Internal Auditing for Commercial Banks

Document Sample
Internal Auditing for Commercial Banks Powered By Docstoc
					     Internal Auditing
Banks & Financial Institutions

      Altaf Noor Ali
   Chartered Accountant
     1st Session: 9.30 - 1.30 pm
             Internal Audit
1. Personal Introductions
2. Group Activity: The Right Questions
3. Basic concepts
4. What are threats to banks? Fraud Profiles
5. Internal Audit: Specimen Disclosures in
   Annual Reports of a Commercial Bank
6. ‘External’ & ‘Internal’ Audit: Related?
7. Training and Continuing Education

       Last Session tommorow
     Administration, Process & Standards
1.  Organisation of Internal Audit Function
2.  Role of Audit Committee in Annual Audit Plan.
3.  Reports to Audit Committee: Audit Rating, Risk
    Evaluation, Issues, Responses & Follow-up
4. What are major human-related issues in an audit?
5. Fraud prevention, detection and investigation
    activities: Is this a job of internal audit?
6. Code of Ethics for Professional Accountant
7. Auditing Standards at 1-1-06: Closer look
8. International Audit Framework: From IAPC to
    IAASB and Contemporary Issues
9. Ten Practical Steps for Improving Internal Audit
10. Evaluation [5.00 - 5.30]
   Your Presenter’s
approach to this session.
 Knowledge is Power, gain as
  much of it as you can, and remember….
                 its deficiency is
            your constraint.
  And I PROMISE to present what I know in an
            interesting manner!
   Key: How can you benefit most from this session?
   ‘Ask, simplify, understand, remember, and apply’.   4
       Tell us about yourself…
Lets know each other well.
Tell us:
• Your Name
• Your position, department & bank
• Time period in present position
• Your most important function

Feel free to express yourself in a way we understand.
   Setting the Scene

‘Wise Sayings’

‘Trust your God….

‘Trust your God
after tying your
Group Activity: Internal Audit
The Questions in Your Mind
    Duration: 5 minutes
Write questions that you have in your mind
at this point of time relating to this session…
the ones for which you are here to seek an

  Example: Is internal audit mandatory?
                  Internal Audit:
                 Key Questions>
1.   What is the role of internal audit in the present scheme of
     corporate governance? What is mentioned about it in the
     annual reports?
2.   Chief Internal Auditor reports to the audit committee of the
     board. Many members in this committee do not have
     understanding of this function. What can be done about it?
3.   What is the utility of internal audit function in a financial
4.   There are different frameworks for approaching internal
     controls, such as COSO [usa], COCO [canada], and Turnbull
     [uk]. How should one go about reconciling its requirements
     given the foreign reporting? Similarly, banks have risk
     assessment and internal control units whose areas of work
     are common and confusing. What can be done?
5.   What do you recommend should be done to improve the
     effectiveness of internal audit function?

               Internal Audit:
              > Key Questions
6.  What indicators are available to the management
    to evaluate the effectiveness and efficiency of this
7. Do you think internal auditors have the desired
    training and skills to go beyond routine checking?
8. Internal auditors toil to get the audit observation to
    a reportable stage. However, audit observations
    are not taken that seriously. Follow-up mechanism
    is weak or non-existent; implementation slow. Why
    is it so?
9. How should an auditor go about assessing the
    ‘non-financial’ risk in a financial institution?
10. Going by the track record, why so many things go
    wrong in banks. Why banks are so vulnerable?

              Internal Audit:
             >> Key Questions
11. How can internal audit function ‘add value’ to the
    financial institution to justify investment in this
12. Why are internal auditors found doing things
    which are not exactly our ‘ core activity’?
13. What are the major technical, admin, and human-
    related issues in an internal audit department?
14. What should an auditor do to cope with the
    pressures on completing an assignment?
    Specifically, should there be a single final report or
    interim reports consolidated in a final report?
15. What are the characteristics of successful internal
                 Internal Audit:
               >>> Key Questions
16.   What can internal auditors do in individual capacity to
      educate and improve their skill base? How should they
      respond to the gap between theory and its application in a
      commercial setting? Tell us about the current auditing
      standards and specially use of software in audits of financial
17.   What is ‘internal risk assessment framework. Are you going
      to discuss how to fill it, in this session?
18.   Do internal auditor have good career paths?
19.   For all practical purposes, the ceo determines the career of
      cia. However, the reporting of cia is to the audit committee.
      How this conflict can be resolved or managed?
20.   How do you think the participants should evaluate the
      ‘return-on-training’ for this program?

