The role of internal audit in enterprise import operations risk management

Summary

risk import activity management

The article highlights the main risks of import activity and its impact on the achievement of the company's business objectives. The functions of internal audit on risk management, control and corporate governance are defined. The main stages of the risk management of import activity, features of risk identification, its estimation and choice of the type of risk response are characterized. A risk register has been modeled and riskappetite of the enterprise has been determined. The relationship between the level of enterprise risk maturity and the methodology of internal audit is highlighted.

Key words: import operation risk, internal audit, risk management, risk response, probability of risk occurrence, risk impact, risk appetite, risk maturity level, risk register.

1. Formulation of the problem

In the conditions of intensification of European integration, there is a deepening of socio-economic and political relations between the states, making new demands on the quality of products, goods and services. Both those that are exported and those that are aimed at satisfying demand in the domestic market. Today the importance of import activity is increasing as market satiety with high-quality consumer goods, expansion of its assortment, introduction of advanced technologies and foreign experience is taking place. Import activity is characterized by the presence of a significant number of risks that affect the achievement of operational and strategic objectives of the enterprise. Implementation of risk-oriented internal audit to assess the effectiveness of enterprise risk management of the specified risks makes it possible to establish the adequacy of their assessment, the risk response and in general is essential for the effective import activity of the enterprise.

Analysis of actual research. The problem of development of theoretical aspects and methodology of internal audit is investigated in the scientific works of S.V. Bardash, V.V. Golovach, N.I. Dorosh, T.O. Ka- menska, O.A. Petryk, N. M. Proskurina, O.Yu. Redko, V.S. Rudnytskyi, L.O. Sukha- reva, N.S. Shalimova, M.M. Shyhun, A.V. Yanchev.

Despite the fact that the importance and attention to risk management process and assessment problems has increased recently, the issue of implementing the concept of internal audit aimed at assessing risk management process to the practical activity of import enterprises, requires further investigation and research.

The purpose of research is to identify the main risks that arise when carrying out import transactions; disclose the risk management process of import operations; model the risk register of import operations; define the internal audit functions for assessing enterprise risk management.

2. Presenting of the main results

The risks that arise in the course of import operations are often related to the complexity of applying tax and customs legislation, the peculiarities of transporting goods and crossing the border, the need to make settlements in foreign currency, and the specifics of these settlements. In accordance with the special characteristics of import activities it is useful in the broad sense to distinguish the risks that are directly related to the goods and that are related to the settlements for them. The different nature of these risks and their possible impact on the activity of the company make it possible to classify risks into different groups: strategic, operational, information risks, which in future determines the peculiarities of risk assessment and risk response.

The main risks that may arise in the course of import operations are: information risks that arise at the stage of market research, related to the analysis of prices and product quality and the conclusion of the foreign economic contract; difficult political or economic situation in the supplier's country, risks of public order violations leading to the impossibility of supplying goods; potential loss or damage of goods during transit; transport delays and potential delays in ports; storage of goods in customs warehouses; currency fluctuations.

The risk management system can be created at the enterprise to manage the risks properly. The main functions of risk management are:

• development and implementation of the general risk management process, which includes an analysis of the financial impact of risks on the enterprise activities;

• risk assessment, analysis of current risks and identification of potential risks;

• determining the level of risk an enterprise is ready to accept;

• calculation of insurance budgets, accounting of insurance policies;

• risk reporting to meet the information needs of stakeholders;

• informing staff of existing and potential risks through support and training;

• communication with auditors when conducting an internal audit of enterprise risk management process [11, p. 58].

In accordance with the International Standard for the Professional Practice of Internal Auditing 2100 «Nature of work» [13, p. 12], the nature of internal audit is that it should evaluate and enhance the efficiency of corporate governance, risk management and control using a risk-based approach. At the same time the value of internal audit increases if the assessment of effectiveness determines the future impact and improves the risk management process. In accordance with the International Standard for the Professional Practice of Internal Auditing 2120 «Risk management» [13, p. 13] an internal audit should assess the impact of risk in terms of strategic management, reliability and integrity of financial information in the management system, asset protection, compliance with laws, internal regulations, policies and terms of contracts.

At the planning stage of the internal audit of risk management assessment the head of the internal audit should develop a plan and program that takes into account the strategic objectives of the enterprise, the risks that affect them and the process of managing those risks [14, p. 286]. Taking into account the specificity of import activities and the continuous increase in the number of risks accompanying it, the internal audit plan needs to be updated and adjusted. In addition, at the planning stage, it is necessary to identify the most risky aspects of the activity based on the strategy of the company, discuss all possible risks with the management of the organization, review the risk register, enterprise risk appetite and corporate risk management approach.

