ANNUAL REPORT. on the operation of Internal Audit Department. in the course of 2014

Transcription

1 ANNUAL REPORT on the operation of Internal Audit Department in the course of 2014 KOMERCIJALNA BANKA AD Skopje Internal Audit January 2015 Page 1 of 8

2 Content: I. Introduction I.1. Review of the individual audits carried out in the course of 2014 and other activities I.2. Realization of the objectives prescribed by the Annual Plan of the Internal Audit for 2014 I.3. Assessment of the adequacy and efficiency of the systems of internal control Page 2 of 8

3 I. INTRODUCTION The Internal Audit Department is an independent organizational part, which is separated from the other organization units of the Bank in terms of its function and organization, directly reporting to the Supervisory Board and Audit Committee. The main objective of the Internal Audit Department is to provide an objective and independent assessment of the internal controls, through measuring, monitoring and testing the adequacy of the internal controls, aimed towards efficient performance of the operative processes in accordance with the internal policies and procedures and the law regulations, as well as with the aims and objectives of the Bank s Business Policy. Pursuant to article 97 of the Banking Law (Official Gazette No. 67/2007), article 121 of the Statute of Komercijalna Banka AD Skopje and Section VIII of the Rules of Procedures of the Internal Audit, the Internal Audit of the Bank submits Annual Report on its operation in the year ending on Pursuant to the provisions of the above mentioned acts, the Report on the operation of the Internal Audit in the course of 2014 contains the following information: Description of the individual regular and additional audits carried out in the course of 2014; Additional audits and other activities of the Internal Audit in the course of 2014; Realization of the aims prescribed by the Annual Plan for the operation of the Internal Audit in the course of 2014; Evaluation of the adequacy and efficiency of the systems of internal control of the Bank made on the basis of the findings from the audits carried out; Starting from the risk profile of the Bank, the structure of the assets and liabilities, types of credit and deposit products, main business activities with the Bank, in the course of 2014, the Internal Audit had directed its activities towards revision of the adequacy of the controls of the internal control system of the Bank for managing the essential material risks the operative processes are exposed to, thus individually auditing and testing the respective controls in the systems for undertaking, measuring, monitoring and managing the credit, currency, liquidity, market, legal risk and the risk from changes in the interest rates. Within the regular on-site audits carried out in accordance with the Annual Plan for operation in 2014, the Internal Audit carried out complete audit and control of the operation of 4 (four) branches of the Bank: the branches in Prilep, Ohrid, Stip and Kavadarci. In the course of 2014, pursuant to the Annual Plan of the Internal Audit Department prepared upon previously made internal identification of IT risks, the regulatory requirements and setting of the information technology in the Bank, we conducted IT audits in several significant segments of functioning of the ICT system in the Bank (video surveillance system, SWIFT system, systems for uninterrupted power supply, ATMs system, etc.) In the part of individual audits of the business-technology systems were accompanied with audit on the adequacy of the system support and controls in the application solutions for operation within the integrated IT system of the Bank. I.1. Review of the individual audits carried out in the course of 2014 In the course of 2014, and pursuant to the Annual Plan for the operation, the Internal Audit realized 33 individual audits. No. Report on the realized regular direct controls 1 Audit on the processes and procedures of opening and keeping FX and denar accounts to non-financial legal entities in the Bank s Head Office in the course of 2013 Page 3 of 8

