A QAR Application in Turkey and Sharing the Experiences Stefano Perazzini

1
A QAR Application in Turkey and Sharing the
Experiences Stefano Perazzini

• Özge Asçioglu
• Istanbul 09/11/2007

2
AGENDA

• Overview of UniCredit
• Overview of Yapi Kredi Bank
• Our Vision
• Why are companies interested in Quality of
  Internal Audit?
• Requirements of IIA
• What is QAR
• Internal and External Assessments
• Why Deloitte
• Work plan
• Phase 1 _ Quick Check
• Phase 2 _ Remediation (performed by KFS Internal
  Audit)
• Phase 3 _ Detailed Review by Deloitte
• Phase 4 _ Assessment and Benchmark with Best
  Practices
• Phase 5 _ Overall Conclusion and Final Report

3
UNICREDIT

• UniCredit at a Glance
• UniCredit Group is one of the largest banking and
  financial services organisations in Europe with a
  network of 9,000 branches and strong local roots
  in 23 countries.
• Its international network is made of branches,
  representative offices and small banking
  subsidiaries in 50 countries worldwide.
• In Europe we are one of the leaders in terms of
  business size and we can leverage on a unique
  strategic positioning.The Group is, in fact,
  leader in one of the richest areas of Europe
  Bavaria, Austria and Italy as well as in Central
  and Eastern Europe, an area featuring fast rates
  of economic growth and the fastest growth rates
  for banking revenues.

4
UNICREDIT

5
OVERVIEW OF YAPI KREDI BANK

• Yapi Kredi Bank at a Glance
• One of the most dynamic and experienced
  institutions in Turkey created from the
  successful legal  merger on the 2nd of October
  2006,
• With total assets of YTL47.8 billion (approx.
  USD34.7 billion) as of June 2007
• As per ownership structure, 80.2 of Yapi Kredi
  is controlled by Koç Financial Services A.S.
  (KFS) the 50/50 joint venture between
  UniCredit and Koç Group
• the Bank serves its over 13 million customers
  through approx 650 branches throughout the
  country and various alternative distribution
  channels
• strong domestic presence including domestic
  financial subsidiaries Yapi Kredi owns
  subsidiary banks in the Netherlands, Russia and
  Azerbaijan.

6
YKB ORGANIZATION CHART
Board of Directors
AUDIT COMMITTEE
CREDIT COMMITTEE
INTERNAL AUDIT
INTERNAL CONTROL
COMPLIANCE OFFICE
RISK MANAGEMENT
GM
COO
MANAGEMENT COMMITTEES
CORPORATE IDENTITY AND COMMUNICATION
OPERATIONS
ORGANIZATION
ALTERNATIVE DISTRIBUTION CHANNELS
FINANCIAL PLANNING, ADMINISTRATION AND CONTROL
(CFO)
CREDIT CARDS AND CONSUMER LENDING
CORPORATE BANKING
RETAIL BANKING
PRIVATE BANKING AND INTERNATIONAL
TREASURY
COMMERCIAL BANKING
LEGAL
LOGISTICS AND COST MANAGEMENT
HR
IT
CREDIT MANAGEMENT
7
INTERNAL AUDIT DEPARTMENT ORG CHART
8
INTERNAL CONTROL UNIT ORG CHART
9
OUR VISION

• Our vision is to become A World Class Internal
  Audit Function at KFS level in order to satisfy
  expectations coming from various stakeholders and
  counterparties Audit Committee, Board of
  Directors, Top Management, Shareholders,
  Supervisory Bodies, External Auditors, etc.

10
WHY ARE COMPANIES INTERESTED IN QUALITY OF
INTERNAL AUDIT?

• IIA Standards require companies to have an
  independent quality assessment every five
  years, effective since January 2002
• Increased responsibility of, and focus on, Audit
  Committees
• Audit Committee increasing their reliance on IA
  for regulatory requirements, risk management
• Increased focus on corporate governance and fraud
  prevention
• More focus on audit activities from executive
  management and regulators

11
REQUIREMENTS OF THE INSTITUTE OF INTERNAL AUDITORS

• 1310 Quality Program Assessments
• The internal audit activity should adopt a
  process to monitor and assess the overall
  effectiveness of the quality program. The process
  should include both internal and external
  assessments.
• 1311 Internal Assessment
• It should include ongoing reviews of the
  performance of internal audit activity and
  periodic reviews performed through self
  assessments or by other persons within the
  organization with the knowledge of internal
  auditing practices and the standards.
• 1312 External Assessment
• External assessments, such as quality
  assessment reviews, should be conducted at least
  once every five years by a qualified, independent
  reviewer or review team from outside the
  organization.

12
WHAT IS QAR

• A Quality Assurance Review (QAR) is a strategic
  assessment of an internal audit function,
  including its infrastructure, staff experience,
  and performance relative to business goals, "best
  practices", and applicable standards.
• QAR evaluates compliance with the Standards, the
  internal audit activity and audit committee
  charters, the organizations risk and control
  assessment, and the use of successful practices.

