Title: SEACEN Seminar on INTERNAL AUDIT OF CENTRAL BANKS Taipei, Taiwan, R'O'C' 1417 September 2004
1SEACEN Seminar onINTERNAL AUDIT OF CENTRAL
BANKSTaipei, Taiwan, R.O.C.14-17 September
2004
- Presented by
- Shamsul Islam
- Junior Joint Director
- Audit Department
2SEACEN Seminar
- Organized by South East Asian Central Bank
- Research Training
Centre - (SEACEN Centre) Malaysia.
- Financed by Bank of Japan (BOJ)
- Hosted by The Central Bank of China
- (CBC)Taiwan.
-
3Central Bank of China
4Seminar Participants30 participants from the
following 15 Central Banks/Monetary
Authorities/Ministry of Finance.
- Royal Monetary Authority of Bhutan
- Ministry of Finance, Brunei.
- Reserve Bank of Fiji.
- Bank Indonesia
- The Bank of Korea
- Bank Negara Malaysia
- The Bank of Mangolia.
- Nepal Rastra Bank
- State Bank of Pakistan.
- Bank of Papua New Guinea.
- Bangko Sentral ng Pilipinas.
- Central Bank of Sri Lanka.
- The Central Bank of China, Taipei.
- Bank of Thailand.
- Banking and Payments Authority of Tinor Leste.
5Resource Persons.
- Mr. John Graham Joscelyna CA(SA) CIA
- Director International Services
- UHY Advisers Inc.
- Mr. Noriyuki Tomioka
- Director Internal Auditors Office
- Bank of Japan.
- Dr. JIIN FENG CHEN
- Associate Professor
- Department of Accounting, College of Commerce,
- National Chengchi University.
6ISSUES FOR DISCUSSION IN THE SEMINAR.
- Role of Internal Audit in Governance.
- Identification of gaps in the Internal Audit
Function and Opportunities for Improvement. - Internal Audit in the Risk Management Process.
- Leveraging on Automation and Information
Technology in Audit Engagements. - Impact of Regulations on Internal Audit.
- Outsourcing of the Internal Audit Function.
- Industrys Best Practices in Internal Audit.
71. Role of Internal Audit in Governance
- Entire audit process directly or indirectly
linked with Governance Process. - Audit is an on going Governance Process through
evaluation of the System of internal controls.
8What should Governance mean to Audit.
- Process of oversight at board level.
- Relationship between board and management.
- Organization of executive functions
- Information flow
- Key Control Process.
- Transparency
- Authority
- Accountability
- Impacts the Bank from top to bottom.
- Determines the control environment.
- Influences the banks culture.
9Pre-requisite for Auditors in relation to
Governance
- Authority in Internal Audit Charter/IA Mandate.
- Competence on the part of Auditors.
- Real desire of Board and Management to include
Auditors. -
10What should be auditors relationship with his
auditees.
- Facilitator
- Picking up on their issues.
- Questioning them on their needs.
- Educator Verification Checklist
- Sharing best practices
- Sharing movement in Governance practice.
- Listener
- Listen more from auditee so that auditor may
educate and facilitate them.
11What can Auditor do?
- Share Professional Best Practices
- What reporting works best.
- Usefulness of an independent audit
- Usefulness of audit to the auditee.
- How value is added to the performance of auditee.
- Agree Audit Charter with the Board and
Management. - Reporting of Audit activities to the Board.
- Share International Internal Audit Standards and
what they mean.
12Objectives of these activities
- Auditor has a voice in the Governance arena.
- Auditor adds value to the views of the auditee.
- Auditor is professional.
- Auditor has an independent voice.
13Increase understanding with regard to
- Code of Ethics.
- Control Framework in the Bank.
- Agreement on auditors work.
- Agreement on the risks taken by the Bank.
- Agreement on what auditor can and should do.
14Reliance is also sought from other players.
- Risk Managers.
- Compliance Officer.
- External Auditor.
15Auditors leadership in Governance Process.
