
Policy Statement on Internal Audit

3 August 2008

Prepared by:
Financial Institutions Business and Accounting Policy Office
Regulatory Policy Department
Financial Institutions Policy Group
Tel 0-2283-6876, 0-2283-6928
Fax 0-283-5938
Email: BOPTeam@bot.or.th

BOT Policy Statement Re: Internal Audit of Financial Institutions (11 September 2018) -check
Unofficial Translation
With collaboration between the Bank of Thailand and the Association of International Banks
This translation is for the convenience of those unfamiliar with the Thai language.
Please refer to the Thai text for the official version.
------------------------------------
Policy Statement of the Bank of Thailand
RE: Guidelines for Internal Audit of Financial Institutions
______________________________________________________

1. Rationale
The internal control system and the internal audit system are very important
components of good corporate governance. It is the internal auditor’s essential role
to assess the effectiveness and enhance the standard of the internal control system
of financial institutions, which are key requirements in strengthening the stability of
the overall financial system. Therefore, an appropriate internal audit structure for
financial institutions is very important.

The essence of the guideline has not been changed from the existing one.

2. Scope of Application
This Policy Statement shall apply to all financial institutions in accordance
with the laws on financial institutions businesses.

3. Repealed Notification and Circular


The Circular No. BOT. FPG. (21) Wor. 2258/2001 dated 15 October 2001 Re:
Policy Statement on Internal Audit for Financial Institutions shall be repealed.

4. Contents

4.1 Internal Audit Structure


The Bank of Thailand deems that financial institutions should establish an
internal audit department which is appropriate to the volume, characteristics and
scope of financial institutions’ activities. The internal audit department shall be
responsible for reviewing and testing the internal control system and risk
management system. However, if financial institutions find that establishing an
internal audit department may put too much burden on financial institutions, on a
basis of synergy and economies of scale, financial institutions may have the auditor
from the Head Office or Group conduct the internal audit or outsource this activity
to an external audit company. In such case, financial institutions shall clearly specify
and notify the Bank of Thailand. In the case of small financial institutions with few
employees and simple operation, the benefits from having an internal auditor may not
justify the cost. In this case, financial institutions may utilize an independent internal
audit system whereby the staff who perform auditing on a particular activity shall be
independent from such activity. The outcome of the audit shall be reported to the
audit committee or the board of directors. Financial institutions which already
have a higher standard of internal audit than this policy statement may follow their
existing practice.
Financial institutions shall conduct internal audit with independence,
objectivity, professional proficiency, relationship and communication, audit
governance and outsourcing.

4.1.1 Management’s Roles and Responsibilities


Management is responsible for setting up an appropriate internal
audit department commensurate with the size, scope and business characteristic of
the financial institutions for monitoring the adequacy and effectiveness of the
internal audit system and risk management system. In addition, management shall
set out the objective, authority, duties and responsibilities of the internal audit
department and clearly define an audit policy, which requires approval from the audit
committee or the board of directors. Management shall take the importance of this
unit into consideration and shall ensure that the entire organization understands
such importance and is willing to support its independence and the auditors’ status,
as well as, allocate adequate and proper resources and personnel so that the
internal audit department can achieve its objective.

4.1.2 Independence and Objectivity


The internal audit department shall be independent from the audit
activity and shall be able to audit various activities of the organization independently.
The audit report, the recommendations, and the independence and objectivity of the
internal auditor are very important for audit work, so that the internal auditor can
work without prejudice.

(1) Organizational Status


(1.1) The internal audit department should have the
organizational stature and be independent to allow internal auditor to achieve its
objective by obtaining support from the management to enhance the cooperation
from the examinee and allow the auditor to work independently without
interference. The Chief Internal Auditor (CIA)’s status shall be equivalent to the chief
of other major departments’ status within the organization. The appointment of,
transfer, setting of compensation, assessments and withdrawal of CIA shall be
decided by the audit committee. In case where the audit committee does not exist,
such actions shall be carried out by the board of directors.

