1 SEACEN Seminar on “INTERNAL AUDIT OF CENTRAL BANKS” Taipei, Taiwan, R.O.C. 14-17 September 2004 Presented by Shamsul Islam Junior Joint Director Audit.

1

SEACEN SeminarSEACEN Seminar on on

“INTERNAL AUDIT OF CENTRAL BANKS”“INTERNAL AUDIT OF CENTRAL BANKS”Taipei, Taiwan, R.O.C.Taipei, Taiwan, R.O.C.14-17 September 200414-17 September 2004

Presented by

Shamsul Islam

Junior Joint Director

Audit Department

2

SEACEN SeminarSEACEN Seminar

Organized by: South East Asian Central Bank

Research & Training Centre

(SEACEN Centre) Malaysia.

Financed by: Bank of Japan (BOJ)

Hosted by: The Central Bank of China

(CBC)Taiwan.

3

Central Bank of China

4

Seminar ParticipantsSeminar Participants30 participants from the following 15 Central 30 participants from the following 15 Central

Banks/Monetary Authorities/Ministry of Finance.Banks/Monetary Authorities/Ministry of Finance.

1. Royal Monetary Authority of Bhutan

2. Ministry of Finance, Brunei.

3. Reserve Bank of Fiji.4. Bank Indonesia5. The Bank of Korea6. Bank Negara Malaysia7. The Bank of Mangolia.8. Nepal Rastra Bank

9. State Bank of Pakistan.

10. Bank of Papua New Guinea.

11. Bangko Sentral ng Pilipinas.

12. Central Bank of Sri Lanka.

13. The Central Bank of China, Taipei.

14. Bank of Thailand.

15. Banking and Payments Authority of Tinor – Leste.

5

Resource Persons.Resource Persons.

1. Mr. John Graham Joscelyna CA(SA) CIADirector International ServicesUHY Advisers Inc.

2. Mr. Noriyuki TomiokaDirector Internal Auditors’ OfficeBank of Japan.

3. Dr. JIIN – FENG CHENAssociate ProfessorDepartment of Accounting, College of Commerce,National Chengchi University.

6

ISSUES FOR DISCUSSION IN THE ISSUES FOR DISCUSSION IN THE SEMINAR.SEMINAR.

1. Role of Internal Audit in Governance.2. Identification of gaps in the Internal Audit Function and

Opportunities for Improvement.3. Internal Audit in the Risk Management Process.4. Leveraging on Automation and Information Technology in

Audit Engagements.5. Impact of Regulations on Internal Audit.6. Outsourcing of the Internal Audit Function.7. Industry’s Best Practices in Internal Audit.

7

1. 1. Role of Internal Audit in GovernanceRole of Internal Audit in Governance

• Entire audit process directly or indirectly linked with Governance Process.

• Audit is an on going Governance Process through evaluation of the System of internal controls.

8

What should Governance mean to Audit.What should Governance mean to Audit.

Process of oversight at board level.Relationship between board and management.Organization of executive functionsInformation flow

Key Control Process.TransparencyAuthorityAccountability

Impacts the Bank from top to bottom.Determines the control environment.Influences the bank’s culture.

9

Pre-requisite for Auditors in relation Pre-requisite for Auditors in relation to Governanceto Governance

Authority in Internal Audit Charter/IA Mandate. Competence on the part of Auditors. Real desire of Board and Management to include

Auditors.

10

What should be auditor’s relationship What should be auditor’s relationship with his auditees.with his auditees.Facilitator Picking up on their issues. Questioning them on their needs.

Educator Verification Checklist Sharing best practices Sharing movement in Governance practice.

Listener Listen more from auditee so that auditor may educate and facilitate

them.

11

What can Auditor do?What can Auditor do?

Share Professional Best Practices What reporting works best. Usefulness of an independent audit Usefulness of audit to the auditee. How value is added to the performance of auditee. Agree Audit Charter with the Board and Management. Reporting of Audit activities to the Board. Share International Internal Audit Standards and what they

mean.

12

Objectives of these activitiesObjectives of these activities

Auditor has a voice in the Governance arena. Auditor adds value to the views of the auditee. Auditor is professional. Auditor has an independent voice.

13

Increase understanding with regard to:Increase understanding with regard to:

Code of Ethics. Control Framework in the Bank. Agreement on auditor’s work. Agreement on the risks taken by the Bank. Agreement on what auditor can and should do.

