International Conference on Finance, Accounting and Auditing (ICFAA 2018)
November 23rd, 2018
Hanoi City, Vietnam
Introduction to Risk-Based Internal Auditing and Lessons Learnt
for Commercial Banks in Vietnam
Khieu Huu Binh (a)
(a) University of Economics and Business, VNU
Submission day: 30/10/2018
Review day: 10/11/2018
Acceptance day: 15/11/2018
Abstract
Background: It is essential for Vietnamese commercial banks to improve the role and effectiveness of
internal auditing (IA), which will ensure their safe and sound development in the market
economy and help them meet international standards for financial institutions. Having once been
involved only in periodic inspection and monitoring, modern internal auditors are expanding into
risk-based activities and assisting enterprises in making strategic decisions.
Scope and approach: The paper aims to give insight into the current approach of the banking
internal audit system. Furthermore, the need for a modern approach to risk-based auditing is
discussed by introducing the contemporary model used in developed countries. Using structured
questionnaires and interviews, the author collects recommendations from Vietnamese banking and
auditing experts about the risk-based auditing trend in Vietnam.
Key findings and conclusions: Moving to risk-based auditing will lead to more effective corporate
governance in every organisation, especially in risky and highly regulated industries. A new
paradigm in risk-based auditing is needed to ensure sustainable development for commercial
banks; however, for emerging economies like Vietnam, considerable preparation in knowledge,
systems and resources is needed before this audit system is applied comprehensively.
Keywords: Commercial bank, Internal auditors, Risk-based.
1. Introduction
According to the Definition of Internal Auditing in The IIA's International
Professional Practices Framework (IPPF), internal auditing is an independent, objective
assurance and consulting activity designed to add value and improve an organization's
operations. It helps an organization accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness of risk management, control,
and governance processes.
The operations of internal audit change continuously as the economy,
organizational activities and risks develop over time. A number of corporate failures,
accounting scandals, and collapses of corporations, especially in the banking industry, show
that internal audit should be transformed to improve corporate governance in
any organization.
Table 1: Major failures and accounting scandals in the banking industry

| Name of organization | Year | Country |
|---|---|---|
| Barings Bank | 1990s | UK |
| Crédit Lyonnais | 1990s | France |
| Berliner Bank | 1990s | Germany |
| Banking Industry (in the Asian crisis) | 1997 | Asia |
| Northern Rock | 2007 | UK |
| Lehman Brothers | 2010 | USA |
| HSBC, Lloyds, Royal Bank of Scotland, Barclays | 2012 | UK |
| J.P Morgan | 2012 | UK |

By enhancing their roles, internal audits provide various services and activities to
their key stakeholders (Board of Directors, audit committee, senior management,
regulators). Over the last few decades, internal audits have improved and expanded from
their traditional roles, such as monitoring, inspecting and assessing the internal control system, to a
contemporary internal audit approach. By changing or improving their role, internal audit
can provide different types of services (or activities) to their key stakeholders (such as the
board, audit committee, senior management, operating line managers, regulators, external
auditors) according to their needs. Internal audit services and activities have improved and
expanded from the traditional role that focused on financial compliance, internal controls,
operational, computer, value-for-money, quality and management auditing to a modern
approach. This contemporary role is designed to provide assurance and consulting services,
value-added activities, business insights and strategic advice services, especially on risk
management. In fact, controlling risks plays a vital role in maintaining a sound internal control
system. While the responsibility for identifying and managing risks belongs to management,
one of the key roles of internal audit is to provide assurance that those risks have been
properly managed. This suggests that every organization should adopt a new approach,
risk-based internal audit, to deal with the above issues.
2. Literature Review:
IA has been one of the fastest developing professions in the seven decades since the
foundation of the IIA (Reding et al., 2013). Selim and McNamee (1999) suggest that there
have so far been three stages of IA: performing observation and counting physical items in
the early days of IA, control-driven audits (1940s-1990s) and the contemporary risk-driven
approach. Given the uncertain and risky nature of current business activities,
risk management is a focal point of good corporate governance practice (The IIA UK and
Ireland, 2003). IA will play a critical role in mitigating all the risks that hinder
organizations from achieving their objectives (Griffiths, 2015). It is inevitable that each organization
will pursue in-depth risk management with increasing contributions from IA (Sarens and De
Beelde, 2006). IA will concentrate on high-risk areas and the work will be carried out in
a more efficient manner (Colbert and Alderman, 1995). By implementing a risk matrix, risk-
based IA includes determining and assessing risks right from audit planning (Ayvaz and
Pehlivanli, 2010). Since the late 1990s, many accounting firms have been using an audit
methodology generally called risk-based auditing (Bell, Peecher, & Solomon, 2005, Chapter
2; Knechel, 2007; Lemon, Tatum & Turley, 2000). The IIA defines risk-based internal auditing
(RBIA) as a methodology that links internal auditing to an organization's overall risk
management framework. RBIA allows internal audit to provide assurance to the board that
risk management processes are managing risks effectively, in relation to the risk appetite.
