Chương 3 Thông tư 44/2011/TT-NHNN: Kiểm toán nội bộ

Chapter III

INTERNAL AUDIT

Section 1: GENERAL PROVISIONS

Article 8. Objectives and fundamental functions of the internal audit

1. To operate for the safety, efficiency of the credit institution, foreign bank's branch.

2. To check, give independent assessment on the sufficiency, conformity, effectiveness and efficiency of the internal control system for improving and perfecting the internal control system. For the purpose of this objective, the unit performing internal audit is encouranged to consult and participate in the establishment, improvement and completion of the internal control system, providing that the principle of independence and objectiveness as prescribed in this Circular shall not be violated.

3. To identify and prevent any illegal act; improving the effectiveness of the management, administration and operation of the credit institution, foreign bank's branch.

4. To ensure the security of information and continuous operation of the operational information system.

5. To give recommendation in order to improve the efficiency of the systems, processes, regulations, helping to ensure the operation of the credit institution, foreign bank's branch is safe, effective and conformable to the laws.

Article 9. Fundamental principles of internal audit

1. Independence: the organization and operation of internal audit shall be independent from other units, management, operational divisions of the credit institution, foreign bank's branch; the internal auditor shall not be allowed to assume works that are subjects of internal audit; the credit institution is required to ensure that the internal audit shall not be hindered by any intervention in performing the reporting and assessment.

2. Objectiveness: the internal audit division, internal auditor shall be required to ensure the objectiveness, truthfulness, justice and unbias.

3. Professionality: internal auditor must be a person who has essential knowledge, qualification and skill in internal audit, does not concurrently assume other specialized positions or works of the credit institution, foreign bank's branch; the internal auditor should have adequate knowledge to identify signals of fraudulence, knowledge about risk in banking activity and measures of controlling information technology to perform the assigned works. The internal audit division shall have at least 01 auditor who is qualified and skilled to control key information technology and high-tech audits.

Article 10. Requirements for ensuring the fundamental principles of internal audit

1. An internal auditor must be equitable, unbiased and try to avoid any conflict of interests. An internal auditor shall be entitled and obliged to report any problem that is potential to affect his independence and objectiveness relating to the internal audit that is delegated by the head of the internal audit mechanism (hereinafter called the Chief of Internal Audit).

2. The Chief of Internal Audit shall thoroughly grasp, monitor and ensure the independence and objectiveness of the internal auditors. In case where the independence or objectiveness is or may be affected, the Chief of Internal Audit shall notify the Controllers’ Committee.

3. In the internal audit activity, the credit institution, foreign bank's branch shall implement following regulations so as to ensure the independence and objectiveness, to avoid the unfairness, bias and conflict of interests:

a) An internal auditor shall not audit any regulation, internal policy, procedure or process of which the auditor takes the main responsibility in the establishment;

b) The internal auditor has no conflict of interest with the audited unit, division; the internal auditor shall not audit the unit, division of which the manager is a related person of the internal auditor;

c) The internal auditor shall not participate in the audit of the operation, of which the auditor is in charge, or division, which is managed by the auditor in a period of 03 years since the decision that the auditor stops performing the operation or managing the division.

d) To have measures of checking to ensure the independence and objectiveness of the internal audit task immediately during the audit process at the audited unit, division and in the period of preparation, delivery of audit report;

e) Audit recognitions in the internal audit report shall be carefully analysed and based on the collected data, information for the purpose of objectiveness;

g) Result of the function performance of the Chief of Internal Audit shall be checked, reviewed and assessed by the Controllers’ Committee on a regular basis.

h. The internal audit shall be required to preserve the independence and objectiveness in auditing operations, procedures or divisions to which the internal audit provided consultancy previously. In this case, the internal audit shall be entitled and obliged to fully analyse and assess procedures, processes and internal control system. Responsibility for the operations, processes or divisions to which the internal audit provided consultancy previously shall still belong to the leader of the audited unit, division.

4. Credit institutions, foreign bank's branches shall be required to comply with provisions in Paragraph 3 Article 9 and Article 13 of this Circular in order to ensure the speciality of internal audit.