(1.2) The CIA shall report directly to the audit committee. In the
case where the audit committee does not exist, such actions shall be carried out by
the board of directors. The CIA shall be allowed to meet with the board of directors at all
times. Regular communication will enhance confidence in independence and allow
the audit committee or the board of directors to acknowledge all matters relating
to auditing.

(1.3) CIA shall set out the responsibilities for the personnel
or subdivision within the internal audit department and shall submit and obtain
approval from the management, the audit committee and the board of directors
before exercising. The responsibilities shall be set according to the size, characteristic
and complexity of the activities, as well as the objective and scope of the internal
audit.
(1.4) Internal auditors shall not be responsible for other
activities aside from auditing. In general, personnel in other departments shall not be
assigned to work in the internal audit department. However, in a special case, the
internal audit department may, temporarily, seek advice from other departments for
specific tasks. In addition, the internal auditor shall have unlimited access to the
necessary data, assets, personnel and financial institutions’ office. If such access is
not granted, the internal auditor shall submit a written notification to the audit
committee or the board of directors immediately to resolve the problem with the management.

The internal audit department shall receive, in a timely manner, data and
documents required for auditing, orders and management decisions which may
directly or indirectly impact the auditing, and changes to the internal control system.
Besides, every department within the organization shall immediately
report to the internal audit department any severe error or damage, or any
doubt that such damage may occur in the department.

(2) Objectivity
(2.1) Objectivity means an independent state of mind, which
will allow the internal auditor to exercise judgment and give opinions and
recommendations without bias.

(2.2) The internal auditor shall comply as follows:

- avoid conflict of interest resulting from professional
or personal relationship or audit activities;
- shall not have authority over or hold responsibility for
the audited assignment;
- shall not be assigned to audit activities
in which the auditor was involved before becoming an auditor unless the auditor has
performed an independent auditing in between or the auditor has withdrawn from
such activities for more than 1 year;
- may provide recommendations or opinions
regarding new controlling systems or reviewing of rules before implementing as long
as such actions do not dilute the independence of the internal audit department.

4.1.3 Professional Proficiency


The effectiveness of the internal audit depends mainly on the
quality and experience of the auditors, who should possess appropriate qualification
and necessary training, together with continuing education in the professional field in
order to be able to keep up with the development in the financial sector.

(1) Resources
Internal audit department shall obtain adequate resources in
order to carry out its tasks efficiently. The CIA shall estimate the required amount of
resources according to the size and complexity of the financial institutions’
operation. The required amount of resources shall be approved by the audit
committee or the board of directors. In addition, CIA shall set up an appropriate
guideline for recruiting internal auditors. For specialized areas, the CIA may hire a
specialist or consultant to ensure the efficiency of the auditing.

(2) Qualification, knowledge, experience and expertise


(2.1) The required educational background and expertise for the
CIA may differ depending on the size and complexity of financial institutions’
operation. The CIA shall have an educational or professional background in relevant fields
such as finance, banking, accounting and internal control, etc. and gain sufficient
experience in auditing for the position. However, the management may appoint a
suitable person without such qualification to be the CIA. In addition, the CIA shall be
extensively knowledgeable in the business, organization, communication and other
expertise as well.

(2.2) The internal auditor shall obtain knowledge and gain
experience in accordance with the scope of work and level of responsibility. The internal
auditor shall obtain an understanding of the audited assignment, the most up-to-date
rules and regulations of the financial institutions, financial institutions’ organization
structure, financial institutions’ general operation, financial institutions’ operational
risk, as well as be able to apply the most up-to-date internal audit professional
standard. In addition, the internal audit department shall appoint persons with expertise
in accounting standards, law, notifications and circulars of the Bank of Thailand and
other state organizations and regulations of the related associations to be
consultants to the internal audit department.

(3) Supervision
Supervision is a continuing process starting from planning to
concluding the audit result and following up on the recommended improvement.
The CIA shall ensure that the objective of the auditing which is specified on the audit
program has been fulfilled. CIA shall also set the appropriate time frame for each
audit assignment in accordance with the characteristic and complexity of the
assignment.

