
STATE BANK OF PAKISTAN

Guidelines on Internal Audit Function

Banking Policy & Regulations Department

The Team

1. Syed Irfan Ali, Executive Director, Banking Policy & Regulations Group
2. Mr. Muhammad Akhtar Javed, Director, Banking Policy & Regulations Department
3. Mr. Muhammad Qaisar Raza Malik, Sr. Joint Director, Banking Policy & Regulations Department
4. Mr. Zuhaib Pasha Khero, Joint Director, Banking Policy & Regulations Department

Table of Contents

INTERPRETATIONS
INTRODUCTION
OBJECTIVES
SCOPE OF GUIDELINES
EFFECTIVE DATES
AUDIT GOVERNANCE
BOARD AUDIT COMMITTEE (BAC)
AUDIT COMMITTEE CHARTER (ACC)
MANAGEMENT
ROLES & RESPONSIBILITIES OF CIA
INTERNAL AUDIT CHARTER (IAC)
ORGANIZATION OF IAF
PROFESSIONAL PROFICIENCY
RESOURCES
TRAINING
CODE OF ETHICS
INTERACTION WITH REGULATORS & EXTERNAL AUDITORS
SCOPE OF AUDIT WORK
  i. Adequacy & Effectiveness of Internal Controls
  ii. Reliability & Integrity of MIS
  iii. Expenditure Control & Safeguarding of Assets
  iv. Discovering Frauds, Errors, and other Irregularities
  v. Adequacy & Effectiveness of Risk Management Activities
  vi. Information Technology (IT) and Shariah Audit
  vii. Optimal Utilization of Organizational Resources
AUDIT PROCESS AND METHODOLOGIES
INTERNAL AUDIT STRATEGY
RISK BASED AUDIT PLAN (RBAP)
RISK BASED INTERNAL AUDIT (RBIA)
RISK ASSESSMENT FOR THE PURPOSE OF INTERNAL AUDIT
INTERNAL AUDIT MANUAL
AUDIT TECHNIQUES/PROCEDURES
AUDIT RESULTS & REPORTING
FOLLOW UP OF AUDIT RECOMMENDATIONS
CONFIDENTIALITY OF AUDIT REPORTS & WORKING PAPERS

INTERPRETATIONS

Administrative Reporting: Covers matters such as applications for leave, staff loans, advances and claims as
per the FI's approved policies. In the case of the CIA, however, the BAC shall approve any deviation from such policies.

Assurance: In the context of these guidelines, assurance means an independent and reasonable
assertion by the FI's internal audit function (IAF), based on sufficient, relevant and reliable evidence, that the FI's
implemented system of internal controls is working effectively.

Auditable areas or Auditee: Any unit or activity within an organization subject to audit.

Audit Universe: The potential activities/processes/functions/departments/units subject to audit, as
determined/categorized by the Internal Audit Function of the FI after discussions with management. The audit
universe can be determined/categorized using a vertical (top-down) approach, a horizontal (cross-functional)
approach, or a mix of the two.

Chief Internal Auditor (CIA): The person who heads the internal audit function (IAF) in an FI.

Effective: A process/activity that successfully achieves the objectives it was established/undertaken for.

Financial Institution (FI): For these guidelines, the FIs mean all banks/DFIs and Micro Finance Banks.

Internal Auditing: “an independent, objective assurance and consulting activity designed to add value
and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control,
and governance processes (IIA).”

Management: Refers to the Chief Executive Officer and other key executives of FIs as defined in
Prudential Regulations (PRs) for Corporate & Commercial banking as amended by SBP from time to time.

Management Audit: Also referred to as value for money auditing, performance auditing and efficiency
auditing to review and evaluate performance of management (at all levels) in managing and utilizing
available resources in an efficient and effective manner.

Risk Management: A logical and systematic method of establishing the context, identifying, analyzing,
evaluating, treating, monitoring and communicating the risks associated with any activity, function or
process in a way that will enable the organization to minimize losses and maximize opportunities.

System of Internal Controls: The whole system of control established and implemented by management
of FI to conduct its business activities in an orderly and efficient manner, ensure adherence to management
policies, safeguard assets and ensure, as far as possible, the completeness and accuracy of records.

INTRODUCTION

1. In the wake of several instances of market failure, in both the developed and the developing world,
Governance, Risk and Compliance practices have come under a strong and critical public spotlight in
recent years. The banking industry in Pakistan has, under the stewardship of the State Bank of Pakistan
(SBP), undergone a complete makeover over the last fifteen to twenty years in almost all areas of its
operations: governance & risk management, modernization of operations, development of new
products & services, branchless banking, adoption of modern technologies, customer service orientation
and penetration of new areas & markets, to name a few. In addition to this transformation, FIs in
Pakistan have been tested by good and bad times, and almost all of them have readjusted their business
models to meet the dynamic and growing needs of market participants.

2. The SBP, being a robust and dynamic regulatory authority, continues to strengthen its regulatory
framework in the light of changing market dynamics and international best practices in all critical areas of
operation of a Financial Institution (FI). However, Internal Auditing is one of the areas where no
regulatory guidance has been issued so far, either by SBP or any other regulatory authority in Pakistan.
The Internal Audit Function (IAF) is one of the fundamental components of overall corporate governance
framework in any organization including FIs. The internal auditors and IAF work on behalf of FIs Board
of Directors to provide independent assurance to the Board on the adequacy and effectiveness of internal
control systems as implemented by FI’s Management.

3. The need for a strong and effective IAF was never felt as acutely as when market failures forced
standard-setting bodies and regulatory authorities to recognize that the development of the IAF had not kept
pace with the fast-changing dynamics in which FIs conduct their business. In addition, the fast-changing
technological & business landscape, enhanced regulatory expectations, competitive market
forces, market disruption and the increasing complexity of operations have increased the type and level of
risks that an FI faces, and have forced FIs' Boards & Management to realize the importance of
investing in strengthening the overall internal control framework, including the IAF.

4. These changes in the drivers of risk as well as ever changing/evolving risk exposures of FIs call for a
more dynamic rather than static audit process. For this, the internal auditors are expected to play a greater,
risk focused and more proactive role in carrying out management and compliance audits enabling FI to
achieve its goals and objectives. It is high time that the importance of IAF be re-emphasized for a FI
where the IAF should not only be construed as a routine compliance based activity but a quality resource
which can add value to the organization by helping management identify the governance, policy and
process level gaps that may expose the FI to variety of existing or new risk(s) thereby hindering its ability
to achieve its goals and objectives.

OBJECTIVES
1. The IAF is one of the key elements of the overall internal control system, since it
provides independent assurance of the adequacy and effectiveness of the implemented policies, systems,
processes, controls and Shariah compliance (where applicable[1]) in achieving organizational objectives.
Besides, the existence of a robust, independent and effective IAF can provide sufficient comfort to
regulatory/supervisory authorities on the overall governance, risk and compliance environment in the FI,
thereby leading to a more efficient allocation of scarce supervisory resources.
2. These guidelines are intended to set regulatory expectations for a strong, independent and effective IAF
and also provide guidance on standardized and risk based practices of internal auditing. These guidelines
would serve as a basis for performance appraisal of IAF by Regulatory/Supervisory Authorities and Board
Audit Committee (BAC). In addition, these guidelines emphasize the role, duties and responsibilities of
Chief Internal Auditor, internal auditors, BAC; their interaction with management, external auditors and
regulators; and how IAF can contribute in enabling the organization to achieve its objectives. These
guidelines provide the minimum requirements that FIs need to fulfill while establishing a strong and
effective IAF. The FIs are strongly encouraged to consider the requirements of these guidelines as
‘minimum’ and should strive to build on this foundation by adopting more advanced tools, methods,
approaches and processes.
3. The perception of the IAF and the nature of work expected of internal auditors is undergoing a major
shift across the world. While such changes principally require IAFs to be proactive & risk-focused in their
approach to helping management achieve its objectives, this does not mean that the IAF should
abandon its focus on transaction testing & validation of systems and processes. These guidelines intend to
encourage banks to adopt the latest trends in internal auditing, especially risk-based auditing, to make use
of the IAF's experience to improve the internal control environment by providing consultancy services to
management, and to enhance the IAF's acceptability with auditees by adopting a more constructive approach,
without compromising on the primary objective of providing assurance.

SCOPE OF GUIDELINES
1. The Guidelines are applicable to all Banks/DFIs/MFBs.

2. The scope of guidelines is limited to provision of uniform and standardized general guidance on
important and critical aspects of IAF and internal auditors of FIs and is not intended to cover all possible
situations that the IAF or internal auditors may face in performing their roles and responsibilities. All the
footnotes shall be considered as part of guidelines.

3. The IAF and internal auditors should also be guided by the standards/ pronouncements issued by the
relevant international/national professional bodies/institutions on auditing methodologies with respect to
several auditable areas as well as Quality Assurance programs.

EFFECTIVE DATES
The FIs shall take the necessary steps, keeping in view their size and the nature and complexity of their operations, to
align their IAF with the instructions given in these guidelines by December 31, 2018. However, the
FIs shall have time until June 30, 2018 to implement a system solution for the IAF.

