
UNOFFICIAL TRANSLATION

Internal Audit Standard

Table of contents

Introduction
Laws and other regulatory and legal documents associated with the Standard
Provisions of the Standard

1. General principles of internal audit of banks


1.1. Definition of internal audit
1.2. Objectives and responsibilities of internal audit function
1.3. Principles of internal audit
1.4. Scope of work of internal audit
1.5. Internal Audit Regulations
2. Internal audit structure of banks
2.1. Internal Audit Committee
2.2. Internal audit department
3. Activities of internal audit department
3.1. Methods of work and types of audit
3.2. Audit plan and risk significance
3.3. Procedures
3.4. Reporting requirements
4. CBA's interactions with internal and external auditors of banks
4.1. CBA's interactions with a bank's Internal Audit Committee and IAD
4.2. CBA's interactions with external auditors
4.3. Interactions between internal auditors and external auditors
4.4. Cooperation between the CBA, external auditors and internal auditors

Internal control aspects of the Standard


Internal Audit Standard

Introduction

The purpose of this Standard is to assist banks in determining the structure, organization and
procedures of internal audit in accordance with the existing laws and regulations, as well as best
international practices and standards.

All banks shall apply this Standard in consistency with their own requirements and conditions.

Laws and other regulatory and legal documents associated with the Standard

The Law «On banks» of Azerbaijan Republic and the «Regulation on internal controls and internal
audit of banks» of the Central Bank of Azerbaijan Republic (hereinafter referred to as the CBA)
require banks to establish an internal audit function and identify the purpose of internal audit as
«providing assurance of existence and adequacy of appropriate controls ensuring the safety of the
bank's assets, and accuracy, completeness and authenticity of the bank's periodic reports presented
to shareholders, regulators and general public».

Provisions of the Standard

1. General principles of internal audit of banks

«Internal audit of banks and the regulator's interactions with auditors» (a Basel Committee
document, August 2001).

1.1. Definition of internal audit

Internal audit is a non-profit service, independent of the bank's executive bodies, established in
order to increase the effectiveness of the bank's internal controls and risk management systems. The
internal audit function assists the bank in accomplishing its goals of evaluating and improving the
effectiveness of risk management, control and governance processes.

Internal audit is a part of the regular inspection process of the bank's internal control systems, as well as
the internal controls system ensuring that the bank is operated and managed in a safe and prudential
manner. The internal audit function operates independently of the bank's Supervisory Board and
Management Board.

1.2. Objectives and responsibilities of internal audit function

Objectives and responsibilities of internal audit function primarily require the internal audit
department (hereinafter referred to as the IAD) to inspect, evaluate and report the following areas of
the bank's activities:

 compliance with the existing laws of Azerbaijan Republic and the CBA's regulations;
 risk control and management;
 existence of an internal control system;
 quality procedures in development and introduction of new bank transactions, systems and
processes;
 asset safety/protection systems and procedures;
 systems and procedures to ensure adequacy and accuracy of accounting records;

If necessary, the IAD will recommend amendments to the bank's regulations (internal procedures,
policies and by-laws).

Each IAD employee shall possess profound knowledge of the applicable laws of Azerbaijan
Republic and the CBA's regulations, directives, and the bank's policies.

1.3. Principles of internal audit

Principles of internal audit include:

Continuity. Internal audit activities shall be conducted on a continual basis.

Independence. Internal audit must be an activity not included in the everyday control process.
Independence ensures that internal audit is objective and unbiased.

Impartiality. Internal audit must be unbiased and operate without undue influence.

Professionalism. An internal auditor must possess necessary knowledge and experience to perform
his duties.

Scope of work. The scope of internal audit's work must cover all areas of the bank's operations and
structure.

Confidentiality. Internal auditors must exercise utmost confidentiality with respect to use of
information obtained in the course of their work and must not use such information for their personal
gain or to the detriment of the bank's interests.