When planning an internal audit the risk maturity level is important, that is how effective an enterprise manages risks. The conducted researches have shown that the following levels of maturity are mainly determined: primary risk; determined risk; implemented risk; managed risk; optimized risk [11, p. 51]. Such maturity levels characterize the gradual increase in the level of risk management at the enterprise. In terms of risk management the primary level assumes that there is no formal risk management approach; determined risk - the approach to risk management is partially determined; implemented risk - the strategy for identifying and managing risks is carried out locally; managed risk - risk management policy is developed and implemented through discussion; optimized level - risk management and monitoring are embedded in the operations, and therefore the understanding of the process is quite high and experienced.

Internal auditor's actions under different maturity levels are described below but it is considered that an effective internal audit of risk management assessment can be conducted only if there is a risk register created and a corporate risk management model.

Primary risk - internal audit is aimed only at controls. Planning can be undertaken but not documented.

Determined risk - the work of internal audit mainly focuses on controls and risks, but not on corporate governance. Planning is carried out and documented.

Realized risk - internal audit focuses on control, risk and corporate governance. Planning and documentation of internal audit is carried out and interested parties are not involved to the planning process.

Managed risk - internal audit work aimed at control, risk and corporate governance. Internal auditors use in their work the risks identified in the risk register, but do not use a defined concept of control, although the internal audit plan is also subject to periodic adjustments.

Optimized risk - internal audit aimed at controls, risks and corporate governance. At the same time in the internal audit plan there is a clear link with the risks identified by the enterprise, which are reflected in the corporate risk register. Once the risk is optimized, the internal audit plan is periodically subject to adjustments depending on the specific circumstances that arise, and the internal audit uses its defined concept of control in its work. Internal audit planning is carried out with the involvement of all stakeholders, because in the case of optimized risk the risk register reflects the priorities of the board of directors of the company and other stakeholders.

The risk management process is cyclical and consists of the following stages: identification of risk, its assessment, implementation of response measures and monitoring. Risk identification is the first stage in the risk management process and involves all individuals who have appropriate experience and influence on the part of the enterprise where the risks are identified. For example, managers of foreign economic activity, customs brokers can be involved to the process of identifying risks that characterize import activity. Considerable attention is needed to be given to the identification process in order to identify all potential risks, from those with the maximum exposure and ending up with the lowest exposure. At the same time it is important to identify the main risks that can have a significant impact on the successful enterprise activity and its achievement of strategic and operational goals. Some risks can be so unpredictable that there are difficulties not only with their identification, but also with determining of their level of influence.

The next step is the assessment of the identified risks. It has to deal with two aspects - the level of influence and probability. The main purpose of this stage is to determine what losses would have the enterprise in the event of this risk by means of quantitative and qualitative methods. As a result of the assessment the company receives a list of potential risks. The assessment of identified risks can be carried out in several ways: the setting of the score and expert probability.

When using a score assessment, the probability of occurrence of a risk is determined using scores, for example, from 1 to 9. In this case score 1 is given to risk, which is practically impossible to occur, score 9 - if the manager is sure that the risk will occur. Grades from 2 to 8 are assigned to risks depending on how possible the risk manager considers its occurrence. A graphic representation of risks (risk map) can be a logical extension of the indicated method, which is an effective form of information visualization from the point of view of its perception and enables to identify the risks that constitute the greatest threat to the enterprise. In this regard it should be noted that the application of the method of score assessments is appropriate if the number of risks is insignificant and their probability and level of impact can be determined unambiguously.

The method of expert probability for risk assessment is used if the company identified a significant number of risks, and therefore the probability of their occurrence and the level of influence on the company's activity is more appropriate to determine by using twodigit numbers from 0,01 to 0,99 [1]. In order to establish the significance of each risk the magnitude of the

Identification and risk assessment further implies the need for appropriate responses to it. It is important to create a reliable internal control system integrated into the corporate governance system and corporate culture. Until recently the internal control model COSO ERM, developed in 2004, was the most common. It includes eight components: internal environment, objective setting, event identification, risk assessment, control activities, information and communication, monitoring. These components are integrated into the corporate governance system and should be consistent with the company's strategic purposes. However, it should be noted that the described components are more focused on the risk management process and are separated from their practical implementation and integration into the current needs of enterprise activity. In this regard in 2017 the COSO ERM system has been substantially improved. The main components of the updated concept are: management and culture; strategy and objective setting; efficiency of activity; monitoring and implementation of changes; information, communication and reporting. At the same time risk management is not just a function or a specially organized department, it is first of all a culture, competencies, practices that are integrated into the process of developing a strategy and managing enterprise efficiency [9].

