STATE BANK'S GUIDELINES ON INTERNAL CONTROLS
By MUHAMMAD BASHIR CHAUDHRY
May 10 - 16, 2004
The State Bank of Pakistan (SBP) has invited comments and suggestions by 31st March 2004 on the draft 'Guidelines on Internal Controls' to encourage the banks/DFIs for instituting adequate internal control system commensurate with the nature, complexity, and risk inherent in their activities and responsive to the changing environment. These guidelines apply to all the banks/DFIs. According to the SBP, the control activities contained in this guide are not presented as all-inclusive or exhaustive of all the specific controls appropriate in each department/activity of banks/DFIs. Over time, controls may be subject to change to reflect changes in our operating environment. A properly designed and strictly enforced system of internal controls helps protect the organization's assets and profitability from operational losses, frauds and forgeries, produces reliable financial and management reports, helps compliance with laws and regulations, and finally, creates value for the stakeholders.
The draft guidelines cover areas such as purpose of Internal Controls (ICs), principles, components such as environment, risk assessment & management, institution of the ICs and activities for accounting, information & communication systems and self-assessment & monitoring. In this context the responsibilities of board of directors, management, and internal and external auditors as well as the regulator have been covered. Separate sections have been added for implementation, evaluation and reporting of the ICs. SBP has mentioned that these guidelines have been aligned to internal best practices as enumerated in BIS Framework of Internal Controls, COSO and COCO guidelines on Internal Controls, etc. and the readers have been encouraged, if interested, to refer to those documents. The draft Guidelines is a lengthy document. It is felt that there are many repetitions and through proper editing the size can be reduced substantially. The ICs might be clear, concise and cover important aspects of the bank / DFIs.
It may be noted that the ICs are not something totally new now being imposed by the SBP. These have been always there in the form of policies, plans and processes as affected by the board of directors and performed on continuous basis by the senior management and all levels of employees within the banks/DFIs. In general, internal controls are simply good business practices, adequate checks and balances, and include anything, which serves to safeguard bank's assets and to improve the effectiveness and efficiency of operations. The issue of the new Guidelines aims at bringing our local practices to the level of the best practices in the developed world. It is more of re-focussing attention to the key areas having strong bearing on the existence, organisational structure, growth and profitability of our banks and the DFIs.
A few decades ago almost all banks and DFIs used to have Statement of Policies, adopted by the respective Board of Directors. These Policies were periodically amended to meet the new challenges. The International Financing Institutions (IFIs), which were offering credit lines to the Pakistani institutions, fully realized the usefulness of these Policies for safeguarding the operations of the banks and DFIs. These IFIs used to prescribe that no amendments to be made to these Policies without their prior concurrence. The purpose was served well for quite sometime. These days the Prudential Regulations, various Risk Management Guides and the proposed Guidelines on ICs aim to achieve the same objectives. Admittedly, the ICs are important for good governance and improved performance of the corporate sector- public and private- as well as the banks and DFIs and therefore must be properly complied with. However, the proposed ICs might not be inconsistent with the guidelines and strategies earlier adopted by the Board of Directors or prescribed by the SBP.
As one of the Control Principles it has been stated in the SBP draft that the costs associated with control processes should not exceed expected benefits. The costs are easily quantifiable but the benefits are not that easy. It is felt that in the banking institutions, the ICs are sometimes relegated to a secondary level by creating a situation of high costs that are termed as 'unnecessary'. To avoid such situations it would be appropriate that the costs associated with the ICs be linked to the volume of total assets or the business volume. The quality and the commitment of the personnel assigned to the ICs function and the costs allocated to this head might be carefully monitored.
Under the Control Principles it has been also mentioned that documented policies and procedures promote employee understanding of duties and help ensure continuity during employee absences or turnover. Therefore, policies and procedures (in the form of operations manuals and desk instructions) should exist in all banks/DFIs. The usefulness of the documentation might increase substantially if all the employees have access to these relevant documents. Each serving employee should confirm that he/she has read the Guidelines carefully for compliance. If it is too much to provide copies of the Guidelines to all employees, they should always have access to these policies for reference purposes.
It has been stated in the draft that the ICs provide an additional reference tool for all managers to identify and assess basic weaknesses in operating controls, financial reporting, legal/regulatory compliance and to take action to strengthen controls where needed. By developing effective compliance programs, management can contribute to reducing the bank's potential liability from fines and penalties that could be imposed for violations. This is typical of the supervisory authorities. It is urged that the SBP and other supervisory authorities also suitably modify their approach to supervision in line with the present day conditions.
It is agreed that every system is run by human beings who, by the very nature, are vulnerable to personal distraction, carelessness, fatigue, errors in understanding and judgment, or unclear instructions in addition to fraud or deliberate noncompliance with policies. Effective controls systems help detect such mistakes, thus help rectify them before its too late. The supervisory authorities must require the banks and the DFIs to institute procedures and practices for recruitment on merit, extensive training, and fair compensation including promotions to employees at different tiers of the hierarchy. This should be followed in practice as well. No amount of the ICs is going to help much if the employees are not fully motivated.
Until recently, some of the Banks/DFIs had the culture of dubbing as 'negative' the officers who strictly followed the rules in business and were often superceded or discriminated in promotion probably because of the 'negative' image they carried. It is presumed that with the introduction of the ICs now the SBP will also be taking measures so that the officers who go by the rules are not penalized in their postings and promotions. A clear message need to be passed that whosoever violates the prescribed policies and procedures shall be taken to task. Thorough understanding and knowledge of the prescribed policies and procedures by the employees at different levels might be useful in the application of the ICs and must be appreciated by the management as well as the external supervisory authorities.