(4) Code of ethics of internal auditor


Financial institutions shall prepare a written code of ethics for
internal auditors. The code of ethics shall state that internal auditors should perform
their work with professional care, independence, objectivity and honesty. The
auditors shall also hold themselves to the utmost ethical standards, avoid
conflicts of interest, keep all data obtained from auditing confidential and not exploit
such data for any person’s interest. Moreover, they should act in accordance with the
notifications and circulars of the Bank of Thailand, laws, and regulations of the
relevant associations.

(5) Training
The audit committee and the board of directors shall arrange the
necessary training for the internal auditors. The internal audit department shall prepare a
continuous education and training program for internal auditors to enhance their
auditing standard and technical skills, as well as to allow them to apply new auditing
techniques to be in line with the business trend and development. The CIA shall
organize the on-the-job-training for new auditors under supervision of knowledgeable
and experienced auditors. CIA should also set up a budget for the training by
consulting the audit committee or the board of directors and the chief executive
officer (CEO). Apart from the training arranged by the financial institutions, internal
auditors shall continuously acquire additional knowledge themselves to enhance
their skills.

4.1.4 Relationship and Communication


Internal auditors shall maintain good relationship with the
management, examinee and shall constantly communicate with external auditor and
the Bank of Thailand.

(1) Management
Respect and cooperation shall prevail between the
management and internal auditors. Consulting with management may reveal the
critical points with which the CIA should be concerned. Internal auditors shall exercise
special expertise in giving value-added advice to the management.

(2) Examinee
Internal auditors shall maintain good relationship with the
examinees in order to obtain their cooperation which will allow the internal auditors
to carry out the auditing smoothly. However, the internal auditors shall maintain
their neutral position during the auditing.

(3) External Auditors


Internal auditors shall maintain a good relationship with the
external auditors and shall meet with them periodically, for example to
review audit plans, prioritize audit assignments, review internal control and set
the audit scope, in order to avoid redundancy.

(4) The Bank of Thailand and State Organization Supervisor


(4.1) The internal auditors shall immediately report to the
audit committee, the board of directors, CEO and the Bank of Thailand through the
reporting line of the organization once they discover an anomaly that may cause serious
damage to the operation and financial status of the financial institutions, such as
unlawful acts, irregular transactions, errors, inefficiency, waste, conflict of interest, as
well as, fundamental weakness which may cause the internal control system to
collapse.
The internal auditors shall monitor whether
the management has corrected the anomalies discovered by the Bank of Thailand.
In case there is no correction, the internal auditors shall submit the report to the
supervisor through the reporting line of the organization, including the Bank of
Thailand.

(4.2) The internal auditors shall fully cooperate with other
relevant government agencies.

4.1.5 Audit Governance


The CIA shall ensure that the auditing work has been carried out in
accordance with the sound internal auditing standards, such as Standard for the
Professional Practice of Internal Auditing of the Institute of Internal Auditors. The CIA
shall also set up audit charter, audit plan, audit manual, audit program and internal
control questionnaires (ICQ). Such documents may be called differently;
as long as they serve the same purpose, they are acceptable.

(1) Audit Charter


The audit charter is an official document which specifies
objective, scope, authorities, roles and responsibilities, independency and status of
internal audit department within the organization, as well as, CIA’s responsibilities.
CIA shall submit the audit charter to the audit committee or the board of directors
for approval. The audit charter shall be distributed within the organization to notify
all employees of the internal auditor’s roles and responsibilities and to ratify the
status and authority of the internal audit department. CIA shall periodically review
the audit charter and make amendment if necessary.
(2) Audit Plan
(2.1) The audit plan is the most important document for
auditing. The CIA shall prepare the audit plan as a tool to set out a guideline for audit
control and evaluation of the internal audit department. The time frame of such plan
depends on the size and complexity of financial institutions’ operation. The audit plan
shall state the audit objective, audited area, scope, audit frequency, resources required
and time frame of each audit assignment. The audit plan shall be risk oriented.
The CIA shall assess the risk of the area which will be audited in order to set out the audit
technique, prioritize the audit assignment, frequency and scope of audit. The audit
technique shall be documented and reviewed regularly. In general, the audit cycle of
the audited area shall be once a year. If the financial institutions have an efficient risk
assessment system, the CIA may consider setting the audit cycle for insignificant areas
differently. The CIA shall include the management audit in the audit plan.

