Table of Contents
1: Purpose of the Internal Audit Policy
2. Internal Audit Charter (IAC)
3. Audit Committee Charter (ACC)
4: Overview of the Internal Audit Function
   A: Introduction
   B: Mission Statement
   C: Accessibility
   D: Scope of Internal Audits
5: IAD Organogram
   Reporting Lines
6: Code of Ethics adopted by Internal Audit Department
   A: Integrity
   B: Objectivity
   C: Confidentiality
   D: Competency
7: Annual Audit Plan
   A: Overview
8: Fraud Investigations
9: Audit Documentation and Quality Control

Internal Audit Policy
______________________________________________________________________________________

1: Purpose of the Internal Audit Policy


This policy summarizes the overall function of the internal audit department at the First MicroFinance Bank Ltd.
(FMFB or the Bank) and describes the policies and standards which will generally govern the internal audit function.
Notwithstanding the foregoing, deviations from the Policy for certain special projects will only be permitted by the
Board of Directors and the Board Audit Committee.

The Internal Audit Policy will be updated from time to time by the Internal Audit Function (IAF) for review
and concurrence of the Audit Committee and proposed to the Board for its approval. The updates shall reflect changes
in the policies driven by changing business requirements, expansion of the Bank’s activities, or amendments in
the applicable laws, policies, regulations, or internal auditing standards. Readers should ensure that they have the
most up-to-date Policy, which is available with the Head Internal Audit. Requests for clarification or explanation of
the contents of this Policy should be addressed to the Head Internal Audit. This document is drawn up to help the
internal auditors carry out audits in an effective and efficient manner. It is not a static document and can be
modified with time to reflect changes accordingly.

Copies of Internal Audit Policy and any subsequent changes would be shared with the President/CEO. All
appropriate segments of the manual would be shared with the relevant function heads.

The timing for review of policy/procedure:


• Policy: 2 years
• Procedures: as and when required or 2 years

This document is to be treated as confidential, and access to it is to be limited to employees who need to
refer to it in the performance of their official duties.

No part of this Policy may be photocopied or taken out of office premises without prior permission of the
Board Audit Committee.

All Policy document holders are required to return it (if provided in hard form) intact to the Head Internal
Audit on relinquishing their position due to transfer, retirement, resignation or for any other reason.


2. Internal Audit Charter (IAC)

The First MicroFinance Bank Ltd.


Charter of Internal Audit Department
DEFINITION AND PURPOSE

Internal audit is an independent and objective assurance, advisory and fraud examination function designed to add
value to FMFB by improving the operations. It assists FMFB in accomplishing its objectives by bringing a systematic
and disciplined approach to evaluate & improve the effectiveness of FMFB’s Governance, Risk Management and
Controls.

Internal Audit department fulfils this role by conducting independent audits and highlighting identified risks which
lead to a report with findings and recommendations addressed, as appropriate, to (a) the levels of management who
need to know and those who are capable of ensuring that action is taken as necessary and (b) the Board Audit
Committee.

Internal Audit is required to adhere to the standards of best professional practice such as those published by the
Institute of Internal Auditors and the relevant reports and recommendations of the Basel Committee on Banking
Supervision.

Internal Audit is an assurance function. It does not relieve management of the responsibility for effective control and
for informing Internal Audit, with immediate effect, of any material lapses in controls or any irregularities.

ORGANIZATION

The Head Internal Audit shall functionally report to the Audit Committee of the Board of Directors and
administratively to the Chief Executive Officer. AC shall approve all decisions regarding the performance evaluation,
appointment, or removal of the Head of Audit as well as the annual compensation, bonus and increments.

AUTHORITY

IAF shall have the authority to openly and independently express its opinion on different affairs of the overall control
environment. Internal Audit staff shall have immediate, full, free and unrestricted access to all operations, records,
data, minutes of meetings, property and personnel within the bank. All employees shall cooperate fully in making
available any material or information requested by an auditor in the format deemed necessary. However, in case of
any sensitive information, employees may request the Head of Audit to limit sharing or circulation to the Head of
Audit or an auditor above a certain grade level. All FMFB employees are required to be candid with the internal audit
staff at all times and not to conceal any information.

