
COSO implementation and the role of the compliance function: a practical case

Presented by: Syed Liaquat Ali, FCA, Chief Compliance Officer, Union Bank Limited, and Co-Chairman, Accounting & Taxation Sub-Committee, Pakistan Banks Association

Today's Objective
To introduce and explain the requirements and implementation of the COSO Framework for the evaluation of internal controls, and the role of the Compliance Function

Compliance Defined: Compliance is adherence to applicable legal and regulatory requirements, management policies and the internal control system, so as to ensure quality conduct of business.
Compliance is a vital element of an organization's internal control system; from an independent managerial perspective it provides assurance of that system's effectiveness and efficiency.

Compliance and the overall control environment

Entity-level controls:
Tone at the top
Corporate governance: fundamental objectives of openness and disclosure
Ethical values: integrity, accountability and leadership
Anti-fraud and anti-money-laundering
Whistle-blowing

Importance of the Compliance Function

In the aftermath of the major corporate and banking collapses, investors have increasingly demanded major changes in corporate risk assurance, corporate governance and audit practices. Boards, management and their professional services providers the world over face unparalleled levels of scrutiny from regulators, the investment community and the media. What was once business as usual is now deemed unacceptable and improper. In almost all jurisdictions, new regulations on corporate governance have been formulated to restore confidence. This makes Compliance a vital function of any bank or organization.

An effective Compliance function of a bank may cover the following:
Legal, regulatory and corporate matters
Internal control and its framework: largely to do with the tone at the top as well as the overall framework
Self-assessment
Compliance with policies
AML/KYC and fraud control program
Whistle-blowing
Regulatory reporting
Compliance with internal audit, external audit and SBP inspection reports
The Chief Compliance Officer (CCO) reports directly to the CEO
The Board may have access to the CCO
Compliance is proactive, whereas audit is reactive
Compliance is itself also audited

BSD Circular Number Seven

Applies to ALL banks/DFIs operating in Pakistan. Requires the banks/DFIs to adopt a framework that will aid in:
Implementing an effective internal control system
Evaluating existing controls
Reporting on the effectiveness of internal controls over financial reporting

Holds the Board of Directors and management responsible for operating and maintaining an effective, efficient and appropriate system of internal controls. Requires the external auditors to evaluate and report on the effectiveness of controls over financial reporting.

Internal Control Defined:

Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations

Controls can be preventive or detective. An internal control can be thought of as anything that prevents or detects errors or omissions.

Limitations of Internal Controls

Controls can be costly; management must do a cost/benefit analysis
Controls provide reasonable assurance, not absolute assurance
Controls minimize the incidence of fraud and error; they do not eliminate it

Who is responsible for maintaining Internal Controls?

Internal controls are the responsibility of every individual within the organization; however, management is ultimately responsible for having an effective system of internal controls. Others include:
Board of Directors
Audit Committee
Internal Auditors
External Auditors, to the extent of their work

BSD Circular Seven vs. Sarbanes-Oxley: two of a kind, in a nutshell!

BSD Circular Seven:
Requires management to establish and maintain effective controls over financial reporting
Management issues a report on the effectiveness of controls, to be endorsed by the Board
External auditors must attest to this report

Sarbanes-Oxley Act:
Requires management to establish and maintain effective controls over financial reporting
Management issues a report on the effectiveness of controls
External auditors must attest to this report

Management's Responsibilities
Internal Controls over Financial Reporting: Management is responsible for the company's internal controls over financial reporting, for evaluating the effectiveness of those controls using a suitable framework, for supporting its evaluation with sufficient evidence, including documentation, and for presenting a written assessment of the effectiveness of the company's internal controls over financial reporting.

Management's responsibilities

ANTI-FRAUD PROGRAM: Management should set the proper tone; create and maintain a culture of honesty and high ethical standards; and establish appropriate controls to prevent, deter and detect fraud, including:
Controls restraining the inappropriate use of company assets
The company's risk assessment process
Code of ethics/conduct provisions, and monitoring of the code by management and the audit committee
Adequacy of the company's procedures for handling complaints and for accepting confidential submissions of concerns about questionable accounting or auditing matters

What is Internal Control over Financial Reporting?

It is a process to help ensure that financial statements are prepared in accordance with generally accepted accounting principles. It includes policies and procedures providing reasonable assurance that:
Transactions are properly recorded and reported
Records accurately and fairly reflect the transactions and dispositions of company assets
Receipts and expenditures of the company are authorized by management or the board of directors
Unauthorized acquisition, use or disposition of the company's assets is prevented or detected in a timely manner
Adequate controls are in place to support the required financial statement assertions

What are financial statement assertions? Financial statement assertions have a meaningful bearing on ensuring that the accounts and disclosures are fairly presented:
Completeness: all transactions are accounted for
Existence: transactions are real and recorded only once
Accuracy: amounts are properly calculated
Valuation: the valuation methodology is correct
Ownership: rights to assets and obligations for liabilities are recognized
Presentation: properly posted, summarized,

Selection of an Integrated Framework of Internal Controls over Financial Reporting

The criteria for management's assessment must be based on a suitable, recognized control framework. COSO satisfies the SOX requirements and is the most widely adopted framework worldwide. COSO stands for the Committee of Sponsoring Organizations. Originally formed in 1985, it is a voluntary private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls and corporate governance. It studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors.

Internal Control Framework under COSO

COSO defines internal control as a process to achieve the following objectives (SOX Section 404 and BSD Circular Seven focus on the second):
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations

COSO Control Framework Overview

Monitoring: the process to determine whether internal control is adequately designed, executed, effective and adaptive
Management analysis, Disclosure Committee, Internal Audits

Information and Communication: the process which ensures that relevant information is identified and communicated in a timely manner
Messages from senior management, policies and procedures, training, code of ethics

Control Activities: the policies and procedures that help ensure that actions identified to manage risk are executed in a timely manner
Delegation of authority, approvals, common processes and systems, segregation of duties, account reconciliations, information technology controls

Risk Assessment: the evaluation of internal and external factors that impact an organization's performance
Business risk management, process risk management, internal audit risk assessment

Control Environment: the control conscience of an organization; the tone at the top
Code of ethics, documented policies and procedures, cultural assessment

Components of Internal Control under the COSO Framework

According to the COSO framework, internal control consists of five interrelated components:
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring

Control Environment: the foundation of all other COSO components

The conscience of the organization
Sets the tone of the organization
People's individual attributes, including integrity, ethical values and competence
Attitude of management

Risk Assessment
Identification and analysis of relevant risks to the achievement of business objectives
Understanding the impact risks will have on business objectives and the likelihood of their occurrence
Determining how risks should be managed

Control Activities
Policies and procedures that help to ensure that actions identified to manage risks are executed and performed in a timely manner. The controls below are used to manage risks to reasonable levels:
Approvals, authorizations and verifications
Reconciliations
Performance reviews
Security of assets
Segregation of duties
Controls over information systems
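Segregation of duties is the control activity above that is most often tested mechanically: the entitlements actually held in the core banking and finance systems are compared against a list of duties that must not sit with one person. The following is an added example, not from the presentation or from Union Bank, of such a check in Python. The duties, roles, users and conflict pairs are constructed sample data, and it shows two things a Phase Four control test would report: users whose combined roles breach a conflict pair, and roles whose own design embeds a conflict (a design deficiency regardless of who holds the role).

```python
"""Segregation-of-duties (SoD) conflict check over role assignments.

Added illustration for the Control Activities slide. All duty names,
roles, users and conflict pairs below are constructed sample data,
not taken from any real bank's systems.
"""

# Constructed conflict matrix: pairs of duties one person must not hold.
# E.g. whoever maintains the vendor master must not approve payments to vendors.
SOD_CONFLICTS = {
    frozenset({"vendor_master_maintain", "payment_approve"}),
    frozenset({"payment_initiate", "payment_approve"}),
    frozenset({"journal_post", "journal_approve"}),
    frozenset({"user_admin", "journal_post"}),
}

# Constructed role-to-duty mapping, as a control owner would document it.
ROLE_DUTIES = {
    "AP_Clerk": {"vendor_master_maintain", "payment_initiate"},
    "AP_Supervisor": {"payment_approve"},
    "GL_Accountant": {"journal_post"},
    "Finance_Manager": {"journal_approve", "payment_approve"},
    "IT_SecurityAdmin": {"user_admin"},
    # A legacy role that was never split: initiates and approves payments.
    "Branch_Manager_Legacy": {"payment_initiate", "payment_approve"},
}


def duties_for(user_roles, role_duties=ROLE_DUTIES):
    """Flatten a user's roles to the set of duties those roles confer."""
    duties = set()
    for role in user_roles:
        duties |= role_duties.get(role, set())
    return duties


def sod_violations(assignments, conflicts=SOD_CONFLICTS, role_duties=ROLE_DUTIES):
    """Return {user: [(duty_a, duty_b), ...]} for every user holding a conflict.

    assignments: {user: set of role names}. A violation exists when the union
    of a user's duties contains both halves of any conflict pair, even if the
    two halves come from different roles.
    """
    findings = {}
    for user, roles in sorted(assignments.items()):
        held = duties_for(roles, role_duties)
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= held]
        if hits:
            findings[user] = sorted(hits)
    return findings


def role_design_conflicts(role_duties=ROLE_DUTIES, conflicts=SOD_CONFLICTS):
    """Design-level check: a single role that embeds a conflict pair is a
    control design deficiency, independent of who is assigned to it."""
    return sorted(role for role, duties in role_duties.items()
                  if any(pair <= duties for pair in conflicts))


# Constructed sample of user-to-role assignments.
SAMPLE_ASSIGNMENTS = {
    "alice": {"AP_Clerk"},
    "bob": {"AP_Clerk", "AP_Supervisor"},          # creates vendors and approves payments
    "carol": {"GL_Accountant"},
    "dave": {"GL_Accountant", "IT_SecurityAdmin"},  # posts journals and administers users
    "erin": {"Finance_Manager"},
}

if __name__ == "__main__":
    for user, hits in sod_violations(SAMPLE_ASSIGNMENTS).items():
        for duty_a, duty_b in hits:
            print(f"{user}: holds both '{duty_a}' and '{duty_b}'")
    print("roles with built-in conflicts:", role_design_conflicts())
```

The user-level findings are what the implementation team would document as testing deficiencies and carry into the remediation plan; the role-level finding is fixed once, by splitting the role, rather than user by user.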

Information & Communication

Enables people to capture and exchange the information needed to conduct, manage and control operations
Employee duties and responsibilities are continuously communicated
Communication across the organization should be fluid: up and down as well as laterally across the organization
Open channels of communication with customers, suppliers and other external parties

Monitoring
Determines whether the internal control system is adequately designed, executed, effective and adaptive
Assesses the quality of the system's performance over time

Company-Level Controls
Company-level controls have a pervasive effect on the organization. They include:
Effective oversight by the board and audit committee
Management tone at the top
Corporate governance policies
Employment and compensation practices
Expenditure authority limits
General IT controls
Security of facilities and other assets
Business continuity plan
Monitoring of operating performance
Monitoring of controls, including the activities of the Internal Audit function and self-assessment programs

Process-Level Controls are more specific to the processes, applications and transactions which generate information included in financial reporting. Significant processes include:
Sales (order fulfillment, billing, cash receipts)
Procurement (purchasing, A/P, cash disbursements)
Inventory Management (RM, WIP, FG)
Fixed Asset Management (projects, CWIP, FA)
Compensation (payroll processing)
Treasury (cash, investment and debt management)
Tax Compliance (income, property, sales tax)
Financial Reporting (closing, consolidation, financial statements)
Information Processing (access, backup, change management)

Process-Level Controls


Phase One: Plan the Project

Project phases: Identify & Plan the Project; Assess & Define; Document Controls; Perform Tests & Remediate; Monitor

Project Team Organization and Training
Identify and organize the project team
Train the project team
Internal Control Readiness Planning
Assess internal controls at entity level
Understand the bank's business and operations
Assess internal controls at process level

Project Team Organization

Board/Audit Committee
Team Leader
Steering Committee (CEO, CFO, CCO, Head of IT, Head of Audit, Head of Operations)
Internal Control Implementation Team (departmental heads and private consultants)

Phase Two: Assess and Define

Control Environment Assessment (conducted by the steering committee)

Assess existing controls
Survey, observation, questionnaire, re-performance, confirmation

Remediate the control environment (entity level)
Develop an ongoing control environment assessment (entity level)
Continuously monitor and evaluate by means of questionnaires, observation, surveys and interviews

Phase Three: Identify and Document Controls

Involve the Implementation Team in identifying and documenting controls

o Use workshops to gather information regarding current processes and systems; focus each workshop on one process
o Gain participation from all relevant parties
o Include subject matter experts (i.e. department heads, external auditors, private consultants)
o Produce process flowcharts, narratives and control matrices

Regularly schedule meetings with the steering committee to help identify and resolve issues

Identify and Document Controls (continued)

Ensure Consistency
Clear description of controls:
What control is being documented
What the control achieves (why it is performed)
How often the control occurs
Who is responsible for performing it (job title)
How the control activity is performed
Where in the sub-process the control occurs

Phase Four: Test and Remediate

Control Activities Testing and Gap Remediation
Perform initial testing of control activities; Internal Audit will assist in testing the controls
Identify and document control testing deficiencies; all deficiencies noted should be critically evaluated and must be documented
Prioritize control design and testing deficiencies based on risk and cost/benefit; the steering committee will prioritize and evaluate the cost/benefit in light of the bank's objectives
Develop a control deficiency remediation plan

Phase Five: Monitor

Monitoring Program: The steering committee is here to stay! It will continuously monitor the controls by conducting regular and periodic questionnaires, surveys, testing, observations and meetings.

Resources
www.coso.org
www.theiia.org
www.aicpa.org
www.internalcompliance.com
www.ey.com
www.deloitte.com
www.sbp.org.pk
