Where Angels Prey

Where Angels Prey is a novel by Ramesh S Arunachalam. Please refer to www.whereangelsprey.com for more information

Friday, April 29, 2011

Building The Internal Audit Function at MFIs: The Need For Independence, Authority and Competence For Internal Auditors…

Ramesh S Arunachalam
Rural Finance Practitioner  

Internal auditors (at MFIs as well as other entities) must be independent of the activities they audit so that they can carry out their work freely and objectively. They must render impartial and unbiased judgments. The internal auditor or the manager (director) of internal audit should report directly and regularly to the board of directors.

While many MFIs still have very nascent internal audit operations, in some large MFIs, the internal audit function is made a part of a group that manages or controls the MFI’s risk management activities. This arrangement may be satisfactory as long as the audit function functionally reports directly to the board and retains its independence. If the internal audit manager reports to a senior executive on day-to-day administrative issues, then, the board must take extra and special measures to ensure that the relationship does not impair the auditor’s independence or unduly influence the auditor’s work. And in micro-finance as well other fields, this has proved difficult and therefore ensuring that the internal audit department head reports directly to the board or a board sub-committee (like audit committee) is perhaps the best option.

In reality, the board should be and is responsible for delegating the authority necessary to effectively allow internal auditors to perform their job. Thus, internal auditors must have the power to act on their own initiative in all departments, functions and units in the MFI; to communicate directly with any MFI personnel; and to gain access to all records, files, or data necessary for the proper conduct of the audit. Clear communication between the board, the internal auditors, and management is critical to timely identification and correction of weaknesses in internal controls and operations.

Internal audit staff should also possess the necessary knowledge, skills, and disciplines to successfully implement the audit program at the MFI in a proficient and professional manner. The evolving roles of internal auditors require that they expand their skills in analysis, technology, decision-making, and communication. At a minimum, members of the audit staff should:
·         Have appropriate education and/or experience, relevant to micro-finance and social development
·         Have organizational and technical (financial) skills commensurate with the responsibilities assigned and they should be familiar with micro-finance models and operations
·         Be skilled in oral and written communication
·         Understand accounting and auditing standards, financial principles, and related techniques
·         Recognize and evaluate the materiality and significance of deviations from sound micro-finance practices, and 
·         Recognize existing or potential problems and expand procedures as applicable

Thus, it is important for each member of the internal audit staff, including the audit manager or director, to commit to a program of continuing education and development, especially in line with the new developments in micro-finance. Hence, deputing them to courses and seminars offered by special institutions like CGAP (and others), industry associations or audit industry groups is a must and should afford them the required opportunities for maintaining audit skills and proficiency, especially with regard to the evolving micro-finance industry. In-house training programs, work experience in various departments and field areas at the MFI, and reviewing current literature on auditing and micro-finance/banking are also means to maintain and enhance auditing skills.

To summarise, internal auditors play a very fundamental role in ensuring the integrity of the various systems at MFIs and therefore, it is important that they are given the necessary authority, independence and skills/knowledge to effectively perform their crucial tasks.

Have a Nice Day!

Who is An Independent Director and Who Should be Treated As An Independent Director: Some Suggested Standards For Adoption by MFIs…

Ramesh S Arunachalam
Rural Finance Practitioner

The issue of independence of “independent directors” is a very critical one with regard to Corporate Governance and the same applies to MFIs as well. How to make this determination of a director’s independence? What criteria are used globally and what can be effectively used in micro-finance and especially in India.

Some suggestions are provided in this post and I also provide a comparative analysis of what top global corporate governance frameworks suggest with regard to director independence in a separate accompanying post. Read on…

For an MFI Director to be considered independent, it must affirmatively be determined that the Director has no material[i] relationship (whether financial, business, personal or otherwise) with the MFI or any of its sister concerns or subsidiaries or affiliates, either directly or as a partner, shareholder or officer or employee of an organization which in turn has a relationship with them.  This is very critical.

In my opinion, in making the determination of independence, a Director’s relationships can be deemed immaterial as long as the following standards are met: 

1.      The Director is not, and has not been within the previous three years, an employee of the MFI or any of its subsidiaries or affiliates or sister concern.

2.      No member of the Director’s immediate family[ii] is, or has been within the previous three years, an executive officer of MFI or any of its subsidiaries or affiliates or sister concerns

3.      Neither the Director nor any member of his or her immediate family has received, during any twelve-month period within the previous three years, more than INR 1.2 Million[iii] in direct compensation from the MFI or any of its sister concerns or subsidiaries or affiliates (including, without limitation, any consulting, advisory or other compensatory fees) except (a) fees which the MFI pays to its Directors for their services as members of the Board and members or Chairs of Board Committees and (b) fixed amounts of deferred compensation for prior service, which is not contingent in any way on continued service; provided that compensation paid to an immediate family member for service as an employee other than an executive officer will not be considered in determining the Director’s independence so long as the compensation is comparable to the compensation paid to other similarly situated employees.

