Solutions to improve the control environment: (1) Board of Directors and Board of
Management must develop, maintain, encourage and promote control culture at Agribank;
(2) Enhance the oversight responsibility on internal control of Board of Directors and
Supervisory Board of Agribank and at the same time ensure the independence of Board of
Directors and Board of Management; (3) Improve the organizational structure of Agribank,
establishe full reporting lines, ensure the distribution of authorities and responsibilities; (4)
Improve the quality of human resources; (5) Renovate personnel policies, focus on training
for employees; create motivation to improve work efficiency
27 trang |
Chia sẻ: honganh20 | Ngày: 02/03/2022 | Lượt xem: 399 | Lượt tải: 0
Bạn đang xem trước 20 trang tài liệu Tóm tắt Luận án Improving internal control system of vietnam bank for agriculture and rural development according to coso international standard, để xem tài liệu hoàn chỉnh bạn click vào nút DOWNLOAD ở trên
400), VSA No.315 (2012) also
gave the definition of internal control that is considered to be approach oriented to risk
assessment and is similar to COSO's point of view: Internal control is a process, not a
system like previous concepts.
1.1.2 The components of the internal control system according to COSO international
standard: The COSO Report (1992) suggested that an ICS consists of five components,
namely: Environment Control; Risk Assessment; Control Operations; Information and
Communication; Monitoring.
1.2 INTERNAL CONTROL SYSTEM AT COMMERCIAL BANKS ACCORDING
TO COSO INTERNATIONAL STANDARD
1.2.1 The necessary for establishing an internal control system in commercial banks:
Commercial banks are a specific type of enterprise operating in the field of finance,
typically operating to receive and convert risks into profits, the organizational structure
usually has a large scale, many branches, transaction offices operating on a wide area, with
8
many complex and constantly changing financial business operations. Therefore, the
establishment of the ICS in commercial banks becomes even more necessary.
1.2.2 The characteristics of commercial banks affecting the establishment and
implementation of internal control system according to COSO international standard.
(1) Affecting the establishment of control environment; (2) Affecting the establishment of
risk assessment; (3) Affecting the establishment and operation of control activities; (4)
Affecting the establishment of information and communication; (5) Affecting the
implementation of monitoring of controls.
1.2.3 Establishment and implementation of internal control system in accordance with
international practices: According to Suzanne Steyn (1997), there are 05 documents
considered as the basis for establishing and implementing the ICS according to international
practices, namely: COSO framework; Enterprise Risk Management - A COSO integrated
framework (ERM); The Control Objectives for Information and Related Technology
(COBIT); Inspection and Control Framework of The Institute of Internal Auditors (IIA);
Standards to consider internal control in auditing financial statements of AICPA (SAS55,
SAS78, SAS94). In addition, particularly in the banking sector, in 1998 the Basel
Committee on Banking Supervision issued documents on the internal control framework in
banks. The Basel report on the internal control framework did not offer new theory but only
applied the COSO framework 1992 to banking activities. It can be said that, COSO report
provides a complete framework of internal control such as objectives, components,
principles... The compliance with the principles of the COSO report almost guarantees the
Basel Committee's principles when estabishing the ICS in banks as well as the provisions of
Circular 13/2018/TT-NHNN regulating the ICS in commercial banks. Therefore, the study
chose COSO internal control framework to esatablish and improve the ICS in commercial
banks in general or at Agribank in particular.
1.2.4 Establishing internal control system in commercial banks according to COSO
international standard: Basing on COSO internal control framework as well as Basel
Committee's regulations and commercial banks' specific characteristics; the study proposed
the ICS in commercial banks should be established including the following contents:
1.2.4.1 Identify the objectives of internal control system in commercial banks according to
COSO international standard: (1) Operation; (2) Reporting; (3) Compliance.
