Vol. 40 (Issue 38) Year 2019. Page 15
BEGMA, Vitaliy M. 1; LUTSIK, Julia O. 2; SKURINEVSKA, Lesia V. 3; TKACH, Ivan M. 4; TREHUBENKO, Stanislav S. 5 & ULIANOV, Kostiantyn Y. 6
Received: 22/07/2019 • Approved: 28/10/2019 • Published 04/11/2019
ABSTRACT: The article summarizes arguments and counterarguments within the scientific discussion on event identification and risk evaluation in the planning of risk-oriented internal audit. The research on risk-oriented internal audit planning was performed in the following logical sequence: the general regulation of the process was defined, the component parts of risk-oriented planning were analyzed, and risk-oriented planning methods (methodology) were proposed. The research empirically confirms and theoretically proves that risk-oriented audit planning is an integral element of audit activity. The research results would be useful in planning audit activity for the respective period.
One of the main goals of the government-approved Strategy for the Reform of the Public Financial Management System for 2017-2020 (2017) is to increase the efficiency of public financial control. A meaningful indicator of its effectiveness is the number of controlled objects selected on the basis of a risk-oriented (risk-based) approach. One of the important international practices of internal audit is the use of risk-oriented planning in selecting objects and subjects of audit. A qualitative sign of its efficiency is the dynamics of this indicator: an increase in the indicator points to greater efficiency, and a decrease, on the contrary, to reduced efficiency.
The novelty and relevance of solving this scientific problem lie in the fact that the existing audit service is under reform, both at the Ministry of Defense of Ukraine and at the state level (Decree of the President of Ukraine No. 240/2016, 2016; Resolution No. 1062, 2018, Cabinet of Ministers of Ukraine). The Internal Audit Service lacks the personnel to conduct a thorough audit of all military units, institutions and organizations of the Ministry of Defense of Ukraine. Thus, there is an urgent need for high-quality audit planning that targets the objects with the highest number of threats and risks.
Analysis of recent studies and approaches to solving the problem of risk-oriented planning, considering the goals of the above-mentioned Strategy and international experience in internal audit (Order No. 1247, 04.10.2011, Ministry of Finance of Ukraine), shows that the planning of activities in the Ministry of Defense of Ukraine based on risk assessment requires further research and improvement.
The role of internal audit and its significance in the context of the reform of the State Internal Financial Control was studied by the following Ukrainian experts: M. Barynina (2018), I. Tkach (2018), I. Drozd (2012), A. Mamyshev (2008), V. Malikov (2015), L. Knyzhnyk (2015), T. Kopotiyenko (2017), M. Nezhyva (2017), I. Stefanyuk (2011), Y. Futoranska (2007) and others.
The methodological tools of the study included the methods of analysis, synthesis, induction and deduction. The period of the study (from 2011 to the present) covers the period of the audit service's functioning in the Ministry of Defense of Ukraine (Resolution No. 1001, 28.09.2011, the Cabinet of Ministers of Ukraine; Order No. 1217, 29.09.2011, the Ministry of Finance of Ukraine; Order No. 753, 14.11.2012, the Ministry of Defense of Ukraine). The object of the study is the system of internal audit in state bodies and the Ministry of Defense of Ukraine.
The objectives of the study are the following: to conduct an analysis of the current legal framework and hands-on experience in implementing the risk-oriented planning of audit activities; to justify a set of theoretical and practical recommendations for improving this process in the Ministry of Defense of Ukraine.
The achievement of the goal of the research requires:
1. to analyze the structure of risk-oriented planning of internal audit activities and to identify existing problematic issues;
2. to conduct the analysis of the first and second stages of risk-oriented planning;
3. to justify recommendations for practical implementation of the developed methodological approaches of the risk-oriented internal audit planning in the Ministry of Defense of Ukraine in order to meet the international standards.
According to Article 26 of the Budget Code of Ukraine (2010) and the Procedure for the implementation of internal audit and the establishment of internal audit units (Resolution No. 1001, 28.11.2011, the Cabinet of Ministers of Ukraine), the Department of the Internal Audit of the Ministry of Defense issued the Provisional Guidelines (№ 42, 04.12.2017) on risk-oriented planning (hereinafter - the Guidelines).
