BAFL – Applying Internal Controls
PRESENTED BY:

AYESHA SALEEM
JUNAID SALEEM
KAMRAN UL HAQ
MUSTAFA MANSOOR
RABEEA JAWED
CONTROL ENVIRONMENT

MUSTAFA MANSOOR AKHTAR


What is Control Environment

• It refers to the overall attitude, awareness and actions of the
BoD, the relevant committees of the Board, and the senior
management regarding the internal control system and its
importance in the bank.
• Sub-components of the control environment:
  ◦ Integrity, ethical values and competence of personnel
  ◦ Commitment to competence and development of people
  ◦ Management’s philosophy and operating cycle
  ◦ Organizational structure
  ◦ Assignment of authority and responsibility (segregation of duties)
  ◦ HR policies and procedures
  ◦ Participation of those charged with governance (BoD, Board Audit
    Committee, Board Risk Management Committee)
Principles

1. Demonstrates commitment to integrity and ethical values
• Formation of independent committees (Board Audit Committee,
Audit & Inspection Division)
2. Oversight Responsibility
• Delegated to Board Audit Committee
• Charter of the Audit Committee:
  ◦ Independent from the members of management
  ◦ Responsibilities are clearly defined so that the Committee and Management
    understand these responsibilities
  ◦ Appropriate level of involvement of the Committee with the external and
    internal auditors
  ◦ Interaction with key members of financial management on a regular basis (CFO)
  ◦ Committee’s compliance with the local laws and regulations
Principles

3. Establish structure, authority and responsibility

Board of Directors

Board Audit Committee

Audit & Inspection Division


Principles

4. Demonstrates commitment to competence
• Personnel policies include recruiting, developing and retaining
competent people
• Responsibility of the senior management to ensure that the line
management fully understands its control responsibilities
• Senior management specifies the level of competence required for
a particular job. It periodically communicates expectations about
the desired characteristics of the people targeted for hiring
5. Enforces Accountability
• A report is given to the BoD on a quarterly basis, and reasoning
is demanded if there are significant deviations from the
set standards.
RISK ASSESSMENT

RABEEA JAWED
Gearing up for a sprint…

• The BoD and senior management have implemented a sound risk
management framework, which is in line with internal controls. This
framework is evaluated for effectiveness at least once every two years.
• The Board Risk Management Committee and senior management are
responsible for assessing the key business risks and meet on a quarterly
basis to discuss the key risks.
• A dedicated risk management department that maintains close liaison
with the internal audit committee has been set up.
• The concerned HODs are responsible for recognition and assessment of
risks in their business areas. This is then vetted by the HOD of the Risk
Management department, and compiled by him in the form of a Bank-wide
risk inventory. It is reviewed by the General Management Committee and
approved by the Board Risk Management Committee on a periodic basis (at
least annually).
• The policy on controllable/uncontrollable risks.
Setting tolerance levels…

• Risk tolerance levels are specified by the risk management
department and vary from process to process. These limits
are reviewed on a periodic basis and revised as required.
On a quarterly basis the Board Audit Committee reports to
the BoD with respect to deviations. The BoD then demands
reasoning for such deviations. Top management is involved
in setting such limits but, more importantly, since banks are
highly regulated by SBP, compliance with the standards
set by the regulators is good enough.
Assessing risks…

• Bank Alfalah uses RCMs for different business units
to assess the risks inherent in each. The RCMs are a
detailed mapping of the processes of each
department and controls tagged to them.
CONTROL ACTIVITIES

AYESHA SALEEM
Bank Alfalah’s risk appetite

• Low appetite for risk
• BAFL was one of the top 9 banks to adopt COSO, as per SBP
regulation
• Risk philosophy understood but seldom
misinterpreted
• Examples
  ◦ Special facilitation to certain high-net-worth customers
  ◦ Branches often take the risk of providing funds earlier to clients
Risk Mitigation

