Guidelines On Internal Audit Function of Licensed Institution


PREFACE

Title
Guidelines on Internal Audit Function of Licensed Institutions

Effective Date
1-Jul-2010

Applicability
Banking institutions; Islamic banking institutions; Insurers; Takaful operators; and Development financial institutions

Summary
This Guidelines sets out the broad principles for an effective internal audit function. The internal audit
function is an important part of the licensed institution's system of internal controls as it provides an
independent assessment of the effectiveness and adherence to the institution's organizational and
procedural controls.

This Guidelines also reiterates the responsibilities of Board and senior management in regard to the
establishment of an adequate and effective system of internal control, including an effective internal audit
function. The responsibilities of the Audit Committee in the independent oversight of the internal audit
function are also highlighted in this Guidelines.

Issuing Department
Financial Conglomerates Supervision Department

© Copyright 2008 Bank Negara Malaysia. All rights reserved.

BNM/RH/GL 013-4
Financial Conglomerates Supervision Department
Guidelines on Internal Audit Function of Licensed Institutions

PART A : INTRODUCTION
1. Introduction
2. General Supervisory Expectations
3. Applicability
4. Legal Provision
5. Guidelines Superseded
6. Effective Date

PART B : PRINCIPLES FOR EFFECTIVE INTERNAL AUDIT FUNCTION
1. Objectives of the Internal Audit Function
2. Independent Function
3. Audit Charter
4. Objectivity
5. Adequate Resources
6. Scope of Work
7. Audit Methodology and Practices
8. Review of Internal Audit Function
9. Engaging External Experts

PART A : INTRODUCTION

1. Introduction

1.1 Strong internal control, including an internal audit function and an independent
external audit, are part of sound corporate governance. Adequate internal
controls must be supplemented by an effective internal audit function that
independently evaluates the control systems within the organisation. External
auditors, on the other hand, can provide important feedback on the
effectiveness of this process. An effective internal audit function is a valuable
source of information for a licensed institution’s Board and senior
management, as well as Bank Negara Malaysia, about the quality of the
internal control system.

1.2 The Institute of Internal Auditors defines internal audit as follows:


“Internal auditing is an independent, objective assurance and consulting activity
designed to add value and improve an organisation’s operations. It helps an
organisation accomplish its objectives by bringing a systematic, disciplined approach
to evaluate and improve the effectiveness of risk management, control and
governance processes.”

2. General Supervisory Expectations

2.1 Bank Negara Malaysia expects the licensed institution to establish and follow
effective policies and practices and the institution’s management to take
appropriate corrective action in response to internal control weaknesses
identified by internal and external auditors.

2.2 The Board of the licensed institution has the ultimate responsibility for
ensuring that senior management establishes and maintains an adequate and
effective system of internal controls, a measurement system for assessing the
various risks of the institution’s activities, a system for relating risks to its
capital level and appropriate methods for monitoring compliance with laws,
regulations and internal policies. The Board should ensure that the internal control
system and the capital assessment process are regularly reviewed to keep
pace with the changes in operating environment and the licensed institution’s
business activities.

2.3 The senior management of the licensed institution should maintain an
organisational structure that clearly assigns responsibility, authority and
reporting relationships and ensures that delegated responsibilities are
effectively carried out. The senior management is responsible for developing
processes that identify, measure, monitor and control risks. The senior
management also sets appropriate internal control policies as well as monitors
the adequacy and effectiveness of the internal control system. At least once a
year, the senior management should report to the Board on the scope and
performance of its internal control system and capital assessment procedure.

2.4 The internal audit function assists the Board and senior management by
providing independent assessment of the effectiveness of and adherence to
the institution’s organisational and procedural controls. Therefore, a robust
and sound internal audit function, equipped with the necessary skills and the
authority to pursue its concerns is essential for the proper discharge of the
Board’s oversight responsibilities.

