Govt. Titumir College Term Paper On "Application of Controlling Process in Banking Sector in Bd. " Prepared By Supervised by Name: Md. Golap Mia Rita Khandoker Roll:181 Year: BBA (2nd year) Lecturer Session: 2011-12 Department of Management NU Roll No: 9613648 Govt.

Titumir College Department of Management Dhaka. Govt. Titumir College, Dhaka. Date of Preparation: 26. 01. 2012 Letter of Transmittal To Lecturer Department of Management Govt. Titumir College, Dhaka. Sub: Letter of transmittal. Dear Sir. I would like to draw your kind attention that we are submitting our report about the topic of “Application of Controlling Process in Banking Sector in Bd. ” We have tried our best to prepare this report which will fulfill our requirement.

We believe all these new ideas from this “Term Paper” will help us in our future practical life. We will be highly grateful to your honor if you would kindly accept our “Term Paper” and obliged thereby. Thanking you Name: Golap Mia Year: BBA (2nd year) Session: 2011-12 NU Roll No: 9613648 Department of Management Govt. Titumir College,Dhaka. Table of contents and counts: ChapterTopic namePage count 1 Introduction4 2Conceptual issues5-6 3Database7 4Findings of study8-24 5Conclusion& recommendations25-27 1. Internal Control Policy 1. 1) Overview Banking has a diversified and complex financial activity which is no longer limited within the geographic boundary of a country. Since its activity involves high risk, the issue of effective internal controls system, corporate governance, transparency, Accountability has become significant issues to ensure smooth performance of the banking industry throughout the world. In many banks internal control is identified With internal audit; the scope of internal control is not limited to audit work.

It is an Integral part of the daily activity of a bank, which on its own merit identifies the risks associated with the process and adopts a measure to mitigate the same. Internal Audit on the other hand is a part of Internal Control system which reinforces the control system through regular review. According to an IMF publication Internal Control refers to the mechanism in place on a permanent basis to control the activities in an organization, both at a central and at a departmental divisional level.

A key component of effective internal control is the operation of a solid accounting and information system. In Bangladesh analysis on the performances of the banks has pointed out that an effective internal control system could have contributed significantly in improving the performance of the Commercial banks if the control culture is brought in through policy guidelines and structural changes at these banks and procedural controls. (1. 2) Objective of Internal Control

The primary objective of internal control system in a bank is to help the bank perform better through the use of its resources. Through internal control system bank identifies its weaknesses and takes appropriate measures to overcome the same. The main objectives of internal control are as follows: • Efficiency and effectiveness of activities (performance objectives). • Reliability, completeness and timelines of financial and management information (information objectives) • Compliance with applicable laws and regulations (compliance objectives) .

Accountability to the Board. (2) STANDARDS OF INTERNAL CONTROL Internal control policies set forth some standards that departments must establish and incorporate in an internal control structure: (I)Cover all activities: All financial institutions should develop internal controls which have coverage over all their functions, in general, and the key risk areas (KRA) in particular. Key Risk Areas include those core activities, the break down of which may render a financial institutions unable to meet its obligations; to its customers, regulators and the sponsors.

Further, the risk originating from such activities is of the type that it may cause in systemic failure of other financial institutions. Examples of key risk areas are Liquidity Risk, Interest Rate Risk, Foreign Exchange Risk, Credit Risk, Operational Risk, etc. (II) Regular Feature: Control activities should be an integral part of the daily activities of a financial institutions / DFI in such a manner that it becomes ingrained in their ongoing processes rather than a year-end “fire drill” to satisfy documentation requests from auditors and supervisors. III) Separation of Duties: Duties should be divided so that no one person has complete control over a key function or activity. (IV) Authorization and Approval: All transactions should be authorized before recording and execution. (V) Custodial and Security Arrangements: Responsibility for custody of assets needs to be separated from the related record keeping. (VI) Review and Reconciliation: Records should be examined and reconciled to regularly determine that transactions are properly processed, approved and booked. VII) Physical Controls: Equipment, inventories, cash and other assets should be secured physically, counted periodically and compared with amounts shown on control records. (VIII) Training and Supervision: Qualified, well-trained and supervised employees always help ensure that control processes function properly. (IX) Documentation: Documented policies and procedures promote employee understanding of duties and help ensure continuity during employee absences or turnover. Therefore, policies and procedures (in the form of operations manuals and desk instructions) should exist in all financial institutions / DFI. X) Communication of importance of Internal Controls: Setting standards of professional integrity and work ethics and ensuring that all levels of personnel in their organization know the importance of internal controls and understand their role in the internal controls process and be fully engaged in the process. (XI) Cost/Benefit: It is for the financial institutions to assess the costs associated with control processes commensurate with the expected benefits. The controlling process data are collected in a standardized way.

To start, the controlling process team, with academic advisers, designs a questionnaire. The questionnaire uses a simple control case to ensure comparability across economies and over time—with assumptions about the legal form of the control, its size, its location and the nature of its operations. Questionnaires are administered through more than 28 local experts, including lawyers, banker, business consultants, accountants, freight forwarders, government officials and other professionals routinely administering or advising on legal and regulatory requirements.

