Internal Control and RCSA Programm


  • 7/29/2019 Internal Control and RCSA Programm

    1/75

    Understanding & Effectiveness of Internal Controls & RCSA Framework


    Understanding & Effectiveness of Internal Controls

    What is Control?

    Traditional View of Controls

    What is Internal Control?

    COSO Framework (An Internal Control Framework) and Oversight Representative

    Components of Internal Control

    1- Control Environment

    2- Control Activities

    3- Risk Assessment

    4- Information and Communication

    5- Monitoring

    Why Controls Don't Always Work

    What you can do;

    Definition & Objective- Control Self-Assessment

    Objectives of RCSA

    How to Identify Risk

    Conditions that Increase Risks

    Characteristics- Control Self-Assessment

    RCSA the Early days & Internal Audit Involvement

    CSA compared with Traditional IA Approach

    Core CSA Process

    CSA Methodology and Practical Considerations

    Advantages / Disadvantages of RCSA

    Utility of RCSA

    RCSA Reference

    Our Beliefs

    Limitations


    What is Control - Real life examples

    COSO Framework - Its Oversight, Requirements and Application

    Internal Controls - Who needs them

    5 Internal Control Components - In detail

    5 Types of Risk

    5 Types of Controls

    RCSA Framework - Background and application

    RCSA Methodology

    Advantages and limitations of RCSA

    What you can and should do as an auditor


    The combination of many factors which support people in their efforts to achieve their business objectives.

    e.g. skills, culture, information, resources, measurements, policies, cteamwork, procedures.


    A process is the method or task performed to achiev

    objective.

    A control is a mechanism to ensure the objective of p

    achieved.


    Controls seen as the responsibility of auditors and financial per

    Controls perceived as limited to financial areas.

    Controls seen as bureaucratic & burdensome.


    Committee of Sponsoring Organizations of the Treadway Commission (COSO)

    1. AICPA (American Institute of Certified Public Accountants)

    2. AAA (American Accounting Association)

    3. IIA (The Institute of Internal Auditors)

    4. IMA (Institute of Management Accountants)

    5. FEI (Financial Executives Institute)


    Keeping an eye on entity's assets and resourc

    Finding ways to make sure people don't do bad things

    Protecting the entity from being accused of doing bad things

    Good, sound business practice

    Common Sense!


    Think about what you do;

    Lock your home and vehicle

    Keep your ATM, CR/DR PIN number separate from your card

    Review bills and credit card statement before paying them

    Reconcile your bank statement

    Don't leave blank cheques or cash just lying around

    Expect your children to ask permission to do certain things

    Other examples


    Vehicles are kept locked when not occupied.

    Hierarchies to build the structure and mechanism of accountability

    Computer passwords are periodically changed and shouldn't be written down or kept by the PC

    Checking purchase card charges against source documents.

    Checking management reports against source documents

    Locked cash drawers and secure storage for checks

    Authorization required for certain activities

    Other Example


    Internal control is broadly defined as a process, effected by an edirectors, management/administration, council and individuals, desig

    reasonable assurance regarding the achievement of three objectives:

    Which are;

    Effectiveness and Efficiency of Operations.

    Reliability of Financial Reporting.

    Compliance with applicable laws and regulations.


    Intertwined with entity's operating activities.

    Built into the entity's infrastructure.

    "Built in" Controls support quality

    empowerment initiatives avoid unnecessary costs

    enable quick response to changing conditions.


    Fairly presented in conformity with (GAAP)

    Other relevant / appropriate accounting principles

    Regulatory requirements for external purposes

    Existence or Occurrence

    Completeness

    Rights and Obligations

    Valuation or Allocation

    Presentation and Disclosure


    Compliance to applicable laws is the most essential element of any busi

    Ensure compliance to

    - Entity's Operations / Admin Manual

    - Entity's Personnel Policies

    - Prudential Regulations

    - F.E Manual

    - AML & KYC Hand Book

    - Operations Manual

    - Accounting Manual

    - Audit Manual

    - Other relevant circulars/manuals i.e. Compliance Newsletters

    - Regulatory Guidelines

    - Audit Manual


    1. Control environment.

    2. Risk assessment.

    3. Control activities.

    4. Information and communication.

    5. Monitoring.

    Internal control consists of five main interrelated compone

    derived from the way management runs a business, and are integrated with the management process.

