SEACEN Seminar on “INTERNAL AUDIT OF CENTRAL BANKS”
Taipei, Taiwan, R.O.C.
14-17 September 2004

Presented by
Shamsul Islam
Junior Joint Director
Audit Department

SEACEN Seminar
Organized by: South East Asian Central Bank Research & Training Centre (SEACEN Centre), Malaysia.
Financed by: Bank of Japan (BOJ).
Hosted by: The Central Bank of China (CBC), Taiwan.

Central Bank of China

Seminar Participants
30 participants from the following 15 Central Banks/Monetary Authorities/Ministry of Finance.
1. Royal Monetary Authority of Bhutan.
2. Ministry of Finance, Brunei.
3. Reserve Bank of Fiji.
4. Bank Indonesia.
5. The Bank of Korea.
6. Bank Negara Malaysia.
7. The Bank of Mongolia.
8. Nepal Rastra Bank.
9. State Bank of Pakistan.
10. Bank of Papua New Guinea.
11. Bangko Sentral ng Pilipinas.
12. Central Bank of Sri Lanka.
13. The Central Bank of China, Taipei.
14. Bank of Thailand.
15. Banking and Payments Authority of Timor-Leste.

Resource Persons.
1. Mr. John Graham Joscelyna CA(SA) CIA
   Director International Services
   UHY Advisers Inc.
2. Mr. Noriyuki Tomioka
   Director Internal Auditors’ Office
   Bank of Japan.
3. Dr. JIIN-FENG CHEN
   Associate Professor
   Department of Accounting, College of Commerce,
   National Chengchi University.

ISSUES FOR DISCUSSION IN THE SEMINAR.
1. Role of Internal Audit in Governance.
2. Identification of gaps in the Internal Audit Function and Opportunities for Improvement.
3. Internal Audit in the Risk Management Process.
4. Leveraging on Automation and Information Technology in Audit Engagements.
5. Impact of Regulations on Internal Audit.
6. Outsourcing of the Internal Audit Function.
7. Industry’s Best Practices in Internal Audit.

1. Role of Internal Audit in Governance
• Entire audit process directly or indirectly linked with Governance Process.
• Audit is an ongoing Governance Process through evaluation of the System of internal controls.

What should Governance mean to Audit.
• Process of oversight at board level.
  – Relationship between board and management.
  – Organization of executive functions.
  – Information flow.
• Key Control Process.
  – Transparency.
  – Authority.
  – Accountability.
• Impacts the Bank from top to bottom.
  – Determines the control environment.
  – Influences the bank’s culture.

Pre-requisite for Auditors in relation to Governance
• Authority in Internal Audit Charter/IA Mandate.
• Competence on the part of Auditors.
• Real desire of Board and Management to include Auditors.

What should be auditor’s relationship with his auditees.
• Facilitator
  – Picking up on their issues.
  – Questioning them on their needs.
• Educator
  – Verification Checklist.
  – Sharing best practices.
  – Sharing movement in Governance practice.
• Listener
  – Listen more from auditee so that auditor may educate and facilitate them.

What can Auditor do?
Share Professional Best Practices
• What reporting works best.
• Usefulness of an independent audit.
• Usefulness of audit to the auditee.
• How value is added to the performance of auditee.
• Agree Audit Charter with the Board and Management.
• Reporting of Audit activities to the Board.
• Share International Internal Audit Standards and what they mean.

Objectives of these activities
• Auditor has a voice in the Governance arena.
• Auditor adds value to the views of the auditee.
• Auditor is professional.
• Auditor has an independent voice.

Increase understanding with regard to:
• Code of Ethics.
• Control Framework in the Bank.
• Agreement on auditor’s work.
• Agreement on the risks taken by the Bank.
• Agreement on what auditor can and should do.

Reliance is also sought from other players.
• Risk Managers.
• Compliance Officer.
• External Auditor.

Auditor’s leadership in Governance Process.
• Adding value at the highest level.
• Working at a strategic level.
• Facilitating.
• Enabling.