These experts have several rounds of interaction with the controlling process team, involving conference calls, written correspondence and visits by the team. For Controlling process 2012 team members visited 4 economies to verify data and recruit respondents. The data from questionnaires are subjected to numerous rounds of verification, leading to revisions or expansions of the information collected. It is not a statistical survey, and the texts of the relevant laws and regulations are collected and answers checked for accuracy. The methodology is inexpensive and easily replicable, so data can be collected in a large sample of economies.

Because standard assumptions are used in the data collection, comparisons and benchmarks are valid across economies. Finally, the data not only highlight the extent of specific regulatory obstacles to business but also identify their source and point to what might be reformed. Limits to what is measured The Controlling process methodology has 5 limitations that should be considered when interpreting the data. First, the collected data refer to businesses in the economy’s largest business city and may not be representative of regulation in other parts of the economy. To address this limitation, sub national

Controlling process indicators were created (see the section on sub national controlling process indicators). Second, the data often focus on a specific business form—generally a commercial bank (or its legal equivalent) of a specified size—and may not be representative of the regulation on other businesses, for example, Islami Bank Third, transactions described in a standardized case scenario refer to a specific set of issues and may not represent the full set of issues a banking encounters. Fourth, the measures of time involve an element of judgment by the expert respondents.

When sources indicate different estimates, the time indicators reported in Controlling process represent the median values of several responses given under the assumptions of the standardized case. Finally, the methodology assumes that a business has full information on what is required and does not waste time when completing procedures. In practice, completing a procedure may take longer if the business lacks information or is unable to follow up promptly. ELEMENTS OF A SOUND SYSTEM OF INTERNAL CONTROLS AND THE PRINCIPLES FOR ASSESSING THE SYSTEM (A)Elements of Internal Controls

An effective internal control system consists of following interrelated components: 4. 1. Management oversight & Control environment; 4. 2. Risk assessment & management ; 4. 3. Control activities & segregation of duties; 4. 4. Accounting, information & communication; and 4. 5. Self assessment & monitoring 4. 1 Control Environment: The environment in which internal control operates has an impact on the effectiveness of the control procedures. In fact it is institution’s control environment which embodies the principles of strong internal control. Besides giving structure to the internal control system, it provides iscipline and protocol. The success of control environment is judged according to the integrity, ethics, and competence of personnel; the organizational structure of the institution; oversight by the board of directors and senior management; management’s philosophy and operating style; attention and direction provided by the board of directors and its committees, especially the audit and risk management committees; personnel policies and practices and; external influences affecting operations and practices. In order for internal controls to be effective, an appropriate control environment should demonstrate following behaviors:

Board of directors reviews policies and procedures periodically and ensures their compliance; Board of directors determines whether there is an audit and control system in place to periodically test and monitor compliance with internal control policies/procedures and to report to the board instances of noncompliance; Board of directors ensure independence of internal and external auditors such that internal audit directly reports to the audit committee of the board which is responsible to the board and that external auditor interacts with the said committee and presents management letter to the board directly; Board ensures that appropriate remedial action has been taken when instance of noncompliance are reported and that system has been improved to avoid recurring errors/mistakes; Management information systems provides adequate information to the board and that the board can have access to financial institutions records, if need arises; Board and management ensure communication of conduct or ethics policies and compliance thereof down the line within the organization; In short, a strong control environment and an effective internal audit function, can significantly complement specific control procedures.

However, constitution of internal control environment at a point-of-time does not, by itself, ensure the effectiveness of the overall system of internal control but it is the continuous supervision by management to ensure if it is functioning as prescribed and is modified as appropriate. Many internal control failures that resulted in significant losses for financial institutions could have been substantially lessened or even avoided if the board and senior management of the organizations had established strong control cultures. Weak control cultures often had two common elements: First, senior management failed to emphasis the importance of a strong system of internal control through their words and actions, and most importantly, through the criteria used to determine compensation and promotion.

Second, senior management failed to ensure that the organizational structure and managerial accountabilities were well-defined. For example, senior management failed to require adequate supervision of key decision makers and reporting of the nature and conduct of business activities in a timely manner. Senior management may weaken the control culture by promoting and rewarding managers who are successful in generating profits but fail to implement internal control policies or address problems identified by internal audit. Such actions send a message to others in the organization that internal control is considered secondary to other goals in the organization, and thus diminish the commitment to and quality of the control culture. 4. 2 Risk assessment and management:

Every financial institutions activity involves some kind of risk and this creates a compulsion for the financial institutions that, as part of an internal control system, these risks are being identified, assessed and mitigated. From an internal control perspective, risk assessment involves; identification and evaluation of factors, both internal and external, that could adversely affect performance, information and compliance objectives of a financial institutions. Internal factors include: complexity, nature and size of operations; quality of personnel and employee turnover; objectives and goals, etc. External factors include: fluctuating economic conditions, changes in the industry and technological advances, degree of aggressiveness of the market and competition faced by the market participants, etc.

It may be noted that it differs from the risk management process, which typically focuses more on the review of business strategies and plans developed to maximize the risk/reward trade-off within the different areas of the financial institutions. This risk identification should be done across the full spectrum of activities addressing both measurable and non-measurable aspects of risks. Second part of risk assessment – evaluation is done to determine which risks are controllable by the financial institutions and which are not. For those risks that are controllable, the financial institutions must assess whether to accept those risks or the extent to which it wishes to mitigate the risks through control procedures.