4.      The Director is not a partner or an employee with a firm that is the internal or external auditor for MFI or any of its sister concerns or subsidiaries or affiliates; nor is any member of the Director’s immediate family a partner with such a firm or an employee who participates in the firm’s audit and/or tax compliance practice (as well as similar tasks); nor has the Director or any member of the Director’s immediate family within the previous three years been a partner or employee with such a firm who within that time has personally worked on the audit of MFI or any of its sister concerns or subsidiaries or affiliates.
5.      Neither the Director nor any member of his or her immediate family is employed, or has been employed within the previous three years, as an executive officer of any company whose compensation committee at the same time included an individual who currently serves as an executive officer of MFI or any of its sister concerns or subsidiaries or affiliates.

6.      The Director is not an employee, nor is any member of his or her immediate family an executive officer, of another company as to which payments by MFI to that company, or from that company to MFI, including their respective subsidiaries and affiliates or sister concerns, for property or services have exceeded more than 2% of the other company’s consolidated gross revenues, in any of the other company's past three fiscal years.

However, notwithstanding anything to the contrary in the standards #1 through #5 above, any MFI shall not treat as categorically immaterial, but instead will discuss case by case and will disclose, (i) any relationship between a Director and MFI or any of its sister concerns or subsidiaries or affiliates that is required to be disclosed under the relevant section of the Indian Companies Act, 1956 (and other SEBI/RBI directives from time to time) and (ii) any contributions made by MFI or any of its sister concerns or subsidiaries or affiliates to any tax-exempt organization of which a Director serves as an executive officer if, within the preceding three years, such contributions in any single fiscal year exceeded 2% of the tax-exempt organization’s consolidated gross revenues.

Likewise, an MFI Director will be deemed to meet special independence standards required of Audit Committee members if the Board of Directors determines that the Director qualifies as independent under the above-described standards and that the Director meets the following additional criteria:

A.      The Director has received no direct compensation from MFI or any of its sister concerns or subsidiaries or affiliates (including, without limitation, any consulting, advisory or other compensatory fees) except (a) fees which MFI pays to its Directors for their services as members of the Board and members or Chairs of Board Committees and (b) fixed amounts of deferred compensation for prior service, which are not contingent in any way on continued service.

B.     The Director is not an affiliate of MFI (i.e., not controlling, controlled by, or under common control with, the MFI), such as a 2% plus shareholder.

C.     The Director is not providing simultaneous service as an Audit Committee member in audit committees of more than 3 companies (or MFIs) at any point in time

I hope that the industry associations in India (Sa-Dhan and MFIN), regulators, supervisors, lenders, investors and other stakeholders provide due thought to this very critical aspect of director independence. They would also need to establish guiding benchmarks for the various compensations issues given above and ensure the implementation of these standards on the ground as only “real” independent directors can enhance the quality of Corporate Governance (in Indian MFIs), which is certainly at a low ebb...

Have A Nice Day!

[i] "Materiality" is to be considered from the standpoint of the Director and that of each person or organization with which the Director is affiliated, including organizations of which the Director is a partner, shareholder or officer. The determination that, as to each Director individually, there is no material relationship (whether financial, business, personal or otherwise) will have to be made after due consideration of the information provided by the Director and any other information that may be known to the Board. The purpose is ultimately to determine whether a Director has any relationship with the MFI that may interfere with the exercise of the Director’s independence with regard to the MFI and its management.
[ii] "Immediate family" means a Director's spouse, parents, stepparents, children, stepchildren, siblings, mothers- and fathers-in-law, sons- and daughters-in-law, brothers- and sisters-in-law, and any person (other than a tenant or employee) who comprise the Director’s household but not the physical space necessarily
[iii] This is a suggested number and has to be debated further and decided accordingly, as per consensus.

Defining Independence of Directors in Boards: What Micro-Finance Can Learn From Four Global Corporate Governance Frameworks?

Ramesh S Arunachalam
Rural Finance Practitioner

The topic of independent directors in any organization (especially, companies) has been long debated globally for several reasons: (1) Conflicts of interest hinder judgment and affect decision-making; (2) Judgment and decision-making are what directors are asked to do; and (3) Directors must feel free to think, express, question and decide in the interest of those they represent. And all of these apply very much to micro-finance institutions as well, where the last year or so, especially seen a lot of (negative) publicity with regard to Corporate Governance and role of independent directors at MFIs.

In his now famous EPW article, Prof Sriram (2010) raises several critical issues with regard to conflicts of interest and enforcing independence. The debate has widened to encompass not only the role of independent directors but also that of nominee directors from institutions like SIDBI and several questions continue to be raised regarding real and potential conflicts of interest as well as enforcement of independence on the ground. Some of the key issues that the micro-finance industry continues to grapple with are: (a) Does a board need to have clear guidelines with regard to conflicts of interest that must be disclosed?; (b) Who discloses conflicts?; (c) To whom are conflicts disclosed?; (d) What happens if conflicts are not disclosed?; (e) What if conflicts are disclosed later?; and (f) What if, not all is disclosed to the Board and/or to shareholders?

