Internal control system in Vietnamese commercial banks

city. 8 1.3. Conclusion on research gaps Through the author's overall research, there have been many studies on internal control systems in different industries, fields, and units but there are still gaps for the topic to continue researching and exploiting. can: Regarding the content: According to the author's overall research, from a theoretical research perspective, most of the topics approach to internal control systems under the perspective of corporate governance within a Sector, a Ministry, or a Corporation. ... but has not mentioned the role of the State with the function of macro-management, performing the management/supervision of operations for enterprises in general and banks in particular. Regarding the scope of research: According to the author's overall research, there are very few general studies on the theory and practice of internal control systems of commercial banks in the industry, especially approaching internal control systems. with the important function of warning and preventing risks that may occur in business activities of the banking industry. From the above reasons, the author thinks that space for the author to study the topic "Internal control in Vietnamese commercial banks" is completely appropriate and necessary. The thesis focuses on studying the basic issues of internal control systems in commercial banks; assess the status of the internal control system in commercial banks in Vietnam from the perspective of state management and the components of the internal control system itself; propose solutions to perfect the internal control system in commercial banks in Vietnam. Chapter 2 BASIC ISSUES ON INTERNAL CONTROL AND INTERNAL CONTROL SYSTEM OF COMMERCIAL BANKS 2.1. Internal control 2.1.1. Control in management 2.1.1.1. The concept and role of control in governance Control is a function that managers must perform, even though the results of the work of all departments are achieved according to the set plan. To ensure things are on track, managers must monitor and evaluate the results of their work. Actual results must be compared with the goals established earlier for the manager to take the necessary actions to ensure the organization is on track. From different perspectives on control and identifying the role of control in management, according to the author, a comprehensive understanding of control can be understood as follows: Control is an important function of management. done regularly in all aspects of operations and all levels of management within the business. The ultimate goal of control is to make the business reach its highest goal with the lowest cost and level of risk. 2.1.1.2. Classification of control 9 Control is classified according to the relationship of the controlling subject with the controlling object; influence level, time of control, content, target, control target. 2.1.2. Internal control 2.1.2.1. The history of development and the nature of internal control According to COSO's definition of internal control: "Internal control is a process, influenced by the board of directors, managers and employees of the unit, designed to provide a consistent assurance. reason to achieve operational, financial reporting and compliance goals " From the different perspectives on internal control, in the author's opinion, internal control is processes, measures, and methods set up by management and other individuals in the unit to control all activities taking place. in the business as well as preventing and dealing with risks that may occur during the operation of the unit, to achieve the ultimate goal of ensuring that the business operates in the right direction, business strategy. have set and sustainable development, achieving the highest efficiency with the lowest level of risk. 2.1.2.2. Limitations of internal control Stemming from the characteristics of internal control is to help provide a reasonable guarantee for achieving the goals of the business. Therefore, internal control systems, no matter how perfectly designed, cannot overcome inherent limitations: Internal control only takes into account expected errors without taking into account irregularities or irregularities; Errors caused by staff in designing procedural control and performing tasks in the internal control system; Controls may be disabled due to collusion; Due to the fault of the software features; The risk depends entirely on the selection board; Limit on cost. 2.2. The internal control system in commercial banks 2.2.1. Overview of the internal control system in commercial banks 2.2.1.1. Concept and evaluation framework of the internal control system in commercial banks The internal control system is defined at Circular 13 of the State Bank: "Internal control system is a set of mechanisms, policies, processes, internal regulations, the organizational structure of commercial banks and branches. foreign banks are built following the provisions of the Law on Credit Institutions, this Circular, and relevant laws and are implemented to control, prevent, detect, and handle in time. risk and achieve set requirements. Internal control system implements supervision of senior management, internal control, risk management, internal assessment of sufficient capital and internal audit " The evaluation framework of the internal control system issued by COSO is used not only in the US but also widely applied in many countries around the world. Most of the banks in the countries have applied the unified framework for internal control according to COSO to evaluate the internal control system. Based on the internal control framework of the COSO, the Basel Committee has issued a 10 framework for internal control, which serves as a guide for the establishment and evaluation of internal control systems in banks, especially those that comply with Basel. .. 