1.4. Scope of work of internal audit

The scope of work of internal audit includes:

 inspection and evaluation of effectiveness and adequacy of internal controls;
 analysis of application and effectiveness of risk management methodologies;
 analysis of financial and management information systems, including electronic information
and payments systems, and banking services;
 inspection of accuracy and authenticity of accounting records and financial statements;
 analysis of asset protection methods;
 review of the bank's risk-weighted capital evaluation system;
 evaluation of performance efficiency and cost-effectiveness;
 examination of performance of specific internal controls and operating procedures;
 review of compliance systems covering regulations and procedures, laws and codes of
conduct;
 verification of whether regulatory reporting is reliable and timely;
 conduct of special research.

1.5. Internal Audit Regulations

The Internal Audit Regulations shall describe the objectives, functions and powers of the internal
audit function. The Regulations shall also assist the bank management in reinforcing the internal
audit function's position within the bank's overall structure.
The internal audit regulations shall cover:

 objectives of internal audit;
 role of the IAD;
 rights and responsibilities of the IAD;
 scope of work of internal audit;
 reporting obligations.

2. Internal audit structure of banks

The internal audit structure of banks includes an Audit Committee and the bank's IAD.

2.1. Internal Audit Committee

Members of the Audit Committee shall be appointed by the General Meeting of Shareholders.

The Audit Committee shall assist the Supervisory Board and Management Board in ensuring that
efficient internal controls are put in place and are adequate.
The Chairman of the Audit Committee may invite the Chairman of the Management Board, other
members of the Management Board, the IAD Director and external auditors to Committee
meetings.

The Audit Committee shall have the following responsibilities:

 to develop the IAD's By-laws (subject to approval by the Audit Committee);
 to oversee the IAD's activities, including approval of audit plans and resource allocation;
 Interactions with external auditors: to adopt audit work plans, audit findings and
recommendations;
 to advise the Supervisory Board on selection of external auditors;
 to meet and inform regulators on the bank's management structure and operating system;
 to coordinate interactions between the Supervisory Board, Management Board, IAD,
external auditors and regulators;
 to report the Committee's performance to the Supervisory Board on a regular basis.

2.2. Internal audit department

The IAD shall be responsible for performing internal audit functions within the bank. The IAD shall
prepare and implement audit plans, and report audit findings.

The IAD is part of internal controls and independently evaluates the appropriateness of the bank's
compliance with regulatory, governance and supervisory requirements.

2.2.1. Role and responsibilities of the IAD

The IAD is an independent audit function of the bank, responsible for inspecting, evaluating and
reporting the performance of the bank's employees and management.

2.2.2. Scope of work


The IAD shall inspect and evaluate the performance of all business units of the bank. The scope of
work of the internal audit function includes regular evaluation and inspection of effectiveness and
compliance of internal controls, as well as execution of internal control responsibilities and
obligations.

The IAD shall inspect, in particular:

 the bank's compliance with internal policies and risk management (measurable and non-
measurable risks);
 reliability, completeness, accuracy and timeliness of financial and management reports,
including reports presented to external users;
 performance of business unit responsible for ensuring undisrupted and reliable operation of
electronic information systems.

The IAD shall pay particular attention to legal and regulatory requirements governing the bank's
operations, including policies, principles, regulations and directives issued by the regulator with
respect to organization and management issues of banks.

Although the IAD has a broad range of activities, it shall not be involved in developing the bank's
policy, except the internal control policy, and shall not be generally authorized to criticize the bank's
policy and its appropriateness. However, the IAD shall report actual or potential concerns to the
Audit Committee.

If the IAD becomes aware of any management decision taken or to be taken in conflict with the
existing legal and regulatory requirements or the bank's policies and procedures, the Department
Director shall immediately notify the chairman of the Management Board and/or the Supervisory
Board. The IAD Director shall report all such instances to the chairman of the Audit Committee.