Or, is it, for God sake, tell me… where am I right now? 

 Auditors: Traditional Weak Areas
1. Clear objectives, understanding and
   commitment from the top
2. Operational information and training
3. Assessing operational environments and
4. Audit documentation and referencing
5. Provision for continuous training
6. Communication skills
7. Clout in the organisation
‘Internal Audit’: Evolution>
1. The Evolution of Business
2. Agriculture Age
3. Industrial Age: The Rise of Mass
   Manufacturing…and Corporate Sector
4. The Rise of Service Sector: Banking,
   Financial, Insurance
5. The Electronic/Information/Digital Age
6. The Code of Corporate Governance
               ‘Internal Audit’:
            > Recent Happenings
7.     Prudential Regulation G-1 [16-7-05]: Rotation of External
       Auditors to be changed after every five years
8.     External Auditors: Separate report on internal controls from
9.     Requirement of paid-up capital. [at 3-2-07 Listed Commercial
       Banks = 22, Investment Banks =11, Leasing companies = 19,
       Others= 10]
10.    Meltdown of Islamic Investment Bank, Crescent Standard
       Investment Bank Ltd, etc [taken over by secp]
11.    Separate risk management structure
12.    Recent flurry of arrivals and acquisitions
      1.   Union Bank taken over
      2.   Picic due diligence continues
      3.   Barclays Bank – arrival of new player
      4.   Future of relatively small and regional banks

   External Audit Report on
       Internal Control
               SBP Circular
The requirement is that the external
 auditor will provide a separate report to
 the shareholders of Banks and financial
 institutions on internal control.
The will be applicable to financial
 statements from 1.1.06

     Financial services in Pakistan:
      Major trends in last 5 years
1.   Privatisation and down sizing
2.   Central bank management
3.   Dominance of Consumer Financing
4.   E-banking and plastic money
5.   Advent of open-ended funds
6.   Islamic banking
7.   Active involvement in Stock Exchanges
8.   Banking spreads and bank charges
    Tell me:
  Who are the
stakeholders in a
Major Stakeholders in a Bank
                1. Investors
               2. Employees
               3. Depositors
    4. Clients extended banking services
                5. Lenders
       6. Central Board of Revenue
               7. Regulators
            [also known as banking supervisors]
•   Have I skipped any significant stakeholder?
             like a general physician…
       Tell me:
How is a bank different
from other commercial
 Banks: How are they different?
1. Bearer Securities>> Banks hold custody of large amounts of monetary
   items, like cash, whose security is critical.
   The liquidity characteristics of these items make banks vulnerable to
   misappropriation and fraud.
2. Leverage>> Banks operate with very high leverage (the ratio of capital
   to total assets is low). This makes banks’ vulnerable to adverse
   economic events and increases the risk of failure.
3. Change in Fair Value>> Bank have assets that can rapidly change in
   value and whose value is often difficult to determine. A relatively small
   decrease in asset values may have a significant effect on their capital
   and potentially on their regulatory solvency.
4. Credibility>> Banks generally derive a significant amount of their
   funding from short-term deposits. A loss of confidence by depositors
   in a bank’s solvency may quickly result in a liquidity crisis.

>Banks: How are they different?
5. Transaction Volume>> Engage in a large volume and variety of
   transactions whose value may be significant. This ordinarily requires
   complex accounting and internal control systems and widespread use
   of information technology (IT).
6. Decentralisation>> Ordinarily operate through networks of branches
   and departments that are geographically dispersed. This mandates a
   greater decentralization of authority and dispersal of accounting and
   control functions, with consequential difficulties in maintaining
   uniform operating practices and accounting systems, particularly
   when the branch network transcends national boundaries.
7. Electronic>> Transactions can often be directly initiated and
   completed by the customer without human contact, for example, over
   the Internet or through automatic teller machines.
8. Third Party>> Fiduciary duties in respect of the assets they hold that
   belong to other persons like lockers. This may give rise to liabilities
   for breach of trust.

