Title: COSO implementation and the role of the compliance function: a practical case
1. COSO implementation and the role of the compliance function: a practical case
- Presented by Syed Liaquat Ali, FCA
- Chief Compliance Officer, Union Bank Limited, and Co-Chairman, Accounting & Taxation Sub-Committee, Pakistan Banks Association
2. Today's Objective
- To introduce and explain the requirements and the implementation of the COSO Framework for the evaluation of internal controls, and the role of the Compliance Function
3. Compliance Defined
- Compliance is defined as adherence to applicable legal and regulatory requirements, management policies and the internal control system, to ensure quality conduct of business.
- Compliance is a vital element of an organization's internal control system, which within itself caters for that system's effectiveness and efficiency from an independent managerial perspective.
4. Compliance and the overall control environment
- Entity-level controls: tone at the top; corporate governance (fundamental objectives of openness and disclosure); ethical values (integrity, accountability and leadership)
- Anti-fraud and anti-money-laundering
- Whistle-blowing
5. Importance of the Compliance Function
- In the aftermath of the major corporate and banking collapses, there has been a rising demand from investors for major changes in corporate risk assurance, corporate governance and audit practices.
- Boards, management and their professional services providers the world over are facing unparalleled levels of scrutiny from regulators, the investment community and the media.
- What was once business as usual is now deemed unacceptable and improper.
- In almost all jurisdictions, new regulations on corporate governance have been formulated to restore confidence.
- Hence, Compliance has become a vital function of any bank or organization.
6.
- An effective Compliance function of a bank may have the following functions:
  - Legal, regulatory and corporate matters
  - Internal control and its framework (largely to do with tone at the top as well as the overall framework)
  - Self-assessment
  - Compliance with the policies
  - AML/KYC and fraud control program
  - Whistle-blowing
  - Regulatory reporting
  - Compliance with internal audit, external audit and SBP reports
- The Chief Compliance Officer (CCO) reports directly to the CEO; the Board may have access to the CCO
- Compliance is proactive whereas audit is reactive
- Compliance is also audited
7. BSD Circular Number Seven
- Applies to ALL Banks/DFIs operating in Pakistan
- Requires the Banks/DFIs to adopt a framework that will aid in:
  - Implementing an effective internal control system
  - Evaluation of existing controls
  - Reporting on the effectiveness of internal controls around financial reporting
- Holds the BOD and management responsible for operating and maintaining an effective, efficient and appropriate system of internal controls
- Requires the external auditors to evaluate and report on the effectiveness of controls around financial reporting
8. Internal Control Defined
- Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  - Effectiveness and efficiency of operations
  - Reliability of financial reporting
  - Compliance with applicable laws and regulations
- Controls can be preventive or detective. An internal control can be thought of as anything that prevents or detects errors or omissions.
9. Limitations of Internal Controls
- Sometimes may be costly
- Management must do a cost/benefit analysis
- Provide reasonable assurance, not absolute assurance
- Minimize the instances of frauds/errors, but do not eliminate them
10. Who is responsible for Maintaining Internal Controls?
- Internal Controls are a responsibility of every individual within the organization; however, management is ultimately responsible for having effective systems of Internal Controls
- Others include:
  - Board of Directors
  - Audit Committee
  - Internal Auditors
  - External Auditors (to the extent of their work)
