Introduction to risk-based internal auditing and lessons learnt for commercial banks in Vietnam

612 International Conference on Finance, Accounting and Auditing (ICFAA 2018) November 23rd, 2018 Hanoi City, Vietnam Introduction to Risk-Based Internal Auditing and Lessons Learnt for Commercial Banks in Vietnam Khieu Huu Binha aUniversity of Economics and Business, VNU Submission day: 30/10/2018 Review day: 10/11/2018 Acceptance day: 15/11/2018 Abstract Background: It is essential for Vietnam Commercial Banks to improve roles and effectiveness of internal auditing (IA), which will ensure their safe and sound development in the market economy and meet international standards for financial institutions. From only involving in periodic inspecting and monitoring, modern internal auditors are expanding on risk-based activities and assisting enterprises to make strategic decisions. Scope and approach: The paper aims to give insight in the current approach in the banking internal audit system. Furthermore, the need for modern approach in risk-based auditing is discussed by introducing contemporary model in developed countries. Using structured questionnaires and interview, the author collects recommendations from Vietnam banking and auditing experts about risk-based auditing trend in Vietnam. Key findings and conclusions: Moving to risk-based auditing will lead to more effective corporate governance in every organisations, especially in risky and highly regulated industries. A new paradigm in risk based auditing is needed to ensure sustainable development for commercial banks, however, for emerging economies like Vietnam, a lot of preparation for knowledge, system and resources should be available before comprehensively applying this audit system. Keywords: Commercial aank, Internal auditors, Risk-based. 1. Introduction According to the Definition of Internal Auditing in The IIA's International Professional Practices Framework (IPPF), internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, 613 disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. The operations of internal audit uninterruptedly change as the economy, organizational activities and risks develop over time. A number of corporate failures, accounting scandals, and the collapses of corporations, especially in banking industry lead to the fact that the internal audit should be transformed to improve corporate governance in any organization. Table 1: Major failures and Accounting Scandals in banking industry Name of organization Year Country Baring Bank 1990s UK Crédit Lyonnais 1990s France Berliner Bank 1990s Germany Banking Industry (in the Asian crisis) 1997 Asia Northern Rock 2007 UK Lehman Brothers 2010 USA HSBC, Lloyds, Royal Bank of Scotland, Barclays 2012 UK J.P Morgan 2012 UK By enhancing their roles, internal audits implement various services and activities to their key stakeholders (Board of Directors, Audit committee, senior managements, regulators) Over the last few decades, internal audits have improved and expanded from their traditional roles such as monitoring, inspecting, assessing internal control system to a contemporary internal audit approach. By changing or improving their role, internal audit can provide different types of services (or activities) to their key stakeholders (such as the board, audit committee, senior management, operating line managers, regulators, external auditors) according to their needs. Internal audit services and activities have improved and expanded from the traditional role that focused on financial compliance, internal controls, operational, computer, value-for-money, quality and management auditing to a modern approach. This contemporary role is designed to provide assurance and consulting services, value-added activities; business insights and strategic advice services especially risk management. In fact, controlling risks play a vital role in retaining a sound internal control system. While the responsibility for identifying and managing risks belongs to management, one of the key roles of internal audit is to provide assurance that those risks have been properly managed. This suggests every organization to adopt a new approach - the Risk based internal audit to deal with above issues. 2. Literature Review: The IA is one of the fastest developing jobs in the last seven decades since the foundation of the IIA (Reding et al., 2013). Selim and McNamee (1999) suggest that there are current three stages for the IA: performing observation and counting physical items in 614 the early day of IA, control-driven audits (1940s-1990s) and the contemporary risk-driven approach. By taking into account uncertainty and risky nature of current business activities, risk management is a focal point in good corporate governance practice. (The IIA UK and Ireland, 2003). The IA will play critical roles in mitigating all the risks which hurdle the organizations to achieve objectives (Griffiths, 2015). It is inevitable for each origination to in-depth risk management with the increasing contributions from the IA (Sarens and De Beelde, 2006). IA will concentrate on high risk areas and the working will be carried out in more efficient manner (Colbert and Alderman, 1995). By implementing matrix risk, risk- based IA includes determining and assessing risks right from audit planning (Ayvax a and Pehlivanli, 2010). Since the late 1990s, many accounting firms have been conducting audit methodology basically called risk-based auditing (Bell, Peecher, &Solomon, 2005, Chapter 2; Knechel, 2007; Lemon, Taturn & Turkey, 2000). IIA defines risk based internal auditing (RBIA) as a methodology that links internal auditing to an organization’s overall risk management framework. RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite. Griffiths, 2006 agreed that risk-based IA should be conducted on the risk-appetite of organizations. The fundamental principal of this IA approach is analyzing risks before the audit work, aiming to optimize the human resources and taking into account all main risks. All of the previous studies mentioned the roles of IA in assessing, identifying and managing risks, but some organizations do not realize the importance of moving to risk-based approach for the IA. Therefore it suggests for introducing this model in Vietnam. The author expects by applying this model, the quality of internal audit work and performance of commercial banks will be improved. 