    The components are:


    Key factors:

    Management's attitude: Tone at the Top

    Individual attributes: integrity, ethical values, competence, culture, vision, leadership.

    Control Environme

    1. Control Environment

    The foundation on which everything rests.


    1. Control Environment

    A control environment has:

    - Appropriate hiring policies

    - Assignment of authority and responsibility

    - Up to date job descriptions

    - Appropriate training

    - Meaningful review of performance

    - Punctuality and discipline

    - Hierarchical structure


    Anything that could negatively impact the entity's

    to meet its operational objectives.

    Risks are things that will stop an organization from

    meeting its objectives.

    What could keep your entity from reaching its goa

    What keeps you up at night?

    What is Risk?


    Strategic risk that would prevent a department from accomplishing objectives (meeting its goals).

    Financial risk that could result in a negative financial impact to the Entity (waste or loss of assets).

    Regulatory (Compliance) risk that could expose the Entity to fines and penalties from a regulatory agency due to non-compliance with laws and regulations.

    Reputational risk that could expose the Entity to negative publicity

    Operational risk that could prevent the department from operating

    most effective and efficient manner or be disruptive to other Entity ope


    Understanding objectives

    Identification of Risks

    Assessing Risks: Significance, Likelihood

    2. Risk Assessment


    For content, three factors will assist you in determining the significance of the risks you have identified:

    Management's risk appetite and risk capacity

    The magnitude of the impact of the risks

    The likelihood of occurrence

    2. Risk Assessment


    Variety of risks from external and internal sources

    Pre-condition to risk assessment - establishment of objectives

    The broad categories of objectives used for risk assessment are:

    Operations objectives. Financial Reporting Objectives. Compliance Objectives.

    2. Risk Assessment


    Business Risk Framework (diagram)

    External Risks: Legal (regulation, legislation, etc.); Economic (interest rates, currencies, inflation, GDP, unemployment, etc.); Social (trends, values, population growth, consumer psychology, etc.); Technology; New Entrants; Suppliers; Substitutes; Competition

    Internal Risks:

    Integrity: Management Fraud; Employee Fraud; Illegal Acts; Unauthorized Use; Reputation

    Governance: Authority; Leadership; Performance Incentives; Limits

    Operational: Technology; Quality; Customer Satisfaction; Customer Accept./Credit; Obsolescence; Shrinkage; Efficiency; Capacity; Pricing; Cycle Time; Sourcing; Product Development & Life Cycle Mgmt.; Product Failure; Business Interruption; Strategic Alliances; Contracting; Performance Measures; Health and Sa; Trademarks/B; Marketing

    Information Management: Management Info. System; Dependence on IT; Reliability; External IT; Access/Availability; Completeness/Assurance; Relevance; Sufficiency

    Financial Management: Budgeting & Planning; Cash Flow; Investment Evaluation; Financial Reporting; Financial Instruments; Funding; Accounting Information; Cost control

    Hu: HR M; Com; Recr; Reco; Com; Perfo; Lead; Train

    Taxa; Envir; Healt; Lega; Regu

    C P D R T


    Insignificant: No impact on reputation

    Minor: Consequences can be absorbed under normal operating conditions; Potential impact on reputation

    Moderate: There is some impact on reputation

    Major: Reputation is impacted in the short t

    Catastrophic: Serious damage to reputation

    2. Risk Assessment - Magnitude of Impact


    Rare or Remote: Event may only occur in exceptional circums

    Unlikely: Event could occur in rare circumstances

    Possible: Event could occur at some time

    Likely: Event will probably occur in most circumsta

    Almost Certain: Event is expected to occur in most circumsta

    2. Risk Assessment - Likelihood of Occurrence


    2. Risk Assessment

    Quantitative Assessment

    gathers data in numerical form which can be put into categories, or in rank order, or measured in units of measurement. This type of data can be used to construct graphs and tables of raw data.

