Transforming the internal audit activity: An imperative need for local banks in Viet Nam
Credit institutions in Viet Nam regulated under Law on Credit Institutions(1) consist of
commercial banks, non-bank credit institutions, and cooperative banks. The commercial
banks are allowed to perform all types of banking activities and for profit purpose. The
internal audit activity is established under direct supervision of Board of Supervisors
(hereafter called BOS), which is elected by General Shareholders’ Meeting. As a
consequence, the internal audit activity is expected to retain organizational independence as
having direct access to Board of Directors (hereafter called BOD), BOS.
Trang 1
Trang 2
Trang 3
Trang 4
Trang 5
Bạn đang xem tài liệu "Transforming the internal audit activity: An imperative need for local banks in Viet Nam", để tải tài liệu gốc về máy hãy click vào nút Download ở trên
Tóm tắt nội dung tài liệu: Transforming the internal audit activity: An imperative need for local banks in Viet Nam
owned banks, and (v) State Bank of Viet Nam’s weak inspection functiondid not meet the development of credit institutions in the new period, together with inspectors’ limited competence and violation of law for some cases. Limitations of the internal audit activity and its challenges. Along with the restructuring of credit institutions, Sate Bank of Viet Nam took a step by step to create comprehensive requirements for internal control framework and placed the internal audit activity as a third line of defense together with first line and second line operating and n trÞ - Kinh nghiÖm quèc tÕ vµ thùc tr¹ng ë ViÖt Nam 10 monitoring internal control systems as required in the circular no. 44(6) and circular no. 13(7) which is to replace the circular no. 44 from 1 January 2019. The internal audit activity was regulated and provided a good corridor to perform. However, in practice, the internal audit activity faces with many challenges and limitations influencing its performance. From practical points of view, the author concerns limitations faced by a local bank’s internal audit activity in the following aspects. Positioning. Internal audit and internal control are normally misunderstood and used in exchange for each other. A big number of staff, evenly managers at a high level do not understand clearlyof the internal audit’s role. For a long time, the internal audit activity was considered a must have unit according to law but added little value to organization as its main focus was on checking the mistakes and compliance of transactions including credits or transfers. It was a common practice that internal audit’s findings and recommendations were not paid much attention bythe management and they did not care of correction measures by issue owners as it went mainly with old compliance issues. Along with more comprehensive regulations on internal audit and internal control system, the internal audit activity is required to take a more proactive role in risk management and assurance. It becomes a helping hand for BOS, BOD, CEO to undertake their oversight responsibilities over the operation of internal control systems and regulatory compliance. Position of the internal audit activity is dependent on how it wants to transform towards assurance and advisory roles and level of its involvement in the organization risk management process. Organization structure.It depends on each bank, organization of the internal audit activity varies. However, a typical structure would be called a department or a center. It groups auditors into several teams aligned with geographic locations or divisions and support functions. It is also centralized for decentralized. This structure tends to create a specialized team for each activity such as retail banking, wholesale banking, or support functions. The question might be raised herewith whether the internal audit’s organization is aligned with bank’s strategies and help it in achievement of objectives in the most efficient and effective ways. As audit team assignments are the center point in delivering annual audit plan, creating many control layers between the teams and chief audit officer is not necessary as it could slower down information flow. The flat or matrix organizations are more preferable. This view is supportive by the requirements at Circular no. 13 that BOSapproves internal audit report before sending to BOD and management. In addition, Circular no. 13 specifies risks that banks have to manage and controls to manage such risks. In practice, one type of risk might occur at several locations and one control might help to manage several types of risks. It creates a matrix of risks and controls. In consequence, the challenge here is to answer the question: how well risks are managed butnot whether controls works well. Therefore, the internal audit activity is also in question of how to structure itself to best fit to changes in risk management framework required by SBV and assure on the design and operation of internal control systems. Audit methodology.As a common practice, the internal audit activity mainly concentrates on checking and detecting compliance issues and violations of internal regulations or laws, it