Internal Audit Standard. Introduction Laws and other regulatory and legal documents associated with the Standard Provisions of the Standard

Transcription

1 Internal Audit Standard Table of contents Introduction Laws and other regulatory and legal documents associated with the Standard Provisions of the Standard 1. General principles of internal audit of banks 1.1. Definition of internal audit 1.2. Objectives and responsibilities of internal audit function 1.3. Principles of internal audit 1.4. Scope of work of internal audit 1.5. Internal Audit Regulations 2. Internal audit structure of banks 2.1. Internal Audit Committee 2.2. Internal audit department 3. Activities of internal audit department 3.1. Methods of work and types of audit 3.2. Audit plan and risk significance 3.3. Procedures 3.4. Reporting requirements 4. CBA's interactions with internal and external auditors of banks 4.1. CBA's interactions with a bank's Internal Audit Committee and IAD 4.2. CBA's interactions with external auditors 4.3. Interactions between internal auditors and external auditors 4.4. Cooperation between the CBA, external auditors and internal auditors Internal control aspects of the Standard

2 Internal Audit Standard Introduction The purpose of this Standard is to assist banks in determining the structure, organization and procedures of internal audit in accordance with the existing laws and regulations, as well as best international practices and standards. All banks shall apply this Standard in consistency with their own requirements and conditions. Laws and other regulatory and legal documents associated with the Standard The Law «On banks» of Azerbaijan Republic and the «Regulation on internal controls and internal audit of banks» of the Central Bank of Azerbaijan Republic (hereinafter referred to as the CBA) require banks to establish an internal audit function and identify the purpose of internal audit as «providing assurance of existence and adequacy of appropriate controls ensuring the safety of the bank's assets, and accuracy, completeness and authenticity of the bank's periodic reports presented to shareholders, regulators and general public». Provisions of the Standard 1. General principles of internal audit of banks «Internal audit of banks and the regulator's interactions with auditors» (a Basel Committee document, August 2001) Definition of internal audit Internal audit is a non-profit service, independent of the bank's executive bodies, established in order to increase the effectiveness of the bank's internal controls and risk management systems. The internal audit function assists the bank in accomplishing its goals of evaluating and improving the effectiveness of risk management, control and governance processes. Internal audit is a part of regular inspection process of the bank's internal control systems, as well as the internal controls system ensuring that the bank is operated and managed in a safe and prudential manner. The internal audit function operates independently of the bank's Supervisory Board and Management Board Objectives and responsibilities of internal audit function Objectives and responsibilities of internal audit function primarily require the internal audit department (hereinafter referred to as the IAD) to inspect, evaluate and report the following areas of the bank's activities: compliance with the existing laws of Azerbaijan Republic and the CBA's regulations; risk control and management; existence of an internal control system; quality procedures in development and introduction of new bank transactions, systems and processes; asset safety/protection systems and procedures;

3 systems and procedures to ensure adequacy and accuracy of accounting records; If necessary, the IAD will recommend amendments to the bank's regulations (internal procedures, policies and by-laws). Each IAD employee shall possess profound knowledge of the applicable laws of Azerbaijan Republic and the CBA's regulations, directives, and the bank's policies. 1.3.Principles of internal audit Principles of internal audit include: Continuity. Internal audit activities shall be conducted on a continual basis. Independence. Internal audit must be an activity not included in the everyday control process. Independence ensures that internal audit is objective and unbiased. Impartiality. Internal audit must be unbiased and operate without undue influence. Professionalism. An internal auditor must possess necessary knowledge and experience to perform his duties. Scope of work. The scope of internal audit's work must cover all areas of the bank's operations and structure. Confidentiality. Internal auditors must exercise utmost confidentiality with respect to use of information obtained in course of his work and must not use such information for his personal gain or to the detriment of the bank's interests Scope of work of internal audit The scope of work of internal audit includes: inspection and evaluation of effectiveness and adequacy of internal controls; analysis of application and effectiveness of risk management methodologies; analysis of financial and management information systems, including electronic information and payments systems, and banking services; inspection of accuracy and authenticity of accounting records and financial statements; analysis of asset protection methods; review of the bank's risk-weighted capital evaluation system; evaluation of performance efficiency and cost-effectiveness; examination of performance of specific internal controls and operating procedures; review of compliance systems covering regulations and procedures, laws and codes of conduct; verification of whether regulatory reporting is reliable and timely; conduct of special researchs. 1.5.Internal Audit Regulations The Internal Audit Regulations shall describe the objectives, functions and powers of the internal