The purpose of the publication of this document is to regulate a number of important issues in the system of internal audit, in particular:
-to define the complex of actions to form, agree and approve risk-oriented plans of the Internal Audit Service of the Armed Forces of Ukraine (hereinafter - the Service);
-to implement in the Service, consisting of the Department of Internal Audit of the Ministry of Defense of Ukraine (hereinafter - the Department) and territorial departments of internal audit (hereinafter - territorial departments), common approaches to risk-oriented planning;
-to provide auditors with methodological and practical guidelines (recommendations) on risk-oriented planning.
The analysis of the Guidelines (2017) showed that the responsibility for quality planning at the Service level lies with the heads of the structural units of the Department and the heads of territorial departments, according to the functional-sectoral and territorial principles. The section of organization and quality assurance of the internal audit of the Department (hereinafter - the section of the organization) is responsible for the overall coordination of the planning and control process.
The planning process is divided into 5 stages, in particular:
Stage 1 - Compilation of the audit universe and determination of the quantitative capabilities of the Service;
Stage 2 - Event Identification and Risk Assessment;
Stage 3 - Consultation with the management and those responsible for activities;
Stage 4 - Prioritization, preparation and approval of plans;
Stage 5 - Announcement of annual plans, sending of copies to the Ministry of Finance of Ukraine and territorial departments.
It is worth mentioning that Clause 1.5 of the Guidelines (2017) specifies the frequency and schedule of audits of one object (subordinate unit), depending on the audit universe, priorities, results of risk assessment and capabilities of the Service.
The study covers the first two stages, which the authors consider the most important and which require additional research.
Responsible persons during planning use a database - the document that is prepared and maintained by the unit of the Service, approved by its head and contains:
-the name of the subordinate unit, its code in the Unified State Register of Enterprises and Organizations of Ukraine and the location;
-the name and code of the program classification of expenditures and lending of all budget programs (subprograms);
-administrative services provided by the subordinate units; control and supervision functions;
-the subject and dates of previous audit tasks and the period of their conducting;
-information on the reaction of subordinate units to conclusions and recommendations (proposals) on results of the audit.
The database may, if necessary, contain additional information, depending on the particularities of the Service activities. The Department is developing and maintaining a consolidated database that includes data from all units of the Service. Peculiarities of maintaining databases and consolidated database are determined by the Director of the Department in accordance with the Standards of Internal Audit (2011), orders of the Ministry of Defense, and other legal regulations.
It should be noted that the above mentioned information is not sufficient to conduct activities on identification and risk assessment for each subordinate unit. In the future, it is necessary to carry out a well-grounded and reliable analysis, which requires some effort and a considerable amount of time.
The analysis of the first stage of planning must be focused on the composition of the audit universe and the determination of the quantitative capabilities of the Service. The Audit universe, according to the Guidelines (2017), is a set of audit objects and subordinate units that can be individually assessed during an audit, which consists of two parts:
-audit objects - activities of entities in all or certain types of activities, functions, general processes (purchase, construction of housing, maintenance of military facilities, accounting of military property, accounting and financial reporting, management of state-owned objects, management of accounts receivable and payable, personnel management, etc.) that are included in the audit universe on the basis of the functional analysis of the Ministry of Defense and the Armed Forces' activities (horizontal analysis);
-subordinate units - departments and other structural units of the Ministry of Defense and the General Staff, military command and control bodies, military units, institutions, organizations, enterprises, associations of enterprises, separate structural units of enterprises, etc., which are included in the audit universe on the principle of organizational structure (vertical analysis).
The subjects of internal audit are included in the audit universe according to their level (strategic, operational, operational and tactical), functional, sectoral and territorial principles.
The Department’s Audit Universe covers:
objects (subjects) of the strategic level,
territorial departments - of operational level, as well as operational-tactical level;
audit services - all three levels (the initial level of detailing is determined by the Director of the Department with further specification during the risk assessment).
The quantitative capabilities (the number of audits that can be conducted during the planning period) and the audit period (the number of years during which audits can cover the entire audit universe) are also defined during the first stage of planning.
