Ramesh S Arunachalam
Rural Finance Practitioner
I was recently talking to an MFI manager and he said that there is lack of clarity with regard to some of the concepts of internal control systems at MFIs. I attempt to highlight key issues in this post…in a simple and practical manner…
The formality of any control system will depend largely on a MFI’s size, the complexity of its operations, and its risk profile. Less formal and structured internal control systems at community MFIs can be as effective as more formal and structured internal control systems at larger and more complex MFIs. That said, every effective (internal) control system should have the following:
A. A control environment.
B. Risk assessment.
C. Control activities.
D. Accounting, information, and communication systems.
E. Self-assessment or monitoring.
A) The control environment reflects the board of directors’ and management’s commitment to internal control. It provides discipline and structure to the control system. Elements of the control environment include:
1) The organizational structure of the institution. Here, one would look at issues such as:
o Is the MFI’s organization centralized or decentralized?
o Are authorities and lines of responsibilities clear?
o Is there commensurate authority with responsibility to ensure that things get done?
o Are reporting relationships well designed?
o Are there any conflicts of interest
2) Management’s philosophy and operating style. Likewise, the key aspects here are:
Ø Is the MFI’s business strategy formal or informal?
Ø Is its philosophy and operating style conservative or aggressive?
Ø Does it have risk strategies and have they been successful?
3) The integrity, ethics, and competence of personnel.
4) The external influences that affect the MFI’s operations and risk management practices (e.g., independent audits).
5) The attention (time, effort and resources) and direction provided by the board of directors and its committees, especially the audit or risk management committees.
6) The effectiveness (including implementation) of human resources policies and procedures.
B) Risk assessment is the identification, measurement, and analysis of risks, both internal and external, controllable and uncontrollable, at individual unit levels and for the MFI as a whole. Management must assess all risks (including political risk) facing the MFI because uncontrolled risk-taking can prevent the MFI from reaching its objectives or can jeopardize its operations. Effective risk assessments help determine what the risks are, what controls are needed, and how they should be managed. This is something that was, by and large, ignored by many MFIs and it is one of the main reasons for the problems in the ground in Indian micro-finance
C) Control activities are the policies, procedures, and practices established to help ensure that MFI personnel carry out board and management directives at every business level throughout the MFI. These activities help ensure that the board and management act to control risks that could prevent a MFI from attaining its objectives. They should typically include:
· Reviews of operating performance and exception reports. For example, senior management regularly should review reports showing financial results to date versus budget amounts, and the loan department manager should review weekly reports on delinquencies or documentation exceptions.
· Approvals and authorization for transactions and activities. For example, an appropriate level of management should approve and authorize all transactions over a specified limit, and authorization should require dual signatures.
· Segregation of duties to reduce a person’s opportunity to commit and conceal fraud or errors. For example, assets should not be in the custody of the person who authorizes or records transactions. Please see following post on increasing frauds at MFIs: http://microfinance-in-india.blogspot.com/2010/11/has-burgeoning-growth-caused-increasing.html and related post: http://microfinance-in-india.blogspot.com/2011/04/mfi-staff-srinivasi-agent-amulu-and.html
· The requirement that officers and employees in sensitive positions be absent for at least two to three consecutive weeks each year.
· Design and use of documents and records to help ensure that transactions and events are recorded. For example, using pre-numbered documents (receipts) facilitates monitoring.
· Safeguards for access to and use of assets and records. To safeguard data processing areas, for example, a MFI should secure facilities and control access to computer programs and data files.
· Independent checks on whether jobs are getting done and recorded amounts are accurate. Examples of independent checks include account reconciliation, computer-programmed controls, management review of reports that summarize account balances, and user review of computer-generated reports.
In reality, some MFIs have written internal control procedures in all areas but having them (on paper) is not enough. Staff and personnel at various levels must understand control procedures and follow them conscientiously in practice. That is what was missing at some Indian MFIs in the present crisis
D) Accounting, information, and communication systems capture and impart pertinent, timely and reliable/valid (accurate) information in a form that enables the board, management, and employees to carry out their responsibilities. Accounting systems are the methods and records that identify, assemble, analyze, classify, record, and report a MFI’s transactions. Information and communication systems enable all personnel to understand their roles in the control system, how their roles relate to others, and their accountability. Information systems produce reports on operations, finance, and compliance that enable management and the board to run the MFI. Communication systems facilitate dissemination of this information throughout the MFI and to external parties such as shareholders, lenders, investors, regulators, supervisors and clients
E) Self-assessment or monitoring is the MFI’s own oversight of the control system’s performance. Self-assessments are evaluations of departmental or operational controls by persons within the area. Ongoing monitoring should be part of the normal course of daily operations and activities. Internal and external audit functions, as part of the monitoring system, may provide independent assessments of the quality and effectiveness of a control system’s design and performance. All MFI personnel should share responsibility for self-assessment or monitoring; everyone should understand his or her responsibility to report any breaches of the control system.
Thus, a strong control culture at an MFI would typically incorporate qualified personnel, effective risk identification and analysis, clear designation and appropriate separation of responsibilities, accurate and timely flow of reliable/valid information, and established monitoring and follow-up processes[i]. And I hope that Indian MFIs start to review their control systems, using the above (simple) framework and work towards building a better internal control system that is not only appropriate to their operational environment but also the size and complexity of their overall micro-finance operations
Have A Nice Day!
[i] For example, the lending area should have (1) a board of directors active in approving and monitoring loan policies and practices; (2) a loan review function that evaluates the risk and quality of loan portfolios; (3) policies and procedures governing, among other things, types of loans, loan approvals, maturity limits, rate structures, and collateral requirements (if the MFI is using individual lending and is delivering larger livelihood loans); and (4) information systems that allow for proper management and monitoring of the lending area.