2. Identification of Gaps in the Internal Audit Function and opportunities for improvement.
Gaps
• IIA’s Standards.
• Negative conception with regard to Auditors.
• Level of competence in risk based auditing.
• Auditor as “watchdog” and “faultfinder”.
• Less emphasis on scientific audit programs.
• Designing and implementing of flow charts in audit process.
• Preparation of checklists and their applications.
• Designing of questionnaire for the auditee.

Gaps (cont’d)
• Central Bank experience – Professional qualifications.
• Professional qualifications – Central Bank experience.
• I.T. experts – Experience of Central Bank working.
• Central Bank working experience – I.T. expertise.
• Lack of coordination and understanding between Internal and External Auditors.

Opportunities for improvement:
• Adoption of IIA’s Standards.
• To further educate the auditee with patient behavior.
• To increase the level of competency in risk based auditing through training and by changing audit methodology.
• To switch the role of auditor from “watchdog” and “faultfinder” to educator/facilitator/mentor.
• To prepare scientific audit programs.
• To design and implement flow charting.
• To use checklist and questionnaire during the audit process.

Opportunities for improvement (cont’d):
• To arrange short courses/training for the officials who have handsome experience but are far behind in professional qualifications regarding audit.
• Auditors other than I.T. should impart the I.T. training.
• Top level management/Audit Committee should ensure coordination and better understanding between Internal and External auditors.

3. Internal Audit in the Risk Management Process.
• Change in the role of Audit.
  – Watchdog/Faultfinder – Risk identifier/educator.
• Change in Audit Methodology.
  – Compliance based audit/Financial audit – Risk Based audit.

Risk Based Audit Process
• Understanding of risks faced.
• Assessing the exposures.
• Gather information and plan.
  – Knowledge of departments/segments/objectives.
  – Understanding of operations and procedures.
  – Prior year’s audit results.
  – Regulatory statutes, approved policies.
  – Identifying risk associated with segment/process.
• Obtain understanding of Internal Control.
  – Control environment.
  – Control procedures.
  – Matching of associated risks with controls.
• Perform Audit Tests.
  – Test effectiveness of controls and other substantive audit procedures.
• Conclude the Audit.
  – Analyse the audit findings.
  – Discuss with departmental heads and draw conclusion.
  – Recommendation for improvements.
  – Draft Report.

Risk Evaluation Family
• Internal Auditor
• Risk Manager
• External Auditor
• Compliance Officer or Unit

Risk Based Audit Process (cont’d)
• Auditor’s own Risks.
  – Explicit Audit.
  – Delivering the right audit product.
  – Assuring the quality of work.
  – Maintaining professional reputation.
  – Managing Human Resources.

4. Leveraging on Automation and Information Technology in Audit Engagements.
• Why is automation the need of the time?
  – To increase efficiency & productivity of Audit.
  – To increase accuracy.
  – To eliminate storage of work papers.
  – To enable instantaneous communications.
  – To permit access of information via Internet.
  – To lower audit cost.
  – To speed up the audit process.

• Overall status of automation.
  – Initial / middle stage.
  – Working is being automated.
  – Designing of software.
  – Parallel Runs.
  – Partially live working.
  – Complete live working.

• Usage of Software Tools.
  – In-house development.
  – Outsourcing the computerization.
  – Ready-made software.

Automation status in other Central Banks: Sri Lanka
• Payment System with Real Time Gross Settlement (RTGS).
• Government Debt Security Management with Scripless Securities Settlement System (SSSS).
• Treasury and International Reserve Management with Treasury Dealing Room Management System (TDRMS).

Computer Assisted Audit Tools and Techniques (CAATTs).
• Ready-made software
  – Audit Command Language (ACL).
  – Sarbox Portal (SP).
  – Risk and Control Tracking System (RCTS).
  – Control Assessment Template (CAT).
  – Risk Navigator (RN).
  – Team Mate (TM).
  – Office-Suite Software.

Sarbanes-Oxley Software
• 10th Annual Survey of Internal Audit Utilization of Software Tools
• Why are you not using Sarbanes-Oxley Software?
  – Our Company is not subject to Sarbanes-Oxley – 79%.
  – Another Department in our organization handles Sarbanes-Oxley compliance – 5%.
  – Sarbanes-Oxley compliance is outsourced at our Organization – 1%.
  – These types of tools are too expensive – 8%.
  – Others – 10%.

