COSO Implementation and The Role of Compliance Function: A Practical Case
Presented by: Syed Liaquat Ali, FCA, Chief Compliance Officer, Union Bank Limited, and Co-Chairman, Accounting & Taxation Sub-Committee, Pakistan Banks Association
Today's Objective
To introduce and explain the requirements and the implementation of the COSO Framework for the evaluation of internal controls, and the role of the Compliance Function.
Compliance Defined: Compliance is defined as adherence to applicable legal and regulatory requirements, management policies and the internal control system, to ensure quality conduct of business.
Compliance is a vital element of an organization's internal control system, which within itself caters for that system's effectiveness and efficiency from an independent managerial perspective.
An effective Compliance function of a Bank may have the following functions:
- Legal, regulatory and corporate matters
- Internal control and its framework, largely to do with tone at the top as well as the overall framework
- Self-assessment
- Compliance with the policies
- AML/KYC and fraud control program
- Whistle-blowing
- Regulatory reporting
- Compliance with internal and external auditors' reports and the SBP report

- The Chief Compliance Officer (CCO) reports directly to the CEO
- The Board may have access to the CCO
- Compliance is proactive, whereas audit is reactive
- Compliance is also audited
Applies to ALL Banks/DFIs operating in Pakistan. Requires the Banks/DFIs to adopt a framework that will aid in:
- Implementing an effective internal control system
- Evaluating existing controls
- Reporting on the effectiveness of internal controls around financial reporting
Holds the BOD and management responsible for operating and maintaining an effective, efficient and appropriate system of internal controls, and requires the external auditors to evaluate and report on the effectiveness of controls around financial reporting.
Controls can be preventive or detective. An internal control can be thought of as anything that prevents or detects errors or omissions.
Controls provide reasonable assurance, not absolute assurance, and minimize the instances of frauds/errors rather than eliminating them.
BSD Circular Seven vs. Sarbanes-Oxley: two of the same, in a nutshell!
BSD Circular Seven:
- Requires management to establish and maintain effective controls over financial reporting
- Management must issue a report on the effectiveness of controls, to be endorsed by the Board
- External auditors must attest to this report
Sarbanes-Oxley Act:
- Requires management to establish and maintain effective controls over financial reporting
- Management must issue a report on the effectiveness of controls
- External auditors must attest to this report
Management's Responsibilities
Internal Controls Over Financial Reporting: Management is responsible for:
- the company's internal controls over financial reporting;
- evaluating the effectiveness of the company's internal controls over financial reporting using a suitable framework;
- supporting its evaluation with sufficient evidence, including documentation;
- presenting a written assessment about the effectiveness of the company's internal controls over financial reporting.
Management's responsibilities
ANTI-FRAUD PROGRAM: Management should set the proper tone; create and maintain a culture of honesty and high ethical standards; and establish appropriate controls to prevent, deter, and detect fraud, including:
- Controls restraining the inappropriate use of company assets
- The company's risk assessment process
- Code of ethics/conduct provisions, and the monitoring of the code by management and the audit committee
- Adequacy of the company's procedures for handling complaints and for accepting confidential submissions of concerns about questionable accounting or auditing matters
What is Internal Control over financial reporting? It is a process to help ensure financial statements are prepared in accordance with generally accepted accounting principles. It includes policies and procedures providing reasonable assurance that:
- Transactions are properly recorded and reported;
- Records accurately and fairly reflect the transactions and dispositions of company assets;
- Receipts and expenditures of the company are authorized by management or the board of directors;
- Unauthorized acquisition, use or disposition of the company's assets is prevented or detected in a timely manner; and
- Adequate controls are in place to support required financial assertions.
What are financial statement assertions? Financial statement assertions have a meaningful bearing on ensuring that the accounts and disclosures are fairly presented:
- Completeness: All transactions are accounted for
- Existence: Transactions are real and recorded only once
- Accuracy: Amounts are properly calculated
- Valuation: Valuation methodology is correct
- Ownership: Rights to assets and obligations of liabilities are recognized
- Presentation: Properly posted, summarized,
The process which ensures that relevant information is identified and communicated in a timely manner. Examples:
- Messages from Senior Management
- Policies and Procedures
- Training
- Code of Ethics
The policies and procedures that help ensure that actions identified to manage risk are executed in a timely manner. Examples:
- Delegation of Authority
- Approvals
- Common Processes and Systems
- Segregation of Duties
- Account Reconciliations
- Information Technology Controls
The evaluation of internal and external factors that impact an organization's performance. Examples:
- Business Risk Management
- Process Risk Management
- Internal Audit Risk Assessment
- Cultural Assessment
Risk Assessment
Identification and analysis of relevant risks to
Control Activities
Policies and Procedures that help to ensure that actions identified to manage risks are executed and performed in a timely manner. The controls below are used to manage risks to reasonable levels:
- Approvals, Authorizations & Verifications
- Reconciliations
- Performance reviews
- Security of Assets
- Segregation of duties
- Controls over information systems
communicated
Communication across the organization should
Monitoring
Determines whether the internal control
Company-Level Controls
Company-Level Controls have a pervasive effect on the organization. They include:
- Effective oversight by board and audit committee
- Management tone at the top
- Corporate governance policies
- Employment and compensation practices
- Expenditure authority limits
- General IT controls
- Security of facilities and other assets
- Business continuity plan
- Monitoring operating performance
- Monitoring of controls, including activities of the Internal Audit function and self-assessment programs
Process-Level Controls
Process-Level Controls are more specific to processes/applications/transactions which generate information included in financial reporting. Significant processes include:
- Sales (order fulfillment, billing, cash receipts)
- Procurement (purchasing, A/P, cash disbursements)
- Inventory Management (RM, WIP, FG)
- Fixed Asset Management (projects, CWIP, FA)
- Compensation (payroll processing)
- Treasury (cash, investment and debt management)
- Tax Compliance (income, property, sales tax)
- Financial Reporting (closing, consolidation, financial statements)
- Information Processing (access, backup, change mgmt.)
[Project phase diagram: Identify & Plan the Project; Assess & Define; Document Controls; Perform Tests; Monitor]
Project Team Organization and Training:
- Identify and organize project team
- Train project team
Internal Control Readiness Planning:
- Assess internal controls - Entity level
- Understand the bank's business and operations
- Assess internal controls - Process level
Team Leader
Monitor
- Remediate control environment (entity level)
- Develop on-going control environment assessment (entity level)
- Continuously monitor and evaluate by means of questionnaires, observation, surveys and interviews
Monitor
- Regularly schedule meetings with the steering committee to help identify and resolve issues
Ensure Consistency
Clear description of controls:
- What control is being documented
- What does the control achieve (why is it performed)
- How often does the control occur
- Who is responsible for performing it (job title)
- How is the control activity performed
- Where in the sub-process does the control occur
Control Activities Testing and Gap Remediation
- Perform initial testing of control activities: Internal Audit will assist in testing the controls
- Identify and document control testing deficiencies: all the deficiencies noted should be critically evaluated and must be documented
- Prioritize control design and testing deficiencies based on risk and cost/benefit: the steering committee will prioritize and evaluate the cost/benefit in light of the bank's objectives
- Develop a control deficiency remediation plan
Monitoring Program
The steering committee is here to stay! It will continuously monitor the controls by conducting regular and periodic questionnaires, surveys, testing, observations and meetings.
Resources
- www.coso.org
- www.theiia.org
- www.aicpa.org
- www.internalcompliance.com
- www.ey.com
- www.deloitte.com
- www.sbp.org.pk