Internal Control and Fraud Prevention

by Normand Arsenault

This article was written in response to a crisis that developed in PADME, a microfinacne institution in Benin.

In March 2008, the Council of Ministers of the Government of Benin decided to intervene in the management and operations of PADME. PADME is the second largest MFI in Benin with almost 30,000 active borrowers and an outstanding loan portfolio of US$31 million. The Council of Ministers cited concerns with the financial and operational management of PADME and requested suspension of the Executive Board and resignation of the Director René Azokli.

In response, PADME's board and management issued a lawsuit to prevent the Government's actions, and PADME's staff went on strike. In late March, the Ministry of Microfinance installed Didier Djoi as interim Director and required staff to return to work.

The PADME situation raises issues of MFI management and supervision as well as political risk. Do governments have adequate tools and procedures to manage such crises, and are they used appropriately? What is the appropriate role of the Government, Central Bank, donors and investors in an MFI failure (or perceived failure)? How can MFIs and banks manage political risk?

Originally started through a microfinance project of the Government of Benin and the World Bank in 1993, PADME became a private Association in 1997. Throughout its lifetime, PADME has received funding from USAID, World Bank, ADF, Oikocredit, and BOAD, amongst others, and technical assistance from ACCION, Women's World Banking, Freedom from Hunger and other leading international organizations. PADME has been preparing to transition from a private association to a share-capital non-bank financial institution, with potential investors including IFC, Stichting Triodos Doen, Ecobank and ACCION Investments.

What could have been done to avoid fraud and embezzlement?

There are several procedures that could have aided PADME in the prevention or early detection of this loss.

1. Review of a sample of all new loans issued
  • Missing documentation is one of the most important symptoms of fraud.
  • A supervisor may regularly review a sample of all new loans issued and determines that required documentation is present, and if not, confirm missing information with third parties.
  • Make sure loan documentation is complete: guarantee titles, insurance, or income verification.
  • Make sure to follow up on the exceptions noted. Be aware of counterfeit collateral.
  • Fictitious loans could be made in the name of people taken from the phone book or in the name of former borrowers.

2. Visits to the clients
  • The most effective way to mitigate the risk associated with frauds is for the MFI to conduct client visits to some of its clients.
  • A supervisor may visit a sample of clients of all new loans issued (for example, one client out of every 10 new loans) to verify the authenticity of the loans.
  • This way a microfinance institution can also identify fraudulent practices by loan officers or non adherence to new policies before they are replicated on a wide scale.
  • In general, MFIs must audit a larger number of loans but a smaller percentage of the overall portfolio than a traditional financial institution would. To adequately assess risk, the key is for MFIs to audit a large enough sample of loans to get a good overall picture of the true quality of the loan portfolio.
  • MFIs generally employ a combination of two types of sampling: random and selective sampling. Random sampling is a process by which the auditor selects clients in a haphazard manner, with no attempt to influence the list of clients to audit. Selective sampling is a process by which the auditors attempt to create a list of clients to visit based on predetermined criteria (higher risk clients).
  • For MFIs that use group lending methodologies, a supervisor may attend a group meeting. The supervisor may verify that groups only issue loans to group members, check the group’s records to ensure proper calculations and accurate reporting. For example, many MFIs that target women-only report incidents of husbands pressuring their wives to take out loans for them. Many MFIs that use a group lending methodology allow the groups to select their members but do not allow immediate relatives to be involved in the same group.

3. Segregation of duties
  • The segregation of duties is the design in the job functions to properly segregate tasks so that the same person does NOT record, approve and do.
  • Combination of duties may allow a manager or supervisor to approve the loans, set them up on the system, issue the checks, and then cash them through a teller drawer.
  • No one should have full control of the loan process from beginning to end.
  • Make sure that managers and supervisors don’t know the tellers’ passwords and make sure the tellers change their passwords regularly.
  • Make sure returned monthly account statements are carefully monitored.
  • People on vacation or on maternity leave should not be allowed to keep their office keys. These people can visit the branch after hours to process loan advances and make payments under other employees' teller codes.

4. Supervisory committee/internal audit department
  • In smaller MFIs, the supervisory committee often oversees the internal controls, while in larger MFIs, the controls are often monitored by the internal audit department.

5. Policies
  • Make sure to have clear board approved policies for lending.
  • Make sure to have mandatory vacation policy policies that require managers and employees to take at least one and preferably two weeks' vacation (not a day here and there) to reduce the risk of embezzlements (embezzlements usually require the embezzler's ongoing attention).