Summary of the Survey Results.

Category                       % of usage   Most Popular Tools
Sarbanes-Oxley Compliance      22%          Risk and Control Tracking System
Data Extraction                86%          ACL, Excel
Data Analysis                  94%          Excel, ACL
Fraud Detection/Prevention     50%          ACL, Excel
Network Security/Assessment    28%          ISS Internet Scanner
Audit Management               78%          Excel, Auto Audit
Risk Management/Analysis       96%          Excel, Word
Control Self-assessment        33%          Excel, Word
Continuous Monitoring          38%          ACL, Excel

5. Impact of Regulations on Internal Audit
• Rules and Regulations may be National or International.
• Evaluate how they impact the Bank.
• What about its stakeholders?

Rules and Regulations may relate to:
• Best practices.
• Leading Central Bank practices.
• IMF suggestions or demands.
• Money Laundering.
• Reserve Management.
• Electronic Banking.
• Generally Accepted Accounting Principles.
• International Accounting Standards.
• International Standards of Auditing.
• Income Tax Laws.
• Rules and Regulations framed by SEC.
• Corporate Governance Rules.

Impact on audit due to compliance with Rules and Regulations
• Cost.
• Responsibility.
• Control Establishment.
• Scope.

Compliance with Regulations is everyone’s business, therefore:
• Is it in the risk assessment?
• Is it understood in the Bank’s control environment?
• Is it in the control activities of the Bank?
• How does management see it and act?
• How are regulatory issues communicated?

In compliance with the Regulations, information communicated to the regulators:
• Fair.
• Complete.
• Transparent.
• Independently verifiable by the Internal and External Auditor.

Impact of incorrect information communicated to the regulators:
• Lack of Trust.
• Disbelief.
• Lack of credibility.

6. Outsourcing of the Internal Audit Function
• Kinds of outsourcing.
  – Special Project outsourcing.
  – Partial outsourcing.
  – Temporary staffing.
  – Full outsourcing.

Determining factors if Internal Auditing is to be outsourced:
• Will the outsourcing of Internal Audit affect the effectiveness of corporate governance?
• What are the advantages and disadvantages of internal audit outsourcing?

Arguments in favour of Outsourcing:
• Allows management to focus on core competencies.
• Cost saving resulting from economies of scale.
• Flexible access to expertise.
• Access to leading practices.

Arguments against outsourcing:
• With the lapse of time, the outsourcing provider will demand an ever greater premium for their services.
• An external provider will not know the business as well as the internal personnel do.
• A valuable training ground is lost.
• Morale of the personnel will be seriously impaired.
• Individual employee allegiance is to the outsourcing provider, not to the client.
• Corporate governance is a management function which cannot be outsourced.
• Independence of the external auditor will be impaired when the outsourcing provider is also the external auditor.
• Confidentiality is potentially lost.
• Management and the audit committee lose an objective source of information.

Advantages of Outsourcing:
• Smaller Organizations’ access to a broader set of skills.
• Information systems audit skills – highly effective.
• Innovative approaches – knowledge of “Best Practices”.
• Integrated audit approach – Internal + External.
• Active Management Participation – Provide direction and oversight.

Disadvantages of Outsourcing:
• Loss of a second set of eyes and ears.
• Confidentiality could not be maintained.
• Outsource provider might be an auditor of commercial bank(s) which the central bank is monitoring.
• Expertise leaves the Organization.
• Outsourcing does not build new managers.
• Outsourcing provider does not have to live with the decisions or recommendations made, but still has pressure to retain the contract.
• Difficult to rebuild internal auditing department if outsourcing is not successful – dependency on one outside provider.
• External Auditor may be lacking internal audit knowledge – material differences in perspective and execution:

Central Banks – Outsourced
• Internal Audit function of the Reserve Bank of Fiji is outsourced.
• Justifications for outsourcing put forth by the representative of Reserve Bank of Fiji:
  – Cost effective.
  – Provides more independence and autonomy to the auditor.
  – Outsourcing addresses the problem of resource constraints.
  – Staff can be engaged in the core areas of the Bank.
  – Expertise in the field of audit was lacking.
  – Career paths and opportunities of audit personnel are limited as there is only one central bank in the country.
  – Skills required for auditing are readily available in the market.