(2.2) The audit plan and material changes to the plan shall
be approved by the audit committee or the board of directors. Such plan shall be
flexible enough to respond to changes in priority or necessity and shall be
reviewed regularly. In addition, the progress of the plan shall be reported to the
audit committee or the board of directors periodically.

(3) Audit Manual


The audit manual is a document used as a guideline and reference
for internal auditors in performing audit. It will also be used as a tool to train new
auditors. The CIA shall be responsible for ensuring that the manual contains clear detail
and sufficient significant essence for carrying out major financial institutions’
operation. In addition, the CIA shall periodically improve the manual to be in line with
improvements in audit technique and changes in circumstance.

(4) Audit Program and Internal Control Questionnaires (ICQ)


Financial institutions should establish the audit program, which
clarifies the objective and procedures (step-by-step) of the internal audit assignment,
and internal control questionnaires. Both the audit program and ICQ shall contain
sufficient details and shall be flexible enough to support audited items and allow
improvement to be in line with new developments in the industry. A
well-designed audit program and ICQ will enable the auditing to be systematic.

(5) Quality Assurance


(5.1) The CIA shall establish a quality assurance program for
evaluating the internal audit’s performance, which will give the internal audit and
relevant parties more confidence in the information.
(5.2) The quality assurance program may be a quality test
among colleagues and shall be reviewed every 3-5 years by independent parties
such as external auditors or the audit committee.

4.1.6 Outsourcing the internal audit activities


Financial institutions may partially or totally outsource the internal
audit duty to an audit company due to the lower cost and/or better service if
such company has a good operational structure and good management. However,
the Bank of Thailand is concerned that outsourcing internal audit to external
parties may have an adverse impact on financial institutions’ stability.

Therefore, the Bank of Thailand requires financial
institutions which want to outsource the internal audit to external auditors to notify
the Bank of Thailand of such action. The outsourced company shall not be related to the
management or the board of directors and shall not gain interest from the
organization, in order to prevent conflict of interest. The Bank of Thailand
expects that financial institutions will analyze the impact of outsourcing
such activity to an external company on the overall risk profile, including financial
institutions’ internal control system. The board of directors and management still
hold responsibility for the effectiveness and adequacy of the internal control system and
internal audit, and such responsibilities are not transferable.

The Bank of Thailand may request the audit report and relevant
working papers prepared by the external auditors. Financial institutions shall
prove to the Bank of Thailand that the outsourced company has adequate
expertise, sound financial status and independence, and is independent from the audit
assignment. In addition, such company should have an adequate number of auditors with
knowledge and experience. The reporting process between the outsourced
company and financial institutions shall be clearly defined to support
communication in case there is a problem arising from auditing. Financial institutions
shall continuously assess, monitor and build a good relationship with the outsourced
company.

Financial institutions which outsource the internal audit to an external
company shall have a written contract with specified objective and scope of work,
access to data, documents, personnel and office, including assumptions and
regulation, ownership and the proper way to keep the working papers and
confidential information obtained during the audit. Financial institutions shall
establish a contingency plan in case the outsourced company can no longer provide
the service. The Bank of Thailand does not permit financial institutions to outsource
internal audit to the company which currently provides the annual financial
statement review for the financial institutions, to ensure the independence of internal
audit from the financial statement review. Thus, having the same company perform
both assignments is not appropriate.

In case financial institutions assign partial or entire internal audit to
regional internal audit or Head Office internal audit under the same entity, this is
not considered an outsourced internal audit.
In this regard, financial institutions shall refer to the BOT
notification No. FPG 8/ 2557 Re: Regulations on Outsourcing of Financial
Institutions.