For the purpose of expressing independent assurance, internal audit may from time to time engage external
consultants/experts to perform specific audit-related tasks for which in-house expertise is not available or for which
hiring permanent staff is not cost justified. For onboarding such consultants, the Bank’s procurement policy must be followed.

INDEPENDENCE AND OBJECTIVITY

The audit activity shall remain free from interference by any element in the organization, including matters of
budget, expenses, audit selection, scope, procedures, frequency, timing, or report content to permit maintenance
of a necessary independent and objective mental attitude.

Auditors shall have no direct operational responsibility or authority over any of the activities audited. Accordingly,
auditors will not implement internal controls, develop procedures, install systems, prepare records,
or engage in any other activity that may impair the auditor’s judgment. This does not, however, exclude auditors from
performing independent consulting engagements.

Auditors must exhibit the highest level of professional objectivity in gathering, evaluating, and communicating
information about the activity or process being examined. Auditors must make a balanced assessment of all the
relevant circumstances and must not be unduly influenced by their own interests or by others in forming judgments.

REPORTING

Internal Audit reports regularly on the results of its work to the Audit Committee, which is a Board subcommittee.
The Head Internal Audit is accountable to the Audit Committee for:

a) providing regular assessments of the adequacy and effectiveness of the FMFB’s Governance, risk
management and internal control based on the work of Internal Audit;
b) reporting significant control issues and potential for improving risk management and control processes;
c) providing periodical information on the status and results of the annual audit plan and the sufficiency of
Internal Audit resources.

The Audit Committee approves the plans and reviews the functioning of the Internal Audit to ensure its independence
and overall effectiveness. Internal Audit is independent of the activities it audits to ensure the unbiased judgement
essential to its proper conduct and impartial advice to management. It does not perform line tasks; neither does it
have any direct responsibility for, nor authority over the activities it reviews.

The Audit Committee is responsible for setting specific goals for the Head of Internal Audit and evaluating
performance against those goals on an annual basis.

RESPONSIBILITY

The role of Internal Audit is to understand the key risks of the organization and to examine and evaluate the adequacy
and effectiveness of the system of risk and internal control as operated by the organization. Internal Audit, therefore,
has unrestricted access to all activities undertaken in FMFB in order to review, appraise and report on:

(a) the adequacy and effectiveness of the systems of financial, operational and management control and their
operation in practice in relation to the business risks to be addressed;

(b) the extent of compliance with, relevance of, and financial effect of, policies, standards, plans and
procedures established by the Board and the extent of compliance with external laws and regulations,
including reporting requirements of regulatory bodies; the quality and control environment around the loan
portfolio and the adequacy of provisions;

(c) the extent to which the assets and interests are acquired economically, used efficiently, accounted for and
safeguarded from losses of all kinds arising from waste, extravagance, inefficient administration, poor value
for money, fraud or other cause and that adequate business continuity plans exist;

(d) the suitability, accuracy, reliability and integrity of financial and other management information and the
means used to identify, measure, classify and report such information;

(e) the integrity of processes and systems, including those under development, to ensure that controls offer
adequate protection against error, fraud and loss of all kinds; and that the process aligns with the
organization’s strategic goals;


(f) the suitability of the organization of the units audited for carrying out their functions, and to ensure that
services are provided in a way which is economical, efficient and effective;

(g) the follow-up action taken to remedy weaknesses identified by Internal Audit review, ensuring that good
practice is identified and communicated widely;

(h) the operation of the organization’s corporate governance arrangements.

The Internal Audit Function shall comply with the IIA’s standards. For that matter, internal audit shall develop a check of
the standards and circulate it to all Unit Heads for continual self-assessment. The audit function shall be quality assessed
annually by the Head of Audit and by an independent external professional firm/consultant every 5 years.

