Arising Importance of Audit due to Present Economic Developments

Korcan DEMİRCİOĞLU, Ph.D.
Supervisor Auditor, Garanti Bank

Agenda
1. Definition and Components of Internal Audit
2. International Standards and Regulations about Internal Audit
3. Effects of Economic Crisis and Technological Improvements
4. New Trends and Changing Role of Internal Audit

Definition and Components of Internal Audit

Definition of Internal Audit
Internal audit helps an organization to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Internal audit is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.

Corporate Governance
Corporate governance is a general system which promotes enterprise orientation and control structure. The generally accepted international understanding of corporate governance involves:
• Equality,
• Transparency,
• Accountability and
• Liability.

Risk Management
Risk management is a process which strikes an appropriate trade-off between risk and yield and adds “value” to the organization. Risk management concerns all departments.
1. Identification of Risks
• Defining the risks
• Measuring the risks
• Analyzing the risks
• Reporting
2. Prioritization of Risks
• Probability of the Risk
• Severity of the Risk
3. Taking Necessary Actions
• Acceptance
• Transferring
• Controlling

Internal Control
Control is one of the actions taken to mitigate the effects of risks in terms of:
• Safeguarding of assets,
• Compliance with laws, regulations, and agreements,
• Reliability and integrity of financial and operational information,
• Effectiveness and efficiency of operations.
Basic control activity examples are:
• Authorization Methods
• Limit Applications
• Decomposition of Tasks
• Policy and Procedures
• Task Descriptions and Responsibilities
• Reconciliation Methods

International Standards and Regulations about Internal Audit

Regulations about Internal Audit
Regulations in Turkey
- Banking Law No. 5411
- Arrangements of BRSA
- Arrangements of the Capital Markets Board of Turkey
International Regulations
- Regulations by Basel Committee
- Regulations by Professional Associations (IFAC, IICPA, etc.)

Standards of Internal Audit
A. ATTRIBUTE STANDARDS
• Purpose, Authority and Responsibilities
• Independence and Objectivity
• Proficiency and Due Professional Care
• Quality Assurance and Improvement Program
B. PERFORMANCE STANDARDS
• Management of Internal Audit Activities
• Quality of Work
• Engagement Planning
• Performing Engagement
• Reporting Results
• Observing Developments
• Acceptance of Residual Risks by Management

Attribute Standards
Purpose, Authority and Responsibilities
The purpose, authority and responsibilities of internal audit activities should be clearly declared in the charter.
Independence and Objectivity
• Organizational Independence
• Individual Objectivity
• Impairment to Independence or Objectivity
Proficiency and Due Professional Care
• Proficiency: Requires the knowledge, skills and other competencies needed to perform individual responsibilities.
• Due Professional Care: The care and the skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.
• Continuing Professional Development: Enhancement of knowledge, skills, and other competencies through continuing professional development.

Performance Standards
The Internal Audit Activity Management
The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization.
• Planning
• Communication and Approval
• Resource Management
• Policies and Procedures
• Coordination
• The Board of Directors, Internal Audit Committee and Reporting to Top Management

Performance Standards
Engagement Planning
Engagement Objectives: When setting the engagement objectives, internal auditors should:
• Identify and assess risks relevant to the activity under review; the engagement objectives must reflect the results of this assessment,
• Consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.
Consulting engagement objectives should address risks, controls and governance processes to the extent agreed upon with the client.
Scope of Engagement: The established scope must be sufficient to satisfy the objectives of the engagement. The scope of the engagement must include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.
Engagement Resource Allocation: Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives, based on a plan regarding the following issues:
- an evaluation of the nature of engagement,
- complexity of engagement,
- time constraints,
- available resources.

Performance Standards
Performing the Engagement
Internal auditors must
• identify,
• analyze,
• evaluate, and
• document
sufficient information to achieve the engagement's objectives.
Recording Information
Internal auditors must document the relevant information to support the conclusions and engagement results. Thus, it is beneficial for internal auditors to prepare working papers.
Performance Standards
Communication of the Engagement Results
• CHIEF AUDIT EXECUTIVE (CAE)
• AUDIT COMMITTEE: Periodic Activity Report; Informative Memos about the Annual Activities of the Internal Audit
• BOARD OF DIRECTORS: Annual Report and Informative Memo
• BRSA (BDDK)

Performance Standards
Monitoring Progress
The chief audit executive
• must establish and maintain a system to monitor the disposition of results communicated to management,
• must establish a follow-up process to monitor and ensure that management actions have been effectively implemented, or that senior management has accepted the risk of not taking action (namely, residual risk).

