the work carried out, control and risks, management reporting is formed.
The second line of defense is a monitoring function. These are Support, constant monitoring of risk management, internal control, compliance with legislation and administrative rules, internal regulations, and investigation of facts of unfair actions on the part of the company's employees.
The third line of defense is the internal audit of the company itself. That is, providing objective information on risk management, and assessing the reliability of the internal control system. Internal audit conducts process audits based on the results of which it prepares reports with conclusions about control and risks on the first and second lines. It should be noted that internal audit in the corporate governance system is an integral part of the company's internal control system, which is a key part in the effective management of the company.
Also, it should be noted that in order to maximize the result, the fourth stage is carried out, this is control by an external audit. Serious shortcomings of the internal control system noted during the audit, as well as recommendations for their elimination, are reflected by external auditors in audit reports and inform the management of the audited organization” (2020, p. 1-13).
Qualified and correct projection of the internal control system, high-quality development of methodology and regulations, and implementation, taking into account the use of modernized procedures, effectively helps the organization in successful risk management on the way to achieving the goals set for organizations.
3. Which competencies an auditor should have?
The previous parts of this paper outlined the five core elements of internal control and their specifications, where the role of internal auditors in this process was addressed at the monitoring level.
However, what competencies do internal auditors need in order to perform such a meaningful role at the level of the whole company?
The following will review the required competencies and requirements for internal auditors as spelled out in the Institute of Internal Auditors (IIA) competency model and assess the current level of competencies among respondents. The purpose of this approach is designed to analyze this broad field and provide a generalized view of the skills and required knowledge of the internal auditor. In addition, this thesis will include research, in the form of a survey, on the importance of current competencies and their level of development.
The implementation of international standards has always been a prerequisite for all auditing activities, since their introduction makes it possible to create a structured and systematic environment that can be evaluated at the appropriate level. In addition, it makes it possible to determine the degree of penalties and fines in case of deviation from common norms. Companies that actively develop a policy on the use of International Standards have a tremendous opportunity in the future to enter the international marketplace without changing their internal policies. International standards can also serve as an example of quality business conduct, eliminating the possibility of survivor error. One such standard is the competency model developed by the Institute of Internal Auditors. This model includes 4 areas of knowledge, each of which contains inherent requirements and skills, as well as specific functions necessary for compliance. For example, these areas include professionalism, task performance, environment, and leadership and collaboration.
3.1. Theoretical Background and Survey Results
Theoretical background. Starting from the first area of knowledge, namely professionalism, it is worth mentioning that this definition implies the ability to demonstrate best practices typical of internal auditing, namely professional skepticism, professional judgment, knowledge of the objectives and the internal audit charter and principles of professional ethics. It is worth noting that every auditor, whether external or internal, is bound directly to fundamental ethical standards (principles) to guide them throughout their career path. Fundamental ethical standards for the auditor are the measure of necessity
that will allow one to understand the correctness of decisions when faced with conflicting choices.
Examples of this behavior include the ACCA Code of Conduct, International Code of Ethics by IFAC, and other standards. The basic tenets of ethical principles are as follows:
1. Integrity
This term can be seen in the above-mentioned role of the auditor in the three-line model, where he is the guarantor in providing information and assessment of the overall state of the company's processes to the board of directors, to whom he reports directly. Honesty is the main attribute at this stage. A clear picture, which the specialist can provide to the board of directors, facilitates further development and the identification of primary objectives and risks.
2. Objectivity
Objectivity is the ability to follow one's professional principles without allowing outside opinions to influence decisions and the representation of facts. This term should accompany every professional in the performance of his or her task. Omissions due to bias can entail strategic and financial risks.
3. Professional Competence and Due Care
The auditor should continuously improve his or her professional knowledge and skills in order to maintain the proper quality of the audit and audit-related services. The auditor is also obliged to understand the technical, industrial, and professional particularities of the company at the required level and to be aware of professional standards and to apply them in a timely manner. Speaking of due care is the care with which decisions must be made to ensure everyone's safety and satisfaction.
