China Boardroom Update - Greater expectations on the internal audit  function - new regulatory guidance

China Boardroom Update
Greater expectations on the internal audit function – new
regulatory guidance for banks November 2009

ADVISORY



Regulators globally are increasing their focus on, and expectations of, banks' Internal Audit Functions (IAFs).
The global financial crisis has highlighted the importance of banks having effective risk management and strong
internal controls, for example in the areas of enterprise risk management and enhanced valuation techniques,
and the importance of having strong and independent IAFs to help management monitor and assess the
effectiveness of these risk activities and related controls.

The China Banking Regulatory Commission (CBRC) issued guidelines on the positioning, organisation and
responsibilities of IAFs in banks in June 2006 to set out the principles relating to independence, objectivity,
professional competence and work methods, which are in line with the Basel Committee’s principal guidelines.

The Hong Kong Monetary Authority (HKMA) recently released a detailed paper on regulatory expectations with
respect to Internal Audit [Supervisory Policy Manual – Module IC-2] (the Guidance), which has been developed
with reference to international standards set by the Basel Committee as well as the HKMA’s own supervisory
experiences and practices. This Guidance, while intended primarily for banks in Hong Kong, can also serve as a
useful guide to banks in mainland China and elsewhere on current leading practices in this area and of
regulators' expectations.

Compared with the CBRC requirements on IAFs of banks in mainland China, which contain certain precise and
quantifiable recommendations, the HKMA’s Guidance is principles-based, with a greater focus and elaboration
on the qualitative aspects of an IAF, for example, on the adequacy of audit resources and the quality of work
processes.

Highlights of the HKMA’s guidance
The Guidance is expected to be applicable for both authorised institutions
(AIs) incorporated in Hong Kong as well as AIs which are branches or
subsidiaries of foreign banks or regulated holding companies. It sets out the
HKMA’s expectations of the IAF of AIs, and describes the approach the
regulator will adopt in assessing the effectiveness of the IAF. As an effective
IAF would facilitate its supervisory work, the HKMA may take into account
the effectiveness of the AI’s IAF when assessing the quality of an AI’s
internal control systems.








© 2009 KPMG, a Hong Kong partnership, is a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved.

Key qualities expected of the IAF

Independence
An effective IAF must be independent from the AI’s business operations, functional units and control
processes that are subject to its review.

Areas to consider
• Does the IAF directly report to the highest governing levels of the AI, i.e. the Board or the Audit
  Committee and can the IAF communicate to the governing bodies without management involvement?
• Is the IAF subject to periodic independent review to evaluate its effectiveness and for continuous
  improvement?

Authority and standing
The authority and standing of the IAF depend on the commitment of the Board and senior
management. In assessing the IAF’s standing in the organisation, the following should be considered:

Areas to consider
• Does the AI have an audit charter that sets out the IAF’s objectives, scope, power, accountabilities,
  responsibilities and relations with other control functions?
• Is the audit charter including any subsequent amendments subject to the Board or Audit
  Committee’s approval and well communicated throughout the organisation?
• Does the IAF have rights to directly communicate to the members of the Board or Audit Committee
  and unlimited access rights to any records and personnel in the AI? Are such rights clearly defined
  in the audit charter?

Objectivity and impartiality
The IAF must preserve objectivity in substance and in appearance to avoid any conflict of interests
when performing audit work. This, however, will not preclude the IAF from providing consulting /
advisory services to the business where the IAF nevertheless should not take part in management’s
decision making process.

Areas to consider
• Is the IAF involved in any business or functional operations or designing or implementing internal
  control procedures?
• Are internal auditors recruited internally allowed to audit the function or activities in which they
  were previously involved without a sufficient cooling off period?
• Who determines the IAF’s compensation scheme and budget - the Board or the Audit Committee
  or management of functional units subject to internal audit review?

Adequate resources and professional competence
The IAF should have the right resources in terms of skills and experience, financial and technical
support that are commensurate with the size, complexity and risks of the AI’s operations.

Areas to consider
• Is the existing skills inventory in the IAF sufficient to address the nature of risks in the AI’s
  operations? Is there sufficient manpower in the IAF to complete audit plans approved by the Audit
  Committee?
• Is there a process in place to analyse IAF’s staffing and development with respect to the audit plan,
  taking into account new knowledge and skills acquired through training and recruitment?
• How does the IAF keep pace with risks emerging from rapid financial innovations and
  developments as well as the skills and methodologies required to evaluate the robustness of
  systems and controls for managing the associated risks e.g. risk models for complex, structured
  products?

Continuity
Each AI should have a permanent IAF that is adequately staffed with people that have sufficient
experience and expertise. To achieve continuity in consistent audit processes and procedures, the
following should be considered:

Areas to consider
• Is an internal audit manual established to document the audit charter, internal audit policies, work
  processes and standards and properly communicated to IAF staff members?
• Is succession planning in place for the head of IAF to ensure seamless transition during
  management changes?

Work processes of the IAF

Audit planning
The IAF is expected to have a structured work process in performing its internal audit work to ensure
that auditing work is prioritised around the most significant and relevant risks and that internal control
weaknesses can be identified effectively and addressed in a timely manner.

