Compliance Boot Camp


Published on

1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Compliance Boot Camp

  2. 2. What is a “Boot Camp” <ul><li>Boot Camp refers to military new recruit training , the initial indoctrination and instruction given to military personnel. Creates a base level of conditioning and discipline . Awareness of requirements and expectations. Creates a set of shared core values </li></ul>
  3. 3. BUY THIS BOOK (Create your own Compliance Library) Integrated Compliance & Total Risk Management Mark G. Arthus
  4. 4. SOURCE MATERIALS (Create your own Compliance Library) <ul><li>FDIC’s Trust Examination Handbook , May 2005 </li></ul><ul><li>OTS’s Trust and Asset Management Handbook , July 2001  </li></ul><ul><li>OCC’s: </li></ul><ul><ul><li>Asset Management , December 2000 </li></ul></ul><ul><ul><li>Collective Investment Funds , October 2005 </li></ul></ul><ul><ul><li>Conflicts of Interest , June 2000 </li></ul></ul><ul><ul><li>Custody Services , January 2002 </li></ul></ul><ul><ul><li>Investment Management Services , August 2001 </li></ul></ul><ul><ul><li>Personal Fiduciary Services , August 2002 </li></ul></ul><ul><ul><li>Retirement Plan Services , December 2007 </li></ul></ul><ul><li>FRB’s Trust Examination Manual , February 1997 </li></ul><ul><li>FRB’s Transfer Agent Examination Manual , February 1997 </li></ul><ul><li>The Trust Compliance Handbook , Price Waterhouse </li></ul>
  5. 5. SOURCE MATERIALS (Create your own Compliance Library) <ul><li>Sheshunoff (Regulatory Compliance Associates, Inc.) </li></ul><ul><ul><li>Trust Department Internal Control Manual </li></ul></ul><ul><ul><li>Trust Department Management Manual </li></ul></ul><ul><ul><li>Trust Department Policies and Procedures </li></ul></ul><ul><ul><li>Trust Department Risk Management: Preparing for an Examination </li></ul></ul><ul><ul><li>Trust Services Audit Manual </li></ul></ul><ul><li>ABA </li></ul><ul><ul><li>Guide to Operational Risks in the Trust Business </li></ul></ul><ul><ul><li>Trust & Fiduciary Federal Reporting Requirements , </li></ul></ul>
  6. 6. SOURCE MATERIALS (Create your own Compliance Library) <ul><li>Texas Bankers Association </li></ul><ul><ul><li>Trust Policy Manual </li></ul></ul><ul><ul><li>Trust Operations and Procedures Manual </li></ul></ul><ul><ul><li>Trust Compliance Checklist </li></ul></ul><ul><li>Kenneth J. Namjestnik (BIA/Probus) </li></ul><ul><ul><li>The Trust Audit Manual: Fiduciary Audit Practices, Policies and Regulations </li></ul></ul><ul><ul><li>Trust Risk Management: Assessing and Controlling Fiduciary Risk </li></ul></ul><ul><ul><li>The Trust Risk Management Manual : A Hands-On Guide to Assessing and Monitoring Trust Operations </li></ul></ul>
  7. 7. PURPOSE/DEFINITION <ul><li>External Audit </li></ul><ul><li>SAS 70 Review </li></ul><ul><li>Internal Audit </li></ul><ul><li>Regulatory Exam </li></ul><ul><li>Compliance Testing </li></ul><ul><li>Risk Management Program </li></ul><ul><li>Control Self-assessments </li></ul>
  8. 8. TYPE OF PROGRAM NEEDED <ul><li>INTEGRATED SOLUTION </li></ul><ul><li>FOCUS ON THE “BIG PICTURE” </li></ul><ul><li>WHAT GETS “ MEASURED” GETS “ DONE” </li></ul><ul><li>IF IT CAN BE “ MEASURED” IT CAN BE “ IMPROVED” </li></ul>
  9. 9. DEVELOPING AN INTEGRATED TEAM <ul><li>Board of Directors </li></ul><ul><li>Fiduciary Committees (Board and Officer) </li></ul><ul><li>Senior Management </li></ul><ul><li>Line Management </li></ul><ul><li>Staff </li></ul><ul><li>Compliance Officer </li></ul><ul><li>Internal Auditor </li></ul><ul><li>Risk Management Officer </li></ul><ul><li>Legal Counsel </li></ul>
  10. 10. 10 KEY ELEMENTS OF AN EFFECTIVE COMPLIANCE PROGRAM <ul><li>Board of Director & Senior Management Involvement </li></ul><ul><li>Organized Structure </li></ul><ul><li>Policies and Procedures </li></ul><ul><li>Training Program </li></ul><ul><li>Internal Controls </li></ul><ul><li>Self-assessments </li></ul><ul><li>Compliance Review </li></ul><ul><li>Legal Review </li></ul><ul><li>Risk Review </li></ul><ul><li>Audit Review </li></ul>
  11. 11. Introduction and Purpose <ul><li>Bank directors must use care and prudence in the administration of the bank’s fiduciary activities and must exercise caution to see that applicable laws, regulations, and fiduciary principles, policies and procedures are not violated. </li></ul><ul><li>If, through their failure to do so, a loss to the beneficiaries or the bank results, they can be held liable for such loss in an action for damages. </li></ul><ul><li>Banks are encouraged to purchase insurance to provide appropriate protection from financial loss imposed by such potential liability. </li></ul><ul><li>Directors should recognize that all aspects of the bank’s performance of its fiduciary duties are their responsibility and the official records of the board should clearly reflect the proper discharge of that responsibility. </li></ul>
  12. 12. Discharging Director’s Duties <ul><li>Bank directors are expected to retain and perform general supervision over the exercise of the bank’s fiduciary powers. </li></ul><ul><li>In discharging that responsibility, directors may assign the administration of fiduciary powers as they may consider proper to such directors, officers, employees, or committees as they may designate. </li></ul><ul><li>However, directors cannot discharge their duties by delegating the entire administration to officers selected by them. </li></ul><ul><li>They are responsible for directing and reviewing the actions of all persons or committees involved in the exercise of fiduciary powers. </li></ul>
  13. 13. Discharging Director’s Duties <ul><li>The directors of each national bank may discharge their duties and responsibilities as they deem most practical within the limits set for the in OCC Regulation 9.7 (12 CFR 9.7). </li></ul><ul><li>Any workable system or organization of a trust department may be acceptable as long as the directors are fully aware of and are fulfilling their responsibilities. </li></ul>
  14. 14. Discharging Director’s Duties <ul><li>If the board assigns functions to individuals or committees, it must keep informed about how such assignments are performed. </li></ul><ul><li>All actions taken by committees in the performance of fiduciary functions should be recorded properly in appropriate minutes , or in a similar record, when performed by a designated person. </li></ul><ul><li>It is not necessary for the board to review all written records and formally approve every action taken by those persons or committees. </li></ul><ul><li>However, such records should be available for the board’s inspection, and minutes of board meetings should reflect that such records are made available to directors. </li></ul>
  15. 15. Discharging Director’s Duties <ul><li>The system of organization and the manner of administration of the bank’s fiduciary activities should be prescribed in the bank’s bylaws or by resolutions of the board of directors. </li></ul><ul><li>Each board should make an annual reassessment of trust department organization and administration to ensure the proper exercise of fiduciary powers. </li></ul><ul><li>If some responsibilities of the board of directors are assigned to persons or committees by resolution , it should be done annually during the organizational meeting at which committees and officers are appointed. </li></ul>
