Framework

RESERVE BANK OF ZIMBABWE
BANK LICENSING, SUPERVISION & SURVEILLANCE
Guideline No. 02 -2004/BSD
MINIMUM INTERNAL AUDIT STANDARDS IN
BANKING INSTITUTIONS
TABLE OF CONTENTS
5. Organisation of the Internal Audit Function 12. Audit of Critical Areas of Operations 1. PRELIMINARY
1.1. Short
– Minimum Internal Audit Standards in Banking 1.2. Authorization
– This Guideline is issued under the authority of section 45 of the Banking Act [Chapter 24:20]. Definitions – Terms used within this Guideline are as
defined in the Banking Act[ Chapter 24:20] 1.4. Application
– This Guideline applies to all banking and non- bank financial institutions that are licensed and supervised by the Reserve Bank of Zimbabwe including bank holding companies. The Guideline should be read in conjunction with Guideline No. 01-2004/BSD on Corporate Governance. 2. INTRODUCTION
2.1. The internal audit function is an integral component of sound
corporate governance and risk management practices in banks. It is part of the ongoing monitoring of controls which provides an independent assessment of the adequacy of, and compliance with the bank’s established policies and procedures. As such, the internal audit function assists the board and management of the organization in the effective 2.2. Increased competition, pressure to operate profitably or to
improve performance, introduction of new financial products and the change in information technologies have heightened operational risk. This is manifested in the numerous frauds reported to the Reserve Bank of Zimbabwe (RBZ). RBZ examinations continue to reveal weaknesses in the records, systems and controls in financial institutions. Therefore, it is incumbent upon the management to enhance and to play a more proactive and meaningful role in achieving sound and stable growth in financial institutions. 2.3. In carrying out the internal audit function, the internal auditor
must take cognisance of the following characteristics that generally distinguish banks from other commercial enterprises, and which the auditor must take into account in 2.3.1. Banks have custody of large amounts of monetary items,
including cash and negotiable instruments, whose physical security has to be safeguarded during transfer and while being stored. They also have custody and control of negotiable instruments and other assets that are readily transferable in electronic form. The liquidity characteristics of these items make banks vulnerable to misappropriation and fraud. Banks therefore need to establish formal operating procedures, well defined limits for individual discretion and 2.3.2. They have assets that can rapidly change in value and
whose value is often difficult to determine. Consequently, a relatively small decrease in asset values may have a 2.3.3. They generally derive a significant amount of their funding
from short-term deposits. Loss of confidence by depositors in a bank’s solvency can quickly result in a liquidity crisis. 2.3.4. They have fiduciary duties in respect of the assets they hold
that belong to other persons. This may give rise to liability for breach of trust. Banks, therefore, need to establish operating procedures and internal controls designed to ensure that they deal with such assets only in accordance with the terms on which the assets were transferred to the bank. 2.3.5. They engage in large volumes and a variety of transactions
whose value may be significant. This necessarily requires complex accounting and internal control systems and widespread use of information technology (IT). 2.3.6. Transactions can often be directly initiated and completed by
the customer without any intervention by the bank’s employees, for example over the Internet or through 2.3.7. They often assume significant commitments without any
initial transfer of funds other than, in some cases, the payment of fees. These commitments may involve only memorandum accounting entries. Consequently their 2.3.8. They are regulated by governmental authorities whose
regulatory requirements influence the accounting principles that banks follow. Non-compliance with regulatory requirements, for example, capital adequacy requirements, could have implications for the bank’s financial statements or 2.3.9. They deal in complex financial instruments, some of which
may need to be recorded at fair value in the financial statements. There is therefore need to establish appropriate valuation and risk management procedures. The effectiveness of these procedures depends on the appropriateness of the methodologies and mathematical models selected, access to reliable current and historical market information, and the maintenance of data integrity. 2.4. It is against this background of the centrality of the internal
audit function in the risk management process in banking institutions that the Reserve Bank is issuing these Guidelines on Minimum Audit Standards for Internal Auditors of Banking 3. PURPOSE
The Guidelines are issued to meet the following objectives:- 3.1. To improve the quality and effectiveness of the internal audit
3.2. To outline the role, duties and responsibilities of internal
auditors to the board of directors (board), all levels of management and the external auditors; and 3.3. To provide uniform practice on internal auditing which would
serve as a benchmark for guidance and measurement of the effectiveness of the internal audit function. 4. LIMITATIONS
