Implementing Controls
Naveed Aslam, ACA
Internal controls are the starting point that lead the way to
efficient and effective operations, decrease in cost of doing
business, prevent frauds, reduce operational losses and
produce reliable reporting.
Introduction
Through its circular BSD 07, dated May 27 2004, the State Bank of Pakistan has issued “Guidelines on Internal Controls” for banks. The Guidelines aim to provide guidance to the banks for instituting a sound internal control system. This is a step taken by SBP to fill the gaps in the systems and processes, to make them dynamic and effective, and to enable the banking sector to increase its capabilities for robust risk management and get ready for more sophisticated regulations e.g. Basel II / III.

The Guidelines require the management of the banks to give a statement in the annual financial statement stating their responsibility of:
• Establishing and maintaining a sound system of Internal Controls covering both financial as well as non-financial;
• It also requires Board of Directors to endorse management's statement;
• Over and above, external auditors are required to evaluate that statement and give their independent opinion. However, opinion of external auditors will be restricted to the state of internal controls relevant to Financial Reporting Only.

On the recommendation of the Pakistan Banking Association (PBA), target date for the Implementation has been deferred by SBP three times i.e. from December 31st 2005 to December 31st 2006 and through a circular letter # 3 of BSD dated December 30 2006, SBP has deferred para 7(c) related to the external auditor's attestation of the statement of internal controls.

What are Internal Controls
Internal controls are the starting point that lead the way to efficient and effective operations, decrease in cost of doing business, prevent frauds, reduce operational losses and produce reliable reporting. In general terms, we can say that internal controls are nothing but 'Best Practices': best practices in governance and best practices in management.

Let's have a look into the definition of internal controls given by the COSO framework:

Internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations;
• Reliability of financial reporting;
• Compliance with applicable laws and regulations;
Without going into the details we can see that internal control is not a static, but a continuous process, assisted by the Board and the management. (Therefore, written manuals and drafted policies alone are not internal controls. However, they can be regarded as means of achieving control.)

Unfortunately in the local scenario, management is under the misconception that internal control is the responsibility of either Internal Audit or Finance. Business divisions especially assume that systems and processes are none of their business, and that they can be built in to the organization by internal audit or finance. This single misconception is the most challenging one that needs to be done away with before embarking on the implementation of the guidelines. A strong buy-in from the board and management is very important for this project.

Requirements of the Guidelines
The main focus of this article is the methodologies and steps that may be taken by the management of banks to get these guidelines implemented, i.e. how to begin implementation, and what steps are required to be taken by the banks for its implementation. An effort is being made here to provide guidance so that banks can follow what suits them keeping in view their internal organizational structure.

Relevant section of the guidelines is being reproduced here in italics. For ease of reference paragraphs have been assigned “A” and “A-1”.

All banks/DFIs are required to include a 'Statement on Internal Controls' in their annual reports.

A. That statement should include following:

a. A statement of management's responsibilities for establishing and maintaining adequate internal controls and procedures followed by management's evaluation of the effectiveness of the bank's internal controls;

b. Board of Directors' endorsement of the management's evaluation; and

c. Statutory Auditors' attestation to, and report on, Board's endorsement regarding efficacy of company's internal controls, which are relevant to the financial reporting only. (Implementation of this clause is deferred by SBP through its circular dated 30 Dec 2006)

A-1 Management's evaluation of internal controls may include, but is not limited to;

a. A description of management's responsibilities for establishing and maintaining a system of internal control directly related to, and designed to provide reasonable assurance as to the integrity and reliability of those controls and reports produced therefrom;

b. An assessment of the effectiveness of the company's system of internal control that encompassed material matters; and

c. A statement of how management responded to any significant recommendations concerning its system of internal controls made by its internal as well as external auditors.

COSO Framework
SBP circular BSD-01, dated 13 January 2006 in para 3 (ii) states that “while developing Internal Controls for their Institutions, the banks/DFI's may seek guidance from any well-recognized framework/ international best practice to strengthen their internal controls”.

Therefore, banks have to choose a recognized framework of internal controls, which is detailed enough and provides guidance on the subject.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework is considered industry best practice for defining internal control structures. It defines the following five interrelated internal control components.
1. control environment
2. risk assessment
3. control activities
4. information and communication
5. monitoring and controls

COSO framework may be used by the banks as a benchmark model for defining internal controls.

It is important that as a first step banks should identify through a careful exercise all controls that are already in place and map them with the above COSO control components.

A brainstorming exercise is required to be done here in which major control categories that already exist in banks should be identified.

The next step is to identify the business processes that satisfy the above derived control categories. The idea is to standardize as far as possible and identify the business processes that ensure that each transaction that is originated is properly approved, accurately captured and processed and owned by someone. There may be many such processes, e.g. Authorizations, Reconciliations (both external and internal, front and back office), automated controls, Valuation controls, period end controls etc. that ensure actual origination of a transaction and accurate posting in GL.
the GL and risk systems) must be identified within the flowchart. The flowchart should preferably be cross-referenced with the Control checklist. Format can be designed in MS-Excel or MS-Visio.

c. Control Document: A control document is a document that must be prepared for every major activity by using the attributes defined in 1 (iii) above.

Step-wise business process / control for each activity under each control objective should be carefully narrated in this document. It must be signed off by the owner of the activity/process to ensure its completeness and accuracy.

This will be a major document and before preparing it, work related to control mapping defined under the heading of 'COSO framework' should be completed.

This document will help the external auditors/inspectors to understand the process and test whether the process written is actually implemented and is in force in the banking organization.

A by-product of this document is a Gap report. A Gap report is a document which will contain instances where there is no defined owner of a process, there is a lack of processes, no explicit policy exists for the process etc.

It is important to mention that banks should first identify major activities in a function which should be documented. For this purpose a committee can be constituted comprising the Chief Financial Officer, the Chief Internal Auditor, and a representative of each business unit. The Chief Financial Officer may chair the committee, which should decide the major activities to be documented.

d. Testing: The testing of the controls needs to be performed by competent and trained individuals on a timely basis and ensure that results are reflective of actual operations.

• Performance of walkthroughs, which confirm the adequacy of the documentation as well as the design of the controls to meet the control objectives.
• Inquiry, examination and inspection of related documents to confirm that the control appears to be performed consistently as documented.
• Re-performance of a sample of transactions to confirm that the control is being performed effectively.

Test scripts showing the results of the testing should be retained by the management for review by the external auditors and SBP inspectors.

2. Review and Monitoring by Management
Internal control is a continuous process, not a one-time task; it needs to be continuously reviewed and monitored by the management to keep it updated and current.

Review and monitoring is one of the key elements of internal controls. This can be achieved through regular meetings of the respective departments, which should review their internal control documentation and make changes in it so that it always presents the latest system and processes.

This can be achieved through constitution of a Review Committee with responsibility of regular reviews. Frequency of reviews can be determined by the committee with mutual consultation. Factors which affect the review are the growth of the organization, existing control environment and gaps in the controls identified during implementation exercise. But it should not be less than a year, and every owner of the document should be required to review the completeness and ensure that they are current, after which the committee should sign off.