Internal Audit is an independent, objective assurance and consulting activity designed to add value and improve the Group's operations. It helps the Group accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
The purpose, authority, and responsibility of the Internal Audit Department should be defined in a formal written document (charter). The head of the Internal Audit Department of ABG should seek approval of the document from the Board Audit Committee.
Internal auditing is a vital part of AlBaraka Banking Group (ABG) and functions in accordance with the policies established by the Board of ABG. Each subsidiary (Unit) of ABG is expected to have an Internal Audit Department, even if local authorities do not require it. Internal auditing is an independent appraisal function established within ABG to examine and evaluate its activities as a service to the Board of each Unit, and ultimately to the Board of ABG. The findings arising from the performance of this function are highly relevant to the management of each Unit and of ABG. The internal auditors must have a high degree of independence and must not be assigned duties or engage in any activities that they would normally be expected to review or appraise.
Group Internal Audit adheres to the standards of best professional practice, such as those published by the Institute of Internal Auditors (IIA) and the Information Systems Audit and Control Association (ISACA) and relevant requirements of the Central Bank of Bahrain related to the Internal Audit function.
The appointment, removal and evaluation of the head of the Internal Audit Department of ABG are the sole responsibility of, and at the sole discretion of, the Board Audit Committee (BAC).
The BAC will study the details of the candidates, shortlist a number of them, interview them, and decide on the candidate it deems fit for the job.
The audit committee must ensure that the head of the internal audit function is a person of integrity. This means that he or she will be able to perform his or her work with honesty, diligence and responsibility. It also implies that this person observes the law and has not been a party to any illegal activity. The head of internal audit must also ensure that the members of internal audit staff are persons of integrity.
Similarly, the appointment, removal and evaluation of the head of Internal Audit of each AlBaraka subsidiary bank (Unit) are at the discretion of the Audit Committee of the respective Unit. However, such appointment should be subject to consultation with the head of Internal Audit of ABG.
Prior approval of the Central Bank of Bahrain (CBB) must be obtained for the appointment of the head of Internal Audit Department of ABG.
The head of the Internal Audit Department of ABG reports functionally and directly to the Board Audit Committee of ABG. Administratively, the head of the Department reports to the President & Chief Executive (P&CE) of ABG.
The head of the Internal Audit Department of ABG will be the secretary to the Board Audit Committee (BAC). As per the agreed annual schedule, or at the request of the Chairman of BAC, he will send invitations to all members of the Committee. After acceptance of the invitation by the majority of the members, he will propose an agenda for the meeting. Once the agenda is agreed, he will prepare a file containing details of each agenda item at least 10 calendar days prior to the meeting. He is responsible for drafting the minutes of the meeting and submitting them to all members for their initial approval not later than 7 calendar days after the meeting. Once the initial approval is obtained from the majority of the members, he should sign the minutes and submit them to the Secretary of the Board for submission to the Board in its next meeting.
The mission of the Internal Audit Department is to assist the Board Audit Committee and the management of ABG in the effective discharge of their responsibilities. It will aim to furnish them with analyses, appraisals and recommendations concerning the activities reviewed by the Department. A further global objective is to promote effective controls at reasonable costs. The overriding objectives of the Audit Department of ABG include the following:
To provide an independent and objective assurance to the board of directors and senior management on the quality and effectiveness of the bank’s internal control, risk management and governance systems and processes, to protect the bank and its reputation.
To provide the Board and management a view on the function of the internal audit departments in each Unit to ensure it exists and it is functioning effectively.
To provide the internal audit departments of each Unit assistance so that they can provide the management and the Board of the Unit and of ABG with independent, objective evaluations of operations, policies, procedures and controls.
Internal auditors should be independent of the activities they audit and they must therefore be permitted to carry out their work freely and objectively. This means that the internal audit is independent of all functions including compliance, risk management and financial control functions. The internal audit function must also have sufficient standing and authority within the bank and must operate according to sound principles. Independence permits internal auditors to render an impartial and unbiased judgment essential to the proper conduct of audits.