Article 11. Ensuring the quality of the internal audit activity

1. The credit institution, foreign bank's branch shall have a process of following up and assessing the quality of the internal audit activity. The credit institution, foreign bank's branch shall be required to carry out internal assessment to the activity of the internal audit so as to ensure the quality of the internal audit.

Internal assessment to the internal audit activity means the self-assessment of the internal audit activity at the end of the audit and the annual self-assessment to the overall internal audit activity that is performed by the very internal audit division so as to ensure the quality of the internal audit activity.

2. The annual internal audit assessment result shall be reported to the Controllers' Committee and recognized in the annual internal audit report.

Section 2: ORGANIZATION AND OPERATION OF INTERNAL AUDIT

Article 12. Organization of the internal audit

1. The internal audit of a credit institution (except for the case as stipulated in Paragraph 2 of this Article) shall be organized in a uniform and vertical system, or organized as an internal audit division at the head office, depending on the scale, level, scope and operation features of the credit institution. Internal audit shall be under the direct management of and be subject to the direction of the Controllers' Committee.

2. For a People’s credit fund that only has 01 specialized controller but not a Controllers’ Committee, the internal audit of the People’s credit fund shall be performed by the specialized controller.

3. Basing on the scale, level and operation feature of the credit institution and upon the proposal of the Controllers' Committee, the Board of Directors, Board of Members shall decide the organization of the internal audit apparatus, the regime on salary, bonus, responsibility allowances applicable to internal auditors, Chief and Deputy Chief of the internal audit.

4. The internal audit division of a foreign bank's branch may be assumed by the internal audit division of the head office or regional head office, providing that it is conformable to provisions in Paragraph 1 Article 89 of the Law on Credit institutions.

Article 13. Standards for internal auditors, Chief and Deputy Chief of internal audit

1. An internal auditor shall be required to fully satisfy the following standards:

a) To have honest character, consciousness of compliance with applicable laws;

b) To have general knowledge, understanding about the laws, business administration and banking operations;

c) To have bachelor degree or higher in appropriate speciality, to have adequate knowledge and regularly be updated with areas they are assigned to perform internal audit; for a people's credit fund, the internal auditor shall be required to have qualification of college level in appropriate speciality;

d) To be capable of collecting, analyzing, assessing and synthesizing information;

dd) To have knowledge and skills of the internal audit;

e) To have experience of working in financial, banking area or working in audit for at least 03 years; the internal auditor of a people's credit fund have have experience of working in financial, banking area or working in audit for at least 01 year;

g) To comply with rules on professional virtue as provided for in Article 22 of this Circular;

h) Other standards as provided for by the credit institution.

2. For an information technology auditor, in addition to standards as prescribed in Paragraph 1 of this Article, he must have experience of working in information technology for at least 03 years.

3. Besides standards as stated in points a, b, d, dd, g and h Paragraph 1 of this Article, the Chief and Deputy Chief of the internal audit shall, at least, have bachelor degree in banking, finance, accounting, auditing and have experience of working in financial, banking area for at least 05 years. For a people's credit fund, the Chief of internal audit shall, at least, have qualification of college level in banking, finance, accounting, auditing and have experience of working in financial, banking area for at least 02 years.

Article 14. Appointment, dismissal of titles of internal audit

1. Chief of the internal audit shall be appointed, dismissed by the Board of Directors, Board of Members of the credit institution upon request of the Head of the Controllers' Committee; or appointed, dismissed by a Competent person of the parent bank for a foreign bank’s branch.

2. The Deputy Chief of Internal Audit and other titles of the internal audit shall be appointed, dismissed by the Board of Directors, Board of Members upon request of the Chief of Controllers’ Committee on the basis of the recommendation of the Chief of Internal Audit; or appointed, dismissed by the General Director (Director) of the foreign bank’s branch.

Article 15. Scope of internal audit

Scope of internal audit activity shall include:

1. Auditing all activities, professional processes and units, departments of the credit institution, foreign bank's branch;

2. Unexpeced auditing and providing advices upon the request of the Board of Directors, Board of Members, Controllers' Committee, General Director (Director).

Article 16. Contents of the internal audit

1. Main contents of the internal audit activity shall be to assess the adequacy, effectiveness and efficiency of the internal control system.