For those risks that cannot be controlled, the financial institutions must decide, for the present, whether to these risks or to withdraw from or reduce the level of business activity concerned. But for the future, internal controls may need to be revised to appropriately address any new or previously uncontrolled risks. An effective risk assessment system allows the board and the management to plan for and respond to existing and emerging risks in the financial institutions activities. For that matter, such a system needs to demonstrate following: Board and management involve audit personnel or other internal control experts in the risk assessment and risk evaluation process.

Those experts should be competent, knowledgeable, and provided with adequate resources. As the risks mutate with time and with changing circumstances, the board and the management, with due involvement of audit personnel, should appropriately evaluate the risks and consider control issues related to existing products and those relevant to new products and activities. Risk coverage in the form of insurance (that is risk transfer) or provisioning (contingency fund) in relation to the financial institutions risk profile is adequate. In the recent past, inadequate risk assessment has contributed to some organizations’ internal control problems and related losses.

In some cases, the potential high yields associated with certain loans, investments, and derivative instruments distracted management from the need to thoroughly assess the risks associated with the transactions and devote sufficient resources to the continual monitoring and review of risk exposures. Losses have also been caused when management has failed to update the risk assessment process as the organization’s operating environment changed. For example, as more complex or sophisticated products within a business line are developed, internal controls may not be enhanced to address the more complex products. A second example involves entry into a new business activity without a full, objective assessment of the risks involved.

Without this reassessment of risks, the system of internal control may not appropriately address the risks in the new business. 4. 3 Instituting Controls: Control activities are designed and implemented to address the risk that the financial institutions identified through the risk assessment process as described above. Control activities involve: (a) establishment of control policies and procedures, (b) verification that the control policies and procedures are being complied with. It is desired that control activities should involve all levels of personnel in the financial institutions, including senior management as well as front line personnel. Instituting an appropriate controls structure ensures the efficacy of an internal control system. This process involves:

Existence and compliance of policies and procedures ensuring that decisions are made with appropriate approvals and authorizations for transactions and activities while assuring that exceptions to the policies are minimal and reported to the board and the top management; Timely reconciliation of accounts so that outstanding items, both on-and of balance-sheet, are resolved and cleared; Segregation of duties, existence of cross-checks, more-than-one-person authorization, dual controls, joint custody of keys, safeguards for access to and use of sensitive assets and records and forced leave policies, employees rotation systems are functioning in sensitive positions or risk-taking activities so that concerned employees do not have absolute control over areas; Building of such reporting lines within a business or functional area that independence of the control function is ensured; Accountability mechanism for the actions taken by the personnel as per their responsibilities and uthorities; Structure and functioning of compliance framework through which the board and senior management establishes that compliance with applicable laws and regulations is ensured. In short, top level reviews; appropriate activity controls for different departments or divisions; physical controls; checking for compliance with exposure limits and follow-up on noncompliance; a system of approvals and authorizations; and, a system of verification and reconciliation are major constituents of the control activities. 4. 4 Accounting Information and Communication Systems An institution’s accounting, information, and communication systems ensure that risk-taking activities are within policy guidelines and that the systems are adequately tested and reviewed.

For this the following is important to note; Effective internal control system requires that there is an effective reporting system of information that is relevant to decision making. The information should be reliable, timely accessible and provided in a consistent format. Information would have to include external market information about events and conditions that are relevant to decision making. Internal information include financial, operational and compliance data. There, should be appropriate committees within the organization which would evaluate data received through various information systems. This will ensure supply of correct and accurate information to the management.

Internal information must cover all significant activities of the financial institutions. These systems including those that hold and use data in electronic form must be secure, monitored independently and supported by contingency arrangements. Most importantly the channels of communication must ensure that all s fully understand and adhere to policies and procedures effecting their duties and responsibilities and that other relevant information is reaching the appropriate personnel. An accounting system is adequate if it properly identifies, assembles, analyzes, classifies, records, and reports the institution’s transactions in accordance with prescribed formats and international best practices.

The adequacy of information systems is determined by the type, number, and depth of reports it generates for operational, financial, managerial, and compliance-related activities and the access and authorization to information systems. An ideal information system covers the full range of its activities in such a manner that information remains understandable and useful for audit trail. Adequate information and effective communication are essential to the proper functioning of a system of internal control. From the financial institutions perspective, in order for information to be useful, it must be relevant, reliable, timely, accessible, and provided in a consistent format.

Information includes internal financial, operational and compliance data, as well as external market information about events and conditions that are relevant to decision making. Internal information is part of a record-keeping process that should include established procedures for record retention. On the one hand, the adequacy of communication systems is established by the fact that it imparts significant information throughout the institution (from the top down and from the bottom up, and laterally), ensuring that personnel understand whatever has been communicated and on the other hand, communication system should ensure that significant information is imparted to external parties such as regulators, shareholders, and customers. Without effective communication, information is useless.

Senior management of financial institutions needs to establish effective paths of communication in order to ensure that the necessary information is reaching the appropriate people. This information relates both to the operational policies and procedures of the financial institutions as well as information regarding the actual operational performance of the organization. The organizational structure of the financial institutions should facilitate a complete flow of information - upward, downward and across the organization. A structure that facilitates this flow ensures that information flows upward so that the board of directors and senior management are aware of the business risks and the operating performance of the financial institutions.

