Banking
Implementing
Controls
Internal controls are the starting point that lead the way to
efficient and effective operations, decrease in cost of doing
business, prevent frauds, reduce operational losses and
produce reliable reporting.
Introduction
Through its circular BSD 07, dated May 27 2004, the
State Bank of Pakistan has issued “Guidelines on Internal
Controls” for banks. Guidelines aim to provide guidance
to the banks for instituting a sound internal control
system. This is a step taken by SBP to fill the gaps in the
systems and processes, to make them dynamic and
effective and enable the banking sector to increase its
capabilities for robust risk management and get ready for
more sophisticated regulations e.g. Basel II / III.
Guidelines require from the management of the banks to
give a statement in the annual financial statement stating
their responsibility of:
w Establishing and maintaining a sound system of
Internal Controls covering both financial as well as
non-financial;
w It also requires Board of Directors to endorse
management's statement;
w Over and above, external auditors are required to
evaluate that statement and give their independent
opinion. However, opinion of external auditors will be
restricted to the state of internal controls relevant to
Financial Reporting Only.
On the recommendation of the Pakistan Banking
Association (PBA), target date for the Implementation has
May-June 2007
Naveed Aslam, ACA
been deferred by SBP three times i.e. from December
31st 2005 to December 31st 2006 and through a circular
letter # 3 of BSD dated December 30 2006, SBP has
deferred para 7(c) related to the external auditor's
attestation of the statement of internal controls.
What are Internal Controls
Internal controls are the starting point that lead the way to
efficient and effective operations, decrease in cost of
doing business, prevent frauds, reduce operational losses
and produce reliable reporting. In general terms, we can
say that internal controls are nothing but 'Best Practices'-
best practices in governance and best practices in
management.
Let's have a look into the definition of internal controls
given by the COSO framework
Internal control is a process, affected by an entity's board
of directors, management and other personnel, designed
to provide reasonable assurance regarding the
achievement of objectives in the following categories:
w Effectiveness and efficiency of operations;
w Reliability of financial reporting;
w Compliance with applicable laws and regulations;
The Pakistan Accountant 33

Without going into the details we can see that internal
control is not a static, but a continuous process, assisted
by the Board and the management. (Therefore, only
written manuals and drafted policies are not internal
controls. However, they can be regarded as means of
achieving control.)
Unfortunately in the local scenario, management is under
the misconception that internal control is the responsibility
of either Internal Audit or Finance. Business divisions
especially assume that systems and processes are none
of their business, and that they can be built-in to the
organization by internal audit, or finance. This single
misconception is the most challenging one that needs to
be done away with before embarking on the
implementation of the guidelines. A strong buy in from the
board and management is very important for this project.
Requirements of the Guidelines
The main focus of this article is the methodologies and
steps that may be taken by the management of banks to
get these guidelines implemented, i.e. how to begin
implementation, and what steps are required to be taken
by the banks for its implementation. An effort is being
made here to provide guidance so that banks can follow
what suits them keeping in view their internal
organizational structure.
Relevant section of the guidelines is being reproduced
here in italics. For ease of reference paragraphs have
been assigned “A” and “A-1”.
All banks/DFIs are required to include a 'Statement on
Internal Controls' in their annual reports.
A. That statement should include following:
a. A statement of management's responsibilities for
establishing and maintaining adequate internal
controls and procedures followed by management's
evaluation of the effectiveness of the bank's internal
controls;
b. Board of Directors' endorsement of the
management's evaluation; and
c. Statutory Auditors' attestation to, and report on,
Board's endorsement regarding efficacy of
company's internal controls, which are relevant to
the financial reporting only. (Implementation of this
clause is deferred by SBP through its circular dated
30 Dec 2006)
A-1 Management's evaluation of internal controls may
include, but is not limited to;
a. A description of management's responsibilities for
establishing and maintaining a system of internal
control directly related to, and designed to provide
May-June 2007
Banking
reasonable assurance as to the integrity and
reliability of those controls and reports produced
therefrom;
b. An assessment of the effectiveness of the
company's system of internal control that
encompassed material matters; and
c. A statement of how management responded to any
significant recommendations concerning its system
of internal controls made by its internal as well as
external auditors.