The audit committee must ensure that the internal audit function is able to discharge its responsibilities in an independent manner, consistent with CBB rules relating to internal audit department independence. It must review and approve the audit plan, its scope, and the budget of the internal audit function. It must also review audit reports and ensure that senior management is taking necessary and timely corrective actions to address control weaknesses, compliance issues with policies, laws and regulations, and other concerns identified and reported by the internal audit function.
The status of each Internal Audit Department within ABG and each of the Units should be sufficient to permit the accomplishment of its audit responsibilities. The head of the Internal Audit Department should have sufficient authority to promote and maintain independence and to ensure broad audit coverage, adequate proper appreciation of audit reports, and appropriate action on audit recommendations.
Objectivity is an independent mental attitude, which internal auditors should maintain in performing audits.
The staff of the internal audit department of ABG shall every year sign a testimony of their independence and declare any conflict of interests, financial or otherwise, of the Units and departments of ABG subject to their audit.
Differences of opinion between the ABG internal audit department and local management of the Units shall be referred to the BAC for final resolution.
Internal Audit Department of ABG should have full, unrestricted, and free access to records, personnel, and assets subject to their audit, review, or investigation.
Senior management must inform the internal audit function of new developments, initiatives, projects, products and operational changes.
Internal Audit Department of ABG should have access to the human capital and other resources of internal audit functions of each Unit.
Internal Audit Department of ABG can seek and obtain external assistance should the requisite knowledge, skills, or competence not be available within the department.
Internal Audit Department of ABG must exercise discretion and confidentiality with regard to all operations and administrative procedures and/or any other information of which they become aware during their audit.
The staff of the Internal Audit Department shall not play any executive role whatsoever in ABG or in its Units. The staff of the Internal Audit Department of ABG are subject to the following restrictions:
Must not perform any operational duties,
Must not audit specific operations for which they were previously responsible, for which they had management responsibility in the previous one year.
Internal Auditors should not become involved in the design, installation, drafting of procedures or operation of systems, primarily because such an involvement would be presumed to impair audit independence and objectivity.
Internal auditors are not to subordinate their judgment on audit matters to that of others.
The internal audit function must be accountable to BAC, on all matters related to the performance of its mandate as described in the internal audit charter. It must also promptly inform the P & CE and other related Heads of Functions about its findings.
The internal audit function must inform senior management of all significant findings so that timely corrective actions can be taken. Subsequently, the internal audit function must follow up with senior management on the outcome of these corrective measures.
To accomplish the objectives stated above, the Internal Audit Department of ABG will do the following:
Develop a risk-based internal audit plan. The plan will cover the audit of each Unit and of departments within ABG, taking into consideration the goals and objectives of the Group. This plan addresses two key areas: (1) risk assessment results and (2) Internal Audit resources. This plan should be submitted annually to the Board Audit Committee for its prior approval.
Review of policies and guidelines, and codes of conduct.
Review the systems established to ensure compliance with these policies, plans, procedures, guidelines, which could have a significant impact on operations.
Review the adherence to these group policies and guidelines, and to codes of conduct.
Review the means of safeguarding assets and, as appropriate, verify the existence of such assets.
Appraise the economy and efficiency with which resources are employed.
Review operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.
Review of the bank's capital in relation to its estimate of risks (CAR).
Assess and evaluate the reliability and integrity of financial and operating information and the means used to identify, measure, classify, and report such information.
Review of the electronic information system and electronic banking services (IT audit).
Review the compliance to regulatory requirements (CBB regulations, local central bank regulations, UN regulations, and international practices for prevention of financial crimes and terrorism).
Review compliance to best international practices of Corporate Governance.