2.2.3. Rights of the IAD

The IAD shall have the following rights:

 to request any information from previous periods necessary for audit;
 to get any necessary documents relating to operations from the audited or previous periods;
 to check and ascertain existence of cash, other financial valuables, securities, special
reportable forms, inventories, fixed assets, equipment and other assets in audited business
units of the bank (branch office, division, representative office);
 to inspect any and all assets under lease agreements, possession, sales and other agreements
and deals closed with legal entities and individuals;
 to analyze and review soft and hard copies of documents related to operations of the audited
business unit (branch office, division, representative office);
 to request any explanations from the bank's executive officers regarding the accounting
treatment and specifics of any operation;
 to verify whether actions and operations of the bank's employees are in compliance with the
existing laws and regulatory requirements, and to obtain written documents on the bank's
internal decisions identifying the bank's policy and strategy, decision-making procedures,
accounting and reporting procedures;
 to inquire customers on the bank's operations, in accordance with the existing laws of
Azerbaijan Republic.

2.2.4. Non-audit work policy

The impartiality requirement placed on the IAD shall not preclude the Chairman of the Management Board
from getting the IAD's opinion on special internal control issues. For example, the IAD's opinion
may be used in connection with restructuring, introduction of significant and new bank products,
establishment or reorganization of risk control systems, review of management information systems
and other issues.

Furthermore, the management shall be responsible for application and subsequent development of
such measures. Advisory services are a supplementary function that does not affect the IAD's main
duties and independence.

In addition, the Chairman of the Management Board or another executive officer, with his approval,
may engage the IAD in activities not related to internal audit. For example:

 evaluation of assets of entities the bank has business relationships with;
 review and assessment of financial statements of other entities;
 inspection and assessment of legal entities to be acquired.

Such activities require a written permission from the Supervisory Board and approval from the
Audit Committee Chairman. The IAD shall check whether it has time and skills necessary to
perform such tasks. Such assignments shall be planned for and shall be performed with the same
degree of quality as audit work.

2.2.5. Confidentiality

In the course of audits, IAD staff are authorized to access confidential information about the bank, its
executives and employees. Such confidential/private information may include, among others:

 salary of executive officers and other employees;
 financial position information of customers;
 property and investments owned by the bank;
 profitability of branch offices;
 future plans of the bank (chief executive officers);
 investigation of counterfeits and possible legal actions.

IAD staff shall exercise utmost caution and confidentiality when using such information in the course
of their work. IAD staff shall not use such information in any manner that is in conflict with the
laws of Azerbaijan Republic, the Central Bank's regulation and the bank's internal policies, or to the
detriment of the bank.

2.2.6. Professionalism of the IAD staff

IAD staff must be qualified and competent. The nature of the IAD's work may require high
technical and communication skills.

Important technical skills required for IAD staff include:


 knowledge and experience of application of International Financial Reporting Standards
(IFRS);
 internal audit skills;
 high level qualifications in development and evaluation of internal control systems and
procedures;
 latest knowledge of International Standards on Auditing (ISA) and business of banking.

Important communication skills include:

 ability to preserve independence;
 observance and fact-finding skills;
 problem solution skills and ability to reach agreement on audit findings;
 reporting and correspondence skills.

2.2.7. Exclusive work of internal audit staff

To avoid any doubt about the internal audit function's independence, internal audit staff may not
work for any other business units of the bank or substitute any executive officer of the bank.

3. Performance of internal audit department

3.1. Methods of work and types of audit

The internal audit department shall develop audit plans, check and evaluate information available,
discuss the results with the bank's competent executive body, provide recommendations and follow-
up on their execution.

There are various types of internal audit, including, but not limited to the following:

 Financial audit: designed to evaluate the credibility of the accounting system and records,
as well as financial statements;
 Compliance audit: designed to evaluate the quality and adequacy of systems and
procedures put in place to ensure compliance with laws, regulations, policies and
procedures;
 Operations audit: designed to evaluate the quality and adequacy of systems and
procedures, thoroughly analyze the organizational structure and assess the adequacy of audit
methods and resources;
 Management audit: designed to evaluate the quality of the management's treatment of risks
and controls.

The IAD is authorized to inspect and evaluate the bank's performance in all areas of the bank's
structure. In this view, the internal audit department should not focus only on one type of audit, but
employ the type of audit most appropriate given the objectives of audit in each individual case.
Furthermore, the IAD's activities should not be limited to auditing the bank's departments — special
attention should be given to auditing all functions of the bank's areas of business.