4. Confidentiality
Due to the work that requires processing a huge amount of confidential information, the auditor is obliged to strictly follow the principle of non-disclosure of company-specific issues. In this case, this measure must be taken into account not only during a conversation with somebody who is a potentially undesirable subject for disclosure of the specifics of the audited companies, but also when the same documents are kept on the desktop, cell phone or any other information device. The auditor must distinguish between situations in which he is expressly forbidden to disclose confidential information and
those in which he is legally permitted to do so. He must understand that the responsibility and penalties for disclosure will be on his shoulders, and that the company may suffer enormous losses or image damage in general.
5. Professional Behavior
This includes the calm and restraint that the auditor must exercise during audits, as well as respect for the laws and regulations of the states within which he operates.
Research Results. According to the results of the survey of 36 respondents, the most significant skills in this area of knowledge are the following options: individual objectivity, ethical behavior and professional discretion due to the fact that 75% of respondents gave each of the mentioned skills a score of 5. At the same time, the same score, but already 63.8% of respondents received the skill of knowledge of internal audit tasks and charter, as well as the skill of having organizational independence. Regarding the last item of professionalism, namely competency development, it should be noted that about 56%
marked the importance of 5 points, about 19.4% rated it at 4 points and the rest gave their scores of 1, 2 and 3 points at 5.5%, 5.5% and 14% respectively.
In the case of self-assessment, each respondent developed expert knowledge in almost all options
competence in the field of ethical behavior, while the not so far away option of 69.4% of respondents is expert knowledge of individual objectivity. Self-assessment of the remaining skills is presented below. It is worth noting that according to the respondents' answers, the greatest lack of expert knowledge, they feel in the field of professional development, and some of them believe that this competence requires improvement, because this process should be constant, otherwise it will lead to a lack of qualified specialists.
Theoretical background. The second area, in the form of task performance, also has its own set of required competencies. This can include such paramount things as the auditor's understanding of fraud risks and other risks, knowledge of the management of the organization, that is, tracking its operations or structural formation. As mentioned in the previous parts of the paper, the skills needed to improve and assess the organization's internal control system at each of the 5 elements are also considered here. The internal audit function is also responsible for the regularity of the internal audit activity in the public sector. In the planning stage, it is important for the auditor to be able to define the key objectives, evaluation criteria and anticipated scope of work, to analyze the risks that may hinder the work, and to prepare an audit program with appropriate staffing. During the assignment, the key skills are the ability to gather information, generate samples for audit procedures for each financial statement line, analyze the data, and conduct the appropriate process to document them. The internal auditor here is important to
have an analytical mindset and understand what could serve as a potential source of audit evidence. Also, due to the growth of automation in companies, it is important for these professionals to be familiar with modern computerized tools. After completing the previous two steps, comes the stage of analyzing the work done by the internal auditor. It is important for the specialist to be able to monitor the results, formulate conclusions that have been reached in the processes of the assignment and send the appropriate communications (for example, in the form of a report on the work done or recommendations) on the risks detected, to the board of directors or other structural units.
Research results. In the case of this field of knowledge, the competencies required at the stage of task results are the most important, which were given a score of 5 by more than 55% of the
respondents. In second place are the competencies at the stage of planning and executing the task, which were given a score of 5 by about 53% of the respondents. Next in importance are skills in internal control and risk management, where 18 of 36 respondents gave a high score. Competencies in corporate governance and fraud prevention, on the other hand, had the lowest number of “5”.
In the self-assessment of the tasks, the following was revealed: about 64% of the respondents have only applied knowledge in risk management and corporate governance, as well as in fraud prevention, and it is these, according to the answers of some participants, that require the most improvement. The
most predominant amount of expert knowledge is characteristic of skills at the planning and execution stage, while the others are provided in the chart below:
Theoretical background. The third area of knowledge - environment. As far as everyone knows, every organization has its own environment within which certain policies, risks, and other key points are shaped. Each auditor must have a good understanding of the environment in which he or she operates. It relates to the fact that the business field of the company itself is closely connected with the potential risks that become the objects for each auditor. However, when considering this standard from the perspective of internal and external auditors, there are some inherent differences. For example, the external auditor should understand the specifics of business of various industry companies because the variety of clients of this type of specialists varies a lot. Whereas the internal auditor acts within a specific, single environment, which he must be very well aware of. Auditors need this knowledge in order to assess potential risks that may arise in the course of their work and which they can readily identify. Such as the risks of organizational structures, business processes and information technology. For example, for business processes, a high area of responsibility may be procurement processes, logistics, human resources and their compensation. In information systems, this area of responsibility may be imposed, for example, on cybersecurity risks. Equally important in this area of expertise is the skill of strategic
planning, in which organizational structure, organizational behavior, and performance criteria can be built through improvements.