Information flowing down through an organization ensures that the financial institutions objectives, strategies, and expectations, as well as its established policies and procedures, are communicated to lower level management and operations personnel. This communication is essential to achieve a unified effort by all financial institutions employees to meet the financial institutions objectives. Finally, communication across the organization is necessary to ensure that information that one division or department knows can be shared with other affected divisions or departments. 4. 5 Self-Assessment and Monitoring: An integral component of internal control system is self-assessment and monitoring which includes: Board and senior management oversight of the internal control, control reviews, and audit findings.

Before starting full scale control review, the board and senior management should give their approval of the overall scope of the control review activities (e. g. , audit, loan review, etc. ). Frequent and comprehensive reporting of deviations to the board or board committee and senior management regarding sufficiency of details and timely presentation to allow for resolution and appropriate action. Adequate documentation of management responses to audit or other control review findings so that it can be tracked for adequate follow-up. Board or board committee or senior management review of the qualifications and independence of the personnel evaluating controls (e. g. , external auditors, internal auditors, or line managers). Financial institutions is a dynamic, rapidly evolving industry.

Financial institutions must continually monitor and evaluate their internal control systems in light of changing internal and external conditions, and must enhance these systems as necessary to maintain their effectiveness. Monitoring the effectiveness of internal controls should be part of the daily operations of the financial institutions but also include separate periodic evaluations of the overall internal control process. The frequency of monitoring different activities of a financial institution should be determined by considering the risks involved and the frequency and nature of changes occurring in the operating environment. Ongoing monitoring activities can offer the advantage of quickly detecting and correcting deficiencies in the system of internal control.

Such monitoring is most effective when the system of internal control is integrated into the operating environment and produces regular reports for review. Examples of ongoing monitoring include the review and approval of journal entries, and management review and approval of exception reports. (B) CONTROL PRINCIPLES So far we have discussed about the elements of a sound internal control. Now the question is how to assess the internal controls of a particular organization The following principles related to the basic elements of control should be borne in mind while assessing internal control: A. Management Oversight and Control Environment Principle 1:

The board of directors should have responsibility for approving and periodically reviewing the overall business strategies and significant policies of the financial institutions; understanding the major risks run by the financial institutions, setting acceptable levels for these risks and ensuring that senior management takes the steps necessary to identify, measure, monitor and control these risks; approving the organizational structure; and ensuring that senior management is monitoring the effectiveness of the internal control system. The board of directors is ultimately responsible for ensuring that an adequate and effective system of internal controls is established and maintained. Principle 2:

Senior management should have responsibility for implementing strategies and policies approved by the board; developing processes that identify, measure, monitor and control risks incurred by the financial institutions; maintaining an organizational Structured that clearly assigns responsibility, authority and reporting relationships; ensuring that delegated responsibilities are effectively carried out; setting appropriate internal control policies; and monitoring the adequacy and effectiveness of the internal control system. Principle 3: The board of directors and senior management are responsible for promoting high ethical and integrity standards, and for establishing a culture within the organization that emphasizes and demonstrates to all levels of personnel the importance of internal controls. All personnel at a financial institution sing organization need to understand their role in the internal controls process and be fully engaged in the process. B) Risk Recognition and Assessment Principle 4:

An effective internal control system requires that the material risks that could adversely affect the achievement of the financial institutions goals are being recognized and continually assessed. This assessment should cover all risks facing the financial institutions (that is, credit risk, country and transfer risk, market risk, interest rate risk, liquidity risk, operational risk, legal risk and reputation risk). Internal controls may need to be revised to appropriately address any new or previously uncontrolled risks. C) Control Activities and Segregation of Duties Principle 5: Control activities should be an integral part of the daily activities of a financial institution. An effective internal control system requires that an appropriate control structure be set up, with control activities defined at every business level.

These should include: top level reviews; appropriate activity controls for different departments or divisions; physical controls; checking for compliance with exposure limits and follow-up on non-compliance; a system of approvals and authorizations; and, a system of verification and reconciliation. BIS Framework for Internal Control Systems in Financial institutions. Principle 6: An effective internal control system requires that there is appropriate segregation of duties and that personnel are not assigned conflicting responsibilities. Areas of potential conflicts of interest should be identified, minimized, and subject to careful, independent monitoring. D) Information and communication Principle: 7

An effective internal control system requires that there are adequate and comprehensive internal financial, operational and compliance data, as well as external market information about events and conditions that are relevant to decision making. Information should be reliable, timely, accessible, and provided in a consistent format. Principle 8: An effective internal control system requires that there are reliable information systems in place that cover all significant activities of the financial institutions. These systems, including those that hold and use data in an electronic form, must be secure, monitored independently and supported by adequate contingency arrangements. Principle 9:

An effective internal control system requires effective channels of communication to ensure that all staff fully understand and adhere to policies and procedures affecting their duties and responsibilities and that other relevant information is reaching the appropriate personnel. (E) Monitoring Activities and Correcting Deficiencies Principle 10: The overall effectiveness of the financial institutions internal controls should be monitored on an ongoing basis. Monitoring of key risks should be part of the daily activities of the financial institutions as well as periodic evaluations by the business lines and internal audit. Principle 11: There should be an effective and comprehensive internal audit of the internal control system carried out by operationally independent, appropriately trained and competent staff.

