Risk Management and Internal Audit
Risk Management and Internal Audit for MFI
Summarized by Hong Ry, Senior Internal Auditor 2007
OPERATIONAL RISK Vulnerabilities that an MFI faces in its operations: portfolio quality, fraud risk and theft. There are 3 types of operational risk: I. Credit Risk II. Fraud Risk III. Security Risk
Reduced Risk Factors Operational risk can be reduced by developing policies and procedures that form the organization's internal control system. These controls usually include preventive and detective aspects.
Preventive Controls Preventive controls inhibit undesirable outcomes from happening:
-Hiring trustworthy employees who can make good credit decisions
-Ensuring that loans are backed by collateral
-Segregating staff duties
-Requiring authorization to prevent improper use of resources
-Maintaining proper record keeping procedures to deter improper transactions
-Installing sufficient security measures to
Detective Controls Detective controls identify undesirable outcomes when they do happen:
-Reconciling bank statements with cash receipts
-Monitoring early warning signals for signs of pending portfolio quality problems
-Implementing delinquency management policies to prevent late payments from escalating into bad debts
-Monitoring staff performance to ensure policies and procedures are followed
-Visiting clients to ensure that their loan and saving account balances and transaction dates correspond with the MFI's records
I. Credit Risk Deterioration in loan portfolio quality that results in loan losses and high delinquency management costs. Credit risk relates to client failure to meet the terms of a loan contract. For portfolio quality, this risk can come from livestock disease. In this point we focus on credit risk controls and credit risk monitoring.
I.1. Credit Risk Controls A lender's risk management extends from controls that reduce the potential for loss to controls that reduce actual losses. The four key credit risk controls are (1) loan product design, (2) client screening, (3) credit committees, and (4) delinquency management.
(1) Loan Product Design Loan products should be designed to address the specific loan purpose, with different design features including loan size, loan terms, interest rate, repayment schedule, collateral requirements, eligibility requirements, and other special terms in order to meet client needs. These product design features can minimize credit risk.
(2) Client Screening MFIs typically use the 5Cs for screening clients:
1. Character: the applicant's willingness to repay and ability to run the enterprise.
2. Capacity: whether the cash flow of the business or household can service loan repayments.
3. Capital: assets and liabilities of the business and/or household.
4. Collateral: access to an asset that the applicant is willing to cede in case of non-repayment, or a guarantee by a respected person to repay a loan in default.
5. Condition: a business plan that considers the level of competition and the market for the product or service, and the legal and economic environment.
(3) Credit Committee A credit committee is established to approve loans, monitor their progress and get involved in delinquency management. Additionally, the MFI should have written policies on loan approval authority, specifying the loan amounts that can be approved by two people or that require a third person.
(4) Delinquency Management To minimize delinquency, CARE recommends six delinquency management methods: 1. Institutional culture 2. Client orientation 3. Staff incentives 4. Delinquency penalties 5. Enforcing contracts 6. Loan rescheduling
I.2. Credit Risk Monitoring This point discusses the monitoring of the portfolio quality ratios on a monthly basis, which can minimize credit risk. These ratios include Portfolio at Risk, Loan Loss Ratio, Reserve Ratio, and Loan Rescheduling Ratio.
II. Fraud Risk Wherever there is money, there is an opportunity for fraud. However, through proper controls MFIs can reduce their vulnerability to fraud. This section first summarizes common types of fraud and then discusses controls for preventing and detecting fraud.
II.1. Types of Fraud Fraudulent activities can occur in the following lending processes: 1. Loan disbursement 2. Repayment 3. Collateral procedures, and 4. Closure activities. Fraud can also occur from misuse of petty cash, false travel claims, kickbacks from procurement contracts, and management override.
II.1. Types of Fraud (cont) High-level employees may incite an employee to violate control policies or procedures, enabling him/her to commit fraud. Factors that make an MFI more vulnerable to fraud include: poor portfolio quality, weak information system, change in information system, weak internal control procedures, high employee turnover, multiple loan products, handling cash, and rapid growth.