2. Depending on the scale, level of risks as well as specific requirements of each credit institution, the internal auditors may check, assess the following contents:

a. The level of adequacy, the effectiveness and efficiency of the internal control system.

b. The application, the effectiveness and efficiency of the implementation of risk management policies and processes of the credit institution, including the processes which are implemented via the information technology system.

c. The adequacy, accuracy and security of the management information system and the financial information system, including the electronic information system and electronic banking service.

d. The adequacy, timeliness, truthfulness, reasonableness and accuracy of the accounting system and financial statements.

dd. The compliance with provisions of laws, regulations on prudential ratios in activities of the credit institution, foreign bank’s branch, internal provisions, professional operation processes, rules, professional virtue rules.

e. Internal regimes, policies, processes, regualtions, organizational structure of the credit institution, foreign bank’s branch.

g. Measures for ensuring the assets’ security; giving recommendations in order to improve the efficiency of systems, processes, regulations, helping to ensure the operation of the credit institution, foreign bank’s branch is safe, efficient and conformable with laws;

h. To assess the economicality and efficiency of the activities, the economicality and efficiency of the use of resources, through which the appropriateness level between the achieved results and proposed objectives shall be determined.

i. To perform other contents relating to the functions, duties of the internal auditor upon request of the Controllers' Committee, the Board of Directors, Board of Members;

k. In addition to provisions as stipulated in points a, b, c, d, dd, e, g, h and i in Paragraph 2 hereinabove, a foreign bank’s branch shall be required to audit in line with regulations of the parent bank in conformity with provisions of this Circular.

Article 17. Performance method of the internal audit

1. Performance method of the internal audit shall be “risk-oriented” auditing method, priority shall be given to resources concentration for auditing units, departments, processes which are considered as highly risky.

2. Internal auditor shall define, analyse, measure risks and draw up risk profile for each operation of the credit institution, foreign bank’s branch. The risk profile shall include all potential risks, possible effects of those risks on the operation of the credit institution, foreign bank’s branch and occurrence possibility of those risks. Basing on the valuation of the effect, possibility of the risk occurrence; each risk shall be classified into high, or medium or low risks. The measurement, classification of risks shall be performed on an annual basis at the minimum.

3. The result of risk measurement shall be the basis for the Chief of internal audit to work with the Controllers' Committee, the General Director (Director) and the Board of Directors, Board of Members in the preparation of the annual internal audit plan. All the risks shall be rated by descending order, activities which are considered as highly risky shall be given the priority to concentrate more resources, more time on the auditing, priority to perform the auditing first and more regular than those with low risk exposures.

4. The internal audit plan must be drawn up basing on the risk measurement results and must be updated, amended and adjusted in accordance with the development, changes in the operation of the credit institution, foreign bank’s branch and changes of accompanied risks.

Section 3: DUTIES, AUTHORITIES AND RESPONSIBILITIES OF THE INTERNAL AUDIT DIVISION

Article 18. Duties of the Internal audit division

1. To set up operational processes of internal audit at the credit institution for submission to the Controllers’ Committee for review and approval after reporting to the Board of Directors, Board of Members.

2. To make annual or unexpected plan on internal audit and perform internal audit activities

in line with the plan or unexpected audit upon request by the Board of Directors, Board of Members, Controllers’ Committee; to perform the approved policies, processes and procedures of internal audit on the basis of ensuring the quality and efficiency.

3. To perform independent, objective inspection, verification, review for all units, divisions, activities of the credit institution, foreign bank's branch (policies, procedures, processes or problems incurred in the operation) basing on the risk level (high, low or medium) and the impact on the credit institution’s operation. In respect of any matter that may cause bad effect to the credit institution’s operation, the internal auditor should make timely report on the nature and its impact on the credit institution’s operation and suggest practical recommendations to prevent and overcome these matters.

4. To suggest measures for correcting and overcoming shortcomigs; suggest the settlement of violations; recommend measures for completing, enhancing the effectiveness, efficiency of the internal control system

5. To valuate the correspondence of activities in order to prevent, surmount already reported weak points; activities for the purpose of completing the internal inspection, control system and follow up them till these issues are satisfactorily settled

6. To prepare audit report; timely inform and submit the results of internal audit in accordance with provisions in Articles 26, 27 and 28 of this Circular.