- Adding value at the highest level.
- Working at a strategic level.
- Facilitating.
- Enabling.
162) Identification of Gaps in the Internal Audit
Function and opportunities for improvement.
- Gaps
- IIAs standards.
- Negative conception with regard to Auditors.
- Level of competence in risk based auditing.
- Auditor as watchdog and faultfinder.
- Less emphasis on scientific audit programs.
- Designing and implementing of flow charts in
audit process. - Preparation of check list and their applications.
- Designing of questionnaire for the auditee.
17- Gaps
Cont - Central Bank experience Professional
qualifications. - Professional qualifications Central Bank
experience. - I.T. experts - Experience of Central Bank
working. - Central Bank working experience - I.T. expertise.
- Lack of coordination and understanding between
Internal and External Auditors.
18Opportunities for improvement
- Adoption of IIAs Standards.
- To further educate the auditee with patience
behavior. - To increase the level of competency in risk based
auditing through training and by changing audit
methodology. - To switch over in role of auditor from watchdog
and faultfinder to the educator/facilitator/ment
or. - To prepare scientific audit programs
- To design and implement flow charting.
- To use check list and questionnaire during the
audit process.
19Opportunities for improvement
contd..
- To arrange short courses/training for the
officials who have a handsome experience but far
behind the professional qualifications regarding
audit. - Auditors other than I.T. should impart the I.T.
training. - Top level management/Audit Committee should
ensure the coordination and better understanding
between Internal and External auditors.
203. Internal Audit in the Risk Management Process.
- Change in the role of Audit.
- Watchdog/Faultfinder Risk identifier/educator.
- Change in Audit Methodology.
- Compliance based audit/Financial audit Risk
Based audit.
21Risk Based Audit Process
- Understanding of risks faced.
- Assessing the exposures.
22Risk Based Audit Process Contd
- Gather information and plan.
- Knowledge of departments/segments/objectives.
- Understanding of operations and procedures.
- Prior years audit results.
- Regulatory statutes, approved policies.
- Identifying risk associated with segment/process.
23Risk Based Audit Process Contd
- Obtain understanding of Internal Control
- Control environment.
- Control procedures.
- Matches of associated risks with controls.
24Risk Based Audit Process Contd
- Perform Audit Tests
- Test effectiveness of controls and other
substantive audit procedures.
25Risk Based Audit Process Contd
- Conclude the Audit
- Analyse the audit findings.
- Discuss with departmental heads and draw
conclusion. - Recommendation for improvements.
- Draft Report.
26Risk Evaluation Family
Internal Auditor
Risk Manager
Compliance Officer or Unit
External Auditor
27Risk Based Audit Process Contd
- Auditors own Risks.
- Explicit Audit.
- Delivering the right audit product.
- Assuring the quality of work.
- Maintaining professional reputation
- Managing Human Resources.
284. Leveraging on Automation and Information
Technology in Audit Engagements.
- Why the automation is need of the time?
- To increase in efficiency productivity of
Audit. - To increase in accuracy.
- To eliminate storage of work papers.
- To enable instantaneous communications.
- To permit access of information via Internet.
- To lower audit cost.
- To faster the audit process.
29- Overall status of automation.
- Initial / middle stage.
- Working is being automated.
- Designing of software.
- Parallel Runs.
- Partially live working.
- Complete live working.
30- Usage of Software Tools.
- In-house development.
- Outsourcing the computerization.
- Readymade Softwares.
31- Automation status in other Central Banks -
- SRILANKA
- Payment System with - Real Time Gross Settlement
(RTGS) - Government Debt Security Management with -
Scriptless Securities Settlement System (SSSS). - Treasury and International Reserve Management
with Treasury Dealing Room Management System
(TDRMS).
32- Computer Assisted Audit Tools and Techniques
(CAATTs). - Readymade Softwares
- Audit Command Language (ACL).
- Sarbox Portal (SP)
- Risk and Control Tracking System (RCTS).
- Control Assessment Template (CAT).
