Emerging Control Needs in Pandemic scenario.


(Sleeves-rolled-up freelancer and cross-influencer with extensive hands-on experience in BOT of BUs, Operations, Due Diligence, design and implementation of Finance and IT Controls, Risk and Assurance, Quality, HR & Team Management.

He works in the consulting space of Management (BCM), Finance and Accounting, Internal Audits, IT Audits, Information Systems and Security Frameworks, Process Quality Assurance services and Corporate Affairs.)

Understanding the Business Framework. 

IT dependency has gone up many times over because of the pandemic, and among the three pillars of business (People, Process and Technology) the priority has shifted towards the most critical asset, people, because of Covid-19. The business ecosystem is all out to keep up with this new challenge, and governments around the world are on their toes to fight this never-before-seen catastrophe. Forward-looking organizations have taken a 180-degree turn in their strategies to find rhythm with changing government policies and regulations on various business compliance components, viz. reporting, privacy, data protection, network availability etc. Amendments are the order of the day and deadlines have gone for a toss, which impacts the public exchequer in terms of government revenue. Business houses are struggling to make ends meet as planned cash flows have gone awry because business cycles have been impacted. Government agencies are forced to keep recovery regulations in abeyance to keep the show running. Leaders from both sides, i.e. government and business, are looking for a panacea model that works to control the risk to business continuity in this turbulent scenario.

Let us illustrate a model framework to elaborate further .


Fig 1 – Rendezvous of Business Interests - Tier 1 Model - standalone

Keeping in mind business as the key driving factor, its key objectives shall be wealth maximization, profit optimization, ROI and a healthy cash flow, aligned with a dynamic business environment, for its sustainability and growth irrespective of the nature of the business. The business may be Construction, Engineering, IT, Agri-business, Aviation, O&G, Banking, Insurance, Manufacturing, Health etc., with operations having a global presence and facing external stakeholders with varied compliance requirements under the existing regulations of various locations. The regulations demand compliance for transparency of financial reporting to protect shareholders and the general public, customer data privacy and confidentiality, data authenticity, enforcement of transparency and accountability, network availability and privacy of card transactions, and protection of sensitive data to keep risk below an acceptable level. It is imperative that compliance be met within the timelines defined by the rules and regulations. Failure in compliance may cost the business heavy penalties and imprisonment of key personnel, and can also lead to business shutdown.

Some of the regulators in various countries monitoring compliance requirements are:

USA – Securities and Exchange Commission (SEC), Federal Reserve, Federal Deposit Insurance Corporation (FDIC), Financial Crimes Enforcement Network (FinCEN) etc.

UK – Bank of England (BoE), Financial Reporting Council (FRC), Financial Conduct Authority (FCA) etc.

India – Securities and Exchange Board of India (SEBI), Reserve Bank of India (RBI), Insolvency and Bankruptcy Board of India (IBBI) etc.

Singapore – Monetary Authority of Singapore (MAS), Singapore Exchange (SGX) etc.

Some of the IT-related regulations that are prevalent and have a strong presence in various countries are given below:

USA – Electronic Signatures in Global and National Commerce Act, Government Paperwork Elimination Act, Uniform Computer Information Transactions Act, Sarbanes-Oxley Act, CAN-SPAM Act, Health Insurance Portability and Accountability Act (HIPAA), Dodd-Frank Act, Federal Information Security Management Act (FISMA), Payment Card Industry Data Security Standard (PCI DSS) etc.

UK – Data Protection Act, Electronic Communications Act, Electronic Signatures Regulations etc.

EU – GDPR, Directives 97/66/EC, 1999/93/EC and 2000/31/EC of the European Parliament and of the Council.

India – Information Technology Act, guidelines on social media ethics under the IT Rules; the Data Protection Act (2006) is yet to become an Act.

Singapore – Electronic Transactions Regulations.

Indian Banking System and Compliance Issues in Internet Banking

As the bankers' bank, the RBI in its supervisory capacity issues guidelines/directives, and all financial institutions coming under its purview must adhere to these policies.