An audit plan documenting the audit priority, timing and frequency, as well as the manpower and
financial resources required should be established by the IAF and approved by the Board or the Audit
Committee. To ensure the IAF has a risk-based and forward looking plan, the following need to be
considered:

Areas to consider
• Are the extent, nature and frequency of audit assignments driven by the results of a
  comprehensive risk assessment on the AI and its subsidiaries, covering risks inherent in
  significant activities and those likely to emerge from expected future developments?
• Is the risk assessment methodology regularly updated to reflect changes in controls or work
  processes as well as new lines of businesses?
• Is the audit assignment scope limited to specific business units or departments or does it cut
  across different functional units?

Audit programmes and procedures
The IAF should have proper documentation to support audit execution including audit programmes and
procedures performed, to be included in working papers.

Areas to consider
• Do the audit programmes clearly set out audit objectives, scope of work, audit methodology,
  parties with whom to communicate the audit report, work schedules and resources plan?
• Are audit procedures performed as documented, working papers properly organised (e.g. drawn up
  with suitable indexes and cross-references) and able to reflect the audit trail, with only information
  relevant to achieving the audit objectives included?

Audit reporting and follow-up procedures
The IAF should issue audit reports presenting the scope, purpose of the audit assignment, audit
findings, recommendations and management responses to the auditee management, senior
management and the Board or Audit Committee as quickly as practicable. While the principal
responsibility for implementing remedial measures to address audit findings rests with management,
the IAF should conduct follow-up reviews and report the implementation status to senior management
and the Board periodically.

Areas to consider
• Are the draft audit reports issued to provide opportunities for internal auditors and the relevant
  management to exchange views and comments on the audit findings prior to the audit report
  issuance where the IAF can retain findings in the final report if disagreements cannot be resolved?
• Are there mechanisms to escalate serious issues to the relevant management, if necessary to the
  senior management and the Board or Audit Committee?
• Does the follow-up report highlight areas of delays of agreed action plans, remedial measures not
  properly implemented and ineffective remedial actions after implementation?


Outsourcing of IAF work
Where it is not possible due to cost constraints to maintain in-house all required skills, outsourcing
relevant areas of internal audit work is an allowed option provided for in the Guidance. Co-sourcing is
also a good way for the IAF to continuously build new skills as they become more relevant to the risk
profile of the AI’s operations. This will not only help the AI complete the required audits on certain
special focus areas but also reduce the costs of having specific-subject-matter experts in-house on a
full-time basis.

Areas to consider
• Are appropriate measures in place to enable the IAF to retain control of, and accountability on, the
  project, and to ensure that at the end of the day there is effective transfer of the relevant skills and
  knowledge to the IAF?

IAF’s relationship with other control functions and external auditors
The Guidance differentiates the role of the IAF from those of the AI’s compliance and other separate
internal control departments within business or functional units. These departments form part of the
internal control system and provide a useful source of information for the IAF. Their existence,
however, does not relieve the IAF from performing its independent assessment of controls relating to
those related areas of operations.

Areas to consider
• How often and to what extent does the IAF communicate with other control functions and external
  auditors, to ensure that they have a timely and good understanding of known and potential issues?
• In what ways can the IAF leverage on existing controls related information residing with the
  compliance/monitoring functions of businesses or functional units in order to perform a more
  efficient audit?

Supervisory assessment of the IAF
The Guidance explains methods the HKMA will be using to assess the effectiveness of the IAF through
documentary review and supervisory contacts such as meetings, interviews and on-site examinations.
The HKMA also expects to be meeting external parties such as the AI’s group internal auditors of foreign
banks, external auditors, outsourcing vendors/auditors appointed to perform special reviews, as well as
home supervisors of Hong Kong branches or subsidiaries of foreign banks to discuss issues in relation to
the effectiveness of the group IAF and the local IAF.

Critical challenges for internal audit in banks and the way
forward

Many financial institutions have been impacted by the global financial crisis.
Management, stakeholders and regulators are specifically assessing the
effectiveness of all controlling and monitoring units including the
independent IAF, in particular, its resilience and ability to cope with the
changing business environment and enhance the bank’s corporate
governance framework in the volatile marketplace.

Although the principles set out in the HKMA’s Guidance do not propose any
radical changes to the IAF’s traditional role as an independent assurance
function, the IAF in banks is facing more challenges than ever as financial
institutions have been operating in one of the toughest business
environments in history, with the increasing trend to diversify into different
products / markets and growing complexity of the regulatory requirements.
Some of the key challenges faced by the IAF include:

Regulatory compliance
• How can the IAF ensure that requirements and expectations of regulators in the relevant
  jurisdictions are met in terms of processes, organisational structures, people, communication
  lines and early warning systems?

Ability to attract, develop and retain the right people
• How to attract and maintain quality audit professionals who have a sound understanding of the
  businesses and associated risks to provide quality challenges to management?
• How can the IAF achieve the right balance of technical skills and business credibility with
  people who understand complex financial products and associated risks?