9
1.2.4.2 Components of internal control system in commercial banks according to COSO
international standard: The proposed ICS should also include five components according
to the COSO internal control framework as well as the Basel Committee’s regulations.
a. Control environment: The study proposed establishment of control environment that
will focus on people in the banks, including the following factors: (a1) Integrity and ethical
values; (a2) Commitment to competence; (a3) Board of Directors and Audit Committee; (a4)
Philosophy and operating style; (a5) Organizational structure; (a6) Authority and
responsibilities; (a7) Personnel policy.
b. Risk assessment: (b1) Specify suitable objectives; (b2) Risk: Identify and analyze
risks to be able to devise measures to manage them; (b3) Change management: Identify and
analyze significant change.
c. Control activities: Banks select and develop control activities. (1) By purpose:
preventive control, detective control, corrective control; (2) By type: manual control,
application control, semi-automatic control-IT dependent; (3) By function: high-level
management review, operational management, division of responsibilities, control of
information processing, material control, review analysis.
d. Information and communication: Information systems need to have accurate,
appropriate, timely and continuous information; communication systems should be
established including internal and external communication.
e. Monitoring: Monitoring is understood as the process of assessing the quality of
internal control over time, including ongoing and separate monitoring.
1.2.5 Conditions to apply COSO international standards for establishing internal
control system in commercial banks: (1) Clear and complete legal framework; (2) Sense
of rirk management and respect for internal control in banks; (3) Human and financial
resources; (4) Complete organizational structure ensuring the independence between
departments and individuals; (5) Internal audit department with effective working capaciby;
(6) The support of morden IT sysem.
1.3 IMPROVEMENT OF INTERNAL CONTROL SYSTEM IN COMMERCIAL
BANKS ACCORDING TO COSO INTERNATIONAL STANDARD
1.3.1 Concept of improvement of internal control system in commercial banks: A good
ICS with the presence and operation of all components of the system complying with
established principles, thereby helping the commercial banks achieve their control
objectives.
1.3.2 Criteria to evaluate improvement of internal control system in commercial
10
banks: (1) Existence: All five components of ICS and all relevant principles must be
present; (2) Validity: All five components of ICS and all relevant principles must be
functioning in fact; (3) Effectiveness: Achievement of control objectives.
1.4 INTERNATIONAL EXPERIENCE IN ESTABLISHING INTERNAL CONTROL
SYSTEM IN BANKS ACCORDING TO COSO INTERNATIONAL STANDARD -
LESSONS FOR AGRIBANK
1.4.1 International experience in establishing internal control system in banks
according to COSO international standard
1.4.1.1 The US: Banks in the US establish the ICS according to COSO framework with full
of components: control environment, risks assessment, control activities, information and
communication and monitoring activities to achieve control objectives.
1.4.1.2 China: China is one of the countries that fully utilizes COSO framework to establish
the ICS with full of basic components, including internal control environment, risk
identification and assessment, internal control measures, information exchange and
feedback; monitoring and overcoming to achieve control objectives.
1.4.1.3 India: In India, COSO framework is also used to establish the ICS with all the basic
components, including: (1) control environment; (2) risk identification and assessment; (3)
control activities; (4) segregation and rotation of duties; (5) authorisation of transactions; (6)
accountability for and safeguarding of assets; (7) accounting, information and
communication systems; (8) Monitoring activities and also to achieve control objectives.
1.4.2 Lessons for Agribank: (1) The basic components of the ICS in banks often include
control environment, information and communication, risk management systems, control
procedures and monitoring systems; (2) Risk assessment is considered as an important basis
for establishing and improving the ICS in banks; (3) Ensuring the quality of the ICS in
commercial banks over time through the establishment of monitoring activities for this system;
(4) The human element plays a very important role.
11
CHAPTER 2
IMPROVEMENT SITUATION OF INTERNAL CONTROL SYSTEM
AT VIETNAM BANK FOR AGRICULTURE AND RURAL
DEVELOPMENT ACCORDING TO COSO INTERNATIONAL
STANDARD
2.1 INTRODUCTION ABOUT VIETNAM BANK FOR AGRICULTURE AND
RURAL DEVELOPMENT
2.1.1 The establishment and development of Agribank: Agribank is a state-owned
commercial bank, the operation of the bank is always associated with the role of
implementing monetary and credit policies of the Government, leading implementation of
the policy promotion for green credit growth, building safe agriculture, sustainable
development, and also fulfilling social security responsibilities of a corporate, contributing
to the development and increase of positive living values for the community, becoming one
of the largest microfinance service providers in Vietnam.
