The State Bank of Pakistan has issued some new standards for financial firms on internal audit and the oversight of the function. The new internal audit guidelines set forth several requirements for how the function is structured and governed.
Banks and other companies that meet the state definition of a financial institution will have until the end of the year to ensure they they have a board-level audit committee, an internal audit charter, and an internal audit function with a chief internal auditor or equivalent. The new standards also create requirements for the structure and reporting lines of the internal audit function.
Pakistani banks and designated financial institutions will need to adopt a board audit committee with at least three non-executive members and one independent director. A majority of the committee members will need to have a “good understanding of accounting, finance and audit related matters; and ensure that at least one member has relevant qualification and experience in the field of audit, accounting and finance,” according to a report in Business Recorder, a financial newspaper based in Karachi. The audit committee will approve the internal audit budget, oversee the hiring and removal of the chief internal auditor and conduct periodic reviews of the internal audit function.
The 17-page internal audit guidelines are fairly prescriptive in nature, covering everything from the rotation of internal auditors within the department to the specifics of the audit planning process.
Internal Audit Guidelines
Among the many requirements of the instructions, some of the provisions include:
- The appointment of a chief internal auditor (CIA) with at least 15 years of experience in the field of finance and at least 5 years of audit experience.
- The CIA should report to the board audit committee functionally and to the CEO administratively and will be exempt from rotation requirements.
- The development of an internal audit strategy by the CIA that is reviewed and approved by the board.
- The formulation of a risk-based audit plan at least annually. (Financial firms with have until the end of 2020 to complete this requirement.)
- A review by the audit committee of the firm’s whistleblower procedures for receiving complaints and concerns about business ethics and practices and controls over financial reporting.
- A mechanism whereby internal auditors are required to disclose any conflict of interest with the activity being audited, arising either from their professional or personal relationships, prior to starting their audit assignments.
The Pakistan State Bank issued the internal audit guidelines in response to recent failures at banking institutions around the world. “In order to save itself from internal controls surprises, it is high time for financial institutions to further invest in building a robust internal control environment that is commensurate with the volume and complexity of its operations, taking into account the specific context under which a financial institution operates and the long-term business objectives that it plans to achieve,” the new guidelines state. 