The Head Internal Audit is responsible for the conduct of various activities as detailed below:

a) Provide an independent assessment/opinion, without fear or favour, to the Audit Committee on an annual
basis on the state of internal controls in the Bank based on the audits conducted during the audit period,
supported by specific audit observations/conclusions.
b) Formulate the action plan and ensure its implementation to comply with the IIA’s International Standards for
the Professional Practice of Internal Auditing (i.e. IIA Standards).
c) Ensure that the professional training needs of internal auditors are periodically identified and adequately
met, and that the auditors demonstrate the highest ethical and professional standards in the performance of their duties
and perform their work with dedication and diligence.
d) Ensure that significant outsourcing arrangements are reviewed to protect the Bank’s interests.
e) Ensure that Internal Audit has an adequate budget, systems, human resources with relevant qualifications,
expertise, competencies and skills, and other required resources to perform auditing activities.
f) Engage with internal audit teams on a regular basis to provide guidance and to ensure that auditors
performing the work have relevant technical and social skills, sufficient knowledge of the work being
audited and are able to perform their responsibilities diligently.

Internal Audit is not relieved of its responsibility in areas of the institution which are subject to review by others such
as external auditors/regulators but must assess the extent to which it can rely upon the work of others and plan its
audits accordingly.

DIGITAL FINANCIAL RISK MANAGEMENT

Since the bank is digitizing its services, internal auditors should cater for related risks in their audit plan. Internal audit
is responsible for assessing the potential risks and challenges arising from implementation of the DFI strategy. Internal
audit will conduct a risk assessment of all significant DFI projects and perform risk-based audits. At a minimum, the
following risks shall be considered:

| S. No. | Risks | Description |
|---|---|---|
| 1 | Strategic | Actual losses that result from the pursuit of an unsuccessful business plan or the potential losses resulting from missed opportunities e.g. Ineffective products, failure to respond to change in the business environment, or inadequate resource allocation. |
| 2 | Regulatory | Regulatory risk refers to the risks associated with complying (or not complying) with regulatory guidelines and rules, such as anti-money laundering/ combating financing of terrorism, Know Your Customer, data privacy, account and transaction limits, trust accounts, and regulations regarding the use of agents. Regulatory risk also includes broader rules relating to the operation of a particular institution such as, for example, licensing, capital and liquidity. |
| 3 | Operational | Operational risk is inherent in any business and refers to risks associated with products, business practices, damage to physical assets, as well as the execution, delivery and process management of the service. |
| 4 | Technology | Technology risk refers to implications such as inability to conduct digital transactions resulting in financial loss and reputational and fraud risk. |
| 5 | Financial | Financial risk refers to direct or indirect financial losses specific to the financial management of the DFS. This includes liquidity, credit, interest rate and concentration risk. |
| 6 | Political | Political risk is the possibility that political decisions, events, or conditions, will significantly affect the profitability of business or the expected value of a given economic action. |
| 7 | Fraud | Operational and technology risk can cause fraud risk, and fraud can lead to financial risk. Fraud is also a significant driver of reputational risk. |
| 8 | Reputational | Reputational risk refers to the risk of losses from damage to the image of the bank, leading to a reduction of trust from clients and regulators. |
| 9 | Vendor/ Partnership | Deficiencies in the procurement process or partnerships whereby the vendor or partner fails to play a role that is key to the success of DFS, or is ill-equipped or unmotivated. |

INTERNAL AUDIT ADVISORY SERVICES

The purpose of the Internal Audit Advisory Service is to analyse a situation and/or provide guidance and advice to
management. Internal audit shall provide advisory services on request of the Management, Audit Committee or the
Board. However, internal audit shall not assume management responsibility in any circumstances. Advisory services
shall be directed toward facilitation rather than assurance and include training, systems development reviews,
performance and control self-assessment, draft policy reviews, counselling, and advice related to controls, risk
management and governance.

Advisory services shall be provided after fulfilling the needs/requirements of audit’s primary function of assurance.
The decision on the provision of advisory services and their extent shall rest with the AC (in consultation with CEO & CIA), but
the allocation of audit resources to consultancy/advisory services shall not be more than 10% of total audit resources at
any given point in time.

