Internal Audit is an independent, objective assurance and consulting activity designed to add value and improve the Group operations. It helps the Group accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. The purpose, authority, and responsibility of the Internal Audit Department should be defined in a formal written document (charter). The head of the Internal Audit Department of the Group should seek approval of the document from the Group Board Audit Committee (GBAC). Internal auditing is a vital part of the Group and functions in accordance with the policies established by the Board of the Group. Each subsidiary (Unit) of the Group is expected to have an Internal Audit Department, even if local authorities do not require it. Internal auditing is an independent appraisal function established within the Group to examine and evaluate its activities as a service to the Board of each Unit, and ultimately to the Board of the Group. The findings arising from the performance of this function, are highly relevant to the management of each Unit and the Group. The internal auditors must have a high degree of independence and must not be assigned duties or engage in any activities that they would normally be expected to review or appraise. Group Internal Audit adheres to the standards of best professional practice, such as those published by the Institute of Internal Auditors (IIA) and the Information Systems Audit and Control Association (ISACA) and relevant requirements of the Central Bank of Bahrain related to the Internal Audit function.
The appointment, removal and evaluation of the head of Internal Audit department of the Group is the sole responsibility and discretion of the GBAC. The GBAC will study the details of the candidates, make a shortlist of a number of the candidates, and will interview them, and will decide on a candidate it deems fit for the job. The audit committee must ensure that the head of the internal audit function is a person of integrity. This means that he or she will be able to perform his or her work with honesty, diligence and responsibility. It also implies that this person observes the law and has not been a party to any illegal activity. The head of internal audit must also ensure that the members of internal audit staff are persons of integrity.
Prior approval of the Central Bank of Bahrain (CBB) must be obtained for the appointment of the head of Internal Audit Department of the Group
The head of the Internal Audit Department of the Group, reports functionally and directly to the GBAC. Administratively, the head of the Department reports to the Group Chief Executive (GCEO).
The Group Head of Internal Audit Department will be the secretary to the GBAC. As per the agreed annual schedule, or at the request of the Chairman of GBAC, he will make invitations to all members of the Committee. After acceptance of the invitation by the majority of the members, he will propose an agenda for the meeting. Once the agenda agreed, he will prepare a file containing details of each agenda at least 10 calendar days prior to the meeting. He is responsible to draft the minutes of the meeting and submit it to all members for their initial approval not later than 7 calendar days after the meeting. Once the initial approval is obtained from majority of the members, he should sign it and submit it to the Secretary of the Board for submission to the Board in its next meeting.
The mission of the Internal Audit Department is to assist the Group Board Audit Committee and the management of the Group in the effective discharge of their responsibilities. It will aim to furnish them with analyses, appraisals and recommendations concerning the activities reviewed by the Department. A further globabl objective is to promote effective controls at reasonable costs. The overriding objectives of the Audit Department of the Group includes the following: 1. To provide an independent and objective assurance to the board of directors and senior management on the quality and effectiveness of the bank’s internal control, risk management and governance systems and processes, to protect the bank and its reputation. 2. To provide the Board and management a view on the function of the internal audit departments in each Unit to ensure it exists and it is functioning effectively. 3. To provide the internal audit departments of each Unit assistance so that they can provide the management and the Board of the Unit and of the Group with independent, objective evaluations of operations, policies, procedures and controls.
