Transforming the internal audit activity: An imperative need for local banks in Viet Nam

owned banks, and (v) State Bank of Viet Nam’s weak 
inspection functiondid not meet the development of credit institutions in the new period, 
together with inspectors’ limited competence and violation of law for some cases. 
Limitations of the internal audit activity and its challenges. Along with the 
restructuring of credit institutions, Sate Bank of Viet Nam took a step by step to create 
comprehensive requirements for internal control framework and placed the internal audit 
activity as a third line of defense together with first line and second line operating and 
n trÞ - Kinh nghiÖm quèc tÕ vµ thùc tr¹ng ë ViÖt Nam 
 10 
monitoring internal control systems as required in the circular no. 44(6) and circular no. 13(7) 
which is to replace the circular no. 44 from 1 January 2019. 
The internal audit activity was regulated and provided a good corridor to perform. 
However, in practice, the internal audit activity faces with many challenges and limitations 
influencing its performance. From practical points of view, the author concerns limitations 
faced by a local bank’s internal audit activity in the following aspects. 
Positioning. Internal audit and internal control are normally misunderstood and used 
in exchange for each other. A big number of staff, evenly managers at a high level do not 
understand clearlyof the internal audit’s role. For a long time, the internal audit activity was 
considered a must have unit according to law but added little value to organization as its main 
focus was on checking the mistakes and compliance of transactions including credits or 
transfers. It was a common practice that internal audit’s findings and recommendations were 
not paid much attention bythe management and they did not care of correction measures by 
issue owners as it went mainly with old compliance issues. Along with more comprehensive 
regulations on internal audit and internal control system, the internal audit activity is required 
to take a more proactive role in risk management and assurance. It becomes a helping hand 
for BOS, BOD, CEO to undertake their oversight responsibilities over the operation of 
internal control systems and regulatory compliance. Position of the internal audit activity is 
dependent on how it wants to transform towards assurance and advisory roles and level of its 
involvement in the organization risk management process. 
Organization structure.It depends on each bank, organization of the internal audit 
activity varies. However, a typical structure would be called a department or a center. It 
groups auditors into several teams aligned with geographic locations or divisions and support 
functions. It is also centralized for decentralized. This structure tends to create a specialized 
team for each activity such as retail banking, wholesale banking, or support functions. The 
question might be raised herewith whether the internal audit’s organization is aligned with 
bank’s strategies and help it in achievement of objectives in the most efficient and effective 
ways. As audit team assignments are the center point in delivering annual audit plan, creating 
many control layers between the teams and chief audit officer is not necessary as it could 
slower down information flow. The flat or matrix organizations are more preferable. This 
view is supportive by the requirements at Circular no. 13 that BOSapproves internal audit 
report before sending to BOD and management. In addition, Circular no. 13 specifies risks 
that banks have to manage and controls to manage such risks. In practice, one type of risk 
might occur at several locations and one control might help to manage several types of risks. 
It creates a matrix of risks and controls. In consequence, the challenge here is to answer the 
question: how well risks are managed butnot whether controls works well. Therefore, the 
internal audit activity is also in question of how to structure itself to best fit to changes in risk 
management framework required by SBV and assure on the design and operation of internal 
control systems. 
