Key Elements Internal Control Policy

1. Introduction

The Board of Directors (the Board) of the Pakistan Mortgage Refinance Company Limited (PMRC) aspires to uphold the highest standards of Internal Control and to adopt a company-wide policy on internal controls conforming to global standards.

2. Broad framework of internal controls

PMRC has adopted the Committee of Sponsoring Organizations (COSO) framework and SBP guidelines on internal controls as its internal control standard.

3. Objectives

The following are the broad objectives of internal controls at PMRC:

Reliability of financial reporting: Ensuring the preparation of reliable, complete, accurate, and timely financial and management information to ensure the quality of internal and external reporting. (Information Objective)

Compliance with applicable laws and regulations: Ensuring strict compliance with policies, procedures, and applicable laws and regulations; identifying, reporting, and resolving deviations of operations and activities from established standards in a timely manner. (Compliance Objective)

Effectiveness and Efficiency of Operations: Maintaining the efficiency, economy, and effectiveness of the PMRC’s operations and activities, while adequately safeguarding PMRC’s assets. (Performance Objective)

4. Roles and responsibilities

 

4.1 Board of Directors

The Board is ultimately responsible for ensuring that an adequate and effective system of internal controls is in place at all times. The Board also:

  • determines whether there is an audit and control system in place to periodically test and monitor compliance with internal control policies and to report to the Board instances of non-compliance;
  • on the Board Audit Committee’s (BAC) recommendation, endorses the management’s evaluation of ICFR in addition to its endorsement of management’s evaluation of overall controls;
  • ensures that appropriate remedial action has been taken when instances of non-compliance are reported, and that the system has been improved to avoid recurring errors / mistakes.

4.2 Board Audit Committee

The Board of Directors provides governance, guidance, and oversight to management through its various sub-committees. The BAC provides the Board with an independent and objective evaluation of the operations, policies, procedures, and controls implemented within PMRC, as outlined in the Board-approved audit charter. The BAC will:

  • review Management’s assessment of ICFR and recommend the same for consideration and endorsement by the Board.
  • monitor the progress of ICFR through internal audit reports.
  • review the Long Form Report (LFR) of external auditors.

4.3 Management

Management will be responsible for implementing strategies and policies approved by the Board, developing processes that identify, measure, monitor, and control risks incurred by PMRC, maintaining an organizational structure that clearly assigns responsibility, authority, and reporting relationships, ensuring that delegated responsibilities are effectively carried out, and monitoring the adequacy and effectiveness of the internal control system.

Management will also be responsible for carrying out the directives of the Board, including the implementation of strategies and policies and the establishment of an effective system of internal control.

Respective department heads will be responsible for ensuring the updating of internal control documentation (Standard Operating Procedures along with process flow charts and Risk Control Matrices), conducting risk assessments, and signing off to confirm the evaluation of internal controls.

4.4 Finance

The Finance Department is responsible for ensuring the implementation of different stages of ICFR. With an established internal control system, the Finance Department heavily depends on how well the internal controls have been documented. This includes the documentation and communication of the organizational structure, job descriptions, and segregation of duty matrix, which clearly delineate lines of reporting responsibility and authority and facilitate effective communication throughout the organization.

The allocation of duties and responsibilities must ensure that there are no overlaps in reporting lines and that an effective level of management control extends to all levels of PMRC and its various activities.

4.5 Internal Auditors

Internal audit would ensure the existence and effectiveness of the ICFR System. It would monitor the implementation of the ICFR Roadmap, internally evaluate the ICFR system through reviewing documentation and through testing of certain financial controls during audits, and make timely and practical suggestions to the BAC for improvements in ICFR.

4.6 External Auditors

The external auditors provide important feedback on the effectiveness of the internal control system through the LFR on an annual basis. They will provide feedback to the management on the effectiveness of the internal control system, any weaknesses found during the review, and recommendations for improving the robustness of the internal control system.

5. Components of Internal Control System

Internal control must be consistently applied and well understood by PMRC’s employees if Board and management policies are to be effectively implemented. The following are important components for ensuring the effective implementation of the internal control process:

  • Control Environment
  • Risk Recognition & Assessment
  • Control Activities & Segregation of Duties
  • Accounting Information & Communication
  • Self-Assessment & Monitoring

5.1 Control Environment

The control environment refers to the overall attitude, awareness, and actions of the Board, relevant Board committees, and senior management regarding the internal control systems and their importance in PMRC. It sets the tone that influences the control consciousness of its people, besides giving structure to the internal control system and providing discipline and protocol.

5.2 Risk Recognition and Assessments

For PMRC to exercise effective controls, it must establish objectives and understand the risks it faces in achieving those objectives. Every activity involves some kind of risk, so it is essential that those risks are identified, assessed, and mitigated. From an internal control perspective, risk assessment involves the identification and evaluation of factors, both internal and external, that could adversely affect the financial reporting, operational, and compliance objectives of PMRC.

Risk assessment is the identification and analysis of relevant risks to the achievement of the objectives, forming a basis for determining how the risks should be managed.

5.3 Control Activities and Segregation of Duties

Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to the achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels, and in all functions.

Appropriate activity controls for different departments or divisions, physical controls, checking for compliance with exposure limits and follow-up on non-compliance, a system of approvals and authorizations, and a system of verification and reconciliation are major constituents of control activities. Internal controls should be devised in such a manner that no one person has control over a key function or activity, ensuring that duties are adequately segregated.

5.4 Accounting, Information & Communication Systems

The accounting, information, and communication systems ensure that the required information is current, accurate, and accessible on a timely basis to facilitate effective and timely analysis, evaluations, and reporting of exceptions and significant risks.

PMRC’s accounting system should properly identify, assemble, analyze, classify, record, and report transactions in accordance with the prescribed internal formats and international accounting standards applicable in Pakistan.

The information system’s adequacy is determined by the type, number, and depth of reports it generates for operational, financial, managerial, and compliance-related activities.

The adequacy of communication systems is established by ensuring significant information is imparted throughout the institution (from top-down, bottom-up, and laterally), ensuring personnel understand the communicated information. Additionally, communication systems should ensure significant information is imparted to external parties such as regulators, shareholders, and customers.

The accounting, information, and communication systems shall be adequately tested and reviewed periodically to ensure their functionality and appropriateness. It shall also be ensured that risks inherent in information technology systems are adequately controlled to avoid disruptions to operations.

5.5 Self-Assessment and Monitoring

Self-Assessment is an empowering method/process by which management and staff of all levels collectively identify and evaluate risks and associated controls. It adds value by increasing an operating unit’s involvement in designing and maintaining control and risk systems, identifying risk exposures and determining corrective action. Monitoring is a process that assesses the quality of the system’s performance over time. This is accomplished through on-going monitoring activities, separate evaluations or a combination of the two.