- Risk Navigator (RN).
- Team Mate (TM).
- Office-Suite Software.
33- Sarbanes Oxley Software
- 10th Annual Survey of Internal Audit Utilization
of Software Tools - Why are you not using Sarbanes Oxley Software?
- Our Company is not subject to Sarbanes Oxley
79. - Another Department in our organization handles
Sarbanes Oxley compliance 5, - Sarbanes Oxley compliance is outsource at our
Organization 1. - These types of tools are too expensive 8.
- Others 10.
34Summary of the Survey Results.
355. Impact of Regulations on Internal Audit
- Rules and Regulations may be National or
International. - Evaluate how does it impact the Bank?
- What about its stakeholders?
36Rules and Regulations may relate to
- Best practices.
- Leading Central Bank practices.
- IMF suggestions or demands.
- Money Laundering
- Reserve Management.
- Electronic Banking.
- Generally Accepted Accounting Principles.
- International Accounting Standards.
- International standards of Auditing.
- Income Tax Laws.
- Rules and Regulations framed by SEC.
- Corporate Governance Rules.
37Impact on audit due to compliance of rules and
Regulations
- Cost.
- Responsibility
- Control Establishment
- Scope.
38Compliance of Regulations is every ones
business, therefore
- Is it in the risk assessment?
- Is it understood in the Banks control
environment? - Is it in the control activities of the Bank?
- How does management see and acts?
- How are regulatory issues communicated?
39In compliance of the Regulations, information,
communicated to the regulators
- Fair
- Complete.
- Transparent.
- Independently verifiable by the Internal and
External Auditor.
40Impact of Incorrect information communicated to
the regulators
- Lack of Trust
- Disbelief
- Lack of credibility.
416. Outsourcing of the Internal Audit Function
- Kinds of outsourcing.
- Special Project outsourcing.
- Partial outsourcing.
- Temporary staffing.
- Full outsourcing.
42Determining factors if the Internal Auditing be
outsourced
- Will the outsourcing of Internal Audit effect the
effectiveness of corporate governance? - What are the advantages and disadvantages of
internal audit outsourcing?
43Arguments in favour of Outsourcing
- Allows management to focus on core competencies.
- Cost saving resulting from economies of scale.
- Flexible access to expertise.
- Access to leading practices.
44Arguments against outsourcing
- By the lapse of time outsourcing provider will
demand an ever greater premium for their
services. - An external provider will not know the business
as well, as the internal personnel do. - A valuable training ground is lost.
- Morale of the personnel will be seriously
impaired. - Individual Employee allegiance is to the
outsourcing provider, not to the client. - Corporate governance is a management function
which can not be outsourced. - Independence of external auditor will be impaired
when the outsourcing provider is also external
auditor. - Confidentiality is potentially lost.
- Management and the audit committee lose an
objective source of information.
45Advantages of Outsourcing
- Smaller Organizations access to a broader set of
skills. - Information systems audit skills highly
effective. - Innovative approaches knowledge of Best
Practices. - Integrated audit approach Internal External.
- Active Management Participation Provide
direction and oversight.
46Disadvantages of Outsourcing
- Loss of a second set of eyes and ears.
- Confidentiality could not be maintained.
- Outsource provider might be an auditor of
commercial bank(s) to which central bank is
monitoring. - Expertise leave the Organization.
- Outsourcing does not build new managers.
- Outsourcing does not have to live with the
decisions or recommendations made but still
have pressure to retain the contract. - Difficult to rebuild internal auditing
department, if outsourcing is not successful
dependency on one outside provider. - External Auditor may be lacking internal audit
knowledge material differences in perspective
and execution
47Central Banks Outsourced
- Internal Audit function of the Reserve Bank of
Fiji is outsourced. - Justifications for outsourcing put forth by the
representative of Reserve Bank of Fiji - Cost effective.
- Provides more independence and autonomy to the
auditor. - Outsourcing addresses the problem of resource
constraints. - Staff can be engaged in the core areas of the
Bank. - Expertise in the field of audit were lacking.
