Risk Management and Internal Audit for MFI &'

Summarized by Hong Ry, Senor Internal Auditor 2007

OPERATIONAL RISK
Vulnerabilities that MFI faces in its operations: portfolio quality, fraud risk and theft. There are 3 types of operational risk I.Credit Risk II.Fraud Risk III.Security Risk

Reduced Risk Factors

Operational risk can be reduced through developing policies and procedures that form organizations Internal control system. These controls usually included preventive and detective aspects

Preventive Controls
Preventive Controls inhibit undesirable outcome from happening: Hiring trustworthy employees who can make good credit decision Ensure that loan are backed by collateral Segregating staff duties Requiring authorization to prevent improper use of resources Maintaining proper record keeping procedures to deter improper transactions Installing sufficient security measures to protect cash and other assets

Detective Controls
Detective Controls identify undesirable outcome when they do happen Reconciling bank statement with cash receipts Monitoring early warning signals for signs of pending portfolio quality problems Implementing delinquency management policies to prevent late payments from escalating into bad debts Monitoring staff performance to ensure policies and procedure are followed Visiting clients to ensure that their loan and saving account balances and transaction dates correspond with the MFIs records

I.

Credit Risk

Deterioration in loan portfolio quality that result in loan losses and high delinquency management cost. Credit risk related to client failure to meet the terms of a loan contract. This risk can be livestock disease for portfolio quality. In this point we focus on Credit risk controls and Credit risk monitoring.

I.1. Credit Risk Controls

A lenders risk management expand from controls that reduce the potential for loss to controls that reduce actual losses. The four key credit risk controls are (1) loan product design, (2) client screening, (3) credit committees, (4) delinquency management

(1) Loan Product Design

Loan product should be designed to address the specific loan purpose with different design features included loan size, loan terms, interest rate, repayment schedule, collateral requirements, eligibility requirements, and other special terms in order to meet client need. These Product design features cam minimize credit risk

(2) Client Screening

MFI typically use the 5Cs for screening clients: 1.Character:the applicants willingness to repay and ability to run the enterprise 2.Capacity: whether the cash flow of business or household can service loan repayments. 3.Capital: Assets and liabilities of the business and/or household 4.Collateral: Access to an asset that the applicant is willing to cede in case of non-repayment, or a guarantee by a respected person to repay a loan in default. 5.Condition: a business plan that considers the level of competition and the market for the product or service, and the legal and economic environment

(3) Credit Committee Credit committee is established to approve loans, monitor their progress and get involved in delinquency management. Additionally, MFI should have written policies regarding Loan approval authority with specific loan amount which can be approved by two people or third person requirement.

(4) Delinquency Management

To minimize the delinquency, CARE recommends six delinquency management methods: 1. Institutional culture 2. Client Orientation 3. Staff incentives 4. Delinquency penalties 5. Enforcing contracts 6. Loan rescheduling

I.2. Credit Risk Monitoring

This point discuss about the monitoring of the portfolio quality ratios on monthly basis which can minimize credit risk. These ratios included Portfolio at Risk, Loan Loss Ratio, Reserve Ratio, and Loan Rescheduling Ratio.

II. Fraud Risk

Wherever there is money, there is an opportunity for fraud. However, through proper controls they can reduce their vulnerability to fraud. This section first summarize common types of fraud and discusses controls for preventing and detecting fraud.

II.1. Types of Fraud

Fraudulent activities can occur in following lending process: 1. Loan disbursement 2. Repayment 3. Collateral procedures, and 4. Closure activities Fraud can occur from misuse of petty cash, false travel claims, kickbacks from procurement contracts, and management override.

II.2. Types of Fraud (cont)

High level employees incite employee violate control policies or procedures, enabling his/her commit fraud. The More vulnerable to MFIs fraud such as: poor portfolio quality, weak information system, change in information system, weak internal control procedures, high employee turnover, multiple loan products, handle cash, and rapid growth.

II.2. Control: Fraud Prevention

The CARE EDU suggests the following 8 categories of control to reduce fraud: 1.excellent portfolio quality 2.simplicity and transparency 3.human resource policies 4.client education 5.credit committee 6.handling cash 7.handling collateral and 8.write-off and rescheduling policies

II.3. Monitoring: Fraud detection

The best prevention strategies in the world are not going to eliminate fraud. This is partly. The fraud detection is the responsibility of all staff members, from the chairman of the board down to cleaners and drivers. So this responsibility for fraud detection is tasked to internal auditor which should report directly to audit committee of the board. Fraud detection involves the following four elements: 1) operational audit, 2) loan collection policy, 3) client sampling, and 4) customer complaints.

