Formalization of theoretical tools for risks of internal audit system identification

Methodological principles formalization and practical tools development for risks of internal audit system identification is the subject of this study. The purpose of paper is to develop scientifically substantiated proposals for improving the methods for entrepreneurial risk assessing in internal audit system. Achievement of the goal set in the article was carried out with help of general and special research methods, namely: dialectical approach, analysis and synthesis, systematization and generalization. Article presents the categorical and terminological interpretation of risks of internal audit system and substantiates the basic characteristics of business risk. Study tested general audit risk components and influence of the controlled environment internal factors on risk of internal audit system. It was established in the article the place of business risk and internal audit risk in the entity’s controlled environment. With purpose of risks systematization for taking them into account in management process algorithms of entity’s controlled environment risks identification was developed. As a result, developed scientifically-based risk identification tool in internal audit system allowed identification and timely elimination of risky business operations consequences.


Introduction
The need for a separate thorough risk analysis is explained by: unstable business environment; permanent changes in tax and economic legislation governing the procedure of conducting an economic activity; high cost of credit resources; rapid changes in market conditions; growth of competition due to globalization of the economic space; changes on currency, stock and commodity markets. Appropriate risk management will allow to predict possible negative consequences and, yet at the stage of planning an economic activity, to develop a number of measures that will minimize risk probability or significantly reduce negative consequences of occurrence thereof [1]. Therefore, the key task of the supervisory board, owners and executives of all structural units of a business entity is to create an efficient internal control system capable of tracking the risks of economic activity and developing the control procedures that can withstand these risks. The most adapted and focused on the improvement of the efficiency of methods to manage various risks inherent to the activities of business entities involved in the trade sector is modern internal audit practice. This is due to the fact that the risks hinder not only the achievement of key business objectives of economic activities, but also appropriate and professional work of the internal audit service, which requires the creation of risk management system that will contribute to proper achievement of the objectives of the internal audit service. V. Illiuk said: "... management related to risk control and forecasting currently belongs to the best tools of preventive control [2, с.9].
Approximately prior to the beginning of the XVIII century a scope of risk was determined using the probability theory methods; in the XVII-XIX centuries scholars substantiated the law of large numbers and basic statistical procedures, and the concept of "uncertainty" became the key to the theory of risk [3]. In 1900-1930, the term "risk" became widely used in scientific world and scientific literature; it was recognized as an integral part of any entrepreneurial activity conducted in the conditions of uncertainty [4]. The first attempts to manage risks based on scientifically substantiated methods of their analysis and monitoring appeared in early 30s of the last century. The turning point in the development of risk methodology within the framework of the utility concept became work of J. von Neumann and O. Morgenstern "Game Theory and Economic Conduct", which suggested a qualitatively new tool for assessment of risk utility [5; 6].
Since then there have been repeated attempts to put the scientific research results into practice. In 1955 W. Snyder, a professor in the area of insurance of Temple University, offered the term "risk management", and in 1956 Russell Gallagher described the profession "risk manager" for the first time in Vol. 34 of Harvard Business Review. Studying the phenomenon of human errors has begun [7]. In domestic research, the appearance of a new scientific direction of risk science or risk management was proclaimed at the conference held in October 1998 [8, с. 36].
The results of studying the issues of theoretical substantiation and methodology of audit risk assessment are disclosed in the works of foreign scholars: A. Thus, scientific and practical knowledge of risk, development of risk theory, as well as study of the possibilities of efficient management thereof in various aspects of manifestation and economy sectors are at the initial stage of development and require the development of scientifically substantiated proposals to improve the methods for assessing an entrepreneurial risk, determining the measures for mitigation thereof and developing the efficient mechanisms of active impact thereon, that was identified as an objective of this research.