4 audit function. The Regulations shall also assist the bank management in reinforcing the internal audit function's position within the bank's overall structure. The internal audit regulations shall cover: objectives of internal audit; role of the IAD; rights and responsibilities of the IAD; scope of work of internal audit; reporting obligations. 2. Internal audit structure of banks The internal audit function's structure of banks includes an Audit Committee and the bank's IAD Internal Audit Committee Members of the Audit Committee shall be appointed by the General Meeting of Shareholders. The Audit Committee shall assist the Supervisory Board and Management Board in ensuring that efficient internal controls are put in place and are adequate. The Chairman of the Audit Committee may invite the Chairman of the Management Board, other members of the Management Board, the IAD Director and external auditors to Committee meetings. The Audit Committee shall have the following responsibilities: to develop the IAD's By-laws (subject to approval by the Audit Committee); to oversee the IAD's activities, including approval of audit plans and resource allocation; Interactions with external auditors: to adopt audit work plans, audit findings and recommendations; to advise the Supervisory Board on selection of external auditors; to meet and inform regulators on the bank's management structure and operating system; to coordinate interactions between the Supervisory Board, Management Board, IAD, external auditors and regulators; to report the Committee's performance to the Supervisory Board on a regular basis. 2.2.Internal audit department The IAD shall be responsible for performing internal audit functions within the bank. The IAD shall prepare and implement audit plans, and report audit findings. The IAD is part of internal controls and independently evaluates the appropriateness of the bank's compliance with regulatory, governance and supervisory requirements Role and responsibilities of the IAD The IAD is an independent audit function of the bank, responsible for inspecting, evaluating and reporting the performance of the bank's employees and management Scope of work

5 The IAD shall inspect and evaluate the performance of all business units of the bank. The scope of work of the internal audit function includes regular evaluation and inspection of effectiveness and compliance of internal controls, as well as execution of internal control responsibilities and obligations. The IAD shall inspect, in particular: the bank's compliance with internal policies and risk management (measurable and nonmeasurable risks); reliability, completeness, accuracy and timeliness of financial and management reports, including reports presented to external users; performance of business unit responsible for ensuring undisrupted and reliable operation of electronic information systems. The IAD shall pay particular attention to legal and regulatory requirements governing the bank's operations, including policies, principles, regulations and directives issued by the regulator with respect to organization and management issues of banks. Although the IAD has a broad range of activities, it shall not be involved in developing the bank's policy, except the internal control policy, and shall not be generally authorized to criticize the bank's policy and its appropriateness. However, the IAD shall report actual or potential concerns to the Audit Committee. If the IAD becomes aware of any management decision taken or to be taken in conflict with the existing legal and regulatory requirements or the bank's policies and procedures, the Department Director shall immediately notify the chairman of the Management Board and/or the Supervisory Board. The IAD Director shall report all such instances to the chairman of the Audit Committee Rights of the IAD The IAD shall have the following rights: to request any information from previous periods necessary for audit; to get any necessary documents relating to operations from the audited or previous periods; to check and ascertain existence of cash, other financial valuables, securities, special reportable forms, inventories, fixed assets, equipment and other assets in audited business units of the bank (branch office, division, representative office); to inspect any and all assets under lease agreements, possession, sales and other agreements and deals closed with legal entities and individuals; to analyze and review soft and hard copies of documents related to operations of the audited business unit (branch office, division, representative office); to request any explanations from the bank's executive officers regarding the accounting treatment and specifics of any operation; to verify whether actions and operations of the bank's employees are in compliance with the existing laws and regulatory requirements, and to obtain written documents on the bank's internal decisions identifying the bank's policy and strategy, decision-making procedures, accounting and reporting procedures; to inquire customers on the bank's operations, in accordance with the existing laws of Azerbaijan Republic.

