ROP IN INTERNAL CONTROL OF AUTONOMOUS INSTITUTIONS.
By virtue of Art. 19 of the Federal Law of December 6, 2011 No. 402-FZ “On Accounting”, autonomous institutions, like other economic entities, are obliged to organize and carry out internal control of the facts of economic life. At the same time, AUs can carry out internal control using the ROP model, which will increase the efficiency of the internal control service due to a more correct selection of control objects. Without reiterating the advantages of the ROP, let us focus on two factors that enhance the importance of the ROP in the internal control of an autonomous institution.
Firstly, taking into account the stated state policy in the field of supervision, EPR appears to be a preferable option compared to the traditional control model. Supervisory authorities, when applying ROP, include the quality of internal control of the audited organization in the risk assessment criteria. If the control models coincide, it is easier for the regulatory authority to make sure that it is a bona fide business entity. In turn, the formation of an opinion on the part of supervisory authorities about the AU as a bona fide person will bring the institution a reduction in the administrative burden.
Secondly, ROP is justified for large multidisciplinary autonomous institutions and (or) those that have an extensive branch network. The traditional approach assumes that divisions and branches will be checked one after another in order of priority. The irregularity of inspections is difficult to justify within the framework of the usual control model; as a result, increased control is applied after an incident (for example, an accident, theft, a sanction from a supervisory authority). ROP allows you to formulate criteria for the frequency and depth of inspection, make them public for your structural units and exercise control primarily in relation to dysfunctional branches, while reducing attention to exemplary units and without causing accusations of bias.
When drawing up an inspection plan for branches (divisions) based on the ROP, a “heat” risk map can be used. This is a visual tool, formed in the form of a matrix, to identify areas of increased (decreased) risks. Low risks are reflected in the “cold” zone (usually shown in green), medium risks in the “warm” yellow zone, and high risks in the “hot” red zone.
For example, let’s build a risk map based on two indicators: the level of potential threats and the quality of preventive measures. At the first stage, a specialist from the internal control service identifies threats and ranks them depending on the degree of danger (one of the criteria may be the amount of potential damage in rubles). Next, the quality of preventive measures is assessed, which is influenced, in particular, by the professionalism of the staff, safety precautions, and the availability of insurance. The risk heat map is then completed. If an institution has a large branch with low quality management, it will be included in zone 3D (special control), a small successful branch, accordingly, will be placed in zone 1A (lack of control).
| Potential threat | Quality of preventive measures | |||
| A (high) | B (moderate high) | C (moderately low) | D (low) | |
| 3 (high) | 3A | 3B | 3C | 3D |
| 2 (average) | 2A | 2B | 2C | 2D |
| 1 (low) | 1A | 1B | 1C | 1D |
Note. When drawing up a heat map of risks, a different color scale was chosen, but the map also has a gradation corresponding to cold, warm and hot zones.
As you can see, the following zones are highlighted on the heat map:
- high risk – 3D, 3C, 2D;
- medium risk – 3A, 3B, 2B, 2C, 1C, 1D;
- low risk – 1A, 2A, 1B.
Modes for monitoring branch activities based on a risk heat map range from minor intervention (zones 3A, 3B, 2B, 2C, 1C, 1D) to urgent intervention, when all possible measures are used to reduce the risk (zones 3D, 3C, 2D). Branches in the reduced risk categories (Zones 1A, 2A, 1B) are reviewed either as circumstances arise or when included in a selective case study.
ESSENCE OF ROP.
The main objective of the risk-based approach, regardless of the area of its application, is to achieve set goals by reducing risks. The high popularity of EPR (compared to traditional control) is ensured by its focus on high-risk areas, which makes it possible to take preventive measures in a timely manner, identify and eliminate weaknesses, and thereby avoid the negative consequences of risk occurrence. ROP is based on several principles.
| ROP principle | Nature of manifestation |
| Resource Allocation | Resources are not distributed evenly, but taking into account the size of the risk (this applies to both frequency and depth of inspection) |
| Proportionality | The measures taken by the controller are adequate to the calculated risk |
| Flexibility | Regular reassessment of risk based on new factors and threats |
| Legality | The action (inaction) of the controller is based on a documented risk assessment system |
| Openness | Evaluation criteria and risk classes are open to supervised persons |
The basis of the ROP is a risk assessment, designed to ensure that the controller understands the vulnerability to risk of the inspected object. As noted above, assessing risks is not necessarily difficult (using electronic systems), but in any case, the assessment must be adequate to the nature and scope of activities of the organization (division, work area) being audited. For example, ROP in state control will manifest itself in the fact that in relation to a small autonomous institution, the supervisory authority during an inspection may limit itself to the simplest risk assessment procedure. And vice versa: a more complex, comprehensive risk assessment procedure will be applied to a multi-branch AC.
Below in tabular form is an approximate description of enhanced (weakened) verification depending on the level of risk.
| Risk assessment | Risk level | |
| Elevated | Reduced | |
| Nature of monitoring | Daily monitoring, manual monitoring, frequent analysis of information, identification of warning signs, communication of monitoring results to management | Establishing threshold values, lower frequency of monitoring, use of automated systems |
| Nature of the test | Obtaining and studying additional information, using it to assess risk | Obtaining less information and/or conducting a less in-depth inspection, later inspection |
HISTORY OF ROP.
The risk management system owes its birth to the financial sector, which (unlike other areas of the economy) regularly takes on risks in order to receive a reward for bearing them. This specific nature of activity encourages banks, insurers, and investment fund management companies not to avoid risks, to minimize them, but to manage and measure them in order to establish adequate prices for their financial services (which affects loan rates, the cost of securities, and the size of insurance premiums). Professional risk assessment in financial companies is carried out by specialized units whose task is exclusively risk management.
The similarity of the work of risk management departments and internal audit services (internal control) led to the fact that ROP gradually penetrated into traditional auditing, and from there into other types of control and supervision, including state control. In parallel (since in the field of control (supervision) precise measurement methods turned out to be clearly redundant), there was a simplification of risk assessment methods, a reorientation from economic and mathematical models to others (for example, expert ones), accessible to most specialists. Thus, if the accuracy of risk assessment by professional financiers reaches tenths, hundredths of a percent, in ordinary control (supervision) it is enough to rank the risks into groups (for example, high, medium or low risk). In a sense, there was a “desacralization” of knowledge about risks, which allowed them to penetrate into all areas of control.
