Tóm tắt Luận án Improving internal control system of vietnam bank for agriculture and rural development according to coso international standard

400), VSA No.315 (2012) also gave the definition of internal control that is considered to be approach oriented to risk assessment and is similar to COSO's point of view: Internal control is a process, not a system like previous concepts. 1.1.2 The components of the internal control system according to COSO international standard: The COSO Report (1992) suggested that an ICS consists of five components, namely: Environment Control; Risk Assessment; Control Operations; Information and Communication; Monitoring. 1.2 INTERNAL CONTROL SYSTEM AT COMMERCIAL BANKS ACCORDING TO COSO INTERNATIONAL STANDARD 1.2.1 The necessary for establishing an internal control system in commercial banks: Commercial banks are a specific type of enterprise operating in the field of finance, typically operating to receive and convert risks into profits, the organizational structure usually has a large scale, many branches, transaction offices operating on a wide area, with 8 many complex and constantly changing financial business operations. Therefore, the establishment of the ICS in commercial banks becomes even more necessary. 1.2.2 The characteristics of commercial banks affecting the establishment and implementation of internal control system according to COSO international standard. (1) Affecting the establishment of control environment; (2) Affecting the establishment of risk assessment; (3) Affecting the establishment and operation of control activities; (4) Affecting the establishment of information and communication; (5) Affecting the implementation of monitoring of controls. 1.2.3 Establishment and implementation of internal control system in accordance with international practices: According to Suzanne Steyn (1997), there are 05 documents considered as the basis for establishing and implementing the ICS according to international practices, namely: COSO framework; Enterprise Risk Management - A COSO integrated framework (ERM); The Control Objectives for Information and Related Technology (COBIT); Inspection and Control Framework of The Institute of Internal Auditors (IIA); Standards to consider internal control in auditing financial statements of AICPA (SAS55, SAS78, SAS94). In addition, particularly in the banking sector, in 1998 the Basel Committee on Banking Supervision issued documents on the internal control framework in banks. The Basel report on the internal control framework did not offer new theory but only applied the COSO framework 1992 to banking activities. It can be said that, COSO report provides a complete framework of internal control such as objectives, components, principles... The compliance with the principles of the COSO report almost guarantees the Basel Committee's principles when estabishing the ICS in banks as well as the provisions of Circular 13/2018/TT-NHNN regulating the ICS in commercial banks. Therefore, the study chose COSO internal control framework to esatablish and improve the ICS in commercial banks in general or at Agribank in particular. 1.2.4 Establishing internal control system in commercial banks according to COSO international standard: Basing on COSO internal control framework as well as Basel Committee's regulations and commercial banks' specific characteristics; the study proposed the ICS in commercial banks should be established including the following contents: 1.2.4.1 Identify the objectives of internal control system in commercial banks according to COSO international standard: (1) Operation; (2) Reporting; (3) Compliance. 9 1.2.4.2 Components of internal control system in commercial banks according to COSO international standard: The proposed ICS should also include five components according to the COSO internal control framework as well as the Basel Committee’s regulations. a. Control environment: The study proposed establishment of control environment that will focus on people in the banks, including the following factors: (a1) Integrity and ethical values; (a2) Commitment to competence; (a3) Board of Directors and Audit Committee; (a4) Philosophy and operating style; (a5) Organizational structure; (a6) Authority and responsibilities; (a7) Personnel policy. b. Risk assessment: (b1) Specify suitable objectives; (b2) Risk: Identify and analyze risks to be able to devise measures to manage them; (b3) Change management: Identify and analyze significant change. c. Control activities: Banks select and develop control activities. (1) By purpose: preventive control, detective control, corrective control; (2) By type: manual control, application control, semi-automatic control-IT dependent; (3) By function: high-level management review, operational management, division of responsibilities, control of information processing, material control, review analysis. d. Information and communication: Information systems need to have accurate, appropriate, timely and continuous information; communication systems should be established including internal and external communication. e. Monitoring: Monitoring is understood as the process of assessing the quality of internal control over time, including ongoing and separate monitoring. 