6 Non-audit work policy The impartiality requirement to the IAD shall not preclude the Chairman of the Management Board from getting the IAD's opinion on special internal control issues. For example, the IAD's opinion may be used in connection with restructuring, introduction of significant and new bank products, establishment or reorganization of risk control systems, review of management information systems and other issues. Furthermore, the management shall be responsible for application and subsequent development of such measures. Advisory services are a supplementary function that does not affect the IAD's main duties and independence. In addition, the Chairman of the Management Board or another executive officer, with his approval, may engage the IAD in activities not related to internal audit. For example: evaluation of assets of entities the bank has business relationships with; review and assessment of financial statements of other entities; inspection and assessment of legal entities to be acquired. Such activities require a written permission from the Supervisory Board and approval from the Audit Committee Chairman. The IAD shall check whether it has time and skills necessary to perform such tasks. Such assignments shall be planned for and shall be performed with the same degree of quality as audit work Confidentiality In course of audits IAD staff are authorized to access confidential information about the bank, its executives and employees. Such confidential/private information may include, among others: salary of executive officers and other employees; financial position information of customers; property and investments owned by the bank; profitability of branch offices; future plans of the bank (chief executive officers); investigation of counterfeits and possible legal actions. IAD staff shall exercise utmost caution and confidentiality when using such information in course of their work. IAD staff shall not use such information in any manner that is in conflict with the laws of Azerbaijan Republic, the Central Bank's regulation and the bank's internal policies, or to the detriment of the bank Professionalism of the IAD staff IAD staff must be qualified and competent. The nature of the IAD's work may require high technical and communication skills. Important technical skills required for IAD staff include:

7 knowledge and experience of application of International Financial Reporting Standards (IFRS); internal audit skills; high level qualifications in development and evaluation of internal control systems and procedures; latest knowledge of International Standards on Auditing (ISA) and business of banking. Important communication skills include: ability to preserve independence; observance and fact-finding skills; problem solution skills and ability to reach agreement on audit findings; reporting and correspondence skills Exclusive work of internal audit staff In avoidance of any doubts of the internal audit function's independence, internal audit staff may not work for any other business units of the bank or substitute any executive officer of the bank. 3. Performance of internal audit department 3.1. Methods of work and types of audit The internal audit department shall develop audit plans, check and evaluate information available, discuss the results with the bank's competent executive body, provide recommendations and followup on their execution. There are various types of internal audit, including, but not limited to the following: Financial audit: designed to evaluate the credibility of the accounting system and records, as well as financial statements; Compliance audit: designed to evaluate the quality and adequacy of systems and procedures put in place to ensure compliance with laws, regulations, policies and procedures; Operations audit: designed to evaluate the quality and adequacy of systems and procedures, thoroughly analyze the organizational structure and assess the adequacy of audit methods and resources; Management audit: designed to evaluate the quality of the management's treatment of risks and controls. The IAD is authorized to inspect and evaluate the bank's performance in all areas of the bank's structure. In this view, the internal audit department should not focus only on one type of audit, but employ the type of audit most appropriate given the objectives of audit in each individual case. Furthermore, the IAD's activities should not be limited to auditing the bank's departments special attention should be given to auditing all functions of the bank's areas of business. Types of audit conducted by the IAD shall be determined by the IAD Director, taking account of risk assessments (including evaluation of internal control environment), external audit findings, regulatory inspection findings or other applicable facts and findings. Audits are classified as follows:

8 Type Audit Limited inspection Monitoring/Regular audit Special project Ad-hoc project Description The objective of audit is to establish sufficient grounds for giving an opinion on the system of internal controls. An audit consistes of a detailed investigation of financial and opetional control aspects. The scope of a limited inspection has a smaller coverage as opposed to a full-scale audit and may be initiated by the IAD Director or included in the annual Audit Plan. A limited inspection may turn into a full-scale audit, based on its preliminary findings. Surveys, observation, analysis of trends and monitoring of main risk indicators. Long-term, detailed projects beyond the regular scope of audit. The IAD Director shall determine the scope of inspection and objectives of work. A short-term, limited scope inspection focusing on certain risks and issues inconsistent with the regular audit scope. The Management Board shall determine the scope and require a project, as necessary. Note: If the Management Board announces that a special project is needed that is beyond the scope of the annual audit plan or the regular audit activities, such special project shall be given preferential treatment. The IAD Director shall notify the Audit Committee's Chairman of the need to conduct a special project that requires amendments to the audit plan (e.g., to increase the timeframe allocated in the audit plan for special projects). The IAD Director shall consult with the Audit Committee's Chairman on unusual or difficult requirements Audit plan and significance of risks The IAD Director shall develop an annual audit plan for all projects to be implemented. The audit plan shall specify the time and duration of the planned audit. This plan shall be grounded in a consistent assessment of control risks confirming the internal auditor's understanding of the bank's important activities and associated risks. The IAD Director shall define the principles of risk assessment methodology in writing and shall make regular amendments and additions to such principles in order to reflect the changes in the system or process of internal controls and to include new areas of activities. Risk assessment/analysis shall cover all areas and structure of the bank, including the overall internal control system. Based in risk assessments, the annual audit plan shall developed, considering the level of risk inherent in the areas of the bank's business to be audited. A risk-based audit shall cover both financial and operational risks of the bank, as well as make the operation of the IAD with limited resources more effective. The objective of this approach is to ensure that the IAD's resources are focused on areas of high risk or that would benefit from audit the most. Lower risk areas are usually audited less frequently and comprehensively. The audit plan shall include:

