Understanding & Effectiveness of Internal Controls & RCSA Framework
Agenda:
- What is Control? Real-life examples
- Traditional View of Controls
- What is Internal Control? Who needs it
- COSO Framework (an Internal Control Framework): its oversight, requirements and application
- Components of Internal Control (the five components in detail):
  1. Control Environment
  2. Risk Assessment
  3. Control Activities
  4. Information and Communication
  5. Monitoring
- Five types of risk; five types of controls
- Why controls don't always work; what you can and should do as an auditor
- Control Self-Assessment: definition, objectives and characteristics
- Understanding & Effectiveness of the RCSA Framework: background and application
- Objectives of RCSA; how to identify risk; conditions that increase risks
- RCSA in the early days & Internal Audit involvement
- CSA compared with the traditional Internal Audit approach
- Core CSA process; CSA methodology and practical considerations
- Advantages / disadvantages of RCSA; utility of RCSA; RCSA references; our beliefs; limitations
"Control" in everyday usage:
1. Power to direct or determine.
2. The activity of managing or exerting control over something: "the control of the mob by the police was admirable".
3. Dominance, ascendancy: the state that exists when one person or group has power over another.
4. Discipline in personal and social activities.
5. Command, control, mastery (noun): a mechanism that controls the operation of a machine.
6. Control (noun): the economic policy of controlling, limiting or curbing prices or wages, etc.: "they wanted to repeal all the legislation that imposed economic controls".
7. Exercise authoritative control or power over (verb): "control the budget"; "command the military forces".
8. Control, hold in, hold, contain, check, curb, moderate (verb).
9. Verify by using a duplicate register for comparison (verb): "control an account".
For our purposes, control is the combination of many factors which support people in their efforts to achieve their business objectives, for example skills, culture, information, resources, measurements, policies, communication, teamwork and procedures.
A process is the method or task performed to achieve an objective.
A control is a mechanism to ensure that the objective of the process is achieved.
Traditional View of Controls
- Controls seen as the responsibility of auditors and financial personnel.
- Controls perceived as limited to financial areas.
- Controls seen as bureaucratic and burdensome.
Committee of Sponsoring Organizations of the Treadway Commission (COSO), sponsored by:
1. AICPA (American Institute of Certified Public Accountants)
2. AAA (American Accounting Association)
3. IIA (The Institute of Internal Auditors)
4. IMA (Institute of Management Accountants)
5. FEI (Financial Executives Institute, now Financial Executives International)
Internal control, informally, is:
- Keeping an eye on the entity's assets and resources
- Finding ways to make sure people don't do bad things
- Protecting the entity from being accused of doing bad things
- Good, sound business practice
- Common sense!

Think about what you already do at home:
- Lock your home and vehicle
- Keep your ATM and credit/debit card PIN separate from your card
- Review bills and credit card statements before paying them
- Reconcile your bank statement
- Don't leave blank cheques or cash lying around
- Expect your children to ask permission to do certain things
- Other examples

And what an entity does:
- Vehicles are kept locked when not occupied
- Hierarchies to build the structure and mechanism of accountability
- Computer passwords are periodically changed and are not written down or kept by the PC (note that current guidance, NIST SP 800-63B, advises changing a password on evidence of compromise rather than on a fixed schedule; the secrecy requirement is the part that matters)
- Checking purchase card charges against source documents
- Checking management reports against source documents
- Locked cash drawers and secure storage for cheques
- Authorization required for certain activities
- Other examples
Internal control is broadly defined as a process, effected by an entity's board of directors, management/administration, council and individuals, designed to provide reasonable assurance regarding the achievement of three objectives:
1. Effectiveness and efficiency of operations.
2. Reliability of financial reporting.
3. Compliance with applicable laws and regulations.
Internal control is intertwined with the entity's operating activities and built into the entity's infrastructure. "Built-in" controls support quality and empowerment initiatives, avoid unnecessary costs and enable a quick response to changing conditions.
Reliability of financial reporting means the statements are fairly presented in conformity with GAAP, other relevant/appropriate accounting principles, and regulatory requirements for external purposes. The assertions to be supported are:
- Existence or occurrence
- Completeness
- Rights and obligations
- Valuation or allocation
- Presentation and disclosure
Compliance with applicable laws is an essential element of any business function. Ensure compliance with:
- Entity's Operations / Admin Manual
- Entity's Personnel Policies
- Prudential Regulations
- F.E. Manual
- AML & KYC Handbook
- Operations Manual
- Accounting Manual
- Audit Manual
- Other relevant circulars/manuals, i.e. Compliance Newsletters and Regulatory Guidelines
Internal control consists of five interrelated components, derived from the way management runs a business and integrated with the management process. The components are:
1. Control environment
2. Risk assessment
3. Control activities
4. Information and communication
5. Monitoring
1. Control Environment
The foundation on which everything rests. Key factors:
- Management's attitude: tone at the top
- Individual attributes: integrity, ethical values, competence, culture, vision, leadership
A control environment has:
- Appropriate hiring policies
- Assignment of authority and responsibility
- Up-to-date job descriptions
- Appropriate training
- Meaningful review of performance
- Punctuality and discipline
- Hierarchical structure
What is risk? Anything that could negatively impact the entity's ability to meet its operational objectives. Risks are things that will stop an organization from meeting its objectives. What could keep your entity from reaching its goals? What keeps you up at night?

Five types of risk:
- Strategic risk: would prevent a department from accomplishing its objectives (meeting its goals).
- Financial risk: could result in a negative financial impact on the entity (waste or loss of assets).
- Regulatory (compliance) risk: could expose the entity to fines and penalties from a regulatory agency due to non-compliance with laws and regulations.
- Reputational risk: could expose the entity to negative publicity.
- Operational risk: could prevent the department from operating in the most effective and efficient manner, or be disruptive to other entity operations.
2. Risk Assessment
- Understanding objectives
- Identification of risks
- Assessing risks: significance and likelihood

Three factors will assist you in determining the significance of the risks you have identified:
- Management's risk appetite and risk capacity
- The magnitude of the impact of the risks
- The likelihood of occurrence
Risks come from a variety of external and internal sources. A pre-condition to risk assessment is the establishment of objectives. The broad categories of objectives used for risk assessment are:
- Operations objectives
- Financial reporting objectives
- Compliance objectives
Business Risk Framework

External risks:
- Legal (regulation, legislation, etc.); Economic (interest rates, currencies, inflation, GDP, unemployment, etc.); Social (trends, values, population growth, consumer psychology, etc.)
- Technology; New Entrants; Suppliers; Substitutes; Competition
- Capital Markets; Political; Disasters; Rating Agencies; Terrorism

Internal risks:
- Governance: Authority; Leadership; Performance Incentives; Limits
- Integrity: Management Fraud; Employee Fraud; Illegal Acts; Unauthorized Use; Reputation
- Compliance: Taxation; Environmental; Health & Safety; Legal; Regulatory
- Operational: Sourcing; Product Development & Life Cycle Mgmt.; Product Failure; Business Interruption; Strategic Alliances; Technology; Quality; Customer Satisfaction; Customer Acceptance/Credit; Obsolescence; Shrinkage; Efficiency; Capacity; Pricing; Cycle Time; Contracting; Performance Measures; Health and Safety; Trademarks/Branding; Marketing; Repair & Maintenance; Security; Systems Acquisition; Integration
- Information Management: Management Info. System; Dependence on IT; Reliability; External IT Access/Availability; Completeness/Assurance; Relevance; Sufficiency
- Financial Management: Budgeting & Planning; Cash Flow; Investment Evaluation; Financial Reporting; Financial Instruments; Funding; Accounting Information; Cost Control
- Human Resources: HR Management; Competencies; Recruitment; Recognition/Retention/Compensation; Performance Management; Leadership Development; Training
2. Risk Assessment - Magnitude of Impact
- Insignificant: no impact on reputation.
- Minor: consequences can be absorbed under normal operating conditions; potential impact on reputation.
- Moderate: there is some impact on reputation.
- Major: reputation is impacted in the short term.
- Catastrophic: serious damage to reputation.
2. Risk Assessment - Likelihood of Occurrence
- Rare or Remote: event may only occur in exceptional circumstances.
- Unlikely: event could occur in rare circumstances.
- Possible: event could occur at some time.
- Likely: event will probably occur in most circumstances.
- Almost Certain: event is expected to occur in most circumstances.
2. Risk Assessment - Quantitative and Qualitative
Quantitative assessment gathers data in numerical form, which can be put into categories or rank order, or measured in units, and used to construct graphs and tables of raw data. Examples:
- Deposits
- Advances
- Actual reported frauds
- Financial statements
- System downtime
- Unreconciled transactions (amount)
- Unreconciled transactions (days outstanding)
Qualitative assessment gathers information that is not in numerical form, for example diary accounts, open-ended questionnaires, unstructured interviews and unstructured observations. Examples:
- Internal audit
- External audit
- SBP audit (where applicable)
- Customer service
- Complexity of operations
- Core banking systems / ERP applications
- Entity's operating software
2. Risk Assessment - Risk Matrix
Likelihood of occurrence (rows: Almost Certain, Likely, Possible, Unlikely, Rare) is plotted against magnitude of impact (columns: Insignificant, Minor, Moderate, Major, Catastrophic); each identified risk is placed in the cell where its likelihood and impact meet.
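The matrix and the three significance factors above (appetite, magnitude, likelihood) can be turned into a small risk register that ranks residual risk against management's appetite. The Python below is an added example, not code from the original slides: the five likelihood and impact level names are the slides' own, while the 1..5 weights, the Low/Medium/High bands, the residual-risk formula (inherent score scaled down by an assumed 0..1 control-effectiveness factor) and the sample register are assumptions made here for illustration.

```python
"""Risk scoring on the 5x5 likelihood x impact matrix.

Added example, not part of the original slides. Level names follow the
slides; numeric weights, rating bands, the residual-risk formula and the
sample register are assumptions for illustration.
"""
from dataclasses import dataclass

LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
IMPACT = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}
RATING_ORDER = {"Low": 0, "Medium": 1, "High": 2}


def rating(score: int) -> str:
    """Assumed bands on the 1..25 product: 15 and above High, 5..12 Medium, below Low."""
    if score >= 15:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Risk:
    name: str
    category: str                 # strategic / financial / regulatory / reputational / operational
    likelihood: str               # key of LIKELIHOOD
    impact: str                   # key of IMPACT
    control_effectiveness: float  # assumed scale: 0.0 = no mitigation, 1.0 = fully mitigated

    def __post_init__(self):
        # Reject levels outside the agreed scale so a typo cannot silently score as zero.
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"{self.name}: unknown level {self.likelihood!r}/{self.impact!r}")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.name}: control effectiveness must be within 0..1")

    def inherent(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> int:
        # Assumption: controls scale the inherent score down; the floor of 1 keeps a
        # mitigated risk on the register instead of letting it vanish.
        return max(1, int(round(self.inherent() * (1.0 - self.control_effectiveness))))


def assess(register, appetite: str):
    """Return (name, inherent, residual, rating) for every risk whose residual rating
    exceeds management's appetite, highest residual first."""
    above = []
    for r in register:
        res = r.residual()
        if RATING_ORDER[rating(res)] > RATING_ORDER[appetite]:
            above.append((r.name, r.inherent(), res, rating(res)))
    return sorted(above, key=lambda row: row[2], reverse=True)


# Constructed sample register (illustrative only).
SAMPLE_REGISTER = [
    Risk("Unreconciled suspense balances", "financial", "Likely", "Major", 0.5),
    Risk("Shared teller passwords", "operational", "Almost Certain", "Moderate", 0.2),
    Risk("Late AML reporting to regulator", "regulatory", "Possible", "Catastrophic", 0.8),
    Risk("Branch power outage", "operational", "Unlikely", "Minor", 0.0),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER, appetite="Low"):
        print("%-34s inherent=%2d residual=%2d %s" % row)
```

Run as a script it lists the two risks that remain above a "Low" appetite after existing controls; changing the appetite to "Medium" empties the list, which is the point of recording the appetite explicitly rather than arguing about each cell.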
3. Control Activities
Actions supported by policies, procedures, safeguards and authorities that assure management directives to address risks are carried out properly and on time. Controls can be automated or manual. To be effective, control activities must be:
- Directly related to the control objective
- Appropriate
- Functioning consistently according to plan throughout the period
- Cost effective
- Comprehensive
- Reasonable
Information Technology Control Activities
- General controls are the structure, policies and procedures that apply to the information systems and help to ensure proper operation.
- Application controls are programmed procedures in application software designed to ensure the completeness and accuracy of information.

Examples of control activities:
- Authorization and approval procedures
- Reviews of operating performance
- Supervision (assigning, reviewing/approving, guidance, training)
- Segregation of duties (authorizing, processing, recording, reviewing)
- Controls over access to resources and records
- Reviews of processes and activities
- Numerical sequence of documents to ensure completeness
- Exception reviews; reporting and top-level performance indicators
- Information system controls (general and application controls): system access; system configuration and account mapping; exception/edit reports
- Reconciliations
- Verifications

General controls:
- Access security
- Data and program security
- Physical security
- Software development and program change controls
- Data center operations
- Service continuity (disaster recovery)

Application controls are designed to prevent, detect and correct errors and irregularities as information flows through information systems:
- Input controls (data entry): authorization; validation; error notification and correction
- Processing controls
- Output controls
Directive Controls
- Entity Operations / Admin Manual; Personnel Policies; Policy on Sexual Harassment; Govt. Accounting Standards Board (GASB); UCP 600; manuals, instructions, regulations, circulars, public notices; CDD / AML Procedures Handbook and Ops Manual; AML / CFT Regulations / AML Act 2010; FATF (40 Recommendations); SECP Guidelines; FMU Regulations; Symbols user manuals; CTR user manuals

Preventive Controls
- Annual budget
- Inventory of assets
- Periodic performance evaluation
- Segregation of incompatible duties (a person is not in a position to both commit and conceal)
- Limits to authority (linked to specific dollar levels)
- Original documents to support a transaction
- Security access (CCTV and guards)
- Custodianship
- Physical controls over assets (lock and key)
- Authorized signers (smart cards)

Detective Controls
- Review of computer/application user access logs
- Periodic (annual) inventory count
- Account reconciliations (HO and bank statements)
- Physical inventories (stock reports)
- Card logging and approval (layers, review of reports, card and PIN checking)
- Internal auditors, RCSA

Corrective Controls
- Adjusting journal entries
- Terminations
- Training
- Documentation of systems or processes (gap analysis)
- Improvement initiatives (service weeks)
- Disciplinary actions (demotions and transfers)
- Error communication and reporting (issue resolution and P & V)

Recovery Controls
- Disaster recovery and business continuity plans
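Three of the control activities listed above (segregation of duties, limits to authority, and the numerical sequence of documents) can be re-performed mechanically over a batch of vouchers, which is what an exception report or a detective review of the batch would do. The Python below is an added example, not code from the original slides: the voucher records, user names and approval limits are constructed here for illustration, and the three checks are the editor's own implementations of the controls the slides name.

```python
"""Control-activity checks over a constructed voucher batch.

Added example, not part of the original slides. Re-performs three controls
named on the slides: segregation of duties (the person who enters a voucher
must not approve it), limits to authority (approval within the approver's
limit), and numerical sequence of documents (gaps and duplicates). Records,
user names and limits are constructed for illustration.
"""

# Assumed approval limits per user, in currency units. Anyone absent has no authority.
APPROVAL_LIMITS = {"nadia": 100_000, "imran": 25_000}

# Constructed voucher batch: number, amount, who entered it, who approved it.
VOUCHERS = [
    {"no": 1001, "amount": 2_500,   "entered_by": "asif",  "approved_by": "nadia"},
    {"no": 1002, "amount": 80_000,  "entered_by": "asif",  "approved_by": "asif"},   # self-approved
    {"no": 1003, "amount": 120_000, "entered_by": "bilal", "approved_by": "nadia"},  # over limit
    {"no": 1005, "amount": 400,     "entered_by": "bilal", "approved_by": "imran"},  # 1004 missing
    {"no": 1005, "amount": 400,     "entered_by": "bilal", "approved_by": "imran"},  # duplicate number
    {"no": 1007, "amount": 9_000,   "entered_by": "asif",  "approved_by": "zara"},   # 1006 missing; unknown approver
]


def sod_breaches(vouchers):
    """Vouchers where one person both committed and approved the transaction."""
    return [v["no"] for v in vouchers if v["entered_by"] == v["approved_by"]]


def authority_breaches(vouchers, limits):
    """Vouchers approved above the approver's limit, or by someone with no limit at all."""
    out = []
    for v in vouchers:
        limit = limits.get(v["approved_by"])
        if limit is None:
            out.append((v["no"], "approver not authorised"))
        elif v["amount"] > limit:
            out.append((v["no"], f"amount {v['amount']} exceeds limit {limit}"))
    return out


def sequence_exceptions(vouchers):
    """Missing and duplicated numbers between the lowest and highest voucher in the batch."""
    nums = sorted(v["no"] for v in vouchers)
    if not nums:                      # empty batch: nothing to test
        return {"missing": [], "duplicate": []}
    seen, dup = set(), set()
    for n in nums:
        if n in seen:
            dup.add(n)
        seen.add(n)
    missing = [n for n in range(nums[0], nums[-1] + 1) if n not in seen]
    return {"missing": missing, "duplicate": sorted(dup)}


def exception_report(vouchers, limits):
    """One line per finding, in the form a detective-control review would escalate."""
    lines = [f"voucher {n}: entered and approved by the same user" for n in sod_breaches(vouchers)]
    lines += [f"voucher {n}: {why}" for n, why in authority_breaches(vouchers, limits)]
    seq = sequence_exceptions(vouchers)
    lines += [f"voucher {n}: number missing from sequence" for n in seq["missing"]]
    lines += [f"voucher {n}: number used more than once" for n in seq["duplicate"]]
    return lines


if __name__ == "__main__":
    for line in exception_report(VOUCHERS, APPROVAL_LIMITS):
        print(line)
```

Voucher 1002 appears twice in the report (self-approved, and approved by someone with no limit), which is deliberate: the two controls are independent and a reviewer should see both failures rather than one masking the other.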
4. Information and Communication
Pertinent and reliable information should be identified, captured and communicated in a form and timeframe that enables staff to carry out their responsibilities.
- Management's ability to make appropriate decisions is affected by the quality of information; the information should be appropriate, timely, current, accurate and accessible.
- Information systems need to produce reports that contain operational, financial, non-financial and compliance-related information.
Right information, right place, right time; frankness and openness. Cost-effective controls are made possible by the right information. Communication covers plans, performance indicators and expectations.

Information
Transactions and events must be recorded promptly when they occur if information is to remain relevant and valuable to management in controlling operations and making decisions. Documentation, including policies and procedures, should be updated promptly. Information is the basis for communication.

Communication
Effective communication should occur in all directions: flowing down, across and up the organization, throughout all departments and divisions. Management should be kept up to date on performance, development, risks and other relevant events and issues. Management should communicate to its staff what information it needs to be effective, and provide feedback and direction.
5. Monitoring
Monitoring ensures that internal controls operate as intended over time, and is accomplished through routine (ongoing) activities, separate evaluations, or a combination of both.
- Ongoing monitoring activities cover each of the internal control components, and involve action against irregular, unethical, uneconomical, inefficient and ineffective internal controls.
- Separate evaluations are conducted by internal and/or external auditors; findings and recommendations are reported to the appropriate level of management for resolution.
Monitoring draws on benchmarking, exceptions, analysis of results, effective change, and internal and external audits.

Monitoring examples:
- Supervision
- Observations; raising queries
- Exception reports; inspections
- Reviews of reconciliations / variance analysis
- Performance data; trend analysis; audits
- Self-assessments
- Communication from customers, regulators, etc.
The five components at a glance:
- Monitoring: ongoing monitoring; separate evaluations; reporting deficiencies
- Information and communication: downwards, upwards, horizontal, departmental and external flows; management information systems; performance information; instructions and guidance
- Control activities: policies; procedures; hard control activities
- Risk assessment: organisation-wide objectives; activity-level objectives; risk management; managing change
- Control environment: integrity and ethical values; commitment to competence; board of directors and audit committee; management philosophy and operating style; organisational structure; assignment of authority and responsibility; human resource policies and practices
Why Controls Don't Always Work
1. Inadequate knowledge of policies or governing regulations. "I didn't know that!"
2. Inadequate segregation of duties. "We trust A, who does all of those things."
3. Inappropriate access to assets: passwords shared, cash not secured.
4. Form over substance. "You mean I'm supposed to do something besides initial/sign it?"
5. Control override. "I know that's the policy, but we do it this way." "Just get it done; I don't care how!"
6. Inherent limitations. People are people and mistakes happen. You cannot foresee or eliminate all risk.
When thinking about internal controls, consider the following:
- Compliance with policies and government regulations: are you following established procedures and instructions?
- Propriety of transactions: is this legal and right? Does it feel or look wrong? Would someone else think so?
- Reliability and integrity of information: is the information/form/data/report accurate and complete?
- Safeguarding assets: could anyone take or gain access to items under your control without being observed?
- Economy and efficiency of operations: is there a better way to do the job?
What you can and should do as an auditor:
- Make sure departments have up-to-date policies and procedures;
- Ensure authorization limits are communicated within the departments;
- Ensure all assets (especially cash) are safeguarded at all times;
- Establish document control (especially for spreadsheets);
- Ensure approval signatures are visible (legible) on all required documentation;
- Make sure data is only accessible by authorized personnel;
- Understand the department's/function's risks;
- Ensure adherence to the entity's policy and code;
- Establish objectives and measures for your department/function and for major programs; and
- Evaluate performance to gauge efficiency.
Control Self-Assessment: Some Definitions
- "A CSA programme is a process which allows individual line managers and staff to participate in reviewing existing controls for adequacy, and recommending, agreeing and implementing improvements." (IIA)
- "A formalised, documented and committed approach to the regular, fundamental and open review by managers and staff of the strength of control systems designed and operated to achieve business objectives and guard against risks within their sphere of influence." (CIPFA)
- CSA "...would one day completely replace the traditional audit as the primary assurance tool in the auditor's toolkit." (Gulf Canada)
- A process through which any entity's internal control effectiveness is examined and assessed.
How to identify risk: for each department/division objective, ask:
- What could go wrong? How could we fail? What must go right to succeed?
- What decisions require the most judgment?
- What activities are most complex? What activities are regulated?
- On what do we spend the most money? How do we bill and collect related revenue?
- On what information do we most rely?
- What assets do we need to protect?
- How could someone or something disrupt our operations?

Conditions that increase risks:
- Lack of segregation of duties
- Too much trust: approval of documents without review; lack of verification of transactions after they have been entered in the system; lack of reconciliations
- No follow-up when things appear questionable or unreasonable
- Lack of control over physical assets / inventories
- Lack of control over logical access (system/application access)
- Lack of control over purchasing of materials/supplies
- Lack of knowledge of policies and procedures
RCSA Objectives
The objective is to provide reasonable assurance that all business objectives will be met. (Institute of Internal Auditors)
- Proactive management of risk
- Identification of problems and their correction
- Awareness of risk and control
- Timely upward communication to senior management of significant risks and control issues, and of remedial action plans
- Assist employees in assuming responsibility for effective risk and control management
- Teach staff to analyse, evaluate and report on the application and effectiveness of control mechanisms
- Improve control awareness and the cost effectiveness of products/services
- Complement performance reporting regimes
- Enable managers to certify corporate governance statements with more certainty
Characteristics of Control Self-Assessment
- An ongoing process to ensure controls are adequate and functioning correctly.
- A process to notify management in a timely manner when things are going wrong.
- A mechanism to record and monitor issues and the status of corrective actions.
RCSA: The Early Days
- Perceived as a threat to Internal Audit
- Sluggish start even in the US (only 17% of bodies were using it by 1995)
- Seen as exporting systems-based audit to staff
- Less than 30% of processes/functions used RCSA, and most applications were driven by Directors of Finance
- Supporters saw it as a useful control awareness initiative
- Audit critics believed it could be a new injection of life into flagging "tick and turn" auditing

Potential Internal Audit Involvement
- Advice on design, implementation and maintenance of the risk management system
- Advice on risk, control and governance
- Undertake audits of business unit schedules using the COSO model
- Review periodic reports of business units
- Membership of the Risk & Control Panel
- Reporting on its own plans, activities and outcomes
- Contribute to the overall assessment of corporate governance

Other Considerations (US experience)
- Few organisations cover more than 30% of risk functions
- 70% of sponsors are Internal Audit; after implementation, 60% of Internal Audit functions remain involved
- 50% use COSO, 50% use proprietary software or Internal Audit-designed documentation
- Time involvement may have to be rationed
- 68% of audit functions claim RCSA as one of their products
CSA compared with the Traditional Audit Approach

Traditional approach:
- Assign duties, supervise staff
- Policy/rule-driven
- Limited employee participation
- Narrow stakeholder focus
- Auditors and other specialists act as the control analysts

RCSA approach:
- Empowered, accountable employees
- Continuous improvement / learning curve
- Extensive employee participation and training
- Broad stakeholder focus
- Staff at all levels, in all functions, act as the primary control analysts
Core RCSA Process
1. Identify and document all significant processes of the bank/entity.
2. Evaluate the risks (inherent/specific) in each process.
3. Assess the controls used to manage/mitigate those risks.
4. Point out gaps and make action plans to correct weaknesses.
RCSA Methodology
To begin a process assessment, appoint someone who is knowledgeable about the process but is not the process owner to evaluate whether adequate controls exist.
Do a walk-through of the process and verify that controls exist to support:
- Existence or occurrence
- Completeness
- Valuation or allocation
- Rights and obligations
- Presentation and disclosure
Evaluate whether there are:
- Enough controls to mitigate key risks (otherwise there is a gap)
- Controls that essentially do the same thing (it is possible to over-control a risk)
Evaluate the design of each control:
- Does it mitigate a key risk?
- Can it do what it is supposed to do every time, without fail?
- Does it prevent or detect errors or fraud?
Evaluate the effectiveness of each control:
- Does it operate as it was designed? Is it efficient?
Ways to evaluate controls: observation, re-performance, inspection, knowledge assessment, corroborative inquiry.
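Re-performance means redoing the control yourself and comparing the outcome with what the process owner reports. The Python below is an added example, not code from the original slides: it re-performs a head-office-to-bank-statement reconciliation (one of the detective controls listed earlier), separates amount mismatches from one-sided items, and produces the two quantitative indicators the risk assessment slide names, unreconciled amount and days outstanding. The ledger entries, bank entries, references and dates are constructed for illustration, as is the matching rule (reference plus amount).

```python
"""Re-performance of a bank reconciliation (a detective control).

Added example, not part of the original slides. Matches ledger and bank
entries on (reference, amount), reports amount mismatches separately from
outstanding items, and returns the unreconciled amount and the age in days
of the oldest open item. Entries and dates are constructed for illustration.
"""
from collections import Counter
from datetime import date

AS_OF = date(2024, 3, 31)  # reconciliation date (assumed)

# Constructed entries: (reference, amount, posting date)
LEDGER = [
    ("CHQ-101", 5000, date(2024, 3, 1)),
    ("CHQ-102", 1200, date(2024, 3, 3)),    # cheque not yet presented at the bank
    ("DEP-201", 9000, date(2024, 3, 5)),
    ("CHQ-103", 700,  date(2024, 3, 20)),   # bank posted a different amount
]
BANK = [
    ("CHQ-101", 5000, date(2024, 3, 4)),
    ("DEP-201", 9000, date(2024, 3, 5)),
    ("FEE-9",   150,  date(2024, 3, 15)),   # bank charge not yet in the ledger
    ("CHQ-103", 750,  date(2024, 3, 22)),
]


def _age(d, as_of):
    return (as_of - d).days


def reconcile(ledger, bank, as_of=AS_OF):
    # Step 1: knock off exact matches on (reference, amount). A Counter copes with
    # the same reference/amount legitimately appearing more than once on a side.
    matched = Counter((r, a) for r, a, _ in ledger) & Counter((r, a) for r, a, _ in bank)
    left_l, left_b = [], []
    for side, rest in ((ledger, left_l), (bank, left_b)):
        budget = matched.copy()
        for r, a, d in side:
            if budget[(r, a)] > 0:
                budget[(r, a)] -= 1
            else:
                rest.append((r, a, d))
    # Step 2: same reference on both sides with different amounts is a posting
    # error, reported with both amounts, not an outstanding item. Assumes a
    # reference appears at most once among the leftovers on the bank side.
    by_ref_b = {r: (a, d) for r, a, d in left_b}
    mismatches, unmatched_ledger = [], []
    for r, a, d in left_l:
        if r in by_ref_b:
            b_amt, b_date = by_ref_b.pop(r)
            mismatches.append((r, a, b_amt, max(_age(d, as_of), _age(b_date, as_of))))
        else:
            unmatched_ledger.append((r, a, _age(d, as_of)))
    unmatched_bank = [(r, a, _age(d, as_of)) for r, (a, d) in by_ref_b.items()]
    # Step 3: the two indicators the quantitative assessment asks for.
    total = (sum(a for _, a, _ in unmatched_ledger)
             + sum(a for _, a, _ in unmatched_bank)
             + sum(abs(a - b) for _, a, b, _ in mismatches))
    ages = [item[-1] for item in unmatched_ledger + unmatched_bank + mismatches]
    return {
        "unmatched_ledger": unmatched_ledger,   # (ref, amount, days outstanding)
        "unmatched_bank": unmatched_bank,       # (ref, amount, days outstanding)
        "mismatches": mismatches,               # (ref, ledger amount, bank amount, days)
        "unreconciled_amount": total,
        "oldest_days": max(ages, default=0),
    }


if __name__ == "__main__":
    for key, value in reconcile(LEDGER, BANK).items():
        print(f"{key}: {value}")
```

If the process owner's reconciliation shows a smaller unreconciled amount or a younger oldest item than this re-performance, the control is not operating as designed, whatever the sign-off on the reconciliation sheet says.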
Practical Considerations
- Must set objectives
- Decide on the most appropriate approach
- What topics, processes and systems should be covered
- Amount of time to be invested
- COSO model or your own model
- Facilitation skills available
- Outputs from the workshop
- Reporting protocols
- Ongoing application
RCSA Scope of Workshops: A Model
Objectives of the activity/process.
Strategy / control environment: policies, laws, plans, budgets, procedures, standards, responsibilities, structures, accountabilities, HR policies, market conditions, training, guidance, management information, IT systems, interfaces, monitoring arrangements, reporting, payment regimes, performance measurement, external factors, best practice, etc.
Operations: the system is profiled stage by stage in a worksheet with one row per key stage and the following columns:
Profile of the system (key stage) | Objectives | Risks | Controls expected | Controls actual | Opinion | Testing | Evaluation / improvement | Report / action
RCSA Advantages
- Line management becomes fully involved in risk and control
- Ownership creates greater awareness
- Corrective action can be taken more speedily
- The concept fits neatly with empowerment models
- Facilitates embedding and reporting requirements
- Cheaper than employing more auditors
- Helps employees to understand and assume responsibility for control
- Places front-line responsibility for operational risk management with management
- More effective corrective actions, because participants own the results
- Improves communication at all levels
- Increases control consciousness of the entire institution
- Cultural change: embedding operational risk management at all levels
Possible RCSA Disadvantages
- Relies too much on honesty
- May be too subjective (not related to business objectives)
- In practice, applied to traditional financial areas
- Time consuming
- Does not lend itself easily to cross-functional systems
- Could become unreliable as an add-on to normal duties
- Filling in documentation could become an end in itself
RCSA References
Still the best UK publication (in my opinion): Control Self Assessment, edited by Keith Wade and Andy Wynne, 1999 (published by Wiley). In addition to explaining the reasons for RCSA and the various approaches, it examines about 20 different public and private sector practices, written by different experts and practitioners.
Utility of RCSA
The RCSA process, documented against the COSO framework, assesses the effectiveness of existing controls and the adequacy of controls (operational, financial reporting and compliance). Its output supports oversight by the board of directors and senior management through frequent and comprehensive reporting of control deviations.
(Original diagram labels: IC; BOD & Senior Management; ITAM Process; RCSA Process; COSO Documentation.)
Our Beliefs
People are more important than systems:
- They can make bad systems workable
- They can make good systems fail
- They make the difference in the midst of change
- Understanding how controls work leads to better change management
- Shared information leads to faster improvement and lower risks
Limitations
Internal controls cannot ensure success when there are:
- Losses / frauds
- Bad governance
- Poor managers
- Collusion / conflicts
- Forgeries
- Wrong decisions
- Unethical behaviour
- Override / breach of controls
Presenter: Ms. Saima Riaz. Email: [email protected]