11. BSD Circular Seven vs. Sarbanes-Oxley: Two of a kind, in a nutshell!
- BSD Circular Seven
  - Requires management to establish and maintain effective controls over financial reporting
  - Issue a report on the effectiveness of controls, to be endorsed by the Board
  - External auditors must attest to this report
- Sarbanes-Oxley Act
  - Requires management to establish and maintain effective controls over financial reporting
  - Issue a report on the effectiveness of controls
  - External auditors must attest to this report
12. Management's Responsibilities
- Internal Controls Over Financial Reporting
- Management is responsible:
  - for the company's internal controls over financial reporting
  - for evaluating the effectiveness of the company's internal controls over financial reporting using a suitable framework
  - for supporting its evaluation with sufficient evidence, including documentation
  - for presenting a written assessment about the effectiveness of the company's internal controls over financial reporting
13. Management's Responsibilities
- ANTI-FRAUD PROGRAM
- Management should set the proper tone, create and maintain a culture of honesty and high ethical standards, and establish appropriate controls to prevent, deter and detect fraud, including:
  - Controls restraining the inappropriate use of company assets
  - The company's risk assessment process
  - Code of ethics/conduct provisions, and the monitoring of the code by management and the audit committee
  - Adequacy of the company's procedures for handling complaints and for accepting confidential submissions of concerns about questionable accounting or auditing matters
14. What is Internal Control over Financial Reporting?
- It is a process to help ensure financial statements are prepared in accordance with generally accepted accounting principles. It includes policies and procedures providing reasonable assurance that:
  - Transactions are properly recorded and reported
  - Records accurately and fairly reflect the transactions and dispositions of company assets
  - Receipts and expenditures of the company are authorized by management or the board of directors, and
  - Unauthorized acquisition, use or disposition of the company's assets are prevented or detected in a timely manner
- Adequate controls are in place to support the required financial assertions
15. What are financial statement assertions?
- Financial statement assertions have a meaningful bearing on ensuring the accounts and disclosures are fairly presented:
  - Completeness: all transactions are accounted for
  - Existence: transactions are real and recorded only once
  - Accuracy: amounts are properly calculated
  - Valuation: the valuation methodology is correct
  - Ownership: rights to assets and obligations of liabilities are recognized
  - Presentation: properly posted, summarized, categorized and disclosed
- Relevant for all accounts.
16. Selection of an Integrated Framework of Internal Controls over Financial Reporting
- Criteria for management's assessment must be based on a suitable, recognized control framework.
- COSO satisfies SOX requirements and is the most widely adopted worldwide.
- COSO stands for Committee Of Sponsoring Organizations.
- Originally formed in 1985, a voluntary private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance.
- Studied the causal factors that can lead to fraudulent financial reporting and developed recommendations for public companies and their independent auditors.
17. Internal Control Framework under COSO
- COSO defines internal control as a process to achieve the following objectives (Section 404 / BSD focus):
  - Effectiveness and efficiency of operations
  - Reliability of financial reporting
  - Compliance with applicable laws and regulations
18. COSO Control Framework Overview
[Diagram of the five COSO components, with the labels shown on the slide:]
- Control Environment: the control conscience of an organization; the tone at the top
- Risk Assessment: the evaluation of internal and external factors that impact an organization's performance
- Control Activities: the policies and procedures that help ensure that actions identified to manage risk are executed and timely
- Information and Communication: the process which ensures that relevant information is identified and communicated in a timely manner
- Monitoring: the process to determine whether internal control is adequately designed, executed, effective and adaptive
- Examples called out on the diagram: Messages from Senior Management, Delegation of Authority, Approvals, Common Processes and Systems, Information Technology Controls, Internal Audit Risk Assessment, Documented Policies and Procedures
19. Components of Internal Control under the COSO Framework
- According to the COSO framework, internal control consists of five interrelated components:
  - Control Environment
  - Risk Assessment
  - Control Activities
  - Information and Communication
  - Monitoring
20. Control Environment: Foundation of all other COSO components
- Conscience of the organization
- Sets the tone of the organization
- People's individual attributes, including integrity, ethical values, and competence
- Attitude of management
21. Risk Assessment
- Identification and analysis of relevant risks to the achievement of business objectives