4 2 Audit on the financial activities of making placements and taking foreign currency assets and trading with foreign currency with domestic and foreign banks in the course of Audit on the processes of issuance and administering of denar letters of guarantee and letters of guarantee with FX clause issues by order of nonfinancial legal entities in the Bank s Head Office, as at Audit on the activities and processes in application of the law regulation by the Bank as a tax-payer for the income tax for Audit on the level of implementation of the safety and health measures at work that the Bank is obliged to implement pursuant to the Law on safety and health at work, as at Control of implementation of the recommendations from the Written Warning No / and the Governor s Recommendation No / , as at Audit on the operation of the Ohrid Branch and comparison indexes as at Audit on the operation of the Kavadarci Branch and comparison indexes as at Audit on the operation of the Tetovo Branch and comparison indexes as at Audit on the operation of the Gostivar Branch and comparison indexes as at Audit on the organization of the information-communication technology in the branches in Ohrid, Kavadarci, Tetovo and Gostivar, as at IT audit of the systems providing continuity of the power supply of the ICT system of the Bank, as at IT audit of the SWIFT system of the Bank and application platform for connection and exchange of SWIFT messages, as at Audit of the processes of approving credit placements under purchase of shortterm FX and denar claims factoring and purchasing claims from clients exporters forfeiting in the Bank s Head Office, as at Audit of the processes of managing and administration of the foreclosed property of the Bank acquired under uncollected claims, as at IT Audit of the video surveillance system of the Bank as at Audit of the business activities and processes which are under the competence of the Marketing department based on obtained authorizations pursuant to the internal acts, realized in the course of 2013 and first half of Audit and assessment of the controls within the system and effects from the management of the liquidity, currency, interest rates and market risks within the period ; 19 Audit of the process of carrying out custodian activities for obligatory and voluntary pension funds as at ; 20 Audit on the calculation of the internal capital index (ICI) of the Bank for 2014 according to the methodology for realization of the process for determining the internal capital adopted by the Supervisory Board of the Bank; 21 Audit on the method of realization, scenarios used and results obtained from the annual stress testing carried out on the exposure of the Bank to material risks, on the basis of the approved Program for Stress Testing; 22 Audit on the internal procedures for development and introduction of new product/service/system in the Bank as part of the operative risk management system, as at ; 23 Audit on the established information system and information infrastructure for providing confidentiality and personal data processing protection in the Bank as at ; Page 4 of 8

5 24 Audit on the Audit on the application platform of the Bank as support for carrying out financial activities approving and administration of denar loans to legal entities as at ; 25 Audit on the operation of Stip Branch and comparison indexes as at ; 26 Audit on the operation of Prilep Branch and comparison indexes as at ; 27 Audit on the organization and functioning of information-communication technology in Stip and Prilep Branches within the period controlled ; 28 IT audit on the systems for management and monitoring of databases of the Bank as at ; 29 Audit and assessment of the procedures for approving and administering denar short-term loans to non-financial legal entities in the Bank s Head Office as at ; 30 Audit of the manner of determining the category of net-debtor of the Bank in accordance with the legally prescribed methodology and the way of reporting to NBRM; 31 Audit of the implemented methodology for preparation of Note 44 A and 44 B transactions with related parties as Note to the Financial Reports of the Bank; 32 Audit and assessment of the procedures for establishing lien over movable and immovable property as a security instrument for credit placements approved to legal entities subject to the audit in the last quarter; 33 IT Audit of ATM network of the Bank, as at ; The managing bodies of the Bank, Supervisory Board, Audit Committee and the Board of Directors are regularly and in due time reported on the findings and more significant weaknesses identified in the course of the audits carried out, through the 6 (six) individual reports, which is within the legal obligation for minimum reporting on quarterly basis. Other activities of the Internal Audit Department in the course of 2014 Within the frames of its additional activities, the Internal Audit Department was frequently engaged in providing independent and objective consulting services regarding certain issues and at the request of the responsible officers of different OU in order to help the management to improve the internal control system controls aimed towards efficient management of the operative risks. It also took active part in consideration of the draft regulations of NBRM and other draft law regulations, as well as other draft amendments and supplements to the internal acts of the Bank only from the aspect of consulting activities. Human resources of the Department, qualification structure and participation in seminars and training courses in the course of 2014 The regular and additional activities in the course of the first half of 2014 were realized by 8 (eight) officers in coordination with the Department Manager. Qualification structure of the officers is as follows: - one authorized auditor, in accordance with the Law on Audit, - one IT auditor, holder of BCC and CISA certificate authorized auditor for IT systems; - 7 BCC internal auditors, out of whom five are economists, one lawyer and one electrical engineer. One of the officers has Ph.D. degree in economy, two of the Page 5 of 8