II.2. Control: Fraud Prevention The CARE EDU suggests the following 8 categories of control to reduce fraud: 1. excellent portfolio quality 2. simplicity and transparency 3. human resource policies 4. client education 5. credit committee 6. handling cash 7. handling collateral and 8. write-off and rescheduling policies
II.3. Monitoring: Fraud detection The best prevention strategies in the world are not going to eliminate fraud. This is partly. Fraud detection is the responsibility of all staff members, from the chairman of the board down to cleaners and drivers. So this responsibility for fraud detection is assigned to the internal auditor, who should report directly to the audit committee of the board. Fraud detection involves the following four elements: 1) operational audit, 2) loan collection policy, 3) client sampling, and 4)
1) Operational Audit
-The purpose of the operational audit is to confirm that the policies are being followed. There are 3 reasons for policies not being followed: 1) the employee was involved in some sort of fraudulent activity; 2) the employee did not know about the policies or didn't understand them; 3) the employee believed that the policy was unreasonable.
-An operational audit is a review of all operational activities, procedures and processes, including human resources, procurement, finance, information systems and any other operational areas. It's important that this independent person or department report to the board of directors, not to management.
2) Loan Collection Policies The collection policies have a very important role in fraud detection. By involving several different persons in the collection process, MFIs not only escalate the pressure on the client, but also help to identify instances of fraud.
3) Client Sampling Client visits by internal auditors are a main aspect of fraud detection. Internal auditors use selective sampling of borrowers whose loans are more likely to be fraudulent, especially those with payments in arrears. During these client visits, internal auditors may find major discrepancies between the information in the client's file and the reality in the field, which could expose the organization to credit or fraud risk. Auditors also use selective sampling of depositors. Prior to visiting clients, internal auditors should preferably review the documents first. During field work, internal auditors can fulfill other important functions such as delinquency management, gathering information on customer satisfaction and market trends, and identify staff
4) Customer Complaints Another important method for detecting fraud and improving customer service is to establish a complaint and suggestion system that creates a communication channel through which clients can voice their opinions.
II.4. Response to Fraud If fraud is suspected, in most cases the MFI should conduct a fraud audit and then implement damage control proceedings. Fraud audit: There are two factors in conducting a fraud audit: the potential magnitude (large amount of cash) of the fraud and the extent of evidence. It should be conducted by someone with specialized training in forensic auditing. Damage control: The MFI should consider developing contingency plans which can be dusted off and put into action when fraud has occurred. The contingency plan should include the following elements:
III. Security Risk This risk has two basic elements: 1) Safety of cash: MFIs need to ensure that cash is protected from theft during office hours, after office hours, and in transit. Cash can be protected through the use of a local bank, security measures, and liquidity policies. 2) Safety of office assets: MFIs need to ensure that they are protecting their computers, fax machines, office equipment, etc. from theft. Assets can
FINANCIAL MANAGEMENT RISKS AND CONTROLS In this chapter we will discuss the 3 key risk areas: I. Asset and Liability Management Risks II. Inefficiency Risks III. System Vulnerability Risks
I. Asset and Liability Management Risks This refers to management of the spread, or the positive difference between the interest rate on earning assets and the cost of funds. Successful management of this spread requires control over: a) interest rate risk, b) foreign exchange gap, c) liquidity, and d) credit risk. An MFI can be vulnerable if it has one of the following characteristics:
-It borrows money from commercial sources to fund its portfolio;
-It funds its portfolio from client savings;
-It operates in a high inflation environment;
-It has liabilities denominated in a foreign
I.1 Interest Rate Risk This risk is particularly problematic for MFIs operating in high inflationary environments. MFIs should monitor interest rate risk by 1) assessing the amount of funds at risk for a given shift in rates, and 2) evaluating the timing of the cash changes given a particular interest rate shift. This risk is affected by interest rate sensitivity: large-scale savings are more highly affected than small ones. The measure of this risk is net interest margin=((Interest Revenue-Interest
I.2. Foreign Exchange Risk This risk occurs when an MFI holds assets and liabilities in foreign currency. MFIs with foreign currency exposure should establish control mechanisms, with options as follows:
-Add the expected devaluation rate
-Include a provision for devaluation expense on the balance sheet and income statement
-Index the interest rate on local currency loans to foreign currency.