is likely seen as “a policeman” who tracks and makes conclusion of n trÞ - Kinh nghiÖm quèc tÕ vµ thùc tr¹ng ë ViÖt Nam 11 what go wrong and who are responsible. The audit approach, therefore, is likely a compliance-based approach. While foreign banks and foreign bank branches are familiar with the risk-based audit approach, the approach is still not popular with local banks due to its limited position, audit staff competence and infant risk management framework implemented by banks. The audit method consists of two parts: (i) annual audit plan approved by BOS and sent to Sate Bank for report before the start of the next fiscal year. The audit universe consists of list of branches, products or units which have not been checked for a period of three year to the date of audit start in the plan and branches intuitively considered as a high priority. It depends on audit resources but mandatory audits are normally accounted for at least two third of total planned audits. The credit risk is the main focus, other risks (market, liquidity, operational risks) are still paid by less or little attention; (ii) individual audits are normally planned before field visits a weeks, team leaders are rotated among specialized team members. The sample size is selected depended on number of team members or size of population. As credit operation is a key risk and dominate in branches’ income, the selected sample emphasizes significantly on credit files. Auditors checks along with credit process (loan origination, appraisal, approval, documentation, disbursement and monitoring) if any violations or lack of support documents in the files; the report summarizes findings and presents detail of discovered violations, persons responsible and then send to the auditee for comment and sign off. Then report sent to the auditee for correction and their supervisors for information and follow up. The reports to senior management are usually made on a quarter basis on upon their requests; (iii) the audit follow up is normally handled by the internal audit itself. The limitation of the audit methodology is that it use traditional compliance approach and lack of a foresight anticipation that add value to the auditee in risk management and controls. The risk-based audit approach and best practices in audit are not popular with local banks. Along with the new regulatory requirements on internal control system and risk management framework, the internal audit activity should reengineer its methodology applying best practices and international standards for its success. Auditors’ competence and compensation. Internal auditors’ competence is the key issue faced by local banks in Viet Nam. Auditors in banks are not required to be a certified professional. The Circular 13 requires those who act as banks’ auditors having at least bachelor degree in economics, business administration, law, auditing and accounting, and information technology for IT auditors, and a minimum 2 years of work experience in a bank. The concept of a risk-based audit approach is still unfamiliar with many auditors and banks’ executives. It is not easy to find a professional who have experience or expertise of internal audit best practices or international standards in Viet Nam job market at present. As its positioning, the internal audit activity is classified as a back office function. Its reward and compensation policy are still under management’s decision and lower than middle or front offices. The situation prevents internal audit from recruiting the best talents. Although the Amendment Law on Credit Institutions allows BOS to decide the recruitment of internal auditors and their compensation, it might take time and strong effort from BOS to bring the requirement into practice as it is a change in mindset of top leaders and management.Therefore, BOS plays a key role to promote the transformation of the Internal audit activity. n trÞ - Kinh nghiÖm quèc tÕ vµ thùc tr¹ng ë ViÖt Nam 12 Data analytics.According to PWC(8), internal audit continues to search for opportunities to provide deeper insights and value across the organization to address rising pressure from stakeholders, increased regulations, and a dynamic business landscape. To that end, 82% of internal audit functions surveyed in PwC’s 2017 State of the Internal Audit Profession Study have increased their investment in data mining and data analytics to facilitate monitoring of key trends and support continuous auditing. However, many functions are finding their analytics programs stalled and in need of a jumpstart. Data analytics becomes more and more important for any business in today times. Data analytics might be risk-focused or performance-focused and expected to (i) identify additional risks, (ii) better understand of existing risks, (iii) provide more assurance coverage and (iv) extract and come-out with insights to support management’s decision making process. The data analytics level applied for banks depends much on the skill level of staff and maturity of the internal audit activity.As internal audit activities for Viet Nam banks are in initial stages of development, the skills and methods for data analytics are still not available at a large