    Examples:

    Deposits

    Advances

    Actual Reported Frauds

    Financial Statements

    System Downtime

    Un-reconciled Transactions (Amount)

    Un-reconciled Transactions (days)

    Qualitative Assessment

    gathers information that is not in numerical form. For example, diary accounts, questionnaires, unstructured interviews, unstructured observations.

    Examples:

    Internal Audit

    External Audit

    SBP Audit (where applicable)

    Customer Service

    Complexity of Operations

    Core Banking Systems / ERP Applications

    Entity's operating software


    Risk matrix (diagram)

    Vertical axis - Likelihood of Occurrence: Almost Certain, Likely, Possible, Unlikely, Rare

    Horizontal axis - Magnitude of Impact: Insignificant, Minor, Moderate, Major, Catastrophic

    2. Risk Assessment


    Policies Procedures Safeguards

    Authorities

    Control Activities

    Actions supported by

    assure management directives to address risks are carried out properly and timely.


    Controls can be automated or manual;

    To be effective, control activities must be:

    Directly related to the Control objective

    Appropriate

    Functioning consistently according to plan throughout the p

    Cost effective

    Comprehensive

    Reasonable


    Information Technology Control Activities

    - General Controls are the structure, policies and procedures that apply to the information systems and help to ensure proper operation.

    - Application Controls are programmed procedures in application software designed to ensure completeness and accuracy of information.


    Reviews of processes and

    Numerical sequence of ensure completeness;

    Exceptions reporting reviews;

    Performance indicators;

    Information system contapplication controls);

    System Access;

    System Configuration Mapping;

    Exception/Edit Reports;

    Authorization and approval procedures;

    Reviews of operating performances;

    Supervision (assigning, reviewing/approving, guidance, training);

    Segregation of duties (authorizing, processing, recording, reviewing);

    Controls over access to resources and records;

    Reconciliations;

    Verifications;


    General Controls:

    - Access security

    - Data and program security

    - Physical security

    - Software development and program change controls

    - Data center operations

    - Service continuity (disaster recovery)

    Application Controls:

    - Designed to prevent, detect and correct errors and irregularities as information flows through information systems:

    Input controls (data entry authorization; validation; error notification and correction)

    Processing controls

    Output controls


    Directive Controls

    Entity Operation, Admin Manual; Personnel Policies; Policy on Sexual Harassment; Govt. Accounting Standards Board (GASB), UCP 600, Manuals, Instructions, Regulations, Circulars, public notices, CDD / AML Procedures Hand Book and Ops Manual, AML / CFT Regulations / AML Act 2010, FATF (40), SECP Guidelines, FMU Regulations, Symbols user manuals, CTR user manuals

    Preventive Controls

    - Annual budget

    - Inventory of assets

    - Periodic performance evaluation

    - Segregation of incompatible duties (a person is not in a position to both commit and conceal), Limits to authority (link to specific dollar levels)

    Original documents to support a transaction, Security Access (CCTV and Guards), point Custodianship, Physical controls over assets (Lock and Key), Authorized signers (Smart Cards)

    Detective Controls

    Review of computer/application user access log

    Periodic (annual) inventory count

    Account reconciliations (HO and Bank Statements)

    Physical inventories (Stock Reports)

    Card logging, and approval (Layers, Review of reports, Card and Pin Checking)

    Internal auditors, RCSA

    Corrective Controls

    Adjusting Journal Entries; terminations; training,

    Documentation systems or processes (Gap Analysis)

    Improvement initiatives (Service weeks)

    Discipline actions (Demotions and Transfers), Error communication and reporting (Issue Resolution and P & V)


    Pertinent and reliable information should be identified, captured and communicated in form and timeframe that enables staff to carry out their responsibilities.

    o Management's ability to make appropriate decisions is affected by the quality of information; that implies that the information should be appropriate, timely, current, accurate and accessible.

    o Information systems need to produce reports that contain operational, financial and non-financial, and compliance-related information.