9 developments and innovations anticipated in the audit plan period; high level risks arising primarily from new activities; need to audit all important activities and components of the bank within an acceptable timeframe. The audit plan must be realistic. It shall identify the time budget, conveyance of opinions and training courses for other projects and activities such as special inspections at the management's request. The plan shall also specify the required number of staff, their qualifications and other abilities. The audit plan shall be regularly reviewed and revised, as necessary. The audit plan shall be subject to approval by the Audit Committee. The Management Board shall coordinate the IAD's budget with the Audit Committee and shall be responsible for providing the resources required under the audit plan. 3.3.Procedures Auditing procedures Audit procedures of a bank shall be divided in the following components: Planning procedures; Fact-finding procedures; Documentation procedures; Inspection procedures; Evaluation procedures; Finding identification procedures; Reporting procedures. Audit procedures shall be divided in the following categories: 1. Compliance procedures Designed to verify whether internal controls exist and are complied with. 2. Substantive procedures Designed to verify whether reported balances and amounts are accurate. Audit work inside the bank is mostly related to compliance procedures. These procedures verify whether internal policies are existent and applied in an effective and consistent manner. Procedures used to get information on internal control policies include: Survey and presentation; Observation; Examination of supporting and other documents; Follow-up implementation of control policies. Substantive procedures are designed to verify the accuracy of accounting records and reports, as well as the authenticity of the balance sheet. An example of such procedures is the verification of customer account entries against the supporting documents. Substantive procedures include: Survey and presentation; Analytical procedures; Comprehensive check of operations and balances;

10 Examination of supporting and other documents; Physical inspection; External assurance; Follow-up/repeated implementation Inspection procedures Presented below is a list of general auditing procedures to be considered by the IAD when developing audit tests: a) Survey and presentation A survey includes getting both verbal and written information or presentations from unit managers and other employees. Surveys may have following objectives: to obtain information about the operations of the audited area; to obtain evidence on the reliability of systems; to obtain clarifications on issues arising in course of audit. Information obtained through surveys and presentation may require certain substantiation. b) Observation Observation of various internal procedures/policies composing the systems is helpful for: obtaining evidence of enforcement of control procedures where there are no documentary evidence to confirm that they are implemented or even exist; obtaining evidence of enforcement of other procedures/policies. The quality of this type of evidence is better when the internal auditor does not only observe, but also discusses the specifics of their responsibilities with unit managers engaged in the audit; obtaining evidence of existence, quality and condition of the bank's assets. Observation generally provides the best reliable evidence available at the time of observation, however it does not provide any evidence of activities in other periods. Consequently, if observation obtains evidence of control, assurance of consistent application of control procedures and policies throughout the period requires additional efforts. c) Analytical procedures Analytical procedures includes examination and evaluation of information by using comparisons against other necessary information. Analytical procedures are used to identify the following: Unexpected differences/mismatches; Lack of expected differences; Possible errors; Possible irregularities or illegal actions; Other unusual or unrepeated transactions or events. Analytical procedures include: General rationale verifications Verification of the rationale of a balance or an amount using internal and external data for approximation. For example, calculation of the approximate interest accrual on a customer account using the average monthly account balance and average monthly interest rates, and subsequent reconciliation of the