The overall planned working time (staff time) for audits is calculated for the Department and territorial departments on the basis of:
the actual number of servicemen, state employees and employees of the Armed Forces of Ukraine who are authorized to conduct an audit (hereinafter - auditors);
the overall fund of working time of each auditor (220 working days a year);
the rate for each category of auditors.
The events are identified and risk assessments are carried out at the second planning stage.
Strategic and annual plans are formed on the basis of an assessment of the risks of the activities of the Ministry of Defense, the General Staff, in terms of elements of the audit universe (objects and controlled entities), which defines the topics of audits.
The audit risk assessment is preceded by the analysis of documentary sources that will help to identify changes in the audit universe and individual risks (e.g. legal regulations, strategic plans, reporting, previous audit reports and other control activities conducted by internal and external guarantee providers). It is also necessary to carry out a comprehensive assessment and updating of all elements of the audit universe.
It is necessary to identify all the events of each element of the audit universe (external and internal) that may affect the achievement of goals and which, depending on their impact (influence), are divided into opportunities (positive impact) and risks (negative impact). Events that create risks are grouped and added to the list (see Table 1).
Table 1
Risk grouping option

| Risks | | | | | |
|---|---|---|---|---|---|
| Influence on personnel | IT and communication | Legal and regulatory | Financial | Operational | Reputational |
| 1 | 2 | 3 | 4 | 5 | 6 |
| Events that create risks | | | | | |
| Loss of qualified personnel due to staff turnover, retirement, organizational changes, staff reduction | Loss of Internet connection | Absence, inconsistency or imprecise regulation of the law | Funding or revenues reduction | Loss or inability to access the premises | Negative public information |
| Discontent of personnel | Loss of telephone connection | Divergences in the positions of the interested bodies, which must agree the draft regulatory (legal) act | Trust funds revenues and / or charitable assistance reduction, loss of grants | Utility networks malfunctions | Servicemen and their families dissatisfaction (complaints) |
| Long-term vacancies | Leak of information | Breach of contracts (agreements) | Immobilization of funds into long-term debt | Lack of transport | Negative information from the law enforcement agencies |
| High turnover of management and personnel | Virus attacks | Violation of the legislation | Lack of working capital to make payments | Important mechanisms, devices malfunctioning | Negative discussion in political circles |
| Work or military injuries | Hardware malfunctioning | Lawsuits, suspension of important activities | Fines and penalties | Non-conformity (discrepancy) of equipment | Negative information about management |
| Deaths | Destruction of the most important data or its inaccessibility | Low level of claim related work | Loss of funds or assets | Lack of material stock | Negative impact on the reputation of the Ministry of Defense and the Armed Forces |

It should be noted that the Guidelines (2017) warn about risk formulations; in particular, it is proposed to avoid:
-listing of risks that do not affect the achievement of goals;
-definitions, which are the reciprocal formulations of goals (e.g., if the goal of the enterprise is gaining profit, then the wrong formulation of risk is "loss of profit");
-determining the consequence as a risk (for example, a "risk of bankruptcy" is not a risk but a consequence of the illegal actions of the acting head of the enterprise).
Hence, the list of risks needs to be updated. In this case, the number of risks that can be identified is not specified and not limited, which complicates further risk assessment work. In the process of risk-oriented planning, it is proposed to identify only the most relevant risks (not more than seven), which is definitely very important for the planning of the internal audit.
The next step proposed is to evaluate each risk by determining the probability of occurrence of events and their consequences, which are likely to have a negative impact on:
-fulfilling the tasks (by the Ministry of Defense, the General Staff and subordinate entities) defined in strategic and annual plans;
-efficiency of planning and implementation of budget programs (subprograms), and on the results of their implementation;
-the quality of administrative services, monitoring and control functions, and the execution of tasks defined by legislation;
-the status of preserving of assets and information by the subjects;
-the status of the management of state (military) property by the subjects;
-the control of the accounting and the reliability of financial and budgetary reporting.
