Internal Controls For Treasury PDF
Internal Controls For Treasury PDF
Internal Controls For Treasury PDF
Copyright
© CPA Australia (ABN 64 008 392 452), 2005. All rights reserved.
Save and except for third party content, all content in these materials is owned or licensed by CPA Australia (ABN 64 008 392 452)
Other than for the purposes of and subject to the conditions prescribed under the Copyright Act 1968 (Cth) (or any other applicable
legislation throughout the world), or as otherwise provided for in this copyright notice, no part of these materials may in any manner or
any medium whether now existing or created in the future, (including but not limited to electronic, mechanical, microcopying,
photocopying or recording) be reproduced, adapted, stored in a retrieval system, transmitted or communicated to the public without the
prior written permission of the copyright owner.
Modification of the materials for any purpose other than provided under this notice is a violation of CPA Australia’s copyright and other
proprietary rights. All trade marks, service marks and trade names are proprietary to CPA Australia. For permission to reproduce any
material, a request in writing is to be made to the Legal Business Unit, CPA Australia, Level 28, 385 Bourke Street, Melbourne, Victoria 3000.
CPA Australia has used reasonable care and skill in compiling the content of this material. However, CPA Australia and the editors make no
warranty as to the accuracy or completeness of any information in these materials.
This material is intended to be a guide only and no part of these materials are intended to be advice, whether legal or professional. You
should not act solely on the basis of the information contained in these materials as parts may be generalized and may apply differently to
different people and circumstances.
Further, as laws change frequently, all practitioners, readers, viewers and users are advised to undertake their own research or to seek
professional advice to keep abreast of any reforms and developments in the law.
To the extent permitted by applicable law, CPA Australia, its employees, agents and consultants exclude all liability for any loss or damage
claims and expenses including but not limited to legal costs, indirect special or consequential loss or damage (including but not limited to,
negligence) arising out of the information in the materials.
Where any law prohibits the exclusion of such liability, CPA Australia limits its liability to the re-supply of the information.
Introduction
This internal control checklist will help organisations with investment or treasury functions to assess their own internal
controls. The checklist sets out typical internal controls (in categories) as well as providing guidance on how these controls
can be applied. Put another way, this checklist outlines the controls typically found in well controlled environments where
there is a treasury or treasury type activity.
The control checklist has three columns.
• The column on the left sets out the typical controls which would be expected in most organisations.
• The column in the middle provides examples of which would be applied in an environment where there is a treasury
system (controls for a treasury systems environment).
• The column on the right provides examples of controls which would be applied in an environment where spreadsheets
are employed or where there are manual records (controls for spreadsheets and manual systems environment).
• The central column and the right-hand column have been merged where the same controls would be applied to both
environments.
Environments which have treasury systems will usually ‘host’ larger treasury establishments, whereas environments with
spreadsheet and manual systems will usually ‘host’ smaller treasury establishments.
i
Contents
Introduction i
Risk management framework and governance 1
Policy and procedures 1
Organisational structure 2
Limits 3
Personnel: training, compliance and performance 3
Reporting 4
Operational reports 4
Risk management activities 5
Post-deal controls 6
Operations (settlements) 7
Controls over settlement 8
Reconciliation of bank accounts and
treasury records to the general ledger 8
Cash management 9
Physical security (records/key systems) 10
Monitoring of risk management activities 10
Treasury infrastructure 11
ii
A Checklist of Internal Controls
for Treasury
Risk management framework and governance
Controls for a treasury Controls for spreadsheets and
Typical controls
systems environment manual systems environment
The risk management objectives must match the Statement of treasury objectives in policy document and risk
organisational culture and the board’s objectives. appetite.
The board should adequately communicate the Policy document available to staff.
organisation’s culture and objectives to the staff.
The board must clearly understand the risk The board has been involved through discussions in accepting
management issues faced by the organisation. policy.
The board is responsible for the execution of, The board receives reports on treasury activities, including
and compliance with, the internal controls. This compliance with policy. People with specialist skills may be required
may be delegated to an audit or risk committee. to sit on this committee.
The policy should clearly relate to the financial Statement of treasury objectives in policy document.
risk management objectives and strategies of the
organisation.
The policy should be approved by the board, Actual evidence of board approval.
including date of approval and next review date.
The policy should cover the five financial risks: Each risk is covered in the policy document. The policy document
• Market risk may state which issues are applicable and which are not.