4.1. These Guidelines serve as a general guide for the internal
auditors of financial institutions. They are not intended to provide comprehensive discussion of all possible matters or situations of audit significance that the internal auditors may 4.2. The Guidelines are also not meant to be exhaustive nor
intended to provide detailed audit steps required to perform the audit of every operational area of financial institutions. The internal auditors should be guided by the authoritative pronouncements issued by the relevant professional 5. ORGANISATION OF THE INTERNAL AUDIT FUNCTION
5.1. Overview
5.1.1. Internal auditors play an important functional role in helping
to establish and maintain the best possible internal control environment at their financial institutions. An effective internal audit function is crucial to ensure a sound financial system as a whole. Important consideration has to be given to the organization of the internal audit function in the financial institution to ensure its effectiveness. 5.1.2. Financial conglomerates, by virtue of their nature and size of
operations, may find the establishment of an internal audit department too onerous. For reasons of synergy and economies of scale, these may use the services of the group 5.2. Audit
Committee
5.2.1. An Audit Committee shall comprise of non-executive
directors who shall be appointed by the board of the financial institution. The chairman of the Audit Committee shall be an independent non-executive director and shall not be the 5.2.2. The role of the Audit Committee in the context of the
Guideline is to provide an avenue for the internal audit department to effectively communicate findings and should be in line with the provisions of the Banking Act [Chapter 5.3. Independence
5.3.1. The independence of internal auditors is an important
prerequisite for the proper conduct of audits so as to render 5.3.2. The organizational and reporting structure of the internal
audit function shall ensure that the function is independent of the activities audited and should also be independent from the everyday internal control process. This means that internal audit is given an appropriate standing within the bank and carries out its assignments with objectivity and 5.3.3. The internal audit department should be able to exercise its
assignment on its own initiative in all departments, establishments and functions of the bank. It must be free to report its findings and appraisals and to disclose them 5.3.4. The principle of independence entails that the head of the
internal audit department has the authority to communicate directly on his/her own initiative, to the board, the chairman of the board of directors, board audit committee or the external auditors where appropriate, according to the INTERNAL AUDIT REPORTING STRUCTURE
The reporting lines of the internal audit function in all cases Chief Executive
Committee
Internal Audit
Function
5.3.6. The status of the internal audit department within a bank’s
overall organizational structure should be sufficient and distinct to permit the internal auditors to accomplish their audit objectives. Internal auditors should have the support of the management in order to gain the cooperation of the auditees and to perform their work free from interference. The position of the head of internal audit should be equivalent to the status of other key functional heads to enable him to deal effectively with his peers and superiors when discharging his duties and responsibilities. The appointment, remuneration, performance appraisal, transfer and dismissal of the head of internal audit should be decided 5.3.7. Internal auditors shall have unrestricted access to the
institution’s records, assets, personnel and premises which are necessary for the proper conduct of the audit. Any restriction should be promptly communicated in writing to the Audit Committee for the latter to resolve with the 5.4. Objectivity
5.4.1. Objectivity is an independent mental attitude which would
enable the internal auditors to exercise judgment, express opinions and present recommendations with impartiality. 5.4.2. The internal auditors should at the least observe the
a. Avoid any conflict of interest situation arising either from their professional or personal relationships in an organization or activity which is subject to audit; b. Have no authority or responsibility over any unit or c. Should not be assigned to audit operational areas which they were previously involved as non-audit staff until an independent audit has been conducted during the d. Act only in advisory capacity when recommending controls on new systems or reviewing procedures prior 5.4.3. The internal audit function must be subject to an
independent review by an independent party. This function can be carried out by an external auditor or the Audit 6. PROFESSIONAL PROFICIENCY
6.1. The effectiveness of the internal audit function depends
substantially on the quality, training and experience of the audit staff. Professional competence is assessed taking into account the nature of the role and the auditors' capacity to collect information to examine, to evaluate and to 6.2. In this respect cognisance is taken of the ability of the auditor
to understand the growing technical complexity of a bank's activities and the increasing diversity of tasks that need to be undertaken by the internal audit department as a result of 6.3. The internal audit staff should be suitably qualified and be