Results and Discussions
A significant growth of enterprises, scope of their activity and complication of their business transactions, which took place in the mid-80's of the XX century, led to widespread application of selective audit methods, which contributed to the emergence of the audit risk concept in the audit theory. In the context of audits, the concept of audit risk involves not only organization and methodology of accounting, financial reporting and the assessment of the internal control system at the enterprise, but also taking consideration of various risks that the auditors have to deal with.
The need for more rapid information about actual and potential risks and their consequences has emerged among the owners of business structures due to the increased competition both on the world markets and on domestic ones, in connection with European integration, Ukraine's accession to the World Trade Organization, expansion of foreign companies, which caused the appearance of a significant number of various threats to sustainable development and financial position of particular business entities and the economy as a whole. This requires the substantiation of categorical and terminological interpretation of risks arising in economic activities of business entities (entrepreneurial risks) and audit risk, in particular, identification and analysis of the factors affecting the scope and behavior of risks, forming the auditor's risk, and risk impact on the content and scope of audit procedures and on the activities of the internal audit service as a whole (Fig. 1).
The studies of theoretical substantiation of economic content of the risk concept allowed us to conclude that risk in any manifestation thereof is a complex multidimensional phenomenon, and according to the most common definitions it is a probability of hazard, failure and, as a result, loss. As stated in the Ukraine 2020 Sustainable Development Strategy, achievement of 17 sustainable development goals is primarily associated with the adherence to the principle of continuity on which any accounting system should be based. In modern economic conditions, when enterprises are forced to operate in changing market environment, which is characterized by severe competition, entrepreneurial risk becomes decisive for profit gaining. According to the Law of Ukraine On Entrepreneurship, entrepreneurship is an independent, systematic, conducted at own risk activity which is related to production of goods, performance of works, provision of services for the purpose of profit gaining and conducted by individuals and legal entities registered as subjects of entrepreneurial activity in accordance with legally prescribed procedure [9]. Therefore, any entrepreneurial activity is characterized by significant risks associated with "... production of goods, products, services, sale thereof, commodity-money and financial transactions, commerce, implementation of socioeconomic as well as scientific and technical projects" [10]. The approaches to the definition of risk which are most commonly used in the economic literature include: probability of unpredictable adverse consequences of activity [11]; ability of a business entity to move from usual operation to unpredictable condition under the influence of external and internal factors [12]; probability of loss of resources or insufficient income [13]; danger of unforeseen losses [14]; situational characteristics of activity [15]. As can be seen, most authors in determining the entrepreneurial risk emphasize the economic performance of a business entity. However, a significant threat to sustainable development of the enterprise can also be caused by the shortcomings available in socio-reputational sphere, environmental management and HR policy. Therefore, we consider it necessary to apply the broader notion of "business risk", suggesting to interpret any risks of in practice of leading scientific schools -ISSN 2313-7525 insufficient income or loss of benefits associated with the uncertainty of external and internal factors affecting socio-ecological and economic activities of a business entity.

Fig. 1. Categorical and terminological interpretation of risks in the internal audit system
Basic characteristics of business risk include, in particular: -probabilistic nature (business risk affects all business processes and non-core business activities of business formation); -socio-ecological and economic nature (business risk affects not only an economic activity, but also the nature of social relations and environmental consequences of activity conducted by a business entity); -uncertainty (business risk is the result of a choice with negative or positive impact); -objectivity (business risk accompanies practically all aspects of socio-ecological and economic activity of a business entity); -inherency (is close to objective characteristics of business risk, inherent to all aspects of socio-ecological and economic activity of a business entity); -action/activity (business risk arises as a result of certain action/activity (omission)).
According to T.Yu. Kompotienko, business risks often arise in the activity of business entities as a result of development of new products or services, failure to take into account the specifics of customers localization in the course of business expansion, improperly selected concept of enterprises, etc. [16, с. 394]. At the same time, emergence of business risks leads to certain losses for business entity whose executives may present claims to the internal audit service against poor quality of the audit, i.e. business risk is directly related to the level of audit risk.
According to paragraph 3 of ISA 400, Risk Assessment and Internal Control: "audit risk" is the risk that the auditor will provide inadequate auditor's opinion if the financial statements contain materially distorted information [17]. Such distortions may appear as a result of fraud or error. According to the results of study conducted by the Institute of Internal Auditors, auditors assist in identification of fraud (44%) and investigation thereof (26%). ISA 400 defines three components of audit risk, according to which audit risk is usually considered in the domestic practice of auditing: inherent risk, control risk and disclosure risk. ISA 400 also gives recommendations as to assessment of general audit risk components (Fig. 2).

