COSO implementation and the role of compliance function : a practical case - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
COSO implementation and the role of compliance
function: a practical case
  • Presented by Syed Liaquat Ali, FCA
  • Chief Compliance Officer, Union Bank Limited and
    Co-Chairman, Accounting and Taxation Sub-Committee,
    Pakistan Banks Association

2
Today's Objective
  • To introduce and explain the requirements and the
    implementation of the COSO Framework for the
    evaluation of internal controls, and the role of
    the Compliance Function

3
Compliance Defined
  • Compliance is defined as adherence to
    applicable legal and regulatory requirements,
    management policies and the internal control system
    to ensure quality conduct of business.
  • Compliance is a vital element of an
    organization's internal control system, which
    within itself caters for that system's
    effectiveness and efficiency from an independent
    managerial perspective.

4
Compliance and overall control environment
  • Entity-level controls: tone at the top; corporate
    governance: fundamental objectives of openness
    and disclosure; ethical values: integrity,
    accountability, and leadership
  • Anti-fraud and anti-money laundering
  • Whistle-blowing

5
Importance of Compliance Function
  • In the aftermath of the major corporate and
    banking collapses, there has been a rising demand
    from investors for major changes in
    corporate risk assurance, corporate governance
    and audit practices.
  • Boards, management and their professional
    services providers the world over are facing
    unparalleled levels of scrutiny from regulators,
    the investment community and the media.
  • What was once business as usual is now deemed
    unacceptable and improper.
  • In almost all jurisdictions, new regulations on
    corporate governance have been formulated to
    restore confidence.
  • Hence, Compliance has become a vital function of any
    Bank/Organization

6
  • An effective Compliance function of a Bank may
    have the following functions
  • Legal, regulatory and corporate matters
  • Internal control and its framework, largely to do
    with tone at the top as well as the overall
    framework
  • Self-assessment
  • Compliance with the policies
  • AML/KYC and fraud control program
  • Whistle-blowing
  • Regulatory reporting
  • Compliance with internal and external auditors' and SBP
    reports
  • The Chief Compliance Officer (CCO) reports directly
    to the CEO; the Board may have access to the CCO
  • Compliance is proactive, whereas audit is
    reactive
  • Compliance is also audited

7
BSD Circular Number Seven
  • Applies to ALL Banks/DFIs operating in Pakistan
  • Requires the Banks/DFIs to adopt a framework that
    will aid in
  • Implementing an effective internal control system
  • Evaluating existing controls
  • Reporting on the effectiveness of internal
    controls around financial reporting
  • Holds the BOD and management responsible for
    operating and maintaining an effective, efficient
    and appropriate system of internal controls
  • Requires the external auditors to evaluate and
    report on the effectiveness of controls around
    financial reporting

8
Internal Control Defined
  • Internal control is broadly defined as a process,
    effected by an entity's board of directors,
    management and other personnel designed to
    provide reasonable assurance regarding the
    achievement of objectives in the following
    categories
  • Effectiveness and efficiency of operations.
  • Reliability of financial reporting.
  • Compliance with applicable laws and regulations
  • Controls can be preventive or detective. An
    internal control can be thought of as anything
    that prevents or detects errors or omissions.

9
Limitations of Internal Controls
  • May sometimes be costly
  • Management must do a cost/benefit analysis
  • Provide reasonable assurance, not absolute
    assurance
  • Minimize the instances of fraud/errors, not
    eliminate them

10
Who is responsible for Maintaining Internal
Controls?
  • Internal Controls are a responsibility of every
    individual within the organization; however,
    management is ultimately responsible for having
    effective systems of Internal Controls
  • Others include
  • Board of Directors
  • Audit Committee
  • Internal Auditors
  • External Auditors, to the extent of their work

11
BSD Circular Seven vs. Sarbanes-Oxley: two of the
same, in a nutshell!
  • BSD Circular Seven
  • Requires management to establish and maintain
    effective controls over financial reporting
  • Issue a report on the effectiveness of controls,
    to be endorsed by the Board.
  • External auditors must attest to this report
  • Sarbanes-Oxley Act
  • Requires management to establish and maintain
    effective controls over financial reporting
  • Issue a report on the effectiveness of controls
  • External auditors must attest to this report

12
Management's Responsibilities
  • Internal Controls Over Financial Reporting:
    Management is responsible
  • for the company's internal controls over
    financial reporting
  • for evaluating the effectiveness of the
    company's internal controls over financial
    reporting using a suitable framework
  • for supporting its evaluation with sufficient
    evidence, including documentation
  • for presenting a written assessment about the
    effectiveness of the company's internal controls
    over financial reporting.