The following step is to evaluate the probability of the identified (inherent) risks according to the following criteria:
-high probability of the event (it has already taken place or is expected soon; probability 67-100%) - a high rating that equals 3 points;
-it is likely that the event will take place in 1-2 years (probability 34-66%) - an average rating that equals 2 points;
-unlikely or in the distant future (probability 0-33%) - a low rating that equals 1 point.
As an example, it is proposed to consider the assessment of one of the risks: "frequent management changing, interim management and its changing". This risk has an impact on all six proposed events. Correspondingly, it can affect:
-the achievement of goals and tasks;
-the effectiveness of planning, execution and performance of budget programs (subprograms);
-the quality of administrative services, monitoring and control functions;
-the status of preserving of assets and information by the subjects;
-the status of the management of state (military) property by subjects;
-the correctness of the accounting of controlled subject and the reliability of financial and budgetary reporting.
Thus, the next assessment is to be conducted for the six risks. Accordingly, for each risk event, it is necessary:
to identify whether they were taken into account by the system of internal control of the subordinate unit;
to assess the relevance of the chosen measures in order to prevent risks;
to assess the final (inherent) risk.
In addition, if the internal control system is absent, an identified risk is taken into account for the calculation.
Next, each of the six risk events is estimated on the probability of occurrence of these events (selecting the rating from 1 to 3). It is proposed to collectively specify the probability in percentage by applying subjective assessments of performers ("brainstorming").
The following step is to assess the impact of certain risk events using the criteria:
financial impact;
influence on personnel;
impact on combat capability;
influence on reputation, ethical issues, accountability.
That is, the six identified risk events must be evaluated by four criteria. The total number of applied risk assessments (made by using subjective judgments through discussions, consultations and other actions) is already twenty-four.
It should be noted that each person has a personal perception of risk, and it is not recommended to determine the risks by applying the average risk assessment level (score). It is proposed to assess the impact through negotiations and reach a certain consensus (see Table 2).
It should be noted that the approximate number of controlled objects and subordinate units is 1,500. The application of a minimum number of risks (7 per one object), results in almost 252,000 required operations. The calculations did not take into account the needed time to collect information for risk assessment.
The study attempts to calculate the average number of man-days spent on risk assessment for all controlled objects and subjects.
Taking into account the caution regarding the need for a collegial discussion, and assuming that most of the personnel of the organizational section (4 officials) have never conducted an audit independently, spending 10 minutes on the evaluation of one operation results in 2100 man-days. This must be considered while planning other functional activities.
Table 2
An example of the proposed impact assessment
Estimation of the level of influence of identified risks on the activity of the object.

| Level (rating) | Examples of rating points for impact criteria: | | | |
|---|---|---|---|---|
| | Financial impact | Influence on personnel | Influence on combat capabilities | Reputational impact |
| Low (1) | Financial and material impact below 100 thousand UAH. | Unplanned absence (illness, deficiency) of several key persons, which may lead to some failures in work | Limited or minimal reduction of capabilities, quick recovery | Events (incompetency, inappropriate management, or serious violation of rules or legislation) that lead to a reduction in the trust of a small group of individuals (in a separate group, local community, groups of experts, etc.). The recovery period is short |
| Medium (2) | Financial and material impact is above 100 thousand UAH, but below 500 thousand UAH. | Unplanned absence (illness, marriage) of several key persons, which can lead to significant failures in work | Significant decrease / loss of capability, which interrupts the execution of tasks in one or more areas of activity | Events (incompetency, inappropriate management or non-systemic fraud or small-scale corruption, other events) that lead to a decline in public confidence at the interregional or central level or loss of confidence of key partners. |
| High (3) | Financial and material impact is above 500 thousand UAH, but below 1 million UAH. | Serious injuries or death | Significant decrease / loss of capabilities that interrupts the execution of assigned tasks, failures in several areas of activity | Events (incompetency, inappropriate management, one-time fraud or large-scale corruption, one-time large-scale or systemic fraud or corruption, other events), which lead to a drastic decline in public confidence at the international and regional levels and at the level of important partners. The period of confidence recovery is moderate or prolonged |
| Very high (4) | Financial and material impact is above 1 million UAH. | Serious injuries or death | Inability to continue the execution of assigned tasks, significant loss of capabilities, failures in all areas of activity, slow recovery | Events (incompetency, inappropriate management, large-scale fraud or corruption, other events) that lead to a loss of public confidence at the international and regional levels and at the level of key partners. |

It is worth mentioning that, in accordance with the requirements of the Internal Audit Standards (2011), when planning an internal audit, auditors have to take into account the risk management system used in the institution.