2.1.2 Overview of Agribank's operations: Agribank is currently the commercial bank with
the largest asset size in the system; always ensure safety ratios as prescribed; widest
operating network; largest automatic banking network; largest staff in the system; offerring
nearly 220 types of products and services... In the coming time, Agribank determined to
continue the successful implementation of the phase 2 restructuring; project of development
strategy to 2025, orientation to 2030; accelerate the implementation of IT projects creating
an important technical foundation for developing e-banking services and requirements of
risk management; implement the roadmap to ensure compliance with the regulations of
SBV in Circular 13/2018, Circular 41/2016 and gradually towards the application of safety
standards under Basel II; improve financial capacity, labor productivity, and aim to operate
effectively to be equitized successfully.
2.2 IMPROVEMENT SITUATION OF INTERNAL CONTROL SYSTEM AT
VIETNAM BANK FOR AGRICULTURE AND RURAL DEVELOPMENT
ACCORDING TO COSO INTERNATIONAL STANDARD
2.2.1 Legal basis for the establishment of internal control system in commercial banks
in Vietnam
2.2.1.1 Regulations of SBV: The Law on Credit Institutions 2010 and Circular 13/2018/TT-
NHNN regulating the ICS in commercial banks.
12
2.2.1.2 Internal regulations of Agribank: Decision 600/QĐ-HĐTV/2012 on promulgating
the regulation on organization and operation of Agribank; Decision 102/QĐ-HĐTV-
KTNB/2014 on the Regulation on internal control of Agribank; Decision 206/QĐ-
BKS/2019 on the Regulation on organization and operation of Agribank’s internal audit.
2.2.2 Improvement situation of internal control system at Agribank according to
COSO international standard
2.2.2.1 Situation of control environment
a. Demonstrates commitment to integrity and ethical values: Agribank has issued an
Agribank cultural handbook; regulations on standards, manners, transaction style of tellers
in Agribank system; labor regulations... which are widely disseminated in the system
through the Website, Eoffice... to encourage and ensure individuals and departments to
grasp control messages, thereby actively identify and control risks. Since then, creating a
relatively healthy control culture in this bank.
b. Board of Directors and Supervisory Board: Agribank's Board of Directors has established
a high-level supervision function for the ICS. The Chairman of the Board of Members and
members are all professional people; most of them are aware of risk management and quite
independent of the Board of Management.
c. Organizational structure and the division of authority and responsibility: The
organizational structure at the Head Office is structured in the direction of clearly defining
the functions and duties of the units, avoiding overlapping, enhancing risk control
throughout the system. Agribank is currently building a draft of job description and has not
have KPIs. The criteria for evaluating salaries and promotions are still based on
achievements in making profits.
d. Commitment to competence: The quality of human resources has been increasingly
improved at Agribank, the average labor productivity has been raised.
e. Personnel Policy: Agribank has also issued regulations related to recruitment, training
and employee evaluation, promotion ... in a specific and fairly transparent manner.
2.2.2.2 Situation of risk assessment
a. Specifying suitable objectives: Basically, the objectives were established at Agribank,
namely: operational objectives, reporting objectives and compliance objectives.
13
b. Risk identification: Agribank has chosen a relatively safe, scientific risk management
model that can be easily operated consistently and basically ensures the “testability” of
internal control.
+ Risk Management Committee: The Risk Management Committee under the Board
of Directors advises the Board of Directors in issuing policies related to risk management.
However, Agribank has not developed an operational regulation of the Risk Management
Committee according to its functions and tasks based on the research, access to Basel as
well as international practices, in accordance with the actual operation and the provisions of
SBV.
+ Risk Council: Risk Council and Capital Management Council are established. The
Deputy General Director in charge of risk management is the chairman of the Risk Council;
members of the Risk Council are classified into credit risk, market risk, operational risk,
liquidity risk and interest risk in banking book, centralized risk, new product and new
market risk.
+ The committees and centers at the head office according to their functions and
tasks managing each type of risk must have a risk management department.
c. Change management: Agribank has not focused on change management - a content
recommended by international practice.
2.2.2.3 Situation of control activities: Agribank's ICS has also been established with
independent three-line defense associated with the organizational structure but there is no
guarantee of complete independence between the first and second line of defense. In each
business process, on the basis of identifying and assessing risk, control activities have been
established at Agribank based on purpose or form but risks and frauds still occur because of
weakness of staff’s morality.