[1] In the case of full-fledged Islamic banks and conventional banks with Islamic banking operations, the Shariah audit shall be
considered an important part of the organization of the IAF and the scope of its activities. The relevant FIs shall take all measures possible
to strengthen their Shariah audit function in line with the instructions of these guidelines.
AUDIT GOVERNANCE
1. The ultimate responsibility for creating and maintaining an effective internal control system rests
with the Board of Directors (BoD) of an FI. However, as per SBP Prudential Regulations/other instructions and
SECP's Corporate Governance Regulations (where applicable), it is mandatory for all FIs to have a
separate Board Audit Committee (BAC) to oversee the FI's matters related to internal controls, external audit,
internal audit etc. The FIs shall continue to comply with existing SBP & SECP regulations (where
applicable) with respect to the BAC.

2. These Guidelines, however, are intended to build on that foundation and provide for a broader, pro-
active, and comprehensive role of BAC in the overall framework of internal control systems in FIs.

BOARD AUDIT COMMITTEE (BAC)


1. An independent and effective BAC is one of the fundamental components of a robust corporate
governance framework in any FI. No other committee of the board of an FI is more focused on, or as
involved in, ensuring the efficacy of governance practices in the entity as the BAC. The BAC is entrusted
by the BoD with the central role of assisting the board in fulfilling its oversight responsibilities for the
adequacy & effectiveness of the overall internal control system. The BAC thus acts on behalf of the BoD of the FI,
with the responsibility to ensure that management, at all times, maintains and promotes a strong internal
control system so that all management actions & decisions are taken in the best interest of the FI.
The BoD should keep itself aware of the activities of the BAC and, as good practice, may review the minutes of
BAC meetings.
2. The BAC, being one of the highest forums for evaluating the alignment of the FI's internal control system with
its overall strategy, business model and objectives, is expected to demonstrate the highest standards of
professionalism and integrity in the performance of its responsibilities. The BAC should expect the same conduct
from the FI's senior management in order to create a uniform 'tone at the top' with respect to the
implementation of internal controls. The BAC shall then, through the IAF, monitor how that
'tone' is carried down the line into business operations to help the FI achieve its objectives.
3. In order to be effective, it is important that BAC members should remain aware of best practices in
internal auditing profession and are capable of assessing the effectiveness of existing audit processes and
gaps therein.

AUDIT COMMITTEE CHARTER (ACC)


1. The FI shall comply with all the relevant regulations with respect to establishment, composition,
frequency of meetings and other related matters pertaining to BAC. Besides, the operations of BAC shall
be governed under ‘Audit Committee Charter (ACC)’, approved by BoD that should serve as a ‘blueprint’
for its operations and delineate the basic framework under which the BAC would perform its assigned
responsibilities. While the ACC is supposed to be a uniquely customized document to capture the
objectives, mission and overall organizational culture of the FI, it should at minimum, cover the following
components:

- Purpose, Objectives and Authority;
- Composition & Frequency of meetings;
- Roles & Responsibilities;
- Frequency & mechanism of reporting to the BoD;
- Performance evaluation mechanism of the Committee (itself);
- Frequency of review of the ACC.
The Board should, on an annual basis, review the performance and effectiveness of BAC against the roles
& responsibilities set forth in the charter and make necessary changes, either in its charter or its
operations, to fill the gaps.
2. In addition to the existing responsibilities mentioned in the relevant codes/regulations, the following should
also be included in the ACC as the terms of reference (TORs) of the BAC of an FI. The BAC[2] shall:
1. Ensure that IAF has adequate & required physical, financial, system, human and operational
resources to carry out their mandated responsibilities effectively as per Internal Audit Charter
(IAC) and that internal auditors receive sufficient necessary training to remain up-to-date on
auditing tools, techniques and methodologies.
2. Develop the criteria for performance evaluation of the Chief Internal Auditor (CIA) and of the IAF
and evaluate their respective performances[3] against the set criteria on an annual basis.
3. Ensure that the quality of the IAF is assessed by a relevant external agency at least every 3 years.
The first such assessment (if no such assessment has been conducted within the last 3 years) shall be
initiated by the FI within 6 months of the issuance of these guidelines.
4. Have complete authority, independence and budget to conduct investigations (utilizing internal as
well as external resources) into any matters within its scope of responsibilities.
5. Facilitate Board in establishing an unambiguous & observable ‘tone at the top’ for strong and
effective internal controls based on & supported by strong ethical practices, comprehensive
policies, procedures, processes and technological systems.
6. Establish, maintain and promote a continuous communication with senior management regarding
deficiencies in internal control system, actions taken to address identified deficiencies and
ascertain any new developments to achieve a uniform organization-wide commitment/buy-in for
strong and effective internal controls.

[2] As stipulated in these guidelines, the expected role and responsibility of a BAC is to provide a platform for the CIA and IAF to
present their findings and to get senior management to fill the identified gaps as swiftly as possible. However, the effectiveness,
independence and influence of the BAC in an FI depend to a great extent on the professional competence of the
members themselves.

[3] It may, however, be noted that a failure of the IAF to perform its mandated responsibilities reflects on the effectiveness of the
BAC itself. If the IAF is not meeting its mandate and the BAC's expectations, the cause may lie with the BAC itself, i.e.
the BAC's failure to communicate its expectations clearly, the IAF not understanding the BAC's needs, the BAC not providing the critical
support that the IAF needs to withstand management pressure, the IAF not being provided with the required financial, physical,
system & human resources, the BAC not taking sufficient action to implement change, or all of the above.

7. Remain aware, recognize trends/themes and review management’s plan to address significant
internal control breaches/issues, investigations, frauds, disciplinary actions etc.
8. Ensure that all employees, senior management and board receive code of conduct/ethics,
understand it, and obtain appropriate training/awareness sessions on its importance and
integration into day to day business processes.
9. Review and monitor the independence, performance and effectiveness of IAF & audit process.
10. Receive and review a summary[4] of reported violations identified by internal auditors and the follow-up
actions taken by management, to ensure that audit observations/recommendations receive proper
and timely attention by senior management.
11. Obtain from the CIA an independent and objective assessment of the adequacy and effectiveness of the
controls over (1) financial reporting, (2) business operations[5], and (3) compliance with laws &
regulations (including Shariah standards where applicable), on an annual basis and at other times as
necessary.
12. Review & approve an annual internal audit plan that adequately covers all the high-risk areas[6] of the FI's
operations, based on risk assessments conducted by the IAF.
13. Review & approve an annual internal audit budget that is sufficient to carry out planned audit
activities; review performance against budget, and determine if the variance observed is justified.
14. Report to BoD any significant matters identified by CIA or external auditors that warrant board's
attention.
15. Establish whistle blowing procedures for receiving (through internal or external sources)
complaints/concerns regarding business ethics/conduct practices, governance & risk management
practices, controls over financial reporting, auditing practices etc. The BAC must ensure that such
concerns are treated confidentially such that when highlighted by employee(s), they remain duly
protected and are not penalized in any manner. The BAC should ensure that employees remain
aware of existence of such procedures; the procedure to utilize it and are encouraged using it
when needed.

[4] The summary of audit observations presented to the BAC should be comprehensive and must include all high, medium &
low risk observations. The BAC should also be presented with a robust analysis and reports on the themes and trends of
internal control breaches observed by the IAF during the course of its audits. BAC reporting should be comprehensive enough
to enable BAC members to remain fully informed of the state of internal controls in the FI.

[5] This includes all functions of the FI, including risk management, credit operations, general banking operations, IT systems, BCP
& DRP, AML & CFT operations, effectiveness of the compliance function, treasury, SAM and the various other departments that are
important components of the entity's overall governance, financial and operational structure.

[6] Audit will conduct a risk assessment purely for the purpose of audit planning, i.e. committing immediate and greater
resources to activities/areas assessed as high risk without compromising the level of audit attention on other areas.
These risk assessments would primarily be based on last year's audit observations and compliance against them, any information
shared by the compliance department with the IAF, regulatory inspections, the surfacing of fraudulent activities, etc.

16. Review and approve the Internal Audit Charter (IAC) in the light of the instructions of these guidelines.
The IAC should include details of the IAF's advisory role[7], setting out the extent and nature of
assignments, level of engagement, conflicts of interest, number of assignments etc.
17. Provide its fullest support to IAF and internal auditors to perform their mandated activities
independently and in objective manner.
18. Ensure that available audit resources are being utilized effectively and efficiently to get insights
into how well the management is managing all critical risks of FI. The BAC should challenge any
audit activity that is not designed to address a specific risk or covers an immaterial risk resulting
into inefficient use of audit resources.

MANAGEMENT
1. The management of FI is primarily responsible for preparing, establishing, implementing and
maintaining effective system of internal controls in the FI. For this, management should design and place
appropriate structures that clearly assign the authorities, responsibilities, duties and reporting lines in the
organization. In order to bring the needed improvements in the existing system of internal controls, the
management should take audit observations/ recommendations seriously and take all necessary steps to
fill the identified gaps as swiftly as possible. Besides, the management should also keep the IAF fully
informed of any substantial new developments, initiatives, products and operational changes so that the
annual audit plan can be modified to reflect the new associated risks. The IAF should also
establish regular communication channels, formal or informal, with the other internal governance functions
(risk management, compliance, finance etc.) to remain aware of their activities and issues.