The Resolution (No. 1062, 12/12/18) of the Cabinet of Ministers of Ukraine "Basic Principles for the Implementation of Internal Control by Budget Administrators and Amendments to the Resolution of the Cabinet of Ministers of Ukraine No. 1001 (28.09.2011)" (2018) separated internal control from internal audit and made the assessment of the effectiveness of the internal control system one of the functions of internal audit.
Besides, the Order of the internal control and risk management organization in the system of the Ministry of Defense of Ukraine (the Order of the Minister of Defense of Ukraine No. 145, 02.04.2019) (2019) approved formalized forms (the Risk Management Plan for the relevant year and the Structure of the risk management database), which indicate the size of residual risks after the institution takes appropriate measures.
However, it must be recognized that most of the risk factors are determined by subjective assessments and assumptions that are not based on absolute values. The nature of the risk-based approach lies in the fact that the planning of internal audit activity should be organized around areas of significant risk defined in advance and on the basis of residual risks. Therefore, during risk-based planning, the internal audit activity should be directed at the assessment of the residual (final) risks.
It should also be noted that the current methodological approaches to risk assessment in the planning of internal audit activities are based on one of the elements of the COSO (n./d.) internal control model - risk assessment. Risks in the institution are assessed in terms of the probability of their occurrence and their influence. The risk assessment is also made in order to determine the actions to be taken. Risks are evaluated as inherent and residual.
At present, the units of the Audit Service are already using developed sets of common risk indicators ("risk factors") in risk-oriented planning. Typically, these sets of risk indicators (risk factors) do not differ greatly, though they make it possible to evaluate each object and subject of audit, to determine the main risks of their activities and to determine their priority.
The following risk indicators (factors) are the most often used to identify risk factors:
financial significance (the main risk factor is the amount of the financial activity covered by the audit object);
the complexity of the activity (complex activities are more difficult to perform well, so the probability that they are to be executed poorly or not in time increases);
the general policy of internal control (a well-organized policy of internal control significantly decreases the probability of violations and mistakes);
the reputational sensitivity (some areas of activity can create significant risks for the reputation of the organization as a whole);
the inherent risk (the presence of a high inherent risk demands the effective control processes in order to reduce this risk. The internal audit is to check these control mechanisms on a regular basis);
the scale of change (high staff turnover can reduce the effectiveness of control, since employees are less experienced);
the confidence in management (experienced executives usually resolve problems more effectively and get better results than the executives with no relevant experience. More experienced executives are more likely to identify risks and make appropriate decisions);
opportunities for violations (some systems and functions are more prone to violations and even to fraud and corruption);
the date of the last audit (from time to time, audits should take place even at low risk objects, and those objects that have not been audited for several years may represent a high level of risk).
However, the Service does not possess the formalized forms (regarding the generalization of the information) to reflect qualitatively the results of risk assessment activities.
Thus, the heads of the Internal Audit Service units should organize work to collect information on the state of internal control, risk assessment processes, the state of financing, and the analysis of information in the media regarding the activities of the Ministry of Defense of Ukraine and the General Staff of the Armed Forces of Ukraine. This information makes it possible to predict future risks and to define "bottlenecks" in the implemented internal control system.
Subsequently, the specialists of the Audit Service should research the peculiarities and specifics of the activities of the structural units of the Ministry of Defense and identify risk indicators (risk factors) based on the available information.
Taking into account the results of the study, it is proposed to carry out risk assessment in risk-oriented planning based on the use of risk indicators (risk factors), which are intended to indicate problem areas and potential risks in the process of drawing up and developing risk-oriented plans (strategic and operational).
