Internal Audit Directorate

Internal Control & Fraud Prevention

Presented by: Melaku Alemu

Manager, Audit Division

April 2022
 Learning objectives
 Obtain basic understanding on Internal Audit Activities
 Obitain basic understanding on risk management
 Obtain basic understanding on internal control
 Obtain basic understanding on fraud & corruption risk
 Be familiar with frequently observed fraud & corruption
incidents
 Be faimiliar with frequently observed internal control
breakdowns, weaknesses and non-compliances

2
Presentation outline

1) Overview on internal audit activities

2) Overview on risk management
3) Overview on internal control concepts
4) Overview on fraud & corruption risk
5) Frequently observed fraud & corruption incidents in
Bunna Bank
6) Frequently observed internal control weaknesses
(inadequacy and ineffectiveness) in Bunna Bank

3
1) Overview on internal audit activity
 What is internal auditing?
Internal auditing is an independent, objective assurance
and consulting activity designed to add value and
improve an organization's operations. It helps an
organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and
improve the effectiveness of risk management,
control, and governance processes (Institute of
Internal Auditors, 2017)

4
Cont…

Basic terms in the internal audit definition:

1)Organizational independence:
The chief audit executive must report to a level within the
organization that allows the internal audit activity to fulfill its
responsibilities. The chief audit executive must confirm to the
board, at least annually, the organizational independence of the
internal audit activity
The internal audit activity must be free from interference in

determining the scope of internal auditing, performing work, and

communicating results. The chief audit executive must disclose
such interference to the board and discuss the implications.

5
Cont…

2) Individual Objectivity:
 Internal auditors must have an impartial, unbiased attitude and
avoid any conflict of interest.
 Internal auditors must refrain from assessing specific operations
for which they were previously responsible. Objectivity is
presumed to be impaired if an internal auditor provides
assurance services for an activity for which the internal auditor
had responsibility within the previous year.

6
Cont...

3) Assurance activity:
 Assurance services involve the internal auditor’s objective assessment
of evidence to provide opinions or conclusions regarding an entity,
operation, function, process, system, or other subject matters.
 The nature and scope of an assurance engagement are determined by
the internal auditor. Generally, three parties are participants in
assurance services:
(1) the person or group directly involved with the entity, operation,
function, process, system, or other subject matter - the process owner,
(2) the person or group making the assessment - the internal auditor,
and
(3) the person or group using the assessment - the user.

7
Cont…

4) Consulting activity:
 Consulting services are advisory in nature and are generally
performed at the specific request of an engagement client.
 The nature and scope of the consulting engagement are subject
to agreement with the engagement client.
 Consulting services generally involve two parties:
(1) the person or group offering the advice - the internal auditor,
and
(2) the person or group seeking and receiving the advice - the
engagement client. When performing consulting services the
internal auditor should maintain objectivity and not assume
management responsibility.

8
Cont…

5) Add value and improve organization’s operations:

 Value is provided by improving opportunities to
achieve bank’s objectives, identifying operational
improvements, and/or reducing risk exposures of
Bunna Bank S.C through both assurance and
consulting services.

9
Cont…

6) A systematic, disciplined approach:

 A systematic and disciplined approach involves
implementation of a risk-based audit approach in all
major audit processes, such as:
 Annual & strategic audit planning,
 Engagement planning
 Conducting the engagement
 Reporting the result of the engagement
 Follow-up rectification of audit findings
 Quality assurance & contineous improvement

10
Cont…
7) Risk management:
 The internal audit activity must evaluate the effectiveness and
contribute to the improvement of risk management processes.
 The internal audit activity must evaluate risk exposures relating
to the organization’s governance, operations, and information
systems regarding the:
 Achievement of the organization’s strategic objectives.
 Reliability and integrity of financial and operational information.
 Effectiveness and efficiency of operations and programs.
 Safeguarding of assets.
 Compliance with laws, regulations, policies, procedures, and contracts.
 The internal audit activity must evaluate the potential for the
occurrence of fraud and how the organization manages fraud risk.