In conducting advisory services, Internal Audit Function shall ensure that the independence and objectivity of internal
auditors conducting the engagement are not impaired and internal auditors exercise due professional care in conducting
the service.


3. Audit Committee Charter (ACC)

1. Overall Purpose / Objectives

The ACC serves as a ‘blueprint’ for the AC’s operation and delineates the basic framework for performing
its assigned roles and responsibilities. The Audit Committee shall assist the Board in fulfilling its oversight
responsibilities of the Bank’s corporate governance processes. The Audit Committee will review the adequacy and
effectiveness of the Bank’s internal control environment including operational controls, integrity and
adequacy of financial reporting system, compliance and risk management framework, review and appraise the audit
efforts of the Bank’s external auditors and internal audit function; and review the Bank’s process for
monitoring compliance with relevant laws and regulations emanating from time to time.

The Audit Committee shall monitor the qualifications and ensure that the independence and performance of the
External Auditor and the Head Internal Audit are not compromised.

In performing its duties, the Audit Committee shall maintain effective working relationships with the Board of
directors, management, and the internal and external auditors.

2. Authority

The Board authorises the Audit Committee, within the scope of its roles and responsibilities to:

• Have direct access to the Bank’s management and employees and receive regular reports from the Internal Audit,
  External Auditor, and the regulators;
• Have the power to authorize investigations into any matter within the Audit Committee’s scope of
  responsibilities;
• Seek any information it requires from:
  o any employee (and all employees are directed to co-operate with any request made by the Audit
    Committee);
  o external parties;
• Obtain outside legal or other professional advice.
• Have complete authority & independence to perform its roles & responsibilities by either utilizing internal or
  external resources (if need be). Besides, the AC should ensure independence of any investigations/disciplinary
  actions against HIA & internal auditors.

The Audit Committee’s responsibility is one of oversight, recognizing that management is responsible for preparing
the financial statements of the bank and for developing and maintaining systems of internal controls. The Audit
Committee is responsible for the oversight of the External Auditor. The External Auditor shall report directly to the
Audit Committee but is ultimately accountable to the Board¹ for its audit of FMFB’s financial statements.

While the Audit Committee has the responsibilities and powers set forth in this charter, it is not the duty of the Audit
Committee to plan or conduct audits or to produce financial statements. Nor is it the duty of the Audit Committee to
conduct investigations.

The Audit Committee shall have such other responsibilities as are required by applicable law or regulation and any
other responsibilities delegated to it by the Board from time to time.

¹ The Board may, at its discretion, delegate this task to an Audit Committee of the Board.

3. Membership, Tenure and Meetings

3.1 Composition and tenure

The Audit Committee (the Committee) will comprise at least three non-executive directors, including a
minimum of one independent director. The independent director shall be the chairperson of the committee
and shall not be the chairperson of the board. A majority of the members shall have a good understanding of
accounting, finance and audit related matters, including at least one member with relevant qualification and
experience in the field of audit, accounting and finance.

The Board of Directors appoints the Chairperson/Chairman of the Committee from amongst the Board
members. The Chairperson of the Audit Committee shall also be a non-Executive & Independent Director. The
Chairman of the Board shall not be appointed as Chairman of the Audit Committee.

To perform his or her role effectively, each Audit Committee member will obtain an understanding of the
detailed responsibilities of Audit Committee membership as well as the Bank’s business, operations, and
risks. The Board shall satisfy itself that at least one member of the audit committee has relevant
financial skill/expertise and experience.

The committee members cannot serve on audit committees of more than two other companies
simultaneously.

The names of members of the Audit Committee shall be disclosed in each annual report of the Bank. The
Committee will appoint Head Internal Audit as Secretary. The Committee shall be supported by the Head
Internal Audit (and such executives from the Internal Audit as he shall consider appropriate) who will
perform the role as the Secretary of the Committee and who shall produce such papers and minutes of the
Committee’s meetings as are appropriate and circulate them to all members of the Committee.

The term of the Committee as well as term of Chairman Audit Committee
will coincide with the term of the Board i.e. for a period of three years.

3.2 Meetings

Meetings will be held a minimum of 4 times per year.