1.2.5 Conditions to apply COSO international standards for establishing internal control system in commercial banks: (1) Clear and complete legal framework; (2) Sense of rirk management and respect for internal control in banks; (3) Human and financial resources; (4) Complete organizational structure ensuring the independence between departments and individuals; (5) Internal audit department with effective working capaciby; (6) The support of morden IT sysem. 1.3 IMPROVEMENT OF INTERNAL CONTROL SYSTEM IN COMMERCIAL BANKS ACCORDING TO COSO INTERNATIONAL STANDARD 1.3.1 Concept of improvement of internal control system in commercial banks: A good ICS with the presence and operation of all components of the system complying with established principles, thereby helping the commercial banks achieve their control objectives. 1.3.2 Criteria to evaluate improvement of internal control system in commercial 10 banks: (1) Existence: All five components of ICS and all relevant principles must be present; (2) Validity: All five components of ICS and all relevant principles must be functioning in fact; (3) Effectiveness: Achievement of control objectives. 1.4 INTERNATIONAL EXPERIENCE IN ESTABLISHING INTERNAL CONTROL SYSTEM IN BANKS ACCORDING TO COSO INTERNATIONAL STANDARD - LESSONS FOR AGRIBANK 1.4.1 International experience in establishing internal control system in banks according to COSO international standard 1.4.1.1 The US: Banks in the US establish the ICS according to COSO framework with full of components: control environment, risks assessment, control activities, information and communication and monitoring activities to achieve control objectives. 1.4.1.2 China: China is one of the countries that fully utilizes COSO framework to establish the ICS with full of basic components, including internal control environment, risk identification and assessment, internal control measures, information exchange and feedback; monitoring and overcoming to achieve control objectives. 1.4.1.3 India: In India, COSO framework is also used to establish the ICS with all the basic components, including: (1) control environment; (2) risk identification and assessment; (3) control activities; (4) segregation and rotation of duties; (5) authorisation of transactions; (6) accountability for and safeguarding of assets; (7) accounting, information and communication systems; (8) Monitoring activities and also to achieve control objectives. 1.4.2 Lessons for Agribank: (1) The basic components of the ICS in banks often include control environment, information and communication, risk management systems, control procedures and monitoring systems; (2) Risk assessment is considered as an important basis for establishing and improving the ICS in banks; (3) Ensuring the quality of the ICS in commercial banks over time through the establishment of monitoring activities for this system; (4) The human element plays a very important role. 11 CHAPTER 2 IMPROVEMENT SITUATION OF INTERNAL CONTROL SYSTEM AT VIETNAM BANK FOR AGRICULTURE AND RURAL DEVELOPMENT ACCORDING TO COSO INTERNATIONAL STANDARD 2.1 INTRODUCTION ABOUT VIETNAM BANK FOR AGRICULTURE AND RURAL DEVELOPMENT 2.1.1 The establishment and development of Agribank: Agribank is a state-owned commercial bank, the operation of the bank is always associated with the role of implementing monetary and credit policies of the Government, leading implementation of the policy promotion for green credit growth, building safe agriculture, sustainable development, and also fulfilling social security responsibilities of a corporate, contributing to the development and increase of positive living values for the community, becoming one of the largest microfinance service providers in Vietnam. 2.1.2 Overview of Agribank's operations: Agribank is currently the commercial bank with the largest asset size in the system; always ensure safety ratios as prescribed; widest operating network; largest automatic banking network; largest staff in the system; offerring nearly 220 types of products and services... In the coming time, Agribank determined to continue the successful implementation of the phase 2 restructuring; project of development strategy to 2025, orientation to 2030; accelerate the implementation of IT projects creating an important technical foundation for developing e-banking services and requirements of risk management; implement the roadmap to ensure compliance with the regulations of SBV in Circular 13/2018, Circular 41/2016 and gradually towards the application of safety standards under Basel II; improve financial capacity, labor productivity, and aim to operate effectively to be equitized successfully. 