Internal auditors should be independent of the activities they audit and they must therefore be permitted to carry out their work freely and objectively. This means that the internal audit is independent of all functions including compliance, risk management and financial control functions. The internal audit function must also have sufficient standing and authority within the bank and must operate according to sound principles. Independence permits internal auditors to render an impartial and unbiased judgment essential to the proper conduct of audits. The GBAC must ensure that the internal audit function is able to discharge its responsibilities in an independent manner, consistent with CBB rules relating to internal audit department independence. It must review and approve the audit plan, its scope, and the budget of the internal audit function. It must also review audit reports and ensure that senior management is taking necessary and timely corrective actions to address control weaknesses, compliance issues with policies, laws and regulations, and other concerns identified and reported by the internal audit function. The status of each Internal Audit Department within the Head Office and each of the local units should be sufficient to permit the accomplishment of its audit responsibilities. The head of the Internal Audit Department should have sufficient authority to promote and maintain independence and to ensure broad audit coverage, adequate proper appreciation of audit reports, and appropriate action on audit recommendations. Objectivity is an independent mental attitude, which internal auditors should maintain in performing audits. The staff of the internal audit department of the Group shall every year sign a testimony of their independence and declare any conflict of interests, financial or otherwise. Difference in opinions between the Group internal audit department and local management of the units shall be finally resolved and referred to the GBAC.
Internal Audit Department of the Group should have full, unrestricted, and free access to records, personnel, and assets subject to their audit, review, or investigation. Senior management must inform the internal audit function of new developments, initiatives, projects, products and operational changes. Internal Audit Department of the Group should have access to the human capital and other resources of internal audit functions of each Unit. Internal Audit Department of the Group can seek and obtain external assistance should the requisite knowledge, skills, or competence not be available within the department. Internal Audit Department of the Group must exercise discretion and confidentiality with regard to all operations and administrative procedures and/or any other information to which they become aware of during their audit. The staff of Internal Audit Department shall not play any executive role whatsoever in the Head Office or in its Units. The staff of Internal Audit Department of the Group should be restricted from the followings; - Must not perform any operational duties, - Must not audit specific operations for which they were previously responsible, for which they had management responsibility in the previous one year. - Internal Auditors should not become involved in the design, installation, drafting procedures or operation of systems primarily, because such an involvement would be presumed to impair audit independence and objectivity. - Internal auditors are not to subordinate their judgment on audit matters to that of others.
The internal audit function must be accountable to GBAC, on all matters related to the performance of its mandate as described in the internal audit charter. It must also promptly inform the GCEO and other related Heads of Functions about its findings.
The internal audit function must inform senior management of all significant findings so that timely corrective actions can be taken. Subsequently, the internal audit function must follow up with senior management on the outcome of these corrective measures.
The head of the local internal audit function will have a dotted-line reporting to the Group Head of Internal Audit to ensure that his/her function is following the Group policies/guidelines and procedures. At the same time, he is responsible for understanding the unique local requirements for the internal audit function. Major irregularities or fraud should be reported to the Group Head of Internal Audit by the local head. The appointment, removal and evaluation of head of Internal Audit of each Albaraka subsidiary banks (Unit) is at the discretion of the Audit Committee of the respective Unit. However, such appointment should be subject to consultation with the head of Internal Audit of the Group. The aim of such dotted line reporting is to increase sharing knowledge and resources across the group and also ensure that the Group Internal Audit Department exercises its oversight role. Sharing resources between Group Internal Audit and Local resources is also a recommended practice where experts from one subsidiary can provide value adding expertise to another subsidiary through the Group Internal Audit assignments. The role of both group internal audit and local subsidiaries internal audit functions are different as follows:
Local internal audit
Group internal audit
Scope of work is comprehensive
Scope of work is limited to key risk areas on a high level basis
Comfort obtained is to serve both local stakeholders and Group shareholders
Comfort obtained to serve the Group shareholders and to add value to the units.
Coverage is wider in terms of sampling, time taken to perform the audit, number of staff and level of details required to be covered.
Coverage is narrower in terms of sampling, time taken to perform the audit, number of staff and level of details required to be covered.
The sampling selection can be judgmental or statistical depending on the assurance required and audit objective to meet. The local internal audit department is required to follow the IIA for this matter where it can choose between judgmental or statistical sampling. However, the selection of the samples should reduce the sampling risk and ensure reasonable assurance is provided on the audit objective.
