Arising Importance of Audit due to Present Economic Developments

Agenda Definition and Components of Internal Audit International Standards and Regulations about Internal Audit Effects of Economic Crisis and Technological Developments New Trends and Changing Role of Internal Audit

Definition and Components of Internal Audit

Definition of Internal Audit Internal audit helps an organization to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, governance processes. Internal Audit is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. The functions mentioned over here are the main activities that a given corporate has to build in order to operate properly. Where the internal audit comes in the picture is to be the bad cop for the organization; namely, we are at a position checking the magnitude of risk taking given the corporate’s objectives.

Corporate Governance Corporate governance is a general system which promotes enterprise orientation and control structure. As generally accepted international corporate governance understanding involves; Equality, Transparency, Accountability and Liability. Besides shareholders, let me tell you that stakeholders are major beneficiaries from a good corporate governance. These are all parties effected from the operations of a corporate, this involves; public, government, sector, rivals and many more. Given these adjectives are accomplished, any corporate raises its chance to survive in any sector it is operating in.

TAKING NECESSARY ACTIONS IDENTIFICATIONOF RISKS Risk Management Risk management is a process which satisfies appropriate transition or exchange between risk and yield and adds “value” to the organization. Risk management concerns all departments. TAKING NECESSARY ACTIONS IDENTIFICATIONOF RISKS PRIORITIZATION OF RISKS 2. Prioritization of Risk Probability of the Risk Severity of the Risk 3. Taking Necessary Actions Acceptance Transferring Controlling 1. Identification of Risks Defining the risks Measuring the risks Analysis the risks Reporting For a strong company, you have to know about your risks, you have to rank those in order to make the decisions with which of those you want to live with, and design the appropriate controls to mitigate the undesired results (impact) that may occur when a risk evolves. Taking necessary actions also involves the making of the action plans in order to be ready to take the necessary action to smooth out the impact of a realized risk.

Internal Control Control is one of the actions which are taken to mitigate the effects of the risks in terms of; Safeguarding of assets, Compliance with laws, regulations, and aggrements, Reliability and integrity of financial and operational information, Effectiveness and efficiency of operations. Basic Control Activity Examples are; Authorization Methods Limit Applications Decompositions of Tasks Policy and Procedures Task Descriptions and Responsibilities Reconcilement Methods The first four sentences summarize how the internal control focus on the operations order to increase the efficiency of the control activities and making it easier to communicate any deficiency with the management in a common and simpler language.

International Standards and Regulations about Internal Audit

Regulations about Internal Audit Regulations in Turkey - 5411 numbered Banking Law - Arrangements of Banking Regulation and Supervision Agency (BRSA) - Arrangements of Capital Markets Boards Of Turkey International Regulations - Regulations by Basel Committee - Regulations by Professional Associations (IFAC, IICPA, etc.) First, there are some regulations made by BRSA starting from 2002 and got heavily felt by 2006. These regulations are still yet to come, mostly depending on the latest crisis. Main international regulator is Bank for International Settlements (BIS) located at Basel and commonly known as Basel Committee. The main regulator for Internal Audit practice is Institute of Internal Auditors (IIA) and its major documentation on the profession is “Red Book”.

Standards of Internal Audit A. ATTRIBUTE STANDARDS Purpose, Authority and Responsibilities   Independency and Objectiveness Proficiency and Due Professional Care Quality, Assurance and Improvement Program B. PERFORMANCE STANDARDS Management of Internal Audit Activities Quality of Work Engagement Planning Performing Engagement Reporting Results Observing Developments Acceptance of Residual Risks by Management   These standards are defined by IIA and known to be common for all internal audit practitioners. Attribute and performance standards are those expected to be accomplished by the internal audit department and internal auditors in accordance to the which of them they are attributed to.

Attribute Standards Purpose, Authority and Responsibilities Purpose, authority and responsibilities of internal audit activities should be obviously declared in the charter which has to be approved by the Board of Directors. Independence and Objectivity Organizational Independence Individual Objectivity Impairment to Independence or Objectivity Proficiency and Due Professional Care Proficiency Requires the knowledge, skills and other competencies needed to perform individual responsibilities. Due Professional Care The care and the skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility. Continuing Professional Development Enhancement of knowledge, skills, and other competencies through continuing professional development. Attribute standards have to be given place in the internal audit department’s charter and which has to be approved by the Board of Directors.