2.2 IMPROVEMENT SITUATION OF INTERNAL CONTROL SYSTEM AT VIETNAM BANK FOR AGRICULTURE AND RURAL DEVELOPMENT ACCORDING TO COSO INTERNATIONAL STANDARD 2.2.1 Legal basis for the establishment of internal control system in commercial banks in Vietnam 2.2.1.1 Regulations of SBV: The Law on Credit Institutions 2010 and Circular 13/2018/TT- NHNN regulating the ICS in commercial banks. 12 2.2.1.2 Internal regulations of Agribank: Decision 600/QĐ-HĐTV/2012 on promulgating the regulation on organization and operation of Agribank; Decision 102/QĐ-HĐTV- KTNB/2014 on the Regulation on internal control of Agribank; Decision 206/QĐ- BKS/2019 on the Regulation on organization and operation of Agribank’s internal audit. 2.2.2 Improvement situation of internal control system at Agribank according to COSO international standard 2.2.2.1 Situation of control environment a. Demonstrates commitment to integrity and ethical values: Agribank has issued an Agribank cultural handbook; regulations on standards, manners, transaction style of tellers in Agribank system; labor regulations... which are widely disseminated in the system through the Website, Eoffice... to encourage and ensure individuals and departments to grasp control messages, thereby actively identify and control risks. Since then, creating a relatively healthy control culture in this bank. b. Board of Directors and Supervisory Board: Agribank's Board of Directors has established a high-level supervision function for the ICS. The Chairman of the Board of Members and members are all professional people; most of them are aware of risk management and quite independent of the Board of Management. c. Organizational structure and the division of authority and responsibility: The organizational structure at the Head Office is structured in the direction of clearly defining the functions and duties of the units, avoiding overlapping, enhancing risk control throughout the system. Agribank is currently building a draft of job description and has not have KPIs. The criteria for evaluating salaries and promotions are still based on achievements in making profits. d. Commitment to competence: The quality of human resources has been increasingly improved at Agribank, the average labor productivity has been raised. e. Personnel Policy: Agribank has also issued regulations related to recruitment, training and employee evaluation, promotion ... in a specific and fairly transparent manner. 2.2.2.2 Situation of risk assessment a. Specifying suitable objectives: Basically, the objectives were established at Agribank, namely: operational objectives, reporting objectives and compliance objectives. 13 b. Risk identification: Agribank has chosen a relatively safe, scientific risk management model that can be easily operated consistently and basically ensures the “testability” of internal control. + Risk Management Committee: The Risk Management Committee under the Board of Directors advises the Board of Directors in issuing policies related to risk management. However, Agribank has not developed an operational regulation of the Risk Management Committee according to its functions and tasks based on the research, access to Basel as well as international practices, in accordance with the actual operation and the provisions of SBV. + Risk Council: Risk Council and Capital Management Council are established. The Deputy General Director in charge of risk management is the chairman of the Risk Council; members of the Risk Council are classified into credit risk, market risk, operational risk, liquidity risk and interest risk in banking book, centralized risk, new product and new market risk. + The committees and centers at the head office according to their functions and tasks managing each type of risk must have a risk management department. c. Change management: Agribank has not focused on change management - a content recommended by international practice. 2.2.2.3 Situation of control activities: Agribank's ICS has also been established with independent three-line defense associated with the organizational structure but there is no guarantee of complete independence between the first and second line of defense. In each business process, on the basis of identifying and assessing risk, control activities have been established at Agribank based on purpose or form but risks and frauds still occur because of weakness of staff’s morality. 