SEACEN Seminar on INTERNAL AUDIT OF CENTRAL BANKS Taipei, Taiwan, R'O'C' 1417 September 2004

1
SEACEN Seminar onINTERNAL AUDIT OF CENTRAL
BANKSTaipei, Taiwan, R.O.C.14-17 September
2004

• Presented by
• Shamsul Islam
• Junior Joint Director
• Audit Department

2
SEACEN Seminar

• Organized by South East Asian Central Bank
• Research Training
  Centre
• (SEACEN Centre) Malaysia.
• Financed by Bank of Japan (BOJ)
• Hosted by The Central Bank of China
• (CBC)Taiwan.

3
Central Bank of China
4
Seminar Participants30 participants from the
following 15 Central Banks/Monetary
Authorities/Ministry of Finance.

• Royal Monetary Authority of Bhutan
• Ministry of Finance, Brunei.
• Reserve Bank of Fiji.
• Bank Indonesia
• The Bank of Korea
• Bank Negara Malaysia
• The Bank of Mangolia.
• Nepal Rastra Bank

• State Bank of Pakistan.
• Bank of Papua New Guinea.
• Bangko Sentral ng Pilipinas.
• Central Bank of Sri Lanka.
• The Central Bank of China, Taipei.
• Bank of Thailand.
• Banking and Payments Authority of Tinor Leste.

5
Resource Persons.

• Mr. John Graham Joscelyna CA(SA) CIA
• Director International Services
• UHY Advisers Inc.
• Mr. Noriyuki Tomioka
• Director Internal Auditors Office
• Bank of Japan.
• Dr. JIIN FENG CHEN
• Associate Professor
• Department of Accounting, College of Commerce,
• National Chengchi University.

6
ISSUES FOR DISCUSSION IN THE SEMINAR.

• Role of Internal Audit in Governance.
• Identification of gaps in the Internal Audit
  Function and Opportunities for Improvement.
• Internal Audit in the Risk Management Process.
• Leveraging on Automation and Information
  Technology in Audit Engagements.
• Impact of Regulations on Internal Audit.
• Outsourcing of the Internal Audit Function.
• Industrys Best Practices in Internal Audit.

7
1. Role of Internal Audit in Governance

• Entire audit process directly or indirectly
  linked with Governance Process.
• Audit is an on going Governance Process through
  evaluation of the System of internal controls.

8
What should Governance mean to Audit.

• Process of oversight at board level.
• Relationship between board and management.
• Organization of executive functions
• Information flow
• Key Control Process.
• Transparency
• Authority
• Accountability
• Impacts the Bank from top to bottom.
• Determines the control environment.
• Influences the banks culture.

9
Pre-requisite for Auditors in relation to
Governance

• Authority in Internal Audit Charter/IA Mandate.
• Competence on the part of Auditors.
• Real desire of Board and Management to include
  Auditors.

10
What should be auditors relationship with his
auditees.

• Facilitator
• Picking up on their issues.
• Questioning them on their needs.
• Educator Verification Checklist
• Sharing best practices
• Sharing movement in Governance practice.
• Listener
• Listen more from auditee so that auditor may
  educate and facilitate them.

11
What can Auditor do?

• Share Professional Best Practices
• What reporting works best.
• Usefulness of an independent audit
• Usefulness of audit to the auditee.
• How value is added to the performance of auditee.
• Agree Audit Charter with the Board and
  Management.
• Reporting of Audit activities to the Board.
• Share International Internal Audit Standards and
  what they mean.

12
Objectives of these activities

• Auditor has a voice in the Governance arena.
• Auditor adds value to the views of the auditee.
• Auditor is professional.
• Auditor has an independent voice.

13
Increase understanding with regard to

• Code of Ethics.
• Control Framework in the Bank.
• Agreement on auditors work.
• Agreement on the risks taken by the Bank.
• Agreement on what auditor can and should do.

14
Reliance is also sought from other players.

• Risk Managers.
• Compliance Officer.
• External Auditor.

15
Auditors leadership in Governance Process.

• Adding value at the highest level.
• Working at a strategic level.
• Facilitating.
• Enabling.