13
INTERNAL AND EXTERNAL ASSESSMENTS
Internal Ongoing and Periodic
External Full QAR
14
INTERNAL ASSESSMENTS

• CONTINUOUS MONITORING
• CAE SUPERVISION
• AUDITEES FEEDBACK

• AUDIT OF THE AUDIT PROCESS
• SELF-ASSESSMENT
• OTHER COMPETENT PERSONS

15
EXTERNAL ASSESSMENTS

• Certified Audit Professional
• Well versed in the Standards and leading
  practices
• Reasonable experience at management level
• Results to be shared with the Audit Committee and
  Top Management

• Non-reciprocal assessment
• Self-assessment with
  external validation

KFS Audit applied this External Assessment
16
THE STRUCTURAL ELEMENTS OF A QAR ON INTERNAL
AUDIT FUNCTION
Supporting Processes
Production Processes
Planning
Human Resources
Information Technology
Performance
Communication and reports
Activity organization
and management
Vision, values, strategic objectives
Constitution of a team of experts
Electronic management system of work files
Mapping of company risks
Communication / Reporting to audited entities
Information on objectives and expectations for
each mission
Communication / Reporting to management
Collaboration with the audited entity
Structure and organisation (Processes / Methods)
Recruitment
Specific applications and technologies
Knowledge of internal audit clients expectations
Resource management
Training and personal development
Internal audit plan
Communication / Reporting to audit committee
Database of best practices
Needs for expertise evaluation and responses to
main issues
Activity measurement
Internal communication
Communication with external auditors and other
control entities
Coordination with external auditors and other
control entities
Work Program
Individual evaluations
Tests and analysis
Internal audit clients satisfaction measurement
Resources assignment
Remuneration
Work documentation
Engagement supervision
Need for
Need for
Perfectible
Satisfying
Not applicable
Perfectible
Satisfying
Not applicable
improvement
improvement
Follow up
The elements in a shaded color frame appear in
the IIA (Institute of Internal Auditors)
professional standards
17
WHY

• Deloitte has a sound background in performing
  Strategic Quality Assessment of Internal Audit
  activities for European and global companies.
  They have been providing the Internal Audit
  community with services to enhance its overall
  performance since they initiated their Internal
  Audit Services practice more than 20 years ago.

18
DELOITTE TEAM

JEAN-PIERRE GARITTE
Quality Assurance Partner
OKTAY AKTOLUN
Delivery Partner
EVREN ALTUNAY
Engagement Director
NACIYE KURTULUS
Assistant Manager
TUBA INCI
Manager
19
WORK PLAN

• Phase I / Quick Check - January 8th January17th
• High level review of risk assessment approach,
  Internal Audit Charter and entire audit process
  is performed
• Interview with one of the members of the Audit
  Committee
• Results are discussed with Senior Management of
  the Internal Audit Department
• Phase II / Remediation - January 17th May 30th
• Internal Audit Department based on the quick
  review results re-designed process, improved
  documentation standards and initiated other
  improvement activities as necessary
• Phase III / Detailed Review - June 4th- July 14th
• An in-depth review of the Internal Audit function
  is performed and a representative sample of
  Internal Audit projects is tested
• Specific survey formats for KFS are developed and
  results of them are reviewed to address unique
  needs and objective of this project

20
WORK PLAN

• Phase IV / Assessment and Benchmark with Best
  Practices - June 4th- July 14th
• Charter, mission statements, organizational
  structure, span of controls, personnel
  credentials and education levels, training
  policies, performance appraisal process, and
  recruiting policies are reviewed
• Risk assessment, quality control, self auditing
  and follow up activities are analyzed
• Comparisons / benchmarking with leading practices
  on superior performance areas
• Phase V / Overall Conclusion and Final Report
  July 15th - July 23rd
• Main strengths and weaknesses are identified and
  gap analysis between current situation and IIA
  standards is formalized
• Opportunities for improvement are identified and
  recommendations are issued

21
PHASE II REMEDIATION (PERFORMED BY KFS INTERNAL
AUDIT)

• Based on the project timeline, approximately 20
  volunteer auditors are involved in several
  sub-projects that were completed succesfully by
  the end of May, 2007.

22
PHASE III DETAILED REVIEW BY DELOITTE AND PHASE
IV ASSESSMENT AND BENCHMARK WITH BEST PRACTICES

• Performed interviews including board members,
  audit committee members, top management, external
  auditors, corporate audit and internal auditors
• Conducted two separate surveys one to clients
  (audit committee, board members and auditees) and
  the other to the internal audit staff.
• Examined working papers of selected sample audits
• Reviewed Risk Assessments and Audit Plans
• Reviewed IA Charter and regulation
• Examined communication with auditees, Audit
  Committee, external auditors and management
• Reviewed electronic document management systems
• Facilitated participation to web-based IIA
  Benchmark questionnaire GAIN and analyzed the
  results
• Examined KFS IA Dept based on Deloitte
  methodology that describes processes and
  sub-processes according to the IIA standards.

23
PHASE V OVERALL CONCLUSION AND FINAL REPORT

• KFS Internal Audit generally conforms to the
  Standards for the Professional Practice of
  Internal Auditing prescribed by the Institute of
  Internal Auditors.
• Other possible results
• Does not confirm
• Partially confirms

24
LIST OF ORGANISATION WITH COMPLETED EXTERNAL
ASSESSMENTS
25
IN THE PRESS
26
PROJECT TEAM
THANK YOU FOR YOUR ATTENTION