. General audit risk components
The audit risk is defined in scientific literature as "permissible audit risk of incorrect conclusion upon completion of all audit procedures" [18, с. 110]. T.O. Kamenska points out that during the audit there is a risk that fraud or error will not be discovered, and that the material misstatement of the financial statements may remain undisclosed [19]. V.V.Skobara notes that the audit risk is a subjectively established level of risk that the auditor is ready to assume [20]. According to S.V. Didenko, the audit risk is the risk or danger that the auditor will make incorrect conclusion about financial statements upon completion of audit procedures, i.e. for incorrect financial statement the auditor will present an auditor's opinion without reservations and vice versa [21]. K.O. Nazarova clarifies this definition and defines audit risk as the probability that the auditor will express false opinion about the accuracy of financial statements that contain material distortions that may affect the decision made by the users [22]. The position of N.I. Dorosh is similar, who considers the audit risk as a threat that, based on the results of the audit procedures, the auditor will make incorrect opinion about the accuracy of financial statements, i.e. when for incorrectly compiled in the essential aspects financial statements the auditor will provide a modified auditor's opinion and vice versa [23, с. 171]. In addition, the scholar also describes possible consequences of the audit risk, namely: emergence of substantiated complaints against quality of the audit results and reliability of the auditor's opinion, which emphasizes the auditor's or audit firm's responsibility for quality of the audit.
All of the above-mentioned approaches to interpretation of the audit risk describe it in terms of the external audit, since financial statements are the main subject of the external audit in accordance with the law and generally accepted practice of auditing. The list of subjects audited by the internal auditor is much broader, and the internal audit service does not discharge solely the control functions, but also has to provide the executives with recommendations for improvement of activities in all areas. No approaches to determining the internal audit risk have been developed in scientific research, therefore we propose to interpret the concept of "internal audit risk" as the probability of failure to detect as a result of the audit the evidence of inability of accounting and internal control systems to promptly identify and remove significant errors that will lead to adverse events resulting from the adoption of managerial decisions based on inaccurate or insufficient for achievement of goals and managerial objectives information of the internal audit.
Basic characteristics of the internal audit risk include those having a similar nature with characteristics of business risk (uncertainty, probability, inherence, occasionality), and in terms of specific internal audit risks they include: -subjectivity (unlike business risk, the internal audit risk is the risk precisely from the position of the auditing entity, which affects the information risk of management system that may lead to claims against audit results and require the auditor's responsibility); -dissatisfaction (the level of the internal audit risk is directly proportional to the degree of satisfaction of the information needs of management entities as a result of making managerial decisions based on inadequate or insufficient information); -distortion of financial performance (monitoring of the probability of bankruptcy is one of the main functions of the internal audit, which makes the reliability of assessing the financial position of a business entity dependent on the internal audit risk).
The ultimate purpose of the internal audit is to assess the probability of further sustainable development of a business entity on the basis of expert examination of financial statements, analysis of financial and economic activity, formation and monitoring of implementation of anti-crisis plans. In order to achieve this purpose, the internal auditors shall assess the prerequisites of occurrence and the possibility of minimizing the internal audit risk to an acceptable level. At the same time, it is also necessary to take into account possible conflicts of interest on the part of internal auditors who, while exercising their official duties, must adhere to the code of ethics, and on the part of structural units of a business entity who may be willing to falsify information about financial and economic activity. Therefore, an assessment of the scope of internal audit risk, as well as search for approaches to mitigation thereof shall be the primary objective of the internal audit service, rather than of the management system of a business entity in general. The internal auditor should achieve maximum confidence of the absence of any kind of distortion and misstatements in the audited information, as well as consider in the methodology of assessing the internal audit risk primarily those components that to the greatest extent affect the prevention of the probability of bankruptcy of a business entity, and also allow it to be reduced to the most acceptable minimum, which corresponds to the basic principles of risk-based management. From the standpoint of risk-based management, the internal auditors should take into account all business risks that affect the sustainable development of a business entity; develop scientific and practical recommendations for their elimination or measures for leveling thereof; assess the internal audit risk related to incorrect submission of information or inaccurate perception thereof by stakeholders.

Fig. 3. Place of business risk and internal audit risk in the controlled environment of a business entity
Business risk and internal audit risk arise as a result of permanent transformation of the external and internal environment factors [24]. The level of business risk is primarily affected by the external factors, which almost do not depend on a business entity. Therefore, the internal audit service should develop measures to identify the internal reserves of a business entity to minimize the impact of external factors, which complicates the development of risk management measures. As compared to the external factors, internal factors are significantly influenced by the management system and more controlled (Fig. 3).
External factors affecting the controlled environment risks are sufficiently studied in scientific sources [25; 26; 27]. In addition, their action is largely uncontrolled by management system of a business entity. The action of internal factors on the contrary is decisive. They are mostly exposed to managerial influence and should be taken into account when determining the level of internal audit risk and developing measures for leveling and minimization thereof. Therefore, we will focus on the characteristics of the influence of internal factors of the controlled environment on the internal audit risk. The internal audit risk is the result of action of two groups of factors related to HR policy (competency, professional judgments, psychological) and accounting policy (methodological, technological, organizational) of the enterprise. Factors of HR policy are subject to immediate identification, since the subject of the internal audit has a significant impact on the control risk in general. The main place among them is taken by competency factor, because it is competency that characterizes the process of development of the internal auditor's identity from knowledge to skills and professional values. The competency factor characterizes the awareness and ability of the internal auditor to exercise his abilities in the control activity owing to the availability of professional experience that enables to achieve high results in the audit activity and the ability to effectively interact with employees of the internal audit service and representatives of structural units of the enterprise as well as to effectively address the tasks.