Types of audit conducted by the IAD shall be determined by the IAD Director, taking account of
risk assessments (including evaluation of internal control environment), external audit findings,
regulatory inspection findings or other applicable facts and findings. Audits are classified as
follows:

Type | Description
Audit | The objective of audit is to establish sufficient grounds for giving an opinion on the system of internal controls. An audit consists of a detailed investigation of financial and operational control aspects.
Limited inspection | The scope of a limited inspection has a smaller coverage as opposed to a full-scale audit and may be initiated by the IAD Director or included in the annual Audit Plan. A limited inspection may turn into a full-scale audit, based on its preliminary findings.
Monitoring/Regular audit | Surveys, observation, analysis of trends and monitoring of main risk indicators.
Special project | Long-term, detailed projects beyond the regular scope of audit. The IAD Director shall determine the scope of inspection and objectives of work.
Ad-hoc project | A short-term, limited scope inspection focusing on certain risks and issues inconsistent with the regular audit scope. The Management Board shall determine the scope and require a project, as necessary.

Note: If the Management Board announces that a special project is needed that is beyond the scope
of the annual audit plan or the regular audit activities, such special project shall be given
preferential treatment. The IAD Director shall notify the Audit Committee's Chairman of the need
to conduct a special project that requires amendments to the audit plan (e.g., to increase the
timeframe allocated in the audit plan for special projects). The IAD Director shall consult with the
Audit Committee's Chairman on unusual or difficult requirements.

3.2. Audit plan and significance of risks

The IAD Director shall develop an annual audit plan for all projects to be implemented. The audit
plan shall specify the time and duration of the planned audit. This plan shall be grounded in a
consistent assessment of control risks confirming the internal auditor's understanding of the bank's
important activities and associated risks.

The IAD Director shall define the principles of risk assessment methodology in writing and shall
make regular amendments and additions to such principles in order to reflect the changes in the
system or process of internal controls and to include new areas of activities. Risk
assessment/analysis shall cover all areas and structure of the bank, including the overall internal
control system. Based on risk assessments, the annual audit plan shall be developed, considering the
level of risk inherent in the areas of the bank's business to be audited.

A risk-based audit shall cover both financial and operational risks of the bank, as well as make the
operation of the IAD with limited resources more effective. The objective of this approach is to
ensure that the IAD's resources are focused on areas of high risk or that would benefit from audit
the most. Lower risk areas are usually audited less frequently and comprehensively.

The audit plan shall include:


 developments and innovations anticipated in the audit plan period;
 high level risks arising primarily from new activities;
 need to audit all important activities and components of the bank within an acceptable
timeframe.

The audit plan must be realistic. It shall identify the time budget, conveyance of opinions and
training courses for other projects and activities such as special inspections at the management's
request. The plan shall also specify the required number of staff, their qualifications and other
abilities. The audit plan shall be regularly reviewed and revised, as necessary.

The audit plan shall be subject to approval by the Audit Committee. The Management Board shall
coordinate the IAD's budget with the Audit Committee and shall be responsible for providing the
resources required under the audit plan.

3.3. Procedures

3.3.1. Auditing procedures

Audit procedures of a bank shall be divided into the following components:


 Planning procedures;
 Fact-finding procedures;
 Documentation procedures;
 Inspection procedures;
 Evaluation procedures;
 Finding identification procedures;
 Reporting procedures.

Audit procedures shall be divided into the following categories:

1. Compliance procedures — Designed to verify whether internal controls exist and are
complied with.
2. Substantive procedures — Designed to verify whether reported balances and amounts are
accurate.

Audit work inside the bank is mostly related to compliance procedures. These procedures verify
whether internal policies exist and are applied in an effective and consistent manner.

Procedures used to get information on internal control policies include:


 Survey and presentation;
 Observation;
 Examination of supporting and other documents;
 Follow-up implementation of control policies.

Substantive procedures are designed to verify the accuracy of accounting records and reports, as
well as the authenticity of the balance sheet. An example of such procedures is the verification of
customer account entries against the supporting documents.

