HC-6.5 Internal Audit
Introduction
Added: April 2018
HC-6.5.1
Islamic bank licensees must establish and implement an effective internal audit function which provides an independent and objective assurance to the board of directors and senior management on the quality and effectiveness of a bank's internal control, risk management and governance systems and processes, to protect the bank and its reputation.
Added: April 2018
HC-6.5.2
The internal audit function must develop an independent and informed view of the risks faced by the bank based on its access to all bank records and data, its enquiries, and its professional competence. The internal audit function must discuss its views, findings and conclusions directly with the audit committee and, if necessary, with the board of directors at their routine quarterly meetings, thereby helping the board to oversee senior management.
Added: April 2018
HC-6.5.3
In this Section, all references to the board of directors may also be taken as referring to the bank's audit committee where the audit committee is mandated to carry out such functions on the board's behalf.
Added: April 2018
HC-6.5.4
For branches of foreign bank licensees, and where no local board of directors exists, all references in this Module to the board of directors should be interpreted as the Head Office/Regional Office.
Added: April 2018
HC-6.5.5
This Section applies in its entirety to all locally incorporated banks, including those within a banking group, and to holding companies whose subsidiaries are predominantly banks. While Module LR requires that all banks including branches must have an internal auditor as a controlled function in the Kingdom, only Paragraphs HC-6.5.7 to HC-6.5.23, HC-6.5.28 to HC-6.5.42 and HC-6.5.69 to HC-6.5.70 would be directly applicable to branches of foreign bank licensees in Bahrain in terms of the internal audit function located here. Branches should ensure that equivalent arrangements are in place at the parent level for other requirements in this Section and these arrangements provide for an effective internal audit function over activities conducted under the Bahrain license.
Added: April 2018
HC-6.5.6
The extent of application of this Section must be commensurate with the significance, complexity and international presence of the bank (principle of proportionality).
Added: April 2018
HC-6.5.7
The key features for the effective operation of an internal audit function are:
(a) Independence and objectivity;
(b) Professional competence and due professional care; and
(c) Professional ethics.
Added: April 2018
Independence and Objectivity
HC-6.5.8
Islamic bank licensees' internal audit function must be independent of the audited activities. This means that the internal audit is independent of all functions including compliance, risk management and financial control functions. The internal audit function must also have sufficient standing and authority within the bank and must operate according to sound principles.
Added: April 2018
HC-6.5.9
The internal audit function must report directly to the audit committee and administratively to the CEO, thereby providing a framework for internal auditors to carry out their assignments with objectivity.
Added: April 2018
HC-6.5.10
The internal audit function must be able to perform its assignments on its own initiative in all areas and functions of the bank based on the audit plan established by the head of the internal audit function and approved by the board of directors or audit committee. It must be free to report its findings and assessments internally through clear reporting lines. The head of internal audit must demonstrate appropriate leadership and have the necessary personal characteristics and professional skills to fulfill his or her responsibility for maintaining the function's independence and objectivity.
Added: April 2018
HC-6.5.11
The internal audit function must not be involved in designing, selecting, implementing or operating specific internal control measures. However, the independence of the internal audit function must not prevent senior management from requesting input from internal audit on matters related to risk and internal controls. Nevertheless, the development and implementation of internal controls must remain the responsibility of management.
Added: April 2018
HC-6.5.12
Islamic bank licensees should, whenever practicable and without jeopardising competence and expertise, periodically rotate internal audit staff within the internal audit function.
Added: April 2018
Professional Competence and Due Professional Care
HC-6.5.13
The head of internal audit must have the responsibility for acquiring human resources with sufficient qualifications and skills to effectively deliver on the mandate for professional competence and to audit to the required level. He/she must continually assess and monitor the skills necessary to do so. The skills required for senior internal auditors must include the abilities to judge outcomes and make an impact at the highest level of the organisation.
Added: April 2018
HC-6.5.14
For purposes of Paragraph HC-6.5.13, professional competence depends on the auditor's capacity to collect and understand information, to examine and evaluate audit evidence and to communicate with the stakeholders of the internal audit function.
