April 2022
Learning objectives
Obtain a basic understanding of internal audit activities
Obtain a basic understanding of risk management
Obtain a basic understanding of internal control
Obtain a basic understanding of fraud & corruption risk
Be familiar with frequently observed fraud & corruption incidents
Be familiar with frequently observed internal control breakdowns, weaknesses and non-compliances
Presentation outline
1) Overview on internal audit activity
What is internal auditing?
Internal auditing is an independent, objective assurance
and consulting activity designed to add value and
improve an organization's operations. It helps an
organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and
improve the effectiveness of risk management,
control, and governance processes (Institute of
Internal Auditors, 2017)
2) Individual Objectivity:
Internal auditors must have an impartial, unbiased attitude and
avoid any conflict of interest.
Internal auditors must refrain from assessing specific operations
for which they were previously responsible. Objectivity is
presumed to be impaired if an internal auditor provides
assurance services for an activity for which the internal auditor
had responsibility within the previous year.
3) Assurance activity:
Assurance services involve the internal auditor’s objective assessment
of evidence to provide opinions or conclusions regarding an entity,
operation, function, process, system, or other subject matters.
The nature and scope of an assurance engagement are determined by
the internal auditor. Generally, three parties are participants in
assurance services:
(1) the person or group directly involved with the entity, operation,
function, process, system, or other subject matter - the process owner,
(2) the person or group making the assessment - the internal auditor,
and
(3) the person or group using the assessment - the user.
4) Consulting activity:
Consulting services are advisory in nature and are generally
performed at the specific request of an engagement client.
The nature and scope of the consulting engagement are subject
to agreement with the engagement client.
Consulting services generally involve two parties:
(1) the person or group offering the advice - the internal auditor,
and
(2) the person or group seeking and receiving the advice - the
engagement client. When performing consulting services the
internal auditor should maintain objectivity and not assume
management responsibility.
7) Risk management:
The internal audit activity must evaluate the effectiveness and
contribute to the improvement of risk management processes.
The internal audit activity must evaluate risk exposures relating
to the organization’s governance, operations, and information
systems regarding the:
Achievement of the organization’s strategic objectives.
Reliability and integrity of financial and operational information.
Effectiveness and efficiency of operations and programs.
Safeguarding of assets.
Compliance with laws, regulations, policies, procedures, and contracts.
The internal audit activity must evaluate the potential for the
occurrence of fraud and how the organization manages fraud risk.
8) Internal Control:
The internal audit activity must assist the organization in
maintaining effective controls by evaluating their effectiveness
and efficiency and by promoting continuous improvement.
The internal audit activity must evaluate the adequacy and
effectiveness of controls in responding to risks within the
organization’s governance, operations, and information systems
regarding the:
Achievement of the organization’s strategic objectives.
Reliability and integrity of financial and operational information.
Effectiveness and efficiency of operations and programs.
Safeguarding of assets.
Compliance with laws, regulations, policies, procedures, and contracts.
9) Governance:
The internal audit activity must assess and make appropriate
recommendations to improve the organization’s governance
processes for:
Making strategic and operational decisions.
Overseeing risk management and control.
Promoting appropriate ethics and values within the organization.
Ensuring effective organizational performance management and
accountability.
Communicating risk and control information to appropriate areas of the
organization.
Coordinating the activities of, and communicating information among, the
board, external and internal auditors, other assurance providers, and
management.
2. Overview on Risk Management
What is Risk?
The possibility of an event occurring that will have an
impact on the achievement of objectives/goals.
Risk is measured in terms of impact and likelihood.
Financial loss
Types of objectives:
Strategic, Operational, Reporting & Compliance
2) Credit risk
3) Liquidity risk
4) Market risk
5) Operational risk
6) Compliance risk
Strategic/business risk: the risk associated
with poor business planning, decision making,
execution of the plan/decision, and resource allocation.
Strategic & business risks are similar; however, they
differ in the duration and importance of the decision.
Credit risk: the possibility of loss arising from a borrower's
default on what is owed or a counterparty's failure
to meet its obligations. It also arises from
commitments (off-balance sheet items).
