e2. Periodic monitoring
Periodic monitoring helps managers have a more objective and independent view of the effectiveness of internal control. In addition, periodic monitoring also helps evaluate the effectiveness of regular monitoring activities in the bank. When establishing periodic monitoring activities, the following contents should be considered:
- Scope and extent of periodic monitoring activities: The scope of periodic monitoring depends on the objectives that the bank manager chooses, such as operational objectives, financial reporting objectives or compliance objectives. The frequency of periodic monitoring depends on the risk assessment, scope and extent of regular monitoring.
- Persons performing periodic monitoring activities: Periodic monitoring takes the form of self-assessment; specifically, managers at all levels and employees undertaking a specific task will self-assess the effectiveness of control procedures for their activities. In addition, internal auditors often conduct internal control assessments as part of their daily activities or at the special request of the Board of Directors or the Board of Management/General Director. Independent auditors also conduct assessments of the effectiveness of internal control through auditing activities; however, the main objective of independent auditors is to evaluate financial statements. The combination of the work of both internal auditors and independent auditors will help the Board of Management objectively assess the bank's internal control.
- Evaluation process in periodic monitoring: Based on a clear understanding of the bank's operational characteristics and each component of internal control, the evaluators (employees, managers or auditors) learn about the design and operation of internal control. Then, it is necessary to evaluate the actual operation of internal control to determine the effectiveness of internal control in the bank.
- Evaluation method in periodic monitoring: Banks can use the comparison method to compare their internal control with other banks. In addition, many other methods can be considered. Corresponding to each method, banks can use tools such as checklists, questionnaires and flowcharts.

- Documentation: The level of documentation of internal control depends on the characteristics of each bank. Large banks or enterprises always have a handbook on the unit's policies, organizational structure charts, job descriptions and instructions, and information system flow charts. Documentation at an appropriate level will help control more effectively and in addition, it will help employees understand the operation of the system, their specific roles, and will make it easier when adjustments need to be made.
- Implementation plan: The person conducting the first internal control system assessment should refer to the following plan to understand what needs to be done.
+ Decide on the scope of the assessment: Specifically the type of objective (operational, reporting or compliance), the relevant components of internal control (control environment, risk assessment, control activities, information and communication).
+ Identify regular monitoring activities in the bank.
+ Analyze the assessment work of independent auditors and internal auditors to review findings related to internal control.
+ Determine priority level (usually departments, branches or operations with high risk will be given attention first).
+ Develop an evaluation program in accordance with the identified priority order.
+ Meet with all those involved in the system assessment to discuss the scope, timing, methods, tools to be used, and findings to be reported.
+ Conduct assessment and review of findings.
+ Review of necessary next actions and adjustment of the assessment process for subsequent areas if necessary.
The above tasks will be delegated to many people in the bank, but the person responsible for the assessment must monitor the assessment process until completion.
e3. Report on deficiencies of the internal control system
Deficiencies (actual or potential) of the internal control system that affect the achievement of the bank's objectives must be reported. These deficiencies can be detected from many sources: regular monitoring, periodic monitoring and from outside (customers, investors, etc.). In addition to the deficiencies detected, the consequences of the defect must also be considered. Specifically, employees who discover defects during their daily activities report them to their immediate supervisor. This person then reports to a higher level of management to ensure that the information reaches someone who can take the necessary action.
1.2.5 Conditions for applying COSO international standards when establishing internal control systems for commercial banks
To establish an internal control system according to COSO international standards, commercial banks need to meet the following basic conditions:
Firstly, there must be a clear and complete legal framework. The legal framework here is, on the one hand, all legal documents related to the organization, functions, and tasks of each area of operation, each department, and even each job position in the bank; on the other hand, it is the legal basis for establishing and implementing internal control in the bank such as standards or regulations on internal control of the management agency as well as the bank itself.
Second, it is necessary to establish awareness in risk management as well as awareness of the importance of internal control in the bank. Establishing an internal control system is understood as establishing a monitoring mechanism where management is not based on trust but on clear regulations to help banks minimize risks. The internal control system established according to the COSO internal control model will be based on the risk assessment foundation in the organization's control environment to ensure that the banking organization achieves the set goals; as Lai (2012) stated, internal control is to ensure that organizations achieve the set goals under the consensus of all employees in an organization. Therefore, for the established internal control system to operate effectively in a bank, all members of the bank need to be aware of the importance of the internal control system. Specifically, all members need to clearly understand their responsibility to identify and assess risks within their scope of work and at the same time must attach importance to internal control in the bank in helping the bank minimize risks.