Added: April 2018
HC-6.5.15
The head of internal audit must ensure that internal audit staff acquire appropriate ongoing training in order to meet the growing technical complexity of the Islamic Bank licensee's activities and the increasing diversity of tasks that need to be undertaken as a result of the introduction of new products and processes within the Islamic Bank licensee and other developments in the financial sector.
Added: April 2018
HC-6.5.16
The internal audit function collectively must be competent to examine all areas in which the bank operates. When internal audit is outsourced, the head of internal audit/coordinator must ensure that the use of those experts does not compromise the independence and objectivity of the internal audit function.
Added: April 2018
HC-6.5.17
For purposes of Paragraph HC-6.5.16, the coordinator must be an approved person within the Islamic Bank licensee.
Added: April 2018
HC-6.5.18
The head of internal audit/coordinator should ensure that, whenever practical, the relevant knowledge input from an expert is assimilated into the organisation. This may be possible by having one or more members of the bank's internal audit staff participate in the external expert's work.
Added: April 2018
HC-6.5.19
Internal auditors must apply the care and skills expected of a reasonably prudent and competent professional. Due professional care does not imply infallibility; however, internal auditors having limited competence and experience in a particular area must be appropriately supervised by more experienced internal auditors.
Added: April 2018
Professional Ethics
HC-6.5.20
Internal auditors must act with integrity. Integrity includes being straightforward, honest and truthful.
Added: April 2018
HC-6.5.21
Internal auditors must respect the confidentiality of information acquired in the course of their duties. They must not use that information (particularly 'confidential information' as defined in Article 116 of the CBB Law) for personal gain or malicious action and must be diligent in the protection of information acquired.
Added: April 2018
HC-6.5.22
The head of the internal audit function and all internal auditors must avoid conflicts of interest (see Section HC-2.3). Internally recruited internal auditors must not engage in auditing activities for which they have had previous responsibility before a one year "cooling off" period has elapsed.
Added: April 2018
HC-6.5.23
Internal auditors must adhere to the code of ethics of both the bank and The Institute of Internal Auditors (see Section HC-2.2).
Added: April 2018
Internal Audit Charter
HC-6.5.24
All Bahraini Islamic bank licensees must have an internal audit charter that articulates the purpose, standing and authority of the internal audit function within the bank in a manner that promotes an effective internal audit function as described in Paragraph HC-6.5.1.
Added: April 2018
HC-6.5.25
The charter must be drawn up and reviewed annually by the head of internal audit and approved by the board of directors or audit committee. It must be available to all internal stakeholders and, in certain circumstances, such as listed entities, to external stakeholders.
Added: April 2018
HC-6.5.26
At a minimum, the internal audit charter must establish:
(a) The internal audit function's standing within the bank, its authority, its responsibilities and its relations with other control functions in a manner that promotes the effectiveness of the function as described in Paragraphs HC-6.5.1 and HC-6.5.2;
(b) The purpose and scope of the internal audit function;
(d) The obligation of the internal auditors to communicate the results of their engagements and a description of how and to whom this must be done (reporting line);
(e) The criteria for when and how the internal audit function may outsource some of its engagements to external experts;
(f) The terms and conditions according to which the internal audit function can be called upon to provide consulting or advisory services or to carry out other special tasks;
(g) The responsibility and accountability of the head of internal audit;
(h) A requirement to comply with sound internal auditing standards; and
(i) Procedures for the coordination of the internal audit function with the external auditor.
Added: April 2018
HC-6.5.27
The charter must empower the internal audit function, whenever relevant to the performance of its assignments and discharge of its duties, to initiate direct communication with any member of staff, to examine any activity or entity of the bank, and to have full and unconditional access to any records, files, data and physical properties of the bank. This includes access to management information systems and records and the minutes of board and sub-board committee meetings and all consultative and decision-making committees.
Added: April 2018
Scope of Activity
HC-6.5.28
The scope of internal audit activities must include the examination and evaluation of the effectiveness of the internal control, risk management and governance systems and processes of the entire bank, including the bank's outsourced activities and its subsidiaries (including SPVs) and branches.