Liquidity risk: the possibility of loss arising from the inability
to meet obligations or investment needs without
incurring unacceptable loss/cost.
Market risk: the possibility of loss in on- and off-balance
sheet positions arising from movements in market
prices. It is the name given to a group of risks that arise
from changes in:
Interest rates
Foreign exchange rates
Equity price
Commodity price
Operational risk: possibility of loss resulting from
inadequate or failed:
Internal process
People
Systems/ technology
External events
Compliance risk: possibility of loss resulting from
non-compliance with legal & regulatory requirements.
Activity (identify at least three risk events in your area of responsibility
& determine their risk categories)
3) Overview on Internal Control Concepts
What is control?
Any action taken by management, the board, and other
parties to enhance risk management and increase the
likelihood that established objectives and goals will be
achieved.
Management plans, organizes, and directs the performance
What is internal control?
Internal controls are the mechanisms, rules, and
procedures implemented by a company to ensure
the integrity of financial and accounting information,
promote accountability, and prevent fraud.
Besides complying with laws and regulations and
preventing employees from stealing assets or
committing fraud, internal controls can help improve
operational efficiency by improving the accuracy
and timeliness of financial reporting.
A process —effected by those charged with
governance, management and other personnel—
designed to provide reasonable assurance that the
following objectives are being achieved:
Increase accountability
Board of Directors:
Provides governance, guidance, oversight
Management:
- plans, organizes, and directs ... sufficient actions
- periodically reviews its objectives and goals
- establishes/maintains an organizational culture
Internal auditors:
evaluate the whole management process of planning,
Management authorization/approvals
Training
Reconciliations
Periodic audits
Activity-2:
1) Identify one control of each type (preventive,
detective & corrective) in your area of
responsibility.
2) Identify one potential risk event including the internal
controls that the Bank implemented to prevent, detect
& correct this risk.
4) Overview on fraud & corruption risk
Corruption/ bribery
Corruption: a dishonest activity in which a person
abuses his/her position of trust in order to achieve
some personal gain or advantage for themselves, or to
provide an advantage/disadvantage for another
person. Bribery is one type of corruption.
Corruption is an element of fraud; what makes it
different from other types of fraud is that it usually
involves abuse of power or a position of trust.
Bribery: the offering, giving, receiving, or
soliciting of any item of value to influence the actions
of an official or other person in charge of a public or
organizational duty.
Bribery is one type of corruption; what makes it
different from other types of corruption is that it involves
receiving offerings to make an unlawful decision or
take an unlawful action.
Examples of fraudulent acts include, but are not limited
to, the following:
Embezzlement
Pressure (or motive)
can be imposed due to
Personal financial problems; unforeseen expenses
Opportunity
is generally provided through weaknesses in the internal
controls. Some examples include inadequate or no
Supervision and review
Separation of duties
Management approval
System controls
Poor security on company property
Little fear of exposure & likelihood of detection
Unclear policies with regard to acceptable behavior
Rationalization
occurs when the individual develops a justification for
their fraudulent activities. The rationalization varies
by case and individual.
necessary – especially when done for the business
harmless – because the victim is large enough to
absorb the impact
justified – because “the victim deserved it” or “because
I was mistreated”
“I really need this money and I will pay it back when I
get my salary or bonus”
“Other people are doing it”
Breaking the three aspects of fraud is the key to
fraud deterrence. This entails removing one of the
elements in the fraud triangle in order to reduce the
likelihood of fraudulent activities. Of the three
elements, removal of opportunity is most directly
affected by the system of internal control and
generally provides the most actionable route to
deterrence of fraud.