The sampling selection criteria is more judgmental and limited to the operating model of the department (decentralized) and the assurance the department can provide with this type of operating model. The group internal audit department may use Sarbanes Oxley Act 2002 sampling method or any other judgmental sampling or ACL tools. However, the coverage and samples selected are only to provide overall comfort on the audit objective and not reasonable assurance that the objective is met. Therefore, the sampling risk will always exist.
The nature of work of the local internal audit department is limited to audits and consultancy.
The group internal audit will perform both audits on key risks (high level) as explained above and establish quality improvement programs for the units. Quality improvement programs will include different initiatives depending on the need of each subsidiary. Examples, quality assurance reviews, training, on job training, guidance, update unified group policies and procedures. Such initiatives should be included in the annual audit plan and budgeted for. The objective is to strengthen the internal audit functions across the group. The local audit committees in the units must work with the group on improvement and support the group initiatives. Quality improvement programs will only be conducted if resources and budgets are available.
The the local internal audit function will report directly to the local audit committee and dotted line reporting to Group Head of Internal Audit.
The group internal audit department will report directly to the Group Audit Committee and perform reviews on the local audit reports.
1.01.09.01 Group Key Performance Indicators
In order to align the local internal audit functions with the group internal audit direction, the Group Internal Audit Department will establish on a yearly basis Group Key Performance Indicators. Such indicators should be circulated to the heads of the local internal audit functions and the performance is reviewed on a yearly basis against those Indicators. The evaluations report of the performance will shared with the Group Audit Committee, the chairman of the local internal audit function and also the local internal audit head of the department.
At least annually, the Head of Internal Audit of ABG will submit GBAC an internal audit plan for review and approval. The internal audit plan will consist of a work schedule as well as budget and resource requirements for the next fiscal/ calendar year. The internal audit plan will be developed based on prioritization of the audit universe using a risk-based methodology, including input of senior management and the GBAC if any. The Group Head of Internal Audit will review and adjust the scheduled audits and the number of staff allocated for each audit as per the audit plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, controls and other administrative changes. The Group Head of Internal Audit Department can include an additional audit of unit, cancel a scheduled audit as per the approved audit plan, or change the scope in response to new information and changes, such changes must be communicated to the audit committee either through circulation or in the next Group Board Audit Committee meeting.
To accomplish the objectives stated above, the Internal Audit Department of the Group, will perform the followings;
1. Develop a risk-based internal audit plan. The plan will cover audit of each Unit and departments within ABG taking into consideration the goals and objectives of the Group. This plan addresses two key areas (1) risk assessment results (2) Internal Audit resources. This plan should be submitted annually to the Group Board Audit Committee for its prior approval. 2. Review of policies and procedures. 3. Review the systems established to ensure compliance with these policies, plans, procedures, guidelines, which could have a significant impact on operations. 4. Review the adherence to these group policies and procedures, and to codes of conduct. 5. Review the means of safeguarding assets and, as appropriate, verify the existence of such assets. 6. Appraise the economy and efficiency with which resources are employed. 7. Review operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned. 8. Review of bank's capital in relation to its estimate of risks (CAR). 9. Assess and evaluate the reliability and integrity of financial and operating information and the means used to identify, measure, classify, and report such information. 10. Review of the electronic information system and electronic banking services (IT audit). 11. Review the compliance to regulatory requirements (CBB regulations, local central bank regulations, UN regulations, and international practices for prevention of financial crimes and terrorism). 12. Review compliance to best international practices of Corporate Governance. 