  >>Banks: How are they different?
9. Memo Transactions>> Assume significant commitments without any
   initial transfer of funds other than, in some cases, the payment of fees.
   These commitments may involve only memorandum accounting
   entries. Consequently their existence may be difficult to detect.
10. Highly Regulated>> They are regulated by governmental authorities,
    whose regulatory requirements often influence the accounting
    principles that banks follow. Non-compliance with regulatory
    requirements, for example, capital adequacy requirements, could have
    implications for the bank’s financial statements or the disclosures.
11. Clearing System Access>> They generally have exclusive access to
    clearing and settlement systems for checks, fund transfers, foreign
    exchange transactions, etc.
12. International Settlements>>They are an integral part of, or are linked
    to, national and international settlement systems and consequently
    could pose a systemic risk to the countries in which they operate.
 Some basic concepts…
   Lets talk about…

……………internal audit?

……………internal auditor?

………internal audit deptt.?
     Tell me:
     What is
‘Internal Audit’?

         Internal Audit
A corporate function responsible
    for evaluating an entity's
      financial, operational,
  procedural and other aspects
     [by its own employees].
                Keywords: FOPO

[Can a bank outsource its internal audit function?]
      Tell me:
     Who is an
‘Internal Auditor’?

     Internal Auditor
 The person who does internal
auditing for a living and a career.
The ‘Human Face’ of internal audit
       function of an entity.

    Tell me:
   What is an
‘Internal Audit
 Internal Audit Deptt.
         The official base of
          internal auditors.
(in other words, the official place to
      look for internal auditors).

     Recap of basic concepts…

 Name…internal audit = function

Person……internal auditor = human

Place…internal audit deptt. = venue

     Tell me:
     What is
‘Basle Committee
   on Banking
Basle Committee on
Banking Supervision
 The de-facto standard setting
   body for central and their
supervised commercial banks.

Any idea about what is Basle-I and Basle-II?
   Image Issue

Internal Auditors

            Internal Auditors:
      Public Compliments - Shikwa
1.   They have limited understanding of business
     issues. They believe everything to be done by the
     book. Commercial compulsions do not exist for
2.   They seem to be in a perpetual state of urgency.
3.   They expect your full attention at their
4.   They waste a lot of your time by not doing their
     homework. Sometimes they ask stupid questions.
5.   The worst part is that they doubt integrity of
6.   They are mainly introvert in nature. They hardly
     ever make friends.

         Internal Auditors:
 Public Compliments – The Ultimate
7. They are Post-Mortem Generals.
8. The corporate internal audits are full of
    OSDs (Officers on Special Duty); it’s a
    permanent resting place for all those who
    could not do anything sensible elsewhere.
9. My wife was an internal auditor before
    wedding; since then all her observations
    have been about me!
10. If you are so good, how come Code had to
    bring you into existence through legislation
    and that too for listed companies only?

                Internal Auditors:
1.   We are your colleagues, with a difficult task to do. Why
     not be open with us? Do you have something to hide?
2.   You handle us properly and we can be your
     messangers in conveying to the management your
     operational and human issues/problems. Feel free to
     discuss any business matter!
3.   We at Audit Deptt. are severely understaffed. The
     Management would not take any chances with
     understaffing which hampers revenue growth, but we
     confess being seen often as an item of expenditure.
4.   We need to gain quantum knowledge in a very limited
     time, and in the process of learning we feel free to ask
     any question rather than not understanding it.

            Internal Auditors:
         Jawab-e-Shikwa Ultimate
5.   You may be honest but is that inscribed on your
6.   Who do you think the management remembers
     first as an expert in case of a fraud?
7.   We have been effective by preventing many
     peoples from having wrong ideas. If management
     is more comfortable paying for fraud than foot our
     bill, its their problem. We were always a utility.
8.   We know that you see us as a necessary evil in a
     corporate set-up but you can’t wish us away!
9.   In the end you need to see that we are trained but

Five Critical Concepts….

    What is


The liability of a board of directors
to shareholders and stakeholders
  for corporate performance and

 Should the concept of accountability be any
different for banks and financial institutions?
     Example of Accountability
         Annual Report

 An official document/report presented
annually by all publicly listed companies
         to its shareholders by law.
 It contains decisions, representations,
      data and information on different
   It also contains financial results and
   overall performance of the previous
   fiscal year and comments on future. 42
Where Annual Report is presented?
    Annual General Meeting

A company gathering, usually held
after the end of each financial year,
     at which shareholders and
management discuss the previous
year and the outlook for the future,
   directors are elected and other
      shareholder concerns are
             addressed.                 43
      Tell me:
  What is the most
important term used
    in auditing?
    Starts with ‘r’ ends with ‘k’

 Risk-based Auditing Approach

An approach [method] that questions and
        responds to the question:
 what is the risk involved in a particular
  audit subject e.g process, procedure,
       disclosure, non-disclosure.