2.2.2.4 Situation of information and communication
a. Situation of information: Agribank has established a system of information reports on
business results for all operations, the system of reporting forms to the SBV has been issued
uniformly, most of which are automatically exploited from the IPCAS program system
(MIS Report Module). In addition, Agribank also established an Eoffice program system to
facilitate the smooth transfer and process documents and reports in the system. However,
Agribank has not built MIS so that it can implement the information exchange mechanism
throughout the system.
14
b. Situation of communication: Internal communication ensure that the control information is
transmitted accurately and timely to individuals and departments in the bank. Agribank's
external communication activities should be proactively implemented so that the bank's
control messages are transmitted to external objects such as customers, investors, regulatory
agencies, auditors
2.2.2.5 Situation of monitoring the controls: Including supervision of the Board of
Directors, the Supervisory Board through the internal audit department under the
Supervisory Board and the General Director's supervision through a specialized internal
inspection and control department.
2.3 QUANTITATIVE RESEARCH ON THE IMPACT OF FACTORS ON
EFFECTIVENESS OF INTERNAL CONTROL SYSTEM AT VIETNAM BANK
FOR AGRICULTURE AND RURAL DEVELOPMENT ACCORDING TO COSO
INTERNATIONAL STANDARD
2.3.1 Results of qualitative research to explore factors affecting the effectiveness of
internal control system at commercial banks: The thesis uses a qualitative research
method, specifically through in-depth interviews with experts to identify the factors
affecting the effectiveness of the ICS in banks. Associating with the perspective of the
effectiveness of the ICS is shown in the fact that the system has a full range of factors and
each factor operate in practive to help bank achieve the control objectives. The thesis
interview results with the inheritance of the COSO framework and identifies the following
five factors affecting on the effectiveness of the ICS in commercial banks; they are: (1)
Control environment; (2) Risk assessment; (3) Control activities; (4) Information and
communication; (5) Monitoring.
2.3.2 Quantitative research results of the factors affecting the effectiveness of internal
control system at Agribank
2.3.2.1 Sample: The questionnaire was developed and sent to the survey subjects in the
following forms: (1) Phone; (2) Email; (3) Direct Interview. With 350 votes issued, the
author collected 315 votes (90% rate). Through the cleaning process, the number of votes
has been processed and analyzed is 278.
2.3.2.2 Research orientation: After determining the factors affecting the effectiveness of
the ICS in banks as above and survey results, the thesis measures the impact of these factors
on the effectiveness of the ICS at Agribank by using the Explored Factor Analysis (EFA)
15
method and multiple regression models to solve the following research question: How do
the determined factors affect the effectiveness of the ICS at Agribank?
2.3.2.3 Results of measuring the effectiveness of the internal control system at Agribank:
The control objectives have not been achieved at Agribank, this means that the ICS at
Agribank has not really achieved the effectiveness. Therefore, in general, the ICS has not
been improved because it has not met the “effectiveness” of this system in helping banks to
achieve the control objecitves.
2.3.2.4 Results of measuring factors affecting the effectiveness of internal control system
at Agribank
a. Summary of scale quality testing results: Through analysis of Cronbach’s Alpha test, 06
scales of model ensure good quality with 33 specific variables.
b. Results of explored factor analysis (EFA):
(*) Testing the appropriateness of the method and data collected (KMO and
Bartlett's Test) we have a coefficient of KMO = 0.856, satisfying the condition: 0.5 <KMO
<1, thus explored factor analysis (EFA) is suitable for actual data.
(*) Correlation test of observed variables in representative measurements: Barlett
test has Sig. <= 0.05 means that representative factors and observed variables are linearly
correlated with each other.
(*) Test the interpretation level of observed variables for the factor: Testing the
explanation level of the observed variables for the factor affecting the effectiveness of the
ICS at Agribank has results: Cumulative column shows the value of variance extracted is
60.887%, this means that the observed variables explain 60.876% of the change of factors; 6
factors have an Eigen value greater than 1
(*) Results of the EFA model: Using the Varimax method for the factors results
EFA model suitable for the study.
c. Multivariate Regression Analyze (MRA)
The real factors directly effect the effectiveness of the ICS is expressed through
linear regression equation:
The effectiveness of the ICS = -0,441 + 0,319 (control environment) + 0,319
(risk assessment) + 0,146 (control activities) + 0,194 (information and
communication) + 0,126 (monitoring)
(*) Testing the level of explanation and relevance of the model
16
- Explanation: Adjusted R Square is 0.612. Thus, 61.2% of the change in the
effectiveness of the ICS is explained by 5 independent variables
- Relevance: Sig results. <0.01, it can be concluded that the model given is consistent
with the actual data. In other words, the independent variables are linearly correlated with
the dependent variables with 99% confidence level.