13. Providing independent appraisals and recommendations regarding the ability of each Unit to comply with applicable policies, plans, procedures, laws, and regulations with the aim of adequately safeguarding assets; using resources economically and efficiently; and accomplishing established objectives and goals through: a) Conducting or participating in audits of profit and support centers within Head Office and at each Unit. The audit scope can include the following: o Risk Assets reviews. This covers mainly credit review of financing portfolio on sampling basis, which includes credit transactions / financings to Corporate, financings to Small & Medium entities, Retail financings, exposures to Financial Institutions, Sovereign exposures, Sukuks, Investment & Trading portfolios if any. This also includes the review of Trade Finance activities, Letter of Guarantees and other Commitments and other banking services. This also covers the operational control aspects relating to processing and monitoring of these facilities / transactions. It also covers review of credit process. Horizontally, the review covers the whole cycle from initiation (the approval process) till expiry (repayments) of these transactions. o Internal Controls within the Unit as a whole and other Support departments. It includes the review of the internal audit function, internal control function, financial control, risk management function, and others. But, it does not cover the work of HR and Admin department, unless a need arises. o IT Audit. This audit is carried out by an IT auditor, who is part of the internal audit team of ABG. The review is based on best practice controls and the basic standards of ISO/17799/2700x. It covers the review of controls in the core-banking system, and any other separate ancillary system used, such as HR system, Trade Finance, E-Banking services, Windows, PCs, Internet, and the website of the unit. A separate audit report for this is issued and is included in the overall audit report of each unit. o Corporate Governance & Compliance Audit. As part of the audit, a review of corporate governance practices and compliance to regulations is carried out. This will cover; Corporate Governance best practices, and a review of the compliance to Local regulations, CBB regulations, UN regulations, and international practices for the prevention of money laundering and financial crimes. This will cover regulations issued by OFAC of USA and the EU, the purpose of which is to distance the group from any possible accusation of non-respect to these regulations, which could lead to prevent the group from dealing in the currencies of these countries. The work will cover in particular regulations relating to AML/CFT, Sanctions, FATCA, and any similar new regulations such as the new CRTs. o Risk Management. This will cover a review to evaluate the governance of the Board Risk Committee and the Risk management function of each unit. o Site audit visits of branches. A few number (between two to four) of branches will be selected, and audited if operational risks is covered with the audit scope. The audit will be on-site. o Follow-up of issues raised in our previous audits. Monthly follow up will be conducted by the follow up auditor on audit reports to ensure timely implementation of audit findings and reports such status to management. o Scope. The scope of internal auditing shall encompass the examination and evaluation of the adequacy and effectiveness of the internal controls and the quality of performance in carrying out assigned responsibilities. The scope of each individual audit will be determined prior to commencement of such audits. The scope will be based on a risk assessment which of each Unit and of each department within Head Office. b) Conducting special audits or special consultations/reviews requested by the Board of the Unit, by the Board of the Group, or by the GCEO. Such types of assignments will be conducted if they do not interrupt the already scheculded audits as per the internal audit plan leading to cancelation of any already scheduled audit already approved by the audit committee. If such request will lead to cancelation of any audit assignment, the approval of the audit committee must be obtained. c) Investigating reported or suspected occurrences of fraud, embezzlement, theft, waste, and otherwise, and recommending controls to prevent and/or detect such occurrences. 14. Providing independent appraisals with recommendations regarding resource sharing, with an emphasis on program results and the economic and efficient use of resources. 15. Preparing an annual summary of all Internal Audit committee activities to be presented to the Board of Directors of the Group through the Group Board Audit Committee.
The Internal Audit Department should be available to carry out consulting services needed by the Board, Board Audit Committee, or by management. Prior approval for significant consulting services requested by management should be obtained from the Chairman of the Board Audit Committee. Consulting services are advisory in nature and are generally performed at the specific request of the Board/Management.
The Group head of internal audit/coordinator must maintain adequate oversight and ensure that any outsourcing providers comply with the principles of the bank’s internal audit charter. To preserve independence, the Group head of internal audit/coordinator must ensure that the outsourcing provider has not been previously engaged in a consulting engagement in the same area within the bank unless a one-year “cooling-off” period has elapsed. Subsequently, those experts who participated in an internal audit engagement must not provide consulting services to a function of the bank they have audited within the previous 12 months. Additionally, the Group must not outsource internal audit activities to its own external audit firm.
