Improving Internal Control

1
Improving Internal Control

• Anita Campion, Director
• MicroFinance Network

2
What is internal control?

• According to the Basle Committee on Banking
  Supervision, the primary objectives of internal
  control are to
• Verify the efficiency and effectiveness of the
  operations
• Assure the reliability and completeness of
  financial and management information
• Comply with applicable laws and regulations.

3
(No Transcript)
4
Definitions

• Risk management is a systematic approach to
  identifying, measuring, monitoring and managing
  business risks in an institution.
• Internal control comprises the institutions
  mechanisms to monitor risks before (ex-ante) or
  after (ex-post) operations.
• Internal audit is a systematic ex-post
  appraisal of an institutions operations and
  financial reports.

5
RISK MANAGEMENT FEEDBACK LOOP
Identify, assess and prioritize risks
Revise policies and procedures as necessary
Develop strategies to measure risks

Develop operational policies and procedures to
mitigate risks
Test effectiveness of internal controls and
evaluate results
Implement controls into operations and assign
responsibility for oversight
6
Common MFI Branch-level Risks

• Credit risk - risk to earnings due to a clients
  failure to meet the terms of the loan agreement.
• Liquidity risk - risk to earnings or capital from
  an MFIs inability to meet obligations when they
  come due.
• Interest rate risk - risk of financial loss from
  changes in market interest rates.
• Transaction risk - risk of loss resulting from
  mismanagement, employee or systems error.
• Fraud risk - risk of loss resulting from
  intentional deception by a client or employee.

7
Six Elements of Effective Risk Management

• 1) Risk management within the methodology
• peer lending
• character assessment
• forced savings or co-signature requirements
• small loan sizes and limits on increases
• varied loan terms
• loan approval process
• center collections

8

• 2) Conducive Environment - create a culture of
  low risk tolerance
• 3) Transparency - use clear accounting and MIS
  systems
• 4) Simplicity - develop simple products and
  procedures, clearly written operations manual
• 5) Accountability - use cost and profit centers,
  clear job descriptions, employee incentive
  systems
• 6) Security - install safes/guards/locks, back-up
  files, purchase insurance

9
Selecting Cost-effective Internal Controls

• 1. Identify key risks to the institution.
• 2. For each key risk, evaluate the potential loss
  to the MFI by considering the likelihood and
  frequency of that loss.
• 3. Identify potential controls to reduce or
  eliminate the risk.
• 4. Assess the direct and indirect costs of the
  control.
• 5. Compare costs with benefits of control.
• 6. Select and implement those controls that add
  the most value relative to the composite costs.

10
Common Internal Controls

• Limits - eg. BRI limits cash to 4 of savings
• Signature requirements - manager signs loans
• Physical controls - eg. count cash in vault
• Crosschecks - client visits to reconcile balances
• Dual controls - eg. use credit committee
• Computer related controls
• integrity risk controls - access levels and codes
• MIS risk controls - storing back-up files

11
Integrating Controls into Operations

• Solicit feedback from employees and clients
• improves quality of the internal control system
• helps build employee commitment to internal
  control system
• Assign responsibility
• branch managers should be responsible for
  implementing controls and monitoring adherence
• determine and communicate chain of command for
  responses to control issues

12
Test Effectiveness of Internal Control

• Ten branch audit areas
• 1) Cash 6) Transfers
• 2) Loans 7) Computer Systems
• 3) Provisions 8) Fixed Assets
• 4) Write-offs 9) Interest Rate Setting
• 5) Savings 10) Financial Statements

13
Example Auditing Cash

• Count cash and compare to register
• Check cash adequacy
• Check authorized access to safe
• Verify proper signatures - usually requires two
  signatures to verify the cash count
• Check all cash transactions were conducted and
  recorded according to policy
• Reconcile cash transfer vouchers to register

14
Common Errors Identified by Auditors

• Transposed numbers - changing 39 into 93
• Dropped zeros - changing 1000 into 100
• Misplaced numbers - recording a withdrawal as a
  deposit or vice versa
• Poor business analysis by loan officers -
  overestimation of growth to result from loan
• Miscalculations - interest payment errors.