14

Reliance is also sought from other Reliance is also sought from other players.players.

Risk Managers. Compliance Officer. External Auditor.

15

Auditor’s leadership in Governance Auditor’s leadership in Governance Process.Process.

Adding value at the highest level. Working at a strategic level. Facilitating. Enabling.

16

2) 2) Identification of Gaps in the Internal Audit Identification of Gaps in the Internal Audit Function and opportunities for improvement.Function and opportunities for improvement.

Gaps IIAs standards. Negative conception with regard to Auditors. Level of competence in risk based auditing. Auditor as “watchdog” and “faultfinder”. Less emphasis on scientific audit programs. Designing and implementing of flow charts in audit process. Preparation of check list and their applications. Designing of questionnaire for the auditee.

17

Gaps Cont……… Central Bank experience – Professional qualifications. Professional qualifications – Central Bank experience. I.T. experts - Experience of Central Bank working. Central Bank working experience - I.T. expertise. Lack of coordination and understanding between

Internal and External Auditors.

18

Opportunities for improvement:Opportunities for improvement:

Adoption of IIAs Standards. To further educate the auditee with patience behavior. To increase the level of competency in risk based auditing

through training and by changing audit methodology. To switch over in role of auditor from “watchdog” and

“faultfinder” to the educator/facilitator/mentor. To prepare scientific audit programs To design and implement flow charting. To use check list and questionnaire during the audit process.

19

Opportunities for improvement: cont’d…..Opportunities for improvement: cont’d…..

To arrange short courses/training for the officials who have a handsome experience but far behind the professional qualifications regarding audit.

Auditors other than I.T. should impart the I.T. training. Top level management/Audit Committee should ensure the

coordination and better understanding between Internal and External auditors.

20

3. 3. Internal Audit in the Risk Internal Audit in the Risk Management Process.Management Process.

Change in the role of Audit. Watchdog/Faultfinder – Risk identifier/educator.

Change in Audit Methodology. Compliance based audit/Financial audit – Risk

Based audit.

21

Risk Based Audit ProcessRisk Based Audit Process

Understanding of risks faced.

Assessing the exposures.

22

Risk Based Audit Process Cont’d……Risk Based Audit Process Cont’d……

Gather information and plan. Knowledge of departments/segments/objectives. Understanding of operations and procedures. Prior year’s audit results. Regulatory statutes, approved policies. Identifying risk associated with segment/process.

23


Obtain understanding of Internal Control

Control environment.

Control procedures.

Matches of associated risks with controls.

24


Perform Audit Tests Test effectiveness of controls and other substantive audit

procedures.

25


Conclude the Audit Analyse the audit findings. Discuss with departmental heads and draw

conclusion. Recommendation for improvements. Draft Report.

26

Compliance Officer or Unit

Internal Auditor Risk Manager

External Auditor

Risk Evaluation Family

27


Auditor’s own Risks. Explicit Audit. Delivering the right audit product. Assuring the quality of work. Maintaining professional reputation Managing Human Resources.

28

4. 4. Leveraging on Automation and Leveraging on Automation and Information Technology in Audit Information Technology in Audit Engagements.Engagements.

Why the automation is need of the time? To increase in efficiency & productivity of Audit. To increase in accuracy. To eliminate storage of work papers. To enable instantaneous communications. To permit access of information via Internet. To lower audit cost. To faster the audit process.

29

Overall status of automation. Initial / middle stage. Working is being automated. Designing of software. Parallel Runs. Partially live working. Complete live working.

30

Usage of Software Tools. In-house development. Outsourcing the computerization. Readymade Softwares.

31

Automation status in other Central Banks -SRILANKA Payment System with - Real Time Gross

Settlement (RTGS) Government Debt Security Management with -

Scriptless Securities Settlement System (SSSS). Treasury and International Reserve Management

with – Treasury Dealing Room Management System (TDRMS).

32

Computer Assisted Audit Tools and Techniques (CAATTs).

Readymade Softwares Audit Command Language (ACL). Sarbox Portal (SP) Risk and Control Tracking System (RCTS). Control Assessment Template (CAT). Risk Navigator (RN). Team Mate (TM). Office-Suite Software.

33

Sarbanes – Oxley Software 10th Annual Survey of Internal Audit Utilization of

Software Tools Why are you not using Sarbanes – Oxley Software? Our Company is not subject to Sarbanes – Oxley – 79%. Another Department in our organization handles Sarbanes – Oxley

compliance 5%, Sarbanes – Oxley compliance is outsource at our Organization – 1%.

