Ramesh S Arunachalam
Rural Finance Practitioner
Monitoring the quality of internal control at (NBFC) MFIs would become a key task, if the Malegam Committee Report is accepted. And an earlier post already provided a draft suggested questionnaire by which supervisors and examiners can collect basic information on the internal control system at MFIs (http://microfinance-in-india.blogspot.com/2011/04/monitoring-quality-of-internal-control.html)
While that post would enable collection of general information, supervisors/examiners should use appropriate mechanisms/tools to judge the adequacy of internal controls at MFIs and this must be done for each of the components (see post: http://microfinance-in-india.blogspot.com/2011/04/critical-internal-control-components-in.html) of the internal control system given below. This post attempts to provide some practical guidance in this regard:
A) Control Environment
Supervisory Objective: Determine whether the institution’s (MFI’s) control environment embodies the principles of strong internal control. For this, supervisors and examiners need to closely look at:
1. Assess the effectiveness of the control environment. For this, they should look at:
- The integrity, ethics, and competence of personnel at the MFI
- The organizational structure of the institution and its reporting structure
- Management’s philosophy and operating style and especially that of senior and line management
- External influences affecting operations and practices including the lending and equity environment
- Personnel policies and practices and the entire HR system with the kinds of incentives provided
- The attention and direction provided by the board of directors and its committees, especially the audit or risk management committees.
2. Determine whether the board periodically reviews policies and procedures to ensure that proper risk assessment and control processes have been instituted at the MFI.
3. Determine whether there is an audit or other control system in place at the MFI to periodically test and monitor compliance with internal control policies/procedures and to report to the board instances of noncompliance.
- Does the board review the qualifications and independence of internal and external auditors?
- Do auditors report their findings directly to the board or its audit committee?
- Does the board take appropriate follow-up action when instances of noncompliance are reported?
4. Determine whether management provides the board and its representatives complete access to bank records and this is a critical issue
5. Determine whether board decisions are made collectively or whether dominant individuals control those decisions. This again is crucial
6. Determine whether management information systems provide the board with accurate and reliable information that they need to make informed and timely decisions.
7. Determine whether the board receives adequate information about the MFI’s own (internal) risk assessment process and this would applicable for systemically important and large MFIs
8. Determine whether the board and/or management communicate policies regarding the importance of internal control and appropriate conduct to all MFI employees.
9. Determine whether codes of conduct or ethics policies exist at the MFI. This could even by the regulators’ suggested code (like that of RBI) or the codes provided by the various associations (Sa-Dhan or MFIN)
· Do audit or other control systems exist to periodically test for compliance with codes of conduct or ethics policies?
· Do audit or other control system personnel routinely review policies and training regarding ethics or codes of conduct?
B) Risk Assessment[i]
Supervisory Objective: Determine whether the MFI’s risk assessment system allows the board and management to plan for and respond to existing and emerging (including political) risks in the MFI’s activities. For this, supervisors and examiners need to:
1. Determine whether the board and management of the MFI involve audit personnel or other internal control experts in the risk assessment and risk evaluation process.
2. Determine whether the risk assessment/evaluation process involves sufficient staff members who are competent, knowledgeable, and provided with adequate resources.
3. Determine whether the board and management at the MFI discuss and appropriately evaluate risks and consider control issues during the preplanning stages for new products and activities.
4. Determine whether audit personnel or other internal control experts are involved when the MFI is developing new products and activities.
5. Determine whether the board and management of the MFI consider and appropriately address technology issues including for new product development and introduction
C) Control Activities
Supervisory Objective: Determine whether the board and senior management at the MFI have established effective control activities in all lines of business. For this, supervisors and examiners need to:
1. Determine whether policies and procedures exist at the MFI to ensure that decisions are made with appropriate approvals and authorizations for transactions and activities.
2. Determine whether processes exist at MFI to ensure that
- The performance and integrity of each function are independently checked and verified using an appropriate sample of transactions.
- Accounts are reconciled continually, independently, and in a timely manner and that outstanding items, both on- and off-balance-sheet, are resolved and cleared.
- Policy overrides are minimal and exceptions are reported to management.
- Employees in sensitive positions or risk-taking activities do not have absolute control over areas. For example,
Ø Is there segregation or rotation of duties to ensure that the same employee does not originate a transaction, process it, and reconcile it to the general ledger account?
Ø Is there periodic unannounced rotation of duties for employees or vacation requirements that ensure their absence for at least a two-week period?
Ø Are safeguards in place for access to and use of sensitive assets and records?
Ø Is there dual control or joint custody over access to assets (e.g., cash, negotiable collateral, official checks etc)?
3. Determine whether reporting lines within a business unit (branch or regional or state headquarters) or functional area at the MFI provide sufficient independence of the control function.
- Is separation of duties emphasized in the organizational structure?
- Are systems in place to ensure that personnel abide by separation of duty requirements?
- Is there an internal review of employee accounts and expense reports?
- Are personnel accountable for the actions they take and the responsibilities/authorities given to them?
4. Determine whether operating practices at the MFI conflict with established areas of responsibility and control. Examiners should
- Interview line and management personnel.
- Review policies delineating responsibilities.
- Review reconciliations and transaction origination.