3. Theoretical framework: Practitioners and regulators were both confident that risk-based auditing will enhance the audit quality. The Auditing Standard Board (ASB) require that its risk assessment standards must include in-depth understanding of the entity and its environment to identify the risk of material misstatement in the financial statement, linkage between risks and the nature, timing and extent of audit procedures. The same ideas are applied to RBIA, when RBIA implements an audit plan with lots of activities from strategic analysis to risk assessment. RBIA is developed by identifying and assessing risk elements, through strategic analysis and designing the auditing process in line with risk matrix or risk map (Ayvaz a & Pehlivanli, 2010). Internal audits focus on high risk areas, so that the engagement will be performed in a cost-effective manner (Colbert & Alderman, 1995). The risk now is assessed before starting audit engagement which helps the most optimal resource allocation and create value for the organization. A research conducted by IIA (UK & Ireland) and KPMG (2005) showed that 89% of Chief Audit Executive use risk based methods for yearly planning audit work, 93% use a risk based approach in internal audit engagements. Risk assessments are implemented at each internal audit work to identify risk level and evaluate the adequacy and effectiveness of internal control system (Nuno, Lucia, 615 & Russel, 2009). Therefore, RBIA is an active process, continuously developing so that it differs from traditional method. Although RBIA is being used in a number of places all over the world, it is still new to many organizations. If the risk management framework is not really strong or does not exist, the organization is not ready for RBIA. More importantly, it means that the organization’s system of internal control is poor. Internal auditors in such an organization should promote good risk management practice to improve the system of internal control. IIA provided guidance on how to implement RBIA in 3 stages follows: Stage 1: Assessing risk maturity Obtaining an overview of the extent to which the board and management determine, assess, manage and monitor risks. This provides an indication of the reliability of the risk register for audit planning purposes. Stage 2: Periodic audit planning Identifying the assurance and consulting assignments for a specific period, usually annual, by identifying and prioritizing all those areas on which the board requires objective assurance, including the risk management processes, the management of key risks, and the recording and reporting of risks. Stage 3: Individual audit assignments Carrying out individual risk based assignments to provide assurance on part of the risk management framework, including the mitigation of individual or groups of risks. The instruction from IIA above only provided general ideas for organization to adopt RBIA. Although banking is one of the most risky industries and under rigorous national and international requirements, there is no detailed guidance on how to implement RBIA in 616 banking industry. This paper recommends commercial banks to refer to this general instruction to apply RBIA with considerations of their own conditions and development. The author also suggests further research on practical implementing RBIA approach in banking industry and impacts on the overall banking performance in the following papers. 4. Methodology Starting from researching transformation of the contemporary IA as well applying Risk-based IA in banking industry, this paper uses process of a synthesis and antithesis of the ideas found in the specialty literature and in the norms specific to the analyzed fields. The author also used a constructivist approach that was applied step by step by reviewing some best practices of risk-based auditing in developed countries, especially in commercial banks. The paper also conducted constructed questionnaires and interview to some of the banking and finance experts to obtain their opinion about the current and future development of IA in Vietnam. Moving to RBIA is a suitable and inevitable direction for all commercial banks in Vietnam, especially when a number of them are implementing standards and regulations under Basel II, this is also the point of view of many experts in banking and finance industry in Vietnam. One of the most central documents by the Basel committee is BCBS 223, in which 20 guidance and recommendation for banks and banking supervisory body are introduced. In this documentation, there are some instructions about organizing and conducting internal audit in commercial banks and how to implement assessment and monitoring internal audit activity for banking supervisory body. Mr. Dinh Tuan Hung, director of Market risk department-BIDV said that, all banks are recommended to create and issue internal audit manuals with at least 7 sections: purpose and scope of the IA, requirements for the IA, reporting procedures, outsourcing the IA, responsibility of IA head, applicable practice and standards for the IA, working procedures with external audit and management body. Internal audit operation should be conducted based on risk-based activities, and the scope of work should be updated and revised annually, in which there must be internal audit area under regulations of management body (risk assessment, capital adequacy, liquidity, compliance, finance) and the requirements from banks. Banks should ensure they have enough capabilities to monitor and assess the effectiveness of the IA, risk