provided with the necessary training and continuing professional education for the purpose of enhancing or enriching their audit and relevant technical skills. 6.4. Resources
6.4.1. The head of internal audit, in consultation with the CEO,
shall decide on the right resources required for the internal audit department taking into consideration the size and complexity of operations of the financial institution. The level of the resources required should be justified and endorsed 6.4.2. The head of internal audit must establish suitable criteria for
the recruitment of the internal audit staff. The effectiveness of the internal audit function may be enhanced by the use of specialist staff or consultants, particularly in highly technical areas e.g. I.T. and new complex synthetic products. 6.5. Qualification, Knowledge, Experience and Skills
6.5.1. The academic background and expertise required of the
head of internal audit varies depending on the size and complexity of the financial institution’s operations. Commensurate with his position in the organizational hierarchy, the head of internal audit should possess relevant academic/professional qualifications and sufficient audit experience. The head of internal audit should also have in- depth knowledge of the business and organizational, technical, communication and other relevant skills. 6.5.2. Internal auditors should be proficient in applying approved
auditing guidelines and accounting standards, legal and regulatory requirements, directives and guidelines issued by RBZ and other authorities, and other rules and regulations issued by the relevant associations of the banking industry. 6.6. Supervision
6.6.1. Supervision is a continuing process from planning to the
conclusion of the audit assignment. The head of internal audit is responsible for the audit performed by his subordinates. The head of internal audit should ensure that the audit objectives stated in the approved audit programme 6.6.2. The head of internal audit should set milestones for each
audit assignment (i.e. from the commencement of the assignment to the issuance of the audit report) after 6.7. Professional Ethics
6.7.1. Internal auditors should at all times exercise due
professional care when discharging their duties and responsibilities. They should carry out their work independently, objectively, professionally and with utmost good faith. Internal auditors should subject themselves to the highest ethical standards and avoid any conflict of interest Internal auditors are required to maintain strict confidentiality with regard to all information obtained in the course of their work and must not use any privileged information for personal gain. They should comply with RBZ guidelines, relevant laws and regulations and the requirements of relevant professional bodies. 6.8. Training
6.8.1. The Audit Committee has a responsibility to ensure that the
internal audit staff receives the necessary training to perform the audit work. There should be a programme of continuing education and training to enable internal auditors to keep abreast with the business trends and developments as well as to upgrade and enhance their technical skills. 6.8.2. The head of internal audit should ensure that on-the-job
training is provided to new recruits under the supervision of competent and experienced internal auditors. Training should be a planned and continuous process for all levels of internal audit staff. The head of internal audit, in consultation with the Audit Committee and the CEO, should determine the budget requirements for the training needs of 7. RELATIONSHIP AND COMMUNICATION
7.1. Internal auditors should have a constructive working
relationship and be in constant communication with management, external auditors and the RBZ. Regular meetings should be held with the external auditors on areas of common concerns such as audit planning, audit priorities and 7.2. The head of internal audit should monitor all corrective actions
taken by management with regard to RBZ examination findings and report to RBZ any instances where corrective 8. AUDIT GOVERNANCE
8.1. The internal audit department should have an audit charter,
audit plan, audit manual, audit programme and internal control questionnaires in place. Although these documents may be called by different names and differ in comprehensiveness, the underlying principle is that they serve the intended 8.2. Audit
8.2.1. The internal audit function must be guided by a formal Audit
a. the objectives, scope purpose and independence of the b. the internal audit department's position within the organization, its powers, responsibilities and relations with c. the accountability of the head of the internal audit 8.2.2. The Charter shall be drawn up, and reviewed periodically, by
the internal audit department; it must be approved by senior management and subsequently confirmed by the board of directors as part of its supervisory role. 8.2.3. The Charter shall also state the terms and conditions
according to which the internal auditor may provide 8.2.4. The audit charter must be approved by the Audit Committee
and endorsed by the board so that the internal audit function 8.3. Audit
8.3.1. The head of internal audit should develop an audit plan as a
means of directing and controlling the audit work. The audit strategic plan may range from one to five years depending on the size and complexity of operations. 8.3.2. The plan shall set out the audit objectives, auditable areas,