    4 - Information and Communication


    Right information Right place Right time Frankness Openness

    4 - Information and Communication

    Cost Effective controls are made possible by the right information

    Communication of Plans, Performance Indicators, and Expectations.


    Transactions and events must be recorded promptly when they occur if information is to remain relevant and valuable to management in controlling operations and making decisions.

    Documentation should be updated promptly, including policies and procedures.

    Information is the basis for communication.

    Information


    Effective communication should occur in all directions flowing down, across and up the organization, throughout all departments and divisions.

    Management should be kept up-to-date on performance, development, risks and other relevant events and issues.

    Management should communicate to its staff what information it needs to be effective; and provide feedback and direction.

    Communication


    Monitoring ensures that the Internal controls operate as intended over time, and is accomplished through routine (on-going) activities, separate evaluations or a combination of both.

    Ongoing monitoring activities cover each of the Internal control components, and involve action against irregular, unethical, uneconomical, inefficient and ineffective Internal controls.

    Separate evaluations are conducted by Internal and/or external auditors; findings/recommendations are reported to the appropriate level of management for resolution.

    5 - Monitoring

    Monitoring


    Benchmarking Exceptions Analysis of results Effective change Internal & External Audits


    5 - Monitoring


    Supervision

    Observations

    Raising queries

    Exception Reports

    Inspections

    Reviews of Reconciliations/ Variance Analysis

    Performance Data

    Trend Analysis

    Audits

    Self-assessments

    Communication from Customers, Regulators, etc.

    5 - Monitoring - Examples


    CONTROL ENVIRONMENT: Integrity & Ethical Values; Commitment to Competence; Board of Directors & Audit Committee; Management Philosophy & Operating Style; Organisational Structure; Assignment of Authority & Responsibility; Human Resource Policies & Practices

    RISK ASSESSMENT: Organisation-wide Objectives; Activity-level Objectives; Risk Management; Managing Change

    CONTROL ACTIVITIES: Policies; Procedures; Hard control activities

    MONITORING: Ongoing Monitoring; Separate Evaluations; Reporting Deficiencies

    Downwards; Upwards; Horizontal; Departmental; External

    M P In


    1. Inadequate knowledge of policies or governing regulations. I didn't kn

    2. Inadequate segregation of duties. We trust A who does all of those th

    3. Inappropriate access to assets. Passwords shared, cash not secured

    4. Form over substance. You mean I'm supposed to do something besides it?

    5. Control override. I know that's the policy, but we do it this way. Just g don't care how!

    6. Inherent limitations. People are people and mistakes happen. You cannot eliminate all risk.


    When thinking about Internal controls, consider the following:

    Compliance with policies and government regulations - are you following established procedures/instructions?

    Propriety of transactions - is this legal and right? Does it feel or look Would someone else think so?

    Reliability and integrity of information - is the information/form/data accurate and complete?

    Safeguarding assets - could anyone take or gain access to items under control without being observed?