  16. 16. Trust Department Policies and Procedures <ul><li>The directors must implement sufficient trust department policies, procedures , and internal controls to promote high-quality fiduciary administration. </li></ul><ul><li>When properly monitored by the directors , well-developed policies, procedures, and internal controls promote efficiency and compliance with laws and sound fiduciary principles, and deter losses through charge offs or surcharge. </li></ul>
  17. 17. Trust Department Policies and Procedures <ul><li>Policies should be written and formulated to provide a clear framework within which the trust officers must operate and administer all aspect of the bank’s fiduciary business. </li></ul><ul><li>Written at an knowledgeable stranger level of comprehension </li></ul>
  18. 18. Trust Department Policies and Procedures <ul><li>Some of the more important areas where policies, procedures, and internal controls are needed include: </li></ul><ul><ul><li>Organization & Supervision </li></ul></ul><ul><ul><li>Operations </li></ul></ul><ul><ul><li>Controls </li></ul></ul><ul><ul><li>Audits </li></ul></ul><ul><ul><li>Conflicts of Interest </li></ul></ul><ul><ul><li>Pricing </li></ul></ul><ul><ul><li>Account Acceptance (4-P’s) & Closing </li></ul></ul><ul><ul><li>Ethics </li></ul></ul>
  19. 19. Trust Department Policies and Procedures <ul><li>Some of the more important areas where policies, procedures, and internal controls are needed include: </li></ul><ul><ul><li>Account Administration </li></ul></ul><ul><ul><ul><li>Personal Trust, Agency & Court Accounts </li></ul></ul></ul><ul><ul><ul><li>Retirement Accounts </li></ul></ul></ul><ul><ul><ul><li>Corporate Trust & Agency </li></ul></ul></ul><ul><ul><ul><li>Investment Management Agency </li></ul></ul></ul><ul><ul><ul><li>Custodial & Safekeeping Agencies </li></ul></ul></ul><ul><ul><ul><li>Escrow </li></ul></ul></ul>
  20. 20. Trust Department Policies and Procedures <ul><li>Some of the more important areas where policies, procedures, and internal controls are needed include: </li></ul><ul><ul><li>Asset Management </li></ul></ul><ul><ul><ul><li>Marketable Securities </li></ul></ul></ul><ul><ul><ul><li>Closely-Held Businesses </li></ul></ul></ul><ul><ul><ul><li>Real Estate </li></ul></ul></ul><ul><ul><ul><li>Loans & Mortgages </li></ul></ul></ul><ul><ul><ul><li>Limited Partnerships </li></ul></ul></ul><ul><ul><ul><li>Mineral Interests </li></ul></ul></ul><ul><ul><ul><li>Unique & Miscellaneous Assets </li></ul></ul></ul><ul><ul><ul><li>Mutual Funds & Collective Funds </li></ul></ul></ul>
  21. 21. REGULATORY RISK CATAGORIES & SUB-CATAGORIES <ul><li>Credit </li></ul><ul><li>Interest rate </li></ul><ul><li>Liquidity </li></ul><ul><li>Price </li></ul><ul><li>Foreign exchange </li></ul><ul><li>Transaction </li></ul><ul><li>Compliance </li></ul><ul><li>Strategic </li></ul><ul><li>Reputation </li></ul>
  22. 22. REGULATORY RISK CATAGORIES & SUB-CATAGORIES <ul><li>Process risk </li></ul><ul><li>People risk </li></ul><ul><li>Systems risk </li></ul><ul><li>Event risk </li></ul><ul><li>Business risk </li></ul>
  23. 23. 7 Key Lessons of Effective Risk Management <ul><li>Lesson 1 - Know your business . </li></ul><ul><ul><li>Utilize criteria established in due diligence process. </li></ul></ul><ul><ul><li>Managers must understand risks . </li></ul></ul><ul><ul><li>All employees must understand how their jobs affect the risk profile. </li></ul></ul>
  24. 24. 7 Key Lessons of Effective Risk Management <ul><li>Lesson 2 - Establish checks and balances. </li></ul><ul><ul><li>Ensure balance of power in managing resources. </li></ul></ul><ul><ul><ul><li>Look for concentrations ; </li></ul></ul></ul><ul><ul><ul><ul><li>Knowledge </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Power </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Volume </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Dollars </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Bottle-necks </li></ul></ul></ul></ul><ul><ul><ul><li>Then diversify. </li></ul></ul></ul><ul><ul><li>Not desirable to let concentration of power commit capital to risk-taking activities. </li></ul></ul>
  25. 25. 7 Key Lessons of Effective Risk Management <ul><li>Lesson 3 - Set limits and boundaries . </li></ul><ul><ul><li>Limits and boundaries describe where and when to STOP! </li></ul></ul><ul><ul><ul><li>Trading limits </li></ul></ul></ul><ul><ul><ul><li>Credit limits </li></ul></ul></ul><ul><ul><ul><li>Dollar limits </li></ul></ul></ul><ul><ul><ul><li>Discretionary authority </li></ul></ul></ul><ul><ul><ul><li>Deviations, exceptions & waivers </li></ul></ul></ul><ul><ul><ul><li>Hiring practices </li></ul></ul></ul><ul><ul><ul><li>Acceptance of appointments </li></ul></ul></ul><ul><ul><ul><li>Pricing of services </li></ul></ul></ul>
  26. 26. 7 Key Lessons of Effective Risk Management <ul><li>Cash transfer </li></ul><ul><ul><li>Authorized signatures </li></ul></ul><ul><ul><li>Limits </li></ul></ul><ul><ul><li>Approvals </li></ul></ul><ul><ul><li>Separate processing </li></ul></ul><ul><li>Cash movement </li></ul><ul><ul><li>Measure </li></ul></ul><ul><ul><li>Monitor </li></ul></ul><ul><ul><li>Reconcile </li></ul></ul><ul><ul><li>Document </li></ul></ul>Lesson 4- Monitor cash (funds) “ Cash is king. Accounting is opinion.”
  27. 27. 7 Key Lessons of Effective Risk Management <ul><li>Lesson 5- Use correct measures of success. </li></ul><ul><ul><li>Performance measures and rewards drive behavior and risk. </li></ul></ul><ul><ul><li>Performance measures and incentives must be risk-adjusted. </li></ul></ul><ul><ul><li>What pressures are there to meet goals ? </li></ul></ul><ul><ul><li>What gets measured gets done </li></ul></ul><ul><ul><li>What can be measured can be improved </li></ul></ul>
  28. 28. 7 Key Lessons of Effective Risk Management <ul><li>Lesson 6 - Pay for desired performance . </li></ul><ul><ul><li>Are rewards established at correct targets ? </li></ul></ul><ul><ul><li>What is effect on risk and/or losses? </li></ul></ul><ul><ul><li>Hint: If smart people are doing stupid things, check the incentive structure. </li></ul></ul>
  29. 29. 7 Key Lessons of Effective Risk Management <ul><li>Drivers of risk taking </li></ul><ul><ul><li>Independent risk function </li></ul></ul><ul><ul><li>Oversight committee </li></ul></ul><ul><ul><li>Risk assessment </li></ul></ul><ul><ul><li>Risk based audits and compliance monitors </li></ul></ul><ul><ul><li>Risk limits </li></ul></ul><ul><ul><li>Risk based policies and procedures </li></ul></ul><ul><li>Enablers of risk taking </li></ul><ul><ul><li>Setting tone from the top </li></ul></ul><ul><ul><li>Establish risk culture and values </li></ul></ul><ul><ul><li>Facilitate open discussions about risk </li></ul></ul><ul><ul><li>Provide risk training </li></ul></ul><ul><ul><li>Reinforce desired behaviors </li></ul></ul>Lesson 7 - Take a balanced approach.