The choice of the risk response type depends on the probability of its occurrence and the level of impact on the enterprise. In general, there are different views on identifying types of risk response. Thus, most foreign risk-management scholars, in particular P. Hopkin [11, p. 173], argue that there are four main types of risk occurrence probability should be multiplied by a probabilistic indicator of the consequences of this risk for the enterprise. Risk ranking on the basis of this overall risk assessment makes it possible to distinguish those risks that are the greatest threat to achieving strategic and operational objectives of the company. At the same time it should be noted that the overall assessment of risk, determined on the basis of the probability of its occurrence and the severity of impact, may not always be able to characterize the actual situation, therefore it is expedient to deepen it with the cost value of risk.

Table 1 Ranking of the risk severity levels for the enterprise

Source: developed by the authors on the basis of [5]

In general the assessment of each risk component - the probability of occurrence and impact, as well as its impact on separate goals or general purpose of the enterprise is a complex process, however, we can distinguish five levels of significance, which are given in Table. 1 response: risk acceptance, risk transfer, risk mitigation, risk avoidance as non-implementation of the business transaction. P.V. Strelnikov [17, p. 132] believes that four main methods of response should be distinguished: the method of refusal (the rejection of excessively risky activity), the method of reduction (prevention or diversification), the method of transfer (outsourcing of costly risk functions), the method of adoption (formation of reserves or stocks). L.M. Cherchyk [3, p. 181] proposes to divide all types of response into external (risk-sharing, insurance) and internal (limitation, diversification, reserve creation, obtaining additional information). V.V. Hlushchevskyi [10, p. 121] highlights the following types of response: risk avoidance, risk prevention, risk acceptance (saving), risk reduction (optimization). According to O.V. Smetanko [15, p. 139] it is necessary to distinguish such methods of response as: outsourcing; diversification; control; freighting; limitation; localization; absorption; search of guarantors; asset reservation; self-insurance; insurance; risk aversion; hedging. K. Spencer [16, p. 183] identifies ten types of risk response, which include: termination of the operation, increased control, risk transfer, making contingency, risk taking, forced risk acceptance, communication, risk analysis, compliance checking, transfer of information about risk. We see that despite a large number of views on the identifying of the main types (methods) of risk response, their nature is generally boiled down to four main: the acceptance of risk, its transmission, risk mitigation and its avoidance, while other methods are branching the previous ones, supplementing them, detailing and enable

the enterprise to choose the type that is most suitable for it and depends on the specific circumstances that have arisen at the enterprise.

The described risk management process is simple and logical, it enables to identify risks, adequately assess them and ensure that clear decisions are made on choosing the appropriate type of response.

The risk register is an important attribute of risk management maturity. The risk register is a tool for mapping risk assessments and making decisions about identified risks, including for internal audit needs. The maintenance of the risk register makes it possible to record the risks associated with the processes and determine their importance. The register should be continuously updated and adjusted to take into account enterprise objectives, internal and external risks, control measures. At the same time it is necessary to consider that there is a need to create a risk register «before» and «after» the adoption of internal control measures. It should be noted that before taking appropriate measures we are dealing with an inherent risk, after taking measures - the residual. We will demonstrate the process of determining the residual risk of an enterprise in figure 1. The results of the analysis of the response types to various types of risks that arise when carrying out the import operations at the enterprise, are given in Table. 2.

Table 2 Risks responses of the enterprise that carries out import operations

Source: developed by the authors

Figure 1 Determination of the enterprise residual risk Source: developed by the authors

The identifying of risk assessment as significant or insignificant in the register depends on its perception by the enterprise, its risk appetite. Risk appetite is the level of risk an enterprise is ready to take in accordance with its strategic and operational objectives. The concept of risk appetite aims at improving the effectiveness of internal control, while risk management should be carried out in such way that according to the results of risk management they do not exceed the defined risk appetite. Risk appetite shows how company sees the residual risk after its disclosing through an appropriate strategy, whether it is acceptable or whether more measures are needed to maintain it [5, p. 18]. Measurement of risk appetite can be carried out both qualitatively (from the position of risks classification to high, medium and low) and quantitatively (from the point of view of cost value of the risk impact on the achievement of the enterprise purposes). The definition of risk appetite is generally associated with certain subjective features that characterize managers who make decisions about risk management, since the risk appetite does not always depend on objective factors, but may be determined subjectively. The described subjectivity useful to consider from the position of two investors. The first investor prefers an investment with very low risk, but usually with a low profitability or low stock index, while the other - can invest in a startup stake of high-tech low-capital companies, but with the expectation of a very high profitability. The latter investor may be characterized as having a high risk profile [14, p. 125].