The internal audit function, as part of the monitoring of the system of internal controls, should report directly to the board of directors or its audit committee, and to senior management. Principle 12: Internal control deficiencies, whether identified by business line, internal audit, or other control personnel, should be reported in a timely manner to the appropriate management level and addressed promptly. Material internal control deficiencies should be reported to senior management and the board of directors. RESPONSIBILITIES OF THE PARTIES TO INTERNAL CONTROL The board of directors, senior management and other personnel of financial institutions are responsible for establishing, maintaining, and operating an appropriate internal control system on an ongoing basis. Board of Directors:

The Board of Directors of all financial institutions is responsible for ensuring that an adequate and effective internal control system exists in their organization and that the senior management is maintaining and monitoring the performance of that system. Moreover, Board should periodically review the internal control systems and the significant findings. From the above it can be said that: The overall responsibility of setting acceptable level of risk, ensuring that the senior management committee take necessary steps to identify , measure , monitor and control these risks, establishing broad business strategy, significant policies and understanding significant risks of the company rests with the Board of Directors.

Through the establishment of an 'Audit Committee' of the Board and ‘Internal Control Department’ the Board of Directors can monitor the effectiveness of internal control system. The internal as well as external audit reports will be sent to the board without any intervention of the management and ensure that the management takes timely and necessary actions as per the recommendations. The Board should have periodic review meetings with the senior management to discuss the effectiveness of the internal control system of the company and ensure that the management has taken appropriate actions as per the recommendations of the auditors and internal control. Management:

Senior management of financial institutions have the responsibility for implementing strategies and policies as approved by the board in work place ; developing processes that identify, measure, monitor and control risks incurred by the financial institutions; maintaining an organizational structure that clearly assigns responsibility, authority and reporting relationships; ensuring that delegated responsibilities are effectively carried out; setting appropriate internal control policies; and monitoring the adequacy and effectiveness of the internal control system. Audit Committee of the Board: This Committee shall be formed by the Board of a company.

The members of the Audit Committee shall be the selected Directors and the Managing Director. The Committee shall seat at least quarterly in a year. The Committee shall perform its work through an Internal Control Unit comprising of the Audit & Inspection wing and Compliance wing. The Committee shall monitor the adequacy and effectiveness of the Internal Control System based on established policies and procedure. The Committee vide its two wing shall produce, on quarterly basis, a report on internal control system and significant findings and present it to the Board. The terms of reference of the Audit Committee, frequency of meeting , name of the members of the Committee shall be decided by the Board. External Auditor:

The external auditors are not part of a financial institution and, therefore, are not part of its internal control system, yet they have an important impact on the quality of internal controls through their audit activities, including discussions with management and recommendations for improvement of internal controls. The external auditors provide important feedback on the effectiveness of the internal control system. The concept of external reporting on internal controls is well established and supported in the accounting literature. It is expected that external / statutory auditors shall review control systems for the impact they have on financial reporting and compliance with relevant policies, procedures, regulations and laws.

The extent of attention given to the internal control system may vary by auditor and by financial institutions; however, it is generally expected that the auditor would identify significant weaknesses that exist at a financial institutions and report material weaknesses to management and the board in the form of an audit report/ management letter. As regards internal control and the role of external auditors the following things should be borne in mind by the auditors: External Auditors by dint of their independence from the management of the financial institutions can provide unbiased recommendation on the strength and weakness of the internal control system of the financial institutions.

They can examine the records, transactions of the financial institutions and evaluate its accounting policy, disclosure policy and methods of financial estimation made by the financial institutions; this will allow the board and the management to have an independent overview on the overall control system of the financial institutions. It should be made obligatory on the part of the auditor to report to the Bangladesh Bank immediately if during the course of audit the auditor come across any facts which (1) might warrant qualification (2) endanger the entity audited and (3) indicate that the organization has severely infringed the regulatory provisions/guidelines. Regulator:

The Financial Institutions Department(FID) of Bangladesh Bank is the direct supervisor of the financial institutions of Bangladesh. FID has many responsibilities to the Financial Institutions to protect interest of the public and to maintain financial discipline. The responsibilities of FID should be regulatory as well as advisory. In order to achieve the regulatory and supervisory objectives the Bangladesh Bank may introduce a comprehensive supervisory framework. Supervision can be of two types: a. On Site Supervision and b. Off Site Supervision Off site supervision would structurally be an in-house review and analysis based on various statutory returns and other statements.

On site supervision includes physical visit and inspection by Bangladesh Bank Official ensuring regulatory compliance, evaluation of financial soundness, appraisal of management and identification of areas requiring corrections, review of asset quality , analysis of key financial indicators etc. As a regulator the Bangladesh Bank may introduce a system whereby the name of the Financial Institute which had not complied with the regulatory directions could be published in the newspapers. The Bank may make it compulsory for the NBFIs to do credit rating periodically. The Bank may introduce an on-line corporate memory/profile building process based on the observations generated from off-site surveillance system, , market intelligence, complaints, supervisory rating, record of compliance with directions and inspection findings.