  30. 30. Trust Department Audits <ul><li>When the directors lack adequate knowledge of trust audit techniques and procedures, or internal auditors lack expertise , boards are encouraged to employ outside auditors to perform the trust department audit on their behalf. </li></ul><ul><li>An audit by an outside firm is more beneficial to the directors if the audit committee or the entire board is well informed of audit activity and audit results. </li></ul><ul><li>Directors are responsible for approving and monitoring audit scope, reviewing audit findings, and ensuring correction of all audit exceptions. </li></ul><ul><li>Before concluding an audit review, directors should understand thoroughly the significance of the report. </li></ul><ul><li>The audit committee should determine that the scope of audit is sufficient to present a true picture of the department’s condition. </li></ul>
  31. 31. Compliance Management <ul><li>The directors should establish a system to promote, monitor, and evaluate adherence to internal policies, procedures, fiduciary principles and applicable laws and regulations. </li></ul><ul><li>Trust compliance is a management function deserving the same effort as other management functions. </li></ul><ul><li>Management should make individuals accountable for the trust department’s compliance program. </li></ul><ul><li>Compliance should be part of each employee’s performance standards. </li></ul>
  32. 32. Risk Management <ul><li>A formal program of fiduciary risk management should be established to identify and control fiduciary risks. </li></ul><ul><li>Board participation and control of the risk management process is essential. </li></ul><ul><li>The program should include delineation by management and the board of the risk they are willing to assume, identification of risks in current operations, supervision of current and proposed operations, implementation of adequate controls and risk monitoring systems . </li></ul>
  33. 33. Internal Controls <ul><li>Internal control procedures are included as part of a trust system’s normal processing tasks. </li></ul><ul><li>It is the responsibility of directors to ensure that good internal controls exist to prevent persons from making significant errors or perpetrating irregularities without timely detection. </li></ul><ul><li>Internal controls should include methods to protect assets , assure the integrity of operating records , promote operating efficiency , and promote adherence to policies , laws, and regulations . </li></ul>
  34. 34. Common Problems <ul><li>Every organization faces problems in its daily operations that are simply a part of doing business. </li></ul><ul><ul><li>Control </li></ul></ul><ul><ul><li>Reduce </li></ul></ul><ul><ul><li>Minimize </li></ul></ul><ul><ul><li>Transfer </li></ul></ul><ul><ul><li>Eliminate </li></ul></ul>
  35. 35. Source of Problems <ul><li>Internally created (two-headed). </li></ul><ul><ul><li>Strengths </li></ul></ul><ul><ul><ul><li>Paying sufficient attention to familiar situations </li></ul></ul></ul><ul><ul><li>Weaknesses </li></ul></ul><ul><ul><ul><li>Appropriate judgment of unfamiliar situation </li></ul></ul></ul><ul><li>Created by external factors: </li></ul><ul><ul><li>Political </li></ul></ul><ul><ul><li>Social </li></ul></ul><ul><ul><li>Economic </li></ul></ul><ul><ul><li>Competitive </li></ul></ul><ul><li>Perform SWOT Analysis </li></ul>
  36. 36. Types of Problems <ul><li>Those that exist now. </li></ul><ul><ul><li>Known </li></ul></ul><ul><ul><li>Unknown </li></ul></ul><ul><li>Those that will exist in the future. </li></ul><ul><ul><li>Change driven : </li></ul></ul><ul><ul><ul><li>Strategic direction </li></ul></ul></ul><ul><ul><ul><li>Marketplace </li></ul></ul></ul><ul><ul><ul><li>Regulatory </li></ul></ul></ul><ul><ul><ul><li>Product </li></ul></ul></ul><ul><ul><ul><li>Service </li></ul></ul></ul><ul><ul><ul><li>Security Features </li></ul></ul></ul><ul><ul><ul><li>Process & Systems </li></ul></ul></ul><ul><ul><ul><li>Conversions </li></ul></ul></ul>
  37. 37. Common Problems and Resulting Risk to an Organization <ul><li>There is no consistent, formal, organization-wide approach to compliance and risk management </li></ul><ul><li>Outdated, incomplete, and inconsistently applied policies and procedures </li></ul><ul><li>Compliance and risk management education and awareness are poor </li></ul><ul><li>Lack of or poor compliance and risk management controls </li></ul><ul><li>No compliance validation program </li></ul><ul><li>No business-wide management review </li></ul><ul><li>Weak internal audit relationship and interface. </li></ul><ul><li>Compliance viewed as a cost center or a necessary evil </li></ul>
  38. 38. Compliance <ul><li>Defined as complying with: </li></ul><ul><ul><li>Legal regulations </li></ul></ul><ul><ul><li>Corporate policy </li></ul></ul><ul><ul><li>Sound productivity practices </li></ul></ul><ul><ul><li>Sound efficiency practices </li></ul></ul><ul><ul><li>Quality control </li></ul></ul><ul><ul><li>Training and education </li></ul></ul><ul><ul><li>Sound human resource management </li></ul></ul><ul><ul><li>The corporate mission statement </li></ul></ul><ul><ul><li>The strategic plan </li></ul></ul><ul><ul><li>The business plan </li></ul></ul><ul><ul><li>The budget </li></ul></ul><ul><ul><li>Contingency planning </li></ul></ul><ul><ul><li>Strong ethical and moral social behavior </li></ul></ul><ul><ul><li>Profitability requirements and cost controls </li></ul></ul>
  39. 39. Compliance <ul><li>Compliance is not just government regulations anymore. It encompasses virtually everything an organization does . </li></ul><ul><li>If it is important enough to do it in the first place, it is important enough to do it right , no matter how small the task is. </li></ul><ul><li>Compliance is all about doing the right things right. </li></ul>
  40. 40. 7 Most Common and Serious Problems <ul><li>I. There is no consistent, formal, organization-wide approach to compliance and risk management. </li></ul>
  41. 41. 7 Most Common and Serious Problems <ul><li>II. Outdated, incomplete, and inconsistently applied or non-existent policies and procedures : </li></ul><ul><ul><li>Key operating policy and procedure manuals are outdated in several areas and are not comprehensive across all functions. </li></ul></ul><ul><ul><li>Policies are not well communicated or understood by staff and management and they are not consistently followed throughout the organization. </li></ul></ul><ul><ul><li>All procedures are not formalized or documented . </li></ul></ul><ul><ul><li>Identical functions are performed differently among businesses, areas, and/or departments. </li></ul></ul>
  42. 42. 7 Most Common and Serious Problems <ul><li>III. Compliance and risk management education and awareness are poor or non-existent: </li></ul><ul><ul><li>No formalized education or training process . </li></ul></ul><ul><ul><li>The board of directors, committees, senior management, and key employees are not fully aware of important policy and procedure. </li></ul></ul><ul><ul><li>No mechanism for identifying education, training and compliance needs. </li></ul></ul><ul><ul><li>Not everyone understands that compliance and risk management is good for business . </li></ul></ul>
  43. 43. 7 Most Common and Serious Problems <ul><li>IV. Lack of poor or non-existent compliance and risk management controls: </li></ul><ul><ul><li>Ineffective and inefficient controls that are often ignored by staff and management because they are error-prone , hard to evaluate, or too complex to fully execute. </li></ul></ul><ul><ul><li>Inability to identify actual and potential risk and compliance concerns until well after they have occurred. </li></ul></ul>
  44. 44. 7 Most Common and Serious Problems <ul><li>V. No compliance validation program : </li></ul><ul><ul><li>Since there is not compliance validation or self-testing , there is an inability to verify that compliance controls are working in the organization. </li></ul></ul><ul><ul><li>There is a very low confidence level in risk assessment as well as an incapacity to consistently demonstrate whether a process is functioning properly. </li></ul></ul><ul><ul><li>There is no compliance oversight function on the individual department level or the organizational level. </li></ul></ul>
  45. 45. 7 Most Common and Serious Problems <ul><li>VI. No business-wide management review : </li></ul><ul><ul><li>Compliance and risk management review is not seen as an income/profit producing event. </li></ul></ul><ul><ul><li>Senior management, fiduciary examining committees, and board of directors get their information through slide presentations and bullet memos. </li></ul></ul><ul><ul><li>There is no consistent business-wide management communication top down or bottom up . </li></ul></ul><ul><ul><li>Senior management, fiduciary examining committees, and boards of directors do not hold regularly scheduled compliance and risk reviews and thus, are not always kept current on compliance and risk matters. </li></ul></ul><ul><ul><li>Dashboard Metrics </li></ul></ul>