2. In order to benefit from internal auditors’ rich and diverse experience, skill set and expertise in various
areas of FI’s business, the management may engage IAF for consultative/advisory services under a clearly
communicated and agreed upon scope & nature of deliverables of any such assignment. The advisory role
of IAF can be highly beneficial to management and add great value to overall the organization if timely
solicited by management and professionally executed by internal auditors. The most appropriate time for
involving the IAF[8] in a consultative process is at the outset of a new project, so that the feedback of the
IAF can easily be incorporated instead of redesigning everything when the IAF's advice is sought at the end of the
development process.
3. The purpose of consultancy/advisory services by the IAF is to share its expertise with management in
the context of the internal control environment across the organization. It should, however, be made clear that
the internal auditors and/or the IAF, individually or collectively, shall bear no responsibility for the
subsequent implementation and/or consequences of the process/system/activity/product on which advice
was given to management.

[7] The IAF, after fulfilling the needs/requirements of its primary function of assurance, may utilize audit resources for
consultancy/advisory services; however, even in such a case the allocation of audit resources to consultancy/advisory services shall
not be more than 5 to 10% of available audit resources. In addition,

[8] It is a general practice in FIs to include the CIA as a 'guest member' of various management committees to seek his/her
feedback (on behalf of the IAF) on various matters. While this practice may be easy to adopt, it may not be the most
appropriate way to seek IAF input/feedback. Going forward, FIs shall include the CIA as a 'guest member', without
any voting rights, only on committees that pertain to control functions such as risk management, compliance etc. The
management, if required, shall seek the services of internal auditors for advisory purposes under a formal arrangement that clearly
delineates the scope and other relevant matters of such an advisory assignment.
4. The CIA should take all necessary steps to ensure that providing consultancy/advisory services by
internal auditors does not in any way affect the availability of audit resources to conduct their primary
function i.e. provision of independent assurance.

ROLES & RESPONSIBILITIES OF CIA


1. The Chief Internal Auditor (CIA) shall lead the IAF in an FI, provide direction & support to internal
auditors in the performance of their duties and play his/her due role in promoting good governance practices
in the entity.

2. In order to steer the way ahead, the CIA must engage with all stakeholders in a challenging but
positive/constructive way, enabling internal auditors to perform their duties independently and objectively.
Besides, while identifying and reporting internal control weaknesses, the CIA must exercise
sound judgment and take a balanced view in determining their significance in the overall control
environment of the FI.

3. In order to maintain independence, the CIA must report functionally to the BAC and administratively
to the Chief Executive Officer (CEO) of the FI. In addition, to maintain his/her stature, the CIA shall
preferably be a senior officer of SEVP level.

4. The CIA should be an audit professional meeting the minimum requirements as mentioned in SECP
codes/regulations issued from time to time and must have in-depth knowledge of FIs’ business and
structure; should be straightforward, honest and person of integrity; and must be professionally competent
with adequate technical & communication skills to perform his/her roles and responsibilities.

5. In addition to roles and responsibilities of CIA mentioned in various sections of these guidelines, the
CIA shall have following roles and responsibilities;

1. Provide an independent and objective annual opinion, without fear or favor, to the BAC on the state of
internal control systems (including shariah compliance, where applicable) in the FI. The
annual opinion shall be based on audit assignments undertaken during the year and shall be
supported by specific audit observations/conclusions.
2. Ensure that there are no restrictions on internal auditors' access to records, information,
people, processes, systems and properties, so that they can perform their audit activity with objectivity.
3. Ensure that international professional internal audit standards are complied with to the extent
that these are not in direct conflict with regulatory instructions.
4. Conduct, on an annual basis, a thorough analysis of the IAF's performance to ascertain whether it
meets the needs and/or expectations of stakeholders and adds value to the organization; identify
areas for improvement to increase the IAF's efficiency and effectiveness; and take the necessary
steps to improve the quality of audit activities/processes in the light of the IIA's standards on Quality
Assurance and Improvement Program.
5. Ensure that the professional and personal training needs of internal auditors are periodically
assessed and adequately met, and that auditors are professionally well developed (demonstrating the
highest ethical and professional standards) and are motivated to perform their work with
dedication and diligence.
6. Since a great deal of reliance is placed on the work of internal audit, the CIA should put in
place an adequate ongoing monitoring/quality assurance mechanism to ensure that audit
processes/procedures are being followed and that the output is evidence based and of good
quality.
7. Review the FI's significant outsourcing/partnership arrangements to ensure that proper controls
are in place to protect the FI's interests.
8. Liaise closely with the external auditor to share knowledge, understand the extent of the external
auditor's reliance on the work of the IAF, and devise an audit plan that leads to effective utilization
of limited audit resources.
9. Develop and implement a risk based internal audit strategy9, for approval of the BAC after
consultation with relevant stakeholders, that fits with and supports the FI's overall
strategy/objectives. The CIA may also use the FI's risk register when developing the risk based
internal audit strategy and audit plans.
10. Prepare a risk based10 annual audit plan for approval of the BAC and ensure that it is flexible
enough to allow for the allocation of suitable resources for investigations into significant matters
that emerge over the year. Proposed consultancy/advisory assignments may also be made
part of the plan subject to the availability of audit resources.
11. Remain aware of new systems as well as major changes in the
institutional/structural/operational/technological setup of the FI, so that the required changes in
the internal audit plan are made to evaluate the FI's preparedness for, and management of,
new/emerging risks.
12. Formulate a policy delineating the extent to which the IAF will rely on the work of other control
functions, i.e. risk management, compliance, or any other control function, for its assurance
on the FI's internal controls vis-a-vis risks.
13. Report to the BAC on a regular basis the results of audits, highlighting significant audit findings,
internal control concerns and shariah noncompliance issues (where applicable), along with
recommendations.
14. Ensure prompt communication of all significant deficiencies, material weaknesses and frauds
to the BAC, with appropriate follow-up on the progress made in filling the identified gaps.
15. Report to SBP any significant audit findings uncovered during the audit process that may have a
serious impact on the FI's financial and operational condition and are not being properly
addressed by management and/or the BAC.

9 The audit strategy is discussed in sufficient detail in a separate section of these guidelines. The primary responsibility for effective
governance arrangements (including risk management) to conduct its business remains with managers; the CIA cannot be
expected to prevent or detect all weaknesses or failures in internal control, nor can the internal audit strategy or internal audit plan
cover each and every area of risk across the organization.

10 The risk based internal audit plan is covered in a separate section of these guidelines.

16. Ensure that the IAF has an adequate budget, systems, human resources11 with relevant
qualifications, expertise, competencies and skills, and other required resources to fulfill its
mandated responsibilities.
17. Ensure that the IAF in general, and internal auditors in particular, have the capacity to review key
risk management functions, establish interlinkages between different business
processes/functions, challenge management assertions on a sound footing, understand regulatory
and Shariah requirements (where applicable), etc.
18. Engage with internal audit teams on a regular basis to provide guidance and to ensure that they
are up-to-date on current issues affecting the FI and on internal audit techniques and developments.
19. Assist the BAC in establishing an ethics policy and whistle blowing procedures through which the
employees or customers of the FI can voice their concerns about controls/accounting systems
/frauds/misconduct, etc.
20. Assist the BAC to remain abreast of material changes under consideration by regulatory
authorities and/or accounting standard setting bodies, to gauge the FI's preparedness for the
same.
21. Evaluate the implementation and effectiveness of performance management and
accountability mechanisms in the FI at all hierarchal levels.

INTERNAL AUDIT CHARTER (IAC)


1. As the 'Audit Committee Charter (ACC)' serves as a blueprint for the operations of the BAC, the 'Internal
Audit Charter (IAC)' serves as a blueprint for the IAF that defines the very purpose, authority, scope and
responsibilities of the IAF. The IAF is required to have an IAC, approved by the BoD (on the recommendation
of the BAC), that formally establishes the purpose and position of the IAF in the overall governance structure of
the FI and clearly defines and differentiates the roles and responsibilities of other stakeholders (senior
management, auditees, other control functions, etc.). Keeping in view the constantly changing
environment and associated risks in which FIs operate, the IAF should ensure that the IAC and the
internal auditors adapt to these changes to remain relevant and effective.

2. The BAC, in consultation with the CIA, should develop an IAC that caters to the specific needs of the FI;
however, at a minimum, an IAC should cover the following areas:

a) The formal standing, authority, powers and responsibilities of IAF in FI in the light of these
guidelines, international best practices & standards as well as its relations with other control
functions.
b) The authority of IAF to openly and independently express its opinion on different affairs of
the institutions' controls.
c) The purpose and scope of the IAF activities and roles and responsibilities of auditors and
management (where relevant).
d) Internal auditors' unrestricted access to the FI's records, files, data, information, meeting
minutes, people and properties.