Central Banks – Outsourced (cont’d)
• A few audit functions have been co-sourced by Central Bank of Sri Lanka.
• The functions outsourced:
  – General Review of Information System.
  – Payroll System.
  – Real Time Gross Settlement System (RTGS).
• Justification for co-sourcing put forth by the representatives of Sri Lanka:
  – Early retirement of staff and the absence of expertise for special audit functions.

7. Industry Best Practices in Internal Audit
Principles of Internal Audit.
• Independence, objectivity and impartiality.
  – Auditors should exercise their assignments without interference and are free to report their findings and appraisals.
  – Audit charter should be approved by the Board of Directors and should be communicated to all staff within the Bank.
  – Rotation of staff assignments within the audit department.
  – No involvement in the operations of the bank.
  – Recognition of the auditors’ independence in the audit charter.
  – An official internally transferred to the audit department should not be involved in the audit of his previous activity for a certain period.

Principles of Internal Audit (cont’d)
• Maintenance of professional competence:
  – On the job training.
  – Formal internal and external training.
  – Staff rotation within the Department.
  – Incentives to become a Certified Internal Auditor.

Working methods and types of Audit
• Working methods:
  – Drawing up a risk-based audit plan.
  – Examining and assessing the available information.
  – Communicating the results.
  – Follow up of recommendations.
• Types of audit:
  – Financial Audit.
  – Compliance Audit.
  – Operational Audit.
  – Management Audit.
  – Risk-based Audit.
  – I.T. Audit.

Audit Procedure:
• Prepare audit program and document audit procedures in working papers.
• Distribute audit reports to auditees and senior management.
• Follow up the audit recommendations to see whether they are implemented.
• Inform senior management about the status of the said implementation.

Management of the Internal Audit Department
The head of the Internal Audit Department is responsible for:
• Ensuring the use of sound internal audit standards by the internal audit staff.
• Existence of an up-to-date audit charter.
• Existence of up-to-date written policies and procedures for audit staff.
• Appropriate professional competence and training of the audit staff.
• Regularly sending reports to the appropriate management level for discussion.

IIA’s International Standards for the Professional Practice of Internal Auditing
• The purpose, authority and responsibility of the internal audit activity should be formally defined in a charter, consistent with the Standards, and approved by the board.
• Internal auditors should be objective in performing their work.
• Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest.
• Engagements should be performed with proficiency and due professional care.

IIA’s International Standards for the Professional Practice of Internal Auditing (cont’d)
• Quality Assurance and Improvement Program: Chief Audit Executive (CAE) should develop and maintain a quality assurance and improvement program which should cover:
  – All aspects of the internal audit activity and continuously monitoring its effectiveness.
  – Periodic internal and external quality assessments and ongoing internal monitoring.
  – Assurance that the internal audit activity is in conformity with the Standards and the Code of Ethics.

IIA’s International Standards for the Professional Practice of Internal Auditing (cont’d)
• Disclosure of non-compliance.
  – Internal audit activity should achieve full compliance with the Standards and internal auditors with the Code of Ethics.
  – In case full compliance is not achieved, disclosure should be made to senior management and the board.

IIA’s International Standards for the Professional Practice of Internal Auditing (cont’d)
• Governance:
  IIA’s International Standards for the Professional Practice of Internal Auditing. Internal audit activity should assess and make appropriate recommendations for improving the governance process for:
  – Promoting appropriate ethics and values within the organization.
  – Ensuring effective organizational performance management and accountability.
  – Effectively communicating risk and control information to appropriate areas of the organization.
  – Effectively coordinating the activities and communicating information among the board, external auditors and management.

September 17
Post Seminar City Tour
- Yingo Ceramics Museum
- Lin Family Mansion and Garden.

Thank You