Internal Audit in Banks Garantibank Presentation ppt

Arising Importance of Audit due to Present Economic Developments
Korcan DEMİRCİOĞLU, Ph.D.
Supervisor Auditor, Garanti Bank
Agenda
1. Definition and Components of Internal Audit
2. International Standards and Regulations about Internal Audit
3. Effects of Economic Crisis and Technological Improvements
4. New Trends and Changing Role of Internal Audit

Definition and Components of Internal Audit

Definition of Internal Audit
Internal audit helps an organization to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of
• risk management,
• control,
• governance processes.
Internal Audit is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.

Corporate Governance
Corporate governance is a general system which promotes enterprise orientation and control structure.
The generally accepted international understanding of corporate governance involves:
• Equality,
• Transparency,
• Accountability and
• Liability.

Risk Management
Risk management is a process that strikes an appropriate trade-off between risk and yield and adds “value” to the organization.
Risk management concerns all departments.
1. Identification of Risks
• Defining the risks
• Measuring the risks
• Analysing the risks
• Reporting
2. Prioritization of Risks
• Probability of the Risk
• Severity of the Risk
3. Taking Necessary Actions
• Acceptance
• Transferring
• Controlling

Internal Control
Control is one of the actions taken to mitigate the effects of risks in terms of:
• Safeguarding of assets,
• Compliance with laws, regulations, and agreements,
• Reliability and integrity of financial and operational information,
• Effectiveness and efficiency of operations.
Basic control activity examples are:
• Authorization Methods
• Limit Applications
• Decomposition of Tasks
• Policy and Procedures
• Task Descriptions and Responsibilities
• Reconcilement Methods

International Standards and Regulations about Internal Audit

Regulations about Internal Audit
Regulations in Turkey
- Banking Law No. 5411
- Arrangements of BRSA
- Arrangements of the Capital Markets Board of Turkey
International Regulations
- Regulations by Basel Committee
- Regulations by Professional Associations (IFAC, IICPA, etc.)

Standards of Internal Audit
A. ATTRIBUTE STANDARDS
• Purpose, Authority and Responsibilities
• Independence and Objectivity
• Proficiency and Due Professional Care
• Quality Assurance and Improvement Program
B. PERFORMANCE STANDARDS
• Management of Internal Audit Activities
• Quality of Work
• Engagement Planning
• Performing Engagement
• Reporting Results
• Observing Developments
• Acceptance of Residual Risks by Management

Attribute Standards
Purpose, Authority and Responsibilities
The purpose, authority and responsibilities of internal audit activities should be clearly defined in the charter.
Independence and Objectivity
• Organizational Independence
• Individual Objectivity
• Impairment to Independence or Objectivity
Proficiency and Due Professional Care
• Proficiency: Requires the knowledge, skills and other competencies needed to perform individual responsibilities.
• Due Professional Care: The care and the skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.
• Continuing Professional Development: Enhancement of knowledge, skills, and other competencies through continuing professional development.

Performance Standards
The Internal Audit Activity Management
The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization.
• Planning
• Communication and Approval
• Resource Management
• Policies and Procedures
• Coordination
• The Board of Directors, Internal Audit Committee and Reporting to Top Management

Performance Standards
Engagement Planning
Engagement Objectives:
In setting the engagement objectives, internal auditors should:
• Identify and assess risks relevant to the activity under review; the engagement objectives must reflect the results of this assessment,
• Consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.
• Consulting engagement objectives should address risks, controls and governance processes to the extent agreed upon with the client.
Scope of Engagement:
• The established scope must be sufficient to satisfy the objectives of the engagement.
• The scope of the engagement must include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.
Engagement Resource Allocation:
Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives, based on a plan that covers the following:
- an evaluation of the nature of the engagement,
- complexity of the engagement,
- time constraints,
- available resources.

Performance Standards
Performing the Engagement
Internal auditors must
• identify,
• analyze,
• evaluate, and
• document sufficient information to achieve the engagement's objectives.
Recording Information
• Internal auditors must document the relevant information to support the conclusions and engagement results.
• Thus, it would be beneficial for internal auditors to prepare working papers.

Performance Standards
Communication of the Engagement Results
[Diagram. Entities: Chief Audit Executive (CAE); Audit Committee; Board of Directors; BRSA (BDDK). Report labels: Periodic Activity Report; Informative Memos about the Annual Activities of the Internal Audit; Annual Report and Informative Memo.]