  46. 46. 7 Most Common and Serious Problems <ul><li>VII. Weak or non-existent internal audit relationship and interface: </li></ul><ul><ul><li>Management: </li></ul></ul><ul><ul><ul><li>There is a general lack of strong communication between management and audit in terms of teamwork, goals, and the organizational benefit. </li></ul></ul></ul><ul><ul><ul><li>Line managers have a limited understanding of audit’s purpose and therefore regard them as an outside intervention into their department. </li></ul></ul></ul><ul><ul><ul><li>Line managers have a limited understanding of the audit process and therefore do not utilize audit as a compliance and risk management tool and information source. </li></ul></ul></ul><ul><ul><ul><li>The consequence of all this is too many surprises in the audit findings and very little understanding of the final outcome. </li></ul></ul></ul>
  47. 47. 7 Most Common and Serious Problems <ul><li>VII. Weak or non-existent internal audit relationship and interface: </li></ul><ul><ul><li>Auditors: </li></ul></ul><ul><ul><ul><li>There is no complete verification of the effectiveness and efficiency of the compliance and risk management function. </li></ul></ul></ul><ul><ul><ul><li>The audits do not focus on process and controls , but rather test only historical transactions. </li></ul></ul></ul><ul><ul><ul><li>The audit focus does not cause management to concentrate on areas that are sensitive to business risk and overall compliance. </li></ul></ul></ul>
  48. 48. 7 Most Common and Serious Problems <ul><li>Why a small compliance staff is better than a large one: </li></ul><ul><ul><li>Smaller compliance and risk management staff </li></ul></ul><ul><ul><li>Pro-active management </li></ul></ul><ul><ul><li>Easy identification of training needs </li></ul></ul><ul><ul><li>Cross-training </li></ul></ul><ul><ul><li>More accurate information </li></ul></ul><ul><ul><li>Better controls and organization </li></ul></ul><ul><ul><li>Involvement of line management </li></ul></ul><ul><ul><li>Personal accountability </li></ul></ul>
  49. 49. Definition of Risk <ul><li>Public image </li></ul><ul><li>Loss of clients </li></ul><ul><li>Weak profitability </li></ul><ul><li>Loss of revenue or funds through errors </li></ul><ul><li>Loss of revenue or funds through fraud </li></ul><ul><li>Inappropriate business fit with current or future plans </li></ul><ul><li>Poor new product review </li></ul><ul><li>Poor new account review </li></ul><ul><li>Poor new security type/feature review </li></ul><ul><li>Weak management expertise in key areas </li></ul>
  50. 50. Definition of Risk <ul><li>Poor knowledge level (education) of management and staff </li></ul><ul><ul><li>Business knowledge </li></ul></ul><ul><ul><li>Conflict of interest </li></ul></ul><ul><ul><li>Policy and procedures </li></ul></ul><ul><ul><li>Regulatory </li></ul></ul><ul><li>Poor risk monitoring and controls </li></ul><ul><li>Poor strategic and business planning </li></ul><ul><li>Poor contingency planning </li></ul><ul><li>Non-compliance and direct violations of law </li></ul><ul><li>Breach of fiduciary responsibility (22-Basic Principles) </li></ul>
  51. 51. Compliance Validation Program <ul><li>An effective compliance and risk management validation program must have the following: </li></ul><ul><ul><li>The experts or line managers and staff who perform the functions do the validation (CSA). </li></ul></ul><ul><ul><li>Consistent and organized proactive approach that regularly validates the risk points on a periodic basis. </li></ul></ul><ul><ul><li>Review and assessment of the findings to effect appropriate change and improvements . </li></ul></ul><ul><ul><li>Full and continuous support from senior management. </li></ul></ul><ul><ul><li>Periodic review of the program by the compliance and risk managers and the auditors to ensure its continued effectiveness. </li></ul></ul>
  52. 52. Twelve Point Risk Oriented Compliance Validation <ul><li>Map and schedule the compliance universe for risk overview. </li></ul><ul><li>Gain detailed understanding of the area functions and responsibilities of the identified compliance review areas. </li></ul><ul><li>Create a risk point outline of the area. </li></ul><ul><li>Risk-rank the points of the Risk Point Outline and identify desired review areas. </li></ul><ul><li>Flowchart the functions and operations under review. </li></ul><ul><li>Evaluate the major risk controls and monitoring systems. </li></ul>
  53. 53. Twelve Point Risk Oriented Compliance Validation <ul><li>Use statistical sampling during the validation process. </li></ul><ul><li>Develop an effective validation process . </li></ul><ul><li>Perform testing – documentation and evaluation of results. </li></ul><ul><li>Understand the results to identify required changes. </li></ul><ul><li>Ensure implementation of changes. </li></ul><ul><li>Report and follow-up . </li></ul>
  54. 54. 5 Basic Requirements of an Integrated Compliance and Risk Management Program <ul><li>The program must utilize very limited personnel and corporate resources. </li></ul><ul><li>The program must be easily accepted, understood, and implemented. </li></ul><ul><li>The program must have permanence and remain intact and effective long after the initial start-up . </li></ul><ul><li>The program must be flexible and capable of change with the growing demands of the organization, industry, and regulations. </li></ul><ul><li>The program must be virtually seamless and invisible to the daily functions of the staff. </li></ul>
  55. 55. 8 Components of an Integrated Compliance and Risk Management Program <ul><li>I. Total organizational management commitment , top down: </li></ul><ul><ul><li>Total organizational commitment must start at the top with management and work its way down through the organization. </li></ul></ul><ul><ul><ul><li>Continually talk compliance and risk management. </li></ul></ul></ul><ul><ul><ul><li>Demonstrate through actions, rewards, and consequences that compliance and risk management is everyone’s responsibility . </li></ul></ul></ul><ul><ul><li>Creation of a risk management review committee . </li></ul></ul><ul><ul><li>Identification of compliance designate in each area. </li></ul></ul><ul><ul><li>Provide quarterly updates to the Board of Directors, committees and senior management. </li></ul></ul><ul><ul><li>Build accountability into all management’s objectives. </li></ul></ul>
  56. 56. 8 Components of an Integrated Compliance and Risk Management Program <ul><li>II. Current and accurate policy and procedures manuals. </li></ul><ul><ul><li>Reflect: </li></ul></ul><ul><ul><ul><li>Organizational Structure </li></ul></ul></ul><ul><ul><ul><li>Workflows </li></ul></ul></ul><ul><ul><ul><li>Vendor System </li></ul></ul></ul>
  57. 57. 8 Components of an Integrated Compliance and Risk Management Program <ul><li>III. Ongoing and thorough education program : </li></ul><ul><ul><li>Some of the more critical reasons for having a thorough and ongoing and organization-wide education and training program are as follows: </li></ul></ul><ul><ul><ul><li>Better trained and knowledgeable organization members </li></ul></ul></ul><ul><ul><ul><li>Clear and consistent understanding throughout the organization </li></ul></ul></ul><ul><ul><ul><li>More efficient, effective, productive controls </li></ul></ul></ul><ul><ul><ul><li>Fewer errors and fraud </li></ul></ul></ul><ul><ul><ul><li>Reduce liability </li></ul></ul></ul><ul><ul><li>There are three important points to be kept in mind for every program: </li></ul></ul><ul><ul><ul><li>Education </li></ul></ul></ul><ul><ul><ul><li>Ownership </li></ul></ul></ul><ul><ul><ul><li>Recognition </li></ul></ul></ul>
  58. 58. 8 Components of an Integrated Compliance and Risk Management Program <ul><li>IV. Compliance validation program (review): </li></ul><ul><ul><li>12-point risk oriented compliance validation </li></ul></ul><ul><ul><ul><li>Map and schedule compliance universe for risk overview </li></ul></ul></ul><ul><ul><ul><li>Gain detailed understanding of the area functions and responsibilities of the identified compliance review areas. </li></ul></ul></ul><ul><ul><ul><li>Create a risk point outline of the area. </li></ul></ul></ul><ul><ul><ul><li>Risk-rank the points of the risk point outline and identify desired review areas. </li></ul></ul></ul><ul><ul><ul><li>Flowchart functions and operations under review. </li></ul></ul></ul>