• Liquidity risk
• Credit risk
• Settlement risk
• Operational risk
The policy should establish a clear and internally For each financial risk, state the amount of discretion delegated to
consistent risk management policy including management. For example, management may hedge 60 to 80 per
appropriate risks limits. cent of an exposure.
The policy should outline the organisational Specify the role of individuals, State role of individuals,
structure for the management of financial risks, committees and the board. committees and the board.
including the authority and role of each body or
individual.
The policy should include a table of specific Delegations should be stated in Delegations should be stated in
delegations. For example, who can approve new the treasury policy document the treasury policy document as
financial facilities, negotiate facilities, draw down as well as position descriptions. well as position descriptions.
loan facilities etc. These delegations may also be
built into treasury and payment
systems (eg, approval limits).
The policy should specify which financial Specified in treasury policy Specified in treasury policy
instruments can be used and for what purpose. and dealing mandates and dealing mandates
For example, if options are permitted, can they communicated to counterparties communicated to
be bought or sold and in what circumstances? may form a part of systems counterparties.
set-up – as well as position
descriptions.
The policy should state formal escalation Systems to detect and report Built in organisational controls
procedures for policy breaches. breaches (eg, exceeding e.g. review of transactions by
counterparty limits) senior officer.
1
A Checklist of Internal Controls
for Treasury
Organisational structure
Controls for a treasury Controls for spreadsheets and
Typical controls
systems environment manual systems environment
It is preferable that the treasury back office Treasury back office functions Oversight of treasury activities
be responsible and report to finance staff, for undertaken by shared service or by an officer independent of
example, the financial controller, rather than financial control function. day-to-day activities.
report directly to the treasurer. Finance staff must
understand the activities taking place within the
treasury.
There should be an effective segregation of Segregation of duties is Segregation of duties is
key duties including dealing, settlement, and enforced through organisational implemented to the extent that
accounting/reconciliation. These segregations structures, user access in the it is possible, given the number
need to be further strengthened if the treasurer treasury/payment systems and of staff available in finance
executes transactions. This segregation is procedural documents. related functions. Compensating
reinforced through procedures documentation controls such as senior
and position descriptions. management oversight are used.
For example, payments made
through electronic payment
systems may require a senior
officer from outside the finance
function to release the payment.
There should be a policy and procedures Self-explanatory. Procedures Self-explanatory. Basic
documentation, which is up to date and easily including systems should be procedures should be in place.
accessible to all staff. It can be audited for detailed.
compliance.
There should be a formal and independent This role may be carried out by This role may be carried out by
compliance function which monitors compliance an independent risk function or, audit on a periodic basis.
with policy, procedures and limits. internal audit.
Treasury is subject to regular review by internal Treasury function Included in Reviewed by external auditors or
audit, external audit or by peer auditors. internal audit plan. specialist adviser.
There should be formal job descriptions or For each treasury position there should be a job description
delegations for key treasury positions. specifying the duties of the position, reporting lines, delegations of
authority and qualification requirements.
There should be sufficient resources for the The level of staffing and type of staff (in terms of their qualifications
treasury to operate effectively. and experience) should be commensurate with the workload and
complexity of transactions undertaken by the treasury staff.
2
A Checklist of Internal Controls
for Treasury
Limits
Controls for a treasury Controls for spreadsheets and
Typical controls
systems environment manual systems environment
Dealers are trained and authorised to execute Relevant education may include:
deals.
All personnel should be appropriately trained AFMA accreditation Authority levels
above the minimum required. CPA.,ICA.,FTA.,ASIA, AFMA core Discussion with your banks to
and specialization ensure knowledge
Dealers should have appropriate qualifications. Current relevant training Experience, FTA, CPA, ICA,ASIA
All employees’ references should be properly Self-explanatory
checked.
Employees sign an ethics policy when joining the Self-explanatory
company.
Settlement and support staff have appropriate Self-explanatory Especially important for manual
education. systems as support must be a
check against manual systems.
3
A Checklist of Internal Controls
for Treasury
Reporting
Controls for a treasury Controls for spreadsheets and
Typical controls
systems environment manual systems environment
The following reports are recommended: Typically generated by a treasury May be systems or manually
System. generated.
