Internal Control and Compliance: Policy, Organization Structure and Process Guidelines

Speaker
Atul Chandra Pandit, Assistant Professor, BIBM

November 27, 2012

Concept of Control
Control is a three-step process:
1. Setting a standard for a particular task.
2. Comparing actual performance with the standard.
3. Taking corrective action.

Internal Control

Internal control indicates the whole system of controls, whether financial or otherwise, established by the management to carry out business in line with the established policies and objectives of the organization.

Concept of Internal Control

Internal control is the process, effected by the entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives of the management in the effectiveness and efficiency of operations, the reliability of financial reporting and compliance with applicable laws, regulations, and internal and external policies.

Concept of Internal Control?

Internal control consists of the plan of organization and all the related methods and measures adopted within a business to:

1. Safeguard its assets from employee theft, robbery, and unauthorized use.
2. Enhance the accuracy and reliability of accounting records.

Academicians: Weygandt, Kieso, Kimmel

Why Internal Control?


1. It is designed to achieve management objectives effectively and efficiently.
2. It provides reasonable assurance regarding the reliability of financial reporting by ensuring accuracy and completeness in recording transactions.
3. It ensures compliance with relevant laws, regulations, and policies (both internal and external).

Why Internal Control?


4. IC helps to detect and prevent errors, frauds and malpractice.
5. IC safeguards assets from unauthorized use or disbursement.
6. IC protects against the incurrence of improper liabilities.
7. It facilitates internal and external audit.
8. It reduces the control risk.

Components of Internal Control


1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring

Principles of Internal Control


Establishment of responsibility:
most effective when only one person is responsible for a given task

Segregation of duties:
the work of one employee should provide a reliable basis for evaluating the work of another employee

Documentation procedures:
documents provide evidence that transactions and events have occurred

Physical, mechanical, and electronic controls:
safeguarding of assets and enhancing accuracy and reliability of the accounting records.

Physical, Mechanical and Electronic control

Principles of Internal Control

Independent internal verification:
the review, comparison, and reconciliation of information from two sources.

Other controls may include the following:
1. Bonding employees who handle cash.
2. Rotating employees' duties and requiring employees to take vacations, etc.

Limitations of Internal Control


1. Implementation of an internal control system is very costly.
2. Effectiveness of the internal control system depends mostly on the human element, and their fatigue and carelessness may make the costly system worthless.
3. Collusion among the employees may make the system worthless.

Policy Guidelines for Internal Control


Responsibility of the Board of Directors
Responsibility of the Senior Management
Risk Recognition and Assessment
Control Activities and Segregation of Duties
Management Reporting System
Monitoring Activities & Correcting Deficiencies
Role of External Auditors in Evaluating Internal Control System
Regulatory Compliance
Establishment of a Compliance Culture

Responsibility of the Board of Directors

The Board has overall responsibility for:
Establishing broad business strategy, significant policies and understanding significant risks.
Monitoring the effectiveness of ICS through the Audit Committee.
Ensuring that all audit reports will be sent to the board without any intervention of the bank management.
Holding periodic review meetings with the senior management to discuss the effectiveness of the internal control system.

Responsibility of the Senior Management (SM)

SM will form MANCOM which will be responsible for the overall management of the bank. MANCOM will put in place policies and procedures to identify, measure, monitor and control various risks.

MANCOM will put in place an I/C structure which will assign clear responsibility, authority and reporting relationship.

Cont.

MANCOM will monitor the adequacy and effectiveness of ICS according to the bank's established policy and procedure. MANCOM will review on a yearly basis the overall effectiveness of the control system and provide a certification to the Board on the effectiveness of internal control policy, practice and procedure.

Risk Recognition and Assessment

An effective ICS continually recognizes and assesses all of the material risks that could adversely affect the achievement of the bank's goals. Effective risk assessment must identify and consider both internal and external factors. Internal factors include complexity of the organization structure, the nature of a bank's activities, the quality of personnel, organization changes and also employee turnover. External factors include fluctuating economic conditions, changes in the industry, socio-political realities and technological advances. Risk assessment by ICS (Compliance) differs from the business risk management process (Business Strategy).

Control Activities and Segregation of Duties

Control activities involve two steps: (1) the establishment of control policies and procedures and (2) verification that the control policies and procedures are being complied with. ICS requires that there is appropriate segregation of duties and personnel are not assigned conflicting responsibilities. Employees must also be provided with necessary authority which will ensure segregation of duties.

Cont.
Each employee should have an appropriate job description. Areas of potential conflicts of interest should be identified, minimized and subject to careful independent monitoring.

Management Reporting System


Effective ICS requires that there is an effective reporting system of information that is relevant to decision making. The information should be reliable, timely, accessible and provided in a consistent format. Information should include external market information and internal information. There should be appropriate committees within the organization that would evaluate data received through various information systems. This will ensure supply of accurate information to the management.

Monitoring Activities & Correcting Deficiencies


Key risk factors and ICS should be monitored on an ongoing basis. The significant deficiencies identified by the audit team should be reported to the board and be corrected. Material internal control deficiencies should be reported to senior management and the board of directors with recommendations where necessary.

Role of External Auditors in Evaluating ICS.

External Auditors by dint of their independence from the management of the bank can provide unbiased recommendation on the strength and weakness of the internal control system of the bank. They can examine the records, transactions of the bank and evaluate its accounting policy, disclosure policy and methods of financial estimation made by the Bank; this will allow the board and the management to have an independent overview on the overall control system of the bank.

Regulatory Compliance
The Central Bank is the primary regulator of banks. In addition, the Tax Authority, Registrar of Joint Stock Company, Finance Ministry etc. are different types of regulatory bodies whose directives have significant impact on banks' business. ICS must be designed in such a manner that compliance with regulatory requirements is recognized in each activity of the bank.