The Internal Audit Department shall establish and maintain a program of quality assurance designed to evaluate the operations of the department. The purpose of this program is to provide reasonable assurance, to the Group Board Audit Committee that all work performed by the department conforms to the guidelines under which the department operates. This program should include supervision, training, and internal reviews.
Internal assessment must include: - Ongoing monitoring of the performance of the internal audit activity. - Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices.
The internal audit department of the Group, as part of its activities in performing the audit on each Unit, will review the audit function of the said Unit to ensure compliance with the group policies and procedures and to monitor the effectiveness and efficiency of the departments. Such reviews should only be decided taking into consideration the results fo the risk assessments and availability of resources.
The audit function of the Group should be reviewed by an external consultant, who is not the external auditor of the Group, once every five years. Before the start of such assignment, the Group Board Audit Committee should approve the appointment. It is also highly recommended that each Unit’s management should make the same arrangement from an external advisor who is not their auditor, to have a plan for review of the effectiveness of the Internal Audit Department.
To enhance the oversight role of the Group Internal Audit and to be up to date with the latest developments in the units with regards to auditing matters, it is important that the Group Internal Audit Department participate in the meetings of the audit committee of the units. The Group Head of the Internal Audit Department or his representative may participate in such meetings as obervers only either in-person or remotely. The Group Internal Audit Department is not responsible for any decision taken during such meetings as the committees have their own chairman and voting members who are the ultimate approval authority. The frequency of the participation in such meetings may also consider the risk of over famility with the subsidiary leading to possible impairment of independence. The balance of this factor and other important factors that may outweigh this risk may also be considered. The professional judgement and experience with the subsidairiy is a key component to the decision taken.
The Group established risk,compliance and audit follow up committee. The role of the committee is to review follow up items and pending issues. restricted to follow up on audit observations raised by ABG internal audit department. Such a practice is encouraged to be developed in the units to ensure all pending issues are timely actioned unless the local function has another set up for the same purpose.
The internal audit function and the external auditors should coordinate their activities to increase efficiency and minimize duplication of efforts where it is possible and applicable. Procedures for the coordination between the internal audit function and external auditor as follows: - Internal Audit can work with external auditors only if such joint effort can lead to increasing the time available to the internal audit department or increase the audit coverage to lower the risks of fraud or misstatement. Joint audit is allowed for such purpose only with the approval of the Audit Committee. Joint audit only allowed if the time saving from such approach lead to reduction in audit fees charged by the external auditor and does not materially impact the risk assessment performed by the internal audit for the year. - Internal Audit Department may rely on work performed by external auditors if such reliance can lead to time saving enabling the internal audit additional time to focus on other areas. Such approach if adopted must be first approved by the Audit Committee. - Once the Audit Committee accepts to adopt any of the above strategies, the internal audit must provide a plan to the Committee on the potential changes.
The Group Head of Internal Audit Department should consider rotating team leaders in order to avoid over familiarity with the unit. Such rotation will be based on the head’s best knowledge and assessment, and availability of resources.
Adequate, relevant, complete and accurate records of information should be maintained which can be easily retrieved by those with a legitimate right of access. Also, information records should be secured from unauthorized alteration and that access is properly controlled. The internal audit department should follow the Group policy and local rules and regulations with regards to retention of records. Team leaders are responsible for ensuring that this policy is complied with. Individual auditors must ensure that they keep appropriate records of their work and manage those records effectively.
The internal audit department in the Group/Head Office is evaluated against its annual key performance indicators. The results of performance review against those indicators is reported to the audit committee on annual basis and to the board of directors through the annual internal audit report presented to the Board of Directors by the Audit Committee.
This Charter should be made available to all the auditees in all Units, and to all heads of departments in the Head Office. Staff of the Internal Audit Department of the Head Office should have access to this Charter. This Charter should be made available in the website of the group, and regularly updated.