Risk indicators (risk factors) can be determined during discussions in the Internal Audit Service units (collegial body). It should be noted that risk indicators (risk factors) may differ depending on the activity of subordinate unit.
The study proposes risk indicators (risk factors) that can be used to conduct risk assessments in the public sector institutions and state-owned enterprises.
As an example, the following risk indicators (risk factors) are proposed to assess the public sector institutions:
-amount of financing;
-the status of the implemented internal control system, the results of the risk assessment work and the measures taken to prevent risks;
-the date of the last control activity;
-the level of implementation of proposals and auditor’s recommendations;
-auditor's report on the results of the previous control activity;
-confidence in the management of the subordinate unit;
-information from public and other sources regarding the activities of the subordinate unit, which could become the basis to predict future risks and to define "bottlenecks" in the implemented system of internal control.
The following risk indicators (risk factors) are proposed to assess the state-owned enterprise:
-the reduction of the net income in comparison with the previous year;
-the reduction of the gross income (long losses);
-the annual financial performance indicator;
-growing debts (with creditors, with the budget, on wages payments);
-the status of the implemented internal control system, the results of the risk assessment work and the measures taken to prevent risks;
-the date of the last control activity;
-the level of implementation of auditor’s proposals and recommendations;
-auditor's report on the results of the previous control activity;
-confidence in the management of the subordinate unit;
-information from public and other sources of information regarding the activities of the subordinate unit, which could become the basis to predict future risks and to define "bottlenecks" in the implemented system of internal control.
The assessment of potential risks with the help of the proposed (determined) risk indicators (risk factors) gives an opportunity to evaluate and predict the existence of problematic areas of activity of controlled entities (subordinate units), to identify possible (present) risks of violations that prevent the institution from carrying out the planned tasks, obtaining qualitative results and achieving the desired goals.
The practical application of previously studied scientifically-based risk indicators (risk factors) gives prospects for further research activities. This will definitely improve the quality of risk-oriented planning of internal audit activities in the process of functioning of the internal audit system, both within the system of the Ministry of Defense of Ukraine and the Armed Forces of Ukraine.
The results of this research can be used at the national level following their approbation in the system of the Ministry of Defense of Ukraine.
Resolution of the Cabinet of Ministers of Ukraine of December 12, 2018 № 1062. (2018). On approval of the Basic principles for the implementation of internal control by budget administrators and amendments to the Resolution of the Cabinet of Ministers of Ukraine of 28 September 2011 № 1001. Retrieved May 25, 2019 from https://zakon.rada.gov.ua/laws/show/1062-2018-п
Decision of the Council of National Security and Defense of Ukraine of May 20, 2016, Decree of the President of Ukraine № 240/2016 of 6 June 2016. (2016). On the Strategic Defense Bulletin of Ukraine. Retrieved April 28, 2019 from http://www.president.gov.ua/documents/2402016-20137.
Barinina M. & Ulianov K. (2018) Evolution of views on the appointment of financial and control bodies of the Ministry of Defense of Ukraine. Social development & Security. 2(4), 59–68. DOI: http://doi.org/10.5281/zenodo.1237042
Shpytal O. & Tkach I. (2018). Justification of the validity of development internal control’s indicators in the Ministry of Defense of Ukraine and the Armed Forces of Ukraine. Social development & Security, 6(8), pp. 27–42. DOI: http://doi.org/10.5281/zenodo.2539655.
Drozd I. (2012). Vnutrishniy audyt u sektori derzhavnoho upravlinnya [Internal audit in the public administration sector]. Kazna Ukrayiny, 2, pp. 6-8. Retrieved April 28, 2019 from https://economic-vistnic.stu.cn.ua/index.pl?task=arcls&id=969
Mamyshev А. (2008). Audit performance: implementation phase. Financial control 3(32), pp. 43–45.
