Xavier Potier, risk assurance director, and Mai Tran Bao Anh, financial services assurance senior manager at PwC Vietnam
Why is the implementation of Circular 13 important for banks and their IA function?
As an emerging economy, Vietnam has seen its banking and financial markets develop quite rapidly. However, we have also witnessed deep-rooted issues in the industry, to which many banks have not promptly taken appropriate actions. These challenges point to shortcomings in monitoring and controlling risks.
Circular 13, which takes effect on January 1, 2019, has developed a comprehensive and consistent legal framework for senior management oversight, internal control, RM, internal capital adequacy assessment process (ICAAP), and IA of commercial banks. The circular helps banks to comply with international standards and best practices. It will also improve the effectiveness of inspection and supervision by the State Bank over commercial banks in order to reduce losses, insolvency risk, and avoid the potential collapse of the banking system.
In accordance with Circular 13 and international standards, the role of IA as the last line of defense in the governance system will become more important. The IA function is responsible for conducting independent audits and assessments of the bank’s compliance with internal policies and regulations. In addition, it also reviews and assesses the compliance of internal policies with state regulations. Circular 13 also stipulates better mechanisms for co-operation between management, the first and second lines of defense, and IA.
What challenges hamper the IA function in meeting the requirements of Circular 13 and international standards?
The IA function will likely face a number of challenges in terms of procedures, human resources, and technology application.
First, procedures will need to be standardised and risk-based to identify and assess key risks in banking operations. Under the definition of the Institute of Internal Auditors (IIA), risk-based IA is a methodology that links internal auditing to an organisation’s overall RM framework. This helps the IA function to provide reasonable assurance to the board of management that RM processes are operating effectively and are not excessively risk-taking. The current IA plans are primarily based on credit and operational risk assessment, excluding other risks in banking operations. However, in the coming time, the annual IA plan should cover tasks such as building a risk profile at the bank level, identifying departments which may be subjected to IA, and planning audits (frequency and schedules). Besides, the design of audit programmes for the RM system, including RM framework, risk appetite, credit risk, operational risk, market risk, liquidity risk, concentration risk, interest rate risk, and ICAAP, is really challenging for banks.
Second, internal auditors will need to improve their capabilities to meet the requirements of the IA function. At present, there is a shortage of experts with experience in IT, RM, and ICAAP following Basel II. Generally, internal auditors at Vietnamese banks lack knowledge of mathematical model development and of credit risk and market RM theory. Many of them do not have enough training and practical experience to fulfil their function.
The third challenge is the lack of supporting application tools and IT systems to conduct IA effectively. According to the IIA’s standards, for the sake of prudence, internal auditors must consider the application of technology and data analysis techniques in auditing. Many IA functions in local organisations are not equipped with the right tools for monitoring audit work and quality, yet such tools are needed to ensure effective and efficient audits as well as provide an early warning system for abnormal indicators in high-risk areas of the banking operations.
So how should banks start their IA transformation?
Banks should conduct assessments of the current IA function and analyse gaps in comparison with Vietnamese regulations and international practices. Areas of assessment include organisational structure of the IA function; policies, procedures, and methodologies of IA; qualifications and skills of auditors; and information technology, just to name a few.
Afterwards, banks should develop their own methodologies, strategic and annual plans, IA framework, forms of audit report, and assessment criteria for audit findings. Banks should design audit programmes for the RM system, including stress-testing.
Simultaneously, the IA function needs to be enhanced in terms of both quantity and quality through appropriate recruitment and training. Large banks are recommended to use their personnel to carry out IA. However, outsourcing some activities can help banks quickly access professionals with in-depth knowledge and also deal with temporary shortages in human resources. Whether IA is outsourced or not, the board of management remains ultimately responsible for IA.
Furthermore, banks should invest in new technologies to support IA operations. They should build up an early warning system to help the IA function identify and prevent potential errors. Internal auditors should be able to apply information technology to support the management of audit activities and data analysis to optimise the resources and performance of the IA function.
Based on our observations in Vietnam, some commercial banks, including state-owned ones, have implemented or completed projects to enhance the IA function. These often also cover the audit of information technology and the application of IT solutions in IA. This shows that more banks are acknowledging the increasingly important role of the IA function as the last line of defense to deal with risks in banking operations.
How can PwC help?
PwC has advised commercial banks in Vietnam on enhancing the capabilities of the IA function and provided the methodology for banks to improve the capacity of IT system auditing. In addition, PwC has also implemented projects related to Basel II for leading commercial banks in Vietnam, such as Basel II gap analysis, roadmap development, enhancement of credit, market RM, and setting of risk appetite for Pillar 1 and 2.