    Economy and efficiency of operations - is there a better way to do t


    o Make sure they have up-to-date policies and procedures;

    o Ensure authorization limits are communicated within the departm

    o Ensure all assets (especially cash) are safeguarded at all times;

    o Establish document control (especially for spreadsheets);

    o Ensure approval signatures are visible (legible) on all required documentation;

    o Make sure data is only accessible by authorized personnel;

    o Understand the department/function's risks;

    o Ensure adherence to Entity's policy and Entity's code;

    o Establish objectives and measures for your department/function major programs; and

    o Evaluate performance to gauge the efficiencies


    Control Self Assessment Some Definitions

    A CSA programme is a process which allows individual line maand staff to participate in reviewing existing controls for adequ

    and recommending, agreeing and implementing improvemen

    A formalised, documented and committed approach to the refundamental and open review by managers and staff of the strcontrol systems designed and operated to achieve business oband guard against risks within their sphere of influence (CIPFA

    ..would one day completely replace the traditional audit as the primary assurance tool in the auditor's toolkit (Gulf Canada)

    A process through which any entity's Internal Control effectiveexamined and assessed.


    For each department/division objective, ask:

    What could go wrong?

    How could we fail?

    What must go right to succeed?

    What decisions require the most judgment?

    What activities are most complex?

    What activities are regulated?

    On what do we spend the most money?

    How do you bill/collect related revenue?

    On what information do we most rely?

    What assets do we need to protect?

    How could someone or something disrupt our operations?


    Lack of segregation of duties

    Too much trust

    - Approval of documents without review

    - Lack of verification of transactions after they have entered in the system

    - Lack of reconciliations

    No follow-up when things appear questionable or not reasonable

    Lack of control over physical assets / inventories

    Lack of control over logical access, system/application a

    Lack of control over purchasing of materials/supplies

    Lack of knowledge of policies and procedures

    RCSA Objectives


    The objective is to provide reasonable assurance that all business objectives will be met. (Institute of Internal Auditors)

    Proactive management of risk

    Problems identification and its correction

    Awareness of risk and control

    Upward timely communication to the senior management for:

    - Significant risks and control issues

    - Remedial action plans

    RCSA- Objectives

    RCSA Objectives


    RCSA Objectives

    Assist employees in assuming responsibility for effective risk and control management

    Teach staff to analyse, evaluate and report on the application and effectiveness of control mechanisms

    Improve control awareness and the cost effectiveness of products/services

    Complements performance reporting regimes

    Enables managers to certify corporate governance statements with more certainty

    CHARACTERISTICS Control Self Assessment


    An ongoing process to ensure controls are adequate and functioning correctly.

    A process to notify management timely, when things are go

    A mechanism to record and monitor issues and the status of actions.

    CHARACTERISTICS- Control Self-Assessment

    RCSA-The Early days


    RCSA The Early days

    Perceived as a threat to Internal Audit

    Sluggish start even in the US (only 17% of bodies were using it by 1995)

    Seen as exporting systems based audit to staff

    Less than 30% of processes/functions used RCSA and most of the applications were driven by Directors of Finance

    Supporters saw it as a useful control awareness initiative

    Audit critics believed it could be a new injection of life into flagging tick and turn auditing

    Potential Internal Audit Involvement


    Potential Internal Audit Involvement

    Advice on design, implementation & maintenance of risk management system

    Advice on risk, control and governance

    Undertake audits of business unit schedules using COSO model

    Review periodic reports of business units

    Membership of Risk & Control Panel

    Reporting on its own plans, activities and outcomes

    Contribute to overall assessment on Corporate Governance

    Other Considerations


    Other Considerations

    Few organisations cover more than 30% of risk functions

    70% of sponsors are Internal audit

    After implementation, 60% of Internal audit functions remain involved

    50% use COSO, 50% use proprietary software or Internal audit designed documentation (US experience)

    Time involvement may have to be rationed

    68% of audit functions claim RCSA is one of its products

    CSA compared with Traditional Audit Approach


    CSA compared with Traditional Audit Approach

    Traditional Approach | RCSA Approach

    Assign duties, supervise staff | Empowered, accountable employees

    Policy/rule-driven | Continuous improvement/learning curve

    Limited employee participation | Extensive employee participation and trai

    Narrow stakeholder focus | Broad stakeholder focus

    Auditors and other specialists | Staff at all levels, in all functions, as prima

    Core RCSA Process


    Core RCSA Process

    Identify and document all significant processes of the bank/entity,

    Evaluate risks (inherent/ specific) in each process,

    Assess controls used to manage / mitigate risks,

    Point out gaps & make action plans to correct weaknesses,

    RCSA Methodology


    To begin a process assessment, appoint someone who is knowledgeable about the process but not the process owner to evaluate if adequate controls exist.

