• HC-10 Internal Audit

    • HC-10.1 Internal Audit

      • HC-10.1.1

        Islamic bank licensees must establish an effective and independent internal audit function (IAF).

        Added: April 2023

      • HC-10.1.2

        The Audit Committee remains ultimately responsible for the IAF regardless of whether internal audit activities are outsourced.

        Added: April 2023

      • HC-10.1.3

        The Board, Audit Committee and senior management must:

        (a) Promote a strong and robust internal control environment within the licensee;
        (b) Provide the IAF staff full and unconditional access to all files, records, data, documents, systems, properties, subsidiaries and overseas branches of the licensee;
        (c) Require that all internal audit findings and recommendations are resolved within a reasonable period of time to be set based on level and magnitude of risk;
        (d) Allocate sufficient annual budget to support the IAF’s activities and plans; and
        (e) Inform the IAF of new developments, initiatives, projects, products and operational changes.

        Added: April 2023

      • HC-10.1.4

        All Bahraini Islamic bank licensees must have an internal audit charter which must be drawn up and reviewed annually by the head of internal audit and approved by the Board or Audit Committee. It must be available to all internal stakeholders, and to external stakeholders in case of a listed bank.

        Added: April 2023

      • HC-10.1.5

        The internal audit charter must establish, at a minimum:

        (a) The IAF’s standing within the licensee, its authority, responsibilities and relations with other control functions in a manner that promotes the effectiveness of the function;
        (b) The purpose and scope of the IAF;
        (c) The obligation of the internal auditors to communicate the results of their engagements and a description of how and to whom this must be done (reporting line);
        (d) The criteria for when and how the IAF may outsource some of its engagements to external experts;
        (e) The terms and conditions according to which the IAF can be called upon to provide consulting or advisory services or to carry out other special tasks without creating a conflict with its core function;
        (f) The responsibility and accountability of the head of internal audit;
        (g) The requirement to comply with the international standard on internal audit issued by The Institute of Internal Auditors; and
        (h) Procedures for the coordination of the IAF with the external auditor.

        Added: April 2023

      • HC-10.1.6

        The IAF must:

        (a) Be independent of all functions;
        (b) Have sufficient standing and authority within the licensee;
        (c) Have sufficient skilled resources to be able to judge outcomes and make an impact at the highest level of the organization;
        (d) Be able to perform its assignments on its own initiative in all areas and functions of the licensee based on the audit plan established by the head of the IAF and approved by the audit committee;
        (e) Be free to report its findings and assessments internally;
        (f) Independently review and evaluate the effectiveness and efficiency of all functions, internal controls, risk management, internal risk and finance models, governance framework, policies, procedures, systems and processes, including the licensee’s outsourced activities and its subsidiaries (including SPVs) and local and overseas branches, and must ensure adequate coverage of matters of regulatory interest within the audit plan;
        (g) Develop an independent and informed view of the risks faced by the licensee based on its access to all licensee records and data, its enquiries and its professional competence;
        (h) Discuss its views, findings and conclusions directly with the audit committee and, if necessary, with the board of directors at their routine quarterly meetings; and
        (i) Not be involved in designing, selecting, implementing or operating specific internal control measures. However, the independence of the IAF must not prevent senior management from requesting input from the IAF on matters related to risk and internal controls. Nevertheless, the development and implementation of internal controls must remain the responsibility of management.

        Added: April 2023

      • HC-10.1.7

        Licensees must appoint a head of internal audit who shall:

        (a) Report directly to the Audit Committee and administratively to the CEO;
        (b) Demonstrate appropriate leadership and have the necessary personal characteristics and professional skills to fulfil his responsibility for maintaining the function’s independence and objectivity;
        (c) Inform senior management of all significant findings so that timely corrective actions can be taken, and subsequently, he must follow up with senior management on the outcome of those corrective measures;
        (d) Report quarterly to the Audit Committee the status of pending findings;
        (e) Arrange appropriate ongoing training for the internal audit staff to meet the growing technical complexity of the Islamic bank licensee’s activities and the increasing diversity of tasks that need to be undertaken as a result of the introduction of new products and processes and other developments in the financial sector;
        (f) Establish an annual internal audit plan approved by the audit committee. The plan must be based on a robust risk assessment, including direct or indirect input from the board, audit committee and senior management;
        (g) Develop and maintain appropriate tools to assess the quality of the IAF; and
        (h) Define, in a banking group structure, the group’s internal audit strategy, determine the organisation of the internal audit function both at the parent’s and the subsidiary’s level (in consultation with these entities’ respective audit committees and in accordance with local laws) and formulate the internal audit principles, the audit methodology and quality assurance measures. He must also determine the audit scope for every internal audit exercise, by the parent’s internal audit function, for every subsidiary on an annual basis in compliance with local regulations and incorporate local knowledge and experience.

        Added: April 2023

      • HC-10.1.8

        The head of IAF should, whenever practicable and without jeopardising competence and expertise, periodically rotate internal audit staff within the internal audit function.

        Added: April 2023

      • HC-10.1.9

        The CBB may at its own discretion communicate directly with the head of the IAF to discuss issues of material concerns related to risks, compliance and internal controls.

        Added: April 2023

      • HC-10.1.10

        Internal audit reports must be provided to the audit committee without management filtering.

        Added: April 2023

      • HC-10.1.11

        All internal audit staff must:

        (a) Apply the care and skills expected of a reasonably prudent and competent professional. Due professional care does not imply infallibility. Internal auditors having limited competence and experience in a particular area must be appropriately supervised by more experienced staff;
        (b) Avoid conflicts of interest. Internal auditors appointed from within the licensee must not engage in auditing activities for which they have had previous responsibility before a one year “cooling off” period has elapsed;
        (c) Act with integrity (being straightforward, honest and truthful);
        (d) Be diligent in the protection of information acquired in the course of their duties and must not use it for personal gain or malicious action;
        (e) Adhere to the code of ethics of the licensee, the Institute of Internal Auditors and any other relevant professional or standard setting body;
        (f) Collectively be competent to examine all areas in which the licensee operates; and
        (g) Adhere to international professional standards established by the Institute of Internal Auditors.

        Added: April 2023