11
Cont…

8) Internal Control:
 The internal audit activity must assist the organization in
maintaining effective controls by evaluating their effectiveness
and efficiency and by promoting continuous improvement.
 The internal audit activity must evaluate the adequacy and
effectiveness of controls in responding to risks within the
organization’s governance, operations, and information systems
regarding the:
 Achievement of the organization’s strategic objectives.
 Reliability and integrity of financial and operational information.
 Effectiveness and efficiency of operations and programs.
 Safeguarding of assets.
 Compliance with laws, regulations, policies, procedures, and contracts.

12
Cont…

9) Governance:
 The internal audit activity must assess and make appropriate
recommendations to improve the organization’s governance
processes for:
 Making strategic and operational decisions.
 Overseeing risk management and control.
 Promoting appropriate ethics and values within the organization.
 Ensuring effective organizational performance management and
accountability.
 Communicating risk and control information to appropriate areas of the
organization.
 Coordinating the activities of, and communicating information among, the
board, external and internal auditors, other assurance providers, and
management.

13
14
2. Overview on Risk Management

What is Risk?
The possibility of an event occurring that will have an
impact on the achievement of objectives/goals. 
Risk is measured in terms of impact and likelihood.

What is risk event?

A potential event whose occurrence could result in:
Failure to attain objectives

Financial loss

Reputational loss ( e.g. loss of credibility, undermining

of image and loss of public confidence)

15
Cont…

What is risk management?

A process to identify, assess, manage, and control
potential events or situations, to provide reasonable
assurance regarding the achievement of the
organization's objectives.

Types of objectives:
Strategic, Operational, Reporting & Compliance

16
Cont…

Risk categories of Bunna Bank

1)Strategic/ business risk

2)Credit risk

3)Liquidity risk

4)Market risk:

Interest rate risk

Foreign exchange rate risk

5)Operational risk

6)Compliance risk

17
Cont…
 Strategic/ business risk: is the risk associated
with poor business planning, decision making,
execution of the plan/decision, resource allocation.
 Strategic & business risks are similar; however they
differ in the duration and importance of the dicsion.
 Credit risk: possibility of loss arise from borrower
default to repay what is owed or counterparty failure
to meet its obligations. It also arises from
commitments (off-balance sheet items).

18
Cont…
 Liquidity risk: possibility of loss arise from inability
to meet its obligation or investment needs without
incurring unacceptable loss/cost.
 Market risk: possibility of loss in on- and off-balance
sheet positions arise from movements in market
prices. It is a name given to a group of risks that arise
from changes in:
 Interest rates
 Foreign exchange rates
 Equity price
 Commodity price

19
Cont…
 Operational risk: possibility of loss resulting from
inadequate or failed:
 Internal process
 People
 Systems/ technology
 External events
 Compliance risk: possibility of loss resulting from
non-compliance with legal & regulatory requirements.
 Activity (identify at least three risk events in your area of responsibility
& determine its risk category)

20
3) Overview on Internal Control Concepts

What is control?
 Any action taken by management , the board, and other
parties to enhance risk management and increase the
likelihood that established objectives and goals will be
achieved.
Management plans, organizes, and directs the performance

of sufficient actions to provide reasonable assurance that

objectives and goals will be achieved.
The policies, procedures, and activities that are part of a

control framework, designed to ensure that risks are

contained within the risk tolerances established by the risk
management process
Source: IIA Standards - Glossery

21
Cont…
What is internal control?
 Internal controls are the mechanisms, rules, and
procedures implemented by a company to ensure
the integrity of financial and accounting information,
promote accountability, and prevent fraud.
 Besides complying with laws and regulations and
preventing employees from stealing assets or
committing fraud, internal controls can help improve
operational efficiency by improving the accuracy
and timeliness of financial reporting.

22
Cont…
A process —effected by those charged with
governance, management and other personnel—
designed to provide reasonable assurance that the
following objectives are being achieved:

1)Achievement of the organization’s strategic objectives.

2)Reliability and integrity of financial and operational
information.
3)Effectiveness and efficiency of operations and
programs.
4)Safeguarding of assets.
5)Compliance with laws, regulations, policies,
procedures, and contracts.

23
Cont…

Benefits of internal controls:

Ensure performance

Increase accountability

Safeguard scarce resources

Deter fraud and abuse

Meet legal requirements

24
Cont…

Who is responsible for internal control:

Everyone in an organization has responsibility for
internal control to some extent (let’s give example of ours respective
internal control role).