Bangladesh Bank may think of devising a suitable system for co-coordinating the Onsite inspection in tandem with the other regulatory authorities so that these NBFIs are subject to one shot examination by different regulatory authorities. The Bank may think of introducing a supervisory rating system for the NBFIs. Such a rating system should be designed on the basis of different levels of regulatory compliance, capital adequacy and rating assigned by the credit rating agencies. Based on the rating the NBFIs may be placed in three different supervisory “watch list” with low, medium and high risks. The rating assigned may primarily be the tool for triggering on-site inspection at various intervals.

It shall play its role as a watch dog, review the compliances of the regulations and Circulars issued from time to time through periodic inspections and visits, issue new directives for the betterment of macro economy, take corrective actions, if necessary, provide necessary advises and clarifications to the NBFIS. During the course of regular inspection of financial institutions or when required, Financial institutions Department (FID)of Bangladesh Bank shall review the internal control system of any financial institutions in order to ensure compliance with these guidelines and all other relevant regulations and laws, circulars issued and enforced from time to time.

In addition to that, the FID may review the report of the internal auditor of the financial institutions, assessment report of the management regarding effectiveness of the internal control and Boards’ endorsement thereof and the external/statutory auditors’ evaluation of the management regarding effectiveness of the internal control. In addition to the above the following points shall also apply to the regulators: For the financial institutions Bangladesh Bank is the primary regulator, who governs the activities of financial institutions. In addition Tax Authority, Registrar of Joint Stock Company Finance Ministry, Securities and Exchange Commission etc. are different types of Govt. bodies whose directives have significant impact of financial institutions business. The internal control system should always take into account the financial institutions internal processes to meet the regulatory requirement before conducting any operation.

The internal control system of the financial institutions must be designed in a manner that the compliance with regulatory requirements is recognized in each activity of the financial institutions. The financial institutions must obtain regular information on regulatory changes and distribute among the concerned department, so that they can take necessary, action to adapt to such changes. The financial institutions must develop an effective communication process which will allow smooth distribution of relevant regulations among different departments and, personnel. IMPLEMENTATION OF INTERNAL CONTROLS: Various models/methodologies are used for the design and implementation of internal controls.

However, it is the decision of the organizations to decide what model / strategy suit the size, nature, complexity, scope, risk exposure, etc. of their activities. Nevertheless, following is a brief summary of the key points that should be kept in mind while implementing the internal controls: Compare current practices to the internal control system and identify gaps. For an internal control expert, the most important consideration should be to evaluate the existing system of internal control in comparison to one defined by these guidelines and other international best practices. In this regard the first step is to identify what is and what is not covered by existing practices. Involve senior management, the audit committee, audit staff, other key players.

The thought process and implementation of change should not be considered as “just other audit things. " Senior management and the audit committee must be perceived as driving the change and developing the control culture. Assess business environment, organization culture and key players. Before the process of change is set in, it would be necessary to understand: (1) what is changing in the culture (2) What is changing in the organization’s businesses and systems (3) Are there organizational initiatives which internal control system implementation could link to (4) What is the perception about the internal auditing function within the organization .

Decide on implementation strategy. If the new practices can be designed to align with other organizational initiatives, or if senior management has taken ownership, this step is relatively easy. In any case, having a realistic implementation strategy is critical to success. Most implementers introduce the new ideas slowly and informally, building on personal relationships within the organization, listening as much as talking, and gradually building a consensus for change. Provide training to everyone involved. The most critical factor to the successful implementation of a control model is that everyone involved must understand internal control.

Effective training depends heavily on how concepts are phrased and the concrete examples and exercises which make the concepts real to participants. Rectification & Improvement: The findings of the internal audit department and that of other experts should be reported back to the relevant staff/office for rectification and improvement of the internal control system. Instituting an appropriate organization structure: Organization structure plays a vital role in establishing effective internal control system. It is the sometimes called the pictorial representation of the chain of command and the authority and supervision chain of an organization.

The essence of the ideal organizational structure that will facilitate effectiveness of the internal control system is the segregation of duties. The financial institutions should, depending on the nature of business, structure, size, location of its branches and strength of its manpower try to establish an organizational structure which allow segregation of duties among its key functions such as marketing, operations, credit, financial administration etc. Up to which level this segregation will take place will depend on an individual financial institution. For instance a financial institution which has small branch operations at remote places of the country may not find it feasible to have such functional segregation of duties at that branch level.

However at the higher level such segregation should exist and where possible this should be extended to the branch levels. In cases where such segregation is not possible, there must be certain monitoring mechanism which should be independently reviewed to ensure all policies and procedures are followed at the branch level. A detail guideline in this respect is given in the following section. Structure of the Internal Control Unit For an effective control system a separate organizational structure is also provided for this unit. The audit committee of the board shall be the contact point for the internal control unit. The unit should be adequately staffed so that it can perform its duty properly.

In order to ensure that availability of efficient people with internal control the financial institutions will make it mandatory for all middle to senior management staff to spend at least two years with internal control on second meant. The head of internal control will report directly to the Audit Committee of the Board He will be responsible for the both compliance and control related tasks which include compliance with laws and regulation, audits and inspection, monitoring activities and risk assessment. The audit team of the internal control unit will perform periodic and special audit and inspection. The compliance unit will be responsible to ensure that financial institution complies with all regulatory requirement while conducting its business.