Daily settlement reports – Daily settlement report for – Diary systems e.g. ‘outlook’
dealers and settlement staff – Spreadsheet of maturities
Cashflow reports
– Cash flow forecast from compared with back office
Bank account balances from all sources
business units – Electronic banking/ bank
Exposure reports – Bank account and transaction statements & spreadsheet
Limit reports listings from the electronic listing
banking system – Register/spreadsheet
– Maturity diaries for dealers – Senior management receives
– Counterparty limit reports for inward confirmations
dealers and compliance staff Provision of deal confirmations
– Transaction audit trail reports which the banking unit must
– End of day reports from track.
Austraclear for matching to
bank account information.
– Reports are provided to
business units of their net
currency position
Operational reports
Controls for a treasury Controls for spreadsheets and
Typical controls
systems environment manual systems environment
• Exception reports are provided to senior Monthly board report on treasury activities on key financial risks of
management and the board, especially relating the organisation which should tie in with key risk indicators – data
to policy breaches. and graphics.
• Management reporting
• Board reports
• The board (or delegated committee) receives
information on ’stress testing’ and scenario
forecasts – particularly where treasury policy is
being reviewed or updated.
Stress testing is running scenarios that are
extremely unlikely but show the board possible
worse case situations.
4
A Checklist of Internal Controls
for Treasury
Deal execution
On the execution of a deal, the following must be observed:
• dealers must check position/exposure limits Process to check limits including Process to check registers/
and credit limits prior to dealing; counterparty limits and exposure spreadsheets of exposures and
limits in treasury systems. counterparty limits.
• each deal may need to be designated to Hedge designation (ie, Hedge designation completed
an underlying exposure to meet hedge documentation of hedge manually and on spreadsheet
accounting under AASB139; relationship and effectiveness including documentation
testing) completed in system. of hedge relationship and
effectiveness testing.
• dealers must execute deals clearly and Dealers trained in correct Dealers trained in correct dealing
concisely so that there is no possibility of dealing methods and entry of methods with numbering
confusion; deal information into treasury systems.
systems.
• dealers must deal only with financial Agreement with counterparties to be able to review phone
institutions that tape phone calls; conversations.
• dealers must maintain a position blotter or Maintain spreadsheet or position blotter or scratch pad.
scratch pad and be able to verify or challenge
the reported position produced by the
treasury system/settlements function;
• dealers must enter their own deals into Dealer input into treasury Deal ticket completed by
the treasury system as soon as practicable system. System generates dealer and Input in to deal
after the deal is executed. This is particularly outward confirmation and register (spreadsheet) by
important if there is a trading portfolio where deal is flagged ‘unmatched’ in back office. Spreadsheet is
delayed input may permit deal redesignation. treasury system (pending receipt password protected. Back
of inward confirmation). office keeps deal ticket pending
inward confirmation. Inward
confirmation recorded against
spreadsheet.
• if the deal is linked to a strategy, it must be Recorded in treasury systems Recorded in deal register.
clearly designated in deal records;
• the audit trail of new deals as well as deal Amended and cancelled deals If the dealer wants to amend or
amendments and cancellations, must be are reported on an end of cancel a deal, he must obtain
reviewed daily by a party independent of the day report and reveiwed by management sign-off on deal
dealing function. the treasurer. Cancelled deals ticket and receive confirmation
are confirmed as cancelled by from the counterparty. The
counterparty. (If necessary). deal may then be cancelled in
register or spreadsheet.
5
A Checklist of Internal Controls
for Treasury
Post-deal controls
Controls for a treasury Controls for spreadsheets and
Typical controls
systems environment manual systems environment
Internal exposures of business units that Request for cover by business Manual request for cover by
are covered by treasury are supported by unit or generated by business business unit.
documentation from business units, signed off unit system (eg, SAP).
by the delegated authority within the business
unit. This documentation is available to support
all deals.
Internal counterparties receive a listing of Sent automatically from the Copy of treasury records
open deals once a month and are requested to system.
acknowledge the correctness of the listing.
Dealers are nominated in counterparty mandates. Original letter sent to counterparties.
There are controls and procedures around out of Limits state if out of hours dealing is permitted and who can do it.
hours dealing.
Orders left with banks/brokers are recorded by Keep copy of email.
email advice to the counterparty.
Orders left with banks/brokers are recorded in Orders register maintained and signed off daily.
an internal register and reviewed on opening of
each day.