Board of Directors:
Provides governance, guidance, oversight

Management:
- plans, organizes, and directs ... sufficient actions
- periodically reviews its objectives and goals
- establishes/maintains an organizational culture

25
Cont…

Internal auditors:
 evaluate the whole management process of planning,

organizing, and directing.

 provide information to appraise the overall
management process.

26
Cont…

The three Lines of Defense model of internal control:

First line of defense: management control is the first line
of defense in risk management. E.g. process owner
(directorates, districts, branches), staff, etc
Second line of defense: the various risk control and
compliance over- sight functions established by
management. E.g. Risk & Compliance Management
Directorate, IT security.
Third line of defense: independent assurance is the
third line of defense. E.g. Internal auditor, external
auditor, regulator, etc

27
Cont…

Internal control can be classified as:

1)Preventive controls: controls focus on preventing errors or
exceptions. Such preventive controls are:
 Standard policies and procedures

 Proper segregation of duties

 Management authorization/approvals

 Checks validity of inputs to the system

 Restrict data access to authorized person only

 Run antivirus software on computers

 Training

28
Cont…

2) Detective controls: controls are designed to identify an

error or exception after it has occurred. Such detective
controls are:
 Exception reports

 Reconciliations

 Periodic audits

3. Corrective controls: are designed to correct errors or

irregularities that have been detected.
 Contingent planning
 Backup procedures
 Adjustment transactions

29
Cont…
 Activity-2:
1) Identify one control from each type (preventive,
detective & corrective types) in your area of
responsibilities).
2) Identify one potential risk event including the internal
controls that the Bank implemented to prevent, detect
& correct this risk.

30
4) Overview on fraud & corruption risk

Definition of fraud & corruption:

Fraud: is an intentional act or omission committed with
the intention of gaining dishonest or unlawful
advantage for the party committing the fraud or for
other parties. Usually involves using deception &
concealment. The term fraud commonly includes
actives such as:
Theft

Embezzlement/ misappropriation/ misuse

Corruption/ bribery

31
Cont…
 Corruption: is dishonest activity in which a person
abuses his/her position of trust in order to achieve
some personal gain or advantage for themselves, or
provide an advantage/disadvantage for another
person. Bribery is one type of corruption.
 Corruption is an element of fraud what makes it
different from other type of fraud is it usually
involves abuse of power/ position of trust.

32
Cont…
 Bribery: is the offering, giving, receiving, or
soliciting of any item of value to influence the actions
of an official or other person in charge of a public or
an organization duty.
 Bribery is one type of corruption what makes it
different from other type of corruption is it involves
receiving of offerings to make unlawful decision or
action.

33
Cont…
Examples of fraudulent acts include, but are not limited
to, the following;
Embezzlement

 Forgery or alteration of documents

Unauthorized alteration or manipulation of Files. (Hard
and Soft copy)
 Fraudulent Financial reporting
Misappropriation or misuse of resources (e.g. Funds,
supplies, equipment, services, and assets of the entity)
Authorization or receipt of unearned wages or
benefits.
34
Cont…

Why do people commit fraud?

35
Cont…
 Pressure (or motive)
can be imposed due to
 Personal financial problems; unforeseen expenses

 Personal vices/addictions such as gambling, drugs,

shopping, etc
 Unrealistic deadlines and performance goals

36
Cont…
 Opportunity
is generally provided through weaknesses in the internal
controls. Some examples include inadequate or no
 Supervision and review

 Separation of duties
 Management approval
 System controls
 Poor security on company property
 Little fear of exposure & likelihood of detection
 Unclear policies with regard to acceptable behavior

37
Cont…
 Rationalization
occurs when the individual develops a justification for
their fraudulent activities. The rationalization varies
by case and individual.
 necessary – especially when done for the business
 harmless – because the victim is large enough to
absorb the impact
 justified – because “the victim deserved it” or “because
I was mistreated”
 “I really need this money and I will pay it back when I
get my salary or bonus”
 “Other people are doing it”
38
Cont…
 Breaking the three aspects of fraud is the key to
fraud deterrence. This entails removing one of the
elements in the fraud triangle in order to reduce the
likelihood of fraudulent activities. From the three
elements, removal of opportunity is most directly
affected by the system of internal control and
generally provides the most actionable route to
deterrence of fraud.

