Ru

Operational audit under Bank of Russia Regulations

Operational audit under Bank of Russia Regulations

RAEX recognises FBK as the market leader in audit and advisory for financial institutions. For many years, we have successfully performed operational audits for various non-credit financial institutions. The firm has been ranked 1st annually since 2019 in audit of banks and has dominated audit of investment institutions for the fourth year running.

Pursuant to Bank of Russia Regulations No. 437-P dated 17 October 2014 and No. 556-P dated 11 November 2016, as well as Bank of Russia Ordinances No. 6428-U dated 29 May 2023 and No. 6863-U dated 26 September 2024, trade organisers, central counterparties, central depositories and operators of the Automated Insurance Information System (AIS) should conduct an operational audit at least once every two years and submit the audit results to the Bank of Russia.

An operational audit is an independent assessment of the effectiveness of an entity's operational activities. Its primary goal is to identify weaknesses, potential risks, and opportunities for improving process management. It serves as a key tool for internal control and risk management.

While the specific focus varies by organisation, the audit always aims to assess the compliance of key processes with all applicable requirements—including Russian legislation, national and international standards, and the entity's own internal documents.

  • For trade organisers: The audit covers processes for the creation, operation, and information security of automated systems that are part of the trading infrastructure.
  • For central counterparties: The audit assesses the effectiveness of risk management processes, procedures for determining dedicated capital and recovering financial stability, the sufficiency of resources and the compliance of processes for the creation, operation, and information security of automated systems with the relevant requirements.
  • For central depositaries: The audit evaluates processes, procedures, and measures related to:
    • development, updating, and operation of software/hardware supporting critical technological processes;
    • risk management;
    • ensuring operational reliability.
  • For AIS insurance operators: The audit covers processes, procedures, and measures for:
    • risk management;
    • ensuring operational reliability;
    • business continuity and uninterrupted functioning of the AIS of insurance;
    • information protection, including personal data.

The operational audit must be conducted by an external auditor (the only exception is for the AIS insurance operator, which may use both an external auditor and an authorised internal officer or unit).

During the operational audit (as agreed with the client):

  • Operations of the audited entity are analysed and the audit scope is defined.
  • Audit methodology is designed.
  • Regulatory documents and standards for compliance assessment are identified.
  • Comprehensive evaluation of the effectiveness, management, and security of core processes for developing and operating automated systems within the audit scope is performed. Assessment is based on the COBIT 2019 process model and ISO 2700x series standards.

When conducting operational audits, FBK employs its in-house system to assess the effectiveness of processes, procedures, measures, and implemented controls within the audit's scope.

Upon operational audit’s completion, the client receives:

  • Report containing:
    • audit scope description and a list of assessed regulations and standards against which the audit was conducted;
    • audit results (findings), identified non-conformities in IT processes, controls, and associated risks;
    • recommendations to improve IT process effectiveness.
  • Assessment of implementation progress for deficiencies identified in previous operational audits (if applicable).
  • Better risk management and internal control, increased operational reliability, and a reduced probability of failures in the software and hardware supporting the licensed activities.

Operational audit is not just a regulatory compliance assurance, it’s an integral part of effective operational risk management

Our advantages
Expert Team
FBK consultants hold international certifications (CISA, CISM, and CISSP), validating their expertise in information security, risk and project management.
Long-term Collaboration
FBK’s purpose is to establish long-term partnerships, enabling service delivery tailored to your business nuances.
Expertise
FBK’s team has accumulated significant experience in almost all sectors and industries and is well-versed in trends and challenges within specific industries.
Key Persons
Managing Partner, Financial Services Industry
Karpushkin Alexey Mikhailovich
Head of IT Audit and Advisory Practice
RAEX
Kommersant
TOP 1000 Russian managers
Pravo.RU
Rossiyskaya Gazeta
Forbes
Expert RA