11 The requirement of human resources for the IAF should be based on a comprehensive workload assessment for each internal
auditor/audit team, such that they are provided with sufficient time to conclude their audit assignments without compromising
audit report quality. The assessment shall be led by the CIA in consultation with the BAC and the FI's HR department.

e) The nature and extent of the IAF's advisory/consultancy services with respect to the strengthening of
internal controls as well as compliance with regulatory requirements.
f) The organizational independence of IAF and independence & objectivity of auditors.
g) IAF’s reporting mechanisms to BAC and other relevant stakeholders (internal & external).
h) The criteria for, and the extent to which IAF may engage external consultants/experts to
perform specific audit related tasks.
i) The responsibilities, performance evaluation and accountability of CIA and internal auditors.
j) Compliance with international internal auditing standards.

ORGANIZATION OF IAF
1. There are several factors that can influence the IAF's effectiveness and performance in overall
organizational governance, such as: i) the recognition of the importance of internal audit, ii) the acceptability of
the IAF as a partner of the board of directors in overseeing senior management activities, iii) the internal
organization of the IAF (e.g. size, professionalism, effectiveness of the CIA, structure down the line, skill-set),
and iv) the IAF's relationship with the BAC and auditees.

2. Whatever way the IAF is organized, its independence shall be fully ensured. The independence of the IAF,
along with the independence12 and objectivity13 of internal auditors, are the two key and defining ingredients of an
effective IAF. The key aspects that help in establishing the independence of the IAF are i) that it has a direct
functional reporting line to the board or the BAC, and ii) that its role is institutionalized/formalized under a board
approved 'Internal Audit Charter (IAC)'. As a matter of fact, the IAF shall not only be independent on 'paper' but
its independence should also be 'visible' in practice. For this, the CIA must confirm to the BoD or the BAC, at
least annually, the organizational independence of the IAF.

3. FIs are free to decide on the organization of the IAF keeping in view their size, jurisdictions served,
complexity of operations, processes implemented, etc.; however, whatever way the IAF is organized, it
must be ensured that this does not put the IAF in a position where its primary objective of providing
independent and objective assurance on the FI's internal control system is compromised.

4. The BAC and the CIA should ensure that the IAF is organized in a way that ensures optimal utilization of audit
resources, increases the CIA's engagement with audit teams/set-ups down the line, ensures clear
communication among audit teams auditing different and/or interdependent processes/functions, enhances
the sharing of knowledge and information among internal auditors, ensures critical yet constructive engagement
with senior management and auditee units, etc. In addition, the structure of the IAF at Head Office and down
the line should be such that it ensures that the auditors performing the work have relevant technical and
social skills and sufficient knowledge of the work being audited, and are able as well as motivated to perform
their responsibilities honestly and diligently.

12 Independence in the context of internal audit refers to two aspects: 1) the positioning of the IAF in the FI such that it conducts
its operations with complete independence, and 2) the independence of the internal auditor. The 'Institute of Internal Auditors' (IIA)
refers to independence as the freedom from conditions that threaten the ability of the internal audit activity to carry out internal
audit responsibilities in an unbiased manner.
13 Objectivity primarily refers to a personal trait of the internal auditor. The Glossary of the IIA refers to objectivity as "an unbiased
mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and
that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit
matters to others".

5. Besides, in order to audit certain specialized functions/activities like treasury, IT & IS, trade, risk
management operations, etc. where specialized skill set is required, the CIA should hire/develop subject
specialists to perform such audit activities. In addition to operational audits, the CIA should establish a
separate ‘risk review’ function/division/department under IAF to perform independent risk reviews of
FIs’ lending operations in line with SBP’s Risk Management Guidelines.

INDEPENDENCE AND OBJECTIVITY OF INTERNAL AUDITORS


1. In order to perform their responsibilities without any fear or favor and to arrive at unbiased and impartial
judgments/conclusions regarding the internal control system in the activities being audited, it is essential that
internal auditors enjoy individual independence (on paper as well as in practice) and are objective in their
approach. The CIA should manage all actual or perceived threats to the independence and objectivity of an
internal auditor at the assignment/engagement and/or functional levels.

2. The BAC in consultation with CIA should take all necessary actions to ensure individual independence
and objectivity of internal auditors. Some of the steps that may be taken are given below:

1) Ensure that remuneration of internal auditor is not linked (in any way) to the financial
performance of business activities that are being audited.
2) Whenever possible and without jeopardizing the competence and expertise of internal
auditors, the internal auditors should be rotated within various divisions/sections of IAF
relevant to auditors’ skill set & expertise.
3) Under a formal rotation policy of FI, ensure rotation of staff from other functional areas of FI
to IAF on periodic basis and in a systemic way that does not have any major negative impact
on performance of IAF.
4) CIA to devise a policy to address the issues of individual independence and objectivity that
may arise after completion of rotation exercise to IAF. The policy should provide for means
to remove any conflict of interest of newly rotated staff by not assigning them the audit of
activity14 that they were previously involved in/responsible for in line with the ‘cooling off’
period requirements of IIA.
5) CIA to ensure that internal auditors disclose any conflict of interest prior to starting their
audit assignment arising either from their professional or personal relationships with the
activity being audited.
6) While the IAF and the internal auditors may provide consultancy/advisory services to
business functions in their area of expertise (under a formal arrangement in line with a BAC
approved policy), they should not, in any way, be involved in or assume responsibility for
designing and/or implementing controls.

14 While the internal auditors may provide advisory/consulting services relating to operations for which they had previous
responsibilities, in order to remove any actual or potential conflict of interest, proper disclosure must be made to the
management before starting the advisory assignment.

7) Ensure that the team which provided the advisory services to management is not assigned
to audit the same auditable activity until the completion of two audit cycles.
8) Ensure that there are no undue scope/timeline limitations and/or funding deficiencies for
audit assignments, enabling internal auditors to have a complete and comprehensive review of the
audited activity/function before finalizing their judgment/conclusion.

PROFESSIONAL PROFICIENCY
1. The internal auditors should conduct their audit activities in a professional manner with utmost care.
This becomes more important in cases where audit is evaluating certain business areas/functions/process
where high level of judgment is involved and their observations/conclusions may have a direct impact on
the future decisions or the course of action adopted by management.

2. The CIA should ensure that the IAF has a mix of professionally competent, technically sound,
knowledgeable and skilled internal auditors capable of evaluating the internal control systems of all core and
support functions of the FI. The quality of the audit report and audit findings is directly linked with the quality
and experience of the audit staff performing that audit; hence, assigning the right auditors to perform the right
audit may greatly enhance the quality of audit output. The quality of audit reports is enhanced when the
auditors performing the audit activity are capable of asking the right questions, collecting and synthesizing
different pieces of relevant information, evaluating audit evidence and establishing a proper audit trail.

3. Since business functions always resort to innovations and bring in new processes, activities,
products and services to meet their business objectives, the CIA should also keep on assessing the skill set
that needs to be inducted into the IAF, with relevant qualifications, experience, competencies and skills.
Besides, given the different roles and functional responsibilities of auditors at the same or different hierarchal
levels, it must be ensured that their skill set and competencies are commensurate with their respective roles
and responsibilities. In addition to managerial skills, internal auditors at the senior/managerial level should
have sufficient audit and business knowledge to understand and derive linkages from the audit reports of
various audit functions, so as to construct a macro picture of deficiencies in the implementation of internal controls.

RESOURCES
1. The BAC, in consultation with the CIA, must ensure that the IAF's staffing needs at all hierarchical levels are
met with people having relevant skills, experience, knowledge and competencies. The CIA, in consultation
with the BAC, should work with the HR department of the FI to set up suitable criteria and an assessment and hiring process
for the recruitment of internal audit staff at all hierarchal levels, as well as their performance evaluation
mechanism. The CIA, in consultation with the BAC, may also decide on hiring/using specialist
staff/consultants, especially when the activities to be audited are highly technical in nature.

2. In order to ensure organizational and functional independence of IAF, the remuneration, benefits and
other terms & conditions of internal auditors at different hierarchal levels shall be determined by CIA and
approved as well as periodically reviewed by BAC and board HR Committee.

3. In order to increase the efficiency of the IAF as well as of internal auditors, the CIA, in consultation with the
BAC, should develop and implement a comprehensive automated system capable of handling the complete
audit process/lifecycle, starting from data collection, risk assessment, audit planning, audit execution,
audit review, audit reporting, recommendations and follow-up.

The system should be capable of supporting all types of audits, i.e. operational audits, IT audits and
management audits, and shall facilitate auditors in collecting audit evidence and recording audit findings,
along with detailed observations and recommendations, in standardized templates. The availability of such
a system to the CIA/regional audit head/section head shall also help them in keeping track of the audit
process and in making the necessary resource reallocations to complete audit assignments in time.

The audit system shall help in saving the time spent on the preparation of working papers and audit reports and
on the subsequent communication of audit findings/recommendations to management for discussion and action.
Such a system shall enable the IAF to record draft and final audit reports with complete details and records of the
past several years, enabling it to comprehensively assess the status of internal controls in a particular
auditable area over the course of the past several years.

TRAINING
1. A comprehensive training program for internal auditors is essential to keep pace with the latest
developments in auditing methodologies, tools, techniques and approaches, as well as the emerging
challenges/risks that FIs may face. The BAC, in consultation with the CIA, should ensure that IAF staff
remain equipped with the relevant skills, knowledge and competencies to perform the ever changing
type/nature of audit assignments, and are able to perform their responsibilities in changing roles over
their careers in the IAF.