16
2) Identification of Gaps in the Internal Audit
Function and opportunities for improvement.

• Gaps
• IIAs standards.
• Negative conception with regard to Auditors.
• Level of competence in risk based auditing.
• Auditor as watchdog and faultfinder.
• Less emphasis on scientific audit programs.
• Designing and implementing of flow charts in
  audit process.
• Preparation of check list and their applications.
• Designing of questionnaire for the auditee.

17

• Gaps
  Cont
• Central Bank experience Professional
  qualifications.
• Professional qualifications Central Bank
  experience.
• I.T. experts - Experience of Central Bank
  working.
• Central Bank working experience - I.T. expertise.
• Lack of coordination and understanding between
  Internal and External Auditors.

18
Opportunities for improvement

• Adoption of IIAs Standards.
• To further educate the auditee with patience
  behavior.
• To increase the level of competency in risk based
  auditing through training and by changing audit
  methodology.
• To switch over in role of auditor from watchdog
  and faultfinder to the educator/facilitator/ment
  or.
• To prepare scientific audit programs
• To design and implement flow charting.
• To use check list and questionnaire during the
  audit process.

19
Opportunities for improvement
contd..

• To arrange short courses/training for the
  officials who have a handsome experience but far
  behind the professional qualifications regarding
  audit.
• Auditors other than I.T. should impart the I.T.
  training.
• Top level management/Audit Committee should
  ensure the coordination and better understanding
  between Internal and External auditors.

20
3. Internal Audit in the Risk Management Process.

• Change in the role of Audit.
• Watchdog/Faultfinder Risk identifier/educator.
• Change in Audit Methodology.
• Compliance based audit/Financial audit Risk
  Based audit.

21
Risk Based Audit Process

• Understanding of risks faced.
• Assessing the exposures.

22
Risk Based Audit Process Contd

• Gather information and plan.
• Knowledge of departments/segments/objectives.
• Understanding of operations and procedures.
• Prior years audit results.
• Regulatory statutes, approved policies.
• Identifying risk associated with segment/process.

23
Risk Based Audit Process Contd

• Obtain understanding of Internal Control
• Control environment.
• Control procedures.
• Matches of associated risks with controls.

24
Risk Based Audit Process Contd

• Perform Audit Tests
• Test effectiveness of controls and other
  substantive audit procedures.

25
Risk Based Audit Process Contd

• Conclude the Audit
• Analyse the audit findings.
• Discuss with departmental heads and draw
  conclusion.
• Recommendation for improvements.
• Draft Report.

26
Risk Evaluation Family
Internal Auditor
Risk Manager
Compliance Officer or Unit
External Auditor
27
Risk Based Audit Process Contd

• Auditors own Risks.
• Explicit Audit.
• Delivering the right audit product.
• Assuring the quality of work.
• Maintaining professional reputation
• Managing Human Resources.

28
4. Leveraging on Automation and Information
Technology in Audit Engagements.

• Why the automation is need of the time?
• To increase in efficiency productivity of
  Audit.
• To increase in accuracy.
• To eliminate storage of work papers.
• To enable instantaneous communications.
• To permit access of information via Internet.
• To lower audit cost.
• To faster the audit process.

29

• Overall status of automation.
• Initial / middle stage.
• Working is being automated.
• Designing of software.
• Parallel Runs.
• Partially live working.
• Complete live working.

30

• Usage of Software Tools.
• In-house development.
• Outsourcing the computerization.
• Readymade Softwares.

31

• Automation status in other Central Banks -
• SRILANKA
• Payment System with - Real Time Gross Settlement
  (RTGS)
• Government Debt Security Management with -
  Scriptless Securities Settlement System (SSSS).
• Treasury and International Reserve Management
  with Treasury Dealing Room Management System
  (TDRMS).

32

• Computer Assisted Audit Tools and Techniques
  (CAATTs).
• Readymade Softwares
• Audit Command Language (ACL).
• Sarbox Portal (SP)
• Risk and Control Tracking System (RCTS).
• Control Assessment Template (CAT).
• Risk Navigator (RN).
• Team Mate (TM).
• Office-Suite Software.