What is a relatively less understood but critical term in auditing?   NFI
      Tell me:
  What is an
‘audit committee’?

        Audit Committee
   An Audit Committee is a sub-
 committee of Board of Directors
  responsible for over-seeing the
  matters relating to external and
         internal auditors.
It owes its existence to the Code.

Is CEO a member of Audit Committee?
There should be atleast one Finance Expert in Audit Committee. T/F
      Tell me:
    Who are
‘external auditors’?

        External Auditors

A person or a firm of chartered
 accountants appointed by the
shareholders in Annual General
 Meeting to audit the financial
 statements of an entity for the
         current year.

External auditors can also be appointed as
          internal auditors. T/F
   Tell me:
   What is
‘audit report’?
          Audit Report

   Statement of the accounting
firm's assessment of the validity
  and accuracy of a company's
    financial information and
    conformity with accepted
      accounting practices.
Group Activity: Share your views

 Why do we need
an internal auditor
in the presence of
 external auditor?                 52
   Commercial Banks:
Practical Fraud Profiles….
             Cooperative Societies
              Bankers Equity Ltd
         Islamic Investment Bank Ltd
    Crescent Standard Investment Bank Ltd
 Press Reporting of Frauds in Commercial Bank

   Was it possible for internal audit function to have
              prevented such happenings?
Prevention of fraud should be an expressive objective of
                   internal audit. T/F                 53
Commercial Banks:
 Fraud Profiles….

 Lending, dealing and
 deposit taking cycles
       Fraud Risk Factors:
         Lending Cycle
Impersonation and False Information on Loan Applications/Double-
   Pledging of Collateral/Fraudulent Valuations/Forged or Valueless
1• No on-site appraisal of or visit by the borrower.
2• Difficulty in obtaining corroboration of the individual’s credentials,
   inconsistent or missing documentation and inconsistencies in
   personal details.
3• Valuer from outside the area in which the property is situated.
4• Valuation is ordered and received by the borrower rather than the
5• Lack of verification of liens to substantiate lien positions and
6• Lack of physical control of collateral that requires physical
   possession to secure a loan (like jewellery, bearer bonds, art work).

        Fraud Risk Factors:
         >>Lending Cycle
Use of Nominee Companies/Transactions with Connected Companies
1• Complex structures which are shrouded in secrecy.
2• Several customers with sole contact, that is, handled exclusively by one
    member of staff.
3• Limited liability partnerships without full disclosure of ownership or with
    complex common ownership structures.
Kickbacks and Inducements
1• Excessive amounts of business generated by particular loan officers.
2• Strong recommendation by director or lending officer but missing data or
    documentation on credit file.
3• Indications of week documentation controls, for example providing funding
    before documentation is complete.
Use of Parallel Organizations
(Companies under the common control of directors/shareholders)
1• Unexpected settlement of problem loans shortly before the period end or
    prior to an audit visit or unexpected new lending close to the period end.
2• Changes in the pattern of business with related organizations.
        Fraud Risk Factors:
         >>>Lending Cycle
Loans to Fictitious Borrowers/Transactions with Connected Companies
1• “Thin” loan files with sketchy, incomplete financial information, poor
    documentation or management claim that the borrower is wealthy and
    undoubtedly creditworthy.
2• Valuations which seem high, valuers used from outside the usually permitted
    area or the same valuer used on numerous applications.
3• Generous extensions or revised terms when the borrower defaults.

Deposit Transformation or Back-to-Back Lending
1• A bank deposit is made by another bank, which is then used to secure a loan
    to a beneficiary nominated by the fraudulent staff member of the first bank,
    who hides the fact that the deposit is pledged.
2• Pledges over deposits (disclosed by confirmations which have specifically
    requested such pledges to be disclosed).
3• Documentation of files held in directors’ or senior managers’ offices outside
    the usual filing areas; deposits continually rolled over or made even when
    liquidity is tight.