2. The CIA should develop a comprehensive & continuous training program for auditors at all levels in
line with SBP guidelines on Training & Development as issued vide BPRD Circular # 12 of 2016.
Besides, the CIA should ensure that on-the-job training is provided to the new recruits under the
supervision of suitably competent and experienced internal auditors. Another way of promoting and
encouraging learning & development initiatives at IAF could be that regular meetings and knowledge
sharing sessions of all auditors are held to share their experiences and exchange information on various
existing and new/developing topics of interest (related to internal audit or business of banking) that can
help auditors in any way possible in performance of their functions.

3. The BAC in consultation with CIA should ensure that IAF has sufficient budget available to impart
required training to internal audit staff.

CODE OF ETHICS
1. Internal auditors should demonstrate the highest ethical standards and professional integrity while
performing audit activities. Such conduct greatly increases ownership of internal audit work on the part of the
auditee and helps create trust between auditor and auditee, which is essential for the successful conduct of
audit activity.

2. All staff of the IAF (including the CIA) are subject to the FI's 'code of ethics/conduct' as well as the code of ethics
established by any relevant international standard setting body. If required, a separate BAC approved
code of ethics/conduct should be developed for internal auditors that addresses, at a minimum, the aspects
of independence, objectivity, competence, confidentiality and integrity.

3. Besides, the CIA should develop a comprehensive mechanism whereby all staff of the IAF (including the CIA)
are required to maintain (at all times) strict confidentiality of the information obtained during the
audit/investigation process, and to ensure that any privileged information is never used by any IAF staff
for malicious action or personal gain.

INTERACTION WITH REGULATORS & EXTERNAL AUDITORS


The IAF should maintain a close coordination with SBP inspection teams and external auditors to seek
their input on the state of internal controls in the FI. The exchange of information between IAF and SBP
and between IAF & external auditors may help in transfer of knowledge/information on state of internal
controls. Such coordination may help IAF to update its audit strategy/plan, revamp audit process, increase
audit resources etc. leading to an optimal utilization of audit resources as well as help in expanding the
underlying expertise.
SCOPE OF AUDIT WORK
1. The IAF shall cover the examination and evaluation of all functions and activities of the FI (including
outsourced activities), as well as the assessment of management's quality in discharging their duties and
responsibilities. While the scope of every individual audit assignment may be different and distinct given the
variety of factors pertaining to the activity being audited, some general guidance is provided
below regarding the audit scope of some critical FI functions/activities. The scope given below provides the
minimum areas that an audit must cover, and should be expanded as much as possible by internal auditors to
achieve specific or general audit objectives.

2. Before starting any audit assignment, it is the responsibility of the CIA/regional audit head/section audit
head, etc., and of the audit team to ensure that the planned coverage and depth of the audit assignment in hand
are commensurate with the risks involved, i.e. an activity or function with a 'high risk' rating during audit
planning shall have a wider/expanded scope than it otherwise would have. Besides, in situations where
there is a logical reason for expanding or limiting the scope of an ongoing audit assignment, the
reasons/justifications for the same must be documented and approved by the relevant audit head or the CIA, as
the case may be.

3. The minimum areas of focus that should invariably be covered in any audit assignment are the following:

i. Adequacy & Effectiveness of Internal Controls


Internal controls, whatever their nature (i.e. physical, system based or managerial) or purpose (i.e.
preventive, detective or corrective), are implemented with the specific objective of streamlining processes,
safeguarding against the misuse of resources/authority, removing actual or perceived conflicts of interest among
the parties involved in the process, strengthening governance practices, etc., such that the organizational
objectives are achieved.

It is the primary responsibility of internal audit to provide assurance on the adequacy and effectiveness of
internal controls, i.e. to ascertain whether the controls are sufficient vis-a-vis the FI's objectives and/or risks and whether
they are working/yielding results as intended. Internal auditors shall, regardless of the nature/type of
audit activity being conducted, test the relevant controls by evaluating transactions conducted during
the period, or under different possible scenarios (wherever applicable), to satisfy themselves about their
adequacy and effectiveness. While doing so, the auditors must be cognizant of the fact that the effectiveness
of internal controls is greatly influenced by the overall control/risk/compliance culture in the FI and,
hence, they must be specific in the identification of gaps as to whether the internal controls are deficient by
design or whether there are weaknesses in their implementation.

ii. Reliability & Integrity of MIS


The capacity, capability and reliability of Management Information Systems (MIS) are of critical
importance for any FI, since the majority of financial and operational decisions/actions taken are primarily
based on, or supplemented by, the information generated from MIS. Internal auditors should,
therefore, put special emphasis on the relevance, integrity and authenticity of the information generated from
MIS, as well as on the adequacy and effectiveness of such systems in the identification, classification, reporting
and protection of information. Internal auditors should evaluate the control mechanism implemented
by management for regulatory reporting and determine whether such controls are adequate and effective.
The internal auditors should also review the accounting records maintained at respective department of FI
and ascertain the adequacy and effectiveness of controls implemented over financial data capturing,
classifications, processing, valuations, and reporting. The internal auditors should check financial data
reconciliation with various other systems to determine the authenticity of accounting record and identify
any gaps/deficiencies.

In addition, the internal auditors should evaluate the communication processes implemented by
management to provide timely and relevant information to concerned decision makers in appropriate
manner.

iii. Expenditure Control & Safeguarding of Assets


The 'assets' referred to here primarily include the physical assets that an FI owns to conduct its business
activities. Internal audit must determine whether management has put in place adequate control
mechanisms to safeguard the FI's physical assets against losses from theft, fire and unauthorized use. Besides,
internal audit shall assess and evaluate, in sufficient detail, the administrative expenditure incurred vis-a-vis
the budget, and the procurement process for physical assets and other assets (acquisition, development and
implementation of technology solutions/systems), and must identify and report anomalies, over invoicing,
misrepresentation of facts, etc. in such processes.

iv. Discovering Frauds, Errors, and other Irregularities


While the existence of an effective system of internal controls serves as a strong deterrent against
financial corruption, frauds, errors, omissions, manipulations and other irregularities (collectively herein
referred to as malpractices), it does not completely eliminate the risk of malpractices
occurring. This is because, no matter how strong a system or process is, there always remains a risk
of manipulation at the hands of employees (who are in charge of the process/system) when they collude
to bypass the implemented process/system.

While it is not the primary responsibility of internal auditors to detect these malpractices during the course of an
audit, they may be held responsible for not being able to identify large scale control breaches if
such malpractices stay unearthed even after several audit reviews. Such a situation also warrants a
comprehensive review of the adopted audit process by the CIA and the BAC, to revise/update it if the need arises.

Despite the fact that detecting these malpractices is not the primary responsibility of the internal auditor,
the internal auditor shall remain responsible for justifying the way the audit activity was conceived,
planned and executed. It is the responsibility of internal auditors to expand the audit scope of business
activities where, as determined by the internal auditor, the likelihood of occurrence of these malpractices is
high. Internal audit shall also assess the adequacy and effectiveness of the implemented controls in
detecting and/or preventing these malpractices (whether intentional or unintentional).

The IAF/internal auditors should conduct separate investigations if they are informed (through internal or
external sources) of such malpractices or major breach of controls. The internal auditors should also be
cognizant of manipulation and misrepresentation of records/information where financial
rewards/promotions of employees (at any hierarchal level) are linked with performance of business
functions/unit/activity.
v. Adequacy & Effectiveness of Risk Management Activities


The risk management function(s) play an important and distinct role in the governance framework of any FI.
Internal audit shall comprehensively assess the adequacy and effectiveness of risk governance
practices, risk management processes, systems, structures, etc. Since risk management activities may
be performed by several different departments/functions of the FI, the IAF should conduct an end-to-end review
of cross-departmental processes to take a holistic view of entity-wide risk management practices and to
ascertain whether these are synchronized with each other and aligned with organizational objectives and
risk exposures.