Added: April 2018
HC-6.5.29
The internal audit function must independently evaluate the:
(a) Effectiveness and efficiency of internal control, risk management and governance systems and processes created by the business units and support functions in the context of both current and potential or actual emerging risks and provide assurance on these systems and processes;
(b) Reliability, effectiveness and integrity of management information systems and processes (including relevance, accuracy, completeness, availability, confidentiality and comprehensiveness of data);
(c) Monitoring of compliance with laws and regulations, including any requirements from the CBB; and
(d) Safeguarding of assets.
Added: April 2018
HC-6.5.30
The head of internal audit must establish, prior to year-end, an annual internal audit plan. It must be based on a robust risk assessment (including direct or indirect input from senior management and the board).
Added: April 2018
HC-6.5.31
The audit committee's approval of the audit plan also requires that an appropriate budget will be available to support the internal audit function's activities.
Added: April 2018
HC-6.5.32
The scope of the internal audit function's activities must ensure adequate coverage of matters of regulatory interest within the audit plan.
Added: April 2018
Risk Management
HC-6.5.33
Internal audit must include in its scope the following aspects of risk management:
(a) The organisation and mandates of the risk management function including market, credit, liquidity, interest rate and operational risks;
(b) Evaluation of risk appetite, escalation and reporting of issues and decisions taken by the risk management function;
(c) The adequacy of risk management systems and processes for identifying, measuring, assessing, controlling, responding to, and reporting on all the risks resulting from the bank's activities;
(d) The integrity of the risk management information systems, including the accuracy, reliability and completeness of the data used;
(e) The approval and maintenance of risk models including verification of the consistency, timeliness, independence and reliability of data sources used in such models;
(f) Information technology and information security;
(g) The bank's system for identifying and measuring its regulatory capital and assessing the adequacy of its capital resources in relation to the bank's risk exposures and established minimum ratios; and
(h) The review of management's process for stress testing its capital levels, taking into account the frequency of such exercises, their purpose (e.g., internal monitoring vs. regulator imposed), the reasonableness of scenarios and the underlying assumptions employed, and the reliability of the processes used.
Added: April 2018
HC-6.5.34
When the risk management function has not informed the board of directors about the existence of a significant divergence of views between senior management and the risk management function regarding the level of risk faced by the bank, the head of internal audit must inform the audit committee about this divergence.
Added: April 2018
Capital Adequacy and Liquidity
HC-6.5.35
The internal audit must review the bank's system for identifying and measuring its regulatory capital and assessing the adequacy of its capital resources in relation to the bank's risk exposures and established minimum ratios.
Added: April 2018
HC-6.5.36
Internal audit must review management's process for stress testing its capital levels.
Added: April 2018
HC-6.5.37
Internal audit must review the effectiveness of the bank's systems and processes for measuring and monitoring its liquidity positions in relation to its risk profile, external environment, and minimum regulatory requirements including the requirement set out in Paragraph CA-1.3.4.
Added: April 2018
Regulatory and Internal Reporting
HC-6.5.38
The internal audit function must regularly evaluate the effectiveness of the process by which the risk and reporting functions interact to produce timely, accurate, reliable and relevant reports for both internal management and the CBB. Such reports include, but are not limited to, the PIR and public disclosure requirements included in the CBB Rulebook, Module PD.
Added: April 2018
Compliance
HC-6.5.39
The internal audit function must periodically review the scope of the activities of the compliance function using the risk-based approach. The audit of the compliance function must include an assessment of how effectively it fulfils its responsibilities.
Added: April 2018
Finance
HC-6.5.40
The internal audit function must periodically review the controls over the bank's finance function using the risk-based approach.
Added: April 2018
HC-6.5.41
The internal audit function must devote sufficient resources to evaluate the valuation control environment, availability and reliability of information or evidence used in the valuation process and the reliability of estimated fair values. This is achieved through reviewing the independent price verification processes and testing valuations of significant transactions.