6 officers have completed master studies from the field of accounting and audit, while one of the officers is in the final phase of completion. Note: At the moment, all officers are specialized in performing audit activities. They are divided in three groups: audit of the credit risk management system, systems for management of other risks and in all other activities of the bank including the payment systems. The Department fulfils the criteria provided in Article 95 of the Banking Law stating that at least one employee of the department should be an authorized auditor. In the course of 2014, part of the employees of the Internal Audit Department took part in seminars in the country in the domain of auditing, accounting, tax regulations and IT systems protection, and the authorized auditor had fulfilled the legally prescribed 40 hours additional education at the Institute of Authorized Auditors. I.2. Realization of the aims and objectives set by the auditing plan of the Internal Audit for 2014 As a primary objective in realization of the Annual Plan for 2014, the Internal Audit Department was focused on efficient and effective realization of the planned audits within the available time and resources making efforts to keep and improve the quality of the auditing and results therefore. In the course of 2014, the Internal Audit mainly adhered to the planned regular audits and within the term plan for their realization in accordance with the Annual Plan for operation for 2014 approved by the Supervisory Board of the Bank at its 22 nd meeting held on The Internal Audit realized total 33 individual audits, thus covering the planned segments and business processes assessed as the most critical and prescribed by the Annual Plan. According to the Annual Plan for 2014, out of the planned 11 thematic IT audits, the Internal Audit realized 9 regular IT audits in accordance with the Plan. The planned IT audits of the money laundering prevention system and the systems for sending data to the credit register with NBRM were postponed for the next period in 2015 within the obligatory control on the implementation of the recommendations of NBRM s Supervision in the sphere of money laundering prevention, while the control on the Credit Register has been postponed for the forthcoming period due to the amendments and supplements to the regulations and the method of sending data to the Credit Register with effect from in regards to the reports. I.3. Assessment of adequacy and efficiency of the internal control systems The internal control is a continuous process conducted on all levels in the Bank by the managing bodies, management team and all employees designed to provide reasonable security for achievement of the following aims and objectives: protection of value of the assets, i.e. maximization of value of the Bank, workout of accurate financial reports, increase of the efficiency of the overall operation, advancement of the managing efficiency, as well as compliance with the internal policies of the Bank and the laws and regulations referred to banks. The internal control system is subject to constant changes and adjustments depending on changes of the law regulations and acts of the Bank, changes of the technology of certain processes and systems and therefore it is a significant component in managing and realization of the Business Policy of the Bank. When evaluating the adequacy and efficiency of the internal control system in the audited processes and activities in the course of 2014, the Internal Audit considered the most significant components and aims of the internal control systems, as follows: Page 6 of 8

7 Whether the audited processes or activities are regulated by internal policies and procedures and whether they are in accordance with the law regulations and Business Policy of the Bank; Whether there is implemented adequate division of authorities and responsibilities of employees in the organizational units of the Bank bearers of the audited working processes for the purpose of minimization of conflict duties and responsibilities and elimination of risk from deliberate and non-deliberate mistakes and misuses and on the way providing efficient control of management of risks the audited process is being exposed to; Whether the audited processes are supported by an adequate information system, the level at which the internal and external policies and procedures are integrated, in order to achieve automation of the processes of accepting and processing the orders on all levels and electronic data processing. Whether the system controls incorporated in the application solutions for operation are sufficient, safe and secure in order to prevent deliberate and nondeliberate errors and misuse and efficient enough to minimize the operative risks. Whether the internal control system of the Bank allows recognition and assessment of the significant risks the Bank is exposed to: credit, liquidity, currency, operative, reputation and other risks to which the business processes and the Bank s operation are exposed to. General assessment of Internal audit: Based on the individual audits performed in the course of 2014, the auditors evidences based on control of a representative sample of the audited material selected by random choice out of all audited processes, the Internal Audit hereby confirms the acquired reasonable assurance that the internal control systems in the Bank are adequately implemented in terms of minimization of all types of risks characteristic for banking, and in direction of efficient and appropriate implementation the law regulations and the Bank s Business Policy. The findings from the IT audits carried out have confirmed the expected assessment of the Internal Audit for an established sound system of internal controls at all levels of the operation of the Bank s IT system, which provides full support of the business processes for the realization of the strategic aims of the Bank as a whole. The weaknesses and errors identified in the course of the on-site controls did not have any material significance and were of operative and low-risk character. The recommendations given for improvement of the controls in the internal control system for the purpose of minimization of the operative risks were almost in full accepted by the responsible officers of the controlled OU. Most of them have already been implemented or their implementation is currently in progress, which will be subject to control of the next follow-up audits of these processes. Skopje, January 2015 Internal Audit Department Vesna Maslinko Manager Page 7 of 8

8 Page 8 of 8