scope of coverage, frequency of audit, resources required and duration of each audit assignment. The head of internal audit should assess the risks of the auditable areas before determining the audit frequency and scope of coverage. 8.3.3. The head of internal audit shall establish the principles of the
risk assessment methodology in writing and regularly update them to reflect the changes to the system of internal control or work process, and to incorporate new lines of business. As a general guide, the audit cycle for all auditable areas 8.3.4. The head of internal audit, however, has the discretion to
determine the audit cycle for auditable areas deemed not critical if the financial institution has an effective risk 8.3.5. The head of internal audit should also include management
audit in the audit plan. The audit plan must be endorsed by the Audit Committee, approved by the board and should be flexible to respond to changing priorities or needs. 8.4. Manual
8.4.1. The audit manual provides the audit department personnel
with a set of audit standards for guidance and reference. It also serves as a valuable training aid for new recruits. The audit manual should contain written audit policies, objectives, standard procedures and programmes. 8.4.2. The head of internal audit should ensure that the audit
manual is comprehensive enough to cover at least the major operations of the financial institution and is reviewed periodically to reflect corporate, regulatory and industry 8.5. Audit Programme and Internal Control Questionnaires
8.5.1. The audit programme shall set out detailed step-by-step
audit procedures for each auditable area which should be supplemented by the internal control questionnaire. Both the audit programme and internal control questionnaire should be comprehensive and tailored to keep abreast with the current developments relevant to the industry. 8.5.2. A well-designed audit programme and internal control
questionnaire should provide a systematic audit approach. In addition, the internal auditors’ sound judgment and analytical skills are essential in ensuring a high quality audit. 9. DUTIES AND RESPONSIBILITIES
9.1. The core function of an internal audit department is to perform
an independent appraisal of the financial institution’s activities as a service to management. The internal audit function plays an important role in helping management to establish and maintain the best possible internal control environment within 9.2. A sound internal control environment would ensure:
9.2.1. Adequacy and effectiveness of the internal control system,
9.2.2. Compliance with policies, procedures, rules, guidelines,
9.2.3. Detection of frauds, errors, omissions and any other
9.2.4. Management audit,
9.2.5. Information systems audit,
9.2.6. Participative and consultative role in the development of new
10. SCOPE OF AUDIT WORK
10.1. The audit scope should entail the examination and
evaluation of all functions and activities of the financial institution including control features, operational systems and procedures as well as assessment of the quality of management performance in discharging their duties and 10.2. The scope of audit work covered under this part should not
be construed to be exhaustive but serves to provide the minimum scope to be covered under audit assignment. The head of internal audit should ensure that sufficient coverage and depth are given to each audit assignment based on the assigned risk factors. The head of internal audit, after having considered the level of risk for each auditable area, should decide whether to expand or limit the audit scope. Such decision should be properly documented. 10.3. The internal auditors should also decide on the appropriate
level of audit sampling in order to achieve their audit objectives. The internal auditors should be guided by the International Auditing Guideline on Audit Sampling. 10.4. The audit scope should cover:
10.4.1. Evaluation And Appraisal Of The Internal Control
System: The audit scope should cover the effectiveness
of the system of internal control, the reliability and integrity of MIS, the prevention or timely detection of frauds, errors, omissions and other irregularities, and the means for the Compliance with Policies, Procedures, Rules,
Guidelines, Directives, Laws And Regulations: All
financial institutions should ensure strict compliance with all applicable laws and regulations, guidelines, directives, reporting requirements and internal policies and operating procedures. The audit scope should cover the financial a. Banking Act, Banking Regulations and other applicable b. Guidelines, directives and circulars issued by RBZ and pronouncements or rules issued by the relevant c. Internally approved policies and operational procedures as well as the soundness and effectiveness of the 10.4.3. Adequacy and Effectiveness of Risk Management
System: In view of increasing competition, complexities of