Providing independent appraisals and recommendations regarding the ability of each Unit to comply with applicable policies, plans, procedures, laws, and regulations with the aim of adequately safeguarding assets; using resources economically and efficiently; and accomplishing established objectives and goals through:
Conducting or participating in audits of profit and support centers within ABG and at each Unit. The audit Scope can include the following:
Risk Assets reviews. This covers mainly credit review of financing portfolio on sampling basis, which includes credit transactions / financings to Corporate, financings to Small & Medium entities, Retail financings, exposures to Financial Institutions, Sovereign exposures, Sukuks, Investment & Trading portfolios if any. This also includes the review of Trade Finance activities, Letter of Guarantees and other Commitments and other banking services. This also covers the operational control aspects relating to processing and monitoring of these facilities / transactions. It also covers review of credit process. Horizontally, the review covers the whole cycle from initiation (the approval process) till expiry (repayments) of these transactions.
Internal Controls within the Unit as a whole and other Support departments. It includes the review of the internal audit function, internal control function, financial control, risk management function, and others. However, it does not cover the work of the HR and Admin department, unless a need arises.
IT Audit. This audit is carried out by an IT auditor, who is part of the internal audit team of ABG. The review is based on best practice controls and the basic standards of ISO/17799/2700x. It covers the review of controls in the core-banking system, and any other separate ancillary system used, such as HR system, Trade Finance, E-Banking services, Windows, PCs, Internet, and the website of the unit. A separate audit report for this is issued and is included in the overall audit report of each unit.
Corporate Governance & Compliance Audit. As part of the audit, a review of corporate governance practices and compliance with regulations is carried out. This will cover Corporate Governance best practices and a review of compliance with local regulations, CBB regulations, UN regulations, and international practices for the prevention of money laundering and financial crimes. This will cover regulations issued by OFAC of the USA and by the EU, the purpose of which is to distance the group from any possible accusation of non-compliance with these regulations, which could prevent the group from dealing in the currencies of these countries. The work will cover in particular regulations relating to AML/CFT, Sanctions, FATCA, and any similar new regulations such as the new CRTs.
Risk Management. This will cover a review to evaluate the work of Board Risk Committee and the Risk management function of each unit.
Financial Performance of each Unit / ABG Department. An appraisal of the financial performance of each Unit / ABG Department will be carried-out.
Site audit visits of branches. A small number of branches (between two and four) will be selected and audited. The audit will be on-site.
Follow-up of issues raised in our previous audits. Follow-up audits will be conducted on internal audit reports issued. Such follow-up will be initiated after the expiry of the last target date in the audit report. The internal audit department will also obtain a status report on a quarterly basis to keep track of progress on implementation of audit findings.
Scope. The scope of internal auditing shall encompass the examination and evaluation of the adequacy and effectiveness of the internal controls and the quality of performance in carrying out assigned responsibilities. The scope of each individual audit will be determined prior to commencement of such audits. The scope will be based on a risk assessment of each Unit and of each department within ABG.
Conducting special audits or special consultations requested by the Board of the Unit, by the Board of ABG, or by the P&CE of ABG.
Investigating reported or suspected occurrences of fraud, embezzlement, theft, waste, and otherwise, and recommending controls to prevent and/or detect such occurrences.
Providing independent appraisals with recommendations regarding resource sharing, with an emphasis on program results and the economic and efficient use of resources.
Preparing an annual summary of all Internal Audit Department activities carried out by the department to be presented to the Board of Directors and the Board Audit Committee.
The Internal Audit Department should be available to carry out consulting services needed by the Board, Board Audit Committee, or by management. Prior approval for significant consulting services requested by management should be obtained from the Chairman of the Board Audit Committee.
Consulting services are advisory in nature and are generally performed at the specific request of the Board/Management.
The Internal Audit Department shall establish and maintain a program of quality assurance designed to evaluate the operations of the department. The purpose of this program is to provide reasonable assurance, to the Board Audit Committee of ABG that all work performed by the department conforms to the guidelines under which the department operates. This program should include supervision, training, and internal reviews.