    Do a walk through of the process and verify controls exist to v

    Existence or occurrence

    Completeness

    Valuation or allocation

    Rights and obligations

    Presentation and disclosure

    RCSA Methodology



    Evaluate if there are:

    Enough controls to mitigate key risks - there may be a gap

    Controls that essentially do the same thing - it is possible to over-control a risk

    RCSA Methodology



    Evaluate the design of each control.

    Does it mitigate a key risk?

    Can it do what it is supposed to do every time without fail?

    Does it prevent or detect errors or fraud?

    RCSA Methodology



    Evaluate the effectiveness of each control.

    Does it operate as it was designed?

    Is it efficient?

    Ways to evaluate controls:

    Observation

    Re-performance

    Inspection

    Knowledge assessment

    Corroborative inquiry


    Practical Considerations


    Must set objectives

    Decide on most appropriate approach

    What topics, processes, systems should be covered

    Amount of time to be invested

    COSO model or your own model

    Facilitation skills available

    Outputs from the workshop

    Reporting protocols

    Ongoing application


    Profile of the System (key stages) | Objectives | Risks | Controls Expected | Controls Actual | Opinion | Testing | Evaluation/Improvement

    1.

    2.

    3.

    4. Etc.

    Objectives of the Activity/Process:

    Strategy/Control Environment: Policies, Laws, Plans, Budgets, Procedures, Standards, Responsibilities, Structures, A Policies, market conditions, training, guidance, management information, IT systems, interfaces, monitoring arrangements, regimes, performance measurement, external factors, best practice etc.

    Operations:

    RCSA Scope of Workshops A Model to Show!


    Line management becomes fully involved in risk & control

    Ownership creates greater awareness

    Corrective action can be taken more speedily

    The concept fits neatly with empowerment models

    Facilitates embedding and reporting requirements

    Cheaper than employing more auditors


    Helps employees to understand and assume responsibility for control,

    Places front line responsibility with management for operational risk management,

    More effective corrective actions because participants own the results,

    Improve communication at all levels,

    Increase control consciousness of the entire institution,

    Cultural change embedding operational risk management at all levels.

    Possible RCSA Disadvantages


    Relies too much on honesty

    May be too subjective (not related to business objectives)

    In practice, applied to traditional financial areas

    Time consuming

    Does not lend itself easily to cross functional systems

    Could become unreliable as an add on to normal duties

    Filling in documentation could become an end in itself

    RCSA References


    Still the best UK publication (in my opinion)

    Control Self Assessment edited by Keith Wade and Andy W 1999 (published by Wiley)

    In addition to explaining the reasons for RCSA and the various approaches, it examines about 20 different public and private practices which are written by different experts and practitio

    Utility of RCSA


    Utility of RCSA

    IC

    BOD & Senior. Management

    Oversight

    Frequent & comprehensive reporting of control deviations to the BOD / Senior Management

    Effectiveness of existing controls

    Adequacy of controls

    (Operational, Financial Reporting & Compliance)

    COSO Documentation

    ITAM Process

    Our Beliefs


    People are more important than systems as;

    They can make bad systems workable,

    They can make good systems fail,

    They make the difference in the midst of change,

    Understanding how controls work leads to better change management,

    Shared information leads to faster improvement and lower risks.

    Limitations


    Internal controls cannot ensure success when there are

    Bad Governance

    Wrong Decisions

    Poor managers

    Unethical behavior

    Collusion / Conflicts

    Override / Breach of controls


    Name: Ms. Saima Riaz

    Email Address: [email protected]