2.2.2.4 Situation of information and communication a. Situation of information: Agribank has established a system of information reports on business results for all operations, the system of reporting forms to the SBV has been issued uniformly, most of which are automatically exploited from the IPCAS program system (MIS Report Module). In addition, Agribank also established an Eoffice program system to facilitate the smooth transfer and process documents and reports in the system. However, Agribank has not built MIS so that it can implement the information exchange mechanism throughout the system. 14 b. Situation of communication: Internal communication ensure that the control information is transmitted accurately and timely to individuals and departments in the bank. Agribank's external communication activities should be proactively implemented so that the bank's control messages are transmitted to external objects such as customers, investors, regulatory agencies, auditors 2.2.2.5 Situation of monitoring the controls: Including supervision of the Board of Directors, the Supervisory Board through the internal audit department under the Supervisory Board and the General Director's supervision through a specialized internal inspection and control department. 2.3 QUANTITATIVE RESEARCH ON THE IMPACT OF FACTORS ON EFFECTIVENESS OF INTERNAL CONTROL SYSTEM AT VIETNAM BANK FOR AGRICULTURE AND RURAL DEVELOPMENT ACCORDING TO COSO INTERNATIONAL STANDARD 2.3.1 Results of qualitative research to explore factors affecting the effectiveness of internal control system at commercial banks: The thesis uses a qualitative research method, specifically through in-depth interviews with experts to identify the factors affecting the effectiveness of the ICS in banks. Associating with the perspective of the effectiveness of the ICS is shown in the fact that the system has a full range of factors and each factor operate in practive to help bank achieve the control objectives. The thesis interview results with the inheritance of the COSO framework and identifies the following five factors affecting on the effectiveness of the ICS in commercial banks; they are: (1) Control environment; (2) Risk assessment; (3) Control activities; (4) Information and communication; (5) Monitoring. 2.3.2 Quantitative research results of the factors affecting the effectiveness of internal control system at Agribank 2.3.2.1 Sample: The questionnaire was developed and sent to the survey subjects in the following forms: (1) Phone; (2) Email; (3) Direct Interview. With 350 votes issued, the author collected 315 votes (90% rate). Through the cleaning process, the number of votes has been processed and analyzed is 278. 2.3.2.2 Research orientation: After determining the factors affecting the effectiveness of the ICS in banks as above and survey results, the thesis measures the impact of these factors on the effectiveness of the ICS at Agribank by using the Explored Factor Analysis (EFA) 15 method and multiple regression models to solve the following research question: How do the determined factors affect the effectiveness of the ICS at Agribank? 2.3.2.3 Results of measuring the effectiveness of the internal control system at Agribank: The control objectives have not been achieved at Agribank, this means that the ICS at Agribank has not really achieved the effectiveness. Therefore, in general, the ICS has not been improved because it has not met the “effectiveness” of this system in helping banks to achieve the control objecitves. 2.3.2.4 Results of measuring factors affecting the effectiveness of internal control system at Agribank a. Summary of scale quality testing results: Through analysis of Cronbach’s Alpha test, 06 scales of model ensure good quality with 33 specific variables. b. Results of explored factor analysis (EFA): (*) Testing the appropriateness of the method and data collected (KMO and Bartlett's Test) we have a coefficient of KMO = 0.856, satisfying the condition: 0.5 <KMO <1, thus explored factor analysis (EFA) is suitable for actual data. (*) Correlation test of observed variables in representative measurements: Barlett test has Sig. <= 0.05 means that representative factors and observed variables are linearly correlated with each other. (*) Test the interpretation level of observed variables for the factor: Testing the explanation level of the observed variables for the factor affecting the effectiveness of the ICS at Agribank has results: Cumulative column shows the value of variance extracted is 60.887%, this means that the observed variables explain 60.876% of the change of factors; 6 factors have an Eigen value greater than 1 (*) Results of the EFA model: Using the Varimax method for the factors results EFA model suitable for the study. c. Multivariate Regression Analyze (MRA) The real factors directly effect the effectiveness of the ICS is expressed through linear regression equation: The effectiveness of the ICS = -0,441 + 0,319 (control environment) + 0,319 (risk assessment) + 0,146 (control activities) + 0,194 (information and communication) + 0,126 (monitoring) (*) Testing the level of explanation and relevance of the model 16 - Explanation: Adjusted R Square is 0.612. Thus, 61.2% of the change in the effectiveness of the ICS is explained by 5 independent variables - Relevance: Sig results. <0.01, it can be concluded that the model given is consistent with the actual data. In other words, the independent variables are linearly correlated with the dependent variables with 99% confidence level. 