Guidelines On Internal Audit Function of Licensed Institution
PREFACE
Title
Guidelines on Internal Audit Function of Licensed Institutions
Effective Date
1-Jul-2010
Applicability
Banking institutions; Islamic banking institutions; Insurers; Takaful operators; and Development financial
institutions
Summary
This Guidelines sets out the broad principles for an effective internal audit function. The internal audit
function is an important part of the licensed institution's system of internal controls as it provides an
independent assessment of the effectiveness and adherence to the institution's organizational and
procedural controls.
This Guidelines also reiterates the responsibilities of Board and senior management in regard to the
establishment of an adequate and effective system of internal control, including an effective internal audit
function. The responsibilities of the Audit Committee in the independent oversight of the internal audit
function are also highlighted in this Guidelines.
Issuing Department
BNM/RH/GL 013-4
Financial Conglomerates Supervision Department
Guidelines on Internal Audit Function of Licensed Institutions
PART A : INTRODUCTION
1. Introduction
1.1 Strong internal control, including an internal audit function and an independent
external audit are part of sound corporate governance. Adequate internal
controls must be supplemented by an effective internal audit function that
independently evaluates the control systems within the organisation. External
auditors, on the other hand, can provide important feedback on the
effectiveness of this process. An effective internal audit function is a valuable
source of information for a licensed institution’s Board and senior
management, as well as Bank Negara Malaysia, about the quality of the
internal control system.
2.1 Bank Negara Malaysia expects the licensed institution to establish and follow
effective policies and practices and the institution’s management to take
appropriate corrective action in response to internal control weaknesses
identified by internal and external auditors.
2.2 The Board of the licensed institution has the ultimate responsibility for
ensuring that senior management establishes and maintains an adequate and
effective system of internal controls, a measurement system for assessing the
various risks of the institution’s activities, a system for relating risks to its
capital level and appropriate methods for monitoring compliance with laws,
regulations and internal policies. The Board should ensure that the internal control
system and the capital assessment process are regularly reviewed to keep
pace with the changes in operating environment and the licensed institution’s
business activities.
2.4 The internal audit function assists the Board and senior management by
providing independent assessment of the effectiveness of and adherence to
the institution’s organisational and procedural controls. Therefore, a robust
and sound internal audit function, equipped with the necessary skills and the
authority to pursue its concerns is essential for the proper discharge of the
Board’s oversight responsibilities.
2.6 For licensed institutions with Islamic operations, it is expected that advice from
the Shariah Committee will be sought on Shariah related matters to enable the
internal audit function to effectively play its role in providing an independent
assessment on the compliance of the institution’s operations and business
activities with Shariah principles.
3. Applicability
3.1 The Guidelines is applicable to banks licensed under the Banking and
Financial Institutions Act 1989 (BAFIA), Islamic banking institutions licensed
under the Islamic Banking Act 1983 (IBA), insurers licensed under the
Insurance Act 1996 (IA), Takaful operators registered under the Takaful Act
1984 (TA) and development financial institutions prescribed under the
Development Financial Institutions Act 2002 (DFIA), which shall be collectively
referred to as licensed institutions in this Guidelines.
4. Legal Provision
4.1 This Guidelines is issued pursuant to Section 126 of the BAFIA, Section 53A
of the IBA, Section 201 of the IA, Section 69 of the TA and Section 126 of the
DFIA.
4.2 The Guidelines shall be read together with the BAFIA, IBA, IA, TA, DFIA and
other relevant regulations, guidelines or circulars that Bank Negara Malaysia
may issue from time to time.
1
Guidelines on Corporate Governance for Licensed Institutions (Revised BNM/GP1)
Guidelines on Corporate Governance for Licensed Islamic Banks
Guidelines on Directorship for Takaful Operators
Guidelines on Corporate Governance Standards on Directorship for Development Financial Institutions
Prudential Framework on Corporate Governance for Insurers
Minimum Standard for Prudential Management of Insurers (Consolidated)
Guidelines for Audit Committees and Internal Audit Departments for Insurance Companies (Part A - Audit
Committees)
5. Guidelines Superseded
6. Effective Date
1.1 The internal audit function provides the Board with independent assurance
that the risk management systems, internal controls and governance
processes of the licensed institution are effective and that its operations are
properly controlled. The scope of work of the internal audit function is detailed
under principle 6.
1.2 In order for the internal audit function to carry out its mandate effectively,
senior management should ensure that internal audit is kept fully informed of
new developments, initiatives, products and operational changes to facilitate
early identification of all associated risks.
2. Independent Function
2.1 The independence of the internal audit function is derived from its direct
reporting and unencumbered access to the AC. The stature of the CIA within
the organisation should be appropriate for the function to be effective in
fulfilling its mandate.