2.2.1.2. Roles and objectives of the internal control system in commercial banks The internal control system plays a very important role in the operation of the bank. Because the operation of the internal control system is an integral part of the daily activities of the bank. The internal control system is organized regularly and continuously to ensure that all operational processes of the bank are implemented under the laws, safety, and efficiency. 2.2.1.3. Basic principles of the internal control system in commercial banks The internal control system is associated with the responsibilities and powers of all departments, processes, operations, and every employee in a unit. It is designed by business administrators. An internal control system is considered to promote wellness, it should follow 5 basic principles: ensure validity; ensure efficiency; ensure completeness and comprehensiveness; ensure the rationality; Ensure timeliness. 2.2.2. Components of the internal control system in commercial banks 2.2.2.1. Environment controlled According to the COSO Report, "The control environment reflects the general nuance of an organization, affecting the consciousness of everyone in the unit, which is the foundation for other parts of the system". The control environment includes management and management functions, perceptions, and actions of the Management Board and the Board of Directors related to internal control of the operation of the entity. The control environment reflects the character of the entity, influenced by the consciousness of the people within the organization. 2.2.2.2. Risk assessment process The risk assessment process will help identify and analyze the risks to the implementation of the entity's goals from which to design control procedures - which is considered a key factor to promote. efficiency and performance of the internal control system. The Bank not only sets the desired goals to achieve but also understands the risks encountered in the implementation process. The risk assessment process is carried out through the following steps: Determining goals; Identify risks; Analyze and assess risks; Decide on appropriate actions for such risks. 2.2.2.3. Operation control According to COSO 2005, the control activities are the supporting policies and procedures to ensure the direction of managers. The objective of the control activities is to ensure that the directions of the Board of Directors are followed. Control activity appears throughout the organization, at all levels, and in all functions. Control exists at all levels of governance within the bank, including general control related to multiple control objectives and specific control activities that focus on each objective. 11 2.2.2.4. Information system and information exchange The information and information exchange system creates a report, containing information necessary for the management and control of the unit. The necessary information must be identified and collected and exchanged within the unit to help people perform their duties. The information and information exchange system includes an overall system related to the processing, storage, and provision of information within the unit and contributes to the connection with other components in the internal control system. 2.2.2.5. Monitoring Monitoring of controls is the process of assessing the performance of internal control systems in each period, to ensure that the internal control system is always operating effectively, promptly detecting the defects of the internal control system and taking measures. remedy as soon as possible. Monitoring includes regular and periodic monitoring, evaluation of internal control systems, and reporting of system limitations. 2.2.3. Internal control system and risk management in commercial banks 2.2.3.1. Risks and risk management in the bank Risk is associated with any business in the process of operation. Risks are things that happen unexpectedly and bring bad consequences. There are many different ways of defining risks, the author approaches the State Bank's definition of risks "Risk is the possibility of losses (financial losses, non-financial losses) that reduce income and capital. own capital has led to a reduction in capital adequacy ratio or restriction of foreign bank branch's ability to achieve business objectives ". During its operation, the bank may encounter the following significant risks: Credit risk, operational risk, market risk, liquidity risk, interest rate risk on the bank book To minimize the losses and losses caused by risks to the bank and minimize the adverse effects of risks, managers at all levels in the bank must conduct risk management. Figure 2.2: Risk management process of commercial banks 12 Source: Author complied 2.2.3.2. Internal control system and risk management in the bank Internal control systems and bank risk management have a two-way relationship, mutual interaction, and mutual support. This is shown by the internal control system itself is built based on identifying and analyzing the risks that may occur in the operation of the bank, and the internal control system is set up and operated for purpose of preventing and minimizing possible risks, affecting the implementation of the bank's objectives. 2.3. The influence of commercial bank characteristics on the internal control system 2.3.1. Commercial banks and the requirements set out for the internal control system Commercial banks are a special type of business with the most complex business operations in the economy. In essence, a commercial bank is a form of financial intermediation standing between lenders and borrowers, the basic operation of the bank is to borrow to lend and the object of the bank's transactions are economic institutions and individuals. Therefore, the bank's business activities have certain characteristics, thereby setting requirements for the design and operation of internal control systems based on scale, potential risks, broad customer relationships. and diversity, the scope of activities and interdependence are very large and the most closely managed management agencies ... 