operations and financial innovations, management should develop a formalized system to ensure that risk exposures are identified and adequately measured, monitored and controlled. The risk management system should be commensurate with the scope, size and complexity of the financial institution’s activities and the level of risk a financial institution is prepared to assume. In assessing the overall risk management system, the auditor should review a. Effective management supervision is practiced by the b. Procedures that identify and quantify the level of risk on a c. Limits or other controls are in place to manage the risk; d. Reports to management accurately present the nature and level of risk taken and any non-compliance with e. Responsibilities for managing individual risks are clearly f. Procedures relating to the calculation and allocation of g. A risk matrix adequately capturing the institution’s risk profile prepared and updated as necessary. 10.4.4. Effective and Efficient Use of Resources: Internal
auditors should play a proactive role in determining the financial institution’s optimum utilization of resources in the accomplishment of the organisation’s overall objectives and 10.4.5. Accomplishment Of Set Goals And Objectives: In
evaluating the accomplishment of set goals and objectives, the internal auditors’ scope should cover the entire operations or a sub-section thereof to determine whether:- a. Objectives and goals are clearly set and measurable; Objectives and goals have been articulated and communicated to all staff and are being met; c. Adequate controls are established for measuring and reporting the accomplishment of objectives and goals; d. An effective control mechanism is implemented to monitor actual performance against budget. Any significant variances are analyzed, investigated and promptly reported to the management and the board; Management has considered the strengths, weaknesses, opportunities and threats of the respective The achievement of set objectives and goals is in compliance with policies, plans, procedures, laws and g. The underlying assumptions used by management in developing business plans and strategies are 11. REPORTING AND DOCUMENTATION
11.1. Internal audit reports provide a formal means of
communicating audit results and recommended actions to management and the Audit Committee. Audit reports provide an avenue for the Audit Committee to highlight significant weaknesses and the management’s proposed remedial measures to the board. The management’s responsiveness to internal auditors’ recommendations for reducing risks, strengthening internal controls and correcting errors should be the desired result of the audit reports. 11.2. It is of primary importance that in the course of the audit,
should the internal auditors uncover major issues or frauds that would significantly affect the financial institution’s financial position or operations, they shall immediately inform management to ensure prompt corrective actions are 11.3. Audit Report
11.3.1. A signed report should be issued after the completion of
each audit assignment irrespective of the significance of the issues raised. The internal auditors should discuss the audit results and the recommendations thereof with the auditee before the financial audit report is issued. The discussion should be carried out with those individuals who are knowledgeable of detailed operations and those who can authorize the implementation of corrective actions. 11.3.2. Management comments shall be incorporated in the
financial audit report. The head of internal audit should review and approve the final audit report before it is 11.3.3. A copy of the final audit report should be forwarded to the
Audit Committee, the auditee, the CEO and the bank should forward such report to the RBZ on a timely basis. 11.3.4. Where the completion of an audit is likely to take a longer
period, an interim audit report may be issued to communicate any significant issues which require management’s immediate attention. The Audit Committee and the CEO should be kept informed of the issues as well as the progress of the audit. Discretion as to whether an interim audit report is warranted rests with the head of 11.3.5. The head of internal audit shall ensure that an audit report
is of sufficient quality so as to command management’s attention. In order to communicate the audit results effectively, the following standards should be adopted:- a. The audit report shall be objective, clear, concise, b. The structure of the audit report shall include the • Date of report and period covered by the audit; • The scope and objectives of the audit; • The significance and magnitude of the problems or • The causes of the problems or issues; • Recommended solutions or preventive actions; recommendations, and remedial measures taken or proposed to be taken to address the audit issues; • Management’s achievements noted during the 11.4. Action and Follow-Up on Audit Recommendations
11.4.1. Management shall treat all audit findings and
recommendations seriously. Management’s response to the audit findings should be included in the report. The internal auditors should monitor whether appropriate 11.4.2. Management’s plan of corrective actions and
implementation time-table for completion should be developed and jointly agreed upon by management and the auditee. The status of the corrective actions should be monitored and reported to the Audit Committee and the CEO so that follow-up action can be taken to inform the appropriate levels of management on outstanding audit 11.5. Reporting of Significant Findings and Frauds
11.5.1. The internal auditors shall immediately report to the Audit