2.2 Internal audit should be able to conduct assignments on its own initiative in all
departments, establishments and functions of the licensed institution. Internal
audit should not make management decisions on operational matters,
establish control procedures or be responsible for any operational or system
functions. Internal audit should not be restricted in reporting its findings and
appraisals as well as disclosing them internally.
2.3 The CIA should have the authority to communicate directly, as and when
necessary, to the Board, chairman of the Board and the regulators. The CIA
may also communicate with the external auditors, where appropriate,
according to rules defined in its audit charter.
2.4 To maintain the independence of the internal audit function, the AC should
provide oversight on the adequacy of resources and remuneration of the
internal auditors. The AC should also decide on the appointment, performance
appraisal, transfer and dismissal of the CIA. At the same time, the senior
management should take necessary measures to ensure that the licensed
institution can continuously rely on an adequate internal audit function
appropriate to the size and nature of its operations. Such measures include
providing the appropriate resources and staffing for the internal audit function.
3. Audit Charter
Principle 3: Each licensed institution should have an internal audit charter that
enhances the standing and authority of the internal audit function within the
institution.
3.1 The internal audit charter should at least establish the following:
(i) Objectives and scope of the internal audit function;
(ii) Authority of the internal audit function to carry out its responsibilities
independently;
3.2 The internal audit charter should be approved by the Board and
communicated throughout the licensed institution. The charter should be
reviewed periodically.
4. Objectivity
4.1 The principle of objectivity requires the internal auditors to not allow bias,
conflict of interest or undue influence of others to override professional and
business judgment. The internal auditors should avoid any conflict of interest
situation arising either from their professional or personal relationships in the
licensed institution or activity which is subject to audit. As a best practice,
internally recruited auditors do not conduct audit on areas which they
previously performed as non-audit staff until twelve months have passed or
until an independent audit has been conducted during the intervening period,
whichever is earlier.
4.3 In the event the internal audit is requested by management to give an opinion
on the setting up of internal controls (for example the commencement of new
risky activities), such advisory services should constitute an ancillary task
which would not impair the independence, objectivity and effectiveness of the
internal audit function. The responsibility of eventual development, introduction
and implementation of these measures rests with the management. The
internal audit should not be restrained from making subsequent
recommendations on the deficiencies or weaknesses of internal controls
although it was previously involved in giving advice. Wherever possible, the
subsequent audit should be assigned to audit staff not involved earlier in
providing advice.
5. Adequate Resources
Principle 5: The internal audit function should have adequate and appropriate
resources to achieve its objectives. This includes the professional competence
of the internal auditors, in particular, the internal audit function as a whole,
which is essential for the proper functioning of the licensed institution’s
internal audit function.
5.1 The internal audit function as a whole, should have adequate qualifications
and competencies, including investigative skills, to execute its mandate.
Professional competence of each internal auditor, particularly knowledge,
experience as well as motivation and continuing training are prerequisites for
5.2 The AC should ensure that adequate and appropriate resources are made
available to the internal audit function and the compensation scheme of the
internal auditors is consistent with the objectives and the demands of the
internal audit function. There should be continuing professional development
programs for the internal audit staff to ensure they have sufficient up-to-date
knowledge of auditing techniques and the activities of the licensed institution.
Suitable recruitment criteria and career progression should also be clearly
established in order to attract and retain quality audit staff.
6. Scope of Work
6.1 The scope of the internal audit should include every activity of the licensed
institution, including that of its branches and subsidiaries, as well as outsourced
activities. The internal audit function should have access to any records, files
or data of the licensed institution, including management information and
minutes of the consultative and decision-making bodies, when it is relevant to
the performance of audit assignments.
6.2 Generally, the scope of internal audit should include the assessment and
evaluation of the appropriateness and effectiveness of the internal control
system and of the manner in which the assigned responsibilities are fulfilled.
This would include evaluation of the following:
(i) Compliance with internal policies and risk controls;
(ii) Adequacy and effectiveness of risk management, internal controls,
governance processes;
(iii) Appropriateness of management’s approach to risk and control in
relation to the licensed institution’s objectives;
(iv) Reliability, integrity and continuity of the information technology,
payment systems and electronic delivery channels;
(v) Effectiveness and robustness of stress testing procedures and
practices;
(vi) Adequacy and effectiveness of the licensed institution’s system of
assessing its capital in relation to its estimate of risk;
(vii) Reliability (including accuracy and comprehensiveness), integrity and
timeliness of the regulatory reporting, accounting records, financial
reports and management information;
(viii) Compliance with relevant legal, regulatory and internal policy
requirements; and
(ix) Compliance with Shariah rules and principles as determined by Shariah
Committee of the licensed institution or other relevant bodies (for
Islamic operations).