- Reviews internal audit work papers.
- Review external audit reports.
5. Determine whether the MFI internal audit or other control review functions are sufficiently independent. Consider:
- Where the function reports, administratively, within the organization.
- To whom, or to what level, the function reports the results of work performed.
- Whether practices conform to established standards.
- Whether management unduly influences the timeliness of risk analysis and control processes.
6. Determine whether the board and senior management at the MFI has established adequate procedures for ensuring compliance with applicable laws and regulations. Examiners should
- Determine the frequency of testing and reporting for compliance with laws and regulations by reviewing:
Ø Audit schedules, scopes, and reports.
Ø Minutes of senior management and board committees.
Ø The payment of any fines or liabilities arising from litigation against the institution or its employees. There have been some such cases with regard to some of the MFIs in India in the past
- Determine whether appropriate attention and follow-up are given to violations of laws and regulations. Consider:
Ø The significance and frequency of the violations.
Ø The willingness and ability to prevent reoccurrence.
D) Accounting, Information, and Communication Systems
Supervisory Objective: Determine whether the MFI’s accounting, information, and communication systems ensure that risk-taking activities are within policy guidelines and that the systems are adequately tested and reviewed. For this, supervisors and examiners need to:
1. Assess the adequacy of accounting systems by determining whether
- The systems properly identify, assemble, analyze, classify, record, and report the institution’s transactions in accordance with national and international standards.
- The systems account for all assets and liabilities involved in transactions.
2. Assess the adequacy of information systems by determining
- The type, number, and depth of reports generated for operational, financial, managerial, and compliance-related activities.
- Whether reports are based on accurate and timely data and sufficient to properly run and control the MFI.
- Whether access to information systems is properly restricted.
3. Assess the adequacy of communication systems by determining whether
- Significant information is imparted throughout the MFI (from the top down and from the bottom up in the organizational chain), ensuring that personnel understand:
Ø Their roles in the control system.
Ø How their activities relate to others.
Ø Their accountability for the activities they conduct.
- Significant information is imparted to external parties such as regulators, shareholders, customers, lenders, investors and others.
4. Assess how frequently and thoroughly the accounting, information, and communication systems are verified. Consider:
- The frequency of testing given the level of risk and sophistication of the systems.
- The sufficiency of ongoing reviews of the systems’ accuracy.
- The competency, knowledge, and independence of the personnel doing the testing.
- The sufficiency of contingency planning.
E) Self-assessment and Monitoring
Supervisory Objective: Determine whether senior management and the board of the MFI properly oversee internal control, control reviews, and audit findings. For this, supervisors and examiners need to:
1. Determine whether the MFI board or a designated board committee has reviewed management’s actions to deal with material control weaknesses and verified that corrective actions are objective and adequate. Consider:
- Minutes of appropriate board and committee meetings.
- Audit or other control review reports and follow-up reports.
2. Determine the frequency and comprehensiveness of reports to the MFI board or board committee and senior management:
- Review the minutes of appropriate board or committee meetings.
- Determine whether the reports are sufficiently detailed.
- Determine whether reports are presented in a timely manner to allow for resolution and appropriate action.
3. Determine the adequacy of the board’s or board committee’s review of audit and other control functions. Consider whether the MFI board or its committee
- Reviewed the qualifications and independence of personnel evaluating controls (e.g., external auditors, internal auditors, or line managers).
- Approved the overall scope of control review activities (e.g., audit, loan review, etc.).
- Reviewed the results of control evaluations.
- Approved the system of internal control.
- Periodically reviews the adequacy of audit or other control systems.
4. Assess the adequacy and independence of the audit or other control review function. Consider:
- Results of audit’s or other control review function’s control evaluation and supporting work papers.
- The function’s organizational structure and reporting lines.
- The scope and frequency of audits or reviews for all activities across the organisation.
- Audit or control review reports, management responses, and follow-up reports.
5. Determine whether MFI management responses to audit or other control review findings are fully documented and tracked for adequate follow-up. Consider whether
· Documentation detailing the coverage, findings, and follow-up of control weaknesses is adequate.
· Management gives appropriate and timely attention to material control weaknesses once identified.
· Line management is held accountable for unsatisfactorily or ineffectively following up on control weaknesses. This is very critical indeed.
When after the above, substantive supervisory concerns about the adequacy of internal control or the integrity of financial reporting controls still exist, supervisors/examiners should consider performing more detailed and additional examination procedures, for those areas of concern. If, after completing those additional procedures, examiners still remain concerned about internal control adequacy or financial reporting control integrity, they should perform appropriate verification procedures to confirm the existence and description of assets.
As an alternative, examiners may require the MFI to expand its own verification program to include the areas of weakness or deficiency; however, this alternative will be used only if management has demonstrated a capacity and willingness to address regulatory problems, if there are no concerns about management’s integrity, and if management has initiated timely corrective action in the past. Use of this alternative must result in timely resolution of each identified supervisory problem. If examiners use this alternative, supervisory follow-up must include a review of work papers in areas where the MFI’s verification program was expanded.
The above aspects should be taken as a starter set and supervisors/examiners, will need to build on these using the day-to-day experience in supervising MFIs…
Have A Nice Day!