7. To develop, amend, supplement, complete the method of internal audit and operation scope of the internal audit activity in order to be able to update and catch up with the development of banking activity

8. To implement the process of ensuring quality of the internal audit work.

9. To set up a profile of ability level and requirements necessary for the internal auditor to make basis for recruitment, promotion, transfer of officers and fostering professional

10. To maintain the regular consultancy, discussion with the independent audit organization, the State Bank (Banking Inspection and Supervision Department, State Bank's branch) for the purpose of the efficient cooperation; to act as a unit that regulates, coordinates with external agencies for works relating to the function, assignment of the internal auditors.

11. To provide advice to the Managers, the Board of Directors, Board of Members of the credit institution, foreign bank's branch and operational divisions to carry out projects on setting up, new application or amendment of important operational processes; management and administration regime; process of risk identification, measurement and assessment, risk management, method of capital valuation; the accounting and information system; to perform new operations, products providing that the independence of the internal audit activity is not affected.

12. To perform other functions assigned by the Board of Directors, Board of Members, Controllers’ Committee.

Article 19. Authorities of the Internal audit division

1. To be fully equipped with necessary resources (human resource, financial resource and other necessary facilities).

2. To be entitled to take the initiative in performing their assignment under the approved auditing plan.

3. To be fully, timely supplied with all information, documents, files which are necessary for the internal audit activity.

4. To be entitled to access, review all operational processes, assets in the performance of audit activity.

5. To be entitled to approach, interview all officers, staff of the credit institution, foreign bank's branch for issues relating to the audited contents.

6. To be entitled to receive materials, documents and meeting minutes of the Board of Directors, Board of Members, Controllers' Committee, Managers, Executive Officers relating to the internal audit activity.

7. To be entitled to attend internal meetings in line with provisions of applicable laws, or in conformity with regulations in the Charter, internal regulations of the credit institution, foreign bank's branch.

8. To be entitled to supervise, evaluate and follow up the correction, overcoming, completion by the leaders of units, divisions in respect of issues which are recognized and recommended by the internal auditors.

9. To be protected from any acts of non-cooperation of the audited unit.

10. Internal auditors shall be entitled to regular training as to operational knowledge in order to be qualifiable and professional in performance of the assigned duties.

11. Other authorities in accordance with provisions of applicable laws.

Article 20. Responsibilities of the Internal audit division

1. To keep secret of the information, documents in accordance with current provisions of laws, of this Circular, of the Charter and of the Internal Regulation on internal audit of the credit institution, foreign bank's branch.

2 To take responsibility to the Controllers' Committee for the result of the internal audit activity; for the assessments, conclusions, petitions, proposals in the internal audit report.

3. To follow up the performance results of petitions after the internal audit of units, divisions of the credit institution, foreign bank's branch.

Section 4: POLICY AND PLAN OF INTERNAL AUDIT

Article 21. Policies on internal audit

1. Internal audit policy shall be an official basis and guidance for the internal audit activity and for each internal auditor. Policy on internal audit shall include an internal regulation on internal audit, a set of professional virtue rules, internal regulations on the organization and operation of internal audit, a process on internal audit and related provisions.

2. The internal regulation on internal audit should have an overview of the guideline, purpose, scope of operation, position, authority, function, assignment of the internal auditors in the credit institution, foreign bank's branch and relationship with other units, divisions; in which there are requirements of the independence, objectiveness, fundamental principles, requirements of the professional level and the assurance of quality of the internal audit activity. The internal regulation on internal audit of the credit institution, foreign bank's branch shall be established on the basis of the conformity with provisions of this Circular and current provisions of applicable laws.

3. The process on internal audit shall stipulate processes and provide detailed guidance on the method of risk evaluation, preparation of an annual internal audit plan, plan for each audit session, mode of the audit performance, preparation and submission of an auditing report, archive of internal audit files, materials. The process on internal audit may be provided for in the Internal Regulation on internal audit.

4. Based on provisions of this Circular, the credit institutions, foreign bank's branches shall draw up their policies and processes on internal audit in line with their specific operation characteristics. The credit institutions, foreign bank's branches are encouraged to apply international rules on internal audit providing that they are not in contrary to provisions of this Circular.