Griffiths (2006) agreed that risk-based IA should be conducted on the basis of the risk appetite of
organizations. The fundamental principle of this IA approach is analyzing risks before the
audit work, aiming to optimize human resources and take into account all main risks.
All of the previous studies mention the role of IA in assessing, identifying and managing
risks, but some organizations do not realize the importance of moving to a risk-based approach
for IA. This suggests introducing the model in Vietnam. The author expects that,
by applying this model, the quality of internal audit work and the performance of commercial
banks will be improved.
3. Theoretical framework:
Practitioners and regulators were both confident that risk-based auditing would enhance
audit quality. The Auditing Standards Board (ASB) requires that its risk assessment
standards include an in-depth understanding of the entity and its environment to identify
the risk of material misstatement in the financial statements, and a linkage between risks and the
nature, timing and extent of audit procedures.
The same ideas apply to RBIA, which implements an audit plan with many
activities, from strategic analysis to risk assessment. RBIA is developed by identifying and
assessing risk elements through strategic analysis and designing the auditing process in line
with a risk matrix or risk map (Ayvaz & Pehlivanli, 2010). Internal audits focus on high-risk
areas, so that the engagement will be performed in a cost-effective manner (Colbert &
Alderman, 1995). Risk is now assessed before the audit engagement starts, which supports
optimal resource allocation and creates value for the organization. Research conducted
by IIA (UK & Ireland) and KPMG (2005) showed that 89% of Chief Audit Executives use
risk-based methods for yearly planning of audit work, and 93% use a risk-based approach in internal
audit engagements. Risk assessments are carried out in each internal audit engagement to identify
the risk level and evaluate the adequacy and effectiveness of the internal control system (Nuno, Lucia,
& Russel, 2009). RBIA is therefore an active, continuously developing process, which is how it
differs from the traditional method.
Although RBIA is being used in a number of places all over the world, it is still new
to many organizations. If the risk management framework is not strong or does not
exist, the organization is not ready for RBIA. More importantly, it means that the
organization's system of internal control is poor. Internal auditors in such an organization
should promote good risk management practice to improve the system of internal control.
The IIA provides guidance on how to implement RBIA in 3 stages, as follows:
Stage 1: Assessing risk maturity
Obtaining an overview of the extent to which the board and management determine,
assess, manage and monitor risks. This provides an indication of the reliability of the risk
register for audit planning purposes.
Stage 2: Periodic audit planning
Identifying the assurance and consulting assignments for a specific period, usually
annual, by identifying and prioritizing all those areas on which the board requires objective
assurance, including the risk management processes, the management of key risks, and the
recording and reporting of risks.
Stage 3: Individual audit assignments
Carrying out individual risk based assignments to provide assurance on part of the
risk management framework, including the mitigation of individual or groups of risks.
The IIA guidance above provides only general ideas for organizations adopting
RBIA. Although banking is one of the riskiest industries and is subject to rigorous national and
international requirements, there is no detailed guidance on how to implement RBIA in the
banking industry. This paper recommends that commercial banks refer to this general
guidance when applying RBIA, taking into account their own conditions and development. The
author also suggests further research, in subsequent papers, on the practical implementation of the
RBIA approach in the banking industry and its impact on overall banking performance.
4. Methodology
Starting from research into the transformation of contemporary IA as well as the application of
risk-based IA in the banking industry, this paper uses a process of synthesis and antithesis of
the ideas found in the specialist literature and in the norms specific to the analyzed fields.
The author also used a constructivist approach, applied step by step by reviewing
some best practices of risk-based auditing in developed countries, especially in commercial
banks. The paper also used constructed questionnaires and interviews with some
banking and finance experts to obtain their opinions about the current and future development
of IA in Vietnam.
Moving to RBIA is a suitable and inevitable direction for all commercial banks in
Vietnam, especially as a number of them are implementing standards and regulations
under Basel II. This is also the point of view of many experts in the banking and finance industry
in Vietnam. One of the most central documents from the Basel Committee is BCBS 223, in
which 20 pieces of guidance and recommendations for banks and banking supervisory bodies are
introduced. This document includes instructions on organizing and
conducting internal audit in commercial banks and on how banking supervisory bodies should
assess and monitor internal audit activity.