2.3.2.5 Discussion from the results of measurement of factors affecting the effectiveness of internal control system at Agribank a. Unstandardized Coefficient: Control environment - Risk assessment - Control activities - Information & communication - Monitoring variables have corresponding ratios of 0.319 - 0.319 - 0.146 - 0.194 - 0.126 in the same direction with the effectiveness of the ICS. This result shows that the above factors are guaranteed to be the foundation for Agribank's ICS to achieve effectiveness. b. Standardized Coefficient: The research results show that through the inspection, can confirm that the factors affecting the effectiveness of the ICS in order of importance as following: Table 2.11 The importance of the factors affecting the effectiveness of ICS at Agribank No. Independent Varibale Value Density % Affecting Order 1 Control Environment 0,319 28,89 1 2 Risk Assessment 0,319 28,89 1 3 Control Activities 0,146 13,22 3 4 Information and Communication 0,194 17,58 2 5 Monitoring 0,126 11,42 4 Tổng 1,104 100% 2.4 GENERAL ASSESSMENT ON THE IMPROVEMENT SITUATION OF INTERNAL CONTROL SYSTEM AT VIETNAM BANK FOR AGRICULTURE AND RURAL DEVELOPMENT ACCORDING TO COSO INTERNATIONL STANDARD 2.4.1 Results: (1) Agribank has created a relatively healthy control culture. Agribank has also established supervision on the ICS of the Board of Members through the Internal Audit Department under the Supervisory Board and ensures the relative independence between the Board of Members and the Board of Directors. The organizational structure has also been improved in accordance with the law and business conditions of bank. The quality of 17 personnel and the average labor productivity has been improved recently. Human resource policies such as recruitment, training, promotions ... have been issued and fairly transparent at Agribank; (2) Agribank has set objectives as the basis for risk assessment. In the model of risk management organization of Agribank, there has been risk management committee and risk management council according to current regulations. Agribank's risk management framework has been issued in an approach-oriented comprehensive risk management framework of the Basel Committee; new policies, regulations and processes for managing critical risks are improving; (3) Agribank's ICS has been established with three independent defenses in accordance with current regulations, creating a culture of control throughout the system. In addition, operational business processes, control policies and procedures have been basically established and clearly decentralized; (4) Agribank has focused on building IT systems; developing internal MIS; upgrading the core banking to suit operational scale, executive management requirements and service product development needs. Internal and external communication activities of Agribank have been basically carried out; (5) The monitoring of control activities has been carried out at Agribank mainly through the internal audit and specialized internal control departments and has also been effective in assessing the effectiveness of the ICS. 2.4.2 Limitations and causes 2.3.2.1 Limitations: (1) Agribank has not established strong enough control culture. Board of Members has not been completely independent with the Board of Directors. Agribank is currently completing the development of a job description, KPIs; horizontal relationship between parts of the system has not been defined. Agribank's human resources have still been uneven and labor productivity is still low. The allocation of resources for business activities, control activities have still been limited; (2) In the risk management model, the independence between the first line of defense and the second line of defense has not been ensured; risk management systems have been scattered in many parts, the specificity has not been high. Policies, regulations and processes on risk management for each critical risk are currently being developed or improved and are currently focusing on discovering and mitigating but not really active in risk identification. Agribank has not really focused on managing new factors that may lead to risks for banks; (3) Compliance with the control policies and procedures has not ensured by the employees, so those policies and procedures are sometimes disabled. The management of change has still been limited; (4) Agribank has 18 not completed the internal info