6. Record keeping
  • Inaccurate or incomplete records are often used to hide fraud.
  • To keep the loans current, the employee may make the monthly payments in a variety of ways. In some cases, he/she would take an advance from one loan and use it to make payments on several other loans via journal-voucher transfers. At other times, he/she would take a loan advance in cash and make cash payments on the loans coming due. He /she can also purchase bank money orders with stolen funds and mail payments to different branch offices of the MFI to ensure that other employees processed transactions on the accounts.

7. Weak software
  • Weak software can be used to hide fraud. One software I know is particularly weak on internal control because the programmers who did conceive the software received no directions from experts in internal control as to what internal control principles or procedures to integrate into the software (for example, segregation of duties).

8. MIS
  • Risk management and internal control are closely linked with the MFI management information system. A review and evaluation of the MIS by outside experts can reveal flaws in risk management and internal control.

9. Resistance to improve the MIS from the management or some employees
  • What I have seen in some cases is a manager of the MFI or some employees resisting efforts to modify or improve the MIS. There are“ghosts and skeletons” which some managers or employees do not want to bring out.

10. In-transit or suspense accounts
  • Review of general ledger in-transit or suspense accounts is very important. I would say that the second most frequent category of frauds (fictitious loans being first) are done using general ledger suspense accounts or in-transit accounts. General ledger suspense accounts generally are used to temporarily "store" a transaction until all necessary information is available, but can also be used to hide an unauthorized transaction.
  • General ledger suspense accounts or in-transit accounts should be reconciled and checked weekly by a supervisor.

11. Bank reconcilements
  • Process of reconciling the accounts is important. May hide problems.
  • Bank accounts should be reconciled and checked weekly by a supervisor.

12. Reports
  • MIS reports should contain proper information for review by management for internal control purposes.
  • Management should regularly review MIS reports.
  • Investigate yield on loans (as shown in MIS reports) far less than stated loan rate.
  • Review maintenance reports showing loan due date changes - unwarranted changes to loan due dates may disguise a fictitious loan or loans not receiving regular payments.
  • Review reports showing loans by interest rate - reveals unusually low loan rates.
  • Review loans in arrears. These reports should regularly be investigated by supervisors who may visit a sample of clients having loans in arrears.
  • Review reports for new loans disbursed.
  • Review rescheduled loans reports.
  • Aberrations and exceptions in any report should be investigated

13. Audit trails
  • Make sure to maintain adequate audit trails. Audit trails enable the tracing of any given item through the MFI's books.
  • Software should also have a thorough audit trail built in. The application should log and report the user name and event date/time of all entry and deletion of transactions and also for creating, editing, and deleting clients, loans, and schedules of instalments, and loan product definitions.

14. Auditing
  • Audits (required at least annually) and verifications (required at least every two years) must be performed in a timely manner, under controlled conditions, and independent of MFI management and staff.
  • Although fraud may be uncovered, the annual audit and regulatory examination are not intended to detect fraud.
  • An example of infraction to reviewing the loans is when the auditors select their sample from the new-loan listings and fax the list to each branch manager before coming to the branch to review loan files. This seemingly minor infraction may provide the embezzler with notice of when his/her fictitious loans are about to be reviewed and give him/her ample time to create loan files--complete with altered documentation from legitimate loan files.
  • The auditor should pull all loan files him/herself. The auditor should keep in mind that any person he/she is asking to assist could be a thief. The auditor should verify every explanation that an employee offers. In some cases, the auditor should contact the loan recipient.

15. Integration with RM and CRM
  • Internal control mechanisms can be integrated into a larger risk management (RM) and customer relationship management (CRM) framework. By linking internal control to RM and CRM, the MFI can proactively identify fraud and other risk exposures, but also continuously learn from its experiences, and make product development and operational improvements as necessary.
  • The MFI can use the information collected using internal control procedures to improve the loan product and procedures to reduce risk in the future. During client visits, the MFI may solicit feedback on how to enhance customer satisfaction The MFI can improve relations with employees by supporting changes to policies that have become outdated or have negative consequences.
  • “”During Mibanco’s client visits in Peru, for example, the internal auditor initiates the conversation by explaining that the purpose of the visit is to ensure the customer’s satisfaction with Mibanco’s services and to make sure that staff handled all transactions properly. This approach puts the client at ease and facilitates a more frank and open discussion about the client’s business and experiences with the financial institution. The auditor records the notes from the conversation and reports key findings to management, including commonly suggested improvements to customer service or changes in product features. This approach does not undermine the auditors’ relationships with branch staff because the auditors only communicate general findings to management and avoid naming staff, unless fraud is suspected.”” ***
  • “”In addition, Mibanco’s auditors treat client visits as a component of Mibanco’s customer service orientation. By posing audit questions in a way that suggests that the auditors are concerned about the client’s satisfaction with past products and services, clients are more likely to give honest and thorough responses. The auditors’ ability to make suggestions for improvements to management further reinforces the internal audit department’s link to customer satisfaction.”” ***