Added: April 2018
HC-6.5.42
The internal audit function must, as a minimum, also include the following aspects in its scope:
(a) The organisation and mandate of the finance function;
(b) The adequacy and integrity of underlying financial data and finance systems and processes for completely identifying, capturing, measuring and reporting key data such as profit or loss, valuations of financial instruments and impairment allowances;
(c) The approval and maintenance of pricing models including verification of the consistency, timeliness, independence and reliability of data sources used in such models;
(d) Controls in place to prevent and detect trading irregularities; and
(e) Balance sheet controls including key reconciliations performed and actions taken (e.g. adjustments).
Added: April 2018
Permanency of the Internal Audit Function
HC-6.5.43
The internal audit function must be structured consistent with Paragraphs HC-6.5.61 to HC-6.5.65. Senior management and the board must ensure that the internal audit function is permanent and commensurate with the size, the nature and complexity of the bank's operations.
Added: April 2018
HC-6.5.44
Where the head of internal audit function ceases to act in this capacity, the CBB will meet with him/her to discuss the reasons.
Added: April 2018
Responsibilities of the Board of Directors and Senior Management
HC-6.5.45
Islamic bank licensees' board of directors must ensure that senior management establishes and maintains an adequate, effective and efficient internal control system (see HC-1.2.3(c)) and accordingly, the board must support the internal audit function in discharging its duties effectively.
Added: April 2018
HC-6.5.46
The board of directors must review at least annually, the effectiveness and efficiency of the internal control system based, in part, on information provided by the internal audit function (see HC-1.2.10).
Added: April 2018
HC-6.5.47
The board of directors, its audit committee and senior management must promote a strong internal control environment supported and assessed by a sound internal audit function.
Added: April 2018
HC-6.5.48
As part of their oversight responsibilities, the audit committee must review the performance of the internal audit function.
Added: April 2018
HC-6.5.49
Every five years, the audit committee must commission an independent external quality assurance review of the internal audit function.
Added: April 2018
HC-6.5.50
Senior management must inform the internal audit function of new developments, initiatives, projects, products and operational changes.
Added: April 2018
HC-6.5.51
Senior management must ensure that all internal audit findings and recommendations are resolved within six months for high risk/critical issues and 12 months for any other issues from the issue date of the subject internal audit report.
Added: April 2018
HC-6.5.52
Senior management must ensure that the head of internal audit has the necessary resources, financial and otherwise, available to carry out his or her duties commensurate with the annual internal audit plan, scope and budget approved by the audit committee.
Added: April 2018
Responsibilities of the Audit Committee in relation to the Internal Audit Function
HC-6.5.53
The audit committee must oversee the bank's internal audit function (see also Paragraph HC-3.2.3).
Added: April 2018
HC-6.5.54
The bank's audit committee and the internal audit function must develop and maintain their own tools to assess the quality of the internal audit function.
Added: April 2018
HC-6.5.55
The audit committee must ensure that the internal audit function is able to discharge its responsibilities in an independent manner, consistent with Paragraph HC-6.5.8. It must review and approve the audit plan, its scope, and the budget of the internal audit function. It must also review audit reports and ensure that senior management is taking necessary and timely corrective actions to address control weaknesses, compliance issues with policies, laws and regulations, and other concerns identified and reported by the internal audit function.
Added: April 2018
Management of the Internal Audit Function
HC-6.5.56
The head of the internal audit function must ensure that the function complies with The Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing.
Added: April 2018
HC-6.5.57
The audit committee must ensure that the head of the internal audit function is a person of integrity. This means that he or she will be able to perform his or her work with honesty, diligence and responsibility. It also implies that this person observes the law and has not been a party to any illegal activity. The head of internal audit must also ensure that the members of internal audit staff are persons of integrity.
Added: April 2018
Reporting Lines of the Internal Audit Function
HC-6.5.58
The internal audit function must be accountable to the audit committee, on all matters related to the performance of its mandate as described in the internal audit charter. It must also promptly inform the CEO and other related Heads of Functions about its findings.