Research results. For the environment, one of the most needed skills (score of 5 points) is knowledge of accounting and finance, which is confirmed by 14 out of 36 participants, as well as knowledge in the field of strategic planning and information technology, which is equally confirmed by 13 out of 36 respondents. The rest of the results are shown below:
According to the assessment of the level of competence in this area, most of the respondents have only applied knowledge in almost all the options below. It should be noted a very important observation that it is competences in the field of information technology, in accordance with the answers of respondents, that require the greatest improvement, because less than 20% of participants have expert knowledge, and about 36% have applied skills, while most of them have only general understanding of IT.
Theoretical background. Last, but not least, the area of expertise is leadership and communication, which implies the ability to correctly delegate roles in audit processes, as well as an effective relationship with all possible parties to the process. The auditor's area of expertise should include several of the following important items: strategic planning, coordination of assurance activities, and interaction with all interested parties.
During strategic planning, the auditor should evaluate the importance of the built plan, determine the direction of current processes, delegate authority and manage possible conflict situations that may arise during the construction or its implementation. The need to conduct quality oversight of the audit process in fulfilling the objectives of the current audit plan is also an integral part of the competence of the internal auditor.
The internal control auditor should be competent in coordinating an assurance plan that analyzes the sources of potential risks, both external and internal. This is due to the constantly changing needs of the organization, after analyzing which, the internal auditor is responsible for this communication to the board of directors.
During the interaction, the auditor will have to communicate on an ongoing basis with various parties in the process, whether it be the aforementioned board of directors, the internal audit client or another interested party. At this stage, it is important to understand the value of dialogues focused on
communication, oratory and persuasion. Similarly, the auditor must be able to competently present information in various media, whether it be emails or oral presentation work.
Research results. According to the results of the survey and analysis of this area of competence, research paper conclude that the majority of respondents prefer the skill of Internal Audit Planning and Assurance. It is also possible to notice a correlation between the sphere of activity and answers of respondents. In this competency area, the greatest emphasis is on the relationship both between other internal control auditors and with stakeholders outside of auditing. Such dependence can be explained by the number of people in the respondent's department. For example, a person working in a team is more predisposed to acquire the skills of interpersonal relations. Here it is worth noting that this
conclusion comes from the analysis of the self-assessment for this section, where respondents answered the question about their personal opinion about themselves. The largest number of responses "expert knowledge" was shown in the interaction with stakeholders. This proves the need to develop and maintain communication skills both inside and outside of audit projects.
With the knowledge areas in the Institute of Internal Auditors model, it became clear how multitasking auditors need to be in order to be a guarantor of integrity, honesty and quality to the board of directors above. Insignificant idea that in the conditions of technological progress and automation of processes, new competences for auditors are being introduced, was also confirmed during the survey among the respondents of the "Institute of Internal Auditors".
According to the survey results, absolutely all respondents are confident in this idea, and the majority of them spoke about the necessity to develop such new competences as data analysis, risk assessment, programming and IT competencies.
In addition, the survey revealed which of the following innovative areas of competence auditors have enough to review over the next year. According to the survey, 77.8% of respondents were able to audit extended enterprise risk management and 58.3% business continuity and crisis management. While the lowest number of competencies is sufficient for cybersecurity, innovative technologies and cloud and virtual computing environment, which also confirms the need for IT skills on top of other competencies.
4. Conclusion
Summarizing the thesis in which 5 important elements of internal control were investigated, where the multifaceted role of internal auditors was considered on the level of monitoring, as well as indicating their importance in the three line model, this thesis was aimed at identifying and evaluating the necessary competencies in the current realities. The IIA’s Internal Audit Competency Framework was taken as the basis of this work, on the basis of which the survey among the respondents of the Institute of Internal Audit of Kazakhstan was constructed.