6.3 Where the responsibility for any of the areas mentioned above is undertaken
by another department, internal audit should provide independent assurance
to the Board on the adequacy and effectiveness of the department in carrying
out its function. Examples of such departments are the Compliance
Department which oversees the compliance with applicable laws, regulations
and guidelines, and Risk Management Department which is responsible for
the oversight of the identification, measurement, monitoring and control of
risks emanating from the business activities of licensed institutions.
6.5 Apart from the general scope of audit, the internal audit may be required to
conduct investigation.
7.1 The internal audit department reviews and evaluates the whole of the licensed
institution’s activities in all its entities. Depending on the audit objective to be
achieved, the internal audit function should use the most appropriate type of
audit. The different types of internal audit include:
· The financial audit, the aim of which is to assess the reliability of the
accounting system and information and of resulting financial reports;
· The compliance audit, the aim of which is to assess the quality and
appropriateness of the systems established to ensure compliance with
laws, regulations, policies and procedures;
· The operational audit, the aim of which is to assess the quality and
appropriateness of other systems and procedures, to analyse the
organisational structures with a critical mind, and to evaluate the
adequacy of the methods and resources, in relation to the assignment;
and
7.2 The internal audit should establish an audit methodology to assess the risk
profile and vulnerabilities of each auditable area. The risk assessment
conducted should cover all of the licensed institution’s activities and entities,
and the complete internal control system. The audit methodology should be
properly documented and regularly updated to reflect changes to the system
of internal control or work process and to incorporate new activities.
7.3 Based on the risk assessment, the internal audit should draw up an audit plan
for all the assignments to be performed. The audit plan generally includes
audit objectives and scope, timing, frequency of audit and resource
requirements. In drawing up the audit plan, the internal audit should take
into account the expected developments and innovations, the generally higher
degree of risk of new activities and the intention to audit all significant activities
and entities within a reasonable time period (the audit cycle). The audit plan
should be approved by the AC or the Board.
7.4 The internal audit should have clearly documented audit programs which
provide guidance to the auditors in gathering information, documenting
procedures performed and making an assessment. All audit procedures
forming part of the assignment should be documented in working papers. The
working papers should be drawn up to provide sufficient information to verify
whether the assignment was duly performed.
7.5 A written audit report, detailing the audit findings and recommendations as
well as the auditee’s responses and action plans should be issued to the
relevant parties in a timely manner after the completion of the audit. Significant
audit findings uncovered in the course of audit that would materially affect the
licensed institution’s operating and financial condition should be promptly
reported to the AC and Chief Executive Officer. Bank Negara Malaysia should
also be promptly informed of such audit findings. The internal audit function
should monitor progress of rectification actions taking into consideration the
timeline committed by management. This includes rectification actions taken in
regard to findings raised by regulatory authorities or external auditors.
Exceptions and issues of concern should be escalated to the AC and even to
the Board, when the impact of non-implementation is of significant consequence.
The internal audit is expected to regularly inform the AC of outstanding audit
and control issues as well as the status of the implementation of the audit
recommendations. The AC and senior management should ensure that the
audit issues and concerns are addressed appropriately and in a timely manner.
7.6 The CIA is responsible for ensuring that the internal audit function complies
with sound internal auditing principles and practices and that there is a
process in place to ensure the continued relevance and effectiveness of audit
methodology.
8.1 The AC should satisfy itself that the internal audit function is effective by
establishing a mechanism to assess its performance and effectiveness. This is
to ensure the continuing effectiveness of the internal audit function. The
performance of the internal audit function may be assessed against the
achievement of its mandate, benchmarking against best practices or other
considerations. The manner and frequency of assessment is left to the
discretion of the AC. For example, the AC may require a regular review to be
conducted by itself or another independent party with knowledge of internal
audit practices, which may be an external party or peers from within the
licensed institution’s group.
Principle 9: Where the internal audit function lacks the expertise needed to
perform the audit of specialised areas, external experts may be engaged.
However, the AC remains responsible for ensuring that audit of specialised areas
is adequate.
9.1 In circumstances where the internal audit is not or not sufficiently proficient in
specialised areas, external experts may be engaged to carry out the review. In
such situations, the AC should ensure that the terms and scope of the
engagement, the working arrangement with the internal auditors and reporting
requirements are clearly established.
9.2 The external experts engaged should possess appropriate knowledge and
expertise to carry out the audit engagement in the specialised area. Ideally,
external experts engaged should be independent of the external auditor of the
licensed institution to ensure that there is no conflict of interest. However, in a
situation where the external auditor of the licensed institution is engaged, the
AC is responsible for ensuring that such engagement does not compromise
the independence of the external auditor in its role as statutory auditor of the
licensed institution.