Substantive procedures include:


 Survey and presentation;
 Analytical procedures;
 Comprehensive check of operations and balances;
 Examination of supporting and other documents;
 Physical inspection;
 External assurance;
 Follow-up/repeated implementation.

3.3.2. Inspection procedures

Presented below is a list of general auditing procedures to be considered by the IAD when
developing audit tests:

a) Survey and presentation

A survey includes getting both verbal and written information or presentations from unit managers
and other employees. Surveys may have the following objectives:
 to obtain information about the operations of the audited area;
 to obtain evidence on the reliability of systems;
 to obtain clarifications on issues arising in course of audit.

Information obtained through surveys and presentation may require certain substantiation.

b) Observation

Observation of various internal procedures/policies composing the systems is helpful for:


 obtaining evidence of enforcement of control procedures where there is no documentary
evidence to confirm that they are implemented or even exist;
 obtaining evidence of enforcement of other procedures/policies. The quality of this type of
evidence is better when the internal auditor does not only observe, but also discusses the
specifics of their responsibilities with unit managers engaged in the audit;
 obtaining evidence of existence, quality and condition of the bank's assets.

Observation generally provides the most reliable evidence available at the time of observation;
however, it does not provide any evidence of activities in other periods. Consequently, if observation
obtains evidence of control, assurance of consistent application of control procedures and policies
throughout the period requires additional efforts.

c) Analytical procedures

Analytical procedures include examination and evaluation of information by using comparisons
against other necessary information. Analytical procedures are used to identify the following:
 Unexpected differences/mismatches;
 Lack of expected differences;
 Possible errors;
 Possible irregularities or illegal actions;
 Other unusual or unrepeated transactions or events.

Analytical procedures include:


 General rationale verifications — Verification of the rationale of a balance or an amount
using internal and external data for approximation. For example, calculation of the
approximate interest accrual on a customer account using the average monthly account
balance and average monthly interest rates, and subsequent reconciliation of the
approximation against the actual numbers.
 Trend analysis — Analysis of comparable information over a certain period of time in order
to identify inconsistent periods.
 Factor analysis — For example, the correlation between the number of staff and the total
payroll expenses.
 Administrative analysis — Application of administration and service knowledge to
evaluate the logic of information.

d) Inspection of documents and records

Documents and other records reflecting operations or balances are inspected in order to obtain
substantive evidence or evidence of control. Substantive evidence substantiates the accuracy of receipts of
individual systems reflecting operations or balances. Internal audit is able to identify whether
controls are used properly by checking documents to obtain evidence of existence of signatures or
other indicators.

e) Physical inspection

Counting or physical inspection of tangible assets (such as cash) and reconciliation of the results
against the bank's accounting records can, in most cases, provide direct evidence of existence of
such assets. In addition, internal auditors should remember that although a physical inspection does
ascertain the existence of assets, it does not ascertain who the assets belong to. Additional
inspections may be required to ascertain who the assets belong to.

f) Repeated implementation

Repeated implementation means repetition of control procedures and operating functions in order to
ensure the accuracy of operations. Repeated implementation can provide evidence in two areas:
 Evidence of mathematical accuracy and proper processing of data. This evidence may be
obtained by verifying the calculations or by making independent calculations.
 Evidence of deficiencies in the control system or breach of control procedures. This
evidence is obtained by identifying errors unidentifiable by the control system.

Evidence of existence and effectiveness of internal controls is usually obtained by observing the
staff responsible for survey and controls, and by verifying the evidence of compliance such as
repeated implementation and approvals or signatures for individual transactions. If deficiencies are
found in previous transactions, repeated implementation of control (for example, reconciliation of
currency exchange receipts against cash payment records) may provide evidence of both
effectiveness of controls (if the deficiency is detected and removed) and ineffectiveness of controls.
If no deficiencies are found in previous transactions, repeated implementation would not be able to
detect ineffective internal controls, nor cases of ineffective implementation of controls.

g) Audit sample

Audit sampling implies an examination of representative sample elements (of a set of information
about the object of audit). Thus, results of an examination of a sample can be applied to the entire
unit. Audit sampling is usually used when examination of all elements is inefficient.

