The most important prerequisite for becoming an effective Internal Control Officer (ICO) is a clear understanding of the objective of having an internal control process in the bank, of what management expects from the ICO, and of how the internal control process can add value to the bank.
In simple terms, the Internal Control Process is an independent reporting system to the management to ensure that:
- The transactions have been correctly recorded in accordance with the bank's accounting methods;
- The procedures, rules and regulations that should be followed while carrying out business transactions have been followed;
- Frauds, irregularities and errors are prevented, or detected and corrected.
Today, management of Information Technology (IT) risk is one of the key responsibilities imposed upon the bank in a "Corporate Governance framework". Managing IT-related operational risk is therefore vital, and it is part of the total risk profile of the bank. By carrying out an effective internal control function, ICOs in branches can ensure that operational risk is adequately managed.
To carry out the roles and responsibilities expected of an Internal Control Officer, he or she should possess a number of qualities and capabilities. Among them, a clear understanding of the following is very important:
- Comprehensive knowledge of the business;
* The ICO should possess adequate awareness of business functionalities, business rules such as interest rates, limits, tariffs etc., as well as current practices.
- How business processes are executed through the computer system;
* By attending training programs, reading the user manual and inquiring from the help desk, the ICO should acquire adequate knowledge of the application system in order to know how various business transactions are processed.
- Nature of the controls that are inbuilt into the computer system;
* The ICO should be familiar with the validation controls, segregation of duties (i.e. data entry and processing), authentication and authorization, and control over data editing and changing incorporated into the application system.
- Manual procedures that have to be followed during the input, processing and output stages of transaction processing;
* As more and more controls are introduced into the system, they may adversely affect the efficiency of the system. Therefore, to maintain a proper balance between efficiency and control, certain procedures are handled manually. The ICO should be aware of the nature of those procedures and the impact (risk) of non-compliance with them.
- Fair knowledge of Information System Security Policies and Procedures (ISSPP), OIC circulars and management guidelines relevant to internal controls;
* In the management of IT-related operational risk, compliance with the policies and procedures laid down in the ISSPP is critically important, i.e. access control, password control, incident reporting.
- Levels of authority, extent of responsibilities and related accountabilities assigned to individuals who are working in the operational environment;
* The ICO should have a comprehensive understanding of the user profile of each member performing duties in the business environment in which the internal control system is in force, and thereby be able to identify any violation of authority. As computer systems maintain logs through which the ICO can identify the individuals responsible for any given transaction, the ICO should also have a good understanding of the "content" and the "form" of the system logs.
- Books and records maintained and outputs that are generated by the computer system;
* Outputs are the evidence of transactions carried out during a particular day. Outputs can be either printed or viewed, whereas some outputs cannot be printed, or are not allowed to be printed at branch level, considering their bulky nature. Reports that are generated at day begin and day end, daily transaction reports (maintenance reports relating to master file changes), error reports, exception reports, if any, etc. and inquiries (options) relating to various functionalities should be studied by the ICO, because the effectiveness of the ICO's function depends mainly upon the critical examination and evaluation of this evidence.
In addition to the above, the ICO should also know how the internal control process is performed, reported, supervised, monitored and governed up to the level of the Audit Committee. All audit findings are to be recorded and should be monitored continuously. Critical findings can thereby be used as value additions to future control processes, resulting in continuous improvement of the process and leading to the achievement of the core objectives of an effective control system.