Lessons learnt from banking crisis have been adopted in the form of widely accepted 'Controls Principles' and have been included in the SBP draft. These principles include: (i) The ICs to cover all functions, in particular the key risk areas, and be an integral part of daily activities; (ii) Division of duties so that no single person has complete control over a key function or activity; (iii) Authorization of all transactions before recording and execution; (iv) Separation of responsibility for custody of assets from the related record keeping; (v) Records should be examined and regularly reconciled; (vi) Equipment, inventories, cash and other assets should be secured physically, counted periodically and compared with amounts shown on control records; (vii) Employment of qualified, well-trained and supervised employees to ensure control processes to function properly; (viii) Documented policies and procedures for promoting employee understanding of duties; (ix) Setting standards of professional integrity and work ethics; and (x) Costs associated with control processes should not exceed expected benefits. Conflict of interest might be added to these principles although the same has been mentioned in the Principles for the Assessment of the ICs System as an Annexure to the Guidelines. If any employ or a member of the Board has a potential conflict of interest in any bank transaction, the fact should be brought on record and that person should never participate in decision making in that matter. Another principles could be at-arms-length transaction when the bank is dealing with a sister company or associated concerns.
One cardinal principle is the separation of the executive and the supervisory authority in the banks/DFIs. The Chief Executive Officer/the Managing Director and the Chairman of the Board of Directors should be two different persons. Historically, the Joint Venture DFIs in Pakistan have had such an arrangement throughout. As against this, the Pakistani DFIs or banks were mostly having the same person as the CEO/MD who was also the Chairman of the Board of Directors. The Joint Venture DFIs have been mostly profitable since inception whereas the Pakistani banks and DFIs had mixed results. This principle might be considered for making part of the new ICs.
The SBP has since introduced improvements in filling the key positions in banks and DFIs. Prior to that these positions were sometimes offered to the employees who were not the top of the list for those positions. This practice had an adverse effect on the operations as well as on the morale of the employees who were superceded. Under the proposed guidelines, the filling of the key posts with the top of the list persons might be made as a control principle.
These days the banks and DFIs are making lot of money from trading of shares on the stock exchanges. There might be cases where the officers handling or approving these transactions are also engaged in trading of shares on their personal accounts. These people might also be aware of affairs/developments of their borrower companies. It is apprehended that there might be certain cases, which sometime border the Insider Trading. The proposed Guidelines might also add a control principle to effectively check potential mal-practices in this area.
According to the SBP, all in all there are 13 Principles for the Assessment of Internal Control Systems, of which 12 have been included in the Guidelines as an Annexure. The 13th Principle that is relevant to the Supervisors only has not been included in this Annexure. It is felt that this Principle might also be made part of the Annexure for information purposes. The Board of Directors, the senior management, the middle tiers and even the lowest level supervisor has to see that their juniors are complying with the ICs. The internal supervisors also need to develop skills for compliance with the ICs.
The proposed Guidelines might also protect the legitimate interests of two important stakeholders namely, the bank borrowers and the depositors. The banks and the DFIs are expected to be fair to both the groups. The bank borrowers should not be given the short shrift in the methodology used in calculating interest/mark up or other fees or charges collected from them. These days the SBP has been trying to sort out the disagreements between the banks and the borrowers over the past due interest/mark-ups. As regards the depositors, the banks and the DFIs might not be allowed collection of unduly large fees or charges for their services or the levy of penalty for failure to maintain the minimum balance in their bank accounts. Certain banks are prescribing unreasonably large minimum balance to discourage the depositors. Sometimes the banks do not allow credits on timely basis to the depositors' accounts for encashment of government securities. The SBP might consider introducing Fair Practices Principle to give solace to these two groups under the proposed Guidelines.
In terms of the Principles regarding Management Oversight and the Control Culture, the board of directors have responsibility for approving and periodically reviewing the overall business strategies and significant policies of the bank; understanding the major risks run by the bank, setting acceptable levels for these risks and ensuring that senior management takes the steps necessary to identify, measure, monitor and control these risks; approving the organizational structure; and ensuring that senior management is monitoring the effectiveness of the internal control system. The board of directors is ultimately responsible for ensuring that an adequate and effective system of internal controls is established and maintained. Further, the board of directors and the senior management are responsible for promoting high ethical and integrity standards, and for establishing a culture within the organization that emphasizes and demonstrates to all levels of personnel the importance of internal controls. The SBP is urged to study the adequacy of the fees or emoluments paid to the members of the Board vis-a-vis the responsibilities assigned to them.
It has been mentioned in the draft Guidelines that the success of control environment is judged according to; the integrity, ethics, and competence of personnel; the organizational structure of the institution; oversight by the board of directors and senior management; management's philosophy and operating style; attention and direction provided by the board of directors and its committees, especially the audit and risk management committees; personnel policies and practices and; external influences affecting operations and practices. Now that the Guidelines on the ICs are about to be formally prescribed for the first time, the SBP might consider requiring the banks and the DFIs to help compile a comprehensive report on all the aspects mentioned above.
The SBP has been doing very well by issuing new guidelines and by amending the existing ones as per needs of the current situation. However, one glaring omission is that not much appears to be done to better safeguard the interest of the depositors, especially the return paid to them. The banks receiving these deposits are making big profits. However, it appears that the pay out to the depositors have no link with the bank profits. Depositors are hard hit especially the ones who are old and are dependent on the profits from their life savings. The SBP is urged to explore this area urgently. The depositors expect the return to be at least equal to the inflation in the country, after covering Zakat and withholding tax.