risk management and internal audit

46
Risk Management and Internal Audit for MFI &' Summarized by Hong Ry, Senor Internal Auditor 2007

Upload: hong-ry

Post on 18-Nov-2014

627 views

Category:

Documents


3 download

TRANSCRIPT

Risk Managementand Internal Audit for MFI

&'

Summarized by Hong Ry, Senor Internal Auditor

2007

OPERATIONAL RISK

Vulnerabilities that MFI faces in it’s operations: portfolio quality, fraud risk and theft. There are 3 types of operational riskI.Credit RiskII.Fraud RiskIII.Security Risk

Reduced Risk Factors

Operational risk can be reduced through developing policies and procedures that form organization’s Internal control system.

These controls usually included preventive and detective aspects

Preventive ControlsPreventive Controls inhibit undesirable outcome from happening:

Hiring trustworthy employees who can make good credit decision

Ensure that loan are backed by collateralSegregating staff dutiesRequiring authorization to prevent improper

use of resourcesMaintaining proper record keeping procedures

to deter improper transactionsInstalling sufficient security measures to

protect cash and other assets

Detective Controls

Detective Controls identify undesirable outcome when they do happen

Reconciling bank statement with cash receiptsMonitoring early warning signals for signs of

pending portfolio quality problemsImplementing delinquency management policies to

prevent late payments from escalating into bad debtsMonitoring staff performance to ensure policies and

procedure are followedVisiting clients to ensure that their loan and saving

account balances and transaction dates correspond with the MFI’s records

I. Credit Risk

Deterioration in loan portfolio quality that result in loan losses and high delinquency management cost. Credit risk related to client failure to meet the terms of a loan contract.This risk can be livestock disease for portfolio quality.In this point we focus on Credit risk controls and Credit risk monitoring.

I.1. Credit Risk Controls

A lender’s risk management expand from controls that reduce the potential for loss to controls that reduce actuallosses. The four key credit risk controls are (1) loan product design, (2) client screening, (3) credit committees, (4) delinquency management

(1) Loan Product Design

Loan product should be designed to address the specific loan purpose with different design features included loan size, loan terms, interest rate, repayment schedule, collateral requirements, eligibility requirements, and other special terms in order to meet client need. These Product design features cam minimize credit risk

(2) Client Screening

MFI typically use the 5Cs for screening clients:1.Character:the applicant’s willingness to repay and ability to run the enterprise2.Capacity: whether the cash flow of business or household can service loan repayments.3.Capital: Assets and liabilities of the business and/or household4.Collateral: Access to an asset that the applicant is willing to cede in case of non-repayment, or a guarantee by a respected person to repay a loan in default.5.Condition: a business plan that considers the level of competition and the market for the product or service, and the legal and economic environment

(3) Credit Committee

Credit committee is established to approve loans, monitor their progress and get involved in delinquency management. Additionally, MFI should have written policies regarding Loan approval authority with specific loan amount which can be approved by two people or third person requirement.

(4) Delinquency Management

To minimize the delinquency, CARE recommends six delinquency management methods:1. Institutional culture2. Client Orientation3. Staff incentives4. Delinquency penalties5. Enforcing contracts6. Loan rescheduling

I.2. Credit Risk Monitoring

This point discuss about the monitoring of the portfolio quality ratios on monthly basis which can minimize credit risk. These ratios included Portfolio at Risk, Loan Loss Ratio, Reserve Ratio, and Loan Rescheduling Ratio.

II. Fraud Risk

Wherever there is money, there is an opportunity for fraud. However, through proper controls they can reduce their vulnerability to fraud. This section first summarize common types of fraud and discusses controls for preventing and detecting fraud.

II.1. Types of Fraud

Fraudulent activities can occur in following lending process:1. Loan disbursement2. Repayment3. Collateral procedures, and4. Closure activitiesFraud can occur from misuse of petty cash, false travel claims, kickbacks from procurement contracts, and management override.

II.2. Types of Fraud (cont)

High level employees incite employee violate control policies or procedures, enabling his/her commit fraud.The More vulnerable to MFI’s fraud such as: poor portfolio quality, weak information system, change in information system, weak internal control procedures, high employee turnover, multiple loan products, handle cash, and rapid growth.