2.3.2.5 Discussion from the results of measurement of factors affecting the effectiveness
of internal control system at Agribank
a. Unstandardized Coefficient: Control environment - Risk assessment - Control activities -
Information & communication - Monitoring variables have corresponding ratios of 0.319 -
0.319 - 0.146 - 0.194 - 0.126 in the same direction with the effectiveness of the ICS. This
result shows that the above factors are guaranteed to be the foundation for Agribank's ICS to
achieve effectiveness.
b. Standardized Coefficient: The research results show that through the inspection, can
confirm that the factors affecting the effectiveness of the ICS in order of importance as
following:
Table 2.11 The importance of the factors affecting the effectiveness of ICS at
Agribank
No. Independent Varibale Value
Density
%
Affecting
Order
1 Control Environment 0,319 28,89 1
2 Risk Assessment 0,319 28,89 1
3 Control Activities 0,146 13,22 3
4 Information and Communication 0,194 17,58 2
5 Monitoring 0,126 11,42 4
Tổng 1,104 100%
2.4 GENERAL ASSESSMENT ON THE IMPROVEMENT SITUATION OF
INTERNAL CONTROL SYSTEM AT VIETNAM BANK FOR AGRICULTURE
AND RURAL DEVELOPMENT ACCORDING TO COSO INTERNATIONL
STANDARD
2.4.1 Results: (1) Agribank has created a relatively healthy control culture. Agribank has
also established supervision on the ICS of the Board of Members through the Internal Audit
Department under the Supervisory Board and ensures the relative independence between the
Board of Members and the Board of Directors. The organizational structure has also been
improved in accordance with the law and business conditions of bank. The quality of
17
personnel and the average labor productivity has been improved recently. Human resource
policies such as recruitment, training, promotions ... have been issued and fairly transparent
at Agribank; (2) Agribank has set objectives as the basis for risk assessment. In the model of
risk management organization of Agribank, there has been risk management committee and
risk management council according to current regulations. Agribank's risk management
framework has been issued in an approach-oriented comprehensive risk management
framework of the Basel Committee; new policies, regulations and processes for managing
critical risks are improving; (3) Agribank's ICS has been established with three independent
defenses in accordance with current regulations, creating a culture of control throughout the
system. In addition, operational business processes, control policies and procedures have
been basically established and clearly decentralized; (4) Agribank has focused on building
IT systems; developing internal MIS; upgrading the core banking to suit operational scale,
executive management requirements and service product development needs. Internal and
external communication activities of Agribank have been basically carried out; (5) The
monitoring of control activities has been carried out at Agribank mainly through the internal
audit and specialized internal control departments and has also been effective in assessing
the effectiveness of the ICS.
2.4.2 Limitations and causes
2.3.2.1 Limitations: (1) Agribank has not established strong enough control culture. Board
of Members has not been completely independent with the Board of Directors. Agribank is
currently completing the development of a job description, KPIs; horizontal relationship
between parts of the system has not been defined. Agribank's human resources have still
been uneven and labor productivity is still low. The allocation of resources for business
activities, control activities have still been limited; (2) In the risk management model, the
independence between the first line of defense and the second line of defense has not been
ensured; risk management systems have been scattered in many parts, the specificity has not
been high. Policies, regulations and processes on risk management for each critical risk are
currently being developed or improved and are currently focusing on discovering and
mitigating but not really active in risk identification. Agribank has not really focused on
managing new factors that may lead to risks for banks; (3) Compliance with the control
policies and procedures has not ensured by the employees, so those policies and procedures
are sometimes disabled. The management of change has still been limited; (4) Agribank has
18
not completed the internal info
Các file đính kèm theo tài liệu này:
- tom_tat_luan_an_improving_internal_control_system_of_vietnam.pdf