Ramesh S Arunachalam
From a larger perspective, internal audits
are perhaps the first means for well-meaning MFI boards to get regular feedback on whether the concept of responsible
microfinance is being implemented on the ground. In other words, a rigorous, independent
and objective internal audit system can provide useful feedback on how
processes and procedures (to promote responsible microfinance) are supposedly
being implemented on the ground. Therefore, even before credit/social ratings
and/or any established code of compliance assessments point out any
discrepancies, it is the internal audit system that can provide and will provide
useful early warning signals for the MFIs and their boards. Without question,
just as charity begins at home, the first step in responsible microfinance is
to ensure that MFIs have a rigorous, independent and objective internal audit system
in the first place. That is yet to happen at many places in India and within many
MFIs in real time even as on date…If that had happened, then, the agent led model of
microfinance would not have flourished, as it has in Indian Microfinance - unless of course,
the MFI boards themselves supported and incentivized the agent led of
microfinance!
So, what do I mean by a rigorous, independent
and objective internal audit system? Let me first set out the strategic context
of internal audits from which it will be apparent that their rigor, independence
and objectivity are critical and necessary. This strategic context clearly
determines the extent to which internal audits can become a powerful and
independent tool that boards of MFIs can use to ensure responsible microfinance
on the ground and in real time.
Essentially, according to The Institute of
Internal Auditors (www.theiia.org), internal auditing is
defined as:
“An independent, objective assurance...
activity designed to add value and improve an organization’s operations. It
helps an organization accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes.”
This definition is critical because it sets
forth the parameters on which an internal audit system can be designed at the
MFIs.
First and foremost, an internal audit
system must be independent of the MFI activities being audited. This
implies that internal auditors at MFIs do not report to line
management and/or senior management. Often, at some
MFIs, which had an elaborate internal audit function, the independence of this
function was hugely compromised because the internal audit department came
under the (VERY SAME) senior management, whose very activities were also to be
assessed.
Tell me, how can an internal audit
department that reports to the CEO or CFO (or anyone else who is part of the
line/operational management) accurately assess and provide objective feedback
on the working of processes, procedures and operations? Therefore, MFI boards must ensure that there is an internal audit
department that reports directly (and independent of senior management) to the
board or its audit subcommittee. This is
mandatory and this independence in functioning will facilitate greater
objectivity in the working of the internal audit department. It will also
position the internal audit department appropriately within the MFI, in terms
of its strategic context.
Second, an additional caveat is in order
here. Many organizations including MFIs may find it tempting to get internal
auditors to design their risk management, control, and governance systems.
While it is true that internal auditors have GREAT intimate knowledge of what
systems work on the ground and why, if they are asked to design these MFI
systems, then, it is unlikely that they would be able to assess the functioning
of these systems dispassionately and objectively. This means that at no
time should MFIs use their internal auditors to design the risk management,
control, and governance systems and processes. At best, feedback—through
discussions with the internal auditors and/or studying of their internal audit reports—could
be taken with regard to these systems so that appropriate on-course corrections
are made. This again will ensure that the internal auditors are truly
independent of the activities and operations that they are auditing.
A third issue is relevant here. That is the
scope of internal audits and this again is critical to understanding the
reality across the organization (i.e., MFI). Very often, the activities of the
senior management are excluded from internal audits for various reasons. That should not be the case. If only
this had perhaps been done at Sahayata Microfinance,[1]
much of the damage could have been avoided.
Fourth, senior management in MFIs preach
extensively about internal audits but they forget one important aspect—ensuring
its independence. Take a look at what Mr Ajay Verma, MD of Sahayata
Microfinance (in 2011), said in a promotional video for a global microfinance
consulting company:
“The Internal Audit (IA) function is designed to
check, whether the internal controls in the MFI are functioning as intended?
Internal controls are designed to provide reasonable assurance regarding the
efficiency and effectiveness of operations, the reliability and completeness of
financial and operational information, and the compliance with applicable laws
and regulations.
Ajay
Verma, CEO, and Sahayata:
In terms of internal audit and controls, you need to very clearly define what
is auditable and what is not auditable. Like what we have done, we have three
types of audit. One is the process audit which happens in the field, then
second is the branch audit. We audit all the branch documentation, which the
loan officers have to do and the branch manager has to do; and third one is the
cash and the finance audit which happens on the branch and the head office
levels.”[2]
All of these sound good to hear but the
Sahayata Microfinance case[3]
demonstrates that senior management do not
necessarily practice what they preach. And if only the internal audit function
had been independent, the Sahayata board would perhaps have got some early
warning signals of the impending crisis in 2011. Sadly, this independence is
never permitted by senior management, and then, internal audits become useless.
This is the case in many MFIs even in 2016 sadly!
In short, internal audits must
(independently) cover each and every activity at the MFI with the objective of
evaluating (but not limited to) the following:
· Integrity,
reliability, and effectiveness (including the relevance, accuracy, and
comprehensiveness) of risk management, control, and governance processes and
related systems;
· Monitoring of legal
compliances—with extant laws and regulations—including any changing requirements from regulator/supervisors; and
· Safeguarding of all assets
of the MFI.
Without question, the need for strong, rigorous,
independent, and objective internal audits has never been more important in the
Indian microfinance sector. I certainly hope that the boards (in MFIs)
recognize this and facilitate the adoption of well-functioning independent internal audit systems that can go a long way in protecting their MFIs and
enhancing their reputation as real
practitioners of responsible microfinance in India. And this again is something that the regulatory architecture can seek
to promote as part of the minimum standards required for accreditation as an MFI,
whether NBFC, small finance bank, payment bank or microfinance bank!
[1]Award winning Sahayata Microfinance is the latest to
go astray
(http://moneylife.in/article/award-winning-sahayata-microfinance-is-the-latest-to-go-astray/21549.html),
by Ramesh S Arunachalam, November 18, 2011 and What is said at conferences
is very different from what is implemented in practice
(http://www.moneylife.in/article/what-is-said-at-conferences-is-very-different-from-what-is-implemented-in-practice/22124.html),
by Ramesh S Arunachalam, December 12, 2011.
[3]Award winning Sahayata Microfinance is the latest to
go astray
(http://moneylife.in/article/award-winning-sahayata-microfinance-is-the-latest-to-go-astray/21549.html),
by Ramesh S Arunachalam, November 18, 2011 and What is said at conferences
is very different from what is implemented in practice
(http://www.moneylife.in/article/what-is-said-at-conferences-is-very-different-from-what-is-implemented-in-practice/22124.html), by Ramesh S Arunachalam,
December 12, 2011.
No comments:
Post a Comment