- Career paths and opportunities of audit personnel
is limited as only one central bank in the
country. - Skills required for auditing are readily
available in the market.
48Central Banks Outsourced
Contd
- A few audit functions have been co-sourced by
Central Bank of Srilanka. - The functions out sourced
- General Review of Information System.
- Pay Role System.
- Real Time Gross Settlement System (RTGS).
- Justification for co-sourcing put forth by the
representatives of Sri Lanka. - Early retirement of staff and the absence of
expertise to special audit functions. -
497. Industry Best Practices in Internal Audit
- Principles of Internal Audit.
- Independence, objectivity and impartiality.
- Audit should exercise their assignment without
interference and are free to report their
findings and appraisals. - Audit charter should be approved by the Board of
Directors and should be communicated to all staff
within the Bank. - Rotation of staff assignments within the audit
department. - No involvement in the operations of the bank.
- Recognition of the auditors independence in the
audit charter. - Official internally transferred to audit
department should not involve in the audit of his
previous activity for a certain period.
50Principles of Internal Audit
Contd.
- Maintenance of professional competence
- On the job training.
- Formal internal and external training.
- Staff rotation within the Department.
- Incentives to become a Certified Internal Auditor.
51Working methods and types of Audit
- Working methods
- Drawing up a risk-based audit plan.
- Examining and assessing the available
information. - Communicating the results.
- Follow up of recommendations.
- Types of audit
- Financial Audit.
- Compliance Audit.
- Operational Audit.
- Management Audit.
- Risk-based Audit.
- I.T. Audit.
52Audit Procedure
- Prepare audit program and document audit
procedures in working papers. - Distribute audit reports to auditees and senior
management. - Follow up the audit recommendations to see
whether they are implemented. - Inform senior management about the status of the
said implementation.
53Management of the Internal Audit Department
- The head of the Internal Audit Department is
responsible for - Ensuring the use of sound internal audit
standards by the internal audit staff. - Existence of upto-date audit charter.
- Existence of upto-date written policies and
procedures for audit staff. - Appropriate professional competence and training
of the audit staff. - To regularly send report to appropriate
management level for discussion.
54IIAs International Standards for the
Professional Practice of Internal Auditing
- The purpose, authority and responsibility of the
internal audit activity should be formally
defined in a charter, consistent with the
standards, and approved by the board. - Internal auditors should be objective in
performing their work. - Internal auditors should have impartial, unbiased
attitude and avoid conflicts of interest. - Engagements should be performed with proficiency
and due professional care.
55IIAs International Standards for the
Professional Practice of Internal Auditing
Contd..
- Quality Assurance and Improvement Program Chief
Audit Executive (CAE) should develop and maintain
a quality assurance and improvement program which
should cover - All aspects of the internal audit actively and
continuously monitoring its effectiveness. - Periodic internal and external quality
assessments and ongoing internal monitoring. - Assurance that the internal audit activity is in
conformity with the Standards and the Code of
Ethics.
56IIAs International Standards for the
Professional Practice of Internal Auditing
Contd..
- Disclosure of non-compliance.
- Internal audit actively should achieve full
compliance with the Standards and internal
auditors with Code of Ethics. - In case of full compliance not achieved,
disclosure should be made to senior management
and the board.
57IIAs International Standards for the
Professional Practice of Internal Auditing
Contd..
- Governance
- IIAs Internal Standards for the Professional
Practice of Internal Auditing. Internal audit
actively should assess and make appropriate
recommendations for improving the governance
process for - Promoting appropriate ethics and values within
the organization. - Ensuring effective organizational performance
management and accountability. - Effectively communicating risk and control
information to appropriate areas of the
organization. - Effectively coordinating the activities and
communicating information among the board,
external auditors and management.
58(No Transcript)
59 September 17 Post Seminar City Tour
- - Yingo Ceramics Museum
- - Lin Family Mansion and Garden.
60