4.2 Roles and Responsibilities


The major role of the internal audit department is to independently assess
financial institutions’ various activities. Internal audit plays a major role in assisting
management in establishing and maintaining the best internal control environment
possible for the financial institutions. A good internal control environment will
ensure that financial institutions have complied with the law and regulation, looked
after and protected their assets, kept adequate documents, prevented or identified
fraud, errors and irregularities from the beginning. It will also ensure that financial
institutions have operated efficiently.
Major roles and responsibilities of internal auditors are necessary for
enhancing financial institutions’ stability.

4.2.1 Adequacy and effectiveness of internal control system


Internal auditors are responsible for reviewing the rules of financial
institutions to ensure that financial institutions have sufficient internal control and
the existing internal control system is effective, feasible and has been complied with.
The review and internal control testing shall be performed regularly to ensure that
the internal control system works properly which will promote the financial
institutions’ business strategy to become successful. Reliability and accuracy of
financial data, along with the tool to identify, measure, classify and report of such
data shall be assessed to ensure the effectiveness of the Management Information
System (MIS).

4.2.2 Compliance with the policy, rules, laws and regulations


In auditing, internal auditors shall evaluate whether or not financial
institutions have complied with the laws, regulations, notifications and circulars of
the Bank of Thailand and of other government agencies including stipulations of
relevant association. Besides, internal auditors shall review the compliance of
financial institutions’ operation with financial institutions’ policy and rules, except in
case where financial institutions have another department perform such assessment
and review separately from the internal audit department; in that case, that department
shall be responsible for such matters.

4.2.3 Detection for frauds, errors, omissions and irregularities


Preventing and examining for frauds, errors, omissions and
irregularities from the beginning is a duty of the management. Implementing the
internal control system regularly will reduce, but not eliminate, the number of
frauds, errors, omissions and irregularities. Therefore, in assessing stability and
adequacy of internal control system, internal auditors shall be alert especially when
there is a change in financial circumstance which may reduce the efficiency of the
existing internal control system or increase the risk from frauds and errors. In
addition, internal auditors shall take a part in setting consequences resulting from
operational errors or frauds, or be a member of the discipline consideration
committee.

4.2.4 Management Audit


Internal auditors shall provide value-added services to the
management by reviewing whether or not resources have been utilized efficiently,
effectively and economically, including reviewing the working system and
general management system. This provides information for assessing
management’s work in managing the working system and regulation, to ensure that the
work has been carried out to achieve financial institutions’ objectives and goals.

4.2.5 Information System Audit


The use of computers at work has changed the way financial institutions’
data is processed and stored. Currently, some financial institutions provide service
through electronic means. Therefore, the internal auditor must evaluate the
information technology system to ensure that the internal control is sufficient,
efficient and covers all activities undertaken with the computer, so that the data
is reliable, the data system is safe, and the necessary
protection against the risk of frauds and errors is in place. Moreover, internal auditors
should pay attention to IT risk management as well.

In assessing the IT system, internal auditors shall be knowledgeable in
the matter to be able to work efficiently. In practice, some financial institutions may
hire auditors with expertise in computers to perform the assessment. Auditors
without this expertise will have to spend some time learning the matter and may
cause damage to the organization.
4.2.6 Consultative Role
Due to the fact that financial institutions have carried out more
diverse and complex activities, coupled with more competition, internal auditors
may be asked to give advice in launching of new products, new operating systems
and the risks associated with such matter to ensure that the necessary control is
exercised. However, this consultative role shall be reported to the management
beforehand so that the auditors will not be considered less independent.

4.3 Scope of internal audit work


In general, internal audit work should cover all activities of the financial
institutions including the branches, and the activities in which the financial
institutions have outsourced to external parties.

The scope of audit work is the minimum audit work to be undertaken by
the auditors. The CIA shall verify that each audit work covers and is composed of
sufficient details on the risk factor of such activity. After considering the risk level of
each audited area, the CIA shall decide whether to extend or reduce the scope of
the audit. This decision should be made in writing. Moreover, the internal auditor
shall properly consider the random sampling level of audits to meet the objectives
of the audit.