11 approximation against the actual numbers. Trend analysis Analysis of comparable information over a certain period of time in order to identify inconsistent periods. Factor analysis For example, the correlation between the number of staff and the total payroll expenses. Administrative analysis Application of administration and service knowledge to evaluate the logic of information. d) Inspection of documents and records Documents and other records reflecting operations or balances are inspected in order to substantive evidence or evidence of control. Substantive evidence substantiates the accuracy of receipts of individual systems reflecting operations or balances. Internal audit is able to identify whether controls are used properly by checking documents to obtain evidence of existence of signatures or other indicators. e) Physical inspection Counting or physical inspection of tangible assets (such as cash) and reconciliation of the results against the bank's accounting records can, in most cases, provide direct evidence of existence of such assets. In addition, internal auditors should remember that although a physical inspection does ascertain the existence of assets, it does not ascertain who the assets belong to. Additional inspections may be required to ascertain who the assets belong to. f) Repeated implementation Repeated implementation means repetition of control procedures and operating functions in order to ensure the accuracy of operations. Repeated implementation can provide evidence in two areas: Evidence of mathematical accuracy and proper processing of data. This evidence may be obtained by verifying the calculations or by making independent calculations. Evidence of deficiencies in the control system or breach of control procedures. This evidence is obtained by identifying errors unidentifiable by the control system. Evidence of existence and effectiveness of internal controls is usually obtained by observing the staff responsible for survey and controls, and by verifying the evidence of compliance such as repeated implementation and approvals or signatures for individual transactions. If deficiencies are found in previous transactions, repeated implementation of control (for example, reconciliation of currency exchange receipts against cash payment records) may provide evidence of both effectiveness of controls (if the deficiency is detected and removed) and ineffectiveness of controls. If no deficiencies are found in previous transactions, repeated implementation would not be able to detect ineffective internal controls, nor cases of ineffective implementation of controls. g) Audit sample Audit sampling implies an examination of representative sample elements (of a set of information about the object of audit). Thus, results of an examination of a sample can be applied to the entire unit. Audit sample is usually used when examination of all elements is inefficient. 3.4.Reporting requirements Reporting serves the following purposes:

12 to inform the management about important issues arising as a result of each internal audit in a short period of time; to verify whether control systems are satisfactory; if problems exist, to persuade unit managers of the need to act upon the recommendations to improve the unit's performance and controls; to ensure that official and written notes on agreements with the management exist in order to address issues arising as a result of internal audit and to make improvements as recommended; to give advice on the adequacy of control systems and effectiveness of the organization's internal control arrangements to the management. The contents, format, time and users of the report shall be determined in writing and comply with the bank's procedures. Each audit report: shall specify the objective, scope and findings of audit and, if necessary, the auditor's opinion; shall be written in an objective, clear, concise, constructive form and presented on time; agreement on audit findings and measures to act upon recommendations shall be included in the audit plan. All audit reports shall have the following characteristics: Accurate All reports shall be based on facts. It is essential to maintain confidence in the internal audit department and each auditor by preparing fact-based, unbiased and objective reports. Clear All reports must be clear and comprehensible. It is very important not to use assumptions or verbal comments to fill in gaps in the report. A report must be sufficiently clear without a need to additional explanations and commentary. Quantifiable All notes must be as quantitative as possible in order to describe the effects and seriousness of issues presented. Concise All reports must be to the point. This does not necessarily mean that a report should be brief. Fair All reports should be user-sensitive. Focus should be placed on improving the current condition, not on criticizing past events or individuals. Timely All reports must be published in a timely manner after completion of audit. Typical timeline is two weeks. Present solutions All reports must specify who, how and when should address the deficiencies identified. Efficiency is lost when accountability is not established. Internal audit reports must be kept confidential and may not be disclosed or divulged outside or inside the bank without the IAD Director's approval. 4. CBA's interactions with internal and external auditors of banks Banks shall develop and put in place an effective internal control system in consistency with the balance sheet and off-balance sheet risks, nature and complexity of operations, as well as changes in the bank's market conditions and operating environment. If the internal controls are inadequate in relation to the risks arising as a result of the bank's operations, the CBA shall hold appropriate discussions with bank executives and shall supervise the banks' measures to improve their internal controls.