39
Cont…
Governing rules: fraud & corruption are governed by the
following proclamation & directives:
Proclamation no. 1236/2021: the establishment of the Federal

Ethics & Anti-Corruption Commission (FEACC)

Criminal code

NBE directive no. SBB/59/2014: fraud monitoring directives

FEACC directive no. 23/2013: issued establish Ethics Liaison Unit

of public organization
Resolution 58/4: United Nation conventions against corruption

40
Cont…

Bunna Bank fraud & corruption prevention & control

policy:
1)General policy:
 Everyone is responsible for fraud prevention &
reporting
 Documented policy & procedures
 Implement segregation of conflicting duties, proper
authorization procedure, etc
 Zero tolerance to fraud & corruption

41
Cont…

2) Preventive policies:
 Conduct periodic ethics & fraud awareness training to
all board members, management members and staff
 Stablish system to periodically identify fraud risks in all
areas and processes of the Bank; and
 Ensure adequacy and effectiveness of internal control
system for identified exposures

42
Cont…

3) Detection & reporting policy:

 Suspected & actual fraud cases shall be reported to
immediate supervisor or internal audit & Quality
Assurance & Anti-Corruption Division if the fraud is
related to corruption
 The reported cases shall be communicated to the CEO
for appropriate action such as:
 Audit investigation
 Discipline committee
 Police investigation

43
5) Frequently observed fraud & corruption
incidents in BB

1) Internal fraud
 Cash embezzlement
 Customer account embezzlement
 Guarantee embezzlement
 CPO embezzlement
 ATM card/ PIN Mailer embezzlement

44
Cont…

2. External fraud
 Customer account embezzlement
 Guarantee embezzlement
 Cheque forgery
 Counterfeit notes
Who is participating in the Fraud acts
 Internal (Staffs)
 External
 Combined
 And some other(Former staffs with important
information)

45
6) Frequently observed internal control
Discrepancies

1) Cash operation:
 Risks:
 Cash shortage/overage incident
 Exceed cash holding/transit limit
 Ambush/robbery during transit
 Counterfeit bank notes
 Paying to the wrong person
 Burglary of strong room/vault
 Failure to comply regulatory requirement
 Control weaknesses & non-compliances
 Cash register book is not checked and signed by responsible
cashier/supervisor in charge.

46
Cont…
 Cash surrender book not used and signed by the responsible
staffs for cash movement made b/n tellers & cashier and
Manager & Cashier or vice versa.
 The vault left open to the cashier instead of giving certain
amount needed for daily cash transaction i.e. which violates
dual cash control of vault.
 Cash is not sorted, verified, wrapped, signed and stamped as
well as used for payment.
 Cash holding and transit above insured limits.
 Cash shortage/overage incidents not recorded on cash
discrepancy register book

47
Cont…
 Cash shortage/overage incidents exceeding Birr 1,000.00 not
reported immediately and all shortage/overage incidents not
reported quarterly to the concerned H.O. Directorates.
 Warning letter not served/ penalty not levied as per employee
regulation for cash shortage/overage incident.
 Cash vault and strong room keys not securely held as well as
duplicate keys kept in wrong hands.
 Dual control over ATM machine not implemented.
 Not submitting vault code to Bank CEO with sealed postage.

48
Cont…
 Paying cash without debiting customers’ account especially
for staffs who have no sufficient available balance in their
account.
 Not putting debit stoppage on indemnity accounts opened.
 Linking indemnity account to mobile banking service and
manipulating the account.
 Holding and managing rubber stamps and keys with respect
to their register books of the Branch have to be done
properly.

49
Cont…
 Proper handing and taking over of rubber stamps not conducted
in case of staffs change.
 Extra keys to be sent to H.O. organs not submitted accordingly
and timely.
 Cash indemnity amount credited to employees saving account
before indemnity balance reached Birr 10,000.00.
 Cash safe box not utilized.
 Forex license not obtained/ expired.
 Forex cash sold without valid passport, visa, air ticket.