3.4. Reporting requirements

Reporting serves the following purposes:


 to inform the management about important issues arising as a result of each internal audit in
a short period of time;
 to verify whether control systems are satisfactory;
 if problems exist, to persuade unit managers of the need to act upon the recommendations to
improve the unit's performance and controls;
 to ensure that official and written notes on agreements with the management exist in order to
address issues arising as a result of internal audit and to make improvements as
recommended;
 to give advice on the adequacy of control systems and effectiveness of the organization's
internal control arrangements to the management.

The contents, format, time and users of the report shall be determined in writing and comply with
the bank's procedures.

Each audit report:


 shall specify the objective, scope and findings of audit and, if necessary, the auditor's
opinion;
 shall be written in an objective, clear, concise, constructive form and presented on time;
 agreement on audit findings and measures to act upon recommendations shall be included in
the audit plan.

All audit reports shall have the following characteristics:


 Accurate — All reports shall be based on facts. It is essential to maintain confidence in the
internal audit department and each auditor by preparing fact-based, unbiased and objective
reports.
 Clear — All reports must be clear and comprehensible. It is very important not to use
assumptions or verbal comments to fill in gaps in the report. A report must be sufficiently
clear without the need for additional explanations and commentary.
 Quantifiable — All notes must be as quantitative as possible in order to describe the effects
and seriousness of issues presented.
 Concise — All reports must be to the point. This does not necessarily mean that a report
should be brief.
 Fair — All reports should be user-sensitive. Focus should be placed on improving the
current condition, not on criticizing past events or individuals.
 Timely — All reports must be published in a timely manner after completion of audit.
Typical timeline is two weeks.
 Present solutions — All reports must specify who, how and when should address the
deficiencies identified. Efficiency is lost when accountability is not established.

Internal audit reports must be kept confidential and may not be disclosed or divulged outside or
inside the bank without the IAD Director's approval.

4. CBA's interactions with internal and external auditors of banks

Banks shall develop and put in place an effective internal control system in consistency with the
balance sheet and off-balance sheet risks, nature and complexity of operations, as well as changes in
the bank's market conditions and operating environment. If the internal controls are inadequate in
relation to the risks arising as a result of the bank's operations, the CBA shall hold appropriate
discussions with bank executives and shall supervise the banks' measures to improve their internal
controls.

Evaluation of internal controls of banks (together with the effectiveness of internal controls) is part
of the CBA's banking supervision activities. The CBA shall identify whether bank executives pay
attention to problems identified in internal control processes. The CBA requires that banks pay
special attention to the following issues when evaluating their internal control systems:
 Activities or circumstances historically associated with internal control breaches;
 Internal control aspects of changes in the bank's operating environment, for example:
  - new management or new senior staff;
  - new or reorganized information systems;
  - rapidly developing areas/activities;
  - new technologies;
  - new operations or activities (especially sophisticated ones);
  - corporate reconstruction, mergers and acquisitions; and
  - establishment of new branch offices and divisions, incorporation or acquisition of new
    enterprises, expansion of their business (including effects of changes in relevant
    economic and regulatory environment);

4.1. CBA's interactions with the bank's Internal Audit Committee and IAD

The CBA shall hold regular consultations with internal auditors of banks to discuss risk areas
identified and measures taken.

Although internal audit has a broad coverage, it does not define the bank's policy, and, except
internal control-related procedures, does not ascertain the authenticity of such procedures and
policies. If bank management takes decisions in conflict with the existing laws or regulations or the
bank's internal policies and procedures, the IAD Director shall notify the Chairman of the Audit
Committee, the Management Board, and, if necessary, the Supervisory Board. Furthermore, internal
auditors may notify the IAD Director of any cases of incorrect, inattentive and damaging actions of
individual staff members of the bank.

Thus, the CBA expects the IAD to respond quickly and efficiently to any instances of fraudulent
and illegal activities detected or suspected. This is an important prudential issue because non-
prudential procedures and actions may adversely impact depositors and other creditors,
shareholders, as well as the proper operation of the credit system.