  59. 59. 8 Components of an Integrated Compliance and Risk Management Program <ul><li>IV. Compliance validation program (review): </li></ul><ul><ul><li>12-point risk oriented compliance validation </li></ul></ul><ul><ul><ul><li>Evaluate major risk controls and monitoring systems. </li></ul></ul></ul><ul><ul><ul><li>Use of statistical sampling during the validation process. </li></ul></ul></ul><ul><ul><ul><li>Development of an effective validation process. </li></ul></ul></ul><ul><ul><ul><li>Completed validation – documentation and evaluation of results. </li></ul></ul></ul><ul><ul><ul><li>Understanding the results to identify required changes. </li></ul></ul></ul><ul><ul><ul><li>Ensuring implementation of changes. </li></ul></ul></ul><ul><ul><ul><li>Reporting and follow-up. </li></ul></ul></ul>
  60. 60. VALIDATION PROCESS <ul><li>VALIDATION IS NOT </li></ul><ul><ul><li>A checklist compliance test. </li></ul></ul><ul><ul><li>Concerned with wholesale sampling. </li></ul></ul><ul><ul><li>Transaction testing. </li></ul></ul><ul><ul><li>Testing every aspect of the department or organization . </li></ul></ul><ul><li>VALIDATION IS </li></ul><ul><ul><li>Concerned with tactical sampling. </li></ul></ul><ul><ul><li>Verifying the effectiveness of processes and controls. </li></ul></ul><ul><ul><li>Uncovering excessive and/or duplicate process and controls that eventually hamper productivity and profitability. </li></ul></ul><ul><ul><li>Identifying training and education needs. </li></ul></ul><ul><ul><li>Validation of the overall soundness of compliance and risk management of the area . </li></ul></ul>
  61. 61. 8 Components of an Integrated Compliance and Risk Management Program <ul><li>V. Strong compliance and risk management controls : </li></ul><ul><ul><li>Identifying where the controls should be . </li></ul></ul><ul><ul><li>Installing those controls that are not there, removing those that don’t belong, and assessing and modifying the remaining desired controls. </li></ul></ul><ul><ul><li>Mandatory vs. Discretionary </li></ul></ul><ul><ul><ul><li>Preventive </li></ul></ul></ul><ul><ul><ul><li>Detective </li></ul></ul></ul><ul><ul><ul><li>Directive </li></ul></ul></ul><ul><ul><ul><li>Mitigating </li></ul></ul></ul>
  62. 62. 8 Components of an Integrated Compliance and Risk Management Program <ul><li>V. Strong compliance and risk management controls: </li></ul><ul><ul><li>Some of the specific benefits of a compliance certification are: </li></ul></ul><ul><ul><ul><li>Line management that is very knowledgeable and kept current of area systems and process. </li></ul></ul></ul><ul><ul><ul><li>Strong awareness of compliance and risk management at the grass roots level. </li></ul></ul></ul><ul><ul><ul><li>Accountability is placed where it belongs and with the people who can affect the change. </li></ul></ul></ul><ul><ul><ul><li>Effective use of existing resources . </li></ul></ul></ul><ul><ul><ul><li>Lower staff costs by not utilizing whole groups or departments of third party reviewers (checker and auditors). </li></ul></ul></ul><ul><ul><ul><li>Ultimate and very beneficial by-products of this approach are increased efficiency, productivity, and overall quality. </li></ul></ul></ul>
  63. 63. 8 Components of an Integrated Compliance and Risk Management Program <ul><li>VI. Well and consistently informed management and staff: </li></ul><ul><ul><li>Hold regularly scheduled compliance and risk management training sessions. </li></ul></ul><ul><ul><li>Create formal information services in the organization. </li></ul></ul><ul><ul><li>Hold regularly scheduled key compliance and risk management meetings. </li></ul></ul><ul><ul><li>Hold regularly scheduled group risk assessment discussions. </li></ul></ul>
  64. 64. 8 Components of an Integrated Compliance and Risk Management Program <ul><li>VII. Adequate Staffing in the Business Units: </li></ul><ul><ul><li>The compliance designate must: </li></ul></ul><ul><ul><ul><li>Acquire basic knowledge and understanding of the laws, regulations, and corporate policy that directly affects his or her area. </li></ul></ul></ul><ul><ul><ul><li>Review and be thoroughly familiar with the area and department policy and procedure manual. </li></ul></ul></ul><ul><ul><ul><li>Keep the department fully informed on all relevant compliance requirements, matters, and problems. </li></ul></ul></ul><ul><ul><ul><li>Act as focal point for the department compliance and risk management issues. </li></ul></ul></ul><ul><ul><ul><li>Keep fully informed and understand the audit programs , approach, technique, and requirements. </li></ul></ul></ul><ul><ul><ul><li>Assist in the area preparation of all audits. </li></ul></ul></ul><ul><ul><ul><li>Act as major information source during all audits. </li></ul></ul></ul><ul><ul><ul><li>Coordinate and/or perform the department compliance validation . </li></ul></ul></ul><ul><ul><ul><li>Be responsible for the coordination of all area compliance and risk management education needs. </li></ul></ul></ul>
  65. 65. 8 Components of an Integrated Compliance and Risk Management Program <ul><li>VIII. Internal Audit as a Team Member: </li></ul><ul><ul><li>Review all of the audit programs to determine if they have the most effective focus for ensuring that the bank meets compliance, risk management, and regulatory requirements. </li></ul></ul><ul><ul><li>Review all of the audit programs to determine if they are consistent in their application and execution . </li></ul></ul><ul><ul><li>Review all of the audit programs to determine if they have a process and control orientation and not a transactional focus. </li></ul></ul><ul><ul><li>Review the audit scope to determine if it covers all of the appropriate areas and functions. </li></ul></ul>
  66. 66. Developing a Risk-Based Compliance Team <ul><li>Compliance teamwork benefits: </li></ul><ul><ul><li>More efficient operations </li></ul></ul><ul><ul><li>Reduced personnel </li></ul></ul><ul><ul><li>More responsive and flexible system </li></ul></ul><ul><ul><li>Better educated management and staff </li></ul></ul><ul><ul><li>Increased productivity </li></ul></ul><ul><ul><li>Reduced overall risk </li></ul></ul><ul><ul><li>Reduced overall cost </li></ul></ul>
  67. 67. Developing a Risk-Based Compliance Team <ul><li>Compliance and risk management team: </li></ul><ul><ul><li>The Board of Directors </li></ul></ul><ul><ul><li>Fiduciary Committees </li></ul></ul><ul><ul><li>Senior management </li></ul></ul><ul><ul><li>Line management </li></ul></ul><ul><ul><li>Staff </li></ul></ul><ul><ul><li>Compliance Officer </li></ul></ul><ul><ul><li>Internal Auditor </li></ul></ul><ul><ul><li>Legal counsel </li></ul></ul>
  68. 68. Developing a Risk-Based Compliance Team <ul><li>Board of Director Responsibilities: </li></ul><ul><ul><li>Review the organization’s strategic and business plan for appropriate direction, business fit, and overall soundness. </li></ul></ul><ul><ul><li>Each board member must be given a copy of the Key Operating Policy and Procedure Manual for review. </li></ul></ul><ul><ul><li>Review quarterly, the actual financial and business results of the organization in comparison to expectations and plan . </li></ul></ul><ul><ul><li>Affirm and require on a quarterly, the actual financial and business results of the organization in comparison to expectations and plan. </li></ul></ul><ul><ul><li>Affirm and require on a quarterly basis, evidence of the organization’s compliance with the laws, regulations, and corporate policies. </li></ul></ul><ul><ul><li>Periodic review and approval of the organization’s major risk areas and functions. </li></ul></ul><ul><ul><li>Act as the Management Operating Review Committee . Review and pass recommendations on all major operations changes and considerations. </li></ul></ul>
  69. 69. Developing a Risk-Based Compliance Team <ul><li>Audit Committee Functions: </li></ul><ul><ul><li>Each committee member must be given a copy of the Key Operating Policy and Procedure Manual for review. </li></ul></ul><ul><ul><li>Perform a quarterly review and assessment of the organization’s Integrated Compliance and Risk Management Program to determine if it meets the needs of the organization. </li></ul></ul><ul><ul><li>Review financial statements and reporting results for major variances and exceptions. </li></ul></ul><ul><ul><li>Review annually the organization’s major risk policies . </li></ul></ul><ul><ul><li>Assess and attest to the internal and external audit independence. </li></ul></ul><ul><ul><li>Review the plan and scope of the internal audits based on assessment. </li></ul></ul>