The Committee may take decisions by a simple majority of the vote of members participating in the meeting.
Members may not abstain from voting.

A meeting of the Committee shall also be held, if requested by the external auditors or the Head of Internal
Audit.

The Committee may invite other Directors and members of the Bank’s management or professional
advisors/consultants to attend the meeting on a need basis.

Minutes will be circulated to all Directors and as appropriate to attendees after approval of
Chairperson/Chairman.

3.3 Quorum

Quorum of the meeting shall be 2 members attending in person, over phone or online. In the event of a
difficulty in achieving a quorum, other non-executive directors may be co-opted for individual meetings,
subject to the approval of the Audit Committee Chair. The decisions of BAC will be by consensus, failing
which by a majority vote; the Chairperson will have the casting vote.

4. Responsibilities of Management

4.1 The management will ensure that all information relevant to the Committee for discharging its responsibilities
is provided in sufficient detail and in a timely manner to the Committee at least seven days prior to the
meetings, except in the case of emergency meetings, where the notice period may be reduced or waived. The
Committee will have the right to request management to provide additional information and may require any
member of management to attend its meetings.

5. Responsibilities of the Audit Committee

The Committee will carry out various responsibilities related to financial statements, internal control, internal and
external audit, compliance, reporting and other responsibilities described below:

(a) Financial Statements

(i) Review significant accounting and reporting issues, including complex or unusual transactions and
highly judgmental areas, going-concern assumption, and recent professional and regulatory
pronouncements, and understand their impact on the financial statements.
(ii) Review with management and the external auditors the results of the audit, including any difficulties
encountered.
(iii) Review the annual financial statements, and consider whether they are complete, consistent with
information known to committee members and reflect appropriate accounting principles.
(iv) Review with management and the external auditors all matters required to be communicated to the
committee under Generally Accepted Auditing Standards.
(v) Understand how management develops interim financial information, and the nature and extent of
internal and external auditors’ involvement.
(vi) Review interim financial reports with management and the external auditors before filing with
regulatory authorities, and consider whether they are complete and consistent with the information
known to committee members.

(b) Internal Control

(i) Consider the effectiveness of the Bank’s internal control over annual and interim financial reporting,
including information technology security and control.
(ii) Understand the scope of internal and external auditors' review of internal control over financial
reporting, and obtain reports on significant findings and recommendations, together with management's
responses.
(iii) Review critical process & control design gaps identified during independent evaluation by the bank’s
Internal Audit Department as well as by the external stakeholders such as the consultants, external
auditors and State Bank of Pakistan, and monitor the remediation status thereof.
(iv) Review significant violations reported in relation to the best practices of corporate governance
identified by Internal / External Audit and/or any other regulatory body, and monitor the resolution
thereof.

(c) Internal Audit

(i) Review ‘Internal Audit Strategy’ (IAS) and recommend for Board approval.
(ii) Review with management and the Head Internal Audit (HIA) the Audit Policy & Procedures, plans,
activities, staffing, and organizational structure of the internal audit function, if AC needs to discuss.

(iii) Approve the appointment/re-hiring/renewal of contract and removal of Head Internal Auditor; and
approve his/her remuneration, allied benefits, promotion/demotion and other terms of employment.