The Reserve Bank of India (RBI) in its Financial Stability Report (FSR) pointed out that the banking industry remains a target of choice for cyber-attacks, and that post the Covid-19 pandemic-induced lockdown there has been an increased incidence of cyber-threats.

There have also been concerns around cyber-security in the context of banking operations involving critical payment systems infrastructure.

Since March 2020, the RBI has issued more than 10 advisories/alerts on different cyber threats and best practices. The RBI in its FSR said, “On March 11, 2020, when WHO declared COVID-19 a pandemic, the RBI issued an advisory on March 13, 2020 to all its regulated/supervised entities to inter alia ensure that access to systems is secure and critical services to customers operate without disruption.”

The Indian Computer Emergency Response Team (CERT-In) is tracking the latest cyber-threats and analyzing threat intelligence from multiple sources.

According to the RBI report, the Information Technology (IT) sector remained in positive terrain throughout the Covid-19 pandemic period, and its sales increased by 5.2 per cent (Y-o-Y) in Q3:2020-21.

Rendezvous of Business Interests - Tier 2 Model - Connected


Figure 2 – RTGS – NEFT Framework – INFINET (Indian Financial System Networking)

The model shown above is INFINET, Indian Financial System Networking. A financial network in the form of a reliable communication backbone facilitates running different applications/services, which eventually results in:

  • Banking and Financial services independent of their location
  • Extended banking business reach and hours as well as increased business volume and better fund utilisation, thereby facilitating reduced operational cost
  • Increased security
  • Reduction / elimination of payment risks
  • Efficient Housekeeping
  • Improvement in decision making process
  • Innovative customer-oriented delivery mechanisms

The primary objective of INFINET for the banking and financial sector is to enhance efficiency and productivity on the one hand and provide state-of-the-art customer services through innovative delivery channels such as Internet banking, home banking etc., on the other.

Each of the FIs connected to INFINET will have its own in-house infrastructure and internal control mechanisms.

Generic Internal Control Framework.


Fig 3 – COSO Framework

Key Concepts

  • Internal control is a process. It is a means to an end, not an end in itself.
  • Internal control is effected by people. It is not merely policy manuals and forms, but people at every level of the organization.
  • Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
  • Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

Components

Internal control consists of five interrelated components: Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring Activities. These are derived from the way management runs a business and are integrated with the management process.

New scenario - The Impact of Covid 19 on Internal Controls.

Previous studies by various agencies have reported that the majority of threats come from within the organization; at a generic level these are:

- Disgruntled employees
- Attrition
- Absenteeism
- Information and data loss
- Negative cash flows
- Physical security

To mitigate these risks, organizations follow the risk assessment procedure and keep control activities in place; these are communicated to the key stakeholders in a timely manner and are monitored on a regular basis.

The internet and mobile platforms opened up a plethora of opportunities for organizations to reach out to markets, and to leverage these opportunities most organizations moved into this space over a period of time as a value-add to the business. Covid-19 accelerated the dependency on IT, which forces a revisit of the internal control scenario because of the consistent changes taking place both internally and externally.

The key change happening due to the pandemic is that "technology follows process" has taken a back seat to "technology follows people", as the remote working model is now in place in a big way. In summary:

- Impacted business cycles and cash flows
- Technology following process has taken a back seat to technology following people
- Changes made on instinct open up internal vulnerabilities
- Trust issues at large

Key Control Area - Change Management.

After the stage of problem identification, the problem statement is made and the business requirement (People, Process and Technology) is captured; Develop and Deploy are the subsequent stages of the Systems Development Cycle. The control need is built at the time of development, after the risk assessment of the system change, and is put to test before implementation. In anticipation of the control weaknesses likely to arise at this stage due to the various changes, channels are to be opened for consistent communication and monitoring. Greater emphasis needs to be placed on assurance activities rather than automated controls. An example of this is the McCumber cube, which has been, and continues to be, heavily utilized and enhanced within enhanced security practices as part of the Control Activities component of the COSO framework.


Courtesy: RBI Guidelines, www.csub.edu

More articles by CMA Binny C.