extent. Therefore, it becomes a big challenge for internal audit function to develop the competence along with its transformation process. Process automation. In fact, internal audit resources are never sufficient to cover an absolute assurance on all activities, even a reasonable assurance as banks try to control operating budget during difficult periods and concern of cost-benefits that the internal audit activity could deliver. According to a survey made by IIA(9), the average ratio of the IA staff to total employees in eleven large financial institutions is 0.67% with a range from 0.35% to 1.32%. In reality, an internal audit function must exist but it could not grow its size in parallel with organization’s growth as budget concerns. Therefore, the best solution to gain productivityis by increasing the level of automation of audit processes and reports. The automated controls in audit processes will also increase the accountability and communication practices between auditors and stakeholders. In Viet Nam, although some local banks are looking for audit process automation, most of audit tasks are still done manually. Once the internal audit function becomes more mature and its application of best practices and international standards, the standardized audit software or self-developed ones can be feasibly deployed with local banks. Internal audit activity to be in transformation.As the new regulatory requirements on internal control system is coming in effect and demanding more role and involvement of the internal audit activity in the risk management framework, local banks are facing an imperative need to transform its internal audit activities into more realizable and satisfactory ones towards applying international standards and best practices. MetricStream(10) in its report on internal audit best practices quoted “gone are the days when internal audits were limited to annual assessments of operational and financial controls alone. Today’s internal auditors are expected to do more – to step out of their comfort zones and provide assurance on a range of new and emerging risks, while also delivering timely insights to guide key strategic decisions. Stakeholders are increasingly relying on internal auditors to help them navigate the choppy waters of rapidly changing regulations, large-scale data breaches, complex global business ecosystems, and geopolitical uncertainties. How internal audit responds to these expectations will determine their success, relevance, and value in the coming years.” n trÞ - Kinh nghiÖm quèc tÕ vµ thùc tr¹ng ë ViÖt Nam 13 Conclusion. For local banks, transformation might take place as an initiative or a project. It does matter how the change processes proceed, the application of international standards and best practices of the internal audit activity are strongly recommended to ensure the success, including but not limit to the following (i) risk based approach as a center of audit plans, (ii) increasing foresight and advisory role with valuable insights in risk management and control to support the management in decision making process, (iii) sharpening internal auditors’ competence and skills in line with international standards and best practices, (iv) closely managing stakeholders’ expectations, and (v) data analytics and process automation at a maximum possible extent. ------------------------------ References (1) Law on Credit Institutions No. 47/2010/QH12, effective from 1 January 2011, approved by Viet Nam National Assembly on 16 June 2010 and the Amendment Law to the Law on Credit Institutions No. 17/2017/QH17, effective from 15 January 2018, approved by Viet Nam National Assembly on 20 November 2017. (2) VCBS’s Vietnam Banking Reports of years 2011, 2016&2017, viewed at (3) Program for Credit Institutions Restructuring Period 2011-2015 (approved under Prime Minister’s Decision No. 254/QD-TTg dated on 1 March 2012) (4) Program for Credit Institutions Restructuring Combined with Bad Debt Handling Period 2016-2020 (approved under Prime Minister’s Decision No. 1058/QD-TTg dated 19 July 2017 (5) Vietnambiz (2017), Governor of State Bank of Viet Nam pointed out 11 reasons for the bad debts viewed at https://vietnambiz.vn/thong-doc-le-minh-hung-chi-ra-11-nguyen-nhan-dan-den-no-xau-23308.html (6) Circular on Regulation of Internal Control System and Internal Audit of Commercial Bank and Foreign Bank Branches No. 44/2011/TT-NHNN dated 29 December 2011. (7) Circular on Regulation of Internal Control System of Commercial Bank and Foreign Bank Branches No. 13/2018/TT-NHNN dated 18 May 2018. (8) PWC: Transforming your internal audit through data analytics, viewed at https://www.pwc.com/us/en/services/risk-assurance/advanced-risk-compliance-analytics/internal-audit- analytics.html (9) IIA Spain (2013): Internal Audit Function in Large Financial Institutions_An International Benchmarking Survey, viewed at https://www.iia.nl/SiteFiles/Financial%20institutions%20survey%20December%202013.pdf (10) MetricStream: Report on Internal Audit Best Practices, viewed athttps://www.metricstream.com/insights/bestpractices_intaudit.htm ------------------------------
File đính kèm:
- transforming_the_internal_audit_activity_an_imperative_need.pdf