13
Management's responsibilities
  • ANTI-FRAUD PROGRAM
  • Management should set the proper tone, create and
    maintain a culture of honesty and high ethical
    standards, and establish appropriate controls to
    prevent, deter, and detect fraud, including
  • Controls restraining the inappropriate use of
    company assets
  • The company's risk assessment process
  • Code of ethics/conduct provisions, and the
    monitoring of the code by management and the
    audit committee
  • Adequacy of the company's procedures for handling
    complaints and for accepting confidential
    submissions of concerns about questionable
    accounting or auditing matters.

14
What is Internal Control over financial reporting?
  • It is a process to help ensure financial
    statements are prepared in accordance with
    generally accepted accounting principles. It
    includes policies and procedures providing
    reasonable assurance that
  • Transactions are properly recorded and reported
  • Records accurately and fairly reflect the
    transactions and dispositions of company assets
  • Receipts and expenditures of the company are
    authorized by management or the board of
    directors, and
  • Unauthorized acquisition, use or disposition of
    the company's assets is prevented or detected in
    a timely manner
  • Adequate controls are in place to support the
    required financial assertions

15
What are financial statement assertions?
  • Financial statement assertions have a meaningful
    bearing on ensuring the accounts and disclosures
    are fairly presented
  • Completeness: All transactions are accounted for
  • Existence: Transactions are real and recorded
    only once
  • Accuracy: Amounts are properly calculated
  • Valuation: Valuation methodology is correct
  • Ownership: Rights to assets and obligations of
    liabilities are recognized
  • Presentation: Properly posted, summarized,
    categorized and disclosed
  • Relevant for all accounts.

16
Selection of Integrated Framework of Internal
Controls over Financial Reporting
  • Criteria for management's assessment must be
    based on a suitable, recognized control
    framework.
  • COSO satisfies SOX requirements and is the most
    widely adopted worldwide
  • COSO stands for Committee Of Sponsoring
    Organizations.
  • Originally formed in 1985 as a voluntary
    private-sector organization dedicated to
    improving the quality of financial reporting
    through business ethics, effective internal
    controls, and corporate governance.
  • Studied the causal factors that can lead to
    fraudulent financial reporting and developed
    recommendations for public companies and their
    independent auditors.

17
Internal Control Framework under COSO
  • COSO defines internal control as a process to
    achieve the following objectives (Section 404 /
    BSD focus).
  • Effectiveness and efficiency of operations.
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations

18
COSO Control Framework Overview
Monitoring: the process to determine whether internal
control is adequately designed, executed,
effective and adaptive
  • Management Analysis
  • Disclosure Committee
  • Internal Audits

Information and Communication: the process which ensures
that relevant information is identified and communicated
in a timely manner

Control Activities: the policies and procedures that help
ensure that actions identified to manage risk are
executed in a timely manner
  • Messages from Senior Management
  • Policies and Procedures
  • Delegation of Authority
  • Approvals
  • Training
  • Code of Ethics
  • Common Processes and Systems
  • Segregation of Duties
  • Account Reconciliations

Risk Assessment: the evaluation of internal and external
factors that impact an organization's performance
  • Information Technology Controls

Control Environment: the control conscience of an
organization. The tone at the top
  • Business Risk Management
  • Process Risk Management
  • Code of Ethics
  • Internal Audit Risk Assessment
  • Documented Policies and Procedures
  • Cultural Assessment

19
Components of Internal Control Under COSO
Framework
  • According to the COSO framework, Internal control
    consists of five interrelated components
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring

20
Control Environment: Foundation of all other COSO
components
  • Conscience of the organization
  • Sets the tone of the organization
  • People's individual attributes, including
    integrity, ethical values, and competence
  • Attitude of management

21
Risk Assessment
  • Identification and analysis of relevant risks to
    the achievement of business objectives
  • Understanding the impact risks will have on
    business objectives and the likelihood of risk
    occurrence
  • Determining how risks should be managed

22
Control Activities
  • Policies and procedures that help to ensure that
    actions identified to manage risks are executed
    and performed in a timely manner
  • The controls below are used to manage risks to
    reasonable levels
  • Approvals, Authorizations, Verifications
  • Reconciliations
  • Performance reviews
  • Security of Assets
  • Segregation of duties
  • Controls over information systems