The key ratio is currency gap risk ratio=(Assets in Specified Currency-Liabilities in Specified
Currency Devaluation Impact
Amount lent: $100,000 at 20%

| | USD | Scenario 1-SAR (no devaluation) | Scenario 2-SAR (devaluation) |
|---|---|---|---|
| Amount lent | 100,000 | 600,000 | 600,000 |
| Exchange rate at due date | | R6/USD | R7/USD |
| Amount due | 120,000 | 720,000 | 840,000 |
| Principal | 100,000 | 600,000 | 700,000 |
| Interest | 20,000 | 120,000 | 140,000 |
| Actual cost of funds* | 20,000 | 120,000 | 240,000 |
| Client revenue** | | 420,000 | 420,000 |
| Operation costs*** | | 240,000 | 240,000 |
| Net difference | | 180,000 | 180,000 |
| Profit/Loss | | 60,000 | (60,000) |

*Includes interest expense, revaluation of principal, and revaluation of interest expense
**Assume interest rate of 70%
***Assume operation cost ratio of 40%
I.3. Liquidity Risk Liquidity refers to an MFI's ability to meet its immediate demands for cash, such as disbursement, bill payment, and debt repayment. A temporary lack of loan capital can result in a dramatic spike in portfolio quality problems. The key control for liquidity is cash flow management, which ensures that cash inflow is equal to or greater than cash outflow. Besides cash flow projection, there are ratios:
-Quick Ratio=liquid assets/current liabilities
-Liquidity Ratio=(cash+expected cash inflows in period)/anticipated cash outflow in period
-Idle fund ratio=(cash+Near cash)/Total outstanding
II. Inefficiency Risk This risk involves an organization's inability to manage costs per unit of output, which causes waste of resources and ultimately provides clients with poor services and products. MFIs can improve efficiency in three ways: (1) increase the number of clients to achieve greater economies of scale, (2) streamline systems to improve productivity, and (3) cut costs.
II.1. Inefficiency Controls Four elements were discussed in this part:
-Budgeting: the master plan of all expenses and all sources of capital.
-A budget comparison report: the purpose is to allow the board and staff to monitor performance relative to the approved budget.
-Activity Based Costing: it allocates both direct and indirect related costs to specific revenue generating activities.
-Reengineering: The process of cleaning up inefficiencies (such as poor customer service or unattractive product). The greatest challenge to successful reengineering is the lack of strong leadership to organizational resistance to change.
II.2. Inefficiency Monitoring This point discussed the Efficiency and Productivity Ratios (EPRs) and Monitoring Human Errors. EPRs analyze an MFI's level of efficiency, and the MFI should compare its current performance to two other data sets: 1) the organization's past performance (trend analysis) and 2) similar organizations identified as industry leaders (industry benchmarks).
III. System Integrity Risk This is the way of securing the reliability of source data and information contained in the financial statements and management reports, through a definitive assessment of the financial reports and systems in an MFI by an external audit firm. The financial audit should be conducted on an annual basis in order to safeguard company assets.
Auditing Audit: Examination of books, records and accounts of a company which is carried out by independent auditors both external and internal.
External audit: Audit carried out by independent auditors who come from a private firm. External audit focuses on financial statement audit.
Auditing review (cont) Internal audit: an independent appraisal function established by the management of an organization for the review of the internal control system as a service to the organization.
The need for an audit The need for an audit is to certify that the reports are free from errors and fraud, in order to show strong reliability to interested parties.
Objectives of auditing
-Primary: Produce a report of true and fair opinion of the financial statements.
-Subsidiary:
 .to detect errors and fraud
 .to prevent errors and fraud by the deterrent and moral effect of the audit
 .to provide spin-off
Auditor qualification
a. Independence: The auditor not only must be independent in fact and attitude of mind but also must be seen to be independent, with unbiased opinion.
b. Competence: referred to CPA candidates.
c. Integrity: referred to qualified accountants, who are renowned for their honesty, discretion and tactfulness.
Types of auditor • Independent auditors or external auditors: referred to CPA members • Internal auditors: referred to employees of the entities they audit. • Government auditors: not mentioned in this point.
Audit Process
Internal Audit Process
-Background research
-Preparation of the audit plan
-Accounting system review
-Internal control system review
-Review related documents and do substantive testing
-Analytical review techniques
-Analytical review of financial statements
-Preparation and signing of the report
Internal control Internal control is a process designed by management to provide reasonable assurance regarding the achievement of objectives in the following categories:
•Reliability of financial reporting;
•Compliance with applicable laws and regulations;
•Effectiveness and efficiency of operations.
The elements of internal control are policies, procedures, manuals, memos, working processes...
Engagement Letter A letter that establishes mutual understanding between auditor and client. It presents the services, objective, responsibilities, scope of work, period and audit fee.
Audit Evidence
-Audit evidence (alternatively referred to as evidential matter) consists of two categories: underlying accounting data and all corroborating information.
-Auditors can collect the evidence through observation, third parties, authoritative documents, internal control, calculation, interviews...
Working Papers Working papers are papers (soft and hard) that document the evidence gathered by auditors to show the work they have done, the methods and procedures they have followed, and the conclusions they have developed in an audit of financial statement or other type of engagement.