They will maintain liaison with the regulators at all level and notify the other units regarding regulatory changes. Audit Committee of Board Audit & Inspection Wing Inspector Compliance Wing Internal Control Unit Preparing various guidelines/manuals Each Financial institution should have a policy guideline in line with relevancy laws and internal documents in order to ensure an effective control over its process in various fields e. g. credit, human resources, finance & accounts, treasury, audit, customer service etc. There should be a written policy guideline for each Department’s function which may be as follows. (a) Standard Operating Procedures -Credit & Operations The main objective of lending money is to ensure maximum return of lend able fund.

This manual should highlight the process starting from review of credit proposals, obligor risk rating, approving credit limit, disbursement of loans, monitoring of credit risk etc. Various types of MIS should be provided in order to have better control over assets of the financial institutions which can be generated if the system is in place. This manual should also contain role of Credit Admin. , Trade Finance, Reconciliations, Cash, Client’s service, Treasury, Back office etc. It should also reflect a clear guideline regarding Anti-Money Laundering activity in order to protect Financial institution’s interest. Credit Admin will be responsible for monitoring of limits and outstanding as per credit approval.

This manual should cover the following areas inter alias: Risk classes, lending limits and credit authorities Investment policies Policies on financial & other product & services Lending guidelines Approval processes Documentations Securities and collaterals etc. Account Opening and closing Payment monitoring procedures Loan Administration Treasury Operations Anti-money Laundering procedures etc. (b) Finance & Accounting Manual This manual should provide guidelines on financial activities regarding income and expenditure of a financial institution. They will look after if there is any exaggeration of expenditure where it is necessary to get control.

This manual must incorporate a clause which shall make it mandatory to prepare and present an annual budget which shall contain target business, revenue, expenses, capital expenditures etc. This budget should be placed to the Board before starting of a new year and a periodic review of the actual achievement. Through this process it can also ensure the profitability of the financial institutions. The basic content of Finance Manuals are: Financial & Accounting Policies Financial Accounting Financial Management & Administration Fixed Assets Control Procurement of Goods and Services Audit and Internal Control General Clause Capital structure policies Treatment of Land, Building & Equipment Capital Adequacy and Shareholders Equity

Treatment of revenue and expenditures Income tax procedures Write-off procedures etc. (c) Treasury Manual This manual should include activities of fund transfer. Inter financial institutions fund management is one by them. The manual should include the guideline so that they may manage the financial institutions fund properly and profitably. There may be some idle fund in the financial institutions which is to be taken into account so as to make them invested in optimum profit seeking area. They should also ensure the security of the fund. If possible, they may look into international money market subject to the available opportunity in the money market arena.

While framing a treasury manual the following things should be considered inter alias : Internal Items Liquidity Cost of fund Vs. yield from assets Policies & Procedure Skill of staff etc. External Items Market Liquidity Risks including changes in Exchange Rates Changes in regulations etc. Investments Capital management etc. (d)Human Resource Policy Manual They will, at first, ensure the proper distribution of available human resources in the infrastructure of the financial institutions. It should also delineate the authority and responsibility of each employees . To find out the right person for setting up them at the right position is very crucial.

The rewarding method of that department should be impartial. They will ensure staff welfare which will ultimately encourage people and create a healthy working atmosphere. This manual should contain inter alias the following: Recruitment policy Background checking policy Leave policy Compensation policy Reward and Recognition policy Termination & retirement policy Promotion and increment policy Training guidelines Employees code of conduct etc. (e)Information Technology Manual This manual should contain the following areas: MIS to be generated Security of Data and programme Back up system Control mechanism of data and files Disaster recovery plan Networking

Hardware maintenance Service agreements etc. Training Manpower backup Power backup system Data storage 20 EXAMINATION OR EVALUATION OF CONTROL As soon as the implementation of control is completed the next question is how to evaluate the effective functioning of this system. Evaluation may be done in the following ways: a. Verification of departmental function through Check List b. Reviewing the documentation relating to operational activities through a check list c. Preparing quarterly report and reviewing the same d. Risk analysis e. Audit Process & communication of weakness Departmental Control Function Checklist (DCFCL) {Appendix 7. 1 to 7. 4} ) The guideline/procedure deals with matters relating to review/verifications of departmental functions to ensure that prescribed procedures are being followed by each department. b) All departments are required to check that prescribed controls are being observed and laid down procedures are not overlooked & relaxed. c) Departmental Managers/Branch Managers will review the DCFCL to ensure that control functions are performed and documented in the control sheets (Appendix 1) at the prescribed frequencies i. e. Daily, weekly, monthly and quarterly. d) The DCFCL Checklist should be retained with the branch/departments for future inspection by Internal Control and Senior Management. Loan Documentation Checklist {Appendix 7. 6}

The checklist deals with matters relating to security/other documentation for sanctioning credit facilities to ensure that prescribed documentation is being obtained to safe guard financial institutions interest in case of litigation. Copy of the loan documentation check list shall be sent to the lease/loans department for their use. Quarterly Operations Report {Appendix 7. 5} This guideline/procedure relates to reporting of operational functions of each branch/centre under the following heads on the enclosed format: i. Policies, Procedures and Controls ii. Protection of Valuables iii. Proofs/Verifications and Internal Checks iv. Personal and Supervision and v. Premises Management vi. Confirmation on Regulatory Compliance This report will be prepared by the Departmental/Branch Head .