Internal assessment must include:
Ongoing monitoring of the performance of the internal audit activity.
Periodic self-assessments or assessments by other persons within the organization with sufficient knowledge of internal audit practices.
Reviews by The Internal Audit Department of ABG
The internal audit department of ABG, as part of its activities in performing the audit on each Unit, will review the audit function of the said Unit to ensure compliance with the group policies and procedures and to monitor the effectiveness and efficiency of the departments.
The audit function of ABG should be reviewed by an external consultant, who is not the external auditor of ABG, once every five years. Before the start of such assignment, the Board Audit Committee should approve the appointment. It is also highly recommended that each Unit’s management should make the same arrangement from an external advisor who is not their auditor, to have a plan for review of the effectiveness of the Internal Audit Department.
The head of the Internal Audit Department of each Unit shall be in continuous contact with the Head of the Internal Audit Department of ABG, discussing significant issues, and must keep him informed of any irregularities.
To enhance the follow up process of the audit findings arising from audits being carried out by the internal audit team of ABG, and also to be updated with the latest developments within the unit, it is important that the audit department of ABG participate in the meetings of the audit committee of the units. Another purpose is to ensure these audit committees function effectively.
The Head of the internal audit department of ABG or his representative will participate in these meetings as an observer only, either in person or remotely. The ABG group internal audit department is not responsible for any decision taken during such meetings, as the committees have their own chairman and voting members who are the ultimate approval authority. The frequency of participation in such meetings may also take into account the risk of over-familiarity with the subsidiary leading to possible impairment of independence. The balance of this factor and other important factors that may outweigh this risk may also be considered. Professional judgement and experience with the subsidiary are key components of the decision taken.
A management follow-up committee was established by the President & Chief Executive of ABG. The role of the committee is restricted to following up on audit observations raised by the ABG internal audit department. In addition, the committee is responsible for resolving disputes between local management and group internal audit. However, if such issues are not resolved, they must be referred to the Board Audit Committee for a final decision.
The internal audit function and the external auditors should coordinate their activities to increase efficiency and minimize duplication of efforts where it is possible and applicable. Procedures for the coordination between the internal audit function and the external auditor are as follows:
Internal Audit can work with external auditors only if such joint effort can lead to increasing the time available to the internal audit department or increase the audit coverage to lower the risks of fraud or misstatement. Joint audit is allowed for such purpose only with the approval of the Audit Committee. Joint audit is only allowed if the time saving from such an approach leads to a reduction in audit fees charged by the external auditor and does not materially impact the risk assessment performed by the internal audit for the year.
Internal Audit Department may rely on work performed by external auditors if such reliance can lead to time saving, giving the internal audit additional time to focus on other areas. Such an approach, if adopted, must first be approved by the Audit Committee.
Once the Audit Committee accepts to adopt any of the above strategies, the internal audit must provide a plan to the Committee on the potential changes.
This Charter should be made available to all the auditees in all Units, and to all heads of departments in ABG.
Staff of the Internal Audit Department of ABG should have access to this Charter.
This Charter should be made available on the website of ABG, and regularly updated.
The Group Internal Audit Department follows the ABG group structure (decentralized structure), which provides autonomy to the subsidiaries with overall oversight monitoring that includes:
Group audit assignment performed directly on the subsidiary.
Quality assurance reviews on subsidiaries internal audit department.
Receiving quarterly local internal audit reports.
Therefore, the roles of the group internal audit function and the local subsidiaries' internal audit functions are different and serve different purposes, as follows:
Scope of work
Local internal audit: Scope of work is comprehensive.
Group internal audit: Scope of work is limited to key risk areas on a high level basis.
Comfort obtained
Local internal audit: Comfort obtained is to serve both local stakeholders and ABG shareholders.
Group internal audit: Comfort obtained is to serve ABG shareholders.