While the above issues need to be addressed squarely and fairly and there can be no compromise with regard to that, some guidance for this can also be had from the definition of independence as per four major global corporate governance frameworks – in fact, they should serve to better guide the micro-finance industry where corporate governance is still rather nascent and independence of directors at MFIs has come under serious scrutiny. Read on…

The salient features from the four global Corporate Governance frameworks, witrh regard to the definition of independence, are summarized as under:

Sarbanes-Oxley, (USA):
An independent director is a member who, other than in his capacity as a board member may not (a) accept any consulting, advisory; or other' compensatory fee from the company; or (b) be an affiliated person of the company or any subsidiary thereof and other advisers, as it determines necessary to carry out its duties.

India-SEBI Amended-Clause 49:
An independent director is a non executive director of the company who:
a.      apart from receiving directors' remuneration does not have any material pecuniary relationships or transactions with the company... which may affect independence of the director;
b.      is not related to the promoters or persons occupying management positions at the board level or at one level below the board;
c.      has not been an executive of the company in the immediately preceding three financial years;
d.      is not a partner or an executive or was not partner or an executive during the preceding three years, of any of the following: (i) the statutory audit firm or the internal audit firm that is associated with the company, and (ii) the legal firm(s) and consulting firms(s) that have a material association with the company;
e.      is not a material supplier, service provider or customer or a lessor or lessee of the company, which may affect independence of the director; and
f.        is not a substantial shareholder of the company, i.e., owning two percent or more of the block of voting shares. (Note: Nominee directors appointed by an institution which has invested in or lent to the company shall be deemed to be independent directors[i])

OECD Principles:
The OECD principles have no prescribed definition of independence. Boards are required to ensure that non- executive board members are capable of exercising independent judgment to tasks where there is a potential conflict of interest and declare the criterion for judging a board member to be independent.

King II, South Africa:
An independent director is one who:
a.      is not a representative of a shareowner who has the ability to control or significantly influence management,
b.      has not been employed by the company or the group in any executive capacity for the preceding three financial years,
c.      is not a member of the immediate family of an individual who is or was in the past three years, employed by the company or the group in an executive capacity,
d.      is not a professional advisor to the company or group other than in a director capacity,
e.      is not a significant supplier to, or customer of the company or group,
f.        has no significant contractual relationship with the company or group,
g.      is free from any business or other relationship which could be seen to materially interfere with the individual's capacity to act in an independent manner.

As evident from above, most global frameworks define independence in terms of ownership of shares, contracts and services rendered, relationships, family ties and the like. While this is indeed important, we also need to pay attention to two other aspects of effective independence – in terms of directors being “independent minded” and also showing the necessary “commitment” in terms of time, knowledge and effort invested in carrying out their duties. And one final aspect that also needs attention is the issue of selection of independent directors in terms of: (a) Who selects directors?; (b) How are they selected (pool, resources, interviews)?; (c) Who determines their independence?; (d) Who elects directors?; (e) Who evaluates directors?; and (f) Who removes directors?. And unless MFIs consciously attempt to be transparent in these aspects, as Mr Damodaran, former SEBI chairman, has said, ‘promoters, founders and CEO’s are likely to fill their boardrooms with people who are more of nodders and often older than the furniture in the boardrooms’ and Corporate Governance will remain an elusive dream at best

I sincerely hope that the micro-finance industry in general and MFI associations (sa-Dhan and MFIN) in particular, are able to draw on the above comparative analysis and critical issues to establish appropriate governance standards for “independent directors” at MFIs and also facilitate their adoption in real time…That alone will prevent Satyam[ii] like situations in Indian micro-finance in the future…

Have A Nice Day!

[i] This is taken up in a separate post
[ii] The Satyam referred to here is the former IT Corporate Group under (the now disgraced) Mr Ramalinga Raju

Thursday, April 28, 2011

Risk Management Systems in MFIs: Three Critical Aspects For Supervisory Examiners, Regulators, Bankers, Investors and Other Stakeholders…

Ramesh S Arunachalam
Rural Finance Practitioner  

Please recall that the Malegam committee report has recommended on-site supervision of large NBFC MFIs (although it is yet be accepted by the RBI). The key issue is that if the MCR proposals are accepted, then, supervisors will have to carry on examinations in such large NBFC MFIs, which would be some kind of a first for them. This post seeks to highlight some critical risk management issues for such supervisory/examination missions as well as the monitoring visits undertaken by bankers, investors and others including credit rating agencies. Read on…    

First, when examiners or other stakeholders assess risk management systems, they need to consider the MFI’s policies, processes, personnel, and control systems. If any of these areas is deficient, so is the MFI’s risk management. 