COSO Framework
SBP circular BSD-01, dated 13 January 2006 in para 3 (ii)
states that “while developing Internal Controls for their
Institutions, the banks/DFI's may seek guidance from any
well-recognized framework/ international best practice to
strengthen their internal controls”.
Therefore, banks have to choose a recognized framework
of internal controls, which is detailed enough and provides
guidance on the subject.
Committee of Sponsoring Organization of Tread way
Commission (COSO) is considered industry best practice
for defining internal control structures. It defines following
five interrelated internal control components.
1. control environment
2. risk assessment
3. control activities
4. information and communication
5. monitoring and controls
COSO framework may be used by the banks as a
benchmark model for defining internal controls.
It is important that as a first step banks should identify
through a careful exercise all controls that are already in
place and map them with the above COSO control
components.
A brain storming exercise is required to be done here in
which major control categories already existed in banks
should be identified.
The next step is to identify the business processes that
satisfy the above derived control categories. The idea is
to standardize as far as possible and identify the business
processes that ensure that each transaction that is
originated is properly approved, accurately captured and
processed and owned by someone. There may be so
many processes e.g. Authorizations, Reconciliations-
both external and internal, front and back office,
automated controls, Valuation controls, period end
controls etc. that ensure actual origination of a transaction
and accurate posting in GL.
The Pakistan Accountant 34

Why Documentation is Important
SBP circular BSD-01, dated 13 January 2006 in para 3 (ii)
states that “The system of internal controls so developed
by the banks/DFI's should be properly documented and
made available to the external auditors and the SBP's
inspectors for their review”.
It is therefore important that system designed and in
use by the management should be documented so
that third party i.e. external auditors and SBP
inspectors can review it and ensure that it is
adequately designed and operating effectively.
External auditors also need to give a separate opinion on
the internal controls in addition to their opinion on the
financial statement, although it is related only to the
internal controls over financial reporting. But they must
have something to review before they can give their
opinion on the internal controls.
The documentation should be detailed enough so that a
layperson can understand what is going on by looking at
the document.
Implementation
Implementation of the guidelines is a challenging task,
which is compounded especially for those banks that
need to make significant improvements in their internal
control systems to make up for deferred maintenance of
those systems.
For ease of implementation, it is recommended that all
controls falling under the component of 'control activities'
be treated at detailed level documentation because it is
the component where most of the day to day controls will
fall, and club the rest of the components in “Entity Level
Controls”.
Following are the recommended steps that can help
management in fulfilling part A-1 of “Management
Evaluation” which includes Management responsibilities
with respect to the Design, Operation and Assessment
of the Internal Controls.
1. Documentation at Detailed Level
The requirement laid down in para-A-1 cannot be fulfilled
by the management without documenting the system,
demonstrating that management has established and
continually maintained a sound system of internal controls
which is designed to provide management with
reasonable assurance that reports produced through that
system are reliable and that the controls ensure effective
and efficient operations.
The key business processes and, especially, the material
transactions and related controls need to be documented.
There are various techniques and documentation styles
for completing the documentation. However, manage-
ment needs to complete documentation that:
May-June 2007
Banking
i) Enables a reasonably knowledgeable individual (this
person does not have to be an expert with experience
in the area but should have some knowledge of the
company or its business) to understand the process.
ii) Provides context for the key controls such that a
reasonable person would understand their function.
iii) Details the operation of controls, identifying the
process, who is performing the control (department /
division), name of the policy requiring this process,
what is the frequency, how the control is performed
(manual/automated), what evidence exists that the
control has been performed (i.e. somebody signed it,
somebody reviewed it, or whether it needs to reconcile
with some other information etc.), what is the level of
effectiveness of the control implemented, (high,
medium, low), whether its mitigation is low or medium,
and what reports are used in the operation of the
control, is there a gap etc.
Management should remember that the external auditor
will be assessing whether management's process for
making its assessment for internal control over financial
reporting is adequate. A significant part of that is whether
there is adequate documentation of the processes and
controls on which to base an assessment.
It is critical to establish a change in management process
to ensure that documentation is kept up to date as
processes and controls change.