33

• Sarbanes Oxley Software
• 10th Annual Survey of Internal Audit Utilization
  of Software Tools
• Why are you not using Sarbanes Oxley Software?
• Our Company is not subject to Sarbanes Oxley
  79.
• Another Department in our organization handles
  Sarbanes Oxley compliance 5,
• Sarbanes Oxley compliance is outsource at our
  Organization 1.
• These types of tools are too expensive 8.
• Others 10.

34
Summary of the Survey Results.
35
5. Impact of Regulations on Internal Audit

• Rules and Regulations may be National or
  International.
• Evaluate how does it impact the Bank?
• What about its stakeholders?

36
Rules and Regulations may relate to

• Best practices.
• Leading Central Bank practices.
• IMF suggestions or demands.
• Money Laundering
• Reserve Management.
• Electronic Banking.
• Generally Accepted Accounting Principles.
• International Accounting Standards.
• International standards of Auditing.
• Income Tax Laws.
• Rules and Regulations framed by SEC.
• Corporate Governance Rules.

37
Impact on audit due to compliance of rules and
Regulations

• Cost.
• Responsibility
• Control Establishment
• Scope.

38
Compliance of Regulations is every ones
business, therefore

• Is it in the risk assessment?
• Is it understood in the Banks control
  environment?
• Is it in the control activities of the Bank?
• How does management see and acts?
• How are regulatory issues communicated?

39
In compliance of the Regulations, information,
communicated to the regulators

• Fair
• Complete.
• Transparent.
• Independently verifiable by the Internal and
  External Auditor.

40
Impact of Incorrect information communicated to
the regulators

• Lack of Trust
• Disbelief
• Lack of credibility.

41
6. Outsourcing of the Internal Audit Function

• Kinds of outsourcing.
• Special Project outsourcing.
• Partial outsourcing.
• Temporary staffing.
• Full outsourcing.

42
Determining factors if the Internal Auditing be
outsourced

• Will the outsourcing of Internal Audit effect the
  effectiveness of corporate governance?
• What are the advantages and disadvantages of
  internal audit outsourcing?

43
Arguments in favour of Outsourcing

• Allows management to focus on core competencies.
• Cost saving resulting from economies of scale.
• Flexible access to expertise.
• Access to leading practices.

44
Arguments against outsourcing

• By the lapse of time outsourcing provider will
  demand an ever greater premium for their
  services.
• An external provider will not know the business
  as well, as the internal personnel do.
• A valuable training ground is lost.
• Morale of the personnel will be seriously
  impaired.
• Individual Employee allegiance is to the
  outsourcing provider, not to the client.
• Corporate governance is a management function
  which can not be outsourced.
• Independence of external auditor will be impaired
  when the outsourcing provider is also external
  auditor.
• Confidentiality is potentially lost.
• Management and the audit committee lose an
  objective source of information.

45
Advantages of Outsourcing

• Smaller Organizations access to a broader set of
  skills.
• Information systems audit skills highly
  effective.
• Innovative approaches knowledge of Best
  Practices.
• Integrated audit approach Internal External.
• Active Management Participation Provide
  direction and oversight.

46
Disadvantages of Outsourcing

• Loss of a second set of eyes and ears.
• Confidentiality could not be maintained.
• Outsource provider might be an auditor of
  commercial bank(s) to which central bank is
  monitoring.
• Expertise leave the Organization.
• Outsourcing does not build new managers.
• Outsourcing does not have to live with the
  decisions or recommendations made but still
  have pressure to retain the contract.
• Difficult to rebuild internal auditing
  department, if outsourcing is not successful
  dependency on one outside provider.
• External Auditor may be lacking internal audit
  knowledge material differences in perspective
  and execution

47
Central Banks Outsourced

• Internal Audit function of the Reserve Bank of
  Fiji is outsourced.
• Justifications for outsourcing put forth by the
  representative of Reserve Bank of Fiji
• Cost effective.
• Provides more independence and autonomy to the
  auditor.
• Outsourcing addresses the problem of resource
  constraints.
• Staff can be engaged in the core areas of the
  Bank.
• Expertise in the field of audit were lacking.
• Career paths and opportunities of audit personnel
  is limited as only one central bank in the
  country.
• Skills required for auditing are readily
  available in the market.

