Improving Internal Control by Levone


									Improving Internal Control

    Anita Campion, Director
    MicroFinance Network
  What is internal control?
According to the Basle Committee on
Banking Supervision, the primary
objectives of internal control are to:
• Verify the efficiency and effectiveness of the
• Assure the reliability and completeness of
  financial and management information;
• Comply with applicable laws and regulations.
Relationship between Risk Management and Internal Control

                  Risk Management

                               Internal Control

• Risk management is a systematic approach to
  identifying, measuring, monitoring and managing
  business risks in an institution.
• Internal control comprises the institution’s
  mechanisms to monitor risks before (ex-ante) or
  after (ex-post) operations.
• Internal audit is a systematic “ex-post” appraisal
  of an institution’s operations and financial reports.
                             RISK MANAGEMENT FEEDBACK LOOP
                                   Identify, assess and prioritize risks

 Revise policies                                                             Develop strategies to
and procedures as                                                               measure risks

                                                                              Develop operational
                                                                             policies and procedures
                                                                                 to mitigate risks

     Test effectiveness of
     internal controls and
        evaluate results

                                                   Implement controls into
                                                    operations and assign
                                                      responsibility for
Common MFI Branch-level Risks:
• Credit risk - risk to earnings due to a client’s
    failure to meet the terms of the loan agreement.
•   Liquidity risk - risk to earnings or capital from
    an MFI’s inability to meet obligations when they
    come due.
•   Interest rate risk - risk of financial loss from
    changes in market interest rates.
•   Transaction risk - risk of loss resulting from
    mismanagement, employee or systems error.
•   Fraud risk - risk of loss resulting from
    intentional deception by a client or employee.
 Six Elements of Effective Risk Management

1) Risk management within the methodology:
  –   peer lending
  –   character assessment
  –   forced savings or co-signature requirements
  –   small loan sizes and limits on increases
  –   varied loan terms
  –   loan approval process
  –   center collections
2) Conducive Environment - create a culture of
  low risk tolerance
3) Transparency - use clear accounting and MIS
4) Simplicity - develop simple products and
  procedures, clearly written operations manual
5) Accountability - use cost and profit centers,
  clear job descriptions, employee incentive systems
6) Security - install safes/guards/locks, back-up
  files, purchase insurance
Selecting Cost-effective Internal Controls
1. Identify key risks to the institution.
2. For each key risk, evaluate the potential loss to
   the MFI by considering the likelihood and
   frequency of that loss.
3. Identify potential controls to reduce or eliminate
   the risk.
4. Assess the direct and indirect costs of the control.
5. Compare costs with benefits of control.
6. Select and implement those controls that add the
   most value relative to the composite costs.
Common Internal Controls:
•   Limits - eg. BRI limits cash to 4% of savings
•   Signature requirements - manager signs loans
•   Physical controls - eg. count cash in vault
•   Crosschecks - client visits to reconcile balances
•   Dual controls - eg. use credit committee
•   Computer related controls:
    – integrity risk controls - access levels and codes
    – MIS risk controls - storing back-up files
Integrating Controls into Operations
• Solicit feedback from employees and clients
  – improves quality of the internal control system
  – helps build employee commitment to internal
    control system
• Assign responsibility
  – branch managers should be responsible for
    implementing controls and monitoring
  – determine and communicate chain of command
    for responses to control issues
Test Effectiveness of Internal Control
Ten branch audit areas:
  1) Cash         6) Transfers