Added: April 2018
HC-6.5.59
The internal audit function must inform senior management of all significant findings so that timely corrective actions can be taken. Subsequently, the internal audit function must follow up with senior management on the outcome of these corrective measures. The head of the internal audit function must quarterly report to the audit committee, the status of pending findings.
Added: April 2018
The Relationship between the Internal Audit, Compliance and Risk Management Functions
HC-6.5.60
The relationship between a bank's business units, the support functions and the internal audit function can be explained using the three lines of defence model. The business units are the first line of defence. They undertake the management of risks within assigned limits of risk exposure and are responsible and accountable for identifying, assessing and controlling the risks of their business. The second line of defence includes the support functions, such as risk management, compliance, legal, human resources, finance, operations, and technology. Each of these functions, in close relationship with the business units, ensures that risks in the business units have been appropriately identified and managed. The business support functions work closely to help define strategy, implement bank policies and procedures, and collect information to create a bank-wide view of risks. The third line of defence is the internal audit function that independently assesses the effectiveness of the controls over the processes created in the first and second lines of defence and provides assurance on these processes. The responsibility for internal control does not transfer from one line of defence to the next line.
Added: April 2018
Internal Audit within a Group or Holding Company Structure
HC-6.5.61
The internal auditors who perform the internal audit work at the bank must report to the bank's audit committee, or its equivalent, and to the group or holding company's head of internal audit.
Added: April 2018
HC-6.5.62
To facilitate a consistent approach to internal audit across all the banks within a banking organisation, the board of directors of each bank within a banking group or holding company structure should ensure that either:
(a) The bank has its own internal audit function, which should be accountable to the bank's board and should report to the banking group or holding company's head of internal audit; or
(b) The banking group or holding company's internal audit function performs internal audit activities of sufficient scope at the bank to enable the board to satisfy its fiduciary and legal responsibilities.
Added: April 2018
HC-6.5.63
The board of directors and senior management of the parent bank in a banking group must ensure that an adequate and effective internal audit function is established across the banking organisation and must ensure that internal audit policies and practices are appropriate to the structure, business activities and risks of all of the components of the group or holding company.
Added: April 2018
HC-6.5.64
The head of internal audit at the level of the parent bank must define the group or holding company's internal audit strategy, determine the organisation of the internal audit function both at the parent and subsidiary bank levels (in consultation with these entities' respective audit committees and in accordance with local laws) and formulate the internal audit principles, which include the audit methodology and quality assurance measures.
Added: April 2018
HC-6.5.65
The group or holding company's internal audit function must determine the audit scope for the banking organisation. In doing so, it must comply with local legal and regulatory provisions and incorporate local knowledge and experience.
Added: April 2018
Outsourcing of Internal Audit Activities
HC-6.5.66
Regardless of whether internal audit activities are outsourced, the board of directors remains ultimately responsible for the internal audit function.
Added: April 2018
HC-6.5.67
The head of internal audit/coordinator must maintain adequate oversight and ensure that any outsourcing providers comply with the principles of the bank's internal audit charter.
Added: April 2018
HC-6.5.68
To preserve independence, the head of internal audit/coordinator must ensure that the outsourcing provider has not been previously engaged in a consulting engagement in the same area within the bank unless a one year "cooling-off" period has elapsed. Subsequently, those experts who participated in an internal audit engagement must not provide consulting services to a function of the bank they have audited within the previous 12 months. Additionally, banks must not outsource internal audit activities to their own external audit firm (see OM-3).
Added: April 2018
Communication between the CBB and the Internal Audit Function
HC-6.5.69
The bank's internal auditor must have formal regular communication with the CBB to (i) discuss the risk areas identified, (ii) understand the risk mitigation measures taken by the bank, and (iii) monitor the bank's response to weaknesses identified.
Added: April 2018
HC-6.5.70
At least two weeks prior to the prudential meeting date, all internal audit reports issued since the last prudential meeting must be submitted to the CBB supervisory point of contact.
Added: April 2018