For a clearer understanding of the competencies required by the auditor, the research work considered and delineated the scope of the internal auditor's work into 5 elements and outlined his role.
Each of the elements of Internal control system was described in detail and sequential analysis, the role of the internal auditor was defined.
The internal control auditor is only present during the monitoring phase, where he or she is responsible for the quality of each of the elements in the internal control system. During the research work, the main tools that the internal control auditor uses to assess the quality of the work and to measure the risks of all stages of the business process were identified.
The outcome of this research work was the internal auditor's competencies needed to perform their role in the 5 elements. The thesis used the IIA’s Internal Audit Framework model to represent the international standards of competencies required of an internal control auditor. It was used to conduct a survey together with the "Institute of Internal Audit of Kazakhstan". According to the results of the analysis, the survey showed to what extent the respondents assessed a particular competence. General data were also collected, describing respondents' self-assessment, the scope of their work and their opinion on the emergence of new competencies. Collecting all the above, the research paper shows the relevance and quality of competencies in the current realities of a progressive world.
Based on the results of the survey, it is also concluded that a greater percentage of respondents choose to study the following competencies in depth: IT knowledge, general qualifications improvement, fraud (Detection), risk management, and internal audit tasks. This is due to the fact that there is a gap between the importance of relevant competencies in respondents’ opinion and their level of proficiency in these competencies. In this study, the idea was formed that innovative trends encourage auditors to
continuously improve and adapt to new realities. Most organizations today in accordance with the survey results, around 64 percent, address the issue of insufficient competence of their auditors, using either third-party organizations or hiring new employees, and in some cases do not address the issue at all. Thus, forming the main recommendation of the survey, namely, to increase resources for staff training within organizations
Reference list:
1. Douglas J. Anderson (2015). Leveraging COSO across the three lines of defense model. The Institute of Internal Auditors. Retrieved from: https://www.coso.org/Documents/COSO-2015- 3LOD.pdf
2. Handbook of International Education Pronouncements 2010 Edition. - International Federation of Accountants (IFAC). Retrieved from:
https://www.ifac.org/system/files/publications/files/IESBA-English-2021-IESBA- Handbook_Web.pdf
3. Code of Ethics for Professional Accountants - International Federation of Accountants (IFAC).
4. Internal Control - Integrated Framework. Executive Summary (2013). Committee of Sponsoring Organizations of the Treadway Commission. The Institute of Internal Auditors. Retrieved from:
https://www.coso.org/Documents/990025P-Executive-Summary-final-may20.pdf 5. M. Rizvanova (2014). Internal Control System within organization. Retrieved from:
https://www.cfin.ru/finanalysis/risk/internal_control_system.shtml
6. Sonin A., Egorova E. (2021). Issledovaniye tekushchego sostoyaniya I tendentsii razvitiya vnutrennego audita v Rossii [Study of the current state and trends of development of internal audit in Russia]. EY & IIA. Retrieved from: https://assets.ey.com/content/dam/ey-sites/ey- com/ru_ru/topics/consulting/ey-internal-audit-study-2021-v3.pdf?download
7. State of the Internal Audit Profession (2019). PwC & IIA
8. Charlie T. Wright (2021). Future ready. The Institute of Internal Auditors.
9. Optimizing Talent Management in a Changing Audit Landscape (2019). The Institute of Internal Auditors. Retrieved from: https://www.theiia.org/GPI
10. Internal Audit’s Digital Transformation Imperative: Advances Amid Crisis (2021). The Institute of Internal Auditors. Retrieved from: https://www.iia-
ru.ru/upload/documents/applied_materials/it/2021%20IAs%20Dig%20Transf%20Imperative%2 0Report_AuditBoard.pdf
11. The Three Lines Model – An Important Tool for the Success of Every Organization (2021) The Institute of Internal Auditors. Retrieved from: https://www.iia-
ru.ru/upload/documents/professional_practice/position_papers/GPAI-Three-Lines-Model-An- Important-Tool-for-the-Success-of-Every-Organization.pdf
12. The IIA’s Three Lines Model: An update of the Three Lines of Defense. (2020) The Institute of Internal Auditors. Retrieved from: https://www.iia-
ru.ru/upload/documents/professional_practice/position_papers/Three-Lines-Model-Updated.pdf