Cont.
The bank must obtain regular information on regulatory changes and distribute it among the concerned departments, so that they can take necessary action to adapt to such changes. The bank must develop an effective communication process that will allow smooth distribution of relevant regulations among different departments and personnel.

Ensuring a Compliance Culture

For establishing a compliance culture within the bank, the board of directors and the senior management must maintain and promote a high level of integrity and ethical standards. The bank should avoid policies and practices that provide inadvertent incentive for inappropriate activities, such as undue emphasis on performance targets or operational results, particularly short-term ones that ignore long-term risks, and compensation schemes that overly depend on short-term performance. The BOD and the senior management may establish a Code of Ethics that all levels of personnel must sign and adhere to.

Organization Structure

Structure for Internal Control System

Structure of the Internal Control Unit

Structure for Internal Control System


The essence of the ideal organizational structure is the segregation of duties. The bank should, depending on the structure, size, location of its branches and strength of its manpower, try to establish an organizational structure that allows segregation of duties among its key functions such as marketing, operations, credit, financial administration etc. Where such segregation is not possible, there must be a monitoring mechanism that is independently reviewed to ensure all policies and procedures are followed at the branch level.

Structure of the Internal Control Unit

A separate organizational structure is preferable for this unit. The head of the internal control unit should have a reporting line with the bank's board and MD. The unit should be adequately staffed so that it can perform its duty properly.

[Organization chart: Board of Directors; Managing Director; Head of Internal Control and Compliance; Head of Audit & Inspection; Head of Compliance; Head of Monitoring; Regional Compliance Officer; Regional Officers; Zonal Audit or Special Audit]

Organization Structure

Cont.
The compliance unit will be responsible for ensuring that the bank complies with all regulatory requirements while conducting its business. The monitoring unit will be responsible for monitoring the operational performance of various branches. The audit team will perform periodic and special audits.

3. Process Guidelines

Credit Policy Manual/Guideline
Operations Manual
Finance & Accounting Manual
Treasury Manual
HR Policy Manual
Internal Control Manual

Credit Policy Manual / Guideline


This manual should highlight the process of credit proposals, obligor risk rating, approving credit limit, disbursement of loans, monitoring of credit risk etc.
Risk classes, lending limits and credit authorities
Lending guidelines
Approval processes
Documentations
Secured loans and collaterals

Operations Manual

This manual should contain the role of credit administration, trade finance, reconciliation, cash, client service, treasury back office etc. It should also reflect a clear guideline regarding Anti-Money Laundering activity in order to protect the bank's interest. Credit administration will be responsible for monitoring of limits and outstanding as per credit approval.

The basic contents of operations manuals are:
Account opening and closing
Check clearing
Cash & teller operations
Payment monitoring procedures
Nostro account reconciliation
Payment monitoring procedures
Letters of credit, collection
Loan administration
Treasury operations
Anti-money laundering procedures

Finance & Accounting Manual


This manual should cover all financial activities regarding income and expenditure of a bank. The department will check whether there is any exaggeration of expenditure where control is necessary. It will also ensure the profitability of the bank by projecting income and expenditure and thereby achieving the ultimate target profit. Various types of management reports are to be submitted from this department as per the time schedule.

Cont.
Treatment of land, building & equipment
Capital adequacy and shareholders' equity
Treatment of expenditures
Commission, fees and revenues
Income tax procedures
Write-off procedures

Treasury Manual
The manual should include guidelines for managing the bank's funds properly and profitably.
Liquidity
Investments
Capital management
Dealing room activity
ALCO

HR Policy Manual
They will, at first, ensure the proper distribution of available human resources in the internal structure of the bank. They will ensure staff welfare, which will ultimately encourage people and create a healthy working atmosphere.

Cont.
Recruitment policy
Background checking policy
Leave policy
Compensation policy
Reward and recognition policy
Termination & retirement policy
Promotion and increment policy
Training guidelines

Internal Control Manual

This manual should contain three parts internal control over the operating activities of bank (here, audit means the internal audit). They will monitor the functions of various departments of the bank periodically on a regular basis. Depending on the requirement, they should carry out inspections and surprise inspections in order to help avoid any fraudulent activities, which in turn would strengthen the bank in setting up a sound structural base.
Know your customer policy
Code of conduct/Ethics
Gift giving and acceptance
Monitoring procedures
Audit guidelines

Internal Control Process


Departmental Control Function Checklist
Loan Documentation Checklist
Quarterly Operations Report
Risk Analysis of Control Functions
Monitoring & follow-up
Reporting
Compliance Process
Audit Procedure

Departmental Control Function Checklist


a) The guideline/procedure deals with matters relating to review/verification of departmental functions to ensure that prescribed procedures are being followed by each department.
b) All departments are required to check that prescribed controls are being observed and laid-down procedures are not overlooked or relaxed.

Departmental Control Function Checklist


c) Departmental Managers, Line Managers, Branch Managers will review the DCFCL to ensure that control functions are performed and documented in the control sheets (Appendix 1) at the prescribed frequencies, i.e. daily, weekly, monthly and quarterly.
d) The DCFCL Checklist should be retained with the branch/departments for future inspection by Internal Control and Senior Management.

Quarterly Operations Report


c) Departmental Managers, Line Managers, Branch Managers will review the DCFCL to ensure that control functions are performed and documented in the control sheets (Appendix 1) at the prescribed frequencies, i.e. daily, weekly, monthly and quarterly.
d) The DCFCL Checklist should be retained with the branch/departments for future inspection by Internal Control and Senior Management.

Thanks