Stop loss orders are used where there is an Maximum loss per transaction as well as cumulative loss limit is
open position with exposure to the market price specified in treasury policy statement.
movements.
There is no undue concentration of dealing with Limits are set for each counterparty in treasury policy statement.
a particular counterparty.
There is a code of conduct which prevents Prescribed in treasury policy statement.
acceptance of gifts or entertainment unless they
are of a token nature.
Static data cannot be changed within treasury There are controls over who N/A
systems in an uncontrolled manner. can access the treasury system
to change static data, eg,
counterparty details including
bank details of counterparty.
6
A Checklist of Internal Controls
for Treasury
Operations (settlements)
Controls for a treasury Controls for spreadsheets and
Typical controls
systems environment manual systems environment
Confirmation issuance and matching System generated automatically Manual confirmations to be sent
Outward confirmations are sent out as soon as to fax/email gateway. out by dealers or back office and
practicable after the deal is executed. all inward bank confirmations
are to be signed from senior
(The authors acknowledge that overnight cash management.
may not have written confirmations on a daily
basis but monthly statements should be verified
and confirmed with the bank.)
There is confirmation within two hours or within Confirmations sent out by Confirmations sent out – this
policy. system. may be a Word document.
Inward confirmations are: Confirmations are received by Inward confirmations are
– received in a manner which prevents dealer the back office in a manner received by an independent
interception; which prevents interceptions. officer/senior officer; then
For example, the confirmation matched to manual deal records
– matched to information within the treasury is received to a secure facsimile and signed off. The deal is
system or deal tickets. or user fax stream (ie, it is faxed recorded in a spreadsheet which
All deals done that day which are not confirmed to a particular individual’s PC) is password controlled.
by close of business are to be investigated and matched against a record Unmatched deal slips
immediately. in systems or produced by the kept separate until inward
system. confirmation received.
Outstanding confirmations are recorded or
registered. Unmatched deals on system Unmatched deals should
reported daily and escalated be escalated to senior staff
NB - Deals without matching inward
to senior staff independent of independent of the dealer.
confirmations are an obvious sign that deals
dealer.
are not being properly recorded and should be
promptly followed up. Verification staff know
how to escalate issues without undue reliance on
dealing staff.
A settlement report ie, the settlement diary, Automated reports settlement Manual or automated
generated by the system is used for all reports distributed to dealing diary system which may be
settlements payments and receipts. This should and settlement staff. spreadsheet driven or rely on
be reviewed by senior staff weekly. diary systems such as outlook or
on manual diary systems.
Where possible, all external settlements should Downloaded treasury payments Payments manually input into
be made using electronic banking systems. from treasury systems, via back electronic banking system with
Where possible treasury systems/payment office support to electronic appropriate level of supporting
systems should be interfaced to electronic banking systems. documentation.
banking systems.
Payments are initiated by one operator, All payments require at least two staff to execute.
confirmed and released by another separate
party.
Settlement amounts are confirmed with Settlements are mainly Settlement confirmed verbally or
counterparties, before payment or receipt. confirmed verbally, but they are in writing.
also confirmed in writing or else
they rely on systems such as
Austraclear.
7
A Checklist of Internal Controls
for Treasury
Estimated end of day balances are compared Compare the bank balance in Bank statement compared with
with actual next day, with investigation of the treasury system with the one cash position keeping blotter/
significant variations from anticipated balances. shown in the bank statement. spreadsheet or accounting records.
Bank reconciliations are undertaken on a regular Self-explanatory
basis, preferably on a daily basis, independent of
the settlement and dealing functions.
The treasury system is reconciled to the general Self-explanatory This may require the recalculation
ledger of spreadsheets to the general
ledger eg, investment balances.
NOTE: Although many corporations have treasury systems, not all of them record all deals within the system. Extra care
must be taken in this situation.
8
A Checklist of Internal Controls
for Treasury
Cash management
Controls for a treasury Controls for spreadsheets and
Typical controls
systems environment manual systems environment
There is an effective method for monitoring the The daily cash position is The daily cash position is
daily cash position. maintained in the treasury maintained on a spreadsheet or
system or spreadsheet. a scratch pad.
There are targeted bank balances. Important to large organisatons Smaller organisations may aim
to ensure efficient use of for compliance with borrowing
working capital. limits.