Audit methodology.As a common practice, the internal audit activity mainly 
concentrates on checking and detecting compliance issues and violations of internal 
regulations or laws, it is likely seen as “a policeman” who tracks and makes conclusion of 
n trÞ - Kinh nghiÖm quèc tÕ vµ thùc tr¹ng ë ViÖt Nam 
 11 
what go wrong and who are responsible. The audit approach, therefore, is likely a 
compliance-based approach. While foreign banks and foreign bank branches are familiar with 
the risk-based audit approach, the approach is still not popular with local banks due to its 
limited position, audit staff competence and infant risk management framework implemented 
by banks. The audit method consists of two parts: (i) annual audit plan approved by BOS and 
sent to Sate Bank for report before the start of the next fiscal year. The audit universe consists 
of list of branches, products or units which have not been checked for a period of three year to 
the date of audit start in the plan and branches intuitively considered as a high priority. It 
depends on audit resources but mandatory audits are normally accounted for at least two third 
of total planned audits. The credit risk is the main focus, other risks (market, liquidity, 
operational risks) are still paid by less or little attention; (ii) individual audits are normally 
planned before field visits a weeks, team leaders are rotated among specialized team 
members. The sample size is selected depended on number of team members or size of 
population. As credit operation is a key risk and dominate in branches’ income, the selected 
sample emphasizes significantly on credit files. Auditors checks along with credit process 
(loan origination, appraisal, approval, documentation, disbursement and monitoring) if any 
violations or lack of support documents in the files; the report summarizes findings and 
presents detail of discovered violations, persons responsible and then send to the auditee for 
comment and sign off. Then report sent to the auditee for correction and their supervisors for 
information and follow up. The reports to senior management are usually made on a quarter 
basis on upon their requests; (iii) the audit follow up is normally handled by the internal audit 
itself. The limitation of the audit methodology is that it use traditional compliance approach 
and lack of a foresight anticipation that add value to the auditee in risk management and 
controls. The risk-based audit approach and best practices in audit are not popular with local 
banks. Along with the new regulatory requirements on internal control system and risk 
management framework, the internal audit activity should reengineer its methodology 
applying best practices and international standards for its success. 
Auditors’ competence and compensation. Internal auditors’ competence is the key 
issue faced by local banks in Viet Nam. Auditors in banks are not required to be a certified 
professional. The Circular 13 requires those who act as banks’ auditors having at least 
bachelor degree in economics, business administration, law, auditing and accounting, and 
information technology for IT auditors, and a minimum 2 years of work experience in a bank. 
The concept of a risk-based audit approach is still unfamiliar with many auditors and banks’ 
executives. It is not easy to find a professional who have experience or expertise of internal 
audit best practices or international standards in Viet Nam job market at present. As its 
positioning, the internal audit activity is classified as a back office function. Its reward and 
compensation policy are still under management’s decision and lower than middle or front 
offices. The situation prevents internal audit from recruiting the best talents. Although the 
Amendment Law on Credit Institutions allows BOS to decide the recruitment of internal 
auditors and their compensation, it might take time and strong effort from BOS to bring the 
requirement into practice as it is a change in mindset of top leaders and 
management.Therefore, BOS plays a key role to promote the transformation of the Internal 
audit activity. 
n trÞ - Kinh nghiÖm quèc tÕ vµ thùc tr¹ng ë ViÖt Nam 
 12 
Data analytics.According to PWC(8), internal audit continues to search for 
opportunities to provide deeper insights and value across the organization to address rising 
pressure from stakeholders, increased regulations, and a dynamic business landscape. To that 
end, 82% of internal audit functions surveyed in PwC’s 2017 State of the Internal Audit 
Profession Study have increased their investment in data mining and data analytics to 
facilitate monitoring of key trends and support continuous auditing. However, many functions 
are finding their analytics programs stalled and in need of a jumpstart. 
Data analytics becomes more and more important for any business in today times. 
Data analytics might be risk-focused or performance-focused and expected to (i) identify 
additional risks, (ii) better understand of existing risks, (iii) provide more assurance coverage 
and (iv) extract and come-out with insights to support management’s decision making 
process. The data analytics level applied for banks depends much on the skill level of staff 
and maturity of the internal audit activity.As internal audit activities for Viet Nam banks are 
in initial stages of development, the skills and methods for data analytics are still not available 
at a large extent. Therefore, it becomes a big challenge for internal audit function to develop 
the competence along with its transformation process. 
Process automation. In fact, internal audit resources are never sufficient to cover an 
absolute assurance on all activities, even a reasonable assurance as banks try to control 
operating budget during difficult periods and concern of cost-benefits that the internal audit 
activity could deliver. According to a survey made by IIA(9), the average ratio of the IA staff 
to total employees in eleven large financial institutions is 0.67% with a range from 0.35% to 
1.32%. In reality, an internal audit function must exist but it could not grow its size in parallel 
with organization’s growth as budget concerns. Therefore, the best solution to gain 
productivityis by increasing the level of automation of audit processes and reports. The 
automated controls in audit processes will also increase the accountability and communication 
practices between auditors and stakeholders. In Viet Nam, although some local banks are 
looking for audit process automation, most of audit tasks are still done manually. Once the 
internal audit function becomes more mature and its application of best practices and 
international standards, the standardized audit software or self-developed ones can be feasibly 
deployed with local banks. 