2.5 While the Board is responsible to ensure the establishment of an effective
internal audit function, the oversight of the function is delegated to the Audit
Committee (AC). The areas under the AC’s purview include review of audit
scope, audit findings and actions taken by management, appointment,
performance evaluation and remuneration of the Chief Internal Auditor (CIA)
as well as review on the effectiveness of internal controls and risk
management processes. The AC’s oversight, particularly on the adequacy of
resources and remuneration of the internal auditors is essential to ensure
independence of the internal audit function. The roles and responsibilities,
composition as well as authority of the Board, AC and senior management are
elaborated in the relevant Bank Negara Malaysia’s guidelines on corporate
governance for licensed institutions.1

2.6 For licensed institutions with Islamic operations, it is expected that advice from
the Shariah Committee will be sought on Shariah related matters to enable the
internal audit function to effectively play its role in providing an independent
assessment on the compliance of the institution’s operations and business
activities with Shariah principles.

3. Applicability

3.1 The Guidelines is applicable to banks licensed under the Banking and
Financial Institutions Act 1989 (BAFIA), Islamic banking institutions licensed
under the Islamic Banking Act 1983 (IBA), insurers licensed under the
Insurance Act 1996 (IA), Takaful operators registered under the Takaful Act
1984 (TA) and development financial institutions prescribed under the
Development Financial Institutions Act 2002 (DFIA), which shall be collectively
referred to as licensed institutions in this Guidelines.

4. Legal Provision

4.1 This Guidelines is issued pursuant to Section 126 of the BAFIA, Section 53A
of the IBA, Section 201 of the IA, Section 69 of the TA and Section 126 of the
DFIA.

4.2 The Guidelines shall be read together with the BAFIA, IBA, IA, TA, DFIA and
other relevant regulations, guidelines or circulars that Bank Negara Malaysia
may issue from time to time.

1 Guidelines on Corporate Governance for Licensed Institutions (Revised BNM/GP1)
  Guidelines on Corporate Governance for Licensed Islamic Banks
  Guidelines on Directorship for Takaful Operators
  Guidelines on Corporate Governance Standards on Directorship for Development Financial Institutions
  Prudential Framework on Corporate Governance for Insurers
  Minimum Standard for Prudential Management of Insurers (Consolidated)
  Guidelines for Audit Committees and Internal Audit Departments for Insurance Companies (Part A - Audit Committees)

5. Guidelines Superseded

5.1 This Guidelines supersedes the following guidelines:


(i) “Guidelines on Minimum Audit Standards for Internal Auditors of Financial
Institutions” dated 27 January 1997;
(ii) “Guidelines on Audit Committees and Internal Audit Departments for
Insurance Companies” (Part B – Internal Audit Departments) dated 3 February
1997; and
(iii) “Guidelines on Minimum Audit Standards for Internal Auditors of Development
Financial Institutions” dated 18 December 2006.

6. Effective Date

The Guidelines shall take effect from 1 July 2010.



PART B : PRINCIPLES FOR EFFECTIVE INTERNAL AUDIT FUNCTION

1. Objectives of the Internal Audit Function

Principle 1: Internal audit is part of the ongoing monitoring of the licensed
institution's system of internal controls, because internal audit provides an
independent assessment of the adequacy of, and compliance with, the
institution's established policies and procedures. As such, the internal audit
function assists the Board and senior management in the efficient and effective
discharge of their responsibilities.

1.1 The internal audit function provides the Board with independent assurance
that the risk management systems, internal controls and governance
processes of the licensed institution are effective and that its operations are
properly controlled. The scope of work of the internal audit function is detailed
under principle 6.

1.2 In order for the internal audit function to carry out its mandate effectively,
senior management should ensure that internal audit is kept fully informed of
new developments, initiatives, products and operational changes to facilitate
early identification of all associated risks.

2. Independent Function

Principle 2: The internal audit function of the licensed institution should be
independent of the activities audited and from the day-to-day internal control
process. To fulfil its mandate, internal audit should be given an appropriate
standing within the licensed institution.

2.1 The independence of the internal audit function is derived from its direct
reporting and unencumbered access to the AC. The stature of the CIA within
the organisation should be appropriate for the function to be effective in
fulfilling its mandate.