  70. 70. Developing a Risk-Based Compliance Team <ul><li>Audit Committee Functions: </li></ul><ul><ul><li>Review and formally approve annually the internal audit programs and schedule of audits. </li></ul></ul><ul><ul><li>Review all internal audit results . Ensure that all major risk issues haves been identified and are being addressed. </li></ul></ul><ul><ul><li>Give a report to the Board Of Directors on a quarterly basis, on the committee’s evaluations, conclusions, and recommendations on the condition of the organization’s compliance and risk management activities and the effectiveness of its policies, procedures, and controls, with regulation, law, corporate policy, and sound compliance and risk management principles. </li></ul></ul><ul><ul><li>Review all external audits and examinations by outside accounting firms and government regulators. </li></ul></ul>
  71. 71. Developing a Risk-Based Compliance Team <ul><li>Role of Line Management: </li></ul><ul><ul><li>Line management has the primary responsibility and accountability for complete compliance and risk management in the organization. </li></ul></ul><ul><ul><li>Keep policies and procedures current and accurate . </li></ul></ul><ul><ul><li>Develop and maintain internal compliance controls in their area and department. </li></ul></ul><ul><ul><li>Develop with compliance and maintain a compliance validation and a compliance certification program for their area and department to identify potential compliance and risk management issues. </li></ul></ul><ul><ul><li>Take immediate corrective action on all identified issues. </li></ul></ul><ul><ul><li>Keep staff educated and maintain high compliance awareness. </li></ul></ul>
  72. 72. Developing a Risk-Based Compliance Team <ul><li>Role of the Compliance Officer and Compliance Function: </li></ul><ul><ul><li>Review the organization’s Integrated Compliance and Total Risk Management Program for adequacy and effectiveness. </li></ul></ul><ul><ul><li>Assist in the development and maintenance of policies , procedures, internal controls, validation, and training and education programs. </li></ul></ul><ul><ul><li>Monitor the organization’s management of risk and compliance and the effectiveness of its controls. </li></ul></ul><ul><ul><li>Conduct spot testing to confirm overall compliance. </li></ul></ul><ul><ul><li>Act as interface between auditors and examiners. </li></ul></ul><ul><ul><li>Monitor regulatory changes and ensure that compliance requirements and corporate policy are current. </li></ul></ul><ul><ul><li>Be responsible for the oversight of the training and education program. </li></ul></ul>
  73. 73. Developing a Risk-Based Compliance Team <ul><li>Role of Audit : </li></ul><ul><ul><li>Ensure compliance and risk management effectiveness by performing strong audits that focus on sound compliance, and risk management processes, controls and practices, and the concerns of regulators. </li></ul></ul>
  74. 74. Developing a Risk-Based Compliance Team <ul><li>Role of Legal : </li></ul><ul><ul><li>Support the compliance and risk management effort through legal review and opinion of actual and potential issues and management considerations. </li></ul></ul>
  75. 75. Common Challenges in Developing an Effective Integrated Compliance and Total Risk Management <ul><li>Organizational structure : The importance of the right culture. </li></ul><ul><li>Compliance and risk management areas : They exist everywhere. </li></ul><ul><li>Resources : Every organizational member is a team resource. </li></ul><ul><li>Motivational requirements : Compliance is the right thing to do. </li></ul>
  76. 76. Building an Environment of Effective Compliance <ul><li>Establish an incentive and reward system based on excellence and hard work. </li></ul><ul><li>Develop an ethical environment that can foster and sustain responsible decisions. </li></ul><ul><li>Build a system of ethical practice throughout the compliance program and the organization. </li></ul>
  77. 77. CHECKLISTS & QUESTIONAIRES <ul><li>Management appraisal </li></ul><ul><ul><li>360 0 Evaluations </li></ul></ul><ul><li>Audit Function </li></ul><ul><li>Internal Audit </li></ul><ul><li>Internal Quality Control </li></ul><ul><li>Regulatory Compliance </li></ul><ul><li>Required Reporting (Federal & State) </li></ul>
  78. 78. CHECKLISTS & QUESTIONAIRES <ul><li>Personal Trust, Court & Agency Services </li></ul><ul><ul><li>See sample </li></ul></ul><ul><li>Retirement Services </li></ul><ul><ul><li>See sample </li></ul></ul><ul><li>Corporate Trust & Transfer Agency Services </li></ul><ul><ul><li>See sample </li></ul></ul><ul><li>Operations </li></ul><ul><ul><li>See sample </li></ul></ul><ul><li>Asset & Portfolio Management </li></ul><ul><ul><li>See sample </li></ul></ul><ul><li>Custody & Related Services </li></ul><ul><ul><li>See sample </li></ul></ul>
  79. 79. What is Risk? <ul><li>Risk is the probability that an event or action may adversely affect an organization’s ability to function properly. </li></ul><ul><li>As part of the process of meeting objectives of any program, there is a degree of uncertainty intrinsic (built-in) to the achievement of those objectives. </li></ul><ul><li>Risk involves consequences (severity) and the likelihood (frequency) that negative events will take place. </li></ul>
  80. 80. What is Risk? <ul><li>To identify risk related to objectives, ask common sense questions like the following: </li></ul><ul><ul><li>What resources/assets need to be protected (i.e., financial records, land records, etc.)? </li></ul></ul><ul><ul><li>Do we have liquid assets or assets which could be used by others easily ? </li></ul></ul><ul><ul><li>How could someone steal assets (i.e., oil from oil leases) ? </li></ul></ul><ul><ul><li>How could someone disrupt operations ? </li></ul></ul>
  81. 81. What is Risk? <ul><li>To identify risk related to objectives, ask common sense questions like the following: </li></ul><ul><ul><li>How do we know if we are achieving our objectives? </li></ul></ul><ul><ul><li>What information is most relied upon ? </li></ul></ul><ul><ul><ul><li>What information does each manager monitor? </li></ul></ul></ul><ul><ul><li>On what do we spend the most money ? </li></ul></ul><ul><ul><li>What decisions require the best judgment ? </li></ul></ul><ul><ul><li>What activities are most complex ? </li></ul></ul><ul><ul><li>What activities are regulated ? </li></ul></ul><ul><ul><li>What is the greatest legal exposure ? </li></ul></ul>
  82. 82. What is Risk? <ul><li>Consequences are tangible outcomes of risk associated with decisions, events, or processes related to the successful operation of any particular government program. </li></ul><ul><li>Consequences involve a cause or event with a related effect . </li></ul>
  83. 83. What is Risk? <ul><li>The effect of risk can involve: </li></ul><ul><ul><li>An erroneous decision as the result of using incorrect, untimely, incomplete, or otherwise unreliable information. </li></ul></ul><ul><ul><li>Erroneous record keeping , inappropriate accounting, fraudulent financial reporting, financial loss, and exposure. </li></ul></ul><ul><ul><li>Failure to adequately safeguard assets. </li></ul></ul>
  84. 84. What is Risk? <ul><li>The effect of risk can involve: </li></ul><ul><ul><li>Customer dissatisfaction , negative publicity, and damage to the organization’s reputation. </li></ul></ul><ul><ul><li>Failure to adhere to organizational policies and procedures, or not complying with relevant laws and regulations. </li></ul></ul><ul><ul><li>Acquiring resources uneconomically or using them inefficiently or ineffectively. </li></ul></ul><ul><ul><li>Failure to accomplish established objectives and goals for the program. </li></ul></ul>
  85. 85. Risk Increasers <ul><li>Concentration </li></ul><ul><li>Correlation </li></ul>
  86. 86. Design of Internal Controls <ul><li>A prerequisite to designing good internal controls used by an organization is to have clear, precise, and quantifiable objectives in place. </li></ul><ul><li>An excellent place to start when identifying objectives is the Strategic Plan and Mission Statement of your area . </li></ul><ul><li>Objectives are needed in order to determine what are the necessary controls to put in place and when the controls have been successful. </li></ul><ul><li>When objectives have been established, the risks associated with accomplishing each objective can be determined. </li></ul><ul><li>Only when risks associated with the activities involved in completing objectives are identified can the required controls be determined to ensure successful completion of the objectives. </li></ul>
  87. 87. Internal Control Development as it Relates to Risk OBJECTIVE (What do you want to accomplish?) RISK (What can go wrong to prevent you from accomplishing your objectives?) CONTROLS (What can be done to minimize the risks?)