Governing rules: fraud & corruption are governed by the
following proclamation & directives:
Proclamation no. 1236/2021: the establishment of the Federal
of public organization
Resolution 58/4: United Nations Convention against Corruption
2) Preventive policies:
Conduct periodic ethics & fraud awareness training for
all board members, management members and staff
Establish a system to periodically identify fraud risks in all
areas and processes of the Bank; and
Ensure adequacy and effectiveness of the internal control
system for identified exposures
5) Frequently observed fraud & corruption incidents in BB
1) Internal fraud
Cash embezzlement
Customer account embezzlement
Guarantee embezzlement
CPO embezzlement
ATM card/ PIN Mailer embezzlement
2. External fraud
Customer account embezzlement
Guarantee embezzlement
Cheque forgery
Counterfeit notes
Who participates in fraud acts:
Internal (staff)
External
Combined
Others (former staff with important information)
6) Frequently observed internal control discrepancies
1) Cash operation:
Risks:
Cash shortage/overage incident
Exceed cash holding/transit limit
Ambush/robbery during transit
Counterfeit bank notes
Paying to the wrong person
Burglary of strong room/vault
Failure to comply with regulatory requirements
Control weaknesses & non-compliances
Cash register book is not checked and signed by responsible
cashier/supervisor in charge.
Cash surrender book not used and signed by the responsible
staff for cash movements made between tellers & cashier and
Manager & Cashier or vice versa.
The vault is left open to the cashier instead of giving the
amount needed for daily cash transactions, which violates
dual cash control of the vault.
Cash is not sorted, verified, wrapped, signed and stamped as
well as used for payment.
Cash holding and transit above insured limits.
Cash shortage/overage incidents not recorded on cash
discrepancy register book
Cash shortage/overage incidents exceeding Birr 1,000.00 not
reported immediately and all shortage/overage incidents not
reported quarterly to the concerned H.O. Directorates.
Warning letter not served/ penalty not levied as per employee
regulation for cash shortage/overage incident.
Cash vault and strong room keys not securely held as well as
duplicate keys kept in wrong hands.
Dual control over ATM machine not implemented.
Not submitting vault code to Bank CEO with sealed postage.
Paying cash without debiting customers’ accounts, especially
for staff who do not have a sufficient available balance in their
account.
Not putting debit stoppage on indemnity accounts opened.
Linking indemnity account to mobile banking service and
manipulating the account.
Holding and managing rubber stamps and keys with respect
to their register books of the Branch has to be done
properly.
Proper handing and taking over of rubber stamps not conducted
when staff change.
Extra keys to be sent to H.O. organs not submitted accordingly
and timely.
Cash indemnity amount credited to employees saving account
before indemnity balance reached Birr 10,000.00.
Cash safe box not utilized.
Forex license not obtained/ expired.
Forex cash sold without valid passport, visa, air ticket.
Negotiable Instruments like cheque book, revenue stamp,
guarantee certificate, CPOs, etc. not periodically counted,
checked and balanced against the corresponding G/L/ tracer.
Printed normal/ standard cheques not delivered to account
holders and cost of cheque book not collected timely.
Stock of Guarantee certificates not managed as per the guideline
stipulated by Domestic Banking Directorate.
Not filling in account opening formats properly, such as missing basic
information, signatures and crossing stamps
Customer accounts are not opened as per the rules and
guidelines stipulated in the Domestic Banking Operation manual and
NBE Directives, which may lead to a penalty.
Missing basic requirements and formalities like photo, ID and
TIN copy
Failure to have account holders sign the A/C opening register book when
they receive passbooks.
Files, documents and customer information not handled properly in
various documents like mandate file and file box.
Lack of concerned top mgt. approval for the interest rate to be
applied for Fixed Time Deposit.
Issuing A/C balance confirmation letter beyond the available balance of
the account.
Not blocking accounts for court orders and proposed security for
guarantee issuance.
Not taking measures against NSF cheque issuers as per the NBE
Cheque Account Operation Directive SBB/64/2016 dated November
23, 2016
ATM card & PIN Mailer distribution has to be done simultaneously and
with proper registration and signing
3) Credit operations:
Risks:
Borrower default
Portfolio concentration
Unable to recover the loan from sale of collateral
Late installment payments
Failure to comply with NBE requirements
Failure to comply with tax authority requirements
Receiving of bribes from credit customers
Revenue leakage (not applying the terms & tariffs)
Control weaknesses & non-compliances:
Not fulfilling basic documents such as SCAF, recent financial
statement & audited financial statements of borrower, Credit
Information and valid tax clearance certificate in the name of
borrowers, mortgagers and related individuals or parties
involved with the loan request.