2.2 Internal audit should be able to conduct assignments on its own initiative in all
departments, establishments and functions of the licensed institution. Internal
audit should not make management decisions on operational matters,
establish control procedures or be responsible for any operational or system
functions. Internal audit should not be restricted in reporting its findings and
appraisals as well as disclosing them internally.

2.3 The CIA should have the authority to communicate directly, as and when
necessary, to the Board, chairman of the Board and the regulators. The CIA
may also communicate with the external auditors, where appropriate,
according to rules defined in its audit charter.

2.4 To maintain the independence of the internal audit function, the AC should
provide oversight on the adequacy of resources and remuneration of the
internal auditors. The AC should also decide on the appointment, performance
appraisal, transfer and dismissal of the CIA. At the same time, the senior
management should take necessary measures to ensure that the licensed
institution can continuously rely on an adequate internal audit function
appropriate to the size and nature of its operations. Such measures include
providing the appropriate resources and staffing for the internal audit function.

3. Audit Charter

Principle 3: Each licensed institution should have an internal audit charter that
enhances the standing and authority of the internal audit function within the
institution.

3.1 The internal audit charter should at least establish the following:
(i) Objectives and scope of the internal audit function;
(ii) Authority of the internal audit function to carry out its responsibilities
independently;
(iii) Authority of the internal audit function to have unrestricted access to
and communicate with any staff as well as to examine any activity or
entity/ subsidiary of the licensed institution;
(iv) Authority of the internal audit function to access all records, files or data
of the licensed institution, including management information and the
minutes of all board and management committees meetings, where
relevant to the performance of its audit work;
(v) Accountability of the CIA to the AC and ultimately the Board;
(vi) Terms and conditions under which the internal audit function can be
called upon to carry out other special tasks;
(vii) A requirement to express an opinion on the effectiveness of and
adherence to the organisational and procedural controls of the licensed
institution as well as applicable laws and regulations; and
(viii) Authority to follow-up with management on action taken in response to
audit findings and recommendations.

3.2 The internal audit charter should be approved by the Board and
communicated throughout the licensed institution. The charter should be
reviewed periodically.

4. Objectivity

Principle 4: The internal auditors should be objective and impartial. The
internal audit function should be in a position to perform its assignments free
from bias and interference.

4.1 The principle of objectivity requires the internal auditors to not allow bias,
conflict of interest or undue influence of others to override professional and
business judgment. The internal auditors should avoid any conflict of interest
situation arising either from their professional or personal relationships in the
licensed institution or activity which is subject to audit. As a best practice,
internally recruited auditors do not conduct audit on areas which they
previously performed as non-audit staff until twelve months have passed or
until an independent audit has been conducted during the intervening period,
whichever is earlier.

4.2 The AC is responsible for establishing an appropriate mechanism to address
and manage situations where there is a threat to the objectivity of internal
audit. An example of such a situation would be where internal audit is required
to audit an area of operations which was previously headed by the present
CIA, who was only recently transferred out of the former department.

4.3 In the event the internal audit is requested by management to give an opinion
on the setting up of internal controls (for example the commencement of new
risky activities), such advisory services should constitute an ancillary task
which would not impair the independence, objectivity and effectiveness of the
internal audit function. The responsibility of eventual development, introduction
and implementation of these measures rests with the management. The
internal audit should not be restrained from making subsequent
recommendations on the deficiencies or weaknesses of internal controls
although it was previously involved in giving advice. Wherever possible, the
subsequent audit should be assigned to audit staff not involved earlier in
providing advice.

5. Adequate Resources

Principle 5: The internal audit function should have adequate and appropriate
resources to achieve its objectives. This includes the professional competence
of the internal auditors, in particular, the internal audit function as a whole,
which is essential for the proper functioning of the licensed institution’s
internal audit function.

5.1 The internal audit function, as a whole, should have adequate qualifications
and competencies, including investigative skills, to execute its mandate.
Professional competence of each internal auditor, particularly knowledge,
experience as well as motivation and continuing training are prerequisites for
an effective internal audit function. Professional competence must be
assessed taking into account the nature of the role and the capacity of the
internal auditor to collect information, examine, evaluate and communicate.
This is particularly so, taking into consideration the growing technical
complexity of the licensed institutions’ activities and increasing diversity of
tasks that need to be undertaken by internal audit as a result of the
developments in the financial sector. As a whole, the internal audit function
should be competent to be able to examine all areas in which the licensed
institution operates including possessing the understanding of the
interlinkages of risks posed by the various activities, related companies of the
licensed institution and significant outsourced service providers.