1) Operational Audit
1)The purpose of operational audit is to confirm that the policies are being followed. There are 3 reasons for being not following policies:1) the employees was involved in some sort of fraudulent activities; 2) the employees did not know about policies or didnt understand; 3) the employees believed that the policy was unreasonable. 2)An operational audit is a review of all operation activities, procedures and process, including human resources, procurement, finance, information systems and any other operational areas. Its important that this independent person or department report to the board of director, not to management.

2) Loan Collection Policies

The collection policies have a very important role in fraud detection. By involving several different persons in the collection process, MFIs not only escalate the pressure on client, but also help to identify instances of fraud.

3) Client Sampling
The client visited by internal auditors is a main aspect of fraud detection. Internal auditors use selective sampling of borrowers whose loans that are more likely to be fraudulent, especially payment in arrears.This client visit, internal auditors may find major discrepancies between information in clients file and the reality in the field, which could expose the organization to credit or fraud risk. auditor also use selective sampling of depositors.Prior to visiting clients, internal auditors are preferred to reviewing document first. Field work, internal auditor can fulfill other important function such as delinquency management, gathering information on customer satisfaction and market tends, and identify staff training needs.

4) Customer Complaints
Another important method for detecting fraud and improving customer service, is to establish a complain and suggestion system that creates a communication through which clients can voice their opinions.

II.4. Response to Fraud

If fraud is suspected, in most cases the most MFI should conduct a fraud audit and then implement damage control proceedings. Fraud audit: There are two factors in conducting fraud audit are potential magnitude(large amount of cash) of fraud and the extent of evidence and should be conducted by specialized training in forensic auditing. Damage control: MFI should consider developing contingency plans which can be dusted off and put into action when fraud is occurred. contingency plan should include the following elements:

III. Security Risk

This risk has two basic elements: 1) Safe of cash: MFIs need to ensure that cash is protected from theft during office hours, after office hours, and in transit. cash can protect through the use of local bank, security measures, and liquidity policies. 2) Safety of Office assets: MFIs need to ensure that they are protecting their computers, fax machine, office equipment..etc from theft. Assets can protect through a fix assets register.

FINANCIAL MANAGEMENT RISKS AND CONTROLS

In this chapter we will discuss the 3 key risk areas: I.Asset and Liability Management Risks II.Inefficiency Risks III.System Vulnerability Risks

I. Asset and Liability Management Risks

Its refers to management of spread, or the positive difference between the interest rate on earning assets and cost of funds. Successful of this spread requires control over: a) interest rate risk, b) foreign exchange gap, c) liquidity, and d) credit risk. MFI can vulnerable if it has one of the following characteristics: It borrows money from commercial sources to fund its portfolio; It funds its portfolio from client saving; It operates in a high inflation environment; It has liabilities denominated in a foreign currency.

I.1 Interest Rate Risk

This risk is particularly problematic for MFIs operating in high inflationary environments. MFIs should monitor interest rate risk by 1) assessing the amount funds at risk for a given shift in rates, and 2) evaluating the timing of the cash changes given a particular interest rate shift. This risk can be effected by interest rate sensitivity which large scale saving is highly effected than small ones. The measure of this risk is net interest margin=( Interest Revenue-Interest Expense)/Average Total Assets

I.2. Foreign Exchange Risk

This risk occurs when MFI hold assets and liabilities in foreign currency. For MFIs with foreign currency exposure should establish control mechanisms which have options as follows: Add the expected devaluation rate Include a provision for devaluation expense on the balance sheet and income statement Index the interest rate on local currency loan to foreign currency. The key ratio is currency gap risk ratio=(Assets in Specified Currency-Liabilities in Specified Currency)/Performing Assets

Currency Devaluation Impact

Amount lent:$100,000 at 20% USD Scenario 1-SAR (no devaluation) Scenario 2-SAR (devaluation)

Amount lent Exchange rate at due date Amount due Principle Interest Actual cost of funds* Client revenue** Operation costs*** Net difference Profit/Loss