4.2. CBA's interactions with external auditors

External auditors contribute positively to the quality of internal control systems through
discussions with the Audit Committee, Management Board and Supervisory Board, through their
audit activities, and through improvement proposals for internal controls.

External auditors must possess knowledge of internal control systems sufficient to give assurance of
accuracy of a bank's financial statements. External auditors shall report any deficiencies identified
to bank management and regulators. The CBA requires senior executives and the Audit Committee
to take measures to address any internal control deficiencies identified by external auditors.

There are a number of areas where regulators and external auditors may benefit from each other's
work. External auditors may gain a helpful understanding from information provided by the regulator,
for example, from management meetings or other meetings with the bank held as a result of an onsite
inspection. The regulator may require external auditors to give an opinion on the IAD's performance.

The CBA may appoint an external auditor for a special inspection of a bank. Related areas include:
• prudential reporting methods used by the bank;
• adequacy of the structure and performance of the internal control system (including the
  internal audit department);
• the bank's compliance;
• opinion on compliance with accounting rules.

In some cases, external auditors may be aware of important information relating to the regulator or
requiring immediate actions on its part. Such information includes:
• the bank's failure to meet any of its licensing requirements;
• there is a serious conflict inside the bank's decision-making bodies or the chief executive
  officer suddenly resigns;
• significant non-compliance with laws and regulations or the bank's charter;
• the auditor intends to resign or there is an intention to dismiss the auditor;
• negative changes in the risks inherent in the bank's business and the risks are likely to
  increase in the future.

If the external auditor becomes aware of any of the circumstances described above, he must immediately notify the
CBA. External auditors shall be held liable for providing unsubstantiated and biased information.

4.3. Interactions between internal auditors and external auditors

Information provided by the internal auditor may be helpful for determining the specifics, time and
scope of external audit procedures. Still, the external auditor shall have the exclusive responsibility
for giving an auditor's opinion on financial statements. The external auditor should be authorized to
use significant internal audit reports and data. The internal auditor must notify the external auditor
of any important issues that may affect the latter's work. The external auditor also, in his turn, shall
inform the internal auditor of any important issues that may affect the internal auditor's work.

From external audit standpoint, collaboration with the bank's internal audit working team provides
many benefits. These would include an opportunity to get profound information and knowledge
about the bank's operations and activities, and to avoid repeating the internal auditors' work in terms
of inspecting the bank's operations. In addition, this cooperation would enable the external auditor
to expand the coverage of the bank's audit function. This cooperation should be especially helpful
when the number and complexity of the bank's services and operations of branch offices, and the
scope of audit work required as a result tend to increase.

Cooperation between external auditors and internal auditors is grounded in equal understanding and
audit expertise. IAD staff and external auditors can benefit from cooperative work by learning from
each other.

The external auditor's opinion on how much the internal audit function should be relied on when
determining the time, scope and type of external audit procedures shall be identified as a result of an
initial assessment of the internal audit function. As the level of reliability grows, this cooperation
should bring material benefits to both parties as indicated in the table below.

| Phase | Description |
| --- | --- |
| Phase 1: Activities supervised and managed by external auditors | IAD staff report to the workplace as indicated in the external audit's work program and are supervised by the senior member of the external audit team. The external audit team can use this work subsequently to ascertain the completeness, reliability and accuracy of the bank's financial statements. |
| Phase 2: Performance of activities managed by external auditor | IAD staff, when reporting to the workplace indicated in the external audit work program, operate without supervision by the external audit team. This is possible when external auditors are not on the premises. The external auditors will determine a timeframe for completion of such work and will analyze the work performed in order to ascertain the completeness, accuracy and reliability of the bank's financial statements. Before their cooperation can reach this level, the external audit team will evaluate the performance of the Internal Audit staff. |
| Phase 3: External auditors' reliance on standard internal audit procedures | External auditors may decide to rely on the IAD's work and thus reduce the amount of work to be done. For example, if an internal audit was conducted at a branch office of the bank and the external auditors find the quality and results of that audit satisfactory, the external auditors may decide not to audit this branch office at the year-end, or conduct a limited audit. |

Presented below are some areas where external auditors can use internal audit work and
information:
• flowcharts or narrative descriptions of the accounting system;
• findings of an assessment survey of internal controls or a survey sheet for internal controls;
• examination of control of the accounting system;
• substantive inspection of elements of the financial statements;
• the external auditor's decision to visit a branch office, based on the information provided by
  the internal auditor;
• decision to check the computer system, based on the information provided by the internal
  auditor.