Third, there must be sufficient human and financial resources. People are the central and most important factor in the control environment. First of all, the bank must have a team of leaders with ethical character, whose behavior and work efficiency are always an example for employees to follow. Next, the bank needs to have a team of personnel with professional qualifications, experience, professional ethics, dynamism, creativity and flexible adaptation to the job position as well as long-term commitment to the development of the organization, so that the bank can ensure the implementation of the commitment on capacity when establishing a control environment as the foundation for the internal control system. To have human resources to ensure the commitment on capacity according to the COSO internal control model, the bank needs to have regulations issued in written form, such as rules and standards of conduct; a "Job description" that clearly defines the authority and responsibility, knowledge requirements and quality of personnel for each job position in the bank; and a system of documents regulating recruitment, training, employee evaluation, promotion, salary, allowances... to encourage people to work honestly and effectively as well as maintain and develop human resources in line with the bank's goals. In addition to human resources, banks also need to prepare sufficient financial resources to be able to deploy the establishment of an internal control system according to COSO standards. If the internal control system is established according to the COSO internal control model, it will require a lot of technological support and therefore require a large investment from banks.
Fourth, there must be a complete organizational structure, ensuring independence between departments and individuals. According to the COSO internal control model, banks need to establish an internal control system with three lines of defense to ensure the independence needed to implement the functions of the internal control system. To establish a three-line defense model, banks must have a reasonable organizational structure to ensure that management work (planning, organization, personnel management, leadership and control) is implemented accurately, promptly and effectively in the bank. This comes from the fact that one of the signs of instability in the internal control system is that there is overlap between departments, there is no exchange of information, and when errors occur, departments push responsibility to each other. Therefore, the prerequisite for the three-line defense model as well as an effective internal control system is that the bank must have a reasonable organizational structure that clearly defines the authority and responsibility between departments and individuals, with clear relationships and reporting channels.
Fifth, the bank must have an effective internal audit department. An unmonitored internal audit system will gradually lose its effectiveness until it is no longer effective in controlling. Monitoring is carried out to ensure that internal audit is operated continuously and effectively (Pforsich & Kramer, 2008). Thus, the bank needs a department that performs the independent monitoring function - one of the functions of the internal audit department. Therefore, banks need an effective internal audit department to achieve the monitoring goal in the organization. To do that, banks first need auditors with appropriate professional qualifications, experience and professional ethics, operating according to principles and empowered to directly and openly report to the superior audit agency or senior leaders of the bank on the results as well as the shortcomings of the internal control system discovered by the internal audit, so that timely adjustments can be made.
Sixth, there must be support from a modern IT system. In the current conditions of computerizing all banking business activities, banks need to focus on promoting investment and application of IT to promote rapid and sustainable development. IT is not only applied to support direct business activities but also needs to be applied to support activities such as internal control and internal audit to bring higher efficiency to these activities. Therefore, when establishing, completing and implementing an internal control system according to the COSO model, banks need great support from IT, so it is necessary to consider upgrading the IT platform to be able to meet the requirements.
1.3 IMPROVING THE INTERNAL CONTROL SYSTEM AT COMMERCIAL BANKS ACCORDING TO COSO INTERNATIONAL STANDARDS
1.3.1 Concept of perfecting internal control system at commercial banks
According to the Vietnamese dictionary, "Complete" means good and complete. Accordingly, the thesis asserts that the completion of the internal control system at commercial banks means a good internal control system with the presence and operation of all components of the system in accordance with established principles, thereby helping commercial banks to achieve the control goals.
So, based on the COSO internal control model, a complete internal control system is a system with five complete components: control environment, risk assessment, control activities, information and communication and monitoring; these five components operate together in an integrated manner in practice at the bank based on the relationship between the identified components; when establishing and operating each component in the system, it must comply with 17 principles to ultimately help the banking organization achieve control objectives, including: operational objectives, reliable financial reporting objectives and compliance objectives.