(iv) Formulate and document ‘Key Performance Indicators’ (KPIs) for Head Internal Audit and evaluate
his/her performance against set KPIs on annual basis. The evaluation must ascertain whether Head
Internal Audit is meeting the requirements and/or expectations of stakeholders including the primary
responsibility of provision of assurance and value addition to the organization. The evaluation must
identify the areas for improvement to enhance Internal Audit’s efficiency and effectiveness.
Furthermore, the CEO shall have no role in performance evaluation of Head Internal Audit including
determination of any performance-based bonuses, increments, cash awards or other financial and non-
financial benefits, which are to be approved by AC.
(v) Ensure that Internal Audit remains equipped with the necessary financial, human, operational, physical
and technological resources to carry out its mandated responsibilities as per Internal Audit Charter.
Moreover, the AC shall ensure that internal auditors receive necessary trainings to remain updated on
auditing competencies, methodologies, tools and techniques including FI’s products and services.
(vi) The AC shall ensure internal auditors’ unrestricted access to people, information, processes,
properties, records, and systems to perform their audit activities with objectivity.
(vii) Review the effectiveness of the internal audit function, including compliance with The Institute of
Internal Auditors' Standards for the Professional Practice of Internal Auditing, applicable laws and
regulations and internal policies.
(viii) The AC shall regularly receive and review the summary of significant violations/observations, internal
and external frauds, internal control deficiencies, organizational and personal material conflicts of
interest, etc. as identified during the audit activities. In addition, it shall review the management’s
action plan to ensure that audit observations/recommendations receive proper and timely attention by
the senior management.
(ix) Receive and review summary of reported violations identified through internal audit activities and
follow-up actions taken by management to ensure that audit observations/recommendations receive
proper and timely attention by senior management. The AC should also review the trends of audit
observations from multiple dimensions to gain deep insight into the state of internal controls and must set
specific, time-bound action points/indicators to monitor improvements.
(x) Take up with the President/CEO major findings of audits and internal investigations and management's
response thereto where required.
(xi) On a regular basis, meet separately with the HIA to discuss any matters that the committee or HIA
believes should be discussed privately. The HIA will coordinate with the committee to schedule such
meetings and will also maintain minutes of such meetings.
(xii) Review and approve Internal Audit budget that is sufficient to carry out the planned audit activities. In
addition, the AC shall periodically review the utilization of assigned budget and if required, provide
additional resources to Internal Audit to perform its activities.
(xiii) The AC shall annually obtain from CIA an independent assessment/opinion on the state of FI’s internal
controls based on the audits conducted over the period.
(xiv) The AC shall ensure:

a) independence of Internal Audit Function in the organizational structure;
b) independence and objectivity of internal auditors;
c) optimal utilization of audit resources;
d) effectiveness of Internal Audit Function in overall governance and internal control framework;
e) constructive engagement of Internal Audit Function with the senior management and auditee units.

xiii) The AC shall have the Internal Audit Function assessed, after every 5 years, by an independent external
professional firm/consultant to ensure compliance with IIA Standards.
xiv) Report to the Board any significant matters identified by internal/external auditors that warrant the Board’s
immediate attention.

xv) Review effectiveness of whistle blowing procedures for receiving (through internal or external sources)
complaints/concerns regarding business ethics/conduct practices, governance & risk management
practices, controls over financial reporting, auditing practices etc. The AC must ensure that such
concerns are treated confidentially and that the reporting employee(s) are protected and not penalized in
any manner whatsoever. The AC should ensure that employees remain aware of i) existence of such
procedures, ii) the procedure to utilize it and iii) are encouraged to be a ‘whistleblower’.
xvi) AC shall comply with all the relevant code/regulations (where applicable) with respect to establishment,
composition, frequency of meetings and other related matters pertaining to the AC. Besides, in order to
be effective, the AC members should, on collective basis, remain aware of latest trends and best practices
of internal auditing enabling them to rigorously evaluate the effectiveness of audit processes and perform
their roles & responsibilities more diligently.

(d) External Audit

(i) Recommend to the Board of Directors the appointment of external auditors and consider any questions
of resignation or removal of external auditors.
(ii) Review the external auditors' proposed audit scope and approach, including coordination of audit effort
with internal audit.
(iii) Review the performance of the external auditors.
(iv) Review audit fees and provision of any service by external auditors to the Bank in addition to audit of
its financial statements.
(v) Review and confirm the independence of the external auditors.
(vi) Ensure that, on an ongoing basis, the relationship with the external auditors meets all current
international standards applicable to a proper bank/auditor relationship.
(vii) It must meet with the external auditors in the absence of management.

(e) Compliance

(i) Review the status of compliance on exceptions/irregularities reported by regulating agencies (e.g. SBP
inspections etc.) and external and internal auditors.
(ii) Review of audit report/management letter issued by regulatory bodies, external auditors and any other
government agencies.