In particular, internal auditors shall include, at a minimum, the following audit concerns in the audit
scope of risk management activities:

1) The adequacy and effectiveness of the entity-wide risk governance framework vis-a-vis the organizational risk
profile, with clarity on the responsibility of different functions for managing individual/inter-
dependent/overlapping risks.
2) The adequacy and effectiveness of risk management structures, policies, systems and processes for
identifying, measuring, assessing, managing and reporting all kinds of risks, financial as well as
non-financial (non-financial risks include reputational risk, strategic risk, legal risk, conduct risk,
etc.), arising from the FI's activities.
3) Whether the risk management function(s) have the required stature and authority, as well as sufficient
physical, financial and human resources, to carry out their functions effectively as per the
mandate provided by the regulatory authority or in the FI's own policies.
4) The overall risk/compliance culture in the FI and the efforts made by the risk management/compliance
function(s) to inculcate a risk/compliance culture in the FI.
5) The capacity, relevance, integrity, reliability, completeness and comprehensiveness of risk
management information systems, and the timely reporting of such information to all relevant
stakeholders across the FI for informed decision making.
6) Evaluation of the adopted stress testing processes to ascertain their reasonableness, reliability and frequency,
the scenarios used, the assumptions employed, and the extent to which their results are used in the decision
making process.
7) Evaluation of the validity of the adopted risk models on the basis of which several management decisions are
taken. The evaluation may include, among other relevant things, verification of the consistency and
timeliness of the data used in the model and the independence and reliability of the data sources.
8) Evaluation of whether risk impact assessments are updated as circumstances change and are properly and
promptly communicated to the concerned decision makers.
9) Evaluation of whether risk management processes take into account emerging risks, record their
impact and consider them in making relevant decisions.

vi. Information Technology (IT) and Shariah Audit


The scope of the audit of the FI’s IT operations and the reporting of its audit observations shall be the
same as given in SBP’s Guidelines on Enterprise Technology Governance issued vide BPRD Circular #
05 of 2017. The CIA may enhance the scope of IT audit if deemed necessary. The IT audit program
given in the above mentioned guidelines shall be made part of the annual audit plan in light of the IAF
guidelines. Besides, the IAF shall follow SBP’s instructions on Shariah Audit as given in the Shariah
Governance Framework issued in April 2015 and other regulations on the matter issued by SBP from
time to time. All such instructions of the IAF guidelines that are not covered in any of the above
guidelines with respect to IT & Shariah Audit shall remain in force.

vii. Optimal Utilization of Organizational Resources


It is the responsibility of the senior and middle management of an FI to put in place an organizational
structure, supplemented by the right control environment, that ensures and promotes the efficient use of
available organizational resources to achieve the FI’s long term objectives and protect depositors’ interests.
While decisions on the utilization of resources may be taken at various hierarchical levels, the internal
auditors should always evaluate the process through which such decisions were made. This becomes
especially important when it comes to management audits. The internal auditors shall, in addition to
compliance audits, conduct comprehensive management audits with specific focus on i) the level of
understanding of regulatory requirements pertaining to their area of operations; ii) the level of
risk/compliance awareness at senior & middle management level; iii) the extent of use of risk information
in making decisions (where applicable); and iv) the ability & willingness of senior & middle management
to use resources optimally.

The internal auditors shall highlight in their management audit reports the instances of underutilized
resources; non-productive & redundant policies, activities & processes; processes that could be automated
to increase efficiency; gaps/deficiencies (including transparency & fairness issues) in decision making
processes; and staffing issues. The BAC and CIA shall ensure that management has taken the required
actions to address internal audit observations for optimal utilization of resources.

With regard to management audit, the internal auditors shall, in addition to reviewing the internal controls
pertaining to their functions/operations, review the following as well:

1) Clear and measurable objectives and goals are set for business functions/activities and are
properly communicated to all employees and are being met.
2) Evaluation yardsticks (Key Performance Indicators-KPIs) are established and communicated
to all staff for measuring and reporting the accomplishment of objectives and goals.
3) An effective monitoring mechanism is implemented to assess actual performance vis-a-vis
planned activities within budgeted funds and any major deviations are properly documented,
analyzed, investigated and reported to the management and the Board (where necessary).
4) Business functions have adopted a thorough decision making process before initiating any
major project/program by considering the risks, opportunities & threats involved.
5) The assumptions used by management for developing the business/strategic plan for a particular
function/activity and/or for the FI as a whole are relevant, appropriate and reasonable, and the
targets/objectives set are clear and achievable.
6) Appropriate operating standards have been established for measuring the economy, efficiency
and effectiveness of resources employed.
7) Established system/procedures for planning, evaluating, authorizing and controlling the use
of resources are operational, effective and meeting the set standards.
8) Deviations from operating standards are promptly identified, analyzed and communicated to
those responsible for taking timely and proportional remedial measures.

AUDIT PROCESS AND METHODOLOGIES

INTERNAL AUDIT STRATEGY


1. The CIA should develop a multi-year audit strategy/strategic plan for the IAF that can be divided into
annual risk based audit plans. The strategic plan, if conceived, designed and implemented appropriately,
can have a substantial impact in strengthening the organizational control environment, governance practices
and efficiency. The audit strategy is to be approved by the BoD on the recommendation of BAC and must set
out the short term and long term vision, mission and objectives of the IAF. The audit strategy should be
aligned with the organizational vision, mission and objectives such that it helps the board and senior
management of the FI to realize its goals and objectives.

2. The audit strategic plan can be for a 3 to 5 year period depending on the size and complexity of the FI’s
operations and must determine the priority areas/risks/activities for audit and the other contributions that the
IAF can make, through improvement of the control environment, to the achievement of organizational goals.
The CIA could review the allocation of audit resources to various business areas over past years and identify
areas that may not have been properly reviewed or audit resources that may have been
underutilized/mis-utilized, and make these part of the strategy going forward.

3. The audit strategic plan shall be developed after a thorough consultation process with BAC, the board &
senior management (through BAC) of the FI, keeping in view the objectives of audit activities as well as the
expectations of the different stakeholders of the audit activity. The strategic plan shall be flexible enough to
accommodate changes in organizational strategy, business activities, risk exposures, organizational
structures, mergers & acquisitions etc.

RISK BASED AUDIT PLAN (RBAP)


1. The CIA should develop a risk based audit plan on an annual basis in line with the FI’s internal audit charter
and strategy. The annual RBAP should be approved by BAC and must provide for the best and most efficient
use of available audit resources, enabling the CIA to form an objective opinion on the state of the internal
control system in the FI. Since audit resources will always be limited against the demand for assurance (and
advisory services, if any) from various internal stakeholders and/or regulatory authorities, the formulation of
a balanced RBAP may become a challenge for the CIA. Since the CIA is responsible for providing an opinion on
the state of internal controls to BAC on an annual basis, he/she should, at the time of RBAP formulation, strike
a balance [15] between breadth (a broad look at governance and risk management) and depth (drilling down
into specific auditable areas where internal audit can provide valuable insights into the activities being audited).

2. The scope of internal audit is in a sense ‘unlimited’, as it can test whatever controls it deems fit to
provide independent assurance on the state of internal controls. However, in order to discuss and seek
BAC buy-in for efficient allocation of audit resources, the CIA should formulate a list of all potential
areas for audit in order of importance and/or risks involved, together with the available resources. The
BAC should, based on the information it has and/or its expectations of audit, provide its feedback on
which areas/risks shall be included in the audit plan and which other areas may not be provided assurance
due to limited audit resources.

[15] The CIA in consultation with BAC should determine what needs to be audited from within the audit universe. Besides, keeping
in view the maturity of risk management and the state of internal controls in the FI, the CIA may choose to develop a blended internal
audit plan that includes both ‘risk based audits’ and ‘conventional control audits’ depending on the nature and objectives of each
specific audit assignment in the plan.

3. The audit plan should set out the audit objectives, audit universe, scope of coverage, frequency of audit,
resources required and duration of each audit assignment. The frequency and scope of an audit
assignment, as well as the resources required, should be based on prior risk assessments of the auditable
areas by the CIA/internal audit teams. Such a risk assessment should be conducted only for the purpose of
devising a risk based audit plan and should not be used for any other purpose outside the IAF. The risk
assessment methodology used, as well as its periodic review, should be properly documented. The internal
auditors should supplement their risk assessments with the advice/feedback of the board, board committees,
senior management, regulatory authorities and external auditors.

4. As a general guide, each auditable area should be audited once a year; however, the CIA may (in
consultation with BAC) increase or decrease the audit frequency of any auditable area based on the
results of risk assessments [16]. The CIA must describe in the audit plan the extent of IAF’s reliance (if
any) on other assurance-providing functions, i.e. the risk management, internal control and compliance
functions, while performing audit activities. Any such reliance, however, should be well thought out, well
founded, reasonable & limited in nature, fit to meet the audit objectives and in no way compromise the
independence & objectivity of the audit activity or auditors. Even when relying on the output of these
functions, the internal auditors shall evaluate its accuracy & relevance on a test-check basis and should
not accept or act on the content of their reports/information blindly. Nonetheless, all audit observations
that are based on or supported by these functions’ reports shall invariably be owned & defended by the
audit team at the time of finalization of the audit report.

5. While designing internal audit plan, the CIA must ensure that all the areas of regulatory importance are
covered in sufficient detail with matching frequency since any form of regulatory non-compliance may
have serious consequences on financial and operational performance of FI. Such areas may include all
those policies, processes, systems and governance structures that are established in response to various
laws, rules, regulations, instructions and Guidelines of regulatory authority.

6. The CIA shall ensure that the audit plan is implemented as planned and shall review and submit its
implementation status to BAC on a quarterly basis. Any deviations from the plan should be documented
and presented to BAC on a regular basis. In addition, the CIA shall ensure that the audit plan is reviewed
subsequent to significant change(s) in the FI over time, e.g. mergers & acquisitions, structural changes,
establishment of new business lines, reorganization of functions etc., so that the plan remains relevant.
The CIA should document the process for identifying any such change that warrants a review of the
existing annual audit plan and should also explain the fate of cancelled or deferred assignments, if any, in
the revised internal audit plan.

[16] In addition to the results of risk assessments, the IAF may also define other criteria like management’s request, mandatory audits,
legal & regulatory requirements, etc. based on which audit of an activity/function/unit may be included in the annual audit plan.