5.2 The AC should ensure that adequate and appropriate resources are made
available to the internal audit function and the compensation scheme of the
internal auditors is consistent with the objectives and the demands of the
internal audit function. There should be continuing professional development
programs for the internal audit staff to ensure they have sufficient up-to-date
knowledge of auditing techniques and the activities of the licensed institution.
Suitable recruitment criteria and career progression should also be clearly
established in order to attract and retain quality audit staff.

6. Scope of Work

Principle 6: Every activity and subsidiary of the licensed institution should be
included in the scope of the internal audit.

6.1 The scope of the internal audit should include every activity of the licensed
institution, including that of its branches, and subsidiaries as well as outsourced
activities. The internal audit function should have access to any records, files
or data of the licensed institution, including management information and
minutes of the consultative and decision-making bodies, when it is relevant to
the performance of audit assignments.

6.2 Generally, the scope of internal audit should include the assessment and
evaluation of the appropriateness and effectiveness of the internal control
system and of the manner in which the assigned responsibilities are fulfilled.
This would include evaluation of the following:
(i) Compliance with internal policies and risk controls;
(ii) Adequacy and effectiveness of risk management, internal controls,
governance processes;
(iii) Appropriateness of management’s approach to risk and control in
relation to the licensed institution’s objectives;
(iv) Reliability, integrity and continuity of the information technology,
payment systems and electronic delivery channels;
(v) Effectiveness and robustness of stress testing procedures and
practices;
(vi) Adequacy and effectiveness of the licensed institution’s system of
assessing its capital in relation to its estimate of risk;
(vii) Reliability (including accuracy and comprehensiveness), integrity and
timeliness of the regulatory reporting, accounting records, financial
reports and management information;
(viii) Compliance with relevant legal, regulatory and internal policy
requirements; and
(ix) Compliance with Shariah rules and principles as determined by Shariah
Committee of the licensed institution or other relevant bodies (for
Islamic operations).

6.3 Where the responsibility for any of the areas mentioned above is undertaken
by another department, internal audit should provide independent assurance
to the Board on the adequacy and effectiveness of the department in carrying
out its function. Examples of such departments are the Compliance
Department which oversees the compliance with applicable laws, regulations
and guidelines, and Risk Management Department which is responsible for
the oversight of the identification, measurement, monitoring and control of
risks emanating from the business activities of licensed institutions.

6.4 For branches abroad as well as subsidiaries, internal auditing principles
should be established centrally by the parent licensed institution without
prejudice to local, legal and regulatory provisions and instructions. The parent
licensed institution should draw up the auditing principles for the whole group.
The internal audit department of the parent licensed institution should provide
the criteria and framework for the recruitment and evaluation of the internal
auditors of the subsidiaries and branches.

6.5 Apart from the general scope of audit, the internal audit may be required to
conduct investigation.

7. Audit Methodology and Practices

Principle 7: There should be an effective audit methodology and practices for
the conduct of audit. This includes a robust audit risk assessment, plan, work
programs and reports.

7.1 The internal audit department reviews and evaluates the whole of the licensed
institution’s activities in all its entities. Depending on the audit objective to be
achieved, the internal audit function should use the most appropriate type of
audit. The different types of internal audit include:
· The financial audit, the aim of which is to assess the reliability of the
accounting system and information and of resulting financial reports;
· The compliance audit, the aim of which is to assess the quality and
appropriateness of the systems established to ensure compliance with
laws, regulations, policies and procedures;
· The operational audit, the aim of which is to assess the quality and
appropriateness of other systems and procedures, to analyse the
organisational structures with a critical mind, and to evaluate the
adequacy of the methods and resources, in relation to the assignment;
and
· The management audit, the aim of which is to assess the quality of
management’s approach to risk and control in the framework of the
bank’s objectives.