13 Evaluation of internal controls of banks (together with the effectiveness of internal controls) is part of the CBA's banking supervision activities. The CBA shall identify whether bank executives pay attention to problems identified in internal control processes. The CBA requires that bank pay special attention to the following issues when evaluating their internal control systems: Activities or circumstances historically associated with internal control breaches; Internal control aspects of changes in the bank's operating environment, for example: - new management or new senior staff; new or reorganized information systems; rapidly developing areas/activities; new technologies; new operations or activities (especially sophisticated ones); corporate reconstruction, mergers and acquisitions; and establishment of new branch offices and divisions, incorporation or acquisition of new enterprises, expansion of their business (including effects of changes in relevant economic and regulatory environment); 4.1. CBA's interactions with the bank's Internal Audit Committee and IAD The CBA shall hold regular consultations with internal auditors of banks to discuss risk areas identified and measures taken. Although internal audit has a broad coverage, it does not define the bank's policy, and, except internal control-related procedures, does not ascertain the authenticity of such procedures and policies. If bank management takes decisions in conflict with the existing laws or regulations or the bank's internal policies and procedures, the IAD Director shall notify the Chairman of the Audit Committee, the Management Board, and, if necessary, the Supervisory Board. Furthermore, internal auditors may notify the IAD Director of any cases of incorrect, inattentive and damaging actions of individual staff members of the bank. Thus, the CBA expects the IAD to respond quickly and efficiently to any instances of fraudulent and illegal activities detected or suspected. This is an important prudential issue because nonprudential procedures and actions may adversely impact depositors and other creditors, shareholders, as well as the proper operation of the credit system CBA's interactions with external auditors External auditors provide a positive input to the quality of internal control systems by holding discussions with the Audit Committee, Management Board and Supervisory Board, audit activities and improvement proposals for internal controls. External auditors must possess knowledge of internal control systems sufficient to give assurance of accuracy of a bank's financial statements. External auditors shall report any deficiencies identified to bank management and regulators. The CBA requires senior executives and the Audit Committee to take measures to address any internal control deficiencies identified by external auditors. There are a number of areas where regulators and external auditors may benefit from each other's work. External auditors may get helpful understanding of information provided by the regulator, for example, management meetings or other meetings with the bank as a result of an onsite inspection. The regulator may require external auditors to give an opinion on the IAD's performance. The CBA may appoint an external auditor for a special inspection of a bank. Related areas include:

14 prudential reporting methods used by the bank; adequacy of the structure and performance of the internal control system (including the internal audit department); the bank's compliance; opinion on compliance with accounting rules. In some cases, external auditors may be aware of important information relating to the regulator or requiring immediate actions on its part. Such information includes: the bank's failure to meet any of its licensing requirements; there is a serious conflict inside the bank's decision-making bodies or the chief executive officer suddenly resigns; significant non-compliance with laws and regulations or the bank's charter; the auditor intends to resign or there is an intention to dismiss the auditor; negative changes in the risks inherent in the bank's business and the risks are likely to increase in the future. If the external auditor becomes aware of any of the above described, he must immediately notify the CBA. External auditors shall be held liable for providing unsubstantiated and biased information. 4.3.Interactions between internal auditors and external auditors Information provided by the internal auditor may be helpful for determining the specifics, time and scope of external audit procedures. Still, the external auditor shall have the exclusive responsibility for giving an auditor's opinion on financial statements. The external auditor should be authorized to use significant internal audit reports and data. The internal auditor must notify the external auditor of any important issues that may affect the latter's work. The external auditor also, in his turn, shall inform the internal auditor of any important issues that may affect the internal auditor's work. From external audit standpoint, collaboration with the bank's internal audit working team provides many benefits. These would include an opportunity to get profound information and knowledge about the bank's operations and activities, and to avoid repeating the internal auditors' work in terms of inspecting the bank's operations. In addition, this cooperation would enable the external auditor to expand the coverage of the bank's audit function. This cooperation should be especially helpful when the number and complexity of the bank's services and operations of branch offices, and the scope of audit work required as a result tend to increase. Cooperation between external auditors and internal auditor is grounded in equal understanding and audit expertise. IAD staff and external auditor can benefit from cooperative work by learning from each other. The external auditor's opinion on how much the internal audit function should be relied on when determining the time, scope and type of external audit procedures shall be identified as a result of an initial assessment of the internal audit function. As the level of reliability gross, this cooperation should bring material benefits to both parties as indicated in the table below. Phase 1 Activities supervised and managed by external auditors IAD staff report to the workplace as indicated in the external audit's work program and are supervised by the senior member of the external