  88. 88. Internal Control Defined <ul><li>Internal control is broadly defined as a process, effected by management and other personnel, designed to provide reasonable assurance that the objectives of the area are being achieved in the following categories: </li></ul><ul><ul><li>Effectiveness and efficiency of operations including the use of the entity’s resources. </li></ul></ul><ul><ul><li>Reliability of financial reporting , including reports on budget execution, financial statements, and other reports for internal and external use. </li></ul></ul><ul><ul><li>Compliance with applicable laws and regulations. </li></ul></ul><ul><ul><li>Control (safeguarding) of assets. </li></ul></ul>
  89. 89. Standards of Internal Control <ul><li>The five standards for internal control are: </li></ul><ul><ul><li>1. Control Environment </li></ul></ul><ul><ul><li>2. Risk Assessment </li></ul></ul><ul><ul><li>3. Control Activities </li></ul></ul><ul><ul><li>4. Information and Communications </li></ul></ul><ul><ul><li>5. Monitoring </li></ul></ul>
  90. 90. 1. Control Environment <ul><li>The control environment sets the tone of an organization , influencing the control consciousness of its people. </li></ul><ul><li>It is the foundation for all other components of internal control, providing discipline and structure. </li></ul><ul><li>Several key factors affect the control environment. </li></ul><ul><li>Integrity and ethical values maintained and demonstrated by management and staff is one factor. </li></ul><ul><li>Area management plays a key role in providing leadership in this area, especially in setting and maintaining the organization’s ethical tone, providing guidance for proper behavior, removing temptations for unethical behavior, and providing discipline when appropriate. </li></ul>
  91. 91. 2. Risk Assessment <ul><li>Internal control should provide for an assessment of the risks the area faces from both external and internal sources. </li></ul><ul><li>A precondition to risk assessment is establishment of clear, consistent area objectives. </li></ul><ul><li>Risk assessment is the identification and analysis of relevant risks associated with achieving the objectives, and forming a basis for determining how risks should be managed. </li></ul>
  92. 92. 3. Control Activities <ul><li>Internal control activities help ensure that management’s directives are carried out. </li></ul><ul><li>The control activities should be effective and efficient in accomplishing an area’s control objectives. </li></ul><ul><li>Control activities are the policies, procedures, techniques, and mechanisms that enforce management’s directives. </li></ul><ul><li>They help ensure that actions are taken to address risks to achievement of the entity’s objectives. </li></ul><ul><li>Control activities are an integral part of an entity’s planning, implementing, reviewing, and accountability for stewardship of government resources and achieving effective results. </li></ul>
  93. 93. 3. Control Activities <ul><li>There are certain categories of control activities that are common to all organizations. </li></ul><ul><li>Examples include the following: </li></ul><ul><ul><li>Top level reviews of actual performance </li></ul></ul><ul><ul><li>Reviews by management at the functional or activity level </li></ul></ul><ul><ul><li>Management of human capital </li></ul></ul><ul><ul><li>Controls over information processing </li></ul></ul><ul><ul><li>Physical control over vulnerable assets </li></ul></ul><ul><ul><li>Establishment and review of performance measures and indicators </li></ul></ul><ul><ul><li>Segregation of duties </li></ul></ul><ul><ul><li>Proper execution of transactions and events </li></ul></ul><ul><ul><li>Accurate and timely recording of transactions and events </li></ul></ul><ul><ul><li>Access restrictions to and accountability for resources and records </li></ul></ul><ul><ul><li>Appropriate documentation of transactions and internal control </li></ul></ul>
  94. 94. 4. Information and Communications <ul><li>Information should be recorded and communicated to management and others in a form and within a time frame that enables them to carry out their responsibilities. </li></ul><ul><li>Information systems produce reports containing operational, financial and compliance–related information that make it possible to run and control the trust activities at hand. </li></ul>
  95. 95. 4. Information and Communications <ul><li>They deal not only with internally generated data , but also information about external events, activities, and conditions necessary to allow informed decision making and external reporting. </li></ul><ul><li>Effective communication also must occur in a broader sense, flowing down, across and up the individual bureaus and between bureaus located in the Department. </li></ul><ul><li>All personnel must receive the clear message </li></ul>
  96. 96. 5. Monitoring <ul><li>Internal control monitoring should assess the quality of performance over time and ensure that the findings of audits and other reviews are promptly resolved . </li></ul><ul><li>Internal control should generally be designed to ensure that ongoing monitoring occurs in the course of normal operations. </li></ul><ul><li>It is performed continually and is ingrained in the organization’s operations. </li></ul><ul><li>It includes regular management and supervisory activities , comparisons, reconciliation, self-evaluations, and other actions people take in performing their duties. </li></ul>
  97. 97. Internal Control Components
  98. 98. Appendix-Listing Of 15 Primary Internal Controls
  99. 99. Access to Equipment and Data Files <ul><li>Since information is valuable and often confidential, it must be physically safeguarded against unauthorized access and intentional or unintentional damage. </li></ul><ul><li>Access devices are designed so that only certain persons can operate them, passwords are used, data is encrypt ed, computer rooms are locked and protected against fire and heat, files are carefully handled and controlled, data is copied and stored in separate, offsite locations, and other similar procedures are followed. </li></ul>
  100. 100. Audit <ul><li>The effectiveness of any internal control system must be monitored to be successful. </li></ul><ul><li>Departmental reviews, quality control auditing, internal auditing and external auditing are the primary means of monitoring an internal control system. </li></ul>
  101. 101. Authorizations for Intended Actions <ul><li>Allocating resources for future activities require management authorization to ensure the proper use of personnel, office equipment and other assets to avoid waste and minimize possible conflicting needs within an organization. </li></ul>
  102. 102. Approvals for Actions Taken <ul><li>Many day-to-day activities have built-in segregation of duties and responsibilities and may only require an approval after an action has been taken as a final check and balance. </li></ul>
  103. 103. Commitment to Competence <ul><li>Hiring, training and maintaining the technical skills of employees assigned to complete critical tasks helps eliminate errors in judgment and mistakes due to ignorance. </li></ul><ul><li>Even the best designed internal control systems or business practices will fail if an employee lacks the skills and training needed to complete a given task. </li></ul>
  104. 104. Communication of the Importance of Internal Controls <ul><li>organizations can set a tone and influence the behavior of its employees when the highest levels of management stress the importance of the internal controls. </li></ul><ul><li>Without high-level support, and commitment toward internal control efforts, internal reviews and other self-checks become ineffective. </li></ul>