The documentation should cover the total universe of an
entity which includes all business and support functions;
standard templates in MS-Excel or MS Word may be
designed containing at minimum, the attributes defined in
para-3 above; and document major transaction flows from
front office (origination) to GL posting (conclusion).
a. Overview of Businesses: This includes narratives
detailing the nature of business, including its products,
activities, reporting lines, inherent business and control
risk which provide an overall understanding and view
of the nature and risk of that business/function along
with its place in the organizational hierarchy.
It is important that an owner of the document be
assigned that can help to keep this document current.
b. Process Flowcharts: It is convenient to draw
flowcharts that document the business flows by
businesses or products and record the flow of
transactions from origination to the posting in GL.
Major control points should be identified in the
flowcharts. The ITenvironment in which each business
activity is operating (e.g. systems supporting the
business front-to-back transaction activities through to
The Pakistan Accountant 35

the GL and risk systems) must be identified within the
flowchart. The flowchart should preferably be cross-
referenced with the Control checklist. Format can be
designed in MS-Excel or MS-Visio.
c. Control Document: A control document is a
document that must be prepared for every major
activity by using the attributes defined in 1 (iii) above.
Step-wise business process / control for each activity
under each control objective should be carefully
narrated in this document. It must be signed off by the
owner of the activity/process to ensure its
completeness and accuracy.
This will be a major document and before preparing it,
work related to control mapping defined under the
heading of 'COSO framework' should be completed.
This document will help the external auditors/
inspectors to understand the process and test whether
the process written is actually implemented and is in
force in the banking organization.
A by product of this document is Gap report. A Gap
report is a document which will contain instances
where there is no defined owner of a process, there is
a lack of processes, no explicit policy exists for the
process etc.
It is important to mention that banks should first identify
major activities in a function which should be
documented. For this purpose a committee can be
constituted comprising, Chief Financial Officer, Chief
Internal Auditor, and representative of each business
unit. Chief Financial Officer may chair the committee
which should decide the major activities to be
documented.
d. Testing: The testing of the controls needs to be
performed by competent and trained individuals on a
timely basis and ensure that results are reflective of
actual operations.
This additional review and testing might be performed
by internal audit staff to provide additional assurance
to the management that the process they have
implemented is actually in force.
It also depends on what kind of assurance
management wants to obtain from testing starting from
inquiry (least assurance) and goes to the re-
performance (most assurance). Observation and
examination are other levels of assurance that fall in
between the above two extremes.
There are various testing techniques available. Some
of the techniques available include:
May-June 2007
Banking
w Performance of walkthroughs, which confirm the
adequacy of the documentation as well as the
design of the controls to meet the control objectives.
w Inquiry, examination and inspection of related
documents to confirm that the control appears to be
performed consistently as documented.
w Re-performance of a sample of transactions to
confirm that the control is being performed
effectively.
Test scripts showing the results of the testing should
be retained by the management for review by the
external auditors and SBP inspectors.
2. Review and Monitoring by Management
Internal control is a continuous process, it is not a
one time task, it needs to get continuously reviewed
and monitored by the management to keep it
updated and current.
Review and monitoring is one of the key elements of
internal controls. This can be achieved through
regular meetings of the respective departments
which should review their internal control
documentation and make changes in it so that they
always present the latest system and processes.
This can be achieved through constitution of a
Review Committee with responsibility of regular
reviews. Frequency of reviews can be determined
by the committee with mutual consultation. Factors
which effect the review is the growth of the
organization, existing control environment and gaps
in the controls identified during implementation
exercise. But it should not be less than a year, and
every owner of the document should be required to
review the completeness and ensure that they are
current after which committee should signoff.
Conclusion
The above is a humble effort to provide some ideas to the
banks for implementation of the guidelines; the exact
method and methodology might be different and depends
on case to case basis. But a sincere effort is required from
the management to give importance to this subject.
Outsourcing can help but it has limitations, because the
nature of the process is that it is continuous in nature and
some one from the organization has to take the lead.
Following in spirit is the key, just following in letter to
satisfy regulators or with the objective of getting clean
opinion from external auditors is not the end.
The Pakistan Accountant 36