48
Central Banks Outsourced
Contd

• A few audit functions have been co-sourced by
  Central Bank of Srilanka.
• The functions out sourced
• General Review of Information System.
• Pay Role System.
• Real Time Gross Settlement System (RTGS).
• Justification for co-sourcing put forth by the
  representatives of Sri Lanka.
• Early retirement of staff and the absence of
  expertise to special audit functions.

49
7. Industry Best Practices in Internal Audit

• Principles of Internal Audit.
• Independence, objectivity and impartiality.
• Audit should exercise their assignment without
  interference and are free to report their
  findings and appraisals.
• Audit charter should be approved by the Board of
  Directors and should be communicated to all staff
  within the Bank.
• Rotation of staff assignments within the audit
  department.
• No involvement in the operations of the bank.
• Recognition of the auditors independence in the
  audit charter.
• Official internally transferred to audit
  department should not involve in the audit of his
  previous activity for a certain period.

50
Principles of Internal Audit
Contd.

• Maintenance of professional competence
• On the job training.
• Formal internal and external training.
• Staff rotation within the Department.
• Incentives to become a Certified Internal Auditor.

51
Working methods and types of Audit

• Working methods
• Drawing up a risk-based audit plan.
• Examining and assessing the available
  information.
• Communicating the results.
• Follow up of recommendations.
• Types of audit
• Financial Audit.
• Compliance Audit.
• Operational Audit.
• Management Audit.
• Risk-based Audit.
• I.T. Audit.

52
Audit Procedure

• Prepare audit program and document audit
  procedures in working papers.
• Distribute audit reports to auditees and senior
  management.
• Follow up the audit recommendations to see
  whether they are implemented.
• Inform senior management about the status of the
  said implementation.

53
Management of the Internal Audit Department

• The head of the Internal Audit Department is
  responsible for
• Ensuring the use of sound internal audit
  standards by the internal audit staff.
• Existence of upto-date audit charter.
• Existence of upto-date written policies and
  procedures for audit staff.
• Appropriate professional competence and training
  of the audit staff.
• To regularly send report to appropriate
  management level for discussion.

54
IIAs International Standards for the
Professional Practice of Internal Auditing

• The purpose, authority and responsibility of the
  internal audit activity should be formally
  defined in a charter, consistent with the
  standards, and approved by the board.
• Internal auditors should be objective in
  performing their work.
• Internal auditors should have impartial, unbiased
  attitude and avoid conflicts of interest.
• Engagements should be performed with proficiency
  and due professional care.

55
IIAs International Standards for the
Professional Practice of Internal Auditing

Contd..

• Quality Assurance and Improvement Program Chief
  Audit Executive (CAE) should develop and maintain
  a quality assurance and improvement program which
  should cover
• All aspects of the internal audit actively and
  continuously monitoring its effectiveness.
• Periodic internal and external quality
  assessments and ongoing internal monitoring.
• Assurance that the internal audit activity is in
  conformity with the Standards and the Code of
  Ethics.

56
IIAs International Standards for the
Professional Practice of Internal Auditing

Contd..

• Disclosure of non-compliance.
• Internal audit actively should achieve full
  compliance with the Standards and internal
  auditors with Code of Ethics.
• In case of full compliance not achieved,
  disclosure should be made to senior management
  and the board.

57
IIAs International Standards for the
Professional Practice of Internal Auditing

Contd..

• Governance
• IIAs Internal Standards for the Professional
  Practice of Internal Auditing. Internal audit
  actively should assess and make appropriate
  recommendations for improving the governance
  process for
• Promoting appropriate ethics and values within
  the organization.
• Ensuring effective organizational performance
  management and accountability.
• Effectively communicating risk and control
  information to appropriate areas of the
  organization.
• Effectively coordinating the activities and
  communicating information among the board,
  external auditors and management.

58
(No Transcript)
59
September 17 Post Seminar City Tour

• - Yingo Ceramics Museum
• - Lin Family Mansion and Garden.

60

• Thank You