  105. 105. Documentation of Workflow <ul><li>In larger organizations, or those whose work must be integrated with work completed by another operating unit, flow charting or otherwise documenting the workflow is a key element in maintaining internal control. </li></ul><ul><li>Critical points where two or more non-integrated information systems must agree or where potential control problems might occur must be identified and control procedures incorporated into the workflow at those points. </li></ul>
  106. 106. Duplication of Activities <ul><li>Since the cost of duplicating critical activities is prohibitive, a good internal control system employs a separation of activities into interrelated segments, which must mesh at critical points within a process. </li></ul><ul><li>If one segment is off, the other parts should reflect the imbalance. </li></ul>
  107. 107. Closure of Identified Problems <ul><li>The monitoring of any internal control system must include the final resolution of audit findings and other identified weaknesses in a timely manner. </li></ul><ul><li>Resolving these issues not only strengthens the internal control system but also reinforces management’s commitment to and support of the system. </li></ul>
  108. 108. Reports <ul><li>Reports of past events serve as the most significant control by management of its operations. </li></ul><ul><li>These reports must be timely, complete, concise and accurate. </li></ul><ul><li>The reports must also be impartial and present an accurate picture of what has actually occurred. </li></ul>
  109. 109. Separation of Duties <ul><li>Separating the operational responsibility from the accountability insures that the same individual is not authorizing and performing a task and also responsible for reporting the results. </li></ul>
  110. 110. Supervision of Critical Activities <ul><li>Management must identify the points within the area’s operating processes that are most critical and routinely supervise these activities to help ensure the area’s objectives are being met in a competent manner. </li></ul>
  111. 111. Physical Control and Safe Guards of Assets <ul><li>All resources have some value and protecting a particular asset from theft or misuse helps insure that the particular asset will be available for its intended used when needed. </li></ul>
  112. 112. Data Input Controls <ul><li>Input controls are essential to assure that only authorized data is entered into the computer and that such data is correct. </li></ul><ul><li>Among the more important types of input controls are; “Key Verification” that allows the typist to re-key in entries to check the data for correctness, and the use of “Check Digits” and “Control Totals” to verify that all of the data put into the computer is processed. </li></ul>
  113. 113. Data Output Controls <ul><li>With the heightened reliability of today’s Electronic Data Processing systems, and reliable Input controls, the need for Output controls is limited to error listings and the physical control of the reports that are generated. </li></ul>
  114. 114. The Compliance Officer As a First Class Consultant EXTRA CREDIT
  115. 115. The Compliance Officer as “Consultant to Management” <ul><li>Compliance is both: </li></ul><ul><li>A Control Process </li></ul><ul><ul><li>Safeguarding Assets </li></ul></ul><ul><ul><li>Compliance with Laws </li></ul></ul><ul><ul><li>Reliability of Information </li></ul></ul><ul><li>An Improvement Process </li></ul><ul><ul><li>Achievement of Objectives </li></ul></ul><ul><ul><li>Economic and Efficient Use of Resources </li></ul></ul>
  116. 116. The Roles of Compliance Officers <ul><li>The Purpose of Compliance is to compare: </li></ul><ul><li>What is: What should be: </li></ul><ul><li>The Watchdog Role: Watch and Warn. </li></ul><ul><li>The Consultant Role: Advise and Participate. </li></ul><ul><li>The Catalyst Role: Leading and Moving. </li></ul>
  117. 117. Compliance Interaction Model (C) Copyright 1994
  118. 118. The Relationship of Role to Other Compliance Elements <ul><li>Relationships </li></ul>
  119. 119. The Role of the Consultant <ul><li>The consultant gives improvement advice. </li></ul><ul><li>Practices operational, value-for-money, or performance enhancement skills. </li></ul><ul><li>The focus of the consultant is on the conservation of the organization’s resources and helping managers manage. </li></ul><ul><li>Makes sure the organization gets best use of its assets (human, physical, financial, information). </li></ul><ul><li>These reviews of economy, efficiency, and effectiveness usually have a mid-term impact on management. </li></ul>
  120. 120. 5 Skills that Make A Good Consultant <ul><li>1. Listener: </li></ul><ul><ul><li>A good consultant listens and observes 90% of the time. </li></ul></ul><ul><ul><li>Careful listening is the first step in problem identification. </li></ul></ul>
  121. 121. 5 Skills that Make A Good Consultant <ul><li>2. Learner: </li></ul><ul><ul><li>Before you can teach, you must learn. </li></ul></ul><ul><ul><li>Most clients want the latest in thinking and best practices. </li></ul></ul><ul><ul><li>Similar to training for a professional athlete. </li></ul></ul>
  122. 122. 5 Skills that Make A Good Consultant <ul><li>3. Teacher: </li></ul><ul><ul><li>Must be unselfish with knowledge. </li></ul></ul><ul><ul><li>Skill in oral communication and organizing thoughts. </li></ul></ul><ul><ul><li>Genuine interest in helping people to learn. </li></ul></ul>
  123. 123. 5 Skills that Make A Good Consultant <ul><li>4. Problem Solver: </li></ul><ul><ul><li>What are the goals (outcomes) desired? </li></ul></ul><ul><ul><li>What processes are in lace to produce these? </li></ul></ul><ul><ul><li>What processes are in place to provide Feedback? </li></ul></ul><ul><ul><li>Who will monitor the Feedback Process? </li></ul></ul><ul><ul><li>How will improvements to the processes be made? </li></ul></ul><ul><ul><li>What reward systems are in place for improvements? </li></ul></ul>
  124. 124. 5 Skills that Make A Good Consultant <ul><li>5. Team Builder: </li></ul><ul><ul><li>Problems tend to be complex, so consultants must be able to work with others. </li></ul></ul><ul><ul><li>Working with teams, leading teams, helping to build teams. </li></ul></ul>
  125. 125. Teams and Team Work <ul><li>Teams are not committees! </li></ul><ul><li>Teams share common goals. </li></ul><ul><li>Teams share leadership and tasks. </li></ul><ul><li>Teams have their own purpose, roles and responsibilities. </li></ul><ul><li>Teams are interdependent. </li></ul>
  126. 126. Compliance Officers and Teams <ul><li>A compliance team to perform an compliance assessment. </li></ul><ul><li>A joint review/investigation team to perform a fraud investigation. </li></ul><ul><li>An improvement team to work on improving the compliance process. </li></ul><ul><li>A cross-functional team of compliance and others to improve the organization. </li></ul>
  127. 127. Setting Up a Team - 1 <ul><li>Clearly define the purpose of the team: </li></ul><ul><li>Our team is important because _____________ </li></ul><ul><li>If it weren’t for us _________________________ </li></ul>
  128. 128. Setting Up a Team - 2 <ul><li>Establish a set of Ground Rules: </li></ul><ul><li>Behaviorally defined (“Do not interrupt”). </li></ul><ul><li>Use consensus to develop ground rules. </li></ul><ul><li>Keep visible. </li></ul><ul><li>Call time-out when broken. </li></ul><ul><li>Revisit from time-to-time to ensure that they are working. </li></ul>
  129. 129. Setting Up a Team - 3 <ul><li>Establish Team Roles: </li></ul><ul><li>Team Leader. </li></ul><ul><li>Team Facilitator. </li></ul><ul><li>Team Scribe. </li></ul><ul><li>Team Member. </li></ul>
  130. 130. How to Gain these Skills? <ul><li>Practice, practice, practice </li></ul><ul><li>Three Principles: </li></ul><ul><li>1. Value diversity : Seek out people that think differently than you. </li></ul><ul><li>2. Coping, not Controlling : Stay focused on the essential elements; don’t bog down in trivia. </li></ul><ul><li>3. Devote at least 5% to Learning New Skills. </li></ul>