15
Types of Fraud

• Ghost loans - the creation of loans in the name
  of a fictitious person or former client
• Kickbacks - the issuance of loans to ineligible
  borrowers in exchange for money
• Misappropriation of client funds - registration
  of a loan payment or deposit in another persons
  account.
• How can an MFI minimize fraud?

16
Client Visits

• Visiting groups
• verify groups existence and proper functioning
• check group records to ensure proper calculations
  and reporting
• verify that groups only issue loans to group
  members
• check existence of and adherence to groups
  bylaws and determine for adherence to MFIs norms
  and standards of operation

17

• Visiting individual borrowers
• verify that all transactions have been recorded
  correctly
• check the MFIs information against clients
  information
• name of borrower
• loan amount
• loan payments - how many, how much, any missed?
• loan term
• use of loan
• previous loan - amount, when paid off?
• condition of business

18

• Visiting depositors
• check the MFIs information against clients
  information
• name and address of saver
• date and amount of opening deposit
• date and amount of subsequent deposits and
  withdrawals
• reconcile savings transactions recorded in branch
  with those in the passbook or client receipts.

19
Audit Sampling

• Random sampling - selecting clients to audit in a
  haphazard manner, with no attempt to influence
  the list of clients.
• Selective sampling - selecting clients based on
  predetermined criteria, e.g. purposely selecting
  a higher percentage of high risk clients.
• BRI uses a combination, with 40 of loan
  portfolio and 6 of savings accounts.

20
Audit Reporting

• For each finding, the auditor should write up an
  audit finding sheet

21

• The Audit Team Leader compiles the findings into
  a summary audit report.
• The Audit Team Leader discusses the report with
  the branch manager.
• If fraud is suspected, a special report is sent
  directly to the Internal Audit Manager and not
  discussed with the branch manager.
• Upon conclusion, the Team Leader reports to
  management, including a letter of opinion,
  findings and recommendations.

22
Institutionalizing Internal Control

• Depends on
• Scale of operations
• Regulatory Status
• Savings Mobilization

23
Evaluation Tools

• Management Spot Checks - e.g. ASA
• Internal Auditors - e.g. ABA
• Internal Audit Department - e.g. Mibanco

24
Spot Checks at ASA

• Management Hierarchy
• 16 Division Managers
• 4-6 Regional Managers
• 10 Unit Managers
• 4 Field Officers
• Unit managers visit all groups every 2-3 months

25
ABAs Internal Auditor

• ABA has one internal auditor who monitors work of
  224 employees in its 10 branches
• Visits 3-5 clients per loan officer
• Reports to the Executive Director who takes
  proper action
• CGAP suggests 100 employee MFIs have in-house
  internal audit function

26
Mibancos Internal Inspections Div.

• Internal Audit - evaluates internal control of
  operating, administrative and financial
  activities of the bank
• Internal Control - protects assets of bank
  against unnecessary loss
• Systems Audit - ensures proper control mechanisms
  exist within computer and MIS

27
Internal Audit Manager

• Oversees the work of the internal audit staff -
  audit work is properly planned and conducted in
  timely manner, audit evidence is adequate, and
  audit meets legal standards
• Ensures cost-effective evaluation of risk
  exposure
• Should report directly to the Board and
  communicate regularly w/ management

28
Responding to Control Issues

• Control violations - employees or clients do not
  adhere to policy or procedure.
• Uncontrolled risk - new or previously
  unidentified risk that requires new policies,
  procedures or controls to prevent loss.
• Immediate response, communicate to management,
  management takes action.

29
RISK MANAGEMENT FEEDBACK LOOP
Identify, assess and prioritize risks
Revise policies and procedures as necessary
Develop strategies to measure risks

Develop operational policies and procedures to
mitigate risks
Test effectiveness of internal controls and
evaluate results
Implement controls into operations and assign
responsibility for oversight
30
Conclusions

• MFIs should link internal control to risk
  management, and involve their board in the
  process
• MFIs need to accept fraud as a reality, identify
  and implement controls, including client visits!
• Industry needs to learn more about internal
  controls for savings operations