Internal audit activity to be in transformation.As the new regulatory requirements on 
internal control system is coming in effect and demanding more role and involvement of the 
internal audit activity in the risk management framework, local banks are facing an imperative 
need to transform its internal audit activities into more realizable and satisfactory ones 
towards applying international standards and best practices. MetricStream(10) in its report on 
internal audit best practices quoted “gone are the days when internal audits were limited to 
annual assessments of operational and financial controls alone. Today’s internal auditors are 
expected to do more – to step out of their comfort zones and provide assurance on a range of 
new and emerging risks, while also delivering timely insights to guide key strategic decisions. 
Stakeholders are increasingly relying on internal auditors to help them navigate the choppy 
waters of rapidly changing regulations, large-scale data breaches, complex global business 
ecosystems, and geopolitical uncertainties. How internal audit responds to these expectations 
will determine their success, relevance, and value in the coming years.” 
n trÞ - Kinh nghiÖm quèc tÕ vµ thùc tr¹ng ë ViÖt Nam 
 13 
Conclusion. For local banks, transformation might take place as an initiative or a 
project. It does matter how the change processes proceed, the application of international 
standards and best practices of the internal audit activity are strongly recommended to ensure 
the success, including but not limit to the following (i) risk based approach as a center of audit 
plans, (ii) increasing foresight and advisory role with valuable insights in risk management 
and control to support the management in decision making process, (iii) sharpening internal 
auditors’ competence and skills in line with international standards and best practices, (iv) 
closely managing stakeholders’ expectations, and (v) data analytics and process automation at 
a maximum possible extent. 
------------------------------ 
References 
(1) Law on Credit Institutions No. 47/2010/QH12, effective from 1 January 2011, approved by Viet Nam 
National Assembly on 16 June 2010 and the Amendment Law to the Law on Credit Institutions No. 
17/2017/QH17, effective from 15 January 2018, approved by Viet Nam National Assembly on 20 November 
2017. 
(2) VCBS’s Vietnam Banking Reports of years 2011, 2016&2017, viewed at  
(3) Program for Credit Institutions Restructuring Period 2011-2015 (approved under Prime Minister’s 
Decision No. 254/QD-TTg dated on 1 March 2012) 
(4) Program for Credit Institutions Restructuring Combined with Bad Debt Handling Period 2016-2020 
(approved under Prime Minister’s Decision No. 1058/QD-TTg dated 19 July 2017 
(5) Vietnambiz (2017), Governor of State Bank of Viet Nam pointed out 11 reasons for the bad debts viewed at 
https://vietnambiz.vn/thong-doc-le-minh-hung-chi-ra-11-nguyen-nhan-dan-den-no-xau-23308.html 
(6) Circular on Regulation of Internal Control System and Internal Audit of Commercial Bank and Foreign 
Bank Branches No. 44/2011/TT-NHNN dated 29 December 2011. 
(7) Circular on Regulation of Internal Control System of Commercial Bank and Foreign Bank Branches No. 
13/2018/TT-NHNN dated 18 May 2018. 
(8) PWC: Transforming your internal audit through data analytics, viewed at 
https://www.pwc.com/us/en/services/risk-assurance/advanced-risk-compliance-analytics/internal-audit-
analytics.html 
(9) IIA Spain (2013): Internal Audit Function in Large Financial Institutions_An International Benchmarking 
Survey, viewed at https://www.iia.nl/SiteFiles/Financial%20institutions%20survey%20December%202013.pdf 
(10) MetricStream: Report on Internal Audit Best Practices, viewed 
athttps://www.metricstream.com/insights/bestpractices_intaudit.htm 
------------------------------