Malicov В. В. (2015). Internal audit: problem analysis and organization at the enterprises. Problems of economy 2 (2015), pp. 147– 152. Retrieved April 28, 2019 from http://www.nbuv.gov.ua/node/2116
Cnyzhnik L. (2015). Audit of Ukraine: challenges and prospects in the context of eurointegration. Collection of scientific works. Efficacy public administration. 44, pp. 58–63. Retrieved April 28, 2019 from http://www.nbuv.gov.ua/node/2116
Кonotienco Т. & Nezhiva М. (2017). Theoretical and methodical aspects of realization of the concept of materiality in the audit. Economy and society, 10(2017), pp. 761-769. Retrieved April 26, 2019 from http://economyandsociety.in.ua/journal/10_ukr/129.pdf.
Stephanyk І. (2011). Methodical principles of functioning of the state internal financial control of Ukraine. Finances of Ukraine, 6(2011). Retrieved April 20, 2019 from http://www.ac-rada.gov.ua/doccatalog/document/16738269/Stefanuk.pdf
Futoranskaya Yu. (2007). Preconditions and ways of reforming the system of the state internal financial control of Ukraine. Finances of Ukraine, 9, pp. 151-158. Retrieved April 26, 2019 from http://nbuv.gov.ua/UJRN/Fu_2007_9_17
Resolution of the Cabinet of Ministers of Ukraine of February 08, 2017 № 142-р. (2017). Approving the strategy of reforming the public finance management system 2017-2020. Retrieved April 23, 2019 from https://zakon.rada.gov.ua/laws/show/142-2017-%D1%80
Resolution of the Cabinet of Ministers of Ukraine of May 24, 2017 № 415-р. (2017). About the shuffling of the plan of measures for realization of the system of management public finance management 2017-2020. Retrieved April 28, 2019 from https://zakon.rada.gov.ua/laws/show/415-2017-%D1%80.
Decree Cabinet of Ministers of Ukraine of 28.09.2011 № 1001. (2011). Some issues of implementation of internal audit and the establishment of internal audit units. Retrieved May 11, 2019 from http://zakon.rada.gov.ua/laws/show/1001-2011-п.
Order of the Ministry of Finance of Ukraine of 04.10.2011 № 1247. (2011). Standards of internal audit. Retrieved May 2, 2019 from https://zakon.rada.gov.ua/laws/show/z1219-11.
Order of the Ministry of Finance of Ukraine of 29.09.2011 № 1217. (2011). On Approval of the Code of Ethics of Internal Audit Division staff. Retrieved May 4, 2019 from http://www.mil.gov.ua/diyalnist/vnutrishnij-audit/normativno-pravova-baza.html.
Order of the Ministry of Defense of Ukraine of 14.11.2012 № 753. (2012). About the organization of the activities of internal audit and approval of the procedure for conducting internal audit by the units of the Internal Audit Service of the Armed Forces of Ukraine. Retrieved May 1, 2019 from http://www.mil.gov.ua/diyalnist/vnutrishnij-audit/normativno-pravova-baza.html.
Order of the Department of the Internal Audit of the Ministry of Defense of Ukraine of 04.12.2017 № 42. Provisional Guidelines on risk-oriented planning.
COSO. (n./d.). The Committee of Sponsoring Organizations. Retrieved May 2, 2019 from https://www.coso.org/Pages/aboutus.aspx
Order of the Minister of Defense of Ukraine of 02.04.2019 №145 (2019). Order of the organization of the Ministry of Defense of Ukraine internal control and risk management. Retrieved May 2, 2019 from http://www.mil.gov.ua/diyalnist/vnutrishnij-kontrol.html.
1. National Institute for Strategic Studies, Ukraine, Kyiv, Ukraine, Contact e-mail: begma@niss.gou.ua
2. Ivan Chernyakhovsky National Defense University of Ukraine, Kyiv, Ukraine, Contact e-mail: julia.Lutsik@gmail.com
3. Ivan Chernyakhovsky National Defense University of Ukraine, Kyiv, Ukraine, Contact e-mail: olesya201205@gmail.com
4. Ivan Chernyakhovsky National Defense University of Ukraine, Kyiv, Ukraine, Contact e-mail: tim68@ukr.net
5. Central Research Institute of the Armed Forces of Ukraine, Kyiv, Ukraine, Contact e-mail: stas.trigub@icloud.com
6. Independent auditor, Kyiv, Ukraine, Contact e-mail: uluanov132@gmail.com