Suppose that PLC «Genesis», a distributor of medical goods, carries out their import from India. It is possible to modify the risk register of the company foreign- economic activity, which is part of the overall corporate risk register, actually defines the risks that arise in the process of enterprise resourcing and is shown in the table 3. Assessing the probability of risk occurrence and its impact we will use scores from 1 to 5, since the number of risks is insignificant, and therefore the use of the expert probability method is inappropriate. We will calculate the significance (general assessment) of risk for an enterprise by multiplying the estimated level of impact by the probability of risk occurrence.

Table 3 Risk register of foreign economic activity department

1. Bedford T. Probabilistic risk analysis: foundations and methods / T. Bedford, R. Cooke. - Cambridge: Cambridge University Press, 2001. - 414 p.

2. Benes V. Internal audit and it's approach to the risk mitigation / Adalta: Journal of Interdisciplinary Research. - 2012. - Issue 2.

3. Cherchyk L.M. System of enterprise risk management: essence and components / L. M. Cherchyk, I. Ivashkevych, S. Behun // Economic forum. - 2017. - № 1. - P. 178-184.

4. Crouhy M. The essentials of risk management / M. Crouhy, D. Galai, R. Mark. - NewYork: McGrawHill, 2014. - 672 p.

5. Dorosh N.I. Assessment of risk management as a function of internal risk-oriented audit / N. I. Dorosh // Bulletin of the Taras Shevchenko National University of Kyiv. Economy. - 2017 - Issue 5. - P. 13-21.

6. Dorosh N.I. Internal control and audit in enter prise risk management / N. I. Dorosh // Visnyk of Lviv Commercial Academy. Series: Economic. - 2014. - Issue. 44. - P. 148-152..

7. Dorosh N.I. Risk assessment in audit / N. I. Dorosh / / Scientific bulletin of the National Academy of Statistics, Accounting and audit - 2017. - Issue 5.

8. Dorosh N.I. Internal audit functions on assessment of enterprise risk management / N. I. Dorosh, A. S. Shapoval // Trade, commerce, entrepreneurship. - 2014. - Issue 16. - P. 164-167. - Access mode: http://nbuv.gov.ua/UJRN/Torg_2014_16_38.

9. Enterprise Risk Management - Integrated Framework // [Electronic resource]. - Access mode: https ://www. coso. org/

10. Hlushchevskyi V.V. Methodological basis of the risk management concept of entrepreneurial activity / V.V. Hlushchevskyi // Finance of Ukraine. - 2009. - № 10. - P. 116-124.

11. Hopkin P. Fundamentals of risk management: understanding, evaluating and implementing effective risk management / P. Hopkin. - 5th. ed. - Kogan Page. - 2018 - 441 p.

12. International Standard on Auditing (ISA) 315 «Identifying and assessing the risks of material misstatement through understanding the entity and its environment» // [Electronic resource]. - Access mode: http://www.ifac.org/system/files/downloads/a017- 2010-iaasb-handbook-isa-315.pdf

13. International Standards for the Professional Practice of Internal Auditing 2017 Edition. Copyright © 2018 The Institute of Internal Auditors. All Rights Reserved. // [Electronic resource]. - Access mode: https://na.theiia.org/standards-guidance/Pub- lic%20Documents/IPPF-Standards-2017 .pdf

14. Moeller R. Brink's modern internal auditing: a common body of knowledge / R. Moeller. - 8th ed. - JohnWiley & Sons, Inc. - 2016 - 832 p.

15. Smetanko O. V. Improving of the process of risk identification and response by the internal audit service / O.V. Smetanko // Economic Journal-XXI. - 2014 - № 11-12. - P. 135-139.

16. Spencer K. The internal auditing handbook / K. Spencer. - 3rd ed. - JohnWiley & Sons, Inc. - 2010- 1088 p.

17. Strelnikov P.V. Risk Management / P.V. Strelnikov, D.P. Strelnikova // Mathematical Machines and Systems. - 2017. - № 1. - P. 131-133.

Размещено на Allbest.ru