Internal Control and the Russian Environment

Submitted by: Carl Burch, CMA, CIA

Finance and Accounting Lecturer
Moscow, Russia
Cburch@global.t-bird.edu

Introduction
Generally, any discussion about internal controls starts COSO’s (Committee of Sponsoring Organizations of the
Treadway Commission) Internal Control – Integrated Framework. This report was the first document that formally
set out what internal control actually is, and what its function is within an organization. Prior to this document it was
difficult for companies to assess whether their internal controls were effective, or not.
The Integrated Framework demonstrated that the basic foundation of any organization’s internal control system are
the five elements of internal control. These elements of internal control exist in every organization, in every country.
How well these elements are developed and implemented in a company will play a very important role in
determining the success of the internal control system for the company. Because these elements of internal control
are the basis of IC of a company, we will start our discussion of Internal Controls in Russia by outlining what these
five elements are.
These five elements of internal control are: 1) the control environment, 2) risk assessment, 3) control activities, 4)
information and communication, 5) monitoring.
1) The Control Environment is the most important of the elements because it lays the foundation for all
other components of internal control. The control environment is the atmosphere within the company and
the attitude of individuals in the organization (including top management) to internal controls. A strong
control environment makes all of the controls more effective. On the other hand, when there is a poor
environment, even the controls that could work often will not because they are not perceived by
individuals to have value. The control environment sets the tone for the rest of the company. Because of
its importance, it is critical that management help create the proper environment in the company.
Some of the items that are included in control environment include:
 The integrity, ethical values and competences of the company’s people.
 The way management assigns authority and responsibility, and how it organizes and develops its
people.
 The attention and direction provided by the board of directors.
 Management’s philosophy and operating style.
Two important ways that top management can do this are to:
1) Follow the controls themselves, and
2) Make it clear that they expect others to follow the controls and those who don’t follow the
controls do not have a place in the organization.

2) Risk Assessment relates to the company’s own assessments of the risks the organization faces. It is
important to distinguish that this is the risk assessment of the company’s management, not the risk
assessment that is done by the external auditors or by external consultants. This is essentially
management asking itself questions such as: “What could go wrong here?” and, “What assets do we
need to protect?” If management is unable to identify the risks that face the organization, then it is very
unlikely that they will be able to mitigate, or reduce, the dangers that the company faces from these
risks. These risks may be external or internal to the company; the source of the risk is not important.

3) Control Activities are all of the different policies and procedures that the company has in place to help
ensure that its objectives are met. These controls should all be designed with the intention to mitigate the
risks that the company faces and to ensure that the company achieves its objectives. For the controls to
work effectively, the control activities not only have to be designed well, but they also actually have to be
implemented. Simply designing controls will do nothing if the controls are not consistently and properly
applied.
 The most important control activity is the segregation of duties. Certain activities within an organization
(and more specifically within a specific transaction cycle) should be performed by different people. This
performance of related tasks by different people works as a system of checks and balances making
certain that no individual person is in a position to perpetrate a fraud. The duties that need to be
segregated within a specific cycle are: authorizing a transaction, recording the transaction, keeping
physical custody of the asset and a periodic reconciliation between the amount on hand and the
recorded amount that should be on hand. These duties should be segregated in all of the different
transaction cycles that a business has (cash receipts, cash disbursements, inventory and payroll, for
example).
For example, a person should not be able to collect cash from the customer (physical custody of the
asset) and then have the responsibility of reconciling the bank statement (record keeping). Without a
proper segregation of these two duties, this person could take the cash and then adjust the bank
reconciliation so that it appears that everything reconciles.
4) Information and Communication in the company covers the flow of information within the organization.
In any organization, information needs to flow both up the organizational chart and down the
organizational chart (and even across the organizational chart). The most fundamental goal of
information and communication is that he right people have the right information in time to make a
decision. This means that information needs to be relevant and timely. Without timely information, it’s
more difficult for managers to make the right decisions because they may be making decisions today
based on last month’s information.
5) Monitoring is a critical and ongoing part of an internal control system. Monitoring is the means of
assessing the quality of internal control’s performance over time. Even the strongest internal control
system will need to be changed periodically as a result of a change in the operations of the company, a
change in the organization of the company, a change in technology or even a change in personnel. Just
because the internal control policies and procedures were effective, relevant and working when they
were implemented does not mean that they will continue to be so over time. Management must monitor
the controls on an ongoing basis to make certain that they are both still relevant and still being
implemented correctly.

At this point, you may be thinking that there is a lot of time and effort put into establishing and maintaining an
internal control system over time. The next question is whether or not this investment is worth it to the company.
While these are good questions, they may not really be looking at the situation from the correct perspective.
Instead of asking whether a company can afford a good internal control system, the better question is whether or
not the company can afford to not implement something that will help the company achieve its objectives, protect
its assets and help ensure that management has the best and most correct information to make decisions with.
Clearly, there are a lot of benefits to an internal control system and it is these benefits that are important to keep in
mind. While there are a lot of benefits to strong internal controls, the first three that come to mind are:
1) Better control over the assets of the company. Better control means knowing where the company’s
assets are, and who is responsible for them. Knowing this, there is a better chance that the assets actually
are retained in the company, are being used productively for the company and are being maintained.
Control over assets also reduces the chance of fraud being committed in the company.
2) Reliable information for the use in decision-making. Ultimately, the decisions that management makes
will determine the success or failure of the company. Therefore, the more reliable the information
management is receiving, the better chance there is that the right decisions will be made. Internal controls
help ensure that the information that is given to management is actually correct.
3) Lower external audit costs. With strong internal control systems, the numbers that come out of the
accounting system will be more reliable. Because of this, the external auditors are not going to have to do
as much work in verifying financial numbers. Because of this reduction in the amount of work that has to be
done by the auditor because of the strong internal control system in the company, the external audit fees
will be reduced in time. (This reduction may not be seen in the year internal controls are implemented
because the auditor will need to have some assurance that the controls are actually working as they are
intended to.)
While we have spoken very highly of internal controls and outlined some of the benefits of having a strong internal
control system, it also has to be kept in mind that internal controls only help a company achieve their objectives.
Unfortunately, they do not provide a guarantee that the company will achieve its operational, financial reporting,
and compliance objectives. The term that is used to describe this limitation is that strong internal controls can only
provide reasonable assurance about the achievement of objectives, not a guarantee.
It doesn’t matter where your business is, whether it’s in the U.S, or Russia, or China, or Brazil or Germany, without
good strong controls companies will have a harder time making it then companies with strong controls. Each day
this becomes even truer as global competition increases and the scope of who a company’s competitors are
increases to company in other countries and other parts of the world.