These types of tools are too expensive – 8%. Others – 10%.

34

Summary of the Survey Results.Summary of the Survey Results.

Category % of usage

Most Popular Tools.

Sarbanese – Oxley Compliance.

22% Risk and Control Tracking System.

Data Extraction 86% ACL, Excel

Data Analysis 94% Excel, ACL

Fraud Detection/Prevention 50% ACL, Excel

Network Security/Assessment.

28% ISS Internet Scanner

Audit Management 78% Excel, Auto Audit

Risk Management/Analysis 96% Excel, Word.

Control Self-assessment 33% Excel, Word.

Continuous Monitoring 38% ACL, Excel

35

5. 5. Impact of Regulations on Internal Impact of Regulations on Internal AuditAudit

Rules and Regulations may be National or International.

Evaluate how does it impact the Bank? What about its stakeholders?

36

Rules and Regulations may relate to:Rules and Regulations may relate to: Best practices. Leading Central Bank practices. IMF suggestions or demands. Money Laundering Reserve Management. Electronic Banking. Generally Accepted Accounting Principles. International Accounting Standards. International standards of Auditing. Income Tax Laws. Rules and Regulations framed by SEC. Corporate Governance Rules.

37

Impact on audit due to compliance of Impact on audit due to compliance of rules and Regulationsrules and Regulations

Cost.ResponsibilityControl EstablishmentScope.

38

Compliance of Regulations is every Compliance of Regulations is every one’s business, therefore:one’s business, therefore:

Is it in the risk assessment?Is it understood in the Bank’s control

environment?Is it in the control activities of the Bank?How does management see and acts?How are regulatory issues communicated?

39

In compliance of the Regulations, In compliance of the Regulations, information, communicated to the information, communicated to the regulators:regulators: Fair Complete. Transparent. Independently verifiable by the Internal and

External Auditor.

40

Impact of Incorrect information Impact of Incorrect information communicated to the regulators:communicated to the regulators:

Lack of Trust Disbelief Lack of credibility.

41

6. 6. Outsourcing of the Internal Audit Outsourcing of the Internal Audit FunctionFunction

Kinds of outsourcing. Special Project outsourcing. Partial outsourcing. Temporary staffing. Full outsourcing.

42

Determining factors if the Internal Determining factors if the Internal Auditing be outsourced:Auditing be outsourced:

Will the outsourcing of Internal Audit effect the effectiveness of corporate governance?

What are the advantages and disadvantages of internal audit outsourcing?

43

Arguments in favour of Outsourcing:Arguments in favour of Outsourcing:

Allows management to focus on core competencies.

Cost saving resulting from economies of scale.

Flexible access to expertise.

Access to leading practices.

44

Arguments against outsourcing:Arguments against outsourcing: By the lapse of time outsourcing provider will demand an ever greater

premium for their services. An external provider will not know the business as well, as the

internal personnel do. A valuable training ground is lost. Morale of the personnel will be seriously impaired. Individual Employee allegiance is to the outsourcing provider, not to

the client. Corporate governance is a management function which can not be

outsourced. Independence of external auditor will be impaired when the

outsourcing provider is also external auditor. Confidentiality is potentially lost. Management and the audit committee lose an objective source of

information.

45

Advantages of Outsourcing:Advantages of Outsourcing:

Smaller Organizations’ access to a broader set of skills.

Information systems audit skills – highly effective. Innovative approaches – knowledge of “Best

Practices”. Integrated audit approach – Internal + External. Active Management Participation – Provide

direction and oversight.

46

Disadvantages of Outsourcing:Disadvantages of Outsourcing:

Loss of a second set of eyes and ears. Confidentiality could not be maintained. Outsource provider might be an auditor of commercial bank(s) to

which central bank is monitoring. Expertise leave the Organization. Outsourcing does not build new managers. Outsourcing does not have to live with the decisions or

recommendations made – but still have pressure to retain the contract. Difficult to rebuild internal auditing department, if outsourcing is not

successful – dependency on one outside provider. External Auditor may be lacking internal audit knowledge – material

differences in perspective and execution:

47

Central Banks– OutsourcedCentral Banks– Outsourced

Internal Audit function of the Reserve Bank of Fiji is outsourced. Justifications for outsourcing put forth by the representative of

Reserve Bank of Fiji: Cost effective. Provides more independence and autonomy to the auditor. Outsourcing addresses the problem of resource constraints. Staff can be engaged in the core areas of the Bank. Expertise in the field of audit were lacking. Career paths and opportunities of audit personnel is limited as only

one central bank in the country. Skills required for auditing are readily available in the market.