II.2. Control: Fraud Prevention

The CARE EDU suggests the following 8 categories of control to reduce fraud:1.excellent portfolio quality2.simplicity and transparency3.human resource policies4.client education5.credit committee6.handling cash7.handling collateral and 8.write-off and rescheduling policies

II.3. Monitoring: Fraud detectionThe best prevention strategies in the world are not going to eliminate fraud. This is partly. The fraud detection is the responsibility of all staff members, from the chairman of the board down to cleaners and drivers. So this responsibility for fraud detection is tasked to internal auditor which should report directly to audit committee of the board.Fraud detection involves the following four elements: 1) operational audit, 2) loan collection policy, 3) client sampling, and 4) customer complaints.

1) Operational Audit1)The purpose of operational audit is to confirm that the policies are being followed. There are 3 reasons for being not following policies:1) the employees was involved in some sort of fraudulent activities; 2) the employees did not know about policies or didn’t understand; 3) the employees believed that the policy was unreasonable.2)An operational audit is a review of all operation activities, procedures and process, including human resources, procurement, finance, information systems and any other operational areas. It’s important that this independent person or department report to the board of director, not to management.

2) Loan Collection Policies

The collection policies have a very important role in fraud detection. By involving several different persons in the collection process, MFI’s not only escalate the pressure on client, but also help to identify instances of fraud.

3) Client SamplingThe client visited by internal auditors is a main aspect of fraud detection. Internal auditors use selective sampling of borrowers whose loans that are more likely to be fraudulent, especially payment in arrears.This client visit, internal auditors may find major discrepancies between information in client’s file and the reality in the field, which could expose the organization to credit or fraud risk. auditor also use selective sampling of depositors.Prior to visiting clients, internal auditors are preferred to reviewing document first.Field work, internal auditor can fulfill other important function such as delinquency management, gathering information on customer satisfaction and market tends, and identify staff training needs.

4) Customer Complaints

Another important method for detecting fraud and improving customer service, is to establish a complain and suggestion system that creates a communication through which clients can voice their opinions.

II.4. Response to FraudIf fraud is suspected, in most cases the most MFI should conduct a fraud audit and then implement damage control proceedings.Fraud audit: There are two factors in conducting fraud audit are potential magnitude(large amount of cash) of fraud and the extent of evidence and should be conducted by specialized training in forensic auditing.Damage control: MFI should consider developing contingency plans which can be dusted off and put into action when fraud is occurred. contingency plan should include the following elements:

III. Security Risk

This risk has two basic elements:1) Safe of cash: MFIs need to ensure that

cash is protected from theft during office hours, after office hours, and in transit. cash can protect through the use of local bank, security measures, and liquidity policies.

2) Safety of Office assets: MFIs need to ensure that they are protecting their computers, fax machine, office equipment..etc from theft. Assets can protect through a fix assets register.

FINANCIAL MANAGEMENT RISKS AND CONTROLS

In this chapter we will discuss the 3 key risk areas:I.Asset and Liability Management RisksII.Inefficiency RisksIII.System Vulnerability Risks

I. Asset and Liability Management Risks

It’s refers to management of spread, or the positive difference between the interest rate on earning assets and cost of funds. Successful of this spread requires control over: a) interest rate risk, b) foreign exchange gap, c) liquidity, and d) credit risk. MFI can vulnerable if it has one of the following characteristics:

It borrows money from commercial sources to fund its portfolio;

It funds its portfolio from client saving;It operates in a high inflation environment;It has liabilities denominated in a foreign

currency.

I.1 Interest Rate RiskThis risk is particularly problematic for MFIsoperating in high inflationary environments. MFIs should monitor interest rate risk by 1) assessing the amount funds at risk for a given shift in rates, and 2) evaluating the timing of the cash changes given a particular interest rate shift.This risk can be effected by interest rate sensitivity which large scale saving is highly effected than small ones.The measure of this risk is net interest margin=( Interest Revenue-Interest Expense)/Average Total Assets

I.2. Foreign Exchange RiskThis risk occurs when MFI hold assets and liabilities in foreign currency.For MFIs with foreign currency exposure should establish control mechanisms which have options as follows:

Add the expected devaluation rateInclude a provision for devaluation expense on

the balance sheet and income statementIndex the interest rate on local currency loan to

foreign currency.The key ratio is currency gap risk ratio=(Assets in Specified Currency-Liabilities in Specified Currency)/Performing Assets

Currency Devaluation Impact

Amount lent:$100,000 at 20% USD Scenario 1-SAR Scenario 2-SAR(no devaluation) (devaluation)

Amount lent 100,000 600,000 600,000

Exchange rate at due date - R6/USD R7/USDAmount due 120,000 720,000 840,000

Principle 100,000 600,000 700,000Interest 20,000 120,000 140,000Actual cost of funds* 20,000 120,000 240,000