(f) Other Responsibilities

In addition to above, the Committee may also like to review the following:
(i) Perform other activities related to these TOR as requested by the Board of Directors.
(ii) Institute and oversee special investigations as needed.
(iii) Review and assess the adequacy of the committee’s TOR as and when need arises, requesting Board
approval for proposed changes.
(iv) Evaluate the committee's and individual members' performance on a regular basis.
(v) Review of IRAF for recommending to the board for approval.
(vi) Facilitate Board in establishing an unambiguous & observable ‘tone at the top’ for strong and effective
system of internal controls based on & supported by strong ethical practices, culture, comprehensive
policies, procedures, processes and technological systems.
(vii) Provide its fullest support to Internal Audit Function and internal auditors to perform their mandated
activities independently and in objective manner.

AC members, in discharging their duties shall establish, maintain and promote regular communication with
senior management regarding deficiencies in internal controls; review actions taken by management to address
identified deficiencies and ascertain new developments to achieve a uniform organization-wide commitment/buy-in
for implementation of strong and effective internal controls. AC members shall meet with members of the
management in-person or over phone/ video calls and discuss issues raised by internal auditors, external auditors,
regulators or other issues as required.
The Board should, on an annual basis, review the performance & effectiveness of AC against the roles &
responsibilities set forth in the charter and take immediate actions to fill the gaps. In this regard, the Head Internal
Audit shall develop a checklist of roles and responsibilities of the Charter and provide to the members of Audit
Committee for self-assessment. The checklist shall cover various requirements as set out in the charter for
measuring performance and effectiveness of the Audit Committee. After self-assessment, the checklist shall be
presented to the Board for review of performance and effectiveness. Any discrepancy identified by the Board
shall be marked for immediate rectification.

6. Review of TORs

The Committee will review its Terms of Reference after every three years or earlier if required and the document
requires approval of Board of Directors (BOD).

4: Overview of the Internal Audit Function


A: Introduction

As defined by the Institute of Internal Auditors (IIA), “Internal Auditing is an independent, objective assurance and
consulting activity designed to add value and improve an organization's operations. It helps an organization
accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of
risk management, control, and governance processes.”

Risk can be defined as the combination of the probability of an event and its consequences (Institute of Risk
Management-UK). In all types of undertaking, there is the potential for events and consequences that constitute
opportunities for benefit (upside) or threats to success (downside).

Risk Management is increasingly recognized as being concerned with both positive and negative aspects of risk.
Therefore this standard considers risk from both perspectives.

Risk Management is defined as “the deliberate acceptance of risk for the fulfilment of the organization’s objectives. It
involves making informed decisions regarding the trade-off between risk and reward, and using various financial and
other tools to earn satisfactory risk adjusted returns.”

The (FMFB) supports the Internal Audit Department (IAD) as defined by its charter (See Chapter 2: Internal Audit
Charter) as an independent appraisal function to examine and evaluate the financial and operational activities of the
institution.

The IAD also assesses compliance with rules, regulations, systems, policies, and procedures prescribed by the
institution and / or by the regulatory authorities or donors. It is an important and integral part of the control system of
the Bank, which ensures that necessary controls are in place in financial and operational activities of the Bank.
Internal Audit, with objectivity, directly provides to the top management analysis, appraisal, observations, and
recommendations concerning the activities it reviews.

B: Mission Statement

Using their knowledge, experience and professional judgment, the Internal Audit Department would strive to
strengthen the internal control environment throughout the organization, by furnishing:

• On-going risk assessments,
• Constructive recommendations and analysis,
• Reliable opinions; and
• Reports to the management and the Audit Committee of the Board on adequacy of internal controls, the
accuracy, reliability and propriety of transactions, the extent to which assets are accounted for and
safeguarded, and the level of compliance with institutional policies, laws and regulations.

The internal audit department follows the relevant clauses of The Institute of Internal Auditors' Professional Practices
Framework, the International Standards for the Professional Practice of Internal Auditing (Standards) which outline
the tenets of the internal audit profession.