2.3.2. Factors affecting internal control systems in commercial banks The internal control system is understood not as a factor but rather as a collection of elements of the same type that are closely related to achieve the set targets. Therefore, to find out the factors affecting the design of internal control systems, the author is based on the concept of "mixing" in Mikes's research. Figure 2.3. Factors affecting internal control system Source: Author complied 13 2.3.3. State management for the internal control system in commercial banks Within the scope of the study, the author limits the subject of state management to commercial banks as the SBV. Therefore, when researching the state management of commercial banks on the internal control system, in the aspect of management of the State Bank for internal control of the internal banking system, including the following contents: 2.3.3.1 Building and maintaining the operation of internal control systems in commercial banks This is a mandatory requirement for commercial banks, whereby they must build an internal control system that helps the General Director (Director) to operate smoothly, safely, and lawfully all operations. Ensuring compliance with the accounting and accounting regimes according to regulations and having an internal information system on finance, operations, compliance situation in the bank and economic situation, outside the market. management, reliability, and timeliness to serve the management and effective operation 2.3.3.2. The internal control system in commercial banks must regularly self- check and evaluate To ensure the operation of the internal control system is effective and effective, individuals and departments at all levels of the bank must regularly, continuously inspect and self-inspect the implementation of internal regulations and processes. related and must be responsible for the results of the performance of assigned operations. 2.3.3.3. The operation of internal control systems in commercial banks must be independently assessed The independent evaluation of independent audits for the internal control system is implemented following the State Bank's regulations on an independent audit of commercial banks. To ensure the objectivity of the review and completion, the internal control system of commercial banks must be independently evaluated by the provisions of Clause 3, Article 40 of the Law on Credit Institutions. 2.3.3.4. Report the operation of the internal control system to the State management agency The State Bank manages the internal control system of commercial banks through the reports of commercial banks. The report on the internal control system must update the existing, limited, new risks arising from the internal control system in all commercial banks (including parts at the head office, branches and other dependent units of According to the State Bank's regulations on the commercial bank's operation network, the report on the internal control system includes: Annual report on the results of self-examination and evaluation of internal control; about risk management, about the internal assessment of sufficient capital, and internal audit. 14 2.4. International experience on the operation of internal control systems in commercial banks and lessons learned for Vietnam In the UK The model of the internal control system is built based on practice, very effective in risk management at banks in the UK such as Lloyds, Bank of England ... is a three-round defense model. The purpose of building this model is to better manage risk and thereby increase shareholder's assets In Thailand The Thai banking system has been in operation for hundreds of years, however, it was shaken during the Asian financial crisis in 1997-1998. Many commercial banks and financial companies went bankrupt or were forced to merge. In this situation, Thai banks must review the entire policy, manner, process of banking activities, especially internal control activities in banks to minimize risks. Conclusion for Chapter 2 In chapter 2, the author systematized and concretized the basic theoretical issues about the internal control system. The components of the system are also analyzed, synthesized, and generalized to clarify the nature of the internal control system as an effective tool for managers to realize the goals of the internal control system. specific bank: - Systematize basic theoretical issues about internal control systems in enterprises in general and banks in particular. Analysis of different views on the internal control system, the role, position, objectives, principles, and five components of the internal control system in commercial banks. - Analyzing factors affecting the internal control system in commercial banks. The thesis clarifies the influence of operational characteristics of commercial banks affecting the design and operation of internal control systems while analyzing internal control systems with risk management in commercial banks. - Analysis of state management of the internal control system in commercial banks, limited state management entity is the State Bank and state management of internal control system in commercial banks, including 4 main contents. - The thesis researches the experience of operating internal control systems of banks in some countries around the world such as the United Kingdom, Thailand, Singapore, from which draw lessons for the construction and operation of internal control systems in banks. Vietnam commercial banks. Chapter 3 CURRENT SITUATION OF INTERNAL CONTROL SYSTEM IN VIETNAMESE COMMERCIAL BANKS 3.1. Operation of Vietnamese commercial banks and internal control regulations in commercial banks 3.1.1. Overview of Vietnamese commercial banks Vietnam's commercial banking system consists of three main banking groups, namely state-owned commercial banks, joint-stock commercial banks, and 15 foreign commercial banks. Also, there are joint venture banks and representative offices of foreign credit institutions. Vietnam's commercial banking system has experienced rapid growth in both quantity and scale. From the beginning of 2013, the Vietnamese commercial banking system has begun the restructuring process under Project 254 / QD-TTG of Prime Minister. Table 3.1: Number of Vietnamese commercial banks in the period of 2013-2018 Year State-owned Comercial banks Private Joint-stock commercial banks Policy banks Foreign Joint-venture banks Foreign banks Total 2013 5 33 2 4 5 49 2014 5 33 2 4 5 49 2015 7 28 2 3 5 45 2016 4 31 2 2 8 47 2017 4 31 2 2 9 48 2018 4 31 2 2 9 48 Source: Author complied from website https: //www.sbv.gov.vn 3.1.2. Regulations on internal control systems in Vietnamese commercial banks 3.1.2.1. The internal control system was organized and operated by Decision No. 03 / NHNN and the 1997 Law on Credit Institutions. 