       Fraud Risk Factors:
       >>>>Lending Cycle
Funds Transformation
(Methods used to conceal the use of bank funds to make apparent loan
1• Loans which suddenly become performing shortly before the period
   end or prior to an audit visit.
2• Transactions with companies within a group or with its associated
   companies where the business purpose is unclear.
3• Lack of cash flow analysis that supports the income generation and
   repayment ability of the borrower.

             Fraud Risk Factors:
                    Dealing Cycle
      Off-Market Rings/Related Party Deals
     1.   No spot checks on the prices at which deals are transacted.
     2.   Unusual levels of activity with particular counterparties.
2.    Broker Kickbacks
     1.   High levels of business with a particular broker.
     2.   Unusual trends in broker commissions.
3.    False Deals
     1.   A significant number of cancelled deals.
     2.   Unusually high value of unsettled transactions.
4.    Unrecorded Deals
     1.   High levels of profit by particular dealers in relation to stated dealing strategy.
     2.   Significant number of unmatched counterparty confirmations.
5.    Delayed Deal Allocations
     1.   No time stamping of deal tickets or a review of the time of booking.
     2.   Alterations to or overwriting of details on deal sheets.
6.    Misuse of Discretionary Accounts
     1.   Unusual trends on particular discretionary accounts.
     2.   Special arrangements for preparation and issue of statements.                     59
            Fraud Risk Factors:
           Deposit Taking Cycle
1.    Depositors’ Camouflage
(Hiding the identity of a depositor, possibly in connection with funds
      transformation or money laundering.)
     •      Similar or like-sounding names across various accounts.
     •      Offshore company depositors with no clearly defined business or about which
            there are few details.
2.       Unrecorded Deposits
     1.     Any evidence of deposit-taking by any other company of which there are
            details on the premises, whether part of the bank or not.
     2.     Documentation held in management offices that it is claimed has no
            connection with the business of the bank or evasive replies on such
3.       Theft of Customer Deposits/Investments
     1.     Customers with hold-mail arrangements who only have very occasional
            contact with the bank.
     2.     No independent resolution of customer complaints or review of hold-mail

     Fraud Risk Factors: Analogy
1.   The risk of fraudulent activities or illegal acts arises at banks both
     from within the institution and from outsiders.
2.   Among the many fraudulent activities and illegal acts that banks
     may face are check-writing fraud, fraudulent lending and trading
     arrangements, money laundering and misappropriation of banking
3.   Fraudulent activities may involve collusion by management of
     banks and their clients. Those perpetrating fraudulent activities may
     prepare false and misleading records to justify inappropriate
     transactions and hide illegal activities.
4.   Fraudulent financial reporting is another serious concern.
5.   In addition, banks face an ongoing threat of computer fraud.
     Computer hackers, and others who may gain unauthorized access
     to banks computer systems and information databases, can
     misapply funds to personal accounts and steal private information
     about the institution and its customers. Also, as is the case for all
     businesses, fraud and criminal activity perpetrated by authorized
     users inside banks is a particular concern.                            61
 >>Fraud Risk Factors: Analogy
Banks with serious deficiencies in corporate governance and internal
      control are most vulnerable.
Significant losses may arise from:
i.    Lack of adequate management oversight and accountability, and
      failure to develop a strong control culture within the bank. Major
      losses due to fraud often arise as a consequence of management's
      lack of attention to, and laxity in, the control culture of the bank,
      insufficient guidance and oversight by management, and a lack of
      clear management accountability through the assignment of roles
      and responsibilities. These situations also may involve a lack of
      appropriate incentives for management to carry out strong line
      supervision and maintain a high level of control consciousness
      within business areas.
ii.   Inadequate recognition and assessment of the risk of certain
      banking activities, whether on- or off-balance sheet. When the risks
      of new products and activities are not adequately assessed and
      when control systems that function well for simpler traditional
      products are not updated to address newer complex products, a
      bank may be exposed to a greater risk of loss from fraud.
>>>Fraud Risk Factors: Analogy
iii.   The absence or failure of key control structures and
       activities, such as segregation of duties, approvals,
       verifications, reconciliations, and reviews of operating
       performance. Lack of a segregation of duties has played a
       major role in fraudulent activities. [reasons: saving
       manpower costs, budget, etc]
iv.    Inadequate communication of information between levels of
       management within the bank, especially in the upward
       communication of problems. Fraud may go undetected when
       information about inappropriate activities that should be
       brought to the attention of higher level management is not
       communicated until the problems become severe.
v.     Inadequate or ineffective internal audit programs and
       monitoring activities. When internal auditing or other
       monitoring activities are not sufficiently rigorous to identify
       and report control weaknesses, fraud may go undetected at
       banks. Also, when adequate mechanisms are not in place to
       ensure management action to correct reported deficiencies.
    Commercial Banks:
 Comments on Internal Audit in
      Annual Report
‘The Board has set up an effective Internal Audit
  function. All the branches, regions and groups
  are subject to audit. All the Internal Audit Reports
  are accessible to the Audit Committee and
  important points arising out of audit are reviewed
  by the Audit Committee and important points
  requiring Board’s attention are bought into their
   Statement of Compliance para.20 NBP AR 2004
     Commercial Banks:
>>Comments on Internal Audit in
       Annual Report
‘The Board has formed an audit committee
  comprising of three non-executive directors. The
  audit committee has written terms of reference in
  the form of a charter, which has been approved
  by the Board of Directors. The committee is
  responsible for the oversight of he internal audit
  function and reviews its approach and
  methodology from time to time’.
                    Directors’ Report 2004 AR NBP
     Commercial Banks:
>>>Comments on Internal Audit
      in Annual Report
‘Internal audit department of the bank conducts the
   audit of all branches, regions and groups at
   head office level on ongoing basis to evaluate
   the efficiency and effectiveness of internal
   control system and proper follow-up of
   irregularities and control weaknesses is carried
                   Directors’ Report 2004 AR NBP
Internal & External Auditors
 The relationship &
   the Difference