The Internal Audit Activity Management Performance Standards The chief audit executive must effectively manage the internal audit activity to ensure it adds value to the organization. Planning Communication and Approval Resource Management Policies and Procedures Coordination Effective reporting mechanisms in order to communicate with the Board of Directors, Internal Audit Committee and Top Management Planning requires an annual audit plan to be prepared based on a systematic approach, namely, a risk matrix designed to prioritize the risks in accordance to evaluated impact on the operations and the probability (frequency) to occur. Communication and approval is attributed to the communication with the Board and internal audit committee and taking their approval whenever required. Resource management is a major issue to match the ever diminishing musts with the scarce resources. Policies and procedures are required to standardize the audit practices. Coordination is mainly important in order to accomplish a full focus on the risks that are already observable or hidden in the activities and required to be identified and assessed immediately. Reporting is important to assure that the operations are safe and monitored closely. It is also important to clarify the risks and necessary actions to mitigate the impact.

Performance Standards Engagement Planning Performance Standards Engagement Objectives: Setting the engagement objectives, internal auditors should: Identify and assess risks relevant to the activity under review and the engagement objectives must reflect the results of this assessment, Consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives. Consulting engagement objectives should address risks, controls and governance processes to the extent agreed upon with the client. Scope of Engagement: The established scope must be sufficient to satisfy the objectives of the engagement. The scope of the engagement must include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.  Engagement Resource Allocation: Internal auditors must determine appropriate and sufficient resources to achieve engagement objectives based on a plan regarding the below mentioned issues: -an evaluation of the nature of engagement, -complexity of engagement, -time constraints, -available resources. First, you have to assess the risks, related probabilities to evolve depending on the control activities already on duty. Then you will define your objectives and required information sources in order fullfill those objectives. One major concern comes into picture on staff management since the resources are limited and there exists an already approved annual plan.

Performing the Engagement Performance Standards Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement's objectives. Recording Information Internal auditors must document relevant information to support the conclusions and engagement results. Thus, it would be beneficial that the Internal auditors prepare working papers. During the engagement, any information tool must be evaluated and any significant information including the audit methodology must be documented.

Communication of the Engagement Results Performance Standards INTERNAL AUDIT Observations about Board of Internal Audit AUDIT COMMITTEE Periodic Activity Report BOARD OF DIRECTORS One of the major issues regarding the internal audit activity is the communication of the audit results. First, the results are communicated to the related auditees and the top management level responsible from that business line. Then issues, including the recommendations of the internal audit department, are reported to the audit committee. Audit committee takes these most significant issues to the Board of Directors in order to inform them about the main risks and deficiencies about the operations as well as the recommendations to fully eliminate the risks or mitigate them. BoD may also decide to accept the risk when it is costly to build a control mechanism. The BoD reports the results of internal audit activity to the BRSA annually. BRSA (BDDK) Annual Report and Observations

Performance Standards Monitoring Progress Performance Standards There are some tasks that each Chief Audit Executive (CAE) is expected to satisfy. These are as follows: A CAE; Must establish and maintain a system to monitor the disposition of results communicated to management, Must establish a follow-up process to monitor and ensure that management actions have been effectively implemented, Or that senior management has accepted the risk of not taking action (defined as residual risk). These tasks are determined by the IIA in order to ensure that the internal audit mechanism operates effectively.

Effects of Economic Crisis and Technological Developments

October 07 January 08 June 08 September 08 Important Corporations Which are Negatively Affected and Failed October 07 January 08 June 08 September 08 Here are some of the giant financial corporates which could not survive or faced with major losses during the latest crisis.

Developments After Crisis What's Expected? Reconstruction of the Global Banking System Canonical market economy instead of Free Market Economy– Establishing New Audit/Control System, Elimination of Weakness of Risk Management, The Development of Credit Rating Agencies Applications New Regulations and Regulatory Institutions in Financial Markets Reconstruction: Major responsibility is on Basel Committee and professional institutions mainly focused on accounting principles due to the fact that recent principles may lead to profits which are mostly imaginary, and pump the financial markets to the boundaries. Canonical: More strict regulations are expected to be materialized. Some of them are also mentioned in the G-20 meetings loudly. Elimination: New risk management measurement approaches are under discussion and Basel II is expected to be redesigned as Basel III. The Development: Since among the major contributors to this crisis were the credit rating agencies, there evolves a need for regulation in order to closely monitor their capabilities and objectiveness. New regulations: Many regulators are working on the weaknesses of the current system and preparing the brand-new regulations which would take place very soon in order to prevent a new crisis.

