In today’s business environment, characterized by high volatility and complex regulatory demands, the internal control system (ICS) has evolved beyond a routine compliance-checking function. It now serves as a strategic corporate asset, and its effectiveness is a reliable indicator of an organization’s overall health.
A well-designed ICS assessment does more than minimize risks; it uncovers hidden opportunities to enhance operational efficiency. A compelling illustration of this transformational potential is the experience of several Russian companies that have adopted tax monitoring regimes.
To be effective, an internal control assessment cannot be one-dimensional. Experts from these organizations emphasize that a complete picture emerges from integrating three complementary approaches:
- Reliability assessment. This is the foundational level addressing the issue of whether the control procedures function as planned. This approach verifies if the existing control mechanisms truly mitigate the stated risks and if they are performed in a timely and proper manner. Essentially, this is a stress test, the bedrock of the entire system.
- Effectiveness assessment. This next, more in-depth level of analysis questions whether there is too much control. It focuses on optimizing the costs associated with control activities. Effectiveness evaluates whether the system is excessive or, on the contrary, insufficient. Perhaps five procedures can handle the task as well as twenty, and manual operations can be successfully replaced by automated ones, freeing up resources.
- Maturity assessment. This is the strategic level, determining how well the ICS is integrated into the company’s management culture. A mature system is not a set of disparate procedures but a living organism capable of self-learning and adaptation. It requires an active role for top management, continuous process improvement, and a focus on risk management rather than on correcting past errors.
Tax monitoring as a catalyst for development
It is the assessment of ICS maturity that has come to the forefront with the introduction of tax monitoring in Russia. This progressive form of interaction with the Federal Tax Service (FTS) has replaced conventional on-site audits with continuous online dialogue. In exchange for transparency and granting access to data, companies receive significant benefits: accelerated refund of overpayments, no desk or field audits, and the ability to promptly consult on complex tax matters.
The key condition for entering this mode is a high level of ICS maturity. The Tax Service, based on international principles (the COSO framework), has developed a detailed assessment methodology comprising 20 criteria grouped into five components: control environment, risk assessment, control activities, information and communication, and monitoring.
In practice, this means a company must not only have control procedures but also provide documented evidence of their functionality, effectiveness, and integration into business processes. This requires meeting the following parameters:
- Management is genuinely involved, not just formally, in assessing and developing the ICS.
- All key processes are formalized, and employees are trained and understand their role within the control system.
- The company is actively progressing to automation, reducing dependence on manual labor and the human factor.
- There is continuous monitoring and an action plan for improving the ICS.
This approach transforms the ICS from a burdensome necessity into a tool for genuine business improvement. Companies that have undergone this “reboot” note that the forced comprehensive process review allowed them to identify duplicate functions, eliminate redundant approvals, and consequently, increase decision-making speed and reduce operational costs.
From control to efficiency
The experience accumulated under tax monitoring clearly demonstrates that the scope of the internal control system has long extended beyond accounting and finance. Today, it is a universal model applicable for diagnosing the overall health of a company.
Reliability assessment shows how well the business is protected from operational failures and fraud. Effectiveness assessment reveals hidden losses and bottlenecks hindering development. Maturity assessment, in turn, speaks to strategic resilience — the management’s ability to build transparent and manageable processes capable of adapting to change.
Therefore, a comprehensive assessment of the internal control system is a vital tool for evaluating a company’s operational effectiveness. It provides shareholders and top management not merely with a compliance report but with a detailed diagnosis of the entire business organism. Internal control ceases to be just a function and becomes a management philosophy, where every process is meaningful, every risk is accounted for, and every resource is utilized to its maximum potential. Ultimately, a company with a mature, reliable and effective ICS is not just a company that avoids problems. It is a company confidently moving towards its strategic goals.
By Anastasia Rusakova, General Director of the National Association of Internal Auditors and Controllers (NAIAC) Association, member of the Public Council of the Russian Ministry of Finance