3.1.2.2. The internal control system was organized following the Law on Credit Institutions 2004, Decision 36/2006 / QD-NHNN, and Decision 37/2006 / QD-NHNN dated August 1, 2006, of the State Bank of Vietnam. 3.1.2.3. The internal control system was organized following the Law on Credit Institutions 2010 and Circular 44/2011 / TT-NHNN dated December 29, 2011, of the State Bank of Vietnam. 3.1.2.4. The Internal Control system was organized following the Law on Credit Institutions amended and effective from January 15, 2018, and Circular No. 13/2018 / TT-NHNN dated May 18, 2018. from 1 January 2019 3.1.3. Material risks in commercial bank operations Credit risk In Vietnamese commercial banks, the credit risk has been quite complicated in recent years, reflected in the increasing bad debts which are difficult to control in the years before 2013. Since 2013 with the establishment of the Management Company asset (VAMC), the bad debt of commercial banks is also gradually controlled more effectively. Non-performing loans of commercial banks in the period of 2013-2018 tended to decrease gradually from 3.6% in 2013 to 2.4 in 2018. Operational risks In recent years, operational risks have had quite complicated changes due to ineffective internal control activities, in the context of the lack of synchronism and incomplete legal corridor of banking operations. Due to the increasingly diverse 16 and complex conditions associated with the development of information technology, the potential risks are higher for domestic commercial banks. Market risks. Interest rate risk: Because market interest rates have been quite complicated in previous years, it not only affects commercial banks' capital mobilization and lending activities but also causes disadvantages to the financial situation. loan customers. Exchange rate risk: In previous years, commercial banks all mobilized and lent in foreign currencies, so the exchange rate risk was always potential. Securities price risk: The price of securities - a tool held by commercial banks - always has erratic happenings that cause negative impacts on commercial banks holding large securities, and also cause risks. the risk with securities lending banks. Payment risk Liquidity in the market of commercial banks was relatively stable because this was the period when the banking sector implemented restructuring so the liquidity was always under control. Centralized risk This is the risk because commercial banks have business activities focusing on one customer, partner, product, transaction, industry, economic field, currency at a significant impact level. to the income, risk status according to internal regulations of commercial banks. Strategic risks In the context of global and regional financial markets, there are always unpredictable developments, requiring commercial banks to make correct forecasts and have appropriate response scenarios for each situation. and specific circumstances. 3.2. The situation of internal control systems in Vietnamese commercial banks 3.2.1. Actual state management of internal control system in commercial banks As a state management agency for the operation of internal control systems in commercial banks, the State Bank Inspection and Supervision Agency is responsible for supervising the operation of internal control systems in commercial banks and is the recipient of a report on the internal control system of commercial banks following the provisions of the Circular 13 dated May 18, 2018, of the SBV on the Regulation on the internal control system of commercial banks and foreign bank branches. This shows that the state management for the operation of internal control systems in commercial banks has gradually been completed. In particular, the reports of commercial banks reflected the current situation of the internal control system of the bank, the reporting criteria have met the requirements of state management agencies as prescribed in Circular 13. 3.2.2. The situation of internal control systems in Vietnamese commercial banks 3.2.2.1. The real situation of controlled environment 17 The control environment includes internal and external factors that affect the design and operation of internal control systems. Results of the survey of the controlled environment are shown in the following table: Table 3.3: Results of a controlled environment survey Measurement Indicator Minimum Maximum Mean Honestly and Ethical Behaviour for Board of Management and Employees 1.00 5.00 3.62 Guarantee Capacity for Board of Management and Employees 1.00 5.00 3.95 Participation of BoM 1.00 5.00 3.43 Management’s philosophy and và operating style Management 1.00 5.00 3.06 Organization structure 1.00 5.00 4.18 Functional authority and Responsibility 1.00 5.00 3.75 Human resource Policy 1.00 5.00 3.85 3.2.2.2. The situation on the risk assessment process Identifying and assessing risks will form the basis for the bank's leadership to determine the risks that need to be managed and the level of risk tolerance to ensure that the bank controls its significant risks and The risk does not affect the operational objectives of the bank. Table 3.4: Results of the survey on the risk assessment process Measurement indicator Minimum Maximum Mean Clear goals and focus on resource