Committee and the CEO any significant audit findings uncovered in the course of audit. RBZ should also be promptly informed of such findings. Significant financial findings are those that would have an adverse impact on the financial performance and condition of the financial institution. Significant non-financial findings represent fundamental weaknesses that could lead to the collapse of the financial institution’s system of internal control. The interim audit report shall incorporate preliminary summary findings, the impact or potential impact on the financial position and operations of the financial institution, and the proposed actions to be carried out by the internal 11.6. Control and Filing of Audit Reports and Working Papers
11.6.1. The internal audit reports and working papers should be
treated confidentially. The internal audit reports should only be disclosed to those persons authorized by the Audit Committee. As the internal audit working papers provide evidence of audit coverage and documentation of audit trails, they should be properly filed and stored. 11.6.2. To ensure systematic filing and control of audit reports and
working papers, the following minimum procedures should a. The format for the working papers should be b. There should be adequate referencing to identify the audit records, files and working papers created; and c. There should be a system for filing and retrieving past 11.7. Retention of Audit Reports and Working Papers
11.7.1. As a minimum requirement, the audit working papers on
the routine audit should be retained until the next audit is carried out on the same auditable area. Reports and working papers on investigation matters should be retained for at least seven years or such period until the matter is 11.7.2. All internal audit reports, however, should be retained for at
least three years or until the next audit report on the same 12. AUDIT OF CRITICAL AREAS OF OPERATIONS
12.1. Internal auditors should focus their attention and direct their
available resources to those operations or units which entail significant risks that may have an adverse impact on the operations and financial condition of the financial institution. 12.2. The critical operational areas identified are Credit
Operations, Treasury Operations, Derivatives, Investment in Debt and Equity Securities and, Information Systems. These critical areas of operations are not meant to be exhaustive and the internal auditors should also identify and review other operational areas deemed to be critical to the specific business undertaken by the financial institution. 12.3. In reviewing the critical areas of the operations, it is vital that
the audit coverage is comprehensive. The internal auditors should extend their scope if serious unsatisfactory features are uncovered in the course of the audit. 12.4. Important features to consider when auditing different critical
12.4.1. Credit Operations: When auditing the credit operations
internal auditors shall put more emphasis on the: b. Risk inherent in the credit operations; e. Credit disbursement, administration, monitoring and h. Compliance with legal and regulatory requirements. 12.4.2. Treasury Operations: The control areas to be checked
a. Risk inherent in treasury operations; b. Adequacy of and compliance with established policies e. Compliance with legal and regulatory requirements. 12.4.3. Derivatives: To carry out their audit effectively, internal
auditors should be conversant and knowledgeable about the derivative products and transactions, and must be guided by comprehensive audit manuals and programmes. Internal auditors should be conversant with: 12.4.4. Investment In Debt and Equity Securities
a. A financial institution’s investment in debt and equity securities normally involves participation in two main financial markets namely, the capital market and the money and foreign exchange market. A typical investment portfolio usually consists of public debt securities, equity securities (quoted and unquoted), equity–link securities, and private debt securities. Equity securities and private debt securities may also be acquired in the primary market or as a result of underwriting commitment. In banking institutions, equity securities are also acquired in satisfaction of debt and through debt-equity conversion. b. Investment and trading securities may account for a sizeable proportion of the financial institution’s assets and hence, securities of inferior quality may have an adverse impact on the financial institution’s financial condition. Hence the internal auditors should be 12.4.5. Information Systems
a. The financial institution shall have an effective information system audit function to evaluate the internal controls of the computerized system. b. The information system auditors should review the effectiveness of information systems in supporting the business activities of the financial institution and the adequacy of controls over the information system programming, computer operations and security, teleprocessing and data integrity. In reviewing information systems auditors should pay particular • Computer operations procedures and physical • Computer security e.g. password issuance and maintenance, follow up on access violation; • System reliability and availability; 13. Effective
These guidelines are effective from 30 September 2004. Questions relating to these guidelines should be addressed to the Division Chief, Bank Licensing, Supervision & Division Chief
Licensing,
Supervision & Surveillance

Source: http://www.baz.org.zw/sites/default/files/BSD%20INTERNAL%20AUDIT%20GUIDELINES%20IN%20_.pdf