Article 22. Professional virtue rules

1. The credit institution, foreign bank's branch shall draw up a set of rules on professional virtue and ensure the maintenance of those rules in order to develop culture of professional virtue within the credit institution in general, and in the implementation of the internal audit work in particular. Internal auditors shall be required to comply with the rules on professional virtue in the performance of the internal audit and consultancy work.

2. An internal auditor shall be obliged to implement and maintain at least the following professional virtue rules:

a) To be truthful: An internal auditor must carry out their work truthfully, carefully and responsibly; comply with laws and perform all works publicly in accordance with provisions of applicable laws and of the profession; shall not deliberately involve in any illegal activity, or take part in activities that may result in the loss of prestige for the internal audit profession or for the credit institution; always respect and strive to make efficient contribution to proper and lawful objectives of the credit institution, foreign bank's branch;

b) To be objective: An internal auditor must express their professional objectiveness as best as he can during the collection, assessment and communication of information about activities or processes, systems that have been or are being audited. An internal auditor should give their fair assessment for all related issues and not be affected by private objectives, interests or by any person when giving their comment, assessment.

c) To be confidential: An internal auditor should respect the value and the ownership of received information, shall not be permitted to disclose the information without the valid authorization unless they are obliged to disclose the information in accordance with provisions of applicable laws and internal regulations of the credit institution, foreign bank's branch.

d) To be responsible: An internal auditor must always be highly responsible, strive to learn, continuously develop his professonal capacity, apply all the gained knowledge, skills and experiences to perform the internal audit in the most efficient manner;

dd) To be cautious: An internal auditor must always be careful and have necessary skills of a cautious auditor by paying more attention to the followings:

- Necessary time limit for finishing the proposed targets;

- The complexity, necessity or importance of the issues so as to apply the proper process;

- The conformity and efficiency of management and operation processes;

- Probability of serious mistake, illegal acts;

- Expense on operation in relation to potential benefits.

3. The Chief of Internal Audit shall, apart from ensuring professional virtue rules as stipulated in Paragraph 2 of this Article, take measures for following up, assessment, management in order to ensure the compliance with the rules on professional virtue by internal auditors.

Article 23. Annual internal audit plan

1. Basing on the scale, the growth rate, risk level of activities and available resources (human, financial resources, ect), the Chief of Internal Audit shall draw up an annual internal audit plan, including the audit scope, audit objectives, audit time and the allocation of resources.

2. The annual internal audit plan of a credit institution, foreign bank's branch must satisfy following requirements:

a) Risk based orientation: operations and units, managing and professional operation departments with high risk level must be audited at least once a year;

b) Ensuring the comprehensiveness: all operational processes, units, managing, professional operation departments of the credit institution shall be audited; processes, units, departments that have been evaluated as having the lowest risk exposure shall be audited on the basis of every three (03) years at the minimum;

c) A sufficient time fund shall be made up for the performance of unexpected audit sessions upon request of the Controllers' Committee, or upon availability of information about the signal of violation, signal of high risk of audited subjects;

d) The adjustment may be made where there is a basic change in the operation scale, risk development or current resources.

3. The internal audit plan for the following year shall be submitted to the Board of Directors, Board of Members, Controllers' Committee, General Director (Director) of the credit institution before 30 November of every year; Before 31 December of every year, the Controllers' Committee of the credit institution shall submit this audit plan to the State Bank (Banking Inspection and Supervision Department, State Bank's branch). Internal audit plan of a people's credit fund shall only be submitted to the State Bank's branch.

Article 24. Approval of policy on internal audit and internal audit plan

1. Policy on internal audit (excluding internal regulation on the organization and operation of internal audit) shall be discussed with the General Director (Director) by the Controllers’ Committee and approved and signed for issuance by the Chief of the Controllers’ Committee after having reported to the Chairman of the Board of Directors, Chairman of Board of Members.

2. Internal regulation on the organization and operation of the internal audit shall be approved and signed for issuance by the Chairman of Board of Directors, Chairman of Board of Members on the basis of the proposal of the Controllers' Committee.

3. The internal audit plan shall be discussed with the General Director (Director) by the Controllers’ Committee and approved by the Chief of the Controllers’ Committee on the basis of agreement with the Chairman of Board of Directors, Chairman of Board of Members.