23
Information and Communication
  • Enables people to capture and exchange the
    information needed to conduct, manage, and
    control operations
  • Employee duties and responsibilities are continuously
    communicated
  • Communication across the organization should be
    fluid, both up and down as well as laterally across
    the organization
  • Open channels of communication with customers,
    suppliers and other external parties

24
Monitoring
  • Determines whether the internal control system is
    adequately designed, executed, effective and
    adaptive
  • Assesses the quality of the system's performance
    over time

25
Company-Level Controls
  • Company-Level Controls have a pervasive effect on
    the organization. They include
  • Effective oversight by board and audit committee
  • Management tone at the top
  • Corporate governance policies
  • Employment and compensation practices
  • Expenditure authority limits
  • General IT controls
  • Security of facilities and other assets
  • Business continuity plan
  • Monitoring operating performance
  • Monitoring of controls, including activities of
    the Internal Audit function and self-assessment
    programs

26
Process-Level Controls
  • Process-Level Controls are more specific to
    processes/applications/transactions which
    generate information included in financial
    reporting. Significant processes include
  • Sales (order fulfillment, billing, cash receipts)
  • Procurement (purchasing, A/P, cash disbursements)
  • Inventory Management (RM, WIP, FG)
  • Fixed Asset Management (projects, CWIP, FA)
  • Compensation (payroll processing)
  • Treasury (cash, investment and debt management)
  • Tax Compliance (income, property, sales tax)
  • Financial Reporting (closing, consolidation,
    financial statements)
  • Information Processing (access, backup, change
    mgmt.)

32
Phase One: Plan the Project
(Project phases: Plan the Project; Assess and Define;
Identify and Document Controls; Perform Tests and
Remediate; Monitor)
  • Project Team Organization and Training
  • Identify and organize the project team
  • Train the project team
  • Internal Control Readiness Planning
  • Assess internal controls: entity level
  • Understand the bank's business and operations
  • Assess internal controls: process level

33
Project Team Organization
  • Board/Audit Committee
  • Team Leader
  • Steering Committee (CEO, CFO, CCO, HO IT, HO A,
    HO O)
  • Internal Control Implementation Team
    (departmental heads and private consultants)
34
Phase Two: Assess and Define
  • Control Environment Assessment (conducted by the
    steering committee)
  • Assess existing controls
  • Survey, observation, questionnaire,
    re-performance, confirmation
  • Remediate the control environment (entity level)
  • Develop an on-going control environment assessment
    (entity level)
  • Continuously monitor and evaluate by means of
    questionnaires, observation, surveys and interviews

35
Phase Three: Identify and Document Controls
  • Involve the Implementation Team in identifying
    and documenting controls
  • Use workshops to gather information regarding
    current processes and systems; focus each workshop on
    one process
  • Gain participation from all relevant parties
  • Include subject matter experts (e.g. department
    heads, external auditors, private consultants)
  • Process flowcharts, narratives and control
    matrices
  • Regularly schedule meetings with the steering
    committee to help identify and resolve issues

36
Identify and Document Controls (continued)
  • Ensure consistency
  • Clear description of controls
  • What control is being documented
  • What the control achieves (why it is
    performed)
  • How often the control occurs
  • Who is responsible for performing it (job title)
  • How the control activity is performed
  • Where in the sub-process the control occurs

37
Phase Four: Test and Remediate
  • Control Activities Testing and Gap Remediation
  • Perform initial testing of control activities
  • Internal Audit will assist in testing the
    controls
  • Identify and document control testing
    deficiencies
  • All the deficiencies noted should be critically
    evaluated and must be documented
  • Prioritize control design and testing
    deficiencies based on risk and cost/benefit
  • The steering committee will prioritize and
    evaluate the cost/benefit in light of the bank's
    objectives
  • Develop a control deficiency remediation plan

38
Phase Five: Monitor
  • Monitoring Program
  • The steering committee is here to stay!
  • They will continuously monitor the controls by
    conducting regular and periodic questionnaires,
    surveys, testing, observations and meetings

39
Resources
  • www.coso.org
  • www.theiia.org
  • www.aicpa.org
  • www.internalcompliance.com
  • www.ey.com
  • www.deloitte.com
  • www.sbp.org.pk