Coverage
Local internal audit: Coverage is wider in terms of sampling, time taken to perform the audit, number of staff and level of details required to be covered.
Group internal audit: Coverage is narrower in terms of sampling, time taken to perform the audit, number of staff and level of details required to be covered.
Sampling
Local internal audit: The sampling selection can be judgmental or statistical depending on the assurance required and the audit objective to be met. The local internal audit department is required to follow the IIA for this matter, where it can choose between judgmental or statistical sampling. However, the selection of the samples should reduce the sampling risk and ensure reasonable assurance is provided on the audit objective.
Group internal audit: The sampling selection criteria are more judgmental and limited to the operating model of the department (decentralized) and the assurance the department can provide with this type of operating model. The group internal audit department may use the Sarbanes Oxley Act 2002 sampling method or any other judgmental sampling or ACL tools. However, the coverage and samples selected are only to provide overall comfort on the audit objective and not reasonable assurance that the objective is met. Therefore, the sampling risk will always exist.
Nature of work
Local internal audit: The nature of work of the local internal audit department is limited to audits and consultancy.
Group internal audit: The group internal audit will perform both audits on key risks (high level) as explained above and establish quality improvement programs for the units. Quality improvement programs will include different initiatives depending on the need of each subsidiary. Examples: quality assurance reviews, training, on-the-job training, guidance, and updating unified group policies and procedures. Such initiatives should be included in the annual audit plan and budgeted for. The objective is to strengthen the internal audit functions across the group. The local audit committees in the units must work with the group on improvement and support the group initiatives.
Reporting
Local internal audit: The function of the local internal audit will report directly to the audit committee and also report to the group on a quarterly basis.
Group internal audit: The group internal audit will review the quarterly reports with the aim of establishing action plans for improvement and/or action that may need to be taken on a group board level if necessary.
At least annually, the Head of Internal Audit of ABG will submit to senior management and BAC an internal audit plan for review and approval. The internal audit plan will consist of a work schedule as well as budget and resource requirements for the next fiscal/ calendar year.
The internal audit plan will be developed based on prioritization of the audit universe using a risk-based methodology, including input of senior management and the Board. The Head of Internal Audit will review and adjust the scheduled audits and the number of staff allocated for each audit as per the audit plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, controls and other administrative changes.
The head of the Internal Audit Department can include an additional audit of a Unit, cancel a scheduled audit as per the approved audit plan, or change the scope in response to new information and changes. Such changes must be communicated to the audit committee either through circulation or in the next Board Audit Committee meeting.
The head of internal audit/coordinator must maintain adequate oversight and ensure that any outsourcing providers comply with the principles of the bank’s internal audit charter.
To preserve independence, the head of internal audit/coordinator must ensure that the outsourcing provider has not been previously engaged in a consulting engagement in the same area within the bank unless a one-year “cooling-off” period has elapsed. Subsequently, those experts who participated in an internal audit engagement must not provide consulting services to a function of the bank they have audited within the previous 12 months. Additionally, ABG must not outsource internal audit activities to its own external audit firm.
The head of the ABG Internal Audit Department should consider rotating team leaders in order to avoid over-familiarity with a Unit. Such rotation will be based on the head's best knowledge and assessment, and availability of resources.
Adequate, relevant, complete and accurate records of information should be maintained which can be easily retrieved by those with a legitimate right of access. Information records should also be secured from unauthorized alteration, and access to them should be properly controlled. The internal audit department should follow ABG policy and local rules and regulations with regard to retention of records. Team leaders are responsible for ensuring that this policy is complied with. Individual auditors must ensure that they keep appropriate records of their work and manage those records effectively.
The internal audit department is evaluated against its annual key performance indicators. The results of the performance review against those indicators are reported to the audit committee on an annual basis and to the board of directors through the annual internal audit report presented to the Board of Directors by the Audit Committee.