100,000 120,000 100,000 20,000 20,000

600,000 R6/USD 720,000 600,000 120,000 120,000 420,000 240,000 180,000 60,000

600,000 R7/USD 840,000 700,000 140,000 240,000 420,000 240,000 180,000 (60,000)

*Includes interest expense, revaluation of principal, and revaluation of interest expense **Assume interest rate of 70% ***Assume operation cost ratio of 40%

I.3. Liquidity Risk

Liquidity refers to an MFIs ability to meet its immediate demands for cash, such as disbursement, bill payment, and debt repayment. A temporary lack of loan capital can result in a dramatic spike in portfolio quality problems. The key control for liquidity is cash flow management which ensure that cash inflow is equal to or greater than cash outflow. Besides cash flow projection is ratios: -Quick Ratio=liquid assets/current liabilities -Liquidity Ratio=(cash+ expected cash inflows in period)/anticipated cash outflow in period -Idle fund ratio=(cash+Near cash)/Total outstanding Portfolio

II. Inefficiency Risk

This risk involves the an organizations disability to manage costs per unit of output which cause waste of resources and ultimately provide clients with poor services and products. MFIs can improve efficiency in three ways:(1) increase the numbers of clients to achieve greater economics of scale, (2) streamline systems to improve productivity, and (3) cut costs.

II.1. Inefficiency Controls

There are four elements were discussed in this part: Budgeting: the master plan of all expenses and all sources of capital. A budget comparison report: the purpose is to allow the board and staff to monitor performance relative to the approved budget. Activity Based Costing: its allocates both direct and indirect related costs to specific revenue generating activity. Reengineering: The process of cleaning up inefficiencies (such as poor customer service or unattractive product). The greatest challenge to successful reengineering is the lack of strong leadership to organizational resistance to change.

II.2. Inefficiency Monitoring

This point was discussed the Efficiency and Productivity Ratios and Monitoring Human Errors. EPRs analyze its level of efficiency, and MFI should compare its current performance to two other data sets: 1) the organizations past performance (trend analysis) and 2) similar organizations identified as industry leaders (industry benchmarks).

III. System Integrity Risk

Its the way of secure the reliability of source data and information contained in the financial statement and management reports through definitive assessed the financial reports and systems in an MFI by external audit firm. The financial audit should conduct on an annual basis in order to safeguard company assets.

Auditing
Audit: Examination of books, records and
accounts of a company which is carried out by independent auditors both external and internal.

External audit: Audit carried out by

independent auditors who come from private firm. External audit focus on financial statement audit.

Auditing review (cont)

Internal audit: an independent appraisal
function established by the management of an organization for the review of internal control system as service to the organization

The need for an audit

The need of audit is to certify the reports are free from errors and frauds in order to show strong reliability to interest parties.

Objectives of auditing
-Primary: Produce report of true and fair opinion of financial statement. -Subsidiary: .to detect errors and fraud .to prevent errors and fraud by the .deterrent and moral effect of the audit. .to provide pin-off

Auditor qualification
a. Independence :Auditor not only must be independent in fact and attitude in mind but also must be seen to be independent with unbiased opinion. b. Competence : referred to CPA candidates. c. Integrity : referred to qualified accountants are renowned for their honesty, discretion and tactfulness

Types of auditor
Independent auditors or external auditors: referred to CPA members Internal auditors: referred to employees of the entities they audit. Government auditors: not mentioned in this point.

Audit Process

Internal Audit Process

-Background research -Preparation of the audit plan -Accounting system review -Internal control system review -Review related document and do substantive testing -Analytical review techniques -Analytical review of financial statement -Preparation and signing report

Internal control
Internal control is process designed by managements to provide reasonable assurance regarding the achievement of objectives in the following categories: Reliability of financial reporting; Compliance with applicable laws and regulations; Effectiveness and efficiency of operations. The elements of internal control are policies, procedures, manuals, memos, working processes.

Engagement Letter
A letter which provides the understanding each other between auditor and client. It presents the services, objective, responsibilities, scope of work, period and audit fee.

Audit Evidence
-Audit evidence (alternatively referred to as evidential matter) consist of two categories: underlying accounting data and all corroborating information -Auditor can collect the evidence through observation, third parties, authoritative document, internal control, calculation, interview

Working Papers
Working papers are papers (soft and hard) that document the evidence gathered by auditors to show the work they have done, the methods and procedures they have followed, and the conclusions they have developed in an audit of financial statement or other type of engagement.