Not collecting consent letter for holding Tax-free collateral from
ERCA and holding the item for not allowed loan use.
Failure to authenticate Power of Attorney from the issuing government
body and not requesting legal advice from Legal Service
Directorate in case of ambiguity
Not concluding loan and mortgage contracts accordingly, and
missing basic relevant information like collateral particular and
covenants or wrong information recording in the contract signed
Not signed by borrower, spouse and witness
Not registering collateral by the responsible organ or disbursing
loan prior to collateral registration
Holding unapproved building with wrong LHC No. as a
collateral
Making collateral replacement without the consent and approval
of the credit-approving organ.
Granting staff Mortgage loan beyond the allowable monthly loan
repayment amount.
Not securing (signing) personal guarantee contract for ESL
granted.
Not collecting credit service related fees and charges, like:
covenant/appraisal fee, property estimation fee, loan
administration fee as per the Terms and Tariff of the Bank
Late and default penalty interest not collected on non-
performing loans
Failure to collect 1% stamp duty charge for collateral
held/mortgage contract
Not insuring and not renewing insurance policy of collateral
ahead of time.
Not serving reminders accordingly for sick loans and not
submitting NPL loans for amicable solution to the Credit follow-
up and/or Legal Service Directorate.
Not implementing and complying with conditions set on the LAF
conditioned for loan approval
Lack of strong loan follow-up on term loans, O/D facility
utilization and taking action according to repayment and O/D
utilization assessment
Not properly following up TOD facilities and their on-time
settlement
Not keeping security documents such as Loan & Mortgage
contracts, LHC, plan, ownership booklet, Share certificate,
insurance policies, collateral registration and other pertinent
documents in a fireproof safe for proper safety
fulfilled
5) Accounting of transactions:
Risks:
Erroneous transactions/ inter-post
Abnormal balance
Not regularly reconciling suspense account balances against the
respective G/L controlling accounts and not holding a proper
tracer.
Long outstanding items not checked and examined periodically
and action not taken as per the Accounting manual of the Bank
Abnormal balances not timely cleared
Long outstanding CPO payables not transferred to Finance
Directorate
Appropriate accounts are not affected
Branches have no practice of regularly checking daily transaction tickets
against the daily posting journal in order to ensure the
correctness of transactions executed.
No proper filing and custody of daily tickets to protect them
from loss, deterioration and damage
Lack of pertinent employee records
Disclosure of confidential employee records
Misuse of the Bank’s working hours
Failure to comply with labor law
Over/under payment of staff benefits
Paying staff benefit before/after pay day
Failure to comply with tax authority requirements
Lack of objective evaluation system
Failure to comply with performance appraisal procedure
of the bank
Failure to comply with employee regulation of the Bank
Paying allowances above the policy of the bank
Not timely paying employee income tax to the tax
authority
7) Facility management:
Risks:
Loss of facility/ error on facility records
Unused/ idle facility
Fire accident
Natural hazard
Vehicle accident
Failure to meet work units' facility requirement
Breakdown/ malfunction/ deterioration of facilities
Lack of accountability
Burglary/ unauthorized entrance to facility
Interruption of utility supplies
Office record
Fixed assets physically found in the branch but missed on head
office record
Banking Service hours and renewed license not displayed in visible
places
Security searching devices not functional
9) Performance management:
Risks:
Unable to meet deposit mobilization target
Unable to meet foreign exchange resource mobilization target
Unable to meet profitability target
Exceeding expense budget
Control weaknesses and non-compliances:
Not engaging in deposit mobilization as expected; as a result, significant
variation noted as compared with the plan
Not effective in generating foreign currency from remittance and
recruiting exporters
Exceeding the budget on controllable expenses
Fraud incidents
Guarantee Related
Loan Related
Cash Related
Account Opening
Account Activation
Document Related
Signature and Key Related
Materials(ATM Cards and Pin Mailers/Guarantee Certificate/Cheque
Books/
Thank You!!
"Vision without action is a daydream,
Action without vision is a nightmare"
Japanese proverb