The IAD Director shall ensure that the work performed by internal auditors does not unnecessarily
duplicate or repeat the work performed by external auditors. Coordination of audit efforts covers the
following areas: regular meetings to discuss issues of mutual interest; sharing audit reports and
management reports; establishing common understanding of audit facilities, methods and terms.

4.4. Cooperation between the CBA, external auditors and internal auditors

The CBA and the bank's auditors share common interests and objectives.
• The CBA's stability interest coincides with the «going concern» requirement of auditors;
• The CBA's interest in having an efficient system of internal controls as the foundation of
  safe and sound management is consistent with the auditors' requirements for complete and
  accurate financial statements;
• Both CBA and auditors require satisfactory performance and quality of the accounting
  system.

Cooperation between external auditors, internal auditors and the CBA serves the purpose of
increasing the effectiveness and efficiency of work for all parties involved. This cooperation should
be based on regular meetings of the CBA with external and internal auditors. The CBA may invite
senior bank executives to such meetings. In these meetings each party should provide information
about areas of common interest and special attention should be given to areas to be audited and the
timing of work. Furthermore, the parties should discuss the bank's measures to implement the
recommendations given by external and internal auditors.

Collaboration implies that there is mutual confidence and trust among the CBA, the bank and
external auditors. The CBA expects the senior bank management to report any decisions, facts or
events that may have a significant effect on the bank's condition.

Internal control aspects of the Standard

Strong internal controls, including internal audit and the external auditor, represent a part of efficient
corporate governance. Internal audit is a part of the continuous process of inspection of the bank's
internal control systems.

An effective internal control system is an essential component of the bank's governance, safety and
soundness. A strong internal control system can assist in accomplishing goals and objectives, long-
term profitability plans and preparing reliable financial statements and management reports.

Such a system can also ensure the bank's compliance with the laws and regulations, directives,
plans, internal procedures and policies, and assist in minimizing the risks of unexpected damages or
losses that may have an adverse effect on the bank's reputation.

The main objectives of internal controls are to provide:
• reliability and completeness of information;
• compliance with regulations, plans, procedures, laws, rules and contracts;
• asset protection;
• efficient and effective use of resources;
• accomplishment of goals and objectives set for operations or plans.

Control is an effort taken by the management in order to increase the likelihood of correct and
adequate accomplishment of goals and responsibilities identified. The management plans, arranges
and orders implementation of a number of measures to sufficiently assure that goals and objectives
identified are met. Thus, control is a result of proper planning, organization and direction by the
management.

There are three types of internal control: preventive/proactive control (prevents undesirable events
from happening), identification control (identifies and removes undesirable events that took place),
management control (causes or enables desirable events to happen).

An effective system of internal controls requires that adequate and detailed internal financial,
operational and compliance information, as well as external market environment data, is made
available on events and circumstances considered important for decision-making. Such information
should be provided in a reliable and timely manner, and prepared in a usable and appropriate
format.

An effective internal control system requires that reliable information systems are available that
cover all important areas of the bank's activities. Security of such systems and other systems that
store and use data electronically must be provided, controlled and supported with appropriate
contingency/emergency action plans.

An effective internal control system requires that the bank's employees comply with and understand
the rules and procedures affecting their duties and authorities, as well as that effective
communication channels are established to communicate other necessary information to relevant
staff members.

Overall effectiveness of the bank's internal control system must be checked on a regular basis. Risk
controls should be a part of the regular assessments conducted by the internal auditors.

Operationally independent, appropriately trained and competent employees must conduct an
effective and comprehensive audit of the internal control system. The internal audit function, as part
of inspection of the internal control system, must report directly to the Audit Committee or the
Management Board, as well as the top management of the bank.