Developments After Crisis Increment Severity of Audit Differentiation of Audit methodologies Monitoring Audit Results Attribution and Adequacy of Auditors Worldcom Wrong accounting records more than 9 million $ Enron The greatest bankrupt in USA. Although these corporates all went bankrupt or faced with severe losses prior to the current crisis, these also inspire regulators to prepare the new regulations also taking these shenanigans (financial underhand tricks) and embezzlements into account. Tyco International Presented 400 million $ more than real figures of 2002. Société Generale 4,9 million Euro Tresury Transactions

Developments After Crisis Lessons to Take Risk must be “respected”. Risk management function should be seen equally with other functions in Banks, and not be described as a ‘back office’ function. Risk analysis is an important part of modern risk management. On the other hand, models all alone are not sufficient. There may be limits to regulations. If the level of exaggerated debts seem to be good in an unbelievable way then it is really unbelievable. U.S.A banks owned tools which they used mainly to remove their credits from their balance-sheets, explained their leverage ratios to 600 to 1. Accounting change everything. The accounting of the credit assets in accordance to their market value (mark to market) increased the volatility in reported losses nearly 50 percent during the depression period. Accounting is accounting. There should not be any creative accountancy. Activity of Audit is as effective as its results. Volume based bonuses redoubles the risk appetite.

Questions to be Answered Rating Agencies What are the standard method for working and decision-making? How transparent and accountable are they? How objective are their approaches and reviews? Who checks these organizations and their reports globally and locally?

Questions to be Answered Market Risk Credit Risk Operational Risk Risk Management and Risk Management Models How proactive is risk management? Was the risk management located in the right position within the bank? Risk Management Models How applicable are they? How accurate are they? Are control and measurement methods sufficient? The Basel II regulations on capital adequacy did not produce the needed effect on Banks to hold enough liquidity. Northern Rock and Bradford & Bingley did cover the requirements related to “capital”, but it did not prevent them from bankruptcy. (The Independent)

Questions to be Answered Audit Principles Internal Audit Independenct? Sanction Power? Risk Oriented? Qualitative Adequacy? External Audit Regulations? Standards?

Questions to be Answered Board of Directors and Top Management Volume Focused Bonuses Audit Committee Acts Functions of Independent Members of the Board Corporate Governance Are they really focusing on their operations safety or the peak level bonuses that are promised? AC; is it really independent and cared about? Are they? Is it in practice or just a magical term?

New Trends and Changing Role of Internal Audit

New Trends in Audit Risk Oriented Audit Continuous Audit and Supervision Information System (IT) Audit

Risk Oriented Audit Concept The reasons stated below have effects on working principles of internal audit departments. Risk oriented audit becomes acceptable based on these reasons; Resources for audit activities are scarce. Brand new risks may evolve in audited fields. Activities involve relatively different severity levels. Identify Assess Measure Monitor AUDIT PLAN RISK Risk Oriented Audit Concept Purpose: Transferring Resources of Audit to Most Risky Areas!

Continuous Audit and Supervision Deriving benefits from IT, Continuous supervision of processes, Immediate audit following the transaction, Early warning system before the risk is materialized.

IT Audit Information Systems (IS) provide more effective works with less errors, so it causes more addiction to IS. Important processes flow on IS. IT systems are vulnerable to many risks: Authentication Non-deniable Data Integrity/Consistency Data Confidentiality (Privacy) Business Continuity Compliance to Regulations

IT Audit Standards COBIT (Control Objectives for Information and Related Technology) is an IT Management and Audit Model and legislatively accepted standard in IT Audits in Turkey. CMMI: Software Development Process Standards ISO: Service/Service Management Standards ITIL: Information/System Security Standards Service/Service Management Standards

Changing Approaches in Audit TRADITIONAL Detection Functional Including whole Once Partial MODERN Prevention Process based Risk oriented Continuous Integrated

Audit Certifications There are some certification programs which promotes professionalism in internal audit. These are some of the most reputable ones among those. CIA by IIA, CISA by ISACA (Information System Audit and Control Association, FRM by GARP (Global Association of Risk Professionals), SMMM (Serbest Muhasebeci Mali Müşavirlik), CFE (Certified Fraud Examiner), CFA (Chartered Financial Analyst) by CFA Institute.

Being proactive is crucial to internal audit activity.

QUESTIONS???

Thank You...