4.3.1 Assessment on adequacy and effectiveness of internal control system

The management shall be responsible for establishing a strong
internal control system for the stability of the financial institution. The efficient
internal control system will reduce risk resulting from fraud, errors, omissions and
other irregularities. The internal auditor should properly understand,
assess and test the internal control system. The scope of audit work shall
cover the effectiveness of the internal control system, reliability, and accuracy of
financial data, prevention and detection of fraud, errors, omissions and other
irregularities from the beginning, together with, the instruments used to protect
property.

(1) Effectiveness of internal control system


The effectiveness of the internal control system partly
depends on the environment of the overall control of the financial institution.
However, the environment of the control alone will not guarantee that the internal
control system would be effective. The internal auditors shall consider other factors
which would affect the environment of the control at each audited area. The scope
and frequency in the audit depends on the risk factor of the audited area. Such risk
factor is obtained from assessing the risk made during the audit planning. If the
audited area presents high risk, the scope of the audit shall be extended. The
internal auditors shall review the internal control system until they are satisfied that
the system is effective and is in line with the plan.

(2) Reliability and accuracy of data


The internal auditor should verify the relevance, reliability and
accuracy of the financial data and operation, together with, the instruments used to
identify, measure, classify and report the data. Moreover, the internal auditor shall
examine whether or not the data has been submitted to the management for decision
making in a timely manner. For the special audited area, the internal auditor
shall comply as follows:
(2.1) Check and ensure that the memorandum and financial
reports and operations comprise accurate and reliable data, in time with the
situation, complete and are relevant and are in line with the accounting standards;
(2.2) Consider if the control regulations on keeping of
documents and the reports are sufficient and effective;
(2.3) Assess the compilation procedures and storage of data;
(2.4) Check if the report submitted to the Bank of Thailand is
accurate, reliable and on time;
(2.5) Check the accuracy of the accounting records and
reconciliation.

(3) Safeguarding of Assets


The internal auditor should verify whether there is sufficient
control in safeguarding financial institutions’ assets from theft, fire and abuse. In
some cases the internal auditors shall also verify the existence of the assets. In this
regard, asset means an asset of which the financial institution is a beneficiary.

(4) Detection for frauds, errors, omissions and irregularities


(4.1) An efficient internal audit system will help decrease,
but would not eliminate, frauds, errors, omissions and other irregularities. Risk
resulting from the failure to follow the internal control as planned still exists. In
addition, the internal audit system may not be effective if the frauds originate from
complicity among the employees or from the wrongdoing of the management. Even
though the internal auditors are not responsible for auditing fraud, errors, omissions
and other irregularities, they shall still audit with caution and shall be alert in
auditing transactions involving a large amount of cash or high risk.
(4.2) The internal auditor should decide which audited areas
present a high risk of fraud, errors, omissions and other irregularities. At the same time,
the auditors should extend the audited area to cover those risk areas.

(4.3) During the audit, if there is a significant error found in
the control or if the auditors receive information from within or outside of the
organization regarding doubtful activities, the internal auditors shall extend the scope
of audit to verify whether or not there are frauds, errors, omissions and other
irregularities. If there is sufficient evidence showing that there may be a fraud or
some serious irregularities, further investigation should be made. The management of
the financial institutions and the Bank of Thailand shall be informed of the result of
the investigation. Furthermore, the internal auditors should help the management in
reviewing and improving the control system to prevent a recurrence of the same
type of fraud or irregularities in the future.

4.3.2 Compliance with the policy, rules, laws and regulations


All financial institutions shall ensure that the laws, regulations and
notifications, together with the policies and internal rules, have been complied with.
The scope of audit shall cover compliance with the following:
(1) The Financial Institutions Businesses Act B.E. 2551,
Exchange Control Law B.E. 2485, Notification of the Exchange Control Officer,
Ministerial Regulations and Finance Ministry’s Notification, together with other
relevant laws and regulations.
(2) Notifications, orders and circulars of the Bank of Thailand
and regulations of relevant associations.
(3) Approved internal policy and rules.