·         Policies are statements of actions adopted by the MFI to pursue certain results. Policies often set standards (on risk tolerances, for example) and should be consistent with a MFI’s underlying mission, values, and principles. A policy review should always be triggered when a MFI’s activities or standards change. The burgeoning growth experienced by the large Indian MFIs from April 2007 onwards should have prompted this…

·         Processes are the procedures, programs, and practices that impose order on the MFI’s pursuit of its objectives. Processes define how daily activities are carried out. Effective processes are consistent with the underlying policies and are governed by appropriate checks and balances (e.g., internal controls). Again, the phenomenal growth and the kind of results achieved in expanding client and portfolio outreach during the period April 2007 to March 2009 in India should certainly have caused the micro-finance industry (all stakeholders) to closely look (inward) at key processes. In fact, this would have clearly shown that the desire for faster growth and greater efficiency perhaps resulted in MFIs adopting short cuts in the various processes. Much of the process mapping and re-engineering done during this period achieved one impact very successfully – it reduced client level interaction and simply eliminated client relationship building in several places, to help MFIs gain efficiencies. Soon MFIs were just talking to various kinds of intermediaries (call them agents or business correspondents and the like) to add more clients and get them quicker than competition

·         Personnel are the MFI staff and managers that execute or oversee processes. Personnel should be qualified and competent, and should perform as expected. They should understand the MFI’s mission, values, policies, and processes. MFIs should design compensation programs to attract, develop, and retain qualified personnel. In addition, compensation programs should be structured in a manner that encourages strong risk management practices. Transformation (a key happening in Indian micro-finance) and consolidation present complicated personnel challenges. Any MFI transformation plan should lay out strategies for adding/retaining staff essential to risk management. Now, the huge growth in the aforementioned period coupled with fast rapid transformation meant that staff turnover was very high and all and sundry were hired and put into positions, without requisite training and orientation. In fact, because the staff were not committed to the original mission, in many MFIs, the mission that percolated to the field got hugely diluted and was focused on mindless and reckless growth, without considering the risks. Frauds and related strategies (like agency micro-finance model) were increasingly used to add more clients in a short time. Overall, the above factors again led to critical risk management issues being given a go by – in many cases, they existed on paper at the headquarters or regional offices but were hardly evident during implementation.

·         Control systems are the tools and information systems (e.g., internal/external audit programs) that MFI managers use to measure performance, make decisions about risk, and assess the effectiveness of processes. Feedback should be timely, accurate, and pertinent.  Now, when policies, processes and personnel are out of tune and literally perpetuate risk management, control systems will not work on the ground and that is what happened from April 2007 onwards in many MFIs

Thus, as noted above, it is critical for stakeholders to look at MFI policies, processes, personnel and control systems to come to a proper conclusion with regard to the MFI’s risk management system. 

Second, because market conditions and MFI structures vary, no single risk management system may work for all kinds of MFIs. The sophistication of risk management systems should be proportionate to the risks present and the size and complexity of an MFI, its operational environment and the like. As an MFI grows more diverse and complex in terms of its products, delivery models, capital sourcing, client demographics and the like, the sophistication of its risk management must also keep pace. Thus, risk management systems of large MFIs must be sufficiently comprehensive to enable senior management to identify and effectively manage the risk throughout the MFI’s diverse operations. Two other aspects deserve special mention here: a) In large MFIs, the focus of (examination) would have to be on the overall integrity and effectiveness of risk management systems; and b) Periodic validation must be a vital component of such large MFI examinations as only then can the integrity of these risk management systems over time be assessed. 

Third, sound risk management systems should be able to identify the key risks, measure them appropriately, monitor it continuously and control them where possible and necessary. These aspects are described below:

·         Identify risk: To properly identify risks, an MFI must recognize and understand existing risks and risks that may arise from new business initiatives, including risks that originate in sister institutions (subsidiaries in case of MFI holding companies) and/or affiliates, and those that arise from external market forces, or regulatory or statutory changes. Risk identification should be a continuing process, and should occur at both the transaction and portfolio level. A MFI must also identify interdependencies and correlations, across portfolios and lines of business, that may amplify risk exposures. Proper risk identification is critical for MFIs undergoing transformation (from one legal form to another) and consolidations to ensure that risks are appropriately addressed. Risk identification in transforming and consolidating MFIs begins with the establishment of uniform definitions of risk; a common language helps to ensure the success of transformation and consolidation.

·         Measure risk: Accurate and timely measurement of risk is essential to effective risk management. A MFI that does not have risk measurement tools has limited ability to control or monitor risk levels. Further, more sophisticated measurement tools are needed as the complexity of the risk increases. An MFI should periodically test to make sure that the measurement tools it uses are accurate. Sound risk measurement tools assess the risks of individual transactions and portfolios, as well as interdependencies, correlations, and aggregate risks across portfolios and lines of business. During MFI transformations and consolidations, the effectiveness of risk measurement tools is often impaired because of the technological incompatibility of the transforming systems or other problems of integration – I have seen this in some of the largest India MFIs that transformed activities from a society/MBT to an NBFC and the MIS and related integration was simply out of tune. Consequently, the resulting (new) company must make a concerted effort to ensure that risks are appropriately measured across the consolidated entity. Larger, more complex MFIs must assess the effect of increased transaction volume across all risk categories.

