Factors to be considered for the Internal Auditors

Presentation transcript:

Factors to be considered for the Internal Auditors
Compiled By: JBSC, Dhaka

Operation of Internal Audit & Operational Risk Management
Basel Committee for Banking Supervision (BCBS) Evolution of Internal Control & Compliance (ICC) concepts has 13 Recommendations.
Internal Audit is part of the management process in the bank. It is the actions taken by management to plan, organize and direct the performance of sufficient actions to provide reasonable assurance that the following objectives will be achieved:
- Ascertainment of risk exposures in the bank branches & in business operations.
- Accomplishment of established objectives and goals for operations and programs.
- The economic and efficient use of resources.
- The reliability and integrity of information.
- Compliance with policies, plans, procedures, laws and regulations.

Operational Risk
Operational risk is the broad discipline focusing on the risks arising from the people, systems and processes through which a company operates. It can also include other classes of risk, such as Fraud & Legal risks, physical or environmental risks.
Operational Risk is the potential loss arising from a breakdown in company's systems and procedures that result in human error, fraud, failure, damage of reputation, delay to perform or compromise of the company's interests by employees.
3 P-S:
- Policy (lacking or outdated)
- Processes (imperfectly / misguided model)
- People (ignorance, negligence, offense, lack of integrity, poor judgment)
- Systems (unsecured systems, software, non complying security measures)

Risk in Banking
[Diagram: Types of Risks: Credit Risk, Market Risk, Operational Risk. Labels shown: Corporate, Bank, Sovereign, Retail, Project Finance, Equity; Interest Rate (in banking and trading books), Foreign Exchange, Equity, Commodity; Internal Process, People, External Factors; Information Risk, Systems Risk, Security and Integrity Risk.]

Operational risk is inherent to banking business
ACTIVITY, by business line:
- Retail Banking: Retail Deposits & Lending, Private Banking, Card Services
- Commercial Banking: Project Finance, Trade Finance, Working Capital Finance
- Payment and Settlement: Payments and Collections, Funds Transfer, Clearing and Settlement
- Treasury (Trading & Sales): Sales, Market Making, Proprietary Positions, Treasury Advisory Services
Operational Risk categories:
- Internal Fraud
- External Fraud
- Employment Practices & Workplace Safety
- Clients, Products & Business Practices
- Physical Damage to Assets
- Business Disruption and System Failures
- Execution, Delivery & Process Management

Components of Operational Risk Management Framework
- Control environment: The Control Environment sets the tone of an organization, influencing the control consciousness of its people at all tiers.
- Risk Addressing: The risk in an organization is the auditor's starting point. The audit function is an expensive overhead, so it is important for auditors to concentrate their resources in the areas of greatest risk.
- Control activities: Control activities are the policies and procedures that help ensure management directives are carried out.
- Information and communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information, that make it possible to run and control the business.
- Monitoring: Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time.

Operational Risks Include:
The loss of money or reputation are the high-level risks, but the actual loss can come about in a number of different ways. These different ways give rise to a set of secondary risks, which auditors particularly need to focus on. These risks will include:
- Individual Ignorance, Negligence, Offence & Lack of Integrity
- Frauds & Forgery, Misappropriation, Embezzlement
- Breach of the law
- Malpractice
- Error
- Loss of data
- Theft
- Loss of premises
- Poor judgment
- Poor strategic planning
- Insufficient management information
- Ineffective support for computer systems

Some Basic practical points for Auditors
There are a number of basic practical points that auditors need to bear in mind during their day-to-day work:
- Auditors should not act as part of a control system itself.
- Auditors should observe Audit protocol (Audit Manual) wherever they are auditing.
- Auditors should declare any personal interest which may make it inappropriate for them to audit in an area.
- Auditors need to be discreet. They will probably see sensitive documents during the course of their audits.
- Auditors need to follow a strict ethical code. Some information that auditors see could be used for personal gain.

Factors to be considered for the Auditors
There are many different types of control that an internal auditor will look for. To control the risks in banks, the types of control will include the following:
Controls over STAFF:
- Adequate experience
- Adequate staff level
- Adequate training
- Clear lines of communication
Controls over PROCESSING:
- Delegated authorities (Business/Finance, Administration, Expenditure) limits
- Two signatures needed to transfer money (Checker & Maker)
- Time deadlines (Execution of Transactions & Feedback)
- Check totals to prove accuracy of figures

Factors to be considered for the Auditors
Controls over TRADING or Investment:
- Dealing limits for traders
- Exception reports showing limit breaches
- Separation of the dealing function from that of settlement
- Authentication of foreign trading settlement instructions through SWIFT
- Separate verification of input of settlement instructions & reconciliation

Factors to be considered for the Auditors
Controls over VALUABLES:
- Dual control over access to valuables, usually by two keys held by different people
- Separation of custody of valuables from record keeping
- Regular counting and reconciliation
- Video screening vaults or strong rooms

Factors to be considered for the Internal Auditors
Controls over Information and Communication Technology:
- Backed-up data in case of loss of prime computer records is ensured
- Uninterrupted power supply for critical systems
- Remote contingency site in case there is a disaster in the prime site (DRC)
- Password access to the computer system
- Properly documented systems so that technicians can easily trace faults
- Strict controls over how programs can be accessed when they need to be changed
- Encrypted networks to reduce the risk of hackers gaining access
- Physical controls over access to computer rooms (Server)
- 'Day End' 'Audit Trail' verification & authentications

END