4.3.3 Sufficiency and Effectiveness of the Risk Management System

(1) A risk management system is very important for financial
institutions. Due to higher competition and more complex operational and financial
innovations, the management should develop a risk management system to ensure
that the risk exposure has been measured, monitored and controlled adequately.
The risk management system should be in line with the size, scope and complexity

of the financial institutions’ activity and the risk level acceptable by the financial
institutions.

(2) Financial institutions dealing with derivatives shall have a
good risk management system. The risk management system for the derivatives shall be
included in the overall risk management system of the financial institutions so that
financial institutions will be able to efficiently manage their risk exposure.

(3) The audits of the risk management system that financial
institutions shall pay special attention to on a regular basis are as follows:
(3.1) The board of directors and the risk management
committee appointed by the financial institutions perform the effective supervision;
(3.2) Rules on specifying and measuring risk in a timely
manner;
(3.3) Setting of limit and other controls to manage the
risk;
(3.4) Reports to the management shall present the
actual characteristic and risk level of the financial institutions, including the
notification of non-conformance with the policy and limitations;
(3.5) The risk management duties have been clearly
stated;
(3.6) Rule on the calculation and allocation of capital
to risks.

(4) The internal auditor shall establish a rule for assessing the
accuracy of risk measurement, the sufficiency of the control system and reporting, as well as
conformity with the approved policy and rules.

4.3.4 Utilizing resources effectively, efficiently and economically


(1) One of the objectives of financial institutions is to
increase profit by utilizing resources efficiently, effectively and economically. The
management is responsible for setting up a measurement standard, benchmark or
productivity indices to measure returns from utilizing such resources. The
measurement standard, benchmark or productivity indices shall be approved by the
board of directors.

(2) The internal auditors shall be proactive in determining
whether or not financial institutions have maximized the benefits of using the
resources to achieve objective and goal. Such role is a value added service to the
management; therefore, internal auditors shall extend their responsibility to cover
the management audit as well.

(3) In management audit, internal auditors shall examine
(3.1) whether or not the planning, assessment,
delegation of authority and resources utilization control system is effective;
(3.2) whether or not the standard is set for measuring
the economy, efficiency and effectiveness of resources utilization and whether or not
such standards have been conformed to;
(3.3) whether or not the deviations from the
standard have been identified, analyzed and communicated to the responsible person;
(3.4) whether or not the remedies have been
implemented.

(4) In management audit, internal auditors shall examine
whether the management has used the resources in such a way that it does not
maximize the benefits, does not generate revenues, incurs unreasonable cost and
uses too many or not enough human resources. The internal auditors shall ensure
that the management has established an action plan to correct such mistakes and
internal auditors shall follow up on the result to ensure that the action plan has been
put in place.

4.3.5 Achieving the set objective and goal


(1) The board of directors is responsible for setting up a
business plan and strategies to achieve financial institutions’ overall objective and
goal set by the board of directors. The management shall be responsible for setting
up operational objective and goal, preparing and implementing rules of control, as well
as managing to meet the expected outcomes.

(2) In order to assess the achievement of objective and goal,
the scope of internal audit shall cover all operational aspects to ensure that
(2.1) the objective and goal have been clearly set
and are measurable;
(2.2) all employees have been informed and
understand and conform to such objective and goal;
(2.3) there is adequate control on measuring and
reporting of outcome;
(2.4) there is a use of efficiency control measures to
monitor actual outcome against the budget, the important deviations have been
analyzed, investigated and reported to the management and the board of directors
immediately;
(2.5) the management has considered strengths,
weaknesses, opportunities and threats of the operations;
(2.6) the achievement of the objective and goal has
complied with the internal policy, plans, rules, laws and regulations;
(2.7) the assumptions of the management used in
setting a plan and strategies are appropriate and reasonable.

4.4 Reporting and preparing of documents


The audit report is an official document presenting audit results and the
recommendations to the management and the audit committee. The fact that the
management accepts the recommendations of the internal auditor with regard to the
reduction of risk, the strengthening of the internal audit system and the remedies of
the errors, is the result that financial institutions have wished for.

Once an error is discovered in the internal control system, the internal
auditors shall inform the appropriate management. If frauds or anything which would
materially affect the financial position or operation of the financial institution is
found, the internal auditor shall immediately inform the audit committee and the
senior management to ensure that remedies will be made in time.