48

A few audit functions have been co-sourced by Central Bank of Srilanka.

The functions out sourced: General Review of Information System. Pay Role System. Real Time Gross Settlement System (RTGS). Justification for co-sourcing put forth by the

representatives of Sri Lanka. Early retirement of staff and the absence of expertise to

special audit functions.

Central Banks– Outsourced Central Banks– Outsourced Cont’d……Cont’d……

49

7. 7. Industry Best Practices in Industry Best Practices in Internal AuditInternal Audit

Principles of Internal Audit. Independence, objectivity and impartiality. Audit should exercise their assignment without interference and are

free to report their findings and appraisals. Audit charter should be approved by the Board of Directors and

should be communicated to all staff within the Bank. Rotation of staff assignments within the audit department. No involvement in the operations of the bank. Recognition of the auditors’ independence in the audit charter. Official internally transferred to audit department should not involve

in the audit of his previous activity for a certain period.

50

Principles of Internal Audit Cont’d….Principles of Internal Audit Cont’d….

Maintenance of professional competence:

On the job training.

Formal internal and external training.

Staff rotation within the Department.

Incentives to become a Certified Internal Auditor.

51

Working methods and types of Working methods and types of AuditAudit Working methods: Drawing up a risk-based audit plan. Examining and assessing the available information. Communicating the results. Follow up of recommendations.

Types of audit: Financial Audit. Compliance Audit. Operational Audit. Management Audit. Risk-based Audit. I.T. Audit.

52

Audit Procedure:Audit Procedure:

Prepare audit program and document audit procedures in working papers.

Distribute audit reports to auditees and senior management.

Follow up the audit recommendations to see whether they are implemented.

Inform senior management about the status of the said implementation.

53

Management of the Internal Audit DepartmentManagement of the Internal Audit Department

The head of the Internal Audit Department is responsible for:

Ensuring the use of sound internal audit standards by the internal audit staff.

Existence of upto-date audit charter. Existence of upto-date written policies and procedures for audit staff. Appropriate professional competence and training of the audit staff. To regularly send report to appropriate management level for

discussion.

54

IIA’s International Standards for the IIA’s International Standards for the Professional Practice of Internal AuditingProfessional Practice of Internal Auditing

The purpose, authority and responsibility of the internal audit activity should be formally defined in a charter, consistent with the standards, and approved by the board.

Internal auditors should be objective in performing their work.

Internal auditors should have impartial, unbiased attitude and avoid conflicts of interest.

Engagements should be performed with proficiency and due professional care.

55

IIA’s International Standards for the IIA’s International Standards for the Professional Practice of Internal AuditingProfessional Practice of Internal Auditing Cont’d…..Cont’d…..

Quality Assurance and Improvement Program Chief Audit Executive (CAE) should develop and maintain a quality assurance and improvement program which should cover:

– All aspects of the internal audit actively and continuously monitoring its effectiveness.

– Periodic internal and external quality assessments and ongoing internal monitoring.

– Assurance that the internal audit activity is in conformity with the Standards and the Code of Ethics.

56


Disclosure of non-compliance.

– Internal audit actively should achieve full compliance with the Standards and internal auditors with Code of Ethics.

– In case of full compliance not achieved, disclosure should be made to senior management and the board.

57


Governance: IIA’s Internal Standards for the Professional Practice of Internal

Auditing. Internal audit actively should assess and make appropriate recommendations for improving the governance process for:

Promoting appropriate ethics and values within the organization. Ensuring effective organizational performance management and

accountability. Effectively communicating risk and control information to appropriate

areas of the organization. Effectively coordinating the activities and communicating information

among the board, external auditors and management.

58

59

September 17 September 17 Post Seminar City TourPost Seminar City Tour

- - Yingo Ceramics Museum

- - Lin Family Mansion and Garden.

60

Thank You

1 SEACEN Seminar on “INTERNAL AUDIT OF CENTRAL BANKS” Taipei, Taiwan, R.O.C. 14-17 September 2004 Presented by Shamsul Islam Junior Joint Director Audit.

Documents

internal audit function

role of internal audit

audit engagements

bank indonesia

bank of korea

bank of mangolia

bank of thailand

reporting of audit activities