RISK BASED INTERNAL AUDIT (RBIA) [17]


1. RBIA is a systematic process and an audit approach that ensures efficient utilization of internal audit
resources by allocating more audit resources to the areas where existing or potential
weaknesses/deficiencies in internal control systems may have serious financial or operational
consequences for the FI. RBIA is designed to start from the big picture [18] and trickle down to the various
processes/systems/audit activities, understanding and defining the linkages of one activity to another and
assessing its importance in the overall control environment/audit universe. RBIA, if designed &
implemented properly, would make the contribution of the IAF duly ‘visible’ in improving risk management
& control processes to ‘manage’ [19] entity-wide risks, thereby achieving organizational goals in line with the
board approved risk appetite.

2. As its name suggests, RBIA is based on independent risk assessments conducted by internal audit
for the purpose of audit. These risk assessments should be broad based and cover all
processes/activities/business segments/locations and functions, including the risk management and
compliance functions.

3. RBIA does not replace the traditional role of internal audit of transaction testing, checking the
accuracy & reliability of accounting records and compliance with laws & regulations; however, given the
complex interdependencies, interaction and interplay of various processes/activities/functions with each
other, transaction testing by itself (and that too in isolation) may not be sufficient. The CIA in
consultation with BAC shall devise a comprehensive plan to move towards RBIA (if not already adopted)
in a gradual and phased manner in line with international standards & best practices.

[17] RBIA emphasizes management’s responsibility for managing risks and is meant to add value to the organization by identifying
deficiencies in risk management processes where they matter the most. RBIA is in fact a change of mindset on the part of the CIA and
internal auditors, requiring auditors to enhance their engagement with the auditee to understand the way they conduct their business,
integrate various pieces of information relating to the audit in hand but retrieved from different internal sources, and take a holistic
view for providing a specific audit opinion/findings.

[18] The RBIA approach requires a broad understanding and in-depth experience of business as well as audit processes and hence
may require the CIA to invest heavily in new/existing internal auditors by providing them relevant training on the skills and
competencies required to conduct audits under RBIA.

[19] The management of risks is, primarily, the responsibility of management. Audit is responsible for providing assurance on the
adequacy & effectiveness of implemented controls (control = single risk response or collection of responses to manage a risk). It
means that the auditor’s job is to i) assess the adequacy & effectiveness of implemented controls against identified risks and ii)
assess whether all material risks in a process/activity/function have been duly identified by management or not. If audit identifies
a risk that was not identified by management before, then it is more like ‘consultancy’ work done by audit instead of providing
‘assurance’, because the ‘assurance’ of audit can only be provided on the risks/controls already identified/implemented by
management. That is to say, in FIs where risk management processes/systems are strong and mature, risk registers are in
place and risk awareness is high, the implementation of RBIA is smoother and more successful.

4. In moving to RBIA, FIs may also explore the option of establishing separate functions/divisions
within the IAF that focus on the various kinds of risks like credit, market, operational, liquidity etc. across
the FI and also assess the efficacy of the risk management function responsible for managing such risks [20].
These functions/divisions of the IAF shall be staffed with employees with the relevant skill set & competencies
and would be supported by audit teams that focus on administrative issues/expenditure controls or other
processes of these functions.

RISK ASSESSMENT FOR THE PURPOSE OF INTERNAL AUDIT


1. Risk assessment is a fundamental tenet of the ‘Risk Based Internal Audit (RBIA)’ framework. The CIA
should develop a robust, BAC approved risk assessment policy delineating the processes, methodologies
and internal mechanism for conducting such risk assessments. The risk assessment framework adopted by
the IAF should provide for risk assessments at various levels, e.g. entity-wide and auditable
unit/activity/function/process level, keeping in view the size and complexity of the operations of the FI. The
results of such risk assessments shall be owned by the IAF and used as an important input for the
formulation & execution of the audit strategy and/or annual internal audit plan.

2. The risk assessments conducted by the IAF must be independent [21] of the risk assessments conducted by
the ‘risk management and/or compliance departments’ of the FI and be supplemented with the feedback of
the board, board committees and senior management. If designed and implemented properly, the results of
such risk assessments can serve as a powerful tool for the CIA & BAC to understand the risk profile [22] of the
FI and identify, with sufficient clarity, areas where audit resources may be utilized to help management in
improving internal control systems. The risk assessment methodology used should be robust enough to not
only assess the risks of a certain activity/process in isolation (which may declare it as low risk and put it out
of the radar of the IAF for the time being), but also take into account the interactions/combinations [23] of
other risk factors that can completely change the impact & outlook of the risk factor under consideration.

3. Besides, these risk assessments should be considered as a supporting tool for the CIA and BAC to ‘lead’
the audit process in the right direction, where it is needed the most. These risk assessments shall help
internal auditors understand, beforehand, the risks of the processes/activities as well as the focus of the
current audit activity.

[20] The CIA may determine the role of audit in i) activities where, individually and/or in combination with other events, the inherent
risk is low; ii) activities which have otherwise high inherent risk (individually as well as in combination) but whose residual risk is low
owing to implemented controls; iii) any possible combination of points i & ii; iv) activities where implemented controls are
excessive, with negative residual risk.

[21] The audit department can, however, use the results of the Risk Management and Compliance Departments’ risk assessments, if
any, as an input in its own risk assessments. The extent of such reliance should be disclosed in the annual audit plan of the
respective year.

[22] The risk profile is the snapshot of overall identified inherent risks, the controls implemented by management and the nature &
level of residual risk the FI decides to carry to achieve its objectives.

[23] There may be various business processes/activities where the residual risk impact is low/high but the frequency of
occurrence is high/low; in such cases, when seen in combination with other risks with similar characteristics, the resultant
risk may transform into something with a very different impact as compared to its individual potential.

4. While implementation of RBIA may warrant significant changes in the audit planning phase and in the
‘approach’ of the individual internal auditor towards the activity being audited, the typical audit
process/techniques/methodologies used to collect and analyze information/evidence may largely remain
the same, provided that the implemented audit process/techniques/methodologies are up to date and in
line with international standards on internal auditing.

5. The IAF should not consider the risk assessment exercise as an annual one-time event but should
immediately revise these assessments when it receives new information or identifies (before the start of an
audit assignment) issues that, seen individually or collectively, may warrant a revision of the risk assessment
results. Soon after the audit activity is completed and the report is finalized, the risk assessment of the
activity/unit/function shall be revised based on the audit findings. The revised risk assessment shall be used
as the basis for the next period’s audit after adjusting it to include new information, compliance with audit
observations etc. as the case may be.

6. The following are some of the important points that should be considered while designing and
implementing a risk assessment framework by IAF:

1) Identify all business activities, associated processes, systems, product lines, services, and
functions of the FI.
2) Prepare functional profiles (their organizational structure, objectives, work they do, resources
they have & use, etc.) of important business units, departments, functions, products, services etc.
that generate business; critical support functions like IT, information security, HR etc. and those
departments that control risks i.e. risk management, compliance, Finance etc.
3) Develop a suitable measurement mechanism to evaluate efficiency and effectiveness of business
generating units (as identified above) and those that control risks; in discharging their respective
responsibilities with respect to internal controls.
4) The effectiveness & efficiency of business units/functions/activities with respect to internal
controls should be assessed against a comprehensive measurement criteria including both
quantitative & qualitative components.
5) The measurement mechanism/criteria should be consistent, relevant and must enable auditors to
define and differentiate between high, moderate and low risks with clarity.
6) Quantitative matrices alone may not be enough for risk assessments unless supported by
further “analysis” by the auditors. At a minimum, the assessment should incorporate information from
various sources including, but not limited to, the observations of the last internal audit reports, the
implementation status of audit recommendations, regulatory authority observations, feedback from
BAC and other board committees, results provided by risk control functions regarding management
of risks, senior management feedback, internal organizational changes that have taken place,
changes on the regulatory front (including international jurisdictions if the FI has overseas
operations), changes in the broader economic/business environment in which the FI operates etc.
7) Based on the results against the measurement criteria, identify the activities and internal control
issues within those business units, departments, product lines, services, and functions that need
to be audited, along with the scope of these audits i.e. full scope, focused, targeted, thematic etc.
8) Develop a mechanism to integrate risk assessment process into formulation and execution of
audit plan.
9) Develop a mechanism to monitor risk assessments regularly and update them at least annually for
all important business units, departments, functions, activities, processes, services and products.
10) The risk assessments should be forward-looking and must include risks to FIs medium & long
term objectives, growth strategies, new products, external economic environment and regulatory
changes, etc.

INTERNAL AUDIT MANUAL


1. The CIA shall formulate an internal audit manual [24] that provides details of the audit process to be
followed by auditors to conduct a specific audit assignment. The audit process generally includes: setting of
audit objectives; defining the scope of coverage; the audit methodology/approach & auditing techniques to be
used; audit sampling [25]; collection & analysis of audit evidence/working papers; documentation of
facts/observations; preparation of the audit report; the quality assurance process before finalizing the audit
report; reporting of observations to the auditee; discussion of audit observations; finalization of the audit
report; and its follow-up process.

