Mobile Edition
Print
Get the Mag
Weekly UpdatesPOST-SOVIET COUNTRIES IN EASTERN EUROPE have faced significant business transformations and challenges as they shifted from a centrally planned Communist economy to a market economy. Although two decades have passed since these countries began to move to the free market, a business environment with roots going back to Soviet times is still present. These old ways frequently affect the operations of organizations doing business in the region.
The presence of global corporations in Eastern Europe is no longer exotic due to low costs, high return on investments, an attractive market, and other business motives (see "Eastern European Outlook" on page 60). Internal audit activity in these countries is no longer an exception either. The challenges internal auditing faces in Eastern Europe are similar to those auditors encounter globally--straggling to add value by helping their organization increase its survival chances under severe competition, unfavorable financial conditions, or unpredictable macroeconomic factors. On top of that, auditors must consider the different business environment, distinctive internal controls with a unique tone at the top, and economic conditions in the region.
GAPS IN THE SOFT SIDE
The unique business environment in the former Soviet countries is mostly based on cultural differences and historical factors. Business practices developed over many years under a centrally planned economy could not be changed overnight. Rapid economic transformation in these countries is illustrated by an incredible leap in local entrepreneurship in the short run, as these nations implemented the forms of business and modern technologies in a few years that businesses in North America, Western Europe, and Asia took decades to build. Yet, these developments are only part of the story. More important are the main drivers of business--management's point of view, tone at the top, and the way business is conducted. Here, despite impressive business and technological progress, the softer side of the business, such as management's mind-set, demands much more time to change.
PERCEPTIONS AND EXPECTATIONS OF INTERNAL AUDITING Business in the former Soviet republics is not as mature as in Western countries; the same is true of internal auditing. Therefore, perceptions and expectations of internal auditors are also different. For example, audit stakeholders--especially the elder generation--see internal auditors as "revisers" who represent the Soviet system of audit and control based. purely on compliance checks. To counter this perception, auditors should emphasize the additional value their recommendations can bring beyond compliance.
Moreover, audit clients often fear internal auditors who might produce a negative audit report. In practice, such fear could be overcome by highlighting auditors' role as consultants, rather than police officers. Similarly, management often considers internal auditing to be a watchdog to find those who are "guilty and need to be punished." Auditors could change this view through management training sessions that focus on management style and corporate culture.
DISTINCTIVENESS OF THE CONTROL ENVIRONMENT The influence of the Soviet-era control system and the uniqueness of business in Eastern Europe, which has an impact on the control environment, can be illustrated by an over-reliance on a precise, extensive, and all-inclusive documented control framework. Some internal audit units in Eastern Europe have audit charters of 16 pages or more and audit manuals exceeding 200 pages for departments with 20 auditors. Because business reality is changing so fast in the region, audit clients rarely comply fully with extensive, frequently inflexible, and even conflicting written policies or procedures.
Underestimation of soft controls, such as ethical conduct, competency, awareness, and knowledge, is another aspect of the control environment that is impacted by the legacy of the Soviet system, where major decisions were based solely on the potential economic benefits for specific individuals, rather than the organization, ignoring ethical dilemmas. Real-life examples include management's tolerance of unethical behavior, hiring or promoting inexperienced employees, involvement in bribery schemes, or participation in the unofficial "gray economy," despite official declarations of ethical values.
Finally, the control environment in Eastern Europe relies on a high number of judgmental decisions. For example, at first glance auditors might consider the decision to nominate a vendor that did not submit the best proposal to be a clear shortcoming to be reported. However, on closer inspection auditors may focus attention on the relationship between the vendor and the local government, which issues all necessary permits and has the power to stop the business. Such dilemmas are closely linked with business conduct and demand auditors' judgment and awareness of the local business environment.
REPORTING LINES It took a long time for the internal audit function to gain autonomy and recognition of its status in a corporate governance structure globally. However, internal audit independence empowered by dual reporting lines--administrative and functional, with a direct channel to the board of directors--still is not the norm in Eastern Europe. Instead, it is common for the audit function's reporting lines to be limited to the CEO or even to the chief financial officer only, without a direct and open channel to the board. A possible exception is the banking sector, which is heavily regulated. Moreover, an audit committee within the corporate governance structure is still rare in these countries, and even if an audit committee exists, its independence is frequently uncertain. As a result, internal audit independence may be impaired and the objectivity of audit findings endangered.
IT CONTROLS ON THE SPOT
Examination of IT controls is more and more emphasized by today's internal auditors. However, Eastern European auditors rarely include complex and sophisticated audit tests of these controls in their audit programs, because audited companies frequently have not implemented even basic (general) IT controls. A gap in control awareness has emerged due to the rapid implementation of technology by Eastern European countries. Auditors have reported major IT control observations including poor password management, unrestricted access to data, failure to deactivate user accounts of inactive users, lack of usage and review of change logs, no segregation of duties reviews within enterprise resource planning systems, inappropriate change management, and absence of disaster recovery planning. Moreover, it is still difficult to find an information security officer or policy among Eastern European companies.
EXTERNAL FACTORS
Internal auditing is influenced not only by the business specifics themselves, but also by external environmental factors that auditors need to consider. The current era of business uncertainty, marked by the global crisis in the mortgage markets and drastic fluctuations in commodity markets, is affecting the behavior of companies and their risk assessment results. In particular, internal auditors working in Eastern Europe need to include three risks in their audit universe:
* Threat of devaluation of national currencies. For example, the Russian ruble and Ukrainian hryvnia have lost 30 percent to 40 percent of their value against the U.S. dollar since mid 2008. Internal auditors should question the company's sales and purchase strategy linked to certain currencies as well as involvement of hedging operations.
* Political risk, as the outcome of state intervention into the business. Although practical assessment of political risk is quite complicated and problematic, recent nationalization of private businesses and aggressive policies of the state governments in the region require internal audit attention on the macro level of risk assessment.
* Tax risk. This risk is an extension of prevailing political risk. In an environment where the state regulatory requirements are changed often and are incomprehensible, each company may become subject to tax investigations by local regulatory bodies.
Auditors must reconsider and revise their risk maps to ensure that all major macroeconomic factors that impact the company's survival chances are appropriately evaluated and ranked.
OUTCOME OF THE INTERACTION
No internal audit activity is an island. On the contrary, internal auditing cannot be separated from the business itself or the external business environment factors that affect the business. This is particularly true in Eastern Europe, where audit planning and fieldwork need to be tailored in accordance with existing IT controls and prevailing business practices.
To maximize the value of internal auditing, practitioners should ask questions such as:
* What do the audit clients and management expect of internal auditors?
* What is the general image of internal auditors in the organization?
* What are the underlying assumptions for business decisions, which may not be visible at first glance?
How mature are IT controls?
Is there room to improve overlooked soft controls?
Is everything done to ensure the independence of internal auditing?
On a macro level, auditors should inquire during the planning stages about external environmental factors, such as the company's exposure to a potential devaluation of the national currency, the likelihood that its business and assets could be nationalized due to political intervention, and the possibility of tax investigations.
To comment on this article, e-mail the author at rolandas.rupsys@theiia.org.
ROLANDAS RUPSYS, PHP, CIA, CFE
FEED