Fig. 4. Algorithms of business entity controlled environment risks identifying
In order to level the influence of competency factors on the internal audit risk of the enterprise, it is advisable to develop a matrix of competencies of the internal auditor, which will allow to plan the development of professional skills and knowledge of employees of the internal audit service. In addition, for the efficient implementation of the internal audit functions, based on the developed matrix of competencies, it is necessary to determine the evaluation criteria by each competency that should be expressed in the form of internal regulations of the internal audit service. The factor of professional judgments of the internal auditor is directly related to the competency factor and represents the process of applying the professional competency characteristics in solving the audit tasks in the conditions of uncertainty to formulate an opinion on the professional issues [29]. Professional judgments of the internal auditor has a discursive nature, since it is a manifestation of logical considerations and obtaining of appropriate evidence in the process of conducting the audit procedures, rather than intuition, even if it is based on the experience and expertise of an expert. The level of disclosure risk depends on professional judgments of the internal auditor.
Characteristics of psychological factors are the most subjective among factors of HR policy, since psychological characteristics of experts are, first of all, difficult to assess, and, secondly, have a bilateral nature. On one hand, the internal auditor should have personal qualities that will ensure adherence to code of ethics of the internal auditor. On the other hand, the internal auditor should be able to assess the potential inclination of the controlled environment elements to fraud and corruption. Within the scope of his powers, the internal auditor should develop and control the implementation of measures aimed at correction and improvement of organizational structure of the company, its corporate culture and solving problems related to human resources, identifying potential risks of conflict situations, labor disputes or claims.
The factors affecting the internal audit risk related to the accounting policy of the enterprise actually form the control risk, which consists of accounting system risk and internal control system risk. In our opinion, the accounting policy risks can be divided into three groups that correspond to a sustainable approach to formation of accounting policy sections at the enterprise -methodological, technical and organizational. The presence of methodological factors can lead to distortions of indicators of sustainable development and the probability of bankruptcy of the enterprise due to incorrectly selected methods of accounting for particular items, which will be considered in the next paragraph of this section of thesis. Technical and organizational factors affecting the level of the internal audit risk are directly related to the use of modern information and communication technologies in the fulfillment of the internal audit functions, information protection and preservation of commercial secrecy, what will be discussed in the next section.
One of the main objectives of risk analysis and assessment is to inform the executives of the risk areas in which measures should be taken to prevent or restrict such risks, as well as to determine the priority of such measures. Therefore, the internal audit risks should be identified in a clear causal relationship with determination of risk nature, the degree of control, the level of exposure to the controlled environment, the probability of occurrence and the ability to identify and assess. To systematize the risks in order to take them into account in the management system when making managerial decisions, we suggest to use algorithms for identification of risks of the controlled environment of a business entity (Fig. 4). Using the proposed algorithm will allow to develop efficient risk management tools, to identify the circumstances that may serve as signals of probable bankruptcy, to take prompt measures to reduce the scope of possible adverse consequences, that will significantly improve the enterprise's economic performance as a whole.

Conclusions
The theoretical substantiation of the economic essence of business risk and internal audit risk as well as the developed algorithms of identifying the risks of the controlled environment of a business entity correspond to the principles of risk management system and, in particular, enable the internal audit service to develop and implement the following measures to identify risky business operations: -identify the most priority and suitable risks for the internal audit service; -to conduct integrated assessment of identified risks by applying the coefficients of their significance, the criteria of probability of their occurrence, the level of reliability of information about risk and/or its elements; -to assess the level of "risk" of the audited entities by the magnitude and significance of the identified risks, psychological behavior of risk owners, indicators of financial and property status and other factors of influence; -to adopt managerial decisions regarding selection of the method of management of identified and assessed risks depending on the parameters of their influence and risk degree; -to conduct peer review and permanent monitoring of measures for leveling and minimizing the identified risks; -to standardize the methodology and develop the internal regulations on anti-crisis management.