Control Policies, Procedures, and Activities
Ramesh S Arunachalam
Rural Finance Practitioner
As part of the Malegam committee recommendations, micro-finance NBFCs are likely to come under the supervision of the RBI, although the recommendations are yet to be accepted by the Central Bank. Likewise, the RBI-appointed working group on NBFC supervision, headed by former RBI deputy governor, Mrs Usha Thorat, should also be recommending strategies for supervision of NBFCs (including NBFC MFIs).
In both cases, supervisors (examiners) would have to look at the formal/informal internal control and monitoring procedures at NBFC MFIs. That said, the key issue here is what questions such supervisors and/or examiners should ask to get appropriate information with regard to the quality of internal controls when they visit these NBFC MFIs. Please note that these same questions are equally valid for bankers and investors who want to understand the quality of internal controls at NBFC MFIs. Likewise, these questions can also be suitably modified and used for MFIs incorporated as section 25 companies, cooperatives and the like.
Accordingly, this post provides a basic DRAFT questionnaire and it should assist supervisors (as well as regulators, examiners, bankers, investors and others) obtain critical information about an MFI’s formal/informal internal control and monitoring procedures. Depending on the specific characteristics and size of the MFI including legal form, the various stakeholders can also add and/or delete questions as appropriate.
Before moving on to the draft questionnaire, two specific issues deserve to be highlighted here. First, supervisors (or other stakeholders intending to judge the quality of internal control) should preferably meet with the MFI’s chief executive officer (CEO), or the person most directly responsible for internal control (if it is not the CEO), to first conduct discussions on several aspects including board and management oversight, segregation of duties, dual control, employee policies, audit functions and the like. Second, they must also obtain and review appropriate reports and other information that substantiate management’s assertions on internal control (e.g., audit engagement letters, internal and external audit reports and management letters/responses, board reports, organizational charts, and policy/procedural manuals). To assist them in the above tasks, a set of key questions is given below:
Board and Management Oversight
- What goals and objectives have you (CEO or person directly responsible for internal control) and the board established for internal control (e.g., management oversight, dual control, rotation of duties, timing/frequency of reconciliations, internal control reviews, risk assessments, and frequency and scope of internal control audits)? Who is chiefly responsible for ensuring that those controls are adhered to? Does any one individual significantly influence board decisions or control activities?
- What accounting and information systems are in place to account for transactions, assets, and liabilities and ensure that risk-taking activities are within policy guidelines?
- What type of operational, financial, managerial, and compliance-related reports does the board receive concerning risk assessments and internal control? How frequently does it receive them? Who is involved in their preparation?
- What written board-approved policies and procedures addressing internal control, risk assessments, and ethics/conduct are in place?
- Who monitors compliance with internal control policies and procedures? Who performs risk assessments? What issues have been noted within the last 12 months?
- Do the board and its representatives have complete access to MFI records?
- How do you establish what are the proper controls for new or significantly revised products, services, or operational procedures? How do you evaluate the risks associated with planned or potential new products or activities or changes to existing products or activities? Are audit or other control review personnel involved when discussing, designing and implementing such products or activities? How are technology issues and risks considered and addressed?
- What new or significantly revised products, services, or operational procedures have you introduced since the last examination (will not apply when the examination happens for the first time)? What do you anticipate introducing within the next 12 months?
- What are the most significant risks facing the MFI today? What processes do you have in place to assess and control those risks?
- In general, describe your internal control process for ensuring segregation and rotation of duties. Are these applied MFI-wide, to all operational areas? If not, why not?
- How do you ensure that the same employee does not originate a transaction, process it, and reconcile the general ledger account? How are approval authorities put in place, communicated to employees, and periodically tested?
- How often does someone independent of a specific function or department review reconciliations and other pertinent internal control to ensure that (1) reconciliations are timely and performed by an appropriate person, (2) out of date items are being researched for disposition, and (3) old items are charged off in a timely manner?
- In general, describe your dual control process over the MFI’s cash, cash collateral, official checks, and other such items.
- How do you ensure you have trained and qualified employees, including back-up employees, for all risk-taking activities and positions in the MFI?
- Do you have employee policies/procedures that assist in detecting breaches of internal control (e.g., pre-employment criminal background investigation, vacation policies, rotation of duty policies, frequency of obtaining employee credit reports, sampling employee accounts, and reporting of policy overrides/exceptions)?
- How do you communicate to employees, and do they understand, their roles in the control system, how their activities relate to others, and their accountability for the activities they conduct?
- How does the board review qualifications and independence of internal and external auditors?
- Does the MFI have an internal audit or other control review function?
- Are any internal audit activities outsourced to another party? If yes, to whom? How are outsourced arrangements and activities supervised and managed?
- Describe the internal auditor’s educational background and experience. Who approves the hiring of key internal audit personnel?
- What other duties does the internal auditor perform?
- To whom does the internal auditor report? Who completes the internal auditor’s annual evaluation?
- Describe the scope and frequency of internal audits.
- Does the audit scope include an assessment of risk and internal control? Is compliance with established ethics/conduct policies periodically tested?
- Who reviews the internal audit report (department head, line manager, senior management, audit committee, board)? How frequent are reports and follow-up reviews? How do you ensure that the board or management is able to understand and act on findings? Who follows up on deficiencies (department head, line manager, internal auditor, Audit Committee)? What tests ensure that corrective action has been implemented? Who does the testing?
- Which of the following types of external audits does the MFI receive:
  - Opinion audit (full financial statements).
  - Attestation report on internal control.
  - Opinion audit (balance sheet only).
  - Agreed-upon procedures (i.e., director’s exam).
- Who performs the MFI’s external audit (independent chartered accountant or other independent party) and how long have they been doing the MFI’s audit work? What was the cost of the most recent audit? What non-audit services does the external auditor or other outside party provide for the MFI? What are the fees for these services?
- Describe the scope and frequency of external audits and non-audit services.
- Is the opinion audit performed according to nationally (and globally) accepted accounting standards? Is the report on internal control performed to attestation standards? For non-opinion audits or internal control attestation engagements, does the scope specifically include an assessment and testing of financial reporting controls or other internal control? If so, who decides which control functions will be tested and validated?
- Who receives and reviews the external audit report or other reports issued by the external auditor (audit committee or board)? How frequent are reports and follow-up reviews? Are reports sufficiently detailed to allow the board or management to understand and act on findings? Who follows up on deficiencies (department head/line manager, auditor, audit committee, etc.)? What tests ensure that corrective action has been implemented? Who does the testing?
- Who determines whether the external audit scope and frequency are adequate? Who ensures that the MFI received what they contracted for? In other words, who ensures that the audit embodies what is in the engagement letter, specifically in the statement of scope?
- How do you (the CEO or person in charge of the internal controls at the MFI) rate your overall internal control and monitoring procedures at the MFI - strong, satisfactory, or weak?
- What areas do you think exhibit the most operational risk given the MFI’s internal control environment, culture, and characteristics including size and growth strategy?
- What areas do you think exhibit the least operational risk given the MFI’s internal control environment, culture, and characteristics including size and growth strategy?
The above starter questions, and others, can be used by supervisors, examiners and other stakeholders to get critical information on an MFI’s internal control systems across a range of activities. And depending on the information received, further examination can be conducted and assessments made…
And before I sign off, I would like to reiterate that we need to build up greater awareness in the entire micro-finance industry with regard to having (high) quality and appropriate internal controls, in real time (and not just on paper) and on the ground. That alone can perhaps be the long-term insurance against AP-like crisis situations in the future…