• BAFL has assumed a top-down, risk-based approach, placing
emphasis on the Entity Level Controls as a starting point
• Process started with these departments:
  ◦ Internal Audit
  ◦ Risk Management
  ◦ Human Resource
  ◦ Compliance
  ◦ Anti-Fraud
  ◦ Information Technology
  ◦ Finance
• Internal Audit & Compliance divisions perform periodic audits to
ensure controls are in place and adhered to.
BAFL Policies for “Control Activities”

• Implemented at all levels of personnel and
throughout the bank
• Contain the following controls:
  ◦ Preventive
  ◦ Detective
  ◦ Manual
  ◦ Computer
  ◦ Management
BAFL Policies for “Control Activities”

• Top Level Reviews
• Direct Functional or Activity Management
• Information Processing
• Physical Controls
• Performance Indicators
• Segregation of duties
• Reporting Lines
• Accountability Mechanism
• Compliance Framework
• Fines & Litigation
• Sensitive positions or Risk-taking activities
Control Activities at BAFL

Internal codes for each equipment


• Each PC has its own code, linked to its user
• Head count reconciled periodically to ensure PCs are there
• If user resigns, PC taken back into IT’s possession or transferred to
a newcomer

Banking software Temenos (T24) replaced Bank Smart
• Used to ensure control activities at every stage
• Fund transfer and withdrawal limits for employees
• Treasury also migrated to this new banking platform

Security management
• Clearance from Administration required if any office material is
taken out of premises
Control Activities at BAFL

Risk Control Matrices


• All significant financial reporting risks be clearly defined, with
assessment of their impact & likelihood
• All relevant financial statement assertions be identified & risks
mapped

Branch Control
• Designated personnel in branches can pass entries
• Each cheque has a unique code

Process Outsourcing
• None of the bank’s activities is outsourced
Control Activities at BAFL

Changes in Organizational Structure


• Centralization of consumer finance &
establishment of consumer finance hubs

Changes in Processes
• Deployment of cash deposit machines to
minimize parallel banking

Internal & External Auditors


• Assess in detail the process of remediation of
gaps and the status thereof
INFORMATION &
COMMUNICATION

KAMRAN UL HAQ
Information & Communication

• The Information and Communication
component supports the functioning of other
components of internal control.

• Information about objectives is gathered
from board and senior management activities
and summarized in a way that every
employee clearly understands the objectives and
their role.

• Identifying information requirements is an iterative and
ongoing process.
Information Sources
1. Internal Sources
a. Audit Inspections
b. Bank Instruction Circular Portal
c. SPM/SOP documents
d. BAFL Information Systems (T-24 / SAP)
e. Employees one-to-one meetings & their feedback
f. Inter Departmental Meetings

2. External Sources
a. Economic & industry trends
b. Peer Banks review Reports (Competitors)
c. Regulatory Body (SBP)
d. Social / Print / Electronic Media
e. Shareholders
Processing Data through Information Systems

Bank Alfalah has acquired an information system (i.e., T-24 & SAP) to
capture and process large volumes of data from internal and external
sources into meaningful information, in the form of reports, to meet
defined information requirements.

Information Quality
Maintaining quality of information is necessary to an effective internal
control system

The quality of information depends on whether it is:


1. Sufficient
2. Timely
3. Current
4. Correct
5. Accessible
6. Protected
7. Verifiable
COMMUNICATION

Internal Communication
• Communication with Personnel: Employee Orientations, Periodic
Employee Awareness Programs, Weekly Inter-Departmental Meetings and
Self-Assessment Reviews.

• Communication with the Board of Directors: official board meetings
held on a quarterly basis between management and the board of directors so
that both have the information needed to fulfill their roles with respect to the
bank’s objectives and provide supervisory guidance to improve the bank’s internal
control process.

• Separate Communication Lines: there are separate communication
channels that are confidential and are used when normal channels are
inoperative or ineffective.
External Communication
The organization communicates with external parties regarding matters affecting
the functioning of other components of internal control.

• Outbound Communications: AGM held every year with external parties,
including shareholders, financial analysts and other external parties.