Mr. Dinh Tuan Hung, director of the Market Risk Department at BIDV, said that all banks
are recommended to create and issue internal audit manuals with at least 7 sections: purpose
and scope of the IA, requirements for the IA, reporting procedures, outsourcing the IA,
responsibility of the IA head, applicable practice and standards for the IA, and working procedures
with external audit and the management body. Internal audit operations should be conducted
on the basis of risk-based activities, and the scope of work should be updated and revised annually.
The scope must include the internal audit areas required by regulations of the management body (risk
assessment, capital adequacy, liquidity, compliance, finance) and the requirements of the
banks. Banks should ensure they have enough capability to monitor and assess the
effectiveness of the IA, risk assessment procedures and banking governance (including
outsourcing activity and branches' operations).
Dr. AJ Purcell, Head of Internal Audit department from CPA Australia also shared his
opinion about international IA by saying that the current function of IA is mainly focusing on
compliance risk and monitoring traditional financial system. Compliance risk is exposure to
legal penalties, financial forfeiture and material loss an organization faces when it fails to act
in accordance with industry laws and regulations, internal policies or prescribed best practices.
Many compliance regulations are enacted to ensure that organizations operate fairly and
ethically. For that reason, compliance risk is also known as integrity risk. Compliance risk
management is part of the collective governance, risk management and compliance (GRC)
discipline. Penalties for compliance violations include payments for damages, fines and voided
contracts, which can lead to the organization's loss of reputation and business opportunities.
Compliance risk is also a major topic when implementing RBIA.
At the conference “Changes in International Professional Practices Framework
(IPPF) and development of IA in Vietnam” in 2017, most of the experts agreed that banking
was a high-risk industry, that the lines of defense were therefore very important, and that the IA
played an essential role in assessing and controlling risk. The standards, framework, ethics and
working techniques should always be reviewed and enhanced. At this conference, experts
highlighted two new standards regarding the role of the IA head in an organization. Besides the
traditional IA function, the IA head is also responsible for risk assessment, compliance and
other events affecting the independence of the IA. The experts also recommended that the IA
department regularly refresh itself by keeping up with new standards and regulations and applying
new technology in IA activities.
Mr. Tram Tuan Vu, Vice Director of the Ho Chi Minh Stock Exchange, stressed that IA
provides many benefits to organizations and is a useful tool for identifying and improving
weaknesses in any company. Through the IA function, the Board of Directors and Board of
Management can effectively control their business, improve their chances of reaching goals and
manage risk better. The IA can boost the confidence of shareholders and investors in the
stock market in the company's corporate governance.
Although there are many difficulties in terms of technical matters, human resources and
national regulations, moving to RBIA will help banks in different ways. It will
take time for commercial banks to apply RBIA, but the author believes that the benefits will far
outweigh the disadvantages.
5. Recommendations and Suggestions
The transformation to RBIA has been introduced and is being applied in Vietnam; however, the
move has not been completed in a comprehensive way. While many banks have started this
change, others are not ready. To meet the standards and regulations of the State Bank
of Vietnam and Basel II for adopting RBIA, it is crucial for each bank to consider the following
recommendations:
1. Top management of commercial banks is not aware of the importance of regular
monitoring and inspection. They only conduct special investigations when abnormal events
occur. Therefore, an internal audit manual should be created to facilitate periodic and
continuous evaluation, review and inspection.
2. The total number of branches being audited, compared to the whole network of
each bank, is too small. Some audit engagements are conducted, but the scope of work is limited
and the audit results do not reflect the overall limited area of each bank; misstatements are
not controlled and prevented in a timely manner. The current internal audit practice should therefore be reviewed,
and the scope of audit must cover the whole banking system, including the Head
Office, branches, departments and banking products.
3. Risk assessment is an important step in audit planning; however, many banks
skip this procedure when planning the engagement and only carry out this step during
the field work. All banks must prioritize the risk evaluation process and set a requirement
to apply this procedure in all audit arrangements.
4. Effective use of internal audit resources no longer means maintaining a high-
quality audit program that keeps banks clear of trouble. The internal audit department should
improve the business through actual value-added audits and recommendations.
5. Regular training should be given to internal audit staff to provide the most up-to-date international
guidance and standards. In particular, staff at branches and in the risk management division should be trained
through special programs in risk management and RBIA.
6. Supporting staff in pursuing international internal auditing qualifications, such as the CIA from
the IIA, is one of the most effective ways to enhance their professional skills, knowledge and
competence.
7. Formats for risk assessment under RBIA should be prepared. RBIA should be
implemented and reviewed using updated formats and working papers.