2. The complete audit process/program should be covered in sufficient detail in audit manual so that it can
be used by internal auditors for guidance and reference, whenever required. There may be many similar
processes which may require use of identical audit methods/techniques; however, there can be various
audit assignments where standard audit methods/techniques may not provide desired results. The audit
manual should provide general guidance on conducting such special audit assignments. Besides, it must
be ensured that the audit manual is not merely a collection of steps/checklists to be followed/ticked by
internal auditors during course of audit but instead should provide sufficient room to internal auditors to
modify audit process as and when needed (with proper justifications) to achieve audit objectives. The
internal auditors should do so by applying their mind and expert judgment based on the actual or
perceived risks involved.

3. The CIA should ensure that the audit manual is comprehensive enough to cover the major operational
activities of FI and is updated periodically to reflect institutional, regulatory and business changes.

AUDIT TECHNIQUES/PROCEDURES


1. It may be noted that whether the audit is being conducted under the RBIA or the conventional
control/compliance based audit approach, the auditing practices/techniques used to gather
information/evidence, to test controls and to ensure controls are working as planned may not warrant a
major change (except that of mindset & approach). The selection of audit techniques depends purely on
the audit assignment in hand and may vary from one audit to another depending on the audit objective (what
kind of assurance is being provided and to whom), the unit being audited and the time, resources and skills
available.

[24] The manual should provide a set of detailed step-by-step audit procedures for each auditable area (where possible) and is
usually supplemented by checklists. A well-designed audit program would provide a systematic audit approach that must be
supplemented by internal auditors’ judgment.

[25] The results/conclusions of the audit assignment greatly depend on the selection of the sample by internal auditors. Hence
sample selection is of critical importance as far as the audit activity is concerned, and the IAF shall seek guidance from the International
Auditing Guideline on Audit Sampling and provide comprehensive guidance on audit sampling in its audit manual.

2. The IAF and internal auditors are free to decide on the techniques/procedures to be used, provided that
the selected techniques/procedures are in line with the objectives of the audit assignment. Such
techniques/procedures should be defined in the audit manual in sufficient detail, enabling internal auditors to
refer to them whenever the need arises. Some of the techniques widely used by internal auditors include the
substantive testing approach, systems-based review, policy/procedure/process review, discussions with
management etc. These techniques/procedures are applied or executed in the form of confirmation,
recalculation, re-performance, inquiry, observation etc., enabling auditors to form an opinion on internal
controls.

AUDIT RESULTS & REPORTING


1. The internal auditors must, at the completion of the audit activity, prepare a comprehensive internal audit
report to communicate their observations/conclusions/findings on the state of internal controls and make
recommendations to management for improvements. The audit report shall serve as the basic document for
the CIA & BAC to remain aware of significant breaches/deficiencies in, and the state of, internal controls in
the FI. Besides, the focus of the audit report/audit process should be on improving processes rather than on
targeting individuals or groups of individuals (except as otherwise warranted by circumstances), which would
take the focus away from processes and systems.

2. Before finalizing the audit report, the audit team should discuss its initial observations (draft audit report)
with management and must maintain a complete record of the discussions held and the decisions taken, along
with reasons/justifications. Management’s comments on the draft report should be made part of the final
report to bring transparency to the elimination of any audit observation from the draft audit report. After a
quality assurance review of the internal audit report to ensure uniformity, the CIA/relevant sub-function head
etc. should review and approve the final audit report for issuance to management and the auditee.

3. Besides putting their observations in audit report, the internal auditors should immediately report to
CIA, any significant control breaches identified during the course of audit. Keeping in view the gravity of
the matter, the CIA shall refer it to BAC and CEO to take necessary and timely actions.

4. The CIA should put in place a robust ‘quality assurance mechanism’ in the IAF to ensure that a draft audit
report and the ‘audit rating’ assigned to the audited area meet the set quality standards (as given in the audit
manual or any other relevant policy) and are backed by sufficient evidence/supporting material to justify the
auditors’ findings/conclusions/judgments. Since the audit report is of significant importance for internal
auditors as well as the auditee, the auditors should exercise due professional care and spend sufficient time on
preparation of the report to accurately convey their findings. While recording/finalizing their findings,
internal auditors must bear in mind that instances of non-compliance or breach of controls do not
happen in isolation and there must be a reason (root cause) that led to such non-compliance or breach of
control. It is, therefore, the responsibility of internal auditors not only to focus on instances of breach of
control but also to ascertain and highlight in the audit report the actual ‘root cause’ of the problem, followed by
relevant recommendations that address that root cause.

5. During discussions of the draft audit report, there may be a strong difference of opinion between the
observations/conclusions/judgments made by internal auditors in the audit report and management’s point
of view on these audit results. While the internal audit report must mandatorily include all management
comments (whether accepting or challenging the audit observations), the position taken by the internal
auditors/CIA is considered final, and management is bound to implement all such audit recommendations in
letter and spirit even where it does not agree with internal audit. However, in order to give management a
chance to present its point of view, BAC in consultation with the CIA may establish a mechanism whereby
such exceptional and significant cases of disagreement are elevated to BAC level and decided accordingly.

6. The CIA should put in place a mechanism to ensure that final audit reports are objective, clear, relevant
& comprehensive in content, written in a positive tone (without compromising the criticality of the issue) and
provide strategic & specific insights to help management improve processes/controls and increase
efficiency. The audit reports should be free from errors and distortions and must convey a fair, impartial
and unbiased view on the state of internal controls in the audited activity. The CIA is free to decide the format,
structure and contents of the audit report depending on the nature of the assignment; however, in general the
audit report should contain the following:

a) An executive summary.
b) The audit team, scope, period covered, objectives and audit techniques/methodologies used.
c) The processes/systems/policies/data/information reviewed & evaluated; level & nature of
engagement with auditee.
d) The significant/key findings of the internal auditors, risks involved and their possible
impacts.
e) The underlying weaknesses/control deficiencies/root causes of identified problems/audit
findings (the audit team should include allied factors like shortage of staff, system
unavailability, excessive work load, training deficiency of employees etc. in their audit
reports that serve as basis of control breaches/violations).
f) Recommendations to correct identified deficiencies.
g) Management comments on the deficiencies highlighted/recommendations; remedial
measures taken or proposed to be taken by management to implement recommendations.
h) Major changes taken place during the audit period, if any.
i) Any other information that needs to be conveyed by internal auditors to management and/or
other users of audit report.

7. While the audit report should contain the minimum areas mentioned above, writing an impactful,
value-adding audit report that communicates a precise message to management may well be a challenge
for many internal auditors. The CIA should ensure that relevant report-writing training is provided to all
internal auditors to develop their writing skills. The internal audit report is more than just a compilation of
all the audit work/observations/instances of non-compliance/control deficiencies highlighted during the
audit process. It is, for the most part, an activity that requires analytical reasoning on the part of the internal auditor
to synthesize and link together the various minute components of information evaluated/processed during the
course of the audit, leading to the formulation of a complete picture.

FOLLOW UP OF AUDIT RECOMMENDATIONS


1. After issuance of the final audit report, the IAF should actively monitor the compliance position of audit
observations by management and regularly report the summary of compliance status to BAC. Where
significant shortfalls in the implementation of audit recommendations are observed, the same may be
taken up with the CEO/senior management of the FI through BAC. Management should make all
possible efforts to implement audit recommendations and, as such, must engage with the audit team to
understand its point of view and share management’s action plan.

2. In cases where the auditee is not taking serious note of audit observations, or the action plan is so vaguely
designed that it may not adequately cater to the risks/control deficiencies highlighted by the audit team, the audit
team should keep the observation open (and elevate it to the right level) until its recommendations are fully
implemented. Where the same deficiency/control breach of a critical nature is again highlighted
in the next-period audit of the audited activity, a comprehensive review of the matter may be conducted by
internal audit to identify and understand the root cause of the problem and make appropriate
recommendations. Instances that keep recurring in at least two audit periods despite the (reported) implementation
of audit recommendations should be submitted to BAC on a regular basis and must be taken up
with the CEO to address the root cause of the problem in a systematic way instead of doing temporary patch
work.

3. In all such instances where the number or nature of observations keeps repeating in next-period audit
reports (having been highlighted in the past as well) with no change in the trend or magnitude of occurrences,
the BAC should take notice of such practices and must reassess the entire situation along with the CIA. The
BAC should identify the problem and fix responsibility as to whether there were issues in the audit
recommendations or whether management’s action plan was flawed, such that the problem still persists.

4. Such a scenario also indicates that either the IAF is not effective in performing its task or
management is unable and/or unwilling to perform its responsibilities with respect to internal controls.
The BAC must take strict note of such a situation and take all necessary actions/steps to correct the
problem.

CONFIDENTIALITY OF AUDIT REPORTS & WORKING PAPERS


The CIA should establish a robust mechanism for filing/record keeping of audit reports and audit working
papers at a safe and secure place to ensure that their contents remain confidential and are only accessible,
at all times, to authorized persons. The internal audit working papers should be properly filed, indexed
and stored in a secured place that can be easily accessed and retrieved by authorized persons as and when
needed. A logbook should be maintained to record the movement of audit report & working papers and to
ensure that such record is only accessed by authorized people.

***************************************************************