·         Monitor risk: MFIs should monitor risk levels to ensure timely review of risk positions and exceptions. Monitoring reports should be timely, accurate, and informative and should be distributed to appropriate individuals to ensure action, when needed. In many cases, I have seen reports being generated but gathering dust. Further, for large and complex MFIs, monitoring is essential to ensure that management’s decisions are implemented for all geographies, products, and legal entities (including Mutual Benefit Trusts – MBTs, that are a part of many Indian MFIs).

·         Control risk: MFIs should establish and communicate risk limits through policies, standards, and procedures that define responsibility and authority. These limits should serve as a means to control exposures to the various risks associated with the MFI’s activities. The limits should be tools that management can adjust when conditions or risk tolerances change. MFIs should also have a process to authorize and document exceptions or changes to risk limits when warranted. In MFIs transforming or consolidating, the transition should be tightly controlled; business plans, lines of authority, and accountability should be clear. Large, complex MFIs should have strong risk controls covering all geographies, products, and legal entities to prevent undue concentrations of risk.

Again, while the field of risk management is at its nascent best in Indian micro-finance, that should not deter us from asking the right questions during monitoring and supervisory examinations and I hope that various stakeholders involved in this crucial aspect recognize and seek to redress this on the ground in real time…

Have A Nice Day!

Monitoring The Quality of Internal Control in MFIs: Suggested Guiding Questions for Bankers, Investors, Regulators, Supervisors and Other Stakeholders…

Ramesh S Arunachalam
Rural Finance Practitioner  

As part of Malegam committee recommendations, micro-finance NBFCs are likely to come under supervision of the RBI, although the recommendations are as yet to be accepted by the Central Bank. Likewise, the RBI appointed working group on NBFC supervision, headed by former RBI deputy governor, Mrs Usha Thorat should also be recommending strategies for supervision of NBFCs (including NBFC MFIs).

In both cases, supervisors (examiners) would have to look at the formal/informal internal control and monitoring procedures at NBFC MFIs. That said, the key issue here is what questions should such supervisors and/or examiners ask to get appropriate information with regard to the quality of internal controls when they visit these NBFC MFIs. Please that these same questions are equally valid for bankers and investors who want to understand the quality of internal controls at NBFC MFIs. Likewise, these questions can also be suitably modified and used for MFIs incorporated as section 25 companies, cooperatives and the like.

Accordingly, this post provides a basic DRAFT questionnaire and it should assist supervisors (as well as regulators, examiners, bankers, investors and others) obtain critical information about an MFI’s formal/informal internal control and monitoring procedures. Depending on the specific characteristics and size of the MFI including legal form, the various stakeholders can also add and/or delete questions as appropriate.

Before moving on to the draft questionnaire, two specific issues deserve to be highlighted here. First, supervisors (or other stakeholders intending to judge quality of internal control) should preferably meet with the MFI’s chief executive officer (CEO), or the person most directly responsible for internal control (if it is not the CEO), to first conduct discussions on several aspects including board and management oversight, segregation of duties, dual control, employee policies, audit functions and the like. Second, they must also obtain and review appropriate reports and other information that substantiate management’s assertions on internal control (e.g., audit engagement letters, internal and external audit reports and management letters/responses, board reports, organizational charts, and policy/procedural manuals).  And to assist them in the above tasks, a set of key questions are given below:

Board and Management Oversight
  1. What goals and objectives have you (CEO or person directly responsible for internal control) and the board established for internal control (e.g., management oversight, dual control, rotation of duties, timing/frequency or reconciliations, internal control reviews, risk assessments, and frequency and scope of internal control audits)? Who is chiefly responsible for ensuring that those controls are adhered to? Does any one individual significantly influence board decisions or control activities?
  2. What accounting and information systems are in place to account for transactions, assets, and liabilities and ensure that risk-taking activities are within policy guidelines?
  3. What type of operational, financial, managerial, and compliance-related reports does the board receive concerning risk assessments and internal control? How frequently does it receive them? Who is involved in their preparation?
  4. What written board-approved policies and procedures addressing internal control, risk assessments, and ethics/conduct are in place?
  5. Who monitors compliance with internal control policies and procedures? Who performs risk assessments? What issues have been noted within the last 12 months?
  6. Do the board and its representatives have complete access to MFI records?
  7. How do you establish what are the proper controls for new or significantly revised products, services, or operational procedures? How do you evaluate the risks associated with planned or potential new products or activities or changes to existing products or activities? Are audit or other control review personnel involved when discussing, designing and implementing such products or activities? How are technology issues and risks considered and addressed?
  8. What new or significantly revised products, services, or operational procedures have you introduced since the last examination (will not apply when examination it happens first time)? What do you anticipate introducing within the next 12 months?
  9. What are the most significant risks facing the MFI today? What processes do you have in place to assess and control those risks?
Control Policies, Procedures, and Activities
  1. In general, describe your internal control process for ensuring segregation and rotation of duties. Are these applied MFI-wide, to all operational areas?  If not, why not?
  2. How do you ensure that the same employee does not originate a transaction, process it, and reconcile the general ledger account? How are approval authorities put in place, communicated to employees, and periodically tested?
  3. How often does someone independent of a specific function or department review reconciliations and other pertinent internal control to ensure that (1) reconciliations are timely and performed by an appropriate person, (2) out of date items are being researched for disposition, and (3) old items are charged off in a timely manner?
  4. In general, describe your dual control process over the MFI’s cash, cash collateral, official checks, and other such items.
  5. How do you ensure you have trained and qualified employees, including back-up employees, for all risk-taking activities and positions in the MFI?
  6. Do you have employee policies/procedures that assist in detecting breaches of internal control (e.g., pre-employment criminal background investigation, vacation policies, rotation of duty policies, frequency of obtaining employee credit reports, sampling employee accounts, and reporting of policy overrides/exceptions)?
  7. How do you communicate to employees, and do they understand, their roles in the control system, how their activities relate to others, and their accountability for the activities they conduct?
  1. How does the board review qualifications and independence of internal and external auditors?
Internal Audit
  1. Does the MFI have an internal audit or other control review function?
  2. Are any internal audit activities outsourced to another party? If yes, to whom? How are outsourced arrangements and activities supervised and managed?
  3. Describe the internal auditor’s educational background and experience. Who approves the hiring of key internal audit personnel?
  4. What other duties does the internal auditor perform?
  5. To whom does the internal auditor report? Who completes the internal auditor’s annual evaluation?
  6. Describe the scope and frequency of internal audits.
  7. Does the audit scope include an assessment of risk and internal control? Is compliance with established ethics/conduct policies periodically tested?
  8. Who reviews the internal audit report (department head, line manager, senior management, audit committee, board)? How frequent are reports and follow-up reviews? How do you ensure that the board or management is able to understand and act on findings? Who follows up on deficiencies (department head, line manager, internal auditor, Audit Committee)? What tests ensure that corrective action has been implemented? Who does the testing?
External Audit
  1. Which of the following types of external audits does the MFI receive:
  • Opinion audit (full financial statements).
  • Attestation report on internal control.
  • Opinion audit (balance sheet only).
  • Agreed-upon procedures (i.e., director’s exam).
  1. Who performs the MFI’s external audit (independent chartered accountant or other independent party) and how long have they been doing the MFI’s audit work? What was the cost of the most recent audit? What non-audit services does the external auditor or other outside party provide for the MFI? What are the fees for these services?
  2. Describe the scope and frequency of external audits and non-audit services.
  3. Is the opinion audit performed accounting to nationally (and globally) accepted accounting standards? Is the report on internal control performed to attestation standards? For non-opinion audits or internal control attestation engagements, does the scope specifically include an assessment and testing of financial reporting controls or other internal control? If so, who decides which control functions will be tested and validated?
  4. Who receives and reviews the external audit report or other reports issued by the external auditor (audit committee or board)?  How frequent are reports and follow-up reviews? Are reports sufficiently detailed to allow the board or management to understand and act on findings? Who follows up on deficiencies (department head/line manager, auditor, audit committee, etc.)? What tests ensure that corrective action has been implemented? Who does the testing?
  5. Who determines whether the external audit scope and frequency are adequate? Who ensures that the MFI received what they contracted for? In other words, who ensures that the audit embodies what is in the engagement letter, specifically in the statement of scope?
General Assessment
  1. How do you (the CEO or person in charge of the internal controls at the MFI) rate your overall internal control and monitoring procedures at the MFI - strong, satisfactory, or weak?
  2. What areas do you think exhibit the most operational risk given the MFI’s internal control environment, culture, and characteristics including size and growth strategy?
  3. What areas do you think exhibit the least operational risk given the MFI’s internal control environment, culture, and characteristics including size and growth strategy?

    The above starter’s and other questions can be used to get critical information on an MFIs internal control systems across a range of activities by supervisors, examiners and other stakeholders. And depending on the information received, further examination can be conducted and assessments made…

    And before I sign off, I would like to reiterate that we need to build up greater awareness in the entire micro-finance industry with regard to having (high) quality and appropriate internal controls, in real time (and not just on paper) and on the ground. That alone can perhaps be the long term insurance against AP like crisis situations in the future…
Have A Nice Day!

Wednesday, April 27, 2011

Board and Management Oversight in Internal Controls: That is Where The Buck Really Stops…

Ramesh S Arunachalam
Rural Finance Practitioner  

I recently heard a few commercial bankers mention that much of the problems in India micro-finance can be attributed to the consistent failure of the board and senior management of MFIs to create a strong and positive control environment. I told them that I felt the same way and had in fact written about it in a small measure in a previous blog post (http://microfinance-in-india.blogspot.com/2010/11/strengthening-internal-controls-during.html.

