Circulars/Notifications - Banking Policy & Regulations Department  
 BPRD Circular No. 02 of 2019
April 03, 2019

The Presidents/Chief Executive Officers
All Banks/ MFBs / DFIs



Dear Sir/ Madam,

INTERNAL AUDIT FUNCTION


        The Internal Audit Function (IAF) is an essential element of the internal control system of any financial institution (FI) that acts as a ‘Third Line of Defense’ to provide an independent assurance on the state of internal controls. The FIs are operating in a dynamic business environment and are facing evolving risk exposures, which necessitate dynamic, rather than static, governance and internal audit processes. In order to assist FIs to achieve this objective, State Bank of Pakistan (SBP) has formulated IAF instructions to provide a standardized framework for the establishment and implementation of robust internal audit governance, in line with the international standards and best practices.

2. The following instructions shall be applicable to all FIs irrespective of their size and/or complexity of their operations:

  • All FIs shall have a Board Audit Committee (BAC) comprising at least three non-executive directors, including a minimum of one independent director. The independent director shall be the chairperson of the committee who shall not be the chairperson of the board. The board of the FI shall satisfy itself that the majority members of the BAC have a good understanding of accounting, finance and audit related matters; and ensure that at least one member has relevant qualification and experience in the field of audit, accounting and finance.
  • The BAC shall be governed under the board-approved ‘Audit Committee Charter (ACC)’ – commonly referred to as Terms of Reference (TORs) – that would serve as a ‘blueprint’ for its operations and delineate the basic framework to perform its assigned roles and responsibilities related to the internal controls and other regulatory/statutory requirements.
  • The BAC shall review and approve ‘Internal Audit Charter’ (IAC) and annual ‘Risk Based Audit Plan’ (RBAP). The BAC/board shall approve budget for IAF that is sufficient to carry out the planned audit activities. In addition, the BAC shall periodically review the utilization of assigned budget and if required, provide additional resources to IAF to perform its activities.
  • The Chief Internal Auditor (CIA) shall develop an ‘Internal Audit Strategy’ (IAS) to be reviewed by BAC and approved by the board.
  • The BAC shall ensure that IAF remains equipped with the necessary financial, human, operational, physical and technological resources to carry out its mandated responsibilities as per IAC. Moreover, the BAC shall ensure that internal auditors receive necessary trainings to remain updated on auditing competencies, methodologies, tools and techniques including FI’s products and services.
  • The BAC shall approve the appointment/re-hiring/renewal of contract and removal of CIA; and approve his/her remuneration, allied benefits, promotion/demotion and other terms of employment. In addition to the minimum qualifications mentioned in relevant code/rules/regulations, the CIA should be a professional having at least 15 years of experience in the field of finance (10 years for DFIs), with at least 5 years of aggregate audit experience in banks/financial institutions at the time of appointment [Applicable for all future appointments/re-hiring/renewals with immediate effect].
  • The BAC shall formulate and document ‘Key Performance Indicators’ (KPIs) for CIA and evaluate his/her performance against set KPIs on annual basis. The evaluation must ascertain whether IAF and/or CIA is meeting the requirements and/or expectations of stakeholders including the primary responsibility of provision of assurance and value addition to the organization. The evaluation must identify the areas for improvement to enhance IAF’s efficiency and effectiveness. Furthermore, the CEO shall have no role in performance evaluation of CIA including determination of any performance-based bonuses, increments, cash awards or other financial and non-financial benefits, which are to be approved by BAC.