Information for monitoring the cash position is Self-explanatory
sourced from:
– cash flow forecasting,
– electronic banking systems or bank statements
– business unit information; and
– settlement diaries emanating from the treasury
system or settlement register or spreadsheet.
Where accounts belong to the same legal entity, Interest calculated for each Interest calculated by
they should be set-off (net the balances) or account calculated by the spreadsheet.
swept into the main interest bearing account. system.
Bank accounts earn credit interest comparable to Self-explanatory
an overnight money market rate.
There is a cash flow forecasting regime for all Self-explanatory
business units, preferably forecasting on a 90-day
basis.
Businesses are charged for working capital and Self-explanatory May not be applicable to smaller
the performance of the business unit is measured organisations or where there are
after finance charges. This has the effect of system constraints.
making business units more efficient in terms of
using working capital.
All bank accounts are recorded in a register. Self-explanatory
– domestic and offshore.
Authorised bank signatories are kept up to Self-explanatory
date in the register. This register is to be review
annually.
Bank accounts can only be opened with approval Self-explanatory
of the treasurer and signed by a director, the
company secretary or a board delegate. Location
of branch and banking institution should be kept
with policy guidelines/compliance paper.
9
A Checklist of Internal Controls
for Treasury
There is physical/password security over key Administrator rights in the Access to spreadsheets or
systems and equipment, including routing treasury and settlements systems treasury drives and electronic
inward confirmations to render them secure from are segregated from operations banking systems is restricted by
interception. password.
The treasury management system has a system Self-explanatory Not applicable
of permissions that prevents dealing staff and
settlement staff from performing each other’s
tasks in the systems.
The static data of the system/process can only be Self-explanatory Not applicable
updated by the administrator. This data includes
the dual controls over changes to counterparty
standard settlement Instructions.
Audit log of all changes to counterparty static Self-explanatory Not applicable
data are independently reviewed on a regular
basis by a senior staff member independent to
the daily operations of the treasury function.
There are dual password controls on Implemented in treasury and payment systems
administrator rights for electronic banking
(particularly payment templates) and treasury
systems.
Important legal documents such as ISDA Stored in a safe, or scanned and stored electronically
(International Swap and Derivative Dealers
Associations) agreements are stored securely.
Spreadsheets should all be audited, tested and Independent audit of all spreadsheets
password protected.
Risk recognition
Treasury staff and systems must recognise all new Self-explanatory
risks when they are accepted by the company.
Staff and business unit staff must be trained to Self-explanatory
recognise key risks.
All new financial investment products must be Self-explanatory
examined for risks and approved by the board.
Bank accounts must be reconciled in a timely Self-explanatory
manner to detect incidents and failed settlements
or unauthorised transactions.
10
A Checklist of Internal Controls
for Treasury
Risk measures
There must be a system that enables risk Self-explanatory
management measures to be reported in an
adequate and timely manner.
There should be daily marking to market all Self-explanatory
positions with the reporting of the profit and loss
effect.
The risk management system must be reviewed Self-explanatory
by internal audit.
The magnitude of complexities and associated Self-explanatory
risks within the treasury must be commensurate
with the entity’s activities.
There must be an annual review of valuation Self-explanatory
methods.
Stress testing on extreme outcomes are carried Self-explanatory
out on all risks at least monthly.
Treasury infrastructure
Controls for a treasury Controls for spreadsheets and
Typical controls
systems environment manual systems environment
Ensure the data for revaluations is valid, Revaluation rates downloaded Revaluation rates obtained
independent and current. from information systems (eg, independently from sources such
Reuters), directly into a TMS. as financial newspapers.
Obtain independent valuations of any models
and spreadsheets used. All treasury software and The output of the model can be
systems have been subject to validated to another model or
Ensure that all spreadsheets are on the company
rigorous internal and external source of information.
drive and backed up.
testing.
Ensure that all spread sheets are independently
review and checked.
CPA Australia and the Finance and Treasury COE would like to thank Susan Campbell,
Stephen Cheesewright, other CPA members and the following companies:
Foxtel
Orica
And the Qantum Users group.
© Copyright CPA Australia 2005
11
A Checklist of Internal Controls
for Treasury
12
CPA AUSTRALIA
ABN 64 008 392 452
www.cpaaustralia.com.au
T 1300 73 73 73
NATIONAL OFFICE
CPA Centre
Level 28, 385 Bourke Street
Melbourne, VIC 3000