15 audit team. The external audit team can use this work subsequently to ascertain the completeness, reliability and accuracy of the bank's financial statements. Phase 2 Performance of activities managed by external auditor IAD staff, when reporting to the workplace indicated in the external audit work program, operate without supervision by the external audit team. This is possible when external auditors are not on the premises. The external auditors will determine a timeframe for completion of such work and will analyze the work performed in order to ascertain the completeness, accuracy and reliability of the bank's financial statements. Before their cooperation can reach this level, the external audit team will evaluate the performance of the Internal Audit staff. Phase 3 External auditors' reliance on standard internal audit procedures External auditors may decide to rely on the IAD's work and thus reduce the amount of work to be done. For example, if an internal audit was conducted at a branch office of the bank and the external auditors find the quality and results of that audit satisfactory, the external auditors may decide not to audit this branch office at the yearend, or conduct a limited audit. Presented below are some areas where external auditors can use internal audit work and information: flowcharts or narrative descriptions of the accounting system; findings of an assessment survey of internal controls or a survey sheet for internal controls; examination of control of the accounting system; substantive inspection of elements of the financial statements; the external auditor's decision to visit a branch office, based on the information provided by the internal auditor; decision to check the computer system, based on the information provided by the internal auditor. The IAD Director shall ensure that the work performed by internal auditor does not unnecessarily duplicate or repeat the work performed by external auditors. Coordination of audit efforts covers the following areas: regular meetings to discuss issues of mutual interest; sharing audit reports and management reports; establishing common understanding of audit facilities, methods and terms Cooperation between the CBA, external auditors and internal auditors. The CBA and the bank's auditors share common interests and objectives. The CBA's stability interest coincides with the «going concern» requirement of auditors;

16 The CBA's interest in having an efficient system of internal controls as the foundation of safe and sound management is consistent with the auditors' requirements for complete and accurate financial statements; Both CBA and auditors require satisfactory performance and quality of the accounting system. Cooperation between external auditors, internal auditors and the CBA serves the purpose of increasing the effectiveness and efficiency of work for all parties involved. This cooperation should be based on regular meeting of the CBA with external and internal auditors. The CBA may invite senior bank executives to such meetings. In these meetings each party should provide information about areas of common interest and special attention should be given to areas to be audited and the timing of work. Furthermore, the parties should discuss the bank's measures to implement the recommendations given by external and internal auditors. Collaboration implies that there is mutual confidence and trust among the CBA, the bank and external auditors. The CBA expects the senior bank management to report any decisions, facts or events that may have a significant effect on the bank's condition. Internal control aspects of the Standard Strong internal controls, including internal audit and external auditor represent a part of efficient corporate governance. Internal audit is a part of the continuous process of inspection of the bank's internal control systems. An effective internal control system is an essential component of the bank's governance, safety and soundness. A strong internal control system can assist in accomplishing goals and objectives, longterm profitability plans and preparing reliable financial statements and management reports. Such a system can also ensure the bank's compliance with the laws and regulations, directives, plans, internal procedures and policies, and assist in minimizing the risks of unexpected damages or losses that may have an adverse effect on the bank's reputation. The main objectives of internal controls are to provide: reliability and completeness of information; compliance with regulations, plans, procedures, laws, rules and contracts; asset protection; efficient and effective use of resources; accomplishment of goals and objectives set for operations or plans. Control is an effort taken by the management in order to increase the likelihood of correct and adequate accomplishment of goals and responsibilities identified. The management plans, arranges and orders implementation of a number of measures to sufficiently assure that goals and objectives identified are met. Thus, control is a result of proper planning, organization and direction by the management. There are three types of internal control: preventive/proactive control (prevents undesirable events from happening), identification control (identifies and removes undesirable events that took place), management control (causes or enables desirable events to happen). An effective system of internal controls requires the adequate and detailed internal financial, operational and compliance information, as well as external market environment data is made

17 available on events and circumstances considered important for decision-making. Such information should be provided in a reliable and timely manner, and prepared in a usable and appropriate format. An effective internal control system requires that reliable information systems are available that cover all important areas of the bank's activities. Security of such systems and other systems that store and use data electronically must be provided, controlled and supported with appropriate contingency/emergency action plans. An effective internal control system requires that the bank's employees comply with and understand the rules and procedures affecting their duties and authorities, as well as that effective communication channels are established to communicate other necessary information to relevant staff members. Overall effectiveness of the bank's internal control system must be checked on a regular basis. Risk controls should be a part of the regular assessments conducted by the internal auditors. Operationally independent, appropriately trained and competent employees must conduct an effective and comprehensive audit of the internal control system. The internal audit function, as part of inspection of the internal control system, must report directly to the Audit Committee or the Management Board, as well as the top management of the bank.