Performance Standards
Monitoring Progress
The chief audit executive,
• Must establish and maintain a system to monitor the disposition of results communicated to management,
• Must establish a follow-up process to monitor and ensure that management actions have been effectively implemented,
• Or that senior management has accepted the risk of not taking action (namely, residual risk).

Effects of Economic Crisis and Technological Developments

Important Corporations Which are Negatively Affected or Failed During the Last Crisis
[Timeline figure: October 07, January 08, June 08, September 08]

Developments After Crisis
What's Expected?
• Reconstruction of the Global Banking System,
• Regulated Market Economy instead of Free Market Economy – Establishing New Audit/Control System,
• Elimination of Weaknesses of Risk Management,
• Improvement in the Credit Rating Agencies’ Applications,
• New Regulations and Regulatory Institutions in Financial Markets.

Developments After Crisis
• Increasing Importance of Audit
• Differentiation in Audit Methodologies
• Monitoring Audit Results
• Attributions and Adequacy of Auditors
Lessons to Take
• Risk must be “respected”. The risk management function should be seen as equally important as the other functions in banks, and not be described as a ‘back office’ function.
• Risk analysis is an important part of modern risk management. On the other hand, models alone are not sufficient.
• There is a limit to regulations.
• If the level of exaggerated debt seems unbelievably good, then it really is unbelievable. The U.S. banks owned tools which they used mainly to remove their credits from their balance sheets; their leverage ratios were as much as 600 to 1.
• Accounting changes everything. Accounting for credit assets at market value (mark to market) increased the volatility in reported losses by nearly 50% during the depression period. Accounting must be accounting. There should not be any creative accountancy.
• Audit activity can only be as effective as the consideration given to its results.
• Volume based promotion redoubles the risk appetite.

Queries
Rating Agencies
• What are their standard methods for working and decision-making?
• How transparent and accountable are they?
• How objective are their approach and reviews?
• Who checks these organizations and their reports on a global and local basis?
• What should the reaction time (reflex) of company grading be?

Queries
Risk Management and Risk Management Models
[Diagram labels: Market Risk; Credit Risk; Operational Risk]
• How proactive is risk management?
• Was risk management located in the right position within the bank?
• Risk Management Models
  - How applicable are they?
  - How accurate are they?
  - Are control and measurement methods sufficient?
The Basel II Banking capital rules did not produce the needed effect on Banks having enough liquidity. Northern Rock and Bradford & Bingley did cover the requirements related to “capital” but it did not prevent them from bankruptcy. (The Independent)

Queries
Audit Principles
Internal Audit
• Independency
• Sanction Power
• Risk Oriented
• Qualitative Adequacy
External Audit
• Regulations
• Standards

Queries
Board of Directors and Top Management
• Volume Focused and Premiums
• Audit Committee Acts
• Functions of Independent Administrative Board
• Corporate Governance

New Trends and Changing Role of Internal Audit

New Trends in Audit
• Risk Oriented Audit
• Continuous Audit and Supervision
• Information System (IT) Audit

Risk Oriented Audit
The following reasons have changed the working concept of audit departments and have led to the acceptance of risk oriented audit:
• Control resources are not unlimited.
• Controlled activities face different risks.
• Controlled unit activities have relatively different severity levels.
Risk Oriented Audit Concept
[Diagram labels: RISK; Identification; Evaluation; Prioritizing; Specify Resources; AUDIT PLAN]
Purpose: Transferring Resources of Audit to Most Risky Areas!

Continuous Audit and Supervision
Deriving benefits from IT:
• Continuous supervision of processes,
• Checking immediately after the process,
• Warning system before the process.

IT Audit
• Information Systems (IS) make work more effective with fewer errors, which increases dependence on IS. Important processes are carried out using Information Systems.
• IT systems are vulnerable to many risks:
  - Authentication
  - Non-repudiation
  - Data Integrity/Consistency
  - Data Confidentiality (Privacy)
  - Business Continuity
  - Compliance with Legal Arrangements
Regulations suggest some requirements about IT audits.

Standards of IT Audit
COBIT is an IT Management and Audit Model and legislatively accepted standard in IT Audits in Turkey.
• CMMI: Software Development Standards
• ITIL: Service/Service Process Management Standards
• ISO: Information/System Security Standards

Changing Approaches in Audit
TRADITIONAL
• Detection
• Functional
• Including whole
• Once
• Partial
MODERN
• Prevention
• Process based
• Risk oriented
• Continuous
• Integrated

Audit Certifications