C: Accessibility

The role of Internal Audit is to understand the key risks of the organisation and to examine and evaluate the adequacy
and effectiveness of the system of risk management and internal control as operated by the organisation. Internal
Audit, therefore, has unrestricted access to all activities undertaken in the organisation, and personnel relevant to the
undertaking of an audit.

The department has the authority to audit all parts of the Bank and shall have complete access to any of the records,
physical properties, and personnel relevant to the performance of an audit. Documents and information given to
auditors will be handled as prudently as they would be by those employees normally accountable for them.

The department will have no direct responsibility or authority for any of the activities or operations it reviews. It
should not develop and install procedures or sign off any policy documents, prepare records, or engage in activities
that would normally be reviewed by auditors.

D: Scope of Internal Audits

The internal audit function’s scope of operations is by its very nature quite expansive. The internal audit function will
assist the institution in fulfilling its vision, mission, strategic initiatives, and objectives, while adhering to its core
values, by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of enterprise-wide
risk management, internal control systems, and governance processes.

5: IAD Organogram
IAD will follow an organogram that suits its requirements and shall ensure that required skills are acquired through
hiring and training. The Head Internal Audit may change the reporting lines as required with information to the Audit
Committee.

Reporting Lines

The internal audit activity has a dual reporting relationship. The Head Internal Audit reports functionally to the Board
Audit Committee for strategic direction, reinforcement and accountability and to Executive Management for
assistance in establishing direction, support, and administrative interface. The Head Internal Audit meets with the
Audit Committee a minimum of 4 times in a year. (See Chapter II for the Charter of the Board Audit Committee for
details on their responsibilities to the Board.)

6: Code of Ethics adopted by Internal Audit Department


Internal auditors are expected to apply and uphold the ethical principles applicable to the profession and conduct their
work accordingly as per FMFB Code of Ethics and Business Conduct.

A: Integrity
The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment. For
further details refer to procedure document.

B: Objectivity
Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating
information about the activity or process being examined. Internal auditors make a balanced assessment of all the
relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.
Internal auditors:

2.1 Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased
assessment. This participation includes those activities or relationships that may be in conflict with the interests of the
organization.

2.2 Shall not accept anything that may impair or be presumed to impair their professional judgment.

2.3 Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under
review.

C: Confidentiality
Internal auditors respect the value and ownership of information they receive and do not disclose information without
appropriate authority unless there is a legal or professional obligation to do so.

Internal Auditors:

3.1 Shall be prudent in the use and protection of information acquired in the course of their duties.

3.2 Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental
to the legitimate and ethical objectives of the organization.

D: Competency

Internal auditors apply the knowledge, skills, and experience needed in the performance of internal auditing services.
Internal auditors:

4.1 Shall engage only in those services for which they have the necessary knowledge, skills, and experience.
4.2 Shall perform internal auditing services in accordance with the International Standards for the Professional
Practice of Internal Auditing.
4.3 Shall continually improve their proficiency and the effectiveness and quality of their services.

7: Annual Audit Plan


A: Overview

Internal Audit prepares an Audit Plan annually. This plan includes the planned audit missions for the year, their
objectives, priority and resource availability. The plan is approved by the Board Audit Committee.

The Annual Audit Plan may be revised during the year in light of the Board Audit Committee’s suggestions, new
priorities and changes in the Bank's activities. Any subsequent change is approved by the Board Audit Committee.

Internal auditors are often required to undertake special/unplanned assignments. The annual plan shall cater for such
requirements by keeping aside some man-days.
For any assistance sought from IAD by the management that requires major time and is not accounted for
in the annual audit plan, permission from AC would be sought for the conduct of the work.

8: Fraud Investigations
The basic objective of an investigation is to determine whether a fraud has been committed or legislation or
regulations breached, and identify the control weaknesses and recommend improvements where necessary. There is
no statutory obligation on internal auditors to search for fraud and irregularities, however, the possibility of the
existence of fraud must be factored in the auditor's approach to any audit.

9: Audit Documentation and Quality Control


IAD will ensure that all documentation is adequately maintained, along with Quality Control, for which working
papers will also be maintained.