1.3.2 Criteria for evaluating the completion of internal control systems at commercial banks
The assessment of the completeness of a commercial bank's internal control system can be considered through a number of criteria as follows:
1.3.2.1 Existence
The existence of a complete internal control system is reflected in the fact that the system has all the components and complies with the principles according to practice and the provisions of law. The COSO 2013 internal control framework also emphasized that an internal control system must have all the components, including the control environment, risk assessment, control activities, information and communication, monitoring and ensuring compliance with the 17 corresponding principles in practice; the existence of one component cannot be used to cover up the non-existence of another component. COSO 2013 also affirmed the existence of a direct relationship between the objectives and the components of the internal control system, that is, any control objective can only be achieved when the internal control system has all five components and any component in the internal control system is established to achieve all three control objectives. According to PricewaterhouseCoopers (2007), the internal control system must be a complete system, integrated with management processes to achieve the overall goals of the organization. For an organization to achieve its goals, the five components of control environment, risk assessment, control activities, information and communication and monitoring must be integrated into management processes throughout the organization. Like the body, internal control components and business processes must interact continuously for a sound and effective internal control system. The objectives and control measures derived from the identification and assessment of risks must be put into practice in the organization through an effective information and communication component to ensure the smooth flow of information to the personnel responsible for actual control. In 2008, Karagiorgos, Drogalas and Dimou in their study found some interactions between the components of the internal control system and the effectiveness of internal control in Greek banks. The study summarized the theories and the empirical results, thereby indicating that the components of internal control are very important for banks - it will determine the survival and success of the banking business. Amudo and Inanga (2009) identified the following six key components of an effective internal control system: control environment, risk assessment, control activities, information and communication, monitoring and IT with a model developed based on the COSO and COBIT internal control frameworks. From there, the study assessed the effectiveness of internal control related to the existence and operation of the six key components identified by the model. Later, Adeyemi et al. (2011) also stated that an inadequate internal control system leads to the inability to detect fraudulent activities and reduces the performance of the bank. The study by Sultana & Haque (2011) built models developed from the internal control framework of the COSO report to assess the five components of internal control affecting three control objectives, including: operational efficiency, reliability of financial statements and compliance with laws and other relevant regulations. The study concluded that some banks here lacked some components of the internal control system, leading to inefficiency, so it is necessary to assess the internal control system structure in a unit.
The study also showed that each component of the internal control system operating well will ensure reasonable control objectives and thus ensure the effectiveness of the internal control system of banks. Later studies by Gamage CT et al (2014) and Gamage CT, Low, Lock Teng Keving (2018) continued to affirm the relationship between the components of the internal control system and the effectiveness of this system. Thus, a complete internal control system requires meeting the "existence" of the components of the internal control system according to COSO standards.
1.3.2.2 Validity
The effectiveness of a complete internal control system is demonstrated by the fact that the system has components and related principles that operate in practice as expected. This means that the effectiveness of a bank's internal control system is measured by examining the extent to which the internal control system interacts with itself and how the system is integrated with the bank's business processes. Amudo and Inanga (2009) argue that the internal control framework is flawed if it focuses too much on explaining the details of the different components of the system and how they are designed, while ignoring the details of how each component is measured to assess its effectiveness. The COSO report (2011) suggests that the assessment of whether an internal control system is effective is a subjective result of evaluating the performance of the five components of the system at the organization-wide level. A new study by Hayali et al. (2012) shows that effective control procedures exist in the banking system, which in turn have a great impact on the prospects of strong development and stable operation of the banking industry in Turkey. Thus, a complete internal control system requires meeting the "effectiveness" of this system in the actual operations of banks.
1.3.2.3 Effectiveness
The effectiveness of an internal control system is reflected in the achievement of the control objectives of a commercial bank. An internal control system is considered complete when the control objectives are achieved in the bank. The COSO report (1992 and 2013) stated that: "The effectiveness of an internal control system can be considered according to one of three different groups of objectives if the Board of Directors and managers have reasonable assurance that: They clearly understand the extent to which the organization's operating objectives are being achieved? Are the financial statements being prepared and presented in a reliable manner? Are laws and regulations being complied with?" Thus, while affirming that internal control is a process, the effectiveness of an internal control system is a state (condition) of that process at a certain point in time. Evaluating the effectiveness of an internal control system is only speculative. To evaluate a complete internal control system, in addition to evaluating the existence of its components, it is also necessary to see whether they are operating effectively.