From my own experience having worked in Russia for the past twelve years for and with many different companies
in many different positions (i.e., financial analyst, business development, financial controller, corporate controller),
they have all had a weakness in internal control in common. Some of the more common weaknesses (and the risk
or difficulty that they cause the company) that existed in these companies are:
 Planning and budgeting are weak. Without knowing what the company is trying to achieve, it is very difficult
to measure success and identify areas of the business that are not performing well.
 Financial and accounting reports lacked transparency. This means that data presented could not be relied
upon. This makes any kind of analysis difficult and also causes higher external audit and financing costs to
the company.
 Reports were not timely. If reports and information are delivered late to the decision maker, good decisions
cannot be made.
 Lack of understanding what reports were actually needed to improve operations. Often times reports were
prepared that were not relevant to the decisions that needed to made. This means that not only are
decision makers making decisions without the needed information, but also that time and efforts are being
wasted preparing something that is not needed.
 Management was not held responsible for results. While there are always factors outside the influence of
management that impact operations, management needs to be held accountable for the results of their
area. This does not mean only top management, but a manager on an assembly line needs to be held
responsible for the results and production of their part of the assembly line.
 Lack of segregation of duties. As discussed above, this is absolutely critical for a company, but lacking or
underdeveloped in many of the companies that I have worked with in Russia.

These are the main weaknesses that I have encountered in internal control systems in Russia. However, while it is
clear that the internal control environment and systems in many Russian companies need to be improved, it is
important to keep in mind two things:
1) These weaknesses are not unique only to Russia, and
2) The majority of Russian businesses are still fairly young and, in essence, still going through their
growing pains. As they grow, hopefully they will develop their internal control environments and
systems and they will become better and stronger in this area. The risk for these companies is that if
they do not develop their internal control systems, it is more and more likely that they will be competing
against a company that does have a strong internal control system. And in this competition, the
company with the internal control system is operating with better information, better utilized assets and
more efficiently because of their internal controls

The extent to which an internal control system works, will depend largely (but not entirely) on management. It does
not matter where the company is (Russia, U.S., China, or somewhere else), it will be the mangers who decide
whether improvements in the controls systems are to be made or not and it is management who is most
responsible for setting the control environment for the organization.
The effectiveness of an internal control system is not 100% dependent upon management because there are
others in the organization who follow and implement the controls. Because everyone in the organization comes into
contact with controls during the performance of their duties, every person in the organization shares responsibility
for the effective operation of the internal controls system. (For example, even the newest member of the
accounting team has a duty to follow the controls and to report situations in which the controls are not followed.)

What can be done to improve an organization’s internal control system?

It’s important to remember that every organization can improve their internal control systems. It does not matter
whether we are talking about multibillion-dollar companies like Wal-Mart or G.E., or Gazprom, internal controls can
always be made tighter and stronger.
So how do we do this? I see four things that people within any organization can do to improve their company’s
internal control systems. These four things can be done in Russia and are:
1) Getting management on board about wanting to improve their control systems. While this might
sound easy, it is often not easy. It helps management to present the benefits of tight controls in a numerical
and clear manner (for example, effectiveness and efficiency of operations and transparency of financial
reports). Given the basic business culture in Russia of avoiding taxes this is a great challenge, but the
change of this attitude of people within the organization must be made and it must be started.
2) Getting management to sign off on operating and financial management reports. It has to be
management’s reports, not the accountant’s. I found that management takes a lot more interest in the
reports if they have to sign off on them. While this is absolutely necessary for any improvement to be made
in the internal control system, but they will also quickly find out that they actually have a better
understanding of the reports and thus, can make better decisions.
3) Doing what you can to improve the ‘Ethical Culture” of the company. This is part of the control
environment that we discussed earlier. For example, does your company have a ‘Code of Ethics’? Does it
follow the Code? Do people understand the ‘Code’? Surprisingly, just having a Code does make a
difference in the company. If your company does not have a ‘Code,’ you can help to get one adopted. Try
to be the person of change in the company.
4) Do not be afraid to report unethical behavior even if this means having to quit the organization. It
should not matter what position you have within the company, if there is unethical behavior being
conducted, then it has to be reported. Does your company have a hot line, or is there some other way of
reporting unethical behavior? If there’s not a program, start such a program? It is very easy to say that an
individual should report unethical behavior, but much harder for that person to actually do it. However, in a
strong control environment and in an organization where management supports internal controls, it is
much easier to report unethical behavior.

As anyone who has worked in Russia will verify, doing business here is not always easy and presents certain
challenges. One of these challenges is changing the attitude towards internal controls. But, one thing that I have
learned about working here is that a person can be successful if they are patient and persistent in pursuing their
goal.