Effects of Economic Crisis and Technological Developments

Important Corporations Which Were Negatively Affected or Failed During the Last Crisis
[Timeline figure: October 07, January 08, June 08, September 08]

Developments After Crisis
What's Expected?
• Reconstruction of the Global Banking System,
• Regulated Market Economy instead of Free Market Economy - Establishing New Audit/Control System,
• Elimination of Weaknesses of Risk Management,
• Improvement in the Credit Rating Agencies’ Applications,
• New Regulations and Regulatory Institutions in Financial Markets.

Developments After Crisis
Increasing Importance of Audit
• Differentiation in Audit Methodologies
• Monitoring Audit Results
• Attributes and Adequacy of Auditors
Lessons to Take
• Risk must be “respected”. The risk management function should be seen as equally important as the other functions in banks, and not be described as a ‘back office’ function.
• Risk analysis is an important part of modern risk management. On the other hand, models alone are not sufficient.
• There is a limit to regulations.
• If the level of exaggerated debts seems to be good in an unbelievable way, then it is really unbelievable. The U.S. banks owned tools which they used mainly to remove their credits from their balance sheets; their leverage ratios were as much as 600 to 1.
• Accounting changes everything.
• Accounting for credit assets at market value (mark to market) increased the volatility in reported losses by nearly 50% during the depression period.
• Accounting must be accounting. There should not be any creative accountancy.
• Audit activity is effective only to the extent that its results are taken into account.
• Volume-based promotion redoubles the risk appetite.

Queries
Rating Agencies
• What is the standard method for working and decision-making?
• How transparent and accountable are they?
• How objective are their approach and reviews?
• Who checks these organizations and their reports on a global and local basis?
• What should the reflex (reaction time) in grading companies be?

Queries
Risk Management and Risk Management Models
[Diagram labels: Market Risk, Credit Risk, Operational Risk]
Risk Management
• How proactive is risk management?
• Was risk management located in the right position within the bank?
Risk Management Models
• How applicable are they?
• How accurate are they?
• Are control and measurement methods sufficient?
The Basel II banking capital rules did not produce the needed effect on banks having enough liquidity. Northern Rock and Bradford & Bingley did cover the requirements related to “capital”, but it did not prevent them from bankruptcy. (The Independent)

Queries
• Audit Principles
• Internal Audit
• Independence
• Sanction Power
• Risk Oriented
• Qualitative Adequacy
• External Audit
• Regulations
• Standards

Queries
• Board of Directors and Top Management
• Volume Focused and Premiums
• Audit Committee Acts
• Functions of Independent Administrative Board
• Corporate Governance

New Trends and Changing Role of Internal Audit

New Trends in Audit
• Risk Oriented Audit
• Continuous Audit and Supervision
• Information System (IT) Audit

Risk Oriented Audit
The reasons below have changed the working concept of audit departments, and risk oriented audit has found acceptance because of them:
• Control resources are not unlimited.
• Controlled activities face different risks.
• Controlled unit activities have relatively different severity levels.
Risk Oriented Audit Concept
• Identification
RISK
• Specify Resources
• Evaluation
• Prioritizing
AUDIT PLAN
Purpose: Transferring Resources of Audit to Most Risky Areas!

Continuous Audit and Supervision
• Deriving benefits from IT,
• Continuous supervision of processes,
• Checking immediately after the process,
• Warning system before the process

IT Audit
Information systems make work more effective with fewer errors, which increases dependence on IS.
Important processes are done by using information systems.
IT systems are vulnerable to many risks.
• Authentication
• Non-repudiation (non-deniability)
• Data Integrity/Consistency
• Data Confidentiality (Privacy)
• Business Continuity
• Accordance with Legal Arrangements
Regulations suggest some requirements about IT audits.

Standards of IT Audit
COBIT is an IT Management and Audit Model and a legislatively accepted standard in IT audits in Turkey.
CMMI: Software Standards Development
ISO: Service/Service Standards
ITIL: Information/System Standards
Process Management
Security

Changing Approaches in Audit
TRADITIONAL        MODERN
Detection          Prevention
Functional         Process based
Including whole    Risk oriented
Once               Continuous
Partial            Integrated

Audit Certifications