Compliance Boot Camp


Transcript of Compliance Boot Camp

Page 1: Compliance Boot Camp

FIRMA COMPLIANCE “BOOT CAMP”

DUANE E. LEE, II

EXECUTIVE VICE PRESIDENT

CANNON FINANCIAL INSTITUTE

Page 2: Compliance Boot Camp

What is a “Boot Camp”

Boot Camp refers to military new recruit training, the initial indoctrination and instruction given to military personnel.
– Creates a base level of conditioning and discipline.
– Awareness of requirements and expectations.
– Creates a set of shared core values.

Page 3: Compliance Boot Camp

BUY THIS BOOK (Create your own Compliance Library)

Integrated Compliance & Total Risk Management, Mark G. Arthus

Page 4: Compliance Boot Camp

SOURCE MATERIALS (Create your own Compliance Library)

FDIC’s Trust Examination Handbook, May 2005
OTS’s Trust and Asset Management Handbook, July 2001
OCC’s:
– Asset Management, December 2000
– Collective Investment Funds, October 2005
– Conflicts of Interest, June 2000
– Custody Services, January 2002
– Investment Management Services, August 2001
– Personal Fiduciary Services, August 2002
– Retirement Plan Services, December 2007
FRB’s Trust Examination Manual, February 1997
FRB’s Transfer Agent Examination Manual, February 1997
The Trust Compliance Handbook, Price Waterhouse

Page 5: Compliance Boot Camp

SOURCE MATERIALS (Create your own Compliance Library)

Sheshunoff (Regulatory Compliance Associates, Inc.)
– Trust Department Internal Control Manual
– Trust Department Management Manual
– Trust Department Policies and Procedures
– Trust Department Risk Management: Preparing for an Examination
– Trust Services Audit Manual

ABA
– Guide to Operational Risks in the Trust Business
– Trust & Fiduciary Federal Reporting Requirements

Page 6: Compliance Boot Camp

SOURCE MATERIALS (Create your own Compliance Library)

Texas Bankers Association
– Trust Policy Manual
– Trust Operations and Procedures Manual
– Trust Compliance Checklist

Kenneth J. Namjestnik (BIA/Probus)
– The Trust Audit Manual: Fiduciary Audit Practices, Policies and Regulations
– Trust Risk Management: Assessing and Controlling Fiduciary Risk
– The Trust Risk Management Manual: A Hands-On Guide to Assessing and Monitoring Trust Operations

Page 7: Compliance Boot Camp

PURPOSE/DEFINITION

– External Audit
– SAS 70 Review
– Internal Audit
– Regulatory Exam
– Compliance Testing
– Risk Management Program
– Control Self-assessments

Page 8: Compliance Boot Camp

TYPE OF PROGRAM NEEDED

INTEGRATED SOLUTION
FOCUS ON THE “BIG PICTURE”
WHAT GETS “MEASURED” GETS “DONE”
IF IT CAN BE “MEASURED” IT CAN BE “IMPROVED”

Page 9: Compliance Boot Camp

DEVELOPING AN INTEGRATED TEAM

– Board of Directors
– Fiduciary Committees (Board and Officer)
– Senior Management
– Line Management
– Staff
– Compliance Officer
– Internal Auditor
– Risk Management Officer
– Legal Counsel

Page 10: Compliance Boot Camp

10 KEY ELEMENTS OF AN EFFECTIVE COMPLIANCE PROGRAM

– Board of Director & Senior Management Involvement
– Organized Structure
– Policies and Procedures
– Training Program
– Internal Controls
– Self-assessments
– Compliance Review
– Legal Review
– Risk Review
– Audit Review

Page 11: Compliance Boot Camp

Introduction and Purpose

Bank directors must use care and prudence in the administration of the bank’s fiduciary activities and must exercise caution to see that applicable laws, regulations, and fiduciary principles, policies and procedures are not violated.

If, through their failure to do so, a loss to the beneficiaries or the bank results, they can be held liable for such loss in an action for damages.

Banks are encouraged to purchase insurance to provide appropriate protection from financial loss imposed by such potential liability.

Directors should recognize that all aspects of the bank’s performance of its fiduciary duties are their responsibility and the official records of the board should clearly reflect the proper discharge of that responsibility.

Page 12: Compliance Boot Camp

Discharging Director’s Duties

Bank directors are expected to retain and perform general supervision over the exercise of the bank’s fiduciary powers.

In discharging that responsibility, directors may assign the administration of fiduciary powers as they may consider proper to such directors, officers, employees, or committees as they may designate.

However, directors cannot discharge their duties by delegating the entire administration to officers selected by them.

They are responsible for directing and reviewing the actions of all persons or committees involved in the exercise of fiduciary powers.

Page 13: Compliance Boot Camp

Discharging Director’s Duties

The directors of each national bank may discharge their duties and responsibilities as they deem most practical within the limits set forth in OCC Regulation 9.7 (12 CFR 9.7).

Any workable system or organization of a trust department may be acceptable as long as the directors are fully aware of and are fulfilling their responsibilities.

Page 14: Compliance Boot Camp

Discharging Director’s Duties

If the board assigns functions to individuals or committees, it must keep informed about how such assignments are performed.

All actions taken by committees in the performance of fiduciary functions should be recorded properly in appropriate minutes, or in a similar record, when performed by a designated person.

It is not necessary for the board to review all written records and formally approve every action taken by those persons or committees.

However, such records should be available for the board’s inspection, and minutes of board meetings should reflect that such records are made available to directors.

Page 15: Compliance Boot Camp

Discharging Director’s Duties

The system of organization and the manner of administration of the bank’s fiduciary activities should be prescribed in the bank’s bylaws or by resolutions of the board of directors.

Each board should make an annual reassessment of trust department organization and administration to ensure the proper exercise of fiduciary powers.

If some responsibilities of the board of directors are assigned to persons or committees by resolution, it should be done annually during the organizational meeting at which committees and officers are appointed.

Page 16: Compliance Boot Camp

Trust Department Policies and Procedures

The directors must implement sufficient trust department policies, procedures, and internal controls to promote high-quality fiduciary administration.

When properly monitored by the directors, well-developed policies, procedures, and internal controls promote efficiency and compliance with laws and sound fiduciary principles, and deter losses through charge offs or surcharge.

Page 17: Compliance Boot Camp

Trust Department Policies and Procedures

Policies should be written and formulated to provide a clear framework within which the trust officers must operate and administer all aspects of the bank’s fiduciary business.

Written at a “knowledgeable stranger” level of comprehension.

Page 18: Compliance Boot Camp

Trust Department Policies and Procedures

Some of the more important areas where policies, procedures, and internal controls are needed include:
– Organization & Supervision
– Operations
– Controls
– Audits
– Conflicts of Interest
– Pricing
– Account Acceptance (4-P’s) & Closing
– Ethics

Page 19: Compliance Boot Camp

Trust Department Policies and Procedures

Some of the more important areas where policies, procedures, and internal controls are needed include:
– Account Administration
    – Personal Trust, Agency & Court Accounts
    – Retirement Accounts
    – Corporate Trust & Agency
    – Investment Management Agency
    – Custodial & Safekeeping Agencies
    – Escrow

Page 20: Compliance Boot Camp

Trust Department Policies and Procedures

Some of the more important areas where policies, procedures, and internal controls are needed include:
– Asset Management
    – Marketable Securities
    – Closely-Held Businesses
    – Real Estate
    – Loans & Mortgages
    – Limited Partnerships
    – Mineral Interests
    – Unique & Miscellaneous Assets
    – Mutual Funds & Collective Funds

Page 21: Compliance Boot Camp

REGULATORY RISK CATEGORIES & SUB-CATEGORIES

– Credit
– Interest rate
– Liquidity
– Price
– Foreign exchange
– Transaction
– Compliance
– Strategic
– Reputation

Page 22: Compliance Boot Camp

REGULATORY RISK CATEGORIES & SUB-CATEGORIES

– Process risk
– People risk
– Systems risk
– Event risk
– Business risk

Page 23: Compliance Boot Camp

7 Key Lessons of Effective Risk Management

Lesson 1 - Know your business.
– Utilize criteria established in due diligence process.
– Managers must understand risks.
– All employees must understand how their jobs affect the risk profile.

Page 24: Compliance Boot Camp

7 Key Lessons of Effective Risk Management

Lesson 2 - Establish checks and balances.
– Ensure balance of power in managing resources. Look for concentrations:
    – Knowledge
    – Power
    – Volume
    – Dollars
    – Bottle-necks
  Then diversify.
– Not desirable to let concentration of power commit capital to risk-taking activities.

Page 25: Compliance Boot Camp

7 Key Lessons of Effective Risk Management

Lesson 3 - Set limits and boundaries.
– Limits and boundaries describe where and when to STOP!
    – Trading limits
    – Credit limits
    – Dollar limits
    – Discretionary authority
    – Deviations, exceptions & waivers
    – Hiring practices
    – Acceptance of appointments
    – Pricing of services

Page 26: Compliance Boot Camp

7 Key Lessons of Effective Risk Management

Lesson 4 - Monitor cash (funds)

“Cash is king. Accounting is opinion.”

Cash transfer
– Authorized signatures
– Limits
– Approvals
– Separate processing

Cash movement
– Measure
– Monitor
– Reconcile
– Document

Page 27: Compliance Boot Camp

7 Key Lessons of Effective Risk Management

Lesson 5 - Use correct measures of success.
– Performance measures and rewards drive behavior and risk.
– Performance measures and incentives must be risk-adjusted.
– What pressures are there to meet goals?
– What gets measured gets done.
– What can be measured can be improved.

Page 28: Compliance Boot Camp

7 Key Lessons of Effective Risk Management

Lesson 6 - Pay for desired performance.
– Are rewards established at correct targets?
– What is the effect on risk and/or losses?
– Hint: If smart people are doing stupid things, check the incentive structure.

Page 29: Compliance Boot Camp

7 Key Lessons of Effective Risk Management

Lesson 7 - Take a balanced approach.

Drivers of risk taking
– Independent risk function
– Oversight committee
– Risk assessment
– Risk based audits and compliance monitors
– Risk limits
– Risk based policies and procedures

Enablers of risk taking
– Setting tone from the top
– Establish risk culture and values
– Facilitate open discussions about risk
– Provide risk training
– Reinforce desired behaviors

Page 30: Compliance Boot Camp

Trust Department Audits

When the directors lack adequate knowledge of trust audit techniques and procedures, or internal auditors lack expertise, boards are encouraged to employ outside auditors to perform the trust department audit on their behalf.

An audit by an outside firm is more beneficial to the directors if the audit committee or the entire board is well informed of audit activity and audit results.

Directors are responsible for approving and monitoring audit scope, reviewing audit findings, and ensuring correction of all audit exceptions.

Before concluding an audit review, directors should understand thoroughly the significance of the report.

The audit committee should determine that the scope of audit is sufficient to present a true picture of the department’s condition.

Page 31: Compliance Boot Camp

Compliance Management

The directors should establish a system to promote, monitor, and evaluate adherence to internal policies, procedures, fiduciary principles and applicable laws and regulations.

Trust compliance is a management function deserving the same effort as other management functions.

Management should make individuals accountable for the trust department’s compliance program.

Compliance should be part of each employee’s performance standards.

Page 32: Compliance Boot Camp

Risk Management

A formal program of fiduciary risk management should be established to identify and control fiduciary risks.

Board participation and control of the risk management process is essential.

The program should include delineation by management and the board of the risk they are willing to assume, identification of risks in current operations, supervision of current and proposed operations, implementation of adequate controls and risk monitoring systems.

Page 33: Compliance Boot Camp

Internal Controls

Internal control procedures are included as part of a trust system’s normal processing tasks.

It is the responsibility of directors to ensure that good internal controls exist to prevent persons from making significant errors or perpetrating irregularities without timely detection.

Internal controls should include methods to protect assets, assure the integrity of operating records, promote operating efficiency, and promote adherence to policies, laws, and regulations.

Page 34: Compliance Boot Camp

Common Problems

Every organization faces problems in its daily operations that are simply a part of doing business.
– Control
– Reduce
– Minimize
– Transfer
– Eliminate

Page 35: Compliance Boot Camp

Source of Problems

Internally created (two-headed).
– Strengths
    – Paying sufficient attention to familiar situations
– Weaknesses
    – Appropriate judgment of unfamiliar situations

Created by external factors:
– Political
– Social
– Economic
– Competitive

Perform SWOT Analysis

Page 36: Compliance Boot Camp

Types of Problems

Those that exist now.
– Known
– Unknown

Those that will exist in the future.
– Change driven:
    – Strategic direction
    – Marketplace
    – Regulatory
    – Product
    – Service
    – Security Features
    – Process & Systems Conversions

Page 37: Compliance Boot Camp

Common Problems and Resulting Risk to an Organization

– There is no consistent, formal, organization-wide approach to compliance and risk management
– Outdated, incomplete, and inconsistently applied policies and procedures
– Compliance and risk management education and awareness are poor
– Lack of or poor compliance and risk management controls
– No compliance validation program
– No business-wide management review
– Weak internal audit relationship and interface
– Compliance viewed as a cost center or a necessary evil

Page 38: Compliance Boot Camp

Compliance

Defined as complying with:
– Legal regulations
– Corporate policy
– Sound productivity practices
– Sound efficiency practices
– Quality control
– Training and education
– Sound human resource management
– The corporate mission statement
– The strategic plan
– The business plan
– The budget
– Contingency planning
– Strong ethical and moral social behavior
– Profitability requirements and cost controls

Page 39: Compliance Boot Camp

Compliance

Compliance is not just government regulations anymore. It encompasses virtually everything an organization does.

If it is important enough to do it in the first place, it is important enough to do it right, no matter how small the task is.

Compliance is all about doing the right things right.

Page 40: Compliance Boot Camp

7 Most Common and Serious Problems

I. There is no consistent, formal, organization-wide approach to compliance and risk management.

Page 41: Compliance Boot Camp

7 Most Common and Serious Problems

II. Outdated, incomplete, and inconsistently applied or non-existent policies and procedures:
– Key operating policy and procedure manuals are outdated in several areas and are not comprehensive across all functions.
– Policies are not well communicated or understood by staff and management and they are not consistently followed throughout the organization.
– All procedures are not formalized or documented.
– Identical functions are performed differently among businesses, areas, and/or departments.

Page 42: Compliance Boot Camp

7 Most Common and Serious Problems

III. Compliance and risk management education and awareness are poor or non-existent:
– No formalized education or training process.
– The board of directors, committees, senior management, and key employees are not fully aware of important policy and procedure.
– No mechanism for identifying education, training and compliance needs.
– Not everyone understands that compliance and risk management is good for business.

Page 43: Compliance Boot Camp

7 Most Common and Serious Problems

IV. Lack of, poor, or non-existent compliance and risk management controls:
– Ineffective and inefficient controls that are often ignored by staff and management because they are error-prone, hard to evaluate, or too complex to fully execute.
– Inability to identify actual and potential risk and compliance concerns until well after they have occurred.

Page 44: Compliance Boot Camp

7 Most Common and Serious Problems

V. No compliance validation program:
– Since there is no compliance validation or self-testing, there is an inability to verify that compliance controls are working in the organization.
– There is a very low confidence level in risk assessment as well as an incapacity to consistently demonstrate whether a process is functioning properly.
– There is no compliance oversight function on the individual department level or the organizational level.

Page 45: Compliance Boot Camp

7 Most Common and Serious Problems

VI. No business-wide management review:
– Compliance and risk management review is not seen as an income/profit producing event.
– Senior management, fiduciary examining committees, and board of directors get their information through slide presentations and bullet memos.
– There is no consistent business-wide management communication top down or bottom up.
– Senior management, fiduciary examining committees, and boards of directors do not hold regularly scheduled compliance and risk reviews and thus are not always kept current on compliance and risk matters.
– Dashboard Metrics

Page 46: Compliance Boot Camp

7 Most Common and Serious Problems

VII. Weak or non-existent internal audit relationship and interface:
– Management:
    – There is a general lack of strong communication between management and audit in terms of teamwork, goals, and the organizational benefit.
    – Line managers have a limited understanding of audit’s purpose and therefore regard them as an outside intervention into their department.
    – Line managers have a limited understanding of the audit process and therefore do not utilize audit as a compliance and risk management tool and information source.
    – The consequence of all this is too many surprises in the audit findings and very little understanding of the final outcome.

Page 47: Compliance Boot Camp

7 Most Common and Serious Problems

VII. Weak or non-existent internal audit relationship and interface:
– Auditors:
    – There is no complete verification of the effectiveness and efficiency of the compliance and risk management function.
    – The audits do not focus on process and controls, but rather test only historical transactions.
    – The audit focus does not cause management to concentrate on areas that are sensitive to business risk and overall compliance.

Page 48: Compliance Boot Camp

7 Most Common and Serious Problems

Why a small compliance staff is better than a large one:
– Smaller compliance and risk management staff
– Pro-active management
– Easy identification of training needs
– Cross-training
– More accurate information
– Better controls and organization
– Involvement of line management
– Personal accountability

Page 49: Compliance Boot Camp

Definition of Risk

– Public image
– Loss of clients
– Weak profitability
– Loss of revenue or funds through errors
– Loss of revenue or funds through fraud
– Inappropriate business fit with current or future plans
– Poor new product review
– Poor new account review
– Poor new security type/feature review
– Weak management expertise in key areas

Page 50: Compliance Boot Camp

Definition of Risk

– Poor knowledge level (education) of management and staff
    – Business knowledge
    – Conflict of interest
    – Policy and procedures
    – Regulatory
– Poor risk monitoring and controls
– Poor strategic and business planning
– Poor contingency planning
– Non-compliance and direct violations of law
– Breach of fiduciary responsibility (22 Basic Principles)

Page 51: Compliance Boot Camp

Compliance Validation Program

An effective compliance and risk management validation program must have the following:
– The experts or line managers and staff who perform the functions do the validation (CSA).
– Consistent and organized proactive approach that regularly validates the risk points on a periodic basis.
– Review and assessment of the findings to effect appropriate change and improvements.
– Full and continuous support from senior management.
– Periodic review of the program by the compliance and risk managers and the auditors to ensure its continued effectiveness.

Page 52: Compliance Boot Camp

Twelve Point Risk Oriented Compliance Validation

– Map and schedule the compliance universe for risk overview.
– Gain detailed understanding of the area functions and responsibilities of the identified compliance review areas.
– Create a risk point outline of the area.
– Risk-rank the points of the Risk Point Outline and identify desired review areas.
– Flowchart the functions and operations under review.
– Evaluate the major risk controls and monitoring systems.

Page 53: Compliance Boot Camp

Twelve Point Risk Oriented Compliance Validation

– Use statistical sampling during the validation process.
– Develop an effective validation process.
– Perform testing – documentation and evaluation of results.
– Understand the results to identify required changes.
– Ensure implementation of changes.
– Report and follow-up.

Page 54: Compliance Boot Camp

5 Basic Requirements of an Integrated Compliance and Risk Management Program

The program must utilize very limited personnel and corporate resources.

The program must be easily accepted, understood, and implemented.

The program must have permanence and remain intact and effective long after the initial start-up.

The program must be flexible and capable of change with the growing demands of the organization, industry, and regulations.

The program must be virtually seamless and invisible to the daily functions of the staff.

Page 55: Compliance Boot Camp

8 Components of an Integrated Compliance and Risk Management Program

I. Total organizational management commitment, top down:
– Total organizational commitment must start at the top with management and work its way down through the organization.
    – Continually talk compliance and risk management.
    – Demonstrate through actions, rewards, and consequences that compliance and risk management is everyone’s responsibility.
– Creation of a risk management review committee.
– Identification of compliance designate in each area.
– Provide quarterly updates to the Board of Directors, committees and senior management.
– Build accountability into all management’s objectives.

Page 56: Compliance Boot Camp

8 Components of an Integrated Compliance and Risk Management Program

II. Current and accurate policy and procedures manuals.
– Reflect:
    – Organizational Structure
    – Workflows
    – Vendor System

Page 57: Compliance Boot Camp

8 Components of an Integrated Compliance and Risk Management Program

III. Ongoing and thorough education program:
– Some of the more critical reasons for having a thorough, ongoing and organization-wide education and training program are as follows:
    – Better trained and knowledgeable organization members
    – Clear and consistent understanding throughout the organization
    – More efficient, effective, productive controls
    – Fewer errors and fraud
    – Reduced liability
– There are three important points to be kept in mind for every program:
    – Education
    – Ownership
    – Recognition

Page 58: Compliance Boot Camp

8 Components of an Integrated Compliance and Risk Management Program

IV. Compliance validation program (review):
– 12-point risk oriented compliance validation
    – Map and schedule compliance universe for risk overview.
    – Gain detailed understanding of the area functions and responsibilities of the identified compliance review areas.
    – Create a risk point outline of the area.
    – Risk-rank the points of the risk point outline and identify desired review areas.
    – Flowchart functions and operations under review.

Page 59: Compliance Boot Camp

8 Components of an Integrated Compliance and Risk Management Program

IV. Compliance validation program (review):
– 12-point risk oriented compliance validation
    – Evaluate major risk controls and monitoring systems.
    – Use of statistical sampling during the validation process.
    – Development of an effective validation process.
    – Completed validation – documentation and evaluation of results.
    – Understanding the results to identify required changes.
    – Ensuring implementation of changes.
    – Reporting and follow-up.

Page 60: Compliance Boot Camp

VALIDATION PROCESS

VALIDATION IS NOT
– A checklist compliance test.
– Concerned with wholesale sampling.
– Transaction testing.
– Testing every aspect of the department or organization.

VALIDATION IS
– Concerned with tactical sampling.
– Verifying the effectiveness of processes and controls.
– Uncovering excessive and/or duplicate process and controls that eventually hamper productivity and profitability.
– Identifying training and education needs.
– Validation of the overall soundness of compliance and risk management of the area.

Page 61: Compliance Boot Camp

8 Components of an Integrated Compliance and Risk Management Program

V. Strong compliance and risk management controls:
– Identifying where the controls should be.
– Installing those controls that are not there, removing those that don’t belong, and assessing and modifying the remaining desired controls.
– Mandatory vs. Discretionary
    – Preventive
    – Detective
    – Directive
    – Mitigating

Page 62: Compliance Boot Camp

8 Components of an Integrated Compliance and Risk Management Program

V. Strong compliance and risk management controls:
– Some of the specific benefits of a compliance certification are:
    – Line management that is very knowledgeable and kept current on area systems and processes.
    – Strong awareness of compliance and risk management at the grass roots level.
    – Accountability is placed where it belongs and with the people who can effect the change.
    – Effective use of existing resources.
    – Lower staff costs by not utilizing whole groups or departments of third party reviewers (checkers and auditors).
    – Ultimate and very beneficial by-products of this approach are increased efficiency, productivity, and overall quality.

Page 63: Compliance Boot Camp

8 Components of an Integrated Compliance and Risk Management Program

VI. Well and consistently informed management and staff:
– Hold regularly scheduled compliance and risk management training sessions.
– Create formal information services in the organization.
– Hold regularly scheduled key compliance and risk management meetings.
– Hold regularly scheduled group risk assessment discussions.

Page 64: Compliance Boot Camp

8 Components of an Integrated Compliance and Risk Management Program

VII. Adequate Staffing in the Business Units:
– The compliance designate must:
    – Acquire basic knowledge and understanding of the laws, regulations, and corporate policy that directly affect his or her area.
    – Review and be thoroughly familiar with the area and department policy and procedure manual.
    – Keep the department fully informed on all relevant compliance requirements, matters, and problems.
    – Act as focal point for the department compliance and risk management issues.
    – Keep fully informed on and understand the audit programs, approach, technique, and requirements.
    – Assist in the area preparation for all audits.
    – Act as major information source during all audits.
    – Coordinate and/or perform the department compliance validation.
    – Be responsible for the coordination of all area compliance and risk management education needs.

Page 65: Compliance Boot Camp

8 Components of an Integrated Compliance and Risk Management Program

VIII. Internal Audit as a Team Member:
– Review all of the audit programs to determine if they have the most effective focus for ensuring that the bank meets compliance, risk management, and regulatory requirements.

– Review all of the audit programs to determine if they are consistent in their application and execution.

– Review all of the audit programs to determine if they have a process and control orientation and not a transactional focus.

– Review the audit scope to determine if it covers all of the appropriate areas and functions.

Page 66: Compliance Boot Camp

Developing a Risk-Based Compliance Team

Compliance teamwork benefits:
– More efficient operations
– Reduced personnel
– More responsive and flexible system
– Better educated management and staff
– Increased productivity
– Reduced overall risk
– Reduced overall cost

Page 67: Compliance Boot Camp

Developing a Risk-Based Compliance Team

Compliance and risk management team:
– The Board of Directors
– Fiduciary Committees
– Senior management
– Line management
– Staff
– Compliance Officer
– Internal Auditor
– Legal counsel

Page 68: Compliance Boot Camp

Developing a Risk-Based Compliance Team

Board of Director Responsibilities:
– Review the organization’s strategic and business plan for appropriate direction, business fit, and overall soundness.
– Each board member must be given a copy of the Key Operating Policy and Procedure Manual for review.
– Review quarterly the actual financial and business results of the organization in comparison to expectations and plan.
– Affirm and require on a quarterly basis evidence of the organization’s compliance with the laws, regulations, and corporate policies.
– Periodic review and approval of the organization’s major risk areas and functions.
– Act as the Management Operating Review Committee. Review and pass recommendations on all major operations changes and considerations.

Page 69: Compliance Boot Camp

Developing a Risk-Based Compliance Team

Audit Committee Functions:
– Each committee member must be given a copy of the Key Operating Policy and Procedure Manual for review.
– Perform a quarterly review and assessment of the organization’s Integrated Compliance and Risk Management Program to determine if it meets the needs of the organization.
– Review financial statements and reporting results for major variances and exceptions.
– Review annually the organization’s major risk policies.
– Assess and attest to the internal and external audit independence.
– Review the plan and scope of the internal audits based on assessment.

Page 70: Compliance Boot Camp

Developing a Risk-Based Compliance Team

Audit Committee Functions:
– Review and formally approve annually the internal audit programs and schedule of audits.
– Review all internal audit results. Ensure that all major risk issues have been identified and are being addressed.
– Give a report to the Board of Directors on a quarterly basis on the committee’s evaluations, conclusions, and recommendations on the condition of the organization’s compliance and risk management activities and the effectiveness of its policies, procedures, and controls, with regulation, law, corporate policy, and sound compliance and risk management principles.
– Review all external audits and examinations by outside accounting firms and government regulators.

Page 71: Compliance Boot Camp

Developing a Risk-Based Compliance Team

Role of Line Management:
– Line management has the primary responsibility and accountability for complete compliance and risk management in the organization.
– Keep policies and procedures current and accurate.
– Develop and maintain internal compliance controls in their area and department.
– Develop with compliance and maintain a compliance validation and a compliance certification program for their area and department to identify potential compliance and risk management issues.
– Take immediate corrective action on all identified issues.
– Keep staff educated and maintain high compliance awareness.

Page 72: Compliance Boot Camp

Developing a Risk-Based Compliance Team

Role of the Compliance Officer and Compliance Function:
– Review the organization’s Integrated Compliance and Total Risk Management Program for adequacy and effectiveness.
– Assist in the development and maintenance of policies, procedures, internal controls, validation, and training and education programs.
– Monitor the organization’s management of risk and compliance and the effectiveness of its controls.
– Conduct spot testing to confirm overall compliance.
– Act as interface between auditors and examiners.
– Monitor regulatory changes and ensure that compliance requirements and corporate policy are current.
– Be responsible for the oversight of the training and education program.

Page 73: Compliance Boot Camp

Developing a Risk-Based Compliance Team

Role of Audit:
– Ensure compliance and risk management effectiveness by performing strong audits that focus on sound compliance and risk management processes, controls and practices, and the concerns of regulators.

Page 74: Compliance Boot Camp

Developing a Risk-Based Compliance Team

Role of Legal:
– Support the compliance and risk management effort through legal review and opinion of actual and potential issues and management considerations.

Page 75: Compliance Boot Camp

Common Challenges in Developing an Effective Integrated Compliance and Total Risk Management

Organizational structure: The importance of the right culture.

Compliance and risk management areas: They exist everywhere.

Resources: Every organizational member is a team resource.

Motivational requirements: Compliance is the right thing to do.

Page 76: Compliance Boot Camp

Building an Environment of Effective Compliance

Establish an incentive and reward system based on excellence and hard work.

Develop an ethical environment that can foster and sustain responsible decisions.

Build a system of ethical practice throughout the compliance program and the organization.

Page 77: Compliance Boot Camp

CHECKLISTS & QUESTIONNAIRES

Management appraisal
– 360° Evaluations

Audit Function
– Internal Audit
– Internal Quality Control
– Regulatory Compliance
– Required Reporting (Federal & State)

Page 78: Compliance Boot Camp

CHECKLISTS & QUESTIONNAIRES

Personal Trust, Court & Agency Services– See sample

Retirement Services– See sample

Corporate Trust & Transfer Agency Services– See sample

Operations– See sample

Asset & Portfolio Management– See sample

Custody & Related Services– See sample

Page 79: Compliance Boot Camp

What is Risk?

Risk is the probability that an event or action may adversely affect an organization’s ability to function properly.

As part of the process of meeting objectives of any program, there is a degree of uncertainty intrinsic (built-in) to the achievement of those objectives.

Risk involves consequences (severity) and the likelihood (frequency) that negative events will take place.

Page 80: Compliance Boot Camp

What is Risk?

To identify risk related to objectives, ask common sense questions like the following:
– What resources/assets need to be protected (i.e., financial records, land records, etc.)?
– Do we have liquid assets or assets which could be used by others easily?
– How could someone steal assets (i.e., oil from oil leases)?
– How could someone disrupt operations?

Page 81: Compliance Boot Camp

What is Risk?

To identify risk related to objectives, ask common sense questions like the following:
– How do we know if we are achieving our objectives?
– What information is most relied upon? What information does each manager monitor?
– On what do we spend the most money?
– What decisions require the best judgment?
– What activities are most complex?
– What activities are regulated?
– What is the greatest legal exposure?

Page 82: Compliance Boot Camp

What is Risk?

Consequences are tangible outcomes of risk associated with decisions, events, or processes related to the successful operation of any particular government program.

Consequences involve a cause or event with a related effect.

Page 83: Compliance Boot Camp

What is Risk?

The effect of risk can involve:
– An erroneous decision as the result of using incorrect, untimely, incomplete, or otherwise unreliable information.
– Erroneous record keeping, inappropriate accounting, fraudulent financial reporting, financial loss, and exposure.
– Failure to adequately safeguard assets.

Page 84: Compliance Boot Camp

What is Risk?

The effect of risk can involve:
– Customer dissatisfaction, negative publicity, and damage to the organization’s reputation.
– Failure to adhere to organizational policies and procedures, or not complying with relevant laws and regulations.
– Acquiring resources uneconomically or using them inefficiently or ineffectively.
– Failure to accomplish established objectives and goals for the program.

Page 85: Compliance Boot Camp

Risk Increasers

– Concentration
– Correlation

Page 86: Compliance Boot Camp

Design of Internal Controls

A prerequisite to designing good internal controls used by an organization is to have clear, precise, and quantifiable objectives in place.

An excellent place to start when identifying objectives is the Strategic Plan and Mission Statement of your area.

Objectives are needed in order to determine what are the necessary controls to put in place and when the controls have been successful.

When objectives have been established, the risks associated with accomplishing each objective can be determined.

Only when risks associated with the activities involved in completing objectives are identified can the required controls be determined to ensure successful completion of the objectives.

Page 87: Compliance Boot Camp

Internal Control Development as it Relates to Risk

OBJECTIVE (What do you want to accomplish?)

RISK (What can go wrong to prevent you from accomplishing your objectives?)

CONTROLS (What can be done to minimize the risks?)

Page 88: Compliance Boot Camp

Internal Control Defined

Internal control is broadly defined as a process, effected by management and other personnel, designed to provide reasonable assurance that the objectives of the area are being achieved in the following categories:

– Effectiveness and efficiency of operations including the use of the entity’s resources.

– Reliability of financial reporting, including reports on budget execution, financial statements, and other reports for internal and external use.

– Compliance with applicable laws and regulations.
– Control (safeguarding) of assets.

Page 89: Compliance Boot Camp

Standards of Internal Control

The five standards for internal control are:
– 1. Control Environment
– 2. Risk Assessment
– 3. Control Activities
– 4. Information and Communications
– 5. Monitoring

Page 90: Compliance Boot Camp

1. Control Environment

The control environment sets the tone of an organization, influencing the control consciousness of its people.

It is the foundation for all other components of internal control, providing discipline and structure.

Several key factors affect the control environment. Integrity and ethical values maintained and demonstrated by management and staff is one factor. Area management plays a key role in providing leadership in this area, especially in setting and maintaining the organization’s ethical tone, providing guidance for proper behavior, removing temptations for unethical behavior, and providing discipline when appropriate.

Page 91: Compliance Boot Camp

2. Risk Assessment

Internal control should provide for an assessment of the risks the area faces from both external and internal sources.

A precondition to risk assessment is establishment of clear, consistent area objectives.

Risk assessment is the identification and analysis of relevant risks associated with achieving the objectives, and forming a basis for determining how risks should be managed.

Page 92: Compliance Boot Camp

3. Control Activities

Internal control activities help ensure that management’s directives are carried out.

The control activities should be effective and efficient in accomplishing an area’s control objectives.

Control activities are the policies, procedures, techniques, and mechanisms that enforce management’s directives.

They help ensure that actions are taken to address risks to achievement of the entity’s objectives.

Control activities are an integral part of an entity’s planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results.

Page 93: Compliance Boot Camp

3. Control Activities

There are certain categories of control activities that are common to all organizations.

Examples include the following:
– Top level reviews of actual performance
– Reviews by management at the functional or activity level
– Management of human capital
– Controls over information processing
– Physical control over vulnerable assets
– Establishment and review of performance measures and indicators
– Segregation of duties
– Proper execution of transactions and events
– Accurate and timely recording of transactions and events
– Access restrictions to and accountability for resources and records
– Appropriate documentation of transactions and internal control

Page 94: Compliance Boot Camp

4. Information and Communications

Information should be recorded and communicated to management and others in a form and within a time frame that enables them to carry out their responsibilities.

Information systems produce reports containing operational, financial and compliance-related information that make it possible to run and control the trust activities at hand.

Page 95: Compliance Boot Camp

4. Information and Communications

They deal not only with internally generated data, but also information about external events, activities, and conditions necessary to allow informed decision making and external reporting.

Effective communication also must occur in a broader sense, flowing down, across and up the individual bureaus and between bureaus located in the Department.

All personnel must receive the clear message

Page 96: Compliance Boot Camp

5. Monitoring

Internal control monitoring should assess the quality of performance over time and ensure that the findings of audits and other reviews are promptly resolved.

Internal control should generally be designed to ensure that ongoing monitoring occurs in the course of normal operations.

It is performed continually and is ingrained in the organization’s operations.

It includes regular management and supervisory activities, comparisons, reconciliation, self-evaluations, and other actions people take in performing their duties.

Page 97: Compliance Boot Camp

Internal Control Components

Page 98: Compliance Boot Camp

Appendix-Listing Of 15 Primary Internal Controls

Page 99: Compliance Boot Camp

Access to Equipment and Data Files

Since information is valuable and often confidential, it must be physically safeguarded against unauthorized access and intentional or unintentional damage.

Access devices are designed so that only certain persons can operate them, passwords are used, data is encrypted, computer rooms are locked and protected against fire and heat, files are carefully handled and controlled, data is copied and stored in separate, offsite locations, and other similar procedures are followed.

Page 100: Compliance Boot Camp

Audit

The effectiveness of any internal control system must be monitored to be successful.

Departmental reviews, quality control auditing, internal auditing and external auditing are the primary means of monitoring an internal control system.

Page 101: Compliance Boot Camp

Authorizations for Intended Actions

Allocating resources for future activities requires management authorization to ensure the proper use of personnel, office equipment and other assets, to avoid waste, and to minimize possible conflicting needs within an organization.

Page 102: Compliance Boot Camp

Approvals for Actions Taken

Many day-to-day activities have built-in segregation of duties and responsibilities and may only require an approval after an action has been taken as a final check and balance.

Page 103: Compliance Boot Camp

Commitment to Competence

Hiring, training and maintaining the technical skills of employees assigned to complete critical tasks helps eliminate errors in judgment and mistakes due to ignorance.

Even the best designed internal control systems or business practices will fail if an employee lacks the skills and training needed to complete a given task.

Page 104: Compliance Boot Camp

Communication of the Importance of Internal Controls

Organizations can set a tone and influence the behavior of their employees when the highest levels of management stress the importance of the internal controls.

Without high-level support, and commitment toward internal control efforts, internal reviews and other self-checks become ineffective.

Page 105: Compliance Boot Camp

Documentation of Workflow

In larger organizations, or those whose work must be integrated with work completed by another operating unit, flow charting or otherwise documenting the workflow is a key element in maintaining internal control.

Critical points where two or more non-integrated information systems must agree or where potential control problems might occur must be identified and control procedures incorporated into the workflow at those points.

Page 106: Compliance Boot Camp

Duplication of Activities

Since the cost of duplicating critical activities is prohibitive, a good internal control system employs a separation of activities into interrelated segments, which must mesh at critical points within a process.

If one segment is off, the other parts should reflect the imbalance.

Page 107: Compliance Boot Camp

Closure of Identified Problems

The monitoring of any internal control system must include the final resolution of audit findings and other identified weaknesses in a timely manner.

Resolving these issues not only strengthens the internal control system but also reinforces management’s commitment to and support of the system.

Page 108: Compliance Boot Camp

Reports

Reports of past events serve as the most significant control by management of its operations.

These reports must be timely, complete, concise and accurate.

The reports must also be impartial and present an accurate picture of what has actually occurred.

Page 109: Compliance Boot Camp

Separation of Duties

Separating the operational responsibility from the accountability ensures that the same individual is not authorizing and performing a task and also responsible for reporting the results.
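One way to turn this principle into a detective control, as an added example that is not part of the original slides: the check below scans a constructed action log for any individual who held two or more of the three duties (authorize, perform, report) on the same transaction. The event format, duty names and user names are assumptions made for the example.

```python
# Added example (not from the original slides): a separation-of-duties check run
# over a constructed action log. Event layout, duty names and users are invented.
from collections import defaultdict

# The three duties the slide says must not sit with one individual
AUTHORIZE, PERFORM, REPORT = "authorize", "perform", "report"
CONFLICTING_DUTIES = {AUTHORIZE, PERFORM, REPORT}


def duties_by_user(events):
    """Group an event log of (transaction_id, user, duty) tuples into
    {transaction_id: {user: set_of_duties}}, keeping only the three duties
    that matter for separation of duties."""
    grouped = defaultdict(lambda: defaultdict(set))
    for txn_id, user, duty in events:
        if duty in CONFLICTING_DUTIES:
            grouped[txn_id][user].add(duty)
    return grouped


def sod_violations(events):
    """Return (transaction_id, user, duties) for every user who held two or
    more of the conflicting duties on the same transaction, in sorted order
    so the output is stable for reporting."""
    findings = []
    for txn_id, users in sorted(duties_by_user(events).items()):
        for user, duties in sorted(users.items()):
            if len(duties) >= 2:
                findings.append((txn_id, user, tuple(sorted(duties))))
    return findings


# Constructed action log (invented for this example)
ACTION_LOG = [
    ("TX-1001", "alice", AUTHORIZE),
    ("TX-1001", "bob", PERFORM),
    ("TX-1001", "carol", REPORT),
    ("TX-1002", "dave", AUTHORIZE),   # dave both authorizes and performs
    ("TX-1002", "dave", PERFORM),
    ("TX-1002", "erin", REPORT),
    ("TX-1003", "frank", PERFORM),    # frank performs and reports on his own work
    ("TX-1003", "frank", REPORT),
    ("TX-1003", "grace", "view"),     # read-only access is not one of the three duties
]

if __name__ == "__main__":
    for txn, user, duties in sod_violations(ACTION_LOG):
        print(f"{txn}: {user} held {' and '.join(duties)}")
```

Run against the constructed log, the check reports TX-1002 (dave: authorize and perform) and TX-1003 (frank: perform and report) and passes TX-1001, where the three duties sit with three different people.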

Page 110: Compliance Boot Camp

Supervision of Critical Activities

Management must identify the points within the area’s operating processes that are most critical and routinely supervise these activities to help ensure the area’s objectives are being met in a competent manner.

Page 111: Compliance Boot Camp

Physical Control and Safe Guards of Assets

All resources have some value, and protecting a particular asset from theft or misuse helps ensure that the particular asset will be available for its intended use when needed.

Page 112: Compliance Boot Camp

Data Input Controls

Input controls are essential to assure that only authorized data is entered into the computer and that such data is correct.

Among the more important types of input controls are: “Key Verification”, which has the typist re-key entries to check the data for correctness, and the use of “Check Digits” and “Control Totals” to verify that all of the data put into the computer is processed.
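The three input controls named above, worked through on a constructed batch, as an added example that is not part of the original slides: a mod-10 (Luhn) check digit on each account number, a key-verification comparison of two independent keyings, and record-count, hash-total and amount-total control totals reconciled against the source documents. The record layout, account numbers and amounts are invented for the example; the check-digit scheme is a standard Luhn calculation, not one the slides prescribe.

```python
# Added example (not from the original slides): key verification, check digits and
# control totals applied to a constructed batch of keyed entries. Record layout,
# account numbers and amounts are invented for illustration.
from dataclasses import dataclass
from decimal import Decimal


def luhn_check_digit(body: str) -> str:
    """Mod-10 (Luhn) check digit for a string of digits. It detects any single
    mistyped digit and most adjacent transpositions."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit of `number` is the correct check digit for the rest."""
    if not number.isdigit() or len(number) < 2:
        return False
    return number[-1] == luhn_check_digit(number[:-1])


def key_verify(first: dict, second: dict) -> list:
    """Key verification: the same source document keyed twice, independently.
    Returns the names of the fields where the two keyings disagree."""
    return sorted(k for k in first.keys() | second.keys() if first.get(k) != second.get(k))


@dataclass(frozen=True)
class Entry:
    account: str        # account number whose last digit is a Luhn check digit
    amount: Decimal


@dataclass(frozen=True)
class ControlTotals:
    record_count: int
    hash_total: int     # arithmetic sum of account numbers: meaningless as a value,
                        # but it changes if a record is dropped, duplicated or altered
    amount_total: Decimal


def compute_totals(entries: list) -> ControlTotals:
    """Control totals, computed once from the source documents and again from the keyed batch."""
    return ControlTotals(
        record_count=len(entries),
        hash_total=sum(int(e.account) for e in entries),
        amount_total=sum((e.amount for e in entries), Decimal("0")),
    )


def validate_batch(expected: ControlTotals, keyed: list) -> list:
    """Check-digit test on every keyed record, then reconcile the batch against
    the control totals established from the source documents."""
    errors = [f"record {i}: check digit failure on account {e.account}"
              for i, e in enumerate(keyed) if not luhn_valid(e.account)]
    actual = compute_totals(keyed)
    for field in ("record_count", "hash_total", "amount_total"):
        if getattr(actual, field) != getattr(expected, field):
            errors.append(f"{field}: expected {getattr(expected, field)}, got {getattr(actual, field)}")
    return errors


# Constructed source documents (invented for this example)
SOURCE_ENTRIES = [
    Entry("79927398713", Decimal("100.00")),
    Entry("12345674", Decimal("250.50")),
    Entry("1000000016", Decimal("49.99")),
]
EXPECTED = compute_totals(SOURCE_ENTRIES)

# What the operator actually keyed: the digits "98" in the first account were
# transposed, and the third source document was skipped entirely
KEYED_ENTRIES = [
    Entry("79927389713", Decimal("100.00")),
    Entry("12345674", Decimal("250.50")),
]

if __name__ == "__main__":
    for problem in validate_batch(EXPECTED, KEYED_ENTRIES):
        print(problem)
    print(key_verify({"account": "12345674", "amount": "250.50"},
                     {"account": "12345647", "amount": "250.50"}))
```

The two controls are complementary: the check digit catches the transposition inside a single record, while only the control totals reveal that a whole record never reached the computer, which is what the slide means by verifying that all of the data put in is processed.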

Page 113: Compliance Boot Camp

Data Output Controls

With the heightened reliability of today’s Electronic Data Processing systems, and reliable Input controls, the need for Output controls is limited to error listings and the physical control of the reports that are generated.

Page 114: Compliance Boot Camp

The Compliance Officer As a First Class Consultant

EXTRA CREDIT

Page 115: Compliance Boot Camp

The Compliance Officer as “Consultant to Management”

Compliance is both:

A Control Process
– Safeguarding Assets
– Compliance with Laws
– Reliability of Information

An Improvement Process
– Achievement of Objectives
– Economic and Efficient Use of Resources

Page 116: Compliance Boot Camp

The Roles of Compliance Officers

The Purpose of Compliance is to compare:

What is:
What should be:

The Watchdog Role: Watch and Warn.
The Consultant Role: Advise and Participate.
The Catalyst Role: Leading and Moving.

Page 117: Compliance Boot Camp

Compliance Interaction Model

(C) Copyright 1994

Page 118: Compliance Boot Camp

The Relationship of Role to Other Compliance Elements

[Diagram labels: Relationships; Organizational Expectations; Annual Audit Plan; Audit Scope; Audit Recommendations; Role, Process, Focus, Impact]

Page 119: Compliance Boot Camp

The Role of the Consultant

The consultant gives improvement advice. Practices operational, value-for-money, or performance enhancement skills. The focus of the consultant is on the conservation of the organization’s resources and helping managers manage.

Makes sure the organization gets best use of its assets (human, physical, financial, information).

These reviews of economy, efficiency, and effectiveness usually have a mid-term impact on management.

Page 120: Compliance Boot Camp

5 Skills that Make A Good Consultant

1. Listener:
– A good consultant listens and observes 90% of the time.
– Careful listening is the first step in problem identification.

Page 121: Compliance Boot Camp

5 Skills that Make A Good Consultant

2. Learner:
– Before you can teach, you must learn.
– Most clients want the latest in thinking and best practices.
– Similar to training for a professional athlete.

Page 122: Compliance Boot Camp

5 Skills that Make A Good Consultant

3. Teacher:
– Must be unselfish with knowledge.
– Skill in oral communication and organizing thoughts.
– Genuine interest in helping people to learn.

Page 123: Compliance Boot Camp

5 Skills that Make A Good Consultant

4. Problem Solver:
– What are the goals (outcomes) desired?
– What processes are in place to produce these?
– What processes are in place to provide Feedback?
– Who will monitor the Feedback Process?
– How will improvements to the processes be made?
– What reward systems are in place for improvements?

Page 124: Compliance Boot Camp

5 Skills that Make A Good Consultant

5. Team Builder:
– Problems tend to be complex, so consultants must be able to work with others.
– Working with teams, leading teams, helping to build teams.

Page 125: Compliance Boot Camp

Teams and Team Work

Teams are not committees!
– Teams share common goals.
– Teams share leadership and tasks.
– Teams have their own purpose, roles and responsibilities.
– Teams are interdependent.

Page 126: Compliance Boot Camp

Compliance Officers and Teams

A compliance team to perform a compliance assessment.

A joint review/investigation team to perform a fraud investigation.

An improvement team to work on improving the compliance process.

A cross-functional team of compliance and others to improve the organization.

Page 127: Compliance Boot Camp

Setting Up a Team - 1

Clearly define the purpose of the team:

Our team is important because _____________

If it weren’t for us _________________________

Page 128: Compliance Boot Camp

Setting Up a Team - 2

Establish a set of Ground Rules:
– Behaviorally defined (“Do not interrupt”).
– Use consensus to develop ground rules.
– Keep visible.
– Call time-out when broken.
– Revisit from time to time to ensure that they are working.

Page 129: Compliance Boot Camp

Setting Up a Team - 3

Establish Team Roles:
– Team Leader.
– Team Facilitator.
– Team Scribe.
– Team Member.

Page 130: Compliance Boot Camp

How to Gain these Skills?

Practice, practice, practice

Three Principles:

1. Value diversity: Seek out people that think differently than you.

2. Coping, not Controlling: Stay focused on the essential elements; don’t bog down in trivia.

3. Devote at least 5% to Learning New Skills.