7.2 The internal audit should establish an audit methodology to assess the risk
profile and vulnerabilities of each auditable area. The risk assessment
conducted should cover all of the licensed institution’s activities and entities,
and the complete internal control system. The audit methodology should be
properly documented and regularly updated to reflect changes to the system
of internal control or work process and to incorporate new activities.

7.3 Based on the risk assessment, the internal audit should draw up an audit plan
for all the assignments to be performed. The audit plan generally includes
audit objectives and scope, timing, frequency of audit and resource
requirements. In drawing up the audit plan, the internal audit should take
into account the expected developments and innovations, the generally higher
degree of risk of new activities and the intention to audit all significant activities
and entities within a reasonable time period (the audit cycle). The audit plan
should be approved by the AC or the Board.

7.4 The internal audit should have clearly documented audit programs which
provide guidance to the auditors in gathering information, documenting
procedures performed and making an assessment. All audit procedures
forming part of the assignment should be documented in working papers. The
working papers should be drawn up to provide sufficient information to verify
whether the assignment was duly performed.

7.5 A written audit report, detailing the audit findings and recommendations as
well as the auditee’s responses and action plans should be issued to the
relevant parties in a timely manner after the completion of the audit. Significant
audit findings uncovered in the course of audit that would materially affect the
licensed institution’s operating and financial condition should be promptly
reported to the AC and Chief Executive Officer. Bank Negara Malaysia should
also be promptly informed of such audit findings. The internal audit function
should monitor progress of rectification actions taking into consideration the
timeline committed by management. This includes rectification actions taken in
regard to findings raised by regulatory authorities or external auditors.
Exceptions and issues of concern should be escalated to the AC and even to
the Board, when the impact of non-implementation is of significant consequence.
The internal audit is expected to regularly inform the AC of outstanding audit
and control issues as well as the status of the implementation of the audit
recommendations. The AC and senior management should ensure that the
audit issues and concerns are addressed appropriately and in a timely manner.

7.6 The CIA is responsible for ensuring that the internal audit function complies
with sound internal auditing principles and practices as well as that there is a
process in place to ensure the continued relevance and effectiveness of audit
methodology.

8. Review of Internal Audit Function

Principle 8: The AC is responsible for ensuring the effectiveness of the internal
audit function.

8.1 The AC should satisfy itself that the internal audit function is effective by
establishing a mechanism to assess its performance and effectiveness. This is
to ensure the continuing effectiveness of the internal audit function. The
performance of the internal audit function may be assessed against the
achievement of its mandate, benchmarking against best practices or other
considerations. The manner and frequency of assessment is left to the
discretion of the AC. For example, the AC may require a regular review to be
conducted by itself or another independent party with knowledge of internal
audit practices, which may be an external party or peers from within the
licensed institution’s group.

9. Engaging External Experts

Principle 9: Where the internal audit function lacks the expertise needed to
perform the audit of specialised areas, external experts may be engaged.
However, the AC remains responsible for ensuring that audit of specialised areas
is adequate.

9.1 In circumstances where the internal audit is not or not sufficiently proficient in
specialised areas, external experts may be engaged to carry out the review. In
such situations, the AC should ensure that the terms and scope of the
engagement, the working arrangement with the internal auditors and reporting
requirements are clearly established.

9.2 The external experts engaged should possess appropriate knowledge and
expertise to carry out the audit engagement in the specialised area. Ideally,
external experts engaged should be independent of the external auditor of the
licensed institution to ensure that there is no conflict of interest. However, in a
situation where the external auditor of the licensed institution is engaged, the
AC is responsible for ensuring that such engagement does not compromise
the independence of the external auditor in its role as statutory auditor of the
licensed institution.

9.3 The terms of engagement of the external experts should:


(i) Define clearly the assignments, roles and responsibilities;
(ii) State that the licensed institution and regulators have access to the
external experts’ records, including audit work plan and working papers;
(iii) Provide for the commitment of the external experts to devote the
resources required to effectively perform their assignment; and
(iv) Provide a protocol for changing the terms of engagement, especially
expansion of scope of audit work if significant issues are found.