assessment procedures, banking governance (including outsourcing activity and branches’ operation) Dr. AJ Purcell, Head of Internal Audit department from CPA Australia also shared his opinion about international IA by saying that the current function of IA is mainly focusing on compliance risk and monitoring traditional financial system. Compliance risk is exposure to legal penalties, financial forfeiture and material loss an organization faces when it fails to act in accordance with industry laws and regulations, internal policies or prescribed best practices. Many compliance regulations are enacted to ensure that organizations operate fairly and ethically. For that reason, compliance risk is also known as integrity risk. Compliance risk management is part of the collective governance, risk management and compliance (GRC) 617 discipline. Penalties for compliance violations include payments for damages, fines and voided contracts, which can lead to the organization's loss of reputation and business opportunities. Compliance risk is also a major topic when implementing RBIA. In the conference “Changes in International Professional Practices Framework (IPPF) and development of IA in Vietnam” in 2017, most of the experts agreed that banking was a high risk industry, therefore defense lines were very important and the IA played very essential roles in assessing and controlling risk. The standard, framework, ethics and working techniques should always be reviewed and enhanced. In this conference, experts highlighted two new standards regarding roles of IA head in an organization. Beside traditional IA function, the IA head is also responsible for risk assessment, compliance and other events affecting the independence of the IA. The experts also recommended the IA department to regularly refresh their selves by updating new standards, regulations and apply new technology in IA activities. Mr. Tram Tuan Vu, Vice director of Ho Chi Minh Stock-Exchange stressed that, IA provides a lot of benefits to organizations and this is a useful tool to identify and improve weaknesses in any company. By the IA functions, Board of Director and Board of Management can effectively control their business, improve chances to reach goals and better risk management. The IA can boost confidence of shareholders and investors in the stock market about the company’s corporate governance. Although there are many difficulties in term of technical area, human resources and national regulations, movement to RBIA will be helpful for banks in different ways. It will take time for commercial banks to apply RBIA, the author believe that the benefit will far outweigh the disadvantages. 5. Recommendations and Suggestions Transforming to RBIA is currently introduced and applied in Vietnam, however, the movement has not been completed in a comprehensive way. While many banks start for this change, some others are not ready. To meet the standards and regulations from State Bank of Vietnam and Basel II to adopt RBIA, it is crucial for each bank to consider following recommendations: 1. Top management of commercial banks is not aware of the importance of regular monitoring and inspecting. They only conduct special investigation when abnormal events occur. Therefore, the internal audit manual should be created to facilitate periodic and continuous evaluating, reviewing and inspecting. 2. The total number of branches being audited as compared to the whole network of each bank is too small. Some audit engagement is conducted but the scope of work is limited and the audit results do not reflect the overall limited area of each bank, misstatement are not timely controlled and prevented. So the current internal audit practice should be reviewed and the scope of audit must be implemented in the whole banking system, including the Head Office, branches, and departments and banking products. 618 3. The risk assessment is an important step in audit planning, however, many banks abandon this procedure when planning the engagement, and they only carry out this step in the field work. All banks must prioritize the risk evaluation process and set a requirements to apply this procedures in all audit arrangement. 4. Effective use of the internal audit resources no longer means keeping a high quality audit program that clear banks from troubles. The internal audit department should improve the business through actual value-added audits and recommendations. 5. Regular training for internal audit staffs to provide the most updated international guidance and standards. In particular, training of staff at branches, risk management division through special programs in Risk management and RBIA. 6. Support staffs to pursue international internal auditing qualification like CIA by the IIA is one of the most effective way to enhance their professional skills, knowledge and competence. 7. Formats for risk assessment under RBIA should be prepared. RBIA should be implemented and reviewed in updated formats and working papers. 5. References Ali, A., 2016. Change in internal auditing practice: evolution, constraints and ingenious solutions. Thesis: Aston University. Anchor, F. M., 2008. Improving Internal Audit. Kenya: Financial Management Anchor. Brink, V. a. H. W., 1982. Modern Internal Auditing. New York: John Wiley & Sons, Inc.. Chartered Institute of Internal Auditor , 2018. Risk based internal auditing. Chun, 1997. On the functions and objectives of internal audit and their underlying conditions,. Managerial Auditing Journal , p. 247–25 . KPMG, 2008 . Enterprise Risk Management in the United States. PwC, 2011. Internal Audit: Contemporary Challenges and Creative Solutions. Annual Conference IIA Bulgaria. The IIA Australia, 2016. White Paper – Integrated Risk-Based Internal Auditing. The IIA’s Position Paper, 2013. The Three Lines of Defense in Effective Risk Management & Control. VADIM, B., 2009. Internal Audit and its approach to risk mitigation. Journal of Interdisciplinary Research. pp. 11-15.