Stay on top of things and make its voice heard
• How does the IAF stay on top of things by anticipating, instead of merely responding to
  changes?
• How does the IAF effectively articulate its view on the bank’s control environment, emerging
  issues and risk vulnerabilities to get the right level and amount of attention from the Board and
  management in a timely manner?

Independent assurance over key risks
• How to ensure IAF’s true independence and objectivity while at the same time maintain
  proximity to the businesses to keep updated of current developments and emerging issues?
• How can the IAF evolve its risk assessment and audit plan continuously to keep them aligned
  with changing risks, keep pace with the business and provide assurance that those risks are
  being effectively managed?

Integrated assurance to form a single view of risks
• How to collaborate with other monitoring functions such as compliance and risk management
  to form a single view of risks faced by the organisation?
• How does the IAF evolve to provide a ‘real time’ overarching view of the control environment
  and reduce inefficiency of duplication of work by different assurance functions?

Robust internal audit methodology
• How to continuously adapt and improve audit methodology and processes to establish a holistic
  view across the bank’s business processes and locations?
• How does the IAF achieve the application of a global methodology across multiple locations and
  ensure consistent quality of delivery?
• How can the IAF effectively track management’s actions to ensure critical audit findings are
  adequately and timely addressed?

Continuous auditing and monitoring
• How does the IAF harness technology to enable early warnings of emerging issues and ensure
  continuous oversight over the control environment?


There is no simple answer to these questions. In today’s dynamically
changing environment, the IAF needs to evolve with the bank and
continuously monitor and improve internal audit effectiveness.

Consequently, the head of IAF should develop a comprehensive quality
assurance and improvement program and the IAF must keep up to speed with
industry leading practices e.g. through IAF executives’ participation in networking
events such as external seminars to exchange ideas with peer organisations and
professional firms. Regulatory guidelines suggest the IAF should be subject to an
independent effectiveness review by external parties on an ongoing periodic
basis covering all major aspects of the IAF’s work. The Institute of Internal
Auditors also recommends an external assessment on the IA function to be
conducted by independent reviewers outside the organisation at least once every
five years.

Quality audit people have always been one of the critical issues for the IAF
because highly skilled and experienced resources are difficult to recruit and retain
within their current area of specialisation. The IAF sometimes invites guest
auditors from the business to participate in an internal audit review to project
business insight and fresh perspective where safeguard measures are in place to
ensure independence. There is now an increasing trend for banks to enter into
co-sourcing arrangements for the provision of highly technical skills. The HKMA
permits co-sourcing or partial outsourcing and considers it a good way to build a
new skill inventory or relieve skill gaps on areas requiring specific expertise. The
HKMA also emphasises that regardless of certain internal audit activities being
outsourced, the Board remains ultimately responsible for the financial
institution’s internal control system and the IAF should have a mechanism in
place to maintain control of and accountability over outsourced audit projects.

How KPMG’s Internal Audit, Risk and Compliance Services can help

KPMG has dedicated Internal Audit practices in 45 countries. Our Internal Audit,
Risk and Compliance Services Practice (IARCS) provides comprehensive internal
audit services, including internal audit outsourcing / co-sourcing, assistance /
advisory in developing internal audit mandates / procedures manuals, strategic
performance review for internal audit (or IA effectiveness review), internal audit
training services. Our IARCS practice also offers corporate governance
assessment / compliance assistance or advisory services, US/Japan Sarbanes-Oxley
advisory services and enterprise risk management advisory services,
control and risk self assessment and other control related advisory services.

By KPMG China

KPMG China prepared this document for board members, audit committee
members and management of Chinese enterprises. The information contained
within is only for general discussion of the matters included and should not be
relied upon as advice for any particular enterprise because no consideration is
given to individual facts and circumstances, which could vary greatly from
enterprise to enterprise.

This document should be read in conjunction with the relevant standard, rules,
regulations, guidelines and/or authoritative pronouncement. This document is
written in both English and Chinese. Where there is inconsistency between the
two versions, the Chinese version shall prevail.

Contact us

For more information on the topics discussed and how they may affect your enterprise,
please contact:

Risk & Compliance, KPMG China
Partner-in-charge
Stephen Lee
Tel: +852 2826 7267
stephen.lee@kpmg.com.hk

Internal Audit, Risk and Compliance Services, KPMG China

Beijing
Helen Wang
Partner
Tel: +86 (10) 8508 7092
helen.wang@kpmg.com.cn

Shanghai
Christine Yau
Partner
Tel: +86 (21) 2212 2771
christine.yau@kpmg.com.cn

Hong Kong
Helen Li
Partner
Tel: +852 2143 8717
helen.li@kpmg.com.hk

www.kpmg.com.cn
www.kpmg.com.hk

The information contained herein is of a general nature and is not intended to address the circumstances of
any particular individual or entity. Although we endeavour to provide accurate and timely information, there
can be no guarantee that such information is accurate as of the date it is received or that it will continue to be
accurate in the future. No one should act upon such information without appropriate professional advice after
a thorough examination of the particular situation.

© 2009 KPMG, a Hong Kong partnership, is a member firm of the KPMG network of independent member firms
affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in Hong Kong.
KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.