   Internal & External Auditors:
1. Appointment & Functional
2. Scope of Work
3. Qualification
4. External Auditor’s use of
   Internal Auditor work
5. Form of Reporting               68
   Internal & External Auditors:
 Appointment & Function Reporting
1. Internal Auditors are appointed by the CEO
   solely or in consultation. They report to the
   Audit Committee. Issue: Provide safeguards.
2. The Code provides that the CEO may appoint
   the internal auditor and determine his terms of
   employment, to be approved by the BOD.
3. The appointment of external auditor (person or
   firm) is provided in the Companies Ordinance
4. External Auditor is appointed by the
   shareholders in Annual General Meeting.        69
     Internal & External Auditors:
1. The scope of work of internal auditor is
   defined and determined by the Audit
   Committee. Normally, it includes:
  1. Financial & Procedural Reviews
  2. Operational Reviews [most importantly that of
     non-financial indicators]
  3. Compliance Reviews
2. The scope of work of external auditor is
   defined by the statute. Its more focused on
   ensuring that financial statements are free
   from material misstatements.
         Internal Auditors:
   Scope 1: Review Accounting &
     Internal Control Systems
1. The establishment of adequate accounting
   and internal control systems is a
   responsibility of management which
   demands proper attention on a continuous
2. Internal auditing is ordinarily assigned
   specific responsibility by management for
   reviewing these systems, monitoring their
   operation and recommending
   improvements thereto.
       Internal Auditors:
Scope 2: Examination of financial
   and operating information.

This may include review of the means
used to identify, measure, classify and
report such information and specific
inquiry into individual items including
detailed testing of transactions,
balances and procedures.

         Internal Auditors:
    Scope 3: Operational Reviews
    Scope 4: Compliance Reviews
1. Review of the economy, efficiency
   and effectiveness of operations
   including non-financial controls of an
2. Review of compliance with laws,
   regulations and other external
   requirements and with management
   policies and directives and other
   internal requirements.                 73
     Internal Auditors: Recap of Scope
1.    Review of the accounting and internal control systems.
      Internal auditing is ordinarily assigned specific responsibility
      by management for reviewing these systems, monitoring
      their operation and recommending improvements thereto.
2.    Examination of financial and operating information.
3.    Review of the economy, efficiency and effectiveness of
      operations including non-financial controls of an entity.
4.    Review of compliance with laws, regulations and other
      external requirements and with management policies and
      directives and other internal requirements.

How an internal auditor can ‘add value’ to an entity?
How the performance of internal audit should be evaluated?