This will be prepared in duplicate copies one copy is to be dispatched to Internal Audit Department and another copy to the Audit Committee of the Board by 10th of the following month. The items which are not applicable for individual Department should be marked as N/A and no signature is required against the items marked as N/A. Any deviation in the quarterly operations report must be reported in a separate exception report or shall be marked specially in the report. Risk Analysis of Control Functions Individual items in the DCFCL need to be assigned a risk rating in terms of the following dimensions: a) Impact: Before taking into account the mitigation (i. e. Insurance) what is the impact of the lapse/omission. b) Probability: After taking into account of the mitigation what is the likelihood of the event occurring.

To assist in this task, the following matrix (Table 1) can be used. However some financial institutions may consider customization of this matrix to suit their own risk profile. Where appropriate, additional details (e. g. financial values can be added). The key principle is that all financial institutions should be able to differentiate between different levels of risk in their own area of activity and then ensure appropriate controls are established. Scores should be plotted on the following table to determine a category of high, medium and low risk. Conclusion Recommendations The quality of internal control is (strong, satisfactory, weak). Note: Examiners should use appropriate tools (e. g. the CEO questionnaire,ICQs, and FDICIA internal control assertion work papers) and findings from all areas under examination, including the OCC’s review of the bank’s audit functions, when completing these objectives and steps. When substantive supervisory concerns about the adequacy of internal control or the integrity of financial reporting controls exist after achieving the following objectives and performing the following steps, examiners should consider performing additional examination procedures, such as using ICQs,for those areas of concern. If, after completing those additional procedures, examiners remain concerned about internal control adequacy or financial reporting control integrity, they should perform appropriate verification procedures to confirm the existence and description of bank assets.

As an alternative, examiners may require the bank to expand its own verification program to include the areas of weakness or deficiency; however, this alternative will be used only if management has demonstrated a capacity and willingness to address regulatory problems, if there are no concerns about management’s integrity, and if management has initiated timely corrective action in the past. Use of this alternative must result in timely resolution of each identified supervisory problem. If examiners use this alternative, supervisory follow-up must include a review of work papers in areas where the bank’s program was expanded The institution’s internal control is (strong, satisfactory, weak)Objective: Assess the overall effectiveness and adequacy of the institution’s internal control, communicate findings to the EIC, management, and the board of directors, and complete/update OCC work papers. 1. Prepare written conclusion summaries, discuss findings with the Rican communicate findings to management.

Conclusion summaries should address, as appropriate,• Whether the internal control environment poses actual or potential undue risk to the institution’s financial performance for any of the following reasons:– The magnitude of control exceptions. – Financial effect of inaccurate, untimely, or improper transactions. – Previous losses from fraud. – Claims against insurance policies. – Employee turnover. – Other high operational losses. – Violations of laws or regulations and nonconformance with established internal policies and procedures related to the internal control functions. • The adequacy of internal control policies, procedures, and programs to control and limit risk in bank operations. • Whether bank personnel operate in conformance with established policies and, if not, the causes and consequences of nonconformance. The adequacy of information on the internal control function received by the board or its committee• Significant areas of control weakness identified by internal or external audits or other control reviews and the board’s and management’s progress in addressing those weaknesses. • Audit or other control review report findings not acted upon by management, as well as any other concerns or recommendations resulting from the review of internal control functions. • Recommended corrective actions, if applicable, and management’scommitments. 2. Determine how the quality of internal control affects the aggregate level and direction of OCC risk assessments.

Examiners should refer to guidance provided under the OCC’s risk assessment programs for large and community banks. 3. Determine how the quality of internal control affects the bank’s composite and component CAMELS ratings. In coordination with examiners performing information system/technology, asset management, and fiduciary reviews, communicate the effect of control findings and conclusions on Uniform Rating System for Information Technology (URSIT), Uniform Interagency Trust Rating System (UITRS),and compliance ratings. 4. Determine, in consultation with the EIC, whether the risks identified are significant enough to merit bringing them to the board’s attention in the report of examination.

If so, prepare items for inclusion under the heading “Matters Requiring Attention” (MRA). MRA comments should cover practices that (1)deviate from sound fundamental principles and are likely to result in financial deterioration if not addressed or (2) result in substantive noncompliance with laws or internal policies or processes. The examiner should provide details regarding:• Factors contributing to the problem’s and management Consequences of inaction.. • Management’s commitment to corrective action. • The time frame for any corrective action and who is responsible further action. 5. Update any applicable schedule or table and include a comment on internal control in the report of examination.

The comment should address• Adequacy of internal control policies and processes, internal control and overall programs, personnel, and board oversight. • Significant problems discerned by the auditors or other control reviewers that have not been corrected. • Any deficiencies or concerns reviewed with management, any corrective actions recommended by examiners, and management commitments to corrective actions. 6. Prepare a memorandum and update OCC work programs with any information that will facilitate future examinations. Make recommendations about the scope of the next internal control review and determine whether internal control findings should change the scopes of other area reviews. 7. Update the OCC databases, including rating screens/schedules.