  2) Loans        7) Computer Systems

  3) Provisions   8) Fixed Assets

  4) Write-offs   9) Interest Rate Setting

  5) Savings      10) Financial Statements
Example: Auditing Cash
• Count cash and compare to register
• Check cash adequacy
• Check authorized access to safe
• Verify proper signatures - usually requires
  two signatures to verify the cash count
• Check all cash transactions were conducted
  and recorded according to policy
• Reconcile cash transfer vouchers to register
Common Errors Identified by Auditors:
• Transposed numbers - changing $39 into
• Dropped zeros - changing $1000 into $100
• Misplaced numbers - recording a
  withdrawal as a deposit or vice versa
• Poor business analysis by loan officers -
  overestimation of growth to result from loan
• Miscalculations - interest payment errors.
             Types of Fraud
• Ghost loans - the creation of loans in the
  name of a fictitious person or former client
• Kickbacks - the issuance of loans to
  ineligible borrowers in exchange for money
• Misappropriation of client funds -
  registration of a loan payment or deposit in
  another person’s account.
 How can an MFI minimize fraud?
               Client Visits
• Visiting groups:
  – verify group’s existence and proper functioning
  – check group records to ensure proper
    calculations and reporting
  – verify that groups only issue loans to group
  – check existence of and adherence to group’s
    bylaws and determine for adherence to MFI’s
    norms and standards of operation
• Visiting individual borrowers:
  – verify that all transactions have been recorded
  – check the MFI’s information against client’s
     •   name of borrower
     •   loan amount
     •   loan payments - how many, how much, any missed?
     •   loan term
     •   use of loan
     •   previous loan - amount, when paid off?
     •   condition of business
• Visiting depositors:
  – check the MFI’s information against client’s
     • name and address of saver
     • date and amount of opening deposit
     • date and amount of subsequent deposits and
     • reconcile savings transactions recorded in branch
       with those in the passbook or client receipts.
              Audit Sampling
• Random sampling - selecting clients to audit in
  a haphazard manner, with no attempt to influence
  the list of clients.
• Selective sampling - selecting clients based on
  predetermined criteria, e.g. purposely selecting a
  higher percentage of high risk clients.
> BRI uses a combination, with 40% of loan
  portfolio and 6% of savings accounts.
                        Audit Reporting
• For each finding, the auditor should write
  up an audit finding sheet

Condition         Criteria      Cause              Impact                Recommendation
Interest          Interest on   The loan officer   The MFI lost $2       Remind loan officers
calculation for   this loan     used an outdated   per month over the    that interest rates are
loan #101 was     should be     interest rate to   past three months,    updated at the
short $2/per      $10/per       make the           for a total loss of   beginning of each
month.            month.        calculation.       $6.                   month.
• The Audit Team Leader compiles the
  findings into a summary audit report.
• The Audit Team Leader discusses the report
  with the branch manager.
• If fraud is suspected, a special report is sent
  directly to the Internal Audit Manager and
  not discussed with the branch manager.
• Upon conclusion, the Team Leader reports
  to management, including a letter of
  opinion, findings and recommendations.
Institutionalizing Internal Control
Depends on:
  • Scale of operations
  • Regulatory Status
  • Savings Mobilization
           Evaluation Tools
• Management Spot Checks - e.g. ASA
• Internal Auditors - e.g. ABA
• Internal Audit Department - e.g. Mibanco
          Spot Checks at ASA
Management Hierarchy:
• 16 Division Managers
    4-6 Regional Managers
       10 Unit Managers
          4 Field Officers

Unit managers visit all groups every 2-3 months
       ABA’s Internal Auditor
• ABA has one internal auditor who monitors
  work of 224 employees in its 10 branches’
• Visits 3-5 clients per loan officer
• Reports to the Executive Director who takes
  proper action
 CGAP suggests 100+ employee MFIs have in-
  house internal audit function
Mibanco’s Internal Inspections Div.

• Internal Audit - evaluates internal control of
  operating, administrative and financial
  activities of the bank
• Internal Control - protects assets of bank
  against unnecessary loss
• Systems Audit - ensures proper control
  mechanisms exist within computer and MIS
       Internal Audit Manager
• Oversees the work of the internal audit staff -
  audit work is properly planned and
  conducted in timely manner, audit evidence
  is adequate, and audit meets legal standards
• Ensures cost-effective evaluation of risk
• Should report directly to the Board and
  communicate regularly w/ management
   Responding to Control Issues
• Control violations - employees or clients do
  not adhere to policy or procedure.
• Uncontrolled risk - new or previously
  unidentified risk that requires new policies,
  procedures or controls to prevent loss.
 Immediate response, communicate to
 management, management takes action.
                             RISK MANAGEMENT FEEDBACK LOOP
                                   Identify, assess and prioritize risks

 Revise policies                                                             Develop strategies to
and procedures as                                                               measure risks

                                                                              Develop operational
                                                                             policies and procedures
                                                                                 to mitigate risks

     Test effectiveness of
     internal controls and
        evaluate results

                                                   Implement controls into
                                                    operations and assign
                                                      responsibility for
• MFIs should link internal control to risk
  management, and involve their board in the
• MFIs need to accept fraud as a reality,
  identify and implement controls, including
  client visits!
• Industry needs to learn more about internal
  controls for savings operations

To top