50
Cont…

1)Domestic banking operation:

Risks:
 Account opened for illegal activities
 Theft from customer account

 Fraudulent settlement of CPOs

 Erroneous/fraudulent fund transfer

 Loss of security items/ negotiable instruments

 Loss of ATM cards & PIN Mailers

 Failure to comply with NBE/FIC requirements

 Misuse/disclosure of customer information

Control weaknesses & non-compliances:

51
Cont…
 Negotiable Instruments like cheque book, revenue stamp,
guarantee certificate, CPOs, etc. not periodically counted,
checked and balanced against the corresponding G/L/ tracer.
 Printed normal/ standard cheques not delivered to account
holders and cost of cheque book not collected timely.
 Stock of Guarantee certificates not managed as per guideline
stipulate by Domestic Banking Directorate.
 Not filling account opening formats properly like missing basic
information and signature and crossing stamps
 Customer accounts are not opened as per the rules and
guidelines stipulated in Domestic Banking Operation manual and
NBE Directives which may lead for penalty.
 Missing basic requirements and formalities like photo, ID and
TIN copy

52
Cont…
 Fail for signing of account holders on A/C opening register book while
they receiving passbooks.
 Files and documents and customer information not handled properly on
various documents like mandate file and file box.
 Lack or getting concerned top mgt. approval for interest rate to be
applied for Fixed Time Deposit.
 Issuing A/C balance confirmation letter beyond the available balance of
the account.
 Not blocking accounts for court orders and proposed security for
guarantee issuance.
 Not taking measure for NSF cheque issuers as per the NBE Directive for
Cheque Account Operation Directives SBB/64/2016 Dated November
23, 2016
 ATM card & PIN Mailer distribution has to be done simultaneously and
with proper registration and signing

53
Cont…

3)Credit operations:
Risks:
 Borrowers default
 Portfolio concentration
 Unable to recover the loan from sale of collateral
 Late installment payments
 Failure to comply with NBE requirements
 Failure to comply with tax authority requirements
 Receiving of bribes from credit customers
 Revenue linkage (not applying the terms & tariffs)
Control weaknesses & non-compliances:

54
Cont…
 Not fulfilling basic documents like (SCAF, Recent financial
statement & audited financial statements of borrower, Credit
Information and valid tax clearance certificate in the name of
borrowers, mortgagers and related individuals or parties.
Involved with the loan request.
 Not collecting consent letter for holding Tax-free collateral from
ERCA and holding the item for not allowed loan use.
 Fail to authenticate Power of Attorney from issuing government
body and refrain to request legal advice from Legal Service
Directorate in case of ambiguity
 Not concluding loan and mortgage contracts accordingly, and
missing basic relevant information like collateral particular and
covenants or wrong information recording in the contract signed
 Not signed by borrower, spouse and witness

55
Cont…
 Not registering collateral by the responsible organ or disbursing
loan prior to collateral registration
 Holding unapproved building with wrong LHC No. as a
collateral
 Making collateral replacement without the consent and approval
of the credit-approving organ.
 Granting staff Mortgage loan beyond the allowable monthly loan
repayment amount.
 Not securing (signing) personal guarantee contract for ESL
granted.

56
Cont…
 Not collecting credit service related fees and charges, like:
covenant/appraisal fee, property estimation fee, loan
administration fee as per the Terms and Tariff of the Bank
 Late and default penalty interest not collected on non-
performing loans
 Failure to collect 1% stamp duty charge for collateral
held/mortgage contract
 Not insuring and not renewing insurance policy of collateral
ahead of time.
 Not serving reminders accordingly for sick loans and not
submitting NPL loans for amicable solution to the Credit follow-
up and/or Legal Service Directorate.

57
Cont…
 Not implementing and complying with conditions set on the LAF
conditioned for loan approval
 Lack of strong loan follow-up on term loans, O/D facility
utilization and taking action according to repayment and O/D
utilization assessment
 Not properly follow-up TOD facilities and their on time
settlement
 Not keeping security documents of like Loan & Mortgage
contracts, LHC, plan, ownership booklet, Share certificate,
insurance policies, collateral registration and other pertinent
documents in fireproof safe for proper safety

58
Cont…

4)International banking operations:

Risks:
 Counterparty default
 Receipt of illegal money
 Paying remitted money to wrong person
 Not finalizing payments on remittance organization system
 Receiving counterfeit notes
 Cash shortage/overage incident(FCY)
 Concentration of funds by currency type/country
 Adverse change in exchange rate/ revaluation loss
 Foreign currency liquidity crunch/ high commitment
 Erroneous/fraudulent fund transfer
 Failure to comply with NBE/Remittance Organization’s requirements