I am writing this post because these bankers wanted me to highlight the key issues in detail pertaining to the roles of the board and senior management with regard to control environment…especially, based on happenings from the field during the last 6 months

At the outset, let me clarify that the hallmark of a positive control environment is a commitment by the board of directors and senior management to strong controls. And that is where the buck really stops and I hope MFIs will learn from the present Indian crisis and ensure this in real time…Read on…and here are some practical suggestions…

First, as noted above, an MFI’s board of directors and management are mainly responsible for establishing and maintaining an effective internal control system that meets statutory and regulatory requirements and responds to changes in the MFI’s environment and conditions. Thus, they must ensure that the system operates as intended and is modified appropriately when circumstances dictate – as is presently the case in India and especially given the multiple lending, use of agents, frauds and other happenings (of not-so-good processes). I hope that MFI boards and management have begun looking at various field realities in this regard

Second, the board and management must also ensure that the MFI’s information systems produce pertinent, timely and reliable/valid information in a form that will enable staff, auditors, and others stakeholders (as appropriate) to carry out their respective responsibilities. This is a very vital aspect and again, the MIS of many MFIs falls short of required standards on several facets and I again hope that MFI boards and management have started to address the various deficiencies in an honest manner. Please see following post in this regard - http://microfinance-in-india.blogspot.com/2010/11/understanding-state-of-management.html

Third, the board (of directors), which oversees the control system in general, approves and reviews the business strategies and policies that govern the system. They are therefore also responsible for: (a) understanding risk limits and setting acceptable ones for the MFI’s major business activities; (b) establishing the organizational control structure; and (c) making sure that senior management identifies, measures, monitors, and controls risks as well as monitors internal control effectiveness. I really hope that the MFI boards, especially with nominee directors from institutions like SIDBI and other investors, begin to perform these functions seriously

Among other things, this would require MFI boards to: (1) discuss periodically the internal control system’s effectiveness with management; (2) review internal control evaluations conducted by management, auditors, and other stakeholders in a timely manner; (3) monitor management’s actions on auditor and other third party reviewers’ (like staff of rating companies or supervisors, if the Malegam Committee Report is implemented) internal control recommendations and concerns; and (4) periodically review the MFI’s strategy and risk limits. If the board lacks the time, it could also consider delegating these duties and responsibilities to an audit committee, risk committee, or both – this of course would depend on the size and structure of the MFI in question. I would strong recommend that MFI boards have a separate risk committee other than the audit committee

Fourth, senior management oversees operations and provides leadership and direction for the communication and monitoring of control policies, practices, and processes. In effect, they (are to) implement the board’s strategies and policies by establishing effective internal control and delegating or allocating control duties and responsibilities to appropriate personnel. Senior management is also responsible for performing background checks on staff members before they are hired and ensuring that they are qualified, experienced, trained, and compensated to effectively conduct control activities. I hope that senior management in MFIs start to focus on these tasks with utmost seriousness and urgency. Much of the problems that have occurred in Andhra Pradesh relates to lack of appropriate and trained personnel with regard to maintaining effective internal controls and that needs to be addressed at various (MFI) levels immediately

Fifth, organizations grow and the environment changes and therefore the board and management must continually evaluate whether the control system’s methods, records, and procedures are proper in relation to the MFI’s changing asset size, organizational and ownership characteristics, business activities, operational and environmental complexity, risk profile, methods of processing and maintaining data, legal and regulatory requirements and the like. Assuming that the world of tomorrow or today is the same as that of yesterday is a serious flaw that was committed by many MFIs with regard to their control environment and this needs to be addressed immediately

Last but not the least, the board of directors must ensure that management properly considers the risks and control issues of emerging MIS and related technologies, enhanced information systems, and various of electronic/mobile banking. These issues typically include: more users with access to information systems; less segregated duties; a shift from paper to electronic audit trails; a lack of appropriate standards and controls for end-user systems; and, more complex contingency planning and recovery planning for information systems.

Thus, board and senior management can play a very useful and positive role in continually shaping the control environment and they must do so on a regular basis – I really wish that the enthusiasm to serve on MFIs boards is also accompanied by the drive and desire to work with MFIs to enable them to improve their somewhat nascent (control) systems in comparison to their burgeoning growth and complex operational environment. This is undoubtedly a priority task for most MFIs, especially in the crisis ridden Indian micro-finance industry…

Have A Nice Day!

Critical Internal Control Components in MFIs: Some Simple Ideas…

Ramesh S Arunachalam
Rural Finance Practitioner 

I was recently talking to an MFI manager and he said that there is lack of clarity with regard to some of the concepts of internal control systems at MFIs. I attempt to highlight key issues in this post…in a simple and practical manner…

The formality of any control system will depend largely on a MFI’s size, the complexity of its operations, and its risk profile. Less formal and structured internal control systems at community MFIs can be as effective as more formal and structured internal control systems at larger and more complex MFIs. That said, every effective (internal) control system should have the following:
A.      A control environment.
B.     Risk assessment.
C.     Control activities.
D.     Accounting, information, and communication systems.
E.     Self-assessment or monitoring.