• Inbound Communications: Open communication channels allow input from
shareholders, external auditors, the regulator (SBP), financial analysts, and others,
providing management and the board of directors a way to improve internal
processes.
Monitoring: An Integral Component of
Internal Control
• Monitoring activities assess whether
each of the five components of internal
control is present and functioning.

• The organization uses ongoing and
separate evaluations to ascertain
whether controls to effect principles
across the entity are functioning.

• Monitoring activities identify and
examine gaps and deficiencies
relating to anomalies and abnormalities.
Monitoring activities generally identify
root causes of such breakdowns.
Fundamentals of Effective Monitoring

Banks usually have strong monitoring policies; BAFL has a strong monitoring
structure (like Credit Monitoring, Risk Monitoring, Bank Operations
Monitoring) to perform monitoring of controls.

Monitoring can be done in two ways:


1. On-going Monitoring
a. Often closer to business operations (Day-to-Day monitoring)
b. Offers earliest opportunity to identify weakness
2. Separate Evaluations
a. Often more objective (conducted periodically)
b. Re-validates results of on-going monitoring.

• BAFL uses ongoing evaluations, which are done by supervisors, internal
audit, self-assessment reviews and compliance reviews; and are performed on
a real-time basis, to react to any change.
RESPONSIBILITIES & LIMITATIONS

JUNAID SALEEM
Limitations

• Human failures such as simple errors or mistakes can lead to
inadequate responses to risk.
• Internal control involves human action, which introduces the
possibility of errors in processing or judgment. Internal control can
also be overridden by collusion among employees (separation of duties)
or coercion by top management.
• It has been widely reported that companies are struggling to apply the
complex model provided by COSO. Many organizations are creating
their own risk-and-control matrix by taking the COSO model and
altering it to focus on the components that relate directly to them.
Limitations

• Enterprise risk management is dependent on human judgment
and therefore susceptible to decision making.
Roles and Responsibilities

• Bank Alfalah’s Chief Executive Officer has overall responsibility
for the management of the company, including the design,
implementation, and monitoring of internal controls more
broadly. The Chief Financial Officer or the Chief Risk
Officer and his or her staff have day-to-day responsibility for
internal controls, which include policies and procedures that:
  ◦ pertain to the maintenance of records that, in reasonable detail, accurately
    and fairly reflect the transactions and dispositions of the assets of the bank;
  ◦ provide reasonable assurance that transactions are recorded as necessary to
    permit preparation of financial statements in accordance with approved
    accounting standards as applicable in Pakistan, and that receipts and
    expenditures of the bank are being made only in accordance with
    authorizations of management and directors of the bank; and
Roles and Responsibilities

  ◦ provide reasonable assurance regarding prevention or timely
    detection of unauthorized acquisition, use, or disposition of the
    bank’s assets that could have a material effect on the financial
    statements.
• The management is also responsible for the design and implementation of
programs and controls to prevent and detect fraud, and for informing the
auditors (i) about all known or suspected frauds affecting the entity
involving the (a) management, (b) employees who have significant roles in
ICFR, and (c) others where the frauds could have a material effect on the
financial statements; and (ii) of its knowledge of any allegations of fraud or
suspected fraud affecting the entity received in communications from
employees, former employees, analysts, regulators, short sellers or others.
The management is also responsible for identifying and ensuring that
adequate controls exist to ensure that the Bank complies with the laws and
regulations applicable to its activities.
Roles and Responsibilities

• The management is responsible for making available all of the records
and related information, and the personnel to whom the auditors may
direct their inquiries;
• The management of the bank is also responsible for:
  ◦ Notifying the auditors of all deficiencies in the design or operation of ICFR reporting
    identified as part of the management’s assessment, including separately disclosing all
    such deficiencies that it believes to be significant deficiencies or material weaknesses
    in ICFR; and
  ◦ Supporting its evaluation of ICFR with sufficient evidential matter, including
    documentation

• The review of the internal controls does not relieve management of
their entire set of responsibilities.
Thank You…!