4. Within a period of 10 working days since the approval, the internal audit policy, internal audit plan of the credit institution, foreign bank's branch (except for the internal audit plan as provided for in Paragraph 3 Article 23 of this Circular) shall be sent to the State Bank

(Banking Inspection and Supervision Department) for information and follow-up; People's credit fund shall only send to State Bank's branch. The State Bank shall be entitled to contribute its opinion or ask to amend some contents of the internal audit policy if provisions of this Circular have not been satisfied yet.

Article 25. Performance of the internal audit plan

1. The Chief of Internal Audit shall organize the implementation of the annual internal audit plan and special unexpected audits upon the request of the Board of Directors, Board of Members, Controllers' Committee and General Director (Director).

2. Scope, cycle and method of auditing, auditing process must assure that the auditing result truly reflects the actual situation of the audited contents.

Section 5: REGIME ON REPORTING AND ARCHIEVE OF INTERNAL AUDIT RECORDS, DOCUMENTS

Article 26. Audit report

1. The internal audit division of the credit institution shall timely draw up, complete and send an audit report to the Board of Directors, Board of Members, Controllers' Committee, General Director (Director) and audited units, divisions within a period of one month at the maximum since the ending of each audit.

2. The audit report must clearly state: audited contents, scope of the audit; assessments, conclusions of the audited contents and bases of the opinions; shortcomings, error, violation, explanations of the subjects of audit; recommendig methods for error correction, overcoming and violation settlement; recommending methods fopr rationalizing, improving the operational process; completing the risk management mechanism, organizational structure of the credit institution (if any).

3. An audit report must be supported by the opinion of the leadership of the audited unit, division. In the event where the audited unit does not agree with the audit result, the internal audit report should state clearly the disagreement of the audited unit and the reason thereof.

Article 27. Irregular report

1. The Chief of Internal Audit shall make an irregular report in accordance with following provisions:

a. Immediately reporting to the Controllers' Committee, Board of Directors, Board of Members, General Director (Director), State Bank (Banking Inspection and Supervision Department, State Bank's branch) if any serious violation is detected or where any high risk exposure that may cause bad effect to the operation of the credit institution is realized.

b. Timely informing the Manager of the unit whose the activity is audited if the shortcomings stated in the audit report are not timely corrected and overcome after a prescribed period of time.

c. After having informed the Manager of the unit of which the activity is audited in accordance with provisions in Point b of this Paragraph, if the relevant shortcomings have not been corrected and surmounted yet, they must be timely reported in writing to the Controllers' Committee, the Board of Directors, Board of Members and General Director (Director) of the credit institution.

2. In the event where the internal audit of a foreign bank's branch is undertaken by the internal audit of the head office or regional office, the Parent bank of that foreign bank's branch shall be required to promptly report the State Bank (Banking Inspection and Supervision Department, State Bank's branch) if any serious violation is detected or where any high risk exposure that may cause bad effect to the operation of the foreign bank's branch is realized.

Article 28. Annual audit report

1. After 45 days at the latest since the ending of the fiscal year, the Chief of the internal auditor shall send a general report on the performance result of the internal audit plan in the previous year to the Controllers' Committee, the Board of Directors, Board of Members, the General Director (Director). The general report on the performance result of the internal audit plan of the previous year shall state clearly: the proposed audit plan; the already performed audit activities; serious shortcomings, violations that have been detected; methods proposed by the internal auditors for the correction and overcoming of the shortcomings, violations; assessment of the internal inspection, control system relating to audited activities and proposals for the perfection of the internal inspection, control system; the performance of methods, petition, recommendations of the internal auditors.

2. After 60 days at the latest since the ending of the fiscal year, the Controllers' Committee of the credit institution shall send a general report on the performance result of the internal audit plan of the previous year with contents as provided for in Paragraph 1 of this Article to the State Bank of Vietnam (Banking Inspection and Supervision Department, State Bank's branch). A people's credit fund shall submit its general report on the internal audit result of the previous year to the State Bank's branch.

Article 29. Archive of internal records, documents

1. Audit reports and audit records, documents shall be archived at the internal audit division in accordance with provisions of applicable laws.

2. Files, documents of each audit shall be recorded as written documents, archived by order so that individuals, organizations that are competent to exploit (who have professional qualification and knowledge of banking activity) can understand the audit works, the result of the audit.