59
Cont…

Control weakness & non-compliances:

Un-cleared effect foreign claims not timely responded by IBD
Payments to beneficiaries not finalized on Remittance
Organization’s system
Payments made to wrong person

Purchasing foreign currency without having NBE license

Facilities like exchange rate display, detecting machine, etc not

fulfilled

60
Cont…

5)Accounting of transactions:
Risks:
 Erroneous transactions/ inter-post

 Loss of source documents/ evidence

 Un-reconciled book balance difference

 Abnormal balance

 Long outstanding receivable/ payable balances

Control weaknesses and non-compliances:

61
Cont…
 Not regularly reconcile suspense accounts balance against the
respective G/L controlling accounts and not holding proper
tracer.
 Long outstanding items not checked and examined periodically
and action not taken as per the Accounting manual of the Bank
 Abnormal balances not timely cleared
 Long outstanding CPO payables not transferred to Finance
Directorate
 Appropriate accounts are not affected

62
Cont…
 Branches have no practice of checking daily transaction tickets
against daily posting journal regularly in order to ensure the
correctness of transactions executed.
 No proper filing and custody of daily tickets not to be exposed
for lost, deterioration and damage

63
Cont…

6)Human resource management:

Risks:
 Lack of necessary knowledge & skill
 Unable to attract skilled & knowledgeable employee
 Delay to fill vacant posts
 Selection of employee with fraudulent credential
 Selection of ineligible employee
 Employee misconduct/ unethical behavior/ practice
 Low staff moral/ employees’ disengagement/ dissatisfaction
 Key staff turnover/ unable to retain key staff/ talent
 Unexpected employee benefit related liability
 Employment lawsuit
 Exposure to occupational health & safety risk

64
Cont…
 Lack of pertinent employee records
 Disclosure of confidential employee records
 Misuse of the Bank’s working hours
 Failure to comply labor law
 Over/under payment of staff benefits
 Paying staff benefit before/after pay day
 Failure to comply with tax authority requirements
 Lack of objective evaluation system
 Failure to comply with performance appraisal procedure
of the bank
 Failure to comply with employee regulation of the Bank

65
Cont…

Control weaknesses & non-compliances:

 Basic documents of staffs like periodical performance,
promotion and warning letters not kept in there personal file
of the Branch
Staff attendance and working hour punctuality not managed

properly and attendance sheet not signed by supervisors

timely.
Paying salary prior to pay day

Not deducting indemnity for absent days

Not including taxable items upon tax calculation

Unethical behavior of employees

66
Cont…
 Paying allowances above the policy of the bank
 Not timely paying employee income tax to the tax
authority

67
Cont…

7)Facility management:
Risks:
 Loss of facility/ error on facility records
 Unused/ idle facility
 Fire accident
 Natural hazard
 Vehicle accident
 Failure to meet work units' facility requirement
 Breakdown/ malfunction/ deterioration of facilities
 Lack of accountability
 Burglary/ unauthorized entrance to facility
 Interruption of utility supplies

68
Cont…

Control weakness and non-compliances:

Fire extinguisher found expired not refilled timely.
Some F/A are not functional and not tagged and those not

functional/ damaged not timely sent for maintenance/ disposal

Fixed assets not physically found in the branch but exist in Head

Office record
Fixed assets physically found in the branch but missed on head

office record
Banking Service hours and renewed license not displayed in visible

places
Security searching devices not functional

Some branches securities have not yet provided gun

69
Cont…

9)Performance management:
Risks:
 Unable to meet deposit mobilization target
 Un-able to meet foreign exchange resource mobilization target
 Un-able to meet profitability target
 Exceeding expense budget
Control weaknesses and non-compliances:
 Not engaging in deposit mobilization as expected as a result significant
variation noted as compared with the plan
 Not effective in generating foreign currency from remittance and
recruiting exporters
 Exceeding the budget on controllable expenses

70
 Fraud incidents
 Guarantee Related
 Loan Related
 Cash Related
 Account Opening
 Account Activation
 Document Related
 Signature and Key Related
 Materials(ATM Cards and Pin Mailers/Guarantee Certificate/Cheque
Books/

71
 Thank You!!
"Vision without action is a daydream,
Action without vision is a nightmare"
Japanese proverb

72