16. Technical assistance
  • “”MFIs can benefit from outside experts to help them set up and make improvements to their internal control systems. It is often easier for an impartial third party to identify shortcomings in the internal control system than for operational staff to objectively evaluate its effectiveness. …An internal control assessment should determine the appropriate ongoing controls and checks to the system to be conducted by the MFI’s operational or audit staff in the future.””***

17. Donor role
  • “”Donors should require MFIs to have some type of internal control mechanism, appropriate to the MFI’s level of development as discussed in Chapter 4. Donors should encourage MFIs to develop an operations manual and to conduct client visits as part of its regular operations. Donors can facilitate the development of internal control mechanisms by providing funds for the initial risk assessment and implementation of internal controls but should avoid developing dependencies for ongoing operational support. For example, donors could provide support for the initial development of operational control manuals contingent upon the MFI’s commitment to adding to and updating the manuals in the future. In addition, donors can support microfinance NGOs in their efforts to test new ways to mitigate old risks through new products, such as microinsurance, or operational control tools, such as internal audit software. Furthermore, donors should discourage MFIs from relying too heavily on donor audits to identify control issues since these, like other external audits, usually are conducted infrequently and lack the depth of a thorough internal audit.””***

18. Regulatory requirements
  • “”Regulators should become familiar with microfinance and possibly adjust their requirements to suit the nature of microfinance operations. It is reasonable for regulators to require that MFIs have at least one dedicated internal auditor or risk manager to oversee the effectiveness of the internal control system. However, requiring an audit of all loan clients each year is a much greater burden for a microfinance institution than a traditional financial institution, since a microfinance portfolio is made up of many small short-term loans. Regulators should provide clear guidance on how to fulfill internal control requirements for a newly licensed microfinance institution and allow a reasonable amount of time for the MFI to implement these changes. In addition, regulators should compile and use historical data and other tools to assess the soundness of microfinance institutions.””***
  • “”The ultimate tests of the effectiveness of an MFI’s internal control systems will be time and investor interest. Unfortunately, some MFIs will suffer serious losses before discovering the weaknesses inherent in their internal control systems. MFIs that become complacent, assuming that what works well today will work well tomorrow, will be at the greatest risk of unforeseeable financial loss. MFIs that proactively apply the principles of risk management and implement an effective feedback loop will be able to uncover and address risk exposures and succeed the test of time. MFIs that prove their ability to manage and mitigate risk will be more likely to demonstrate consistent profits, the primary objective of private investors. In addition, MFIs that implement effective internal control systems that aid in the risk management process will be most effective in fulfilling the social mission to provide financial services to low income sectors over the long-term.””***
  • “”Furthermore, MFIs that mobilize client savings can apply risk management strategies to ensure adequate protection of client assets, the primary concern of financial regulators.””***
  • “”The lack of effective internal controls is one of the remaining impediments to the development of a sustainable microfinance industry; MFIs, technical assistance providers, donors, practitioner networks and regulators all have a role in overcoming this obstacle.””***
19. References

*** Campion, Anita. "Improving Internal Control: A Practical Guide for Microfinance Institutions". Washington, D.C.: Microfinance Network and GTZ, 2000

Churchill, Craig, and Dan Coster. "CARE Microfinance Risk Management Handbook". Washington, D.C.: CARE and Pact Publications, Inc., 2001

"External Audit of Microfinance Institutions: A Handbook". CGAP Technical Tool No. 3. Washington, D.C.: CGAP, 1998

20. Courses

CGAP's course: Operational Risk Management
See participant course materials
- Assessing operational risk
- Designing and implementing internal control processes against fraud and other risks
- Designing monitoring processes including internal control and external audit

Ateneo de Manila University
Course: Risk Management and Internal Controls

This course helps microfinance institutions develop and improve the quality of their risk management processes. It focuses on problem prevention, early problem identification and control. The course provides guidelines for establishing operational activities that assist the MFI in identifying vulnerabilities, designing and implementing controls and monitoring the effectiveness of controls. The risk management and internal control is linked with the MFI management information system. It also highlights problem resolution as a means for risk management and internal control. The course also offers how internal and external audit could be used to the advantage of the MFI.

21. Conclusion

Internal control includes the prevention of potential problems as well as the early detection and correction of actual problems should they occur. The most common type of fraud by employees is fictitious loans. Other common forms of fraud are the use of in-transit or suspense accounts and kickbacks.

Good internal controls provide a working environment in which good employees are not tempted to do something they would not ordinarily do.

Contact the author:

Normand Arsenault
Québec, Canada
1 819 843 7719
Skype : sirdarana

Hari Srinivas -
Return to the Microfinance Governance Page
Return to the Virtual Library on Microcredit