- Understanding the impact risks will have on business objectives and the likelihood of risk occurrence
- Determining how risks should be managed
22. Control Activities
- Policies and procedures that help to ensure that actions identified to manage risks are executed and performed in a timely manner
- The controls below are used to manage risks to reasonable levels:
  - Approvals, authorizations & verifications
  - Reconciliations
  - Performance reviews
  - Security of assets
  - Segregation of duties
  - Controls over information systems
23. Information & Communication
- Enables people to capture and exchange the information needed to conduct, manage, and control operations
- Employee duties & responsibilities continuously communicated
- Communication across the organization should be fluid, both up and down as well as laterally across the organization
- Open channels of communication with customers, suppliers and other external parties
24. Monitoring
- Determines whether the internal control system is adequately designed, executed, effective & adaptive
- Assesses the quality of the system's performance over time
25. Company-Level Controls
- Company-Level Controls have a pervasive effect on the organization. They include:
  - Effective oversight by the board and audit committee
  - Management tone at the top
  - Corporate governance policies
  - Employment and compensation practices
  - Expenditure authority limits
  - General IT controls
  - Security of facilities and other assets
  - Business continuity plan
  - Monitoring operating performance
  - Monitoring of controls, including activities of the Internal Audit function and self-assessment programs
26. Process-Level Controls
- Process-Level Controls are more specific to the processes/applications/transactions which generate information included in financial reporting. Significant processes include:
  - Sales (order fulfillment, billing, cash receipts)
  - Procurement (purchasing, A/P, cash disbursements)
  - Inventory Management (RM, WIP, FG)
  - Fixed Asset Management (projects, CWIP, FA)
  - Compensation (payroll processing)
  - Treasury (cash, investment and debt management)
  - Tax Compliance (income, property, sales tax)
  - Financial Reporting (closing, consolidation, financial statements)
  - Information Processing (access, backup, change management)
32. Phase One: Plan the Project
[Phase diagram: Plan the Project > Assess & Define > Identify & Document Controls > Perform Tests & Remediate > Monitor]
- Project Team Organization and Training
  - Identify and organize the project team
  - Train the project team
- Internal Control Readiness Planning
  - Assess internal controls: entity level
  - Understand the bank's business and operations
  - Assess internal controls: process level
33. Project Team Organization
[Organization chart:]
- Board/Audit Committee
- Team Leader
- Steering Committee (CEO, CFO, CCO, HO IT, HO A, HO O)
- Internal Control Implementation Team (departmental heads and private consultants)
34. Phase Two: Assess and Define
- Control Environment Assessment (conducted by the steering committee)
  - Assess existing controls
  - Survey, observation, questionnaire, re-performance, confirmation
  - Remediate the control environment (entity level)
  - Develop an on-going control environment assessment (entity level)
  - Continuously monitor and evaluate by means of questionnaires, observation, surveys and interviews
35. Phase Three: Identify and Document Controls
- Involve the Implementation Team in identifying and documenting controls
- Use workshops to gather information regarding current processes and systems; focus each workshop on one process
- Gain participation from all relevant parties
- Include subject matter experts (i.e. department heads, external auditors, private consultants)
- Process flowcharts, narratives and control matrices
- Regularly schedule meetings with the steering committee to help identify and resolve issues
36. Identify and Document Controls (continued)
- Ensure consistency
- Clear description of controls:
  - What control is being documented
  - What the control achieves (why it is performed)
  - How often the control occurs
  - Who is responsible for performing it (job title)
  - How the control activity is performed
  - Where in the sub-process the control occurs
37. Phase Four: Test and Remediate
- Control Activities Testing and Gap Remediation
  - Perform initial testing of control activities
  - Internal Audit will assist in testing the controls
  - Identify and document control testing deficiencies
  - All the deficiencies noted should be critically evaluated and must be documented
  - Prioritize control design and testing deficiencies based on risk and cost/benefit
  - The steering committee will prioritize and evaluate the cost/benefit in light of the bank's objectives
  - Develop a control deficiency remediation plan
38. Phase Five: Monitor
- Monitoring Program
  - The steering committee is here to stay!
  - They will continuously monitor the controls by conducting regular and periodic questionnaires, surveys, testing, observations and meetings
39. Resources
- www.coso.org
- www.theiia.org
- www.aicpa.org
- www.internalcompliance.com
- www.ey.com
- www.deloitte.com
- www.sbp.org.pk