Client revenue** 420,000 420,000Operation costs*** 240,000 240,000

Net difference 180,000 180,000Profit/Loss 60,000 (60,000)

*Includes interest expense, revaluation of principal, and revaluation of interest expense

**Assume interest rate of 70%***Assume operation cost ratio of 40%

I.3. Liquidity RiskLiquidity refers to an MFI’s ability to meet its immediate demands for cash, such as disbursement, bill payment, and debt repayment. A temporary lack of loan capital can result in a dramatic spike in portfolio quality problems. The key control for liquidity is cash flow management which ensure that cash inflow is equal to or greater than cash outflow. Besides cash flow projection is ratios:-Quick Ratio=liquid assets/current liabilities-Liquidity Ratio=(cash+ expected cash inflows in period)/anticipated cash outflow in period-Idle fund ratio=(cash+Near cash)/Total outstanding Portfolio

II. Inefficiency RiskThis risk involves the an organization’s disability to manage costs per unit of output which cause waste of resources and ultimately provide clients with poor services and products. MFIs can improve efficiency in three ways:(1) increase the numbers of clients to achieve greater economics of scale, (2) streamline systems to improve productivity, and (3) cut costs.

II.1. Inefficiency ControlsThere are four elements were discussed in this part:

Budgeting: the master plan of all expenses and all sources of capital.

A budget comparison report: the purpose is to allow the board and staff to monitor performance relative to the approved budget.

Activity Based Costing: it’s allocates both direct and indirect related costs to specific revenue generating activity.

Reengineering: The process of cleaning up inefficiencies (such as poor customer service or unattractive product). The greatest challenge to successful reengineering is the lack of strong leadership to organizational resistance to change.

II.2. Inefficiency Monitoring

This point was discussed the Efficiency and Productivity Ratios and Monitoring Human Errors. EPRs analyze its level of efficiency, and MFI should compare its current performance to two other data sets: 1) the organization’s past performance (trend analysis) and 2) similar organizations identified as industry leaders (industry benchmarks).

III. System Integrity Risk

It’s the way of secure the reliability of source data and information contained in the financial statement and management reports through definitive assessed the financial reports and systems in an MFI by external audit firm. The financial audit should conduct on an annual basis in order to safeguard company assets.

Auditing

Audit: Examination of books, records and accounts of a company which is carried out by independent auditors both external and internal.

External audit: Audit carried out by independent auditors who come from private firm. External audit focus on financial statement audit.

Auditing review (cont)

Internal audit: an independent appraisal function established by the management of an organization for the review of internal control system as service to the organization

The need for an audit

The need of audit is to certify the reports are free from errors and frauds in order to show strong reliability to interest parties.

Objectives of auditing

-Primary: Produce report of true and fairopinion of financial statement.-Subsidiary:

.to detect errors and fraud

.to prevent errors and fraud by the

.deterrent and moral effect of the audit.

.to provide pin-off

Auditor qualification

a. Independence :Auditor not only must be independent in fact and attitude in mind but also must be seen to be independent with unbiased opinion.

b. Competence : referred to CPA candidates.c. Integrity : referred to qualified

accountants are renowned for their honesty, discretion and tactfulness

Types of auditor• Independent auditors or external

auditors: referred to CPA members

• Internal auditors: referred to employees of the entities they audit.

• Government auditors: not mentioned in this point.

Audit Process

Internal Audit Process-Background research-Preparation of the audit plan-Accounting system review-Internal control system review-Review related document and do substantive testing-Analytical review techniques-Analytical review of financial statement-Preparation and signing report

Internal controlInternal control is process designed by managements to provide reasonable assurance regarding the achievement of objectives in the following categories:•Reliability of financial reporting;•Compliance with applicable laws and regulations;•Effectiveness and efficiency of operations.The elements of internal control are policies, procedures, manuals, memos, working processes……….

Engagement Letter

A letter which provides the understanding each other between auditor and client.

It presents the services, objective, responsibilities, scope of work, period and audit fee.

Audit Evidence-Audit evidence (alternatively referred to as evidential matter) consist of two categories:underlying accounting data and all corroborating information -Auditor can collect the evidence through observation, third parties, authoritative document, internal control, calculation, interview………

Working Papers

Working papers are papers (soft and hard) that document the evidence gathered by auditors to show the work they have done, the methods and procedures they have followed, and the conclusions they have developed in an audit of financial statement or other type of engagement.