     Internal & External Auditors:
1. For internal auditors, the Code does not
   prescribes any minimum qualifications.
   You may have any person as an internal
   auditor. This area needs to be addressed
   by the Code.
2. For external auditors, for public companies
   (listed or unlisted), the minimum
   qualification for appointment is that of
   being a Chartered Accountant.

   Internal & External Auditors:
      Relationship = ISA 610
1. Internal auditors are free to use similar
standards that external auditors do in
reaching to an audit opinion.
2. The external auditors MAY rely on the
work of the internal auditors in forming an
overall opinion on the financial statements.
However, to do so, they perform an
assessment of the effectiveness of the
internal audit function.
The final responsibility of expressing an
opinion is that of the external auditors.
   Internal & External Auditors:
  Relationship = ISA 610 Para 13
When obtaining an understanding and performing a
preliminary assessment of the internal audit
function, the important criteria are the following:
(a) Organizational status: Specific status of internal
auditing in the entity and the effect this has on its
ability to be objective. In the ideal situation, internal
auditing will report to the highest level of
management and be free of any other operating
responsibility. Any constraints or restrictions placed
on internal auditing by management would need to
be carefully considered. In particular, the internal
auditors will need to be free to communicate fully
with the external auditor.
      Internal & External Auditors:
         >>Relationship Contd.
(b) Scope of function: The nature and extent of internal
   auditing assignments performed. The external
   auditor would also need to consider whether
   management acts on internal audit
   recommendations and how this is evidenced.
(c) Technical competence: Whether internal auditing is
   performed by persons having adequate technical
   training and proficiency as internal auditors. The
   external auditor may, for example, review the
   policies for hiring and training the internal auditing
   staff and their experience and professional
    Internal & External Auditors:
     >>>Relationship Concluded
• (d) Due professional care: Whether
  internal auditing is properly planned,
  supervised, reviewed and documented.
  The existence of adequate audit
  manuals, work programs and working
  papers would be considered.

     Internal & External Auditors:
          Form of Reporting
1. External Auditors report in a prescribed
   statutory form.
2. There is no standard form of reporting for
   the internal auditor. The internal audit
   conclusion may be in the form of a rating
   exclusive to the bank.

     Internal & External Auditors:
            Code of Ethics
1. External Auditors abide by IAASB.
   Non-compliance results in
   disciplinary action.
2. There is no abiding form of code of
   ethics for the internal auditor unless
   he is a member of Institute of Internal
   Auditors, USA. Presently there is no
   local professional institute for internal

             Internal Auditors:
            Sum of Advantages
1. No constraint on resources, with proper
   management attitude.
2. No bar on frequency of undertaking a specific
   aspect for audit, may be weekly, monthly, quarterly
   or even daily.
3. Afford time to get into much more details than
   would be expected from an external auditor – much
   wider scope.
4. Most likely to have updated and thorough
   knowledge of business than an external auditor.

        Internal Auditors:
 Competencies, Attitudes, Skills etc
1. Integrity.
2. Relevant qualifications [education training].
3. Technical [understanding of dynamics of
   issues and business] and analytical mind.
4. Inquisitiveness. Continuous learning
5. Communication Skills
  1. Asking right questions
  2. Listening skills
  3. Writing skills
6. Personal: Patience and doing homework.
Group Activity 1: Your Views

How much an internal
  auditor can benefit
        from the
methods & techniques
 of external auditors?
  Group Activity: Your Views

     Do you think that the
   external auditors should
  make a reference in their
       Report about the
effectiveness of internal audit
     Internal Audit Function
Training & Continuing Education
1.    Bank of International Settlement   =   Basle
     Committee on Banking Supervision
2. IFAC Website or = HANDBOOK OF
    PRONOUNCEMENTS. 2007 handbook available can be
    downloaded free.
3. SECP = Code of Corporate Governance
4. IIA = 20 Qs Directors Should Ask About Internal
5.    Search and find. Examples include = audit programs etc
6. State Bank of Pakisan =
         Recap 1st Session
1. Internal Audit Framework for Commercial
   Bank: Success Factors
2. External & Internal Audit: The knot
3. Scope of Internal Audit: How internal
   audit can be more effective than external
4. Constraints on Internal Audit Function.
5. Update on SBP Circulars on Internal
Thank You.


jolinmilioncherie jolinmilioncherie http://