China Boardroom Update - Greater expectations on the internal audit function - new regulatory guidance

Vewyig - Kpmg China (Www.Kpmg.Com.Hk / Www.Kpmg.Com.Cn)

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

6 pages

English

Le téléchargement nécessite un accès à la bibliothèque YouScribe
Tout savoir sur nos offres

A propos
Informations
Extrait

Description

Informations

Publié par	Vewyig
Nombre de lectures	145
Langue	English

Extrait

China Boardroom Update
Greater expectations on the internal audit function – new
regulatory guidance for banks November 2009

ADVISORY

Regulators globally are increasing their focus on, and expectations of, banks' Internal Audit Functions (IAFs).
The global financial crisis has highlighted the importance of banks having effective risk management and strong
internal controls, for example in the areas of enterprise risk management and enhanced valuation techniques,
and the importance of having strong and independent IAFs to help management monitor and assess the
effectiveness of these risk activities and related controls.

The China Banking Regulatory Commission (CBRC) issued guidelines on the positioning, organisation and
responsibilities of IAFs in banks in June 2006 to set out the principles relating to independence, objectivity,
professional competence and work methods, which are in line with the Basel Committee’s principal guidelines.

ry expectations with The Hong Kong Monetary Authority (HKMA) recently released a detailed paper on regulato
respect to Internal Audit [Supervisory Policy Manual – Module IC-2] (the Guidance), which has been developed
with reference to international standards set by the Basel Committee as well as the HKMA’s own supervisory
experiences and practices. This Guidance, while intended primarily for banks in Hong Kong, can also serve as a
useful guide to banks in mainland China and elsewhere on current leading practices in this area and of
regulators' expectations.

Compared with the CBRC requirements on IAFs of banks in mainland China, which contain certain precise and
quantifiable recommendations, the HKMA’s Guidance is principles-based, with a greater focus and elaboration
on the qualitative aspects of an IAF, for example, on the adequacy of audit resources and the quality of work
processes.

Highlights of the HKMA’s guidance
The Guidance is expected to be applicable for both authorised institutions
(AIs) incorporated in Hong Kong as well as AIs which are branches or
subsidiaries of foreign banks or regulated holding companies. It sets out the
HKMA’s expectations of the IAF of AIs, and describes the approach the
regulator will adopt in assessing the effectiveness of the IAF. As an effective
IAF would facilitate its supervisory work, the HKMA may take into account
the effectiveness of the AI’s IAF when assessing the quality of an AI’s
internal control systems.

1
© 2009 KPMG, a Hong Kong partnership, Is a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved.

Key qualities expected of the IAF
Independence An effective IAF must be independent from the AI’s business operations, functional units and control
processes that are subject to its review.

Areas to consider
 Does the IAF directly report to the highest governing levels of the AI, i.e. the Board or the Audit
Committee and can the IAF communicate to the governing bodies without management

involvement?
 Is the IAF subject to periodic independent review to evaluate its effectiveness and for continuous
improvement?
Authority and The authority and standing of the IAF depend on the commitment of the Board and senior
standing management. In assessing the IAF’s standing in the organisation, the following should be considered:

Areas to consider
Does the AI have an audit charter that sets out the IAF’s objectives, scope, power, accountabilities,
responsibilities and relations with other control functions?

Is the audit charter including any subsequent amendments subject to the Board or Audit
Committee’s approval and well communicated throughout the organisation?
Does the IAF have rights to directly communicate to the members of the Board or Audit Committee
and unlimited access rights to any records and personnel in the AI? Are such rights clearly defined

in the audit charter?
Objectivity and The IAF must preserve objectivity in substance and in appearance to avoid any conflict of interests
impartiality when performing audit work. This, however, will not preclude the IAF from providing consulting /
advisory services to the business where the IAF nevertheless should not take part in management’s
decision making process.

Areas to consider
 Is the IAF involved in any business or functional operations or designing or implementing internal
control procedures?

 Are internal auditors recruited internally allowed to audit the function or activities in which they
were previously involved without a sufficient cooling off period?
 Who determines the IAF’s compensation scheme and budget - the Board or the Audit Committee
or management of functional units subject to internal audit review?

Adequate The IAF should have the right resources in terms of skills and experience, financial and technical
resources and support that are commensurate with the size, complexity and risks of the AI’s operations.
professional
competence Areas to consider
 Is the existing skills inventory in the IAF sufficient to address the nature of risks in the AI’s
operations? Is there sufficient manpower in the IAF to complete audit plans approved by the Audit

Committee?
 Is there a process in place to analyse IAF’s staffing and development with respect to the audit plan,
taking into account new knowledge and skills acquired through training and recruitment?
 How does the IAF keep pace with risks emerging from rapid financial innovations and

developments as well as the skills and methodologies required to evaluate the robustness of
systems and controls for managing the associated risks e.g. risk models for complex, structured
products?
2
© 2009 KPMG, a Hong Kong partnership, Is a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved.
Continuity Each AI should have a permanent IAF that is adequately staffed with people that have sufficient
experience and expertise. To achieve continuity in consistent audit processes and procedures, the
following should be considered:

Areas to consider
 Is an internal audit manual established to document the audit charter, internal audit policies, work
processes and standards and properly communicated to IAF staff members?
 Is succession planning in place for the head of IAF to ensure seamless transition during
management changes?
Work processes of the IAF
Audit planning The IAF is expected to have a structured work process in performing its internal audit work to ensure
that auditing work is prioritised around the most significant and relevant risks and those internal control
weaknesses can be identified effectively and addressed in a timely manner.

An audit plan documenting the audit priority, timing and frequency, as well as the manpower and
financial resources required should be established by the IAF and approved by the Board or the Audit
Committee. To ensure the IAF has a risk-based and forward looking plan, the following needs be
considered:

Areas to consider

 Are the extent, nature and frequency of audit assignments driven by the results of a
comprehensive risk assessment on the AI’s and its subsidiaries, covering risks inherent in
significant activities and those likely to emerge from expected future developments?
 Is the risk assessment methodology regularly updated to reflect changes in controls or work
processes as well as new lines of businesses?
 Is the audit assignment scope limited to specific business units or departments or does it cut
across different functional units?
Audit The IAF should have proper documentation to support audit execution including audit programmes and
programmes procedures performed, to be included in working papers.
and procedures
Areas to consider
 Do the audit programmes clearly set out audit objectives, scope of work, audit methodology,
parties with whom to communicate the audit report, work schedules and resources plan?
 Are audit procedures performed as documented, working papers properly organised (e.g. drawn up
with suitable indexes and cross-references) and able to reflect the audit trail, with only information
relevant to achieving the audit objectives included?
Audit reporting The IAF should issue audit reports presenting the scope, purpose of the audit assignment, audit
and follow-up findings, recommendations and management responses to the auditee management, senior
procedures management and the Board or Audit Committee as quickly as practicable. While the principal
responsibility for implementing remedial measures to address audit findings rests with management,
the IAF should conduct follow-up reviews and report the implementation status to senior management
and the Board periodically.

Areas to consider
 Are the draft audit reports issued to provide opportunities for internal auditors and the relevant

management to exc