A) The control environment reflects the board of directors’ and management’s commitment to internal control. It provides discipline and structure to the control system. Elements of the control environment include:
1)      The organizational structure of the institution. Here, one would look at issues such as:
o       Is the MFI’s organization centralized or decentralized?
o       Are authorities and lines of responsibilities clear?
o       Is there commensurate authority with responsibility to ensure that things get done?
o       Are reporting relationships well designed?
o       Are there any conflicts of interest
2)      Management’s philosophy and operating style. Likewise, the key aspects here are:
Ø      Is the MFI’s business strategy formal or informal?
Ø      Is its philosophy and operating style conservative or aggressive?
Ø      Does it have risk strategies and have they been successful?
3)      The integrity, ethics, and competence of personnel.
4)      The external influences that affect the MFI’s operations and risk management practices (e.g., independent audits).
5)      The attention (time, effort and resources) and direction provided by the board of directors and its committees, especially the audit or risk management committees.
6)      The effectiveness (including implementation) of human resources policies and procedures.

B) Risk assessment is the identification, measurement, and analysis of risks, both internal and external, controllable and uncontrollable, at individual unit levels and for the MFI as a whole. Management must assess all risks (including political risk) facing the MFI because uncontrolled risk-taking can prevent the MFI from reaching its objectives or can jeopardize its operations. Effective risk assessments help determine what the risks are, what controls are needed, and how they should be managed. This is something that was, by and large, ignored by many MFIs and it is one of the main reasons for the problems in the ground in Indian micro-finance

C) Control activities are the policies, procedures, and practices established to help ensure that MFI personnel carry out board and management directives at every business level throughout the MFI. These activities help ensure that the board and management act to control risks that could prevent a MFI from attaining its objectives. They should typically include:
·         Reviews of operating performance and exception reports. For example, senior management regularly should review reports showing financial results to date versus budget amounts, and the loan department manager should review weekly reports on delinquencies or documentation exceptions.
·         Approvals and authorization for transactions and activities. For example, an appropriate level of management should approve and authorize all transactions over a specified limit, and authorization should require dual signatures.
·         Segregation of duties to reduce a person’s opportunity to commit and conceal fraud or errors. For example, assets should not be in the custody of the person who authorizes or records transactions. Please see following post on increasing frauds at MFIs: http://microfinance-in-india.blogspot.com/2010/11/has-burgeoning-growth-caused-increasing.html and related post: http://microfinance-in-india.blogspot.com/2011/04/mfi-staff-srinivasi-agent-amulu-and.html
·         The requirement that officers and employees in sensitive positions be absent for at least two to three consecutive weeks each year.
·         Design and use of documents and records to help ensure that transactions and events are recorded. For example, using pre-numbered documents (receipts) facilitates monitoring.
·         Safeguards for access to and use of assets and records. To safeguard data processing areas, for example, a MFI should secure facilities and control access to computer programs and data files.
·         Independent checks on whether jobs are getting done and recorded amounts are accurate. Examples of independent checks include account reconciliation, computer-programmed controls, management review of reports that summarize account balances, and user review of computer-generated reports.

In reality, some MFIs have written internal control procedures in all areas but having them (on paper) is not enough. Staff and personnel at various levels must understand control procedures and follow them conscientiously in practice. That is what was missing at some Indian MFIs in the present crisis

D) Accounting, information, and communication systems capture and impart pertinent, timely and reliable/valid (accurate) information in a form that enables the board, management, and employees to carry out their responsibilities. Accounting systems are the methods and records that identify, assemble, analyze, classify, record, and report a MFI’s transactions. Information and communication systems enable all personnel to understand their roles in the control system, how their roles relate to others, and their accountability. Information systems produce reports on operations, finance, and compliance that enable management and the board to run the MFI. Communication systems facilitate dissemination of this information throughout the MFI and to external parties such as shareholders, lenders, investors, regulators, supervisors and clients

E) Self-assessment or monitoring is the MFI’s own oversight of the control system’s performance. Self-assessments are evaluations of departmental or operational controls by persons within the area. Ongoing monitoring should be part of the normal course of daily operations and activities. Internal and external audit functions, as part of the monitoring system, may provide independent assessments of the quality and effectiveness of a control system’s design and performance. All MFI personnel should share responsibility for self-assessment or monitoring; everyone should understand his or her responsibility to report any breaches of the control system.

Thus, a strong control culture at an MFI would typically incorporate qualified personnel, effective risk identification and analysis, clear designation and appropriate separation of responsibilities, accurate and timely flow of reliable/valid information, and established monitoring and follow-up processes[i]. And I hope that Indian MFIs start to review their control systems, using the above (simple) framework and work towards building a better internal control system that is not only appropriate to their operational environment but also the size and complexity of their overall micro-finance operations

Have A Nice Day!

[i] For example, the lending area should have (1) a board of directors active in approving and monitoring loan policies and practices; (2) a loan review function that evaluates the risk and quality of loan portfolios; (3) policies and procedures governing, among other things, types of loans, loan approvals, maturity limits, rate structures, and collateral requirements (if the MFI is using individual lending and is delivering larger livelihood loans); and (4) information systems that allow for proper management and monitoring of the lending area.