4.4.1 Working Papers


Working papers are documents in paper form or other
electronic form that the internal auditors have prepared during the auditing to record
work details. The working papers comprise data used in the auditing, the scope of
audit, methodology, data from assessment and analysis and audit result. Such
documents will be used as a guideline in preparing reports and as evidence of the
internal auditors’ performance. The contents of the working papers should be
complete with sufficient details to support that the auditing has been carried
out appropriately and accurately. The contents should be clear and easy to
understand. In addition, the working papers shall be of the same format.

4.4.2 Audit Reporting


(1) After completion of each audit assignment, the internal
auditors shall rapidly issue a report. The internal auditors shall consult the
management regarding the results and recommendations and shall compile the feedback
of the management into the final audit report as well. The CIA shall review and
approve the final audit reports as well as distribute them to the relevant parties in a
timely manner.

(2) In a case where the auditing has not been completed but
an error or a fraud is found with sufficient supporting evidence, and such
error or fraud shall not be ignored due to the adverse impact to the organization,
internal auditors shall issue an interim audit report to inform the management on the
concerned topics and recommend urgent improvement. The audit committee and
CEO shall also be immediately informed on such matter as well as on the progress of the
auditing. Whether the interim audit report should be issued or not is up to the CIA’s
decision.

(3) Even though the format and contents of the audit
report may vary according to the organization or type of audit, the report
shall comprise the objective, scope, audit result and recommendation of the internal
auditors.

(4) The audit report shall be accurate, direct, clear,
concise, resourceful and on-time.

(5) The internal audit department shall report to the board
of directors or the audit committee on the effectiveness of the internal control
system on a regular basis. In addition, the CIA shall report the internal audit
department’s performance at the end of the year by determining whether the
internal audit department has performed according to the plan or not and if not,
explanations shall be provided. Also, the CIA shall report on important matters found
and recommendations for that year.

4.4.3 Compliance with the recommendation and Follow-up


(1) The management shall pay attention to the matter
found and also the recommendations and shall resolve the mistake instantly.
Internal auditors shall follow up on whether the recommendations have been
complied with, unless the management understands and is willing to take the risk.

(2) The management and examinees shall work together in
preparing a remedy plan and a timeframe for implementing such plan. In addition,
the management shall follow up and report the progress of implementing the
remedy plan to the board of directors and the audit committee.

4.4.4 Reporting of important matters and frauds


(1) The internal auditors shall report to the audit committee,
the board of directors, CEO and the Bank of Thailand, in the order set out by the
financial institutions, as soon as an important matter which may cause adverse
impact to the financial institutions’ operation and financial status is found, such as irregular
transactions, unlawful actions, errors, inefficiency, waste, conflict of interests, or
fundamental weaknesses which may cause the internal control system of financial
institutions to collapse. Such report shall include the fundamental discovery,
impacts or possible impacts to the financial institutions’ operation and financial
status, as well as the internal auditors’ investigation on such matters.

(2) A detailed report shall be submitted to the audit committee,
the board of directors, CEO and the Bank of Thailand, in the order set up by the
financial institutions as soon as the audit has been completed. In addition, the
progress on management’s performance may be reported to correct the weakness
and prevent the reoccurrence of such events.

4.4.5 Control and keeping of audit reports and working papers


The CIA has the right to disclose the audit result and working
papers to the external auditors or the Bank of Thailand. Apart from these two parties,
financial institutions shall keep the report secret and financial institutions shall
disclose it only with an approval from the board of directors or the audit committee.
As the working papers comprise evidence on the scope of audit work and various
data used in the audit, there should be a system for filing and retrieving such
past audit documents.

4.4.6 Keeping of audit reports and working papers


The CIA shall set out a time frame for keeping the documents
and such timeframe shall be in line with the guideline of the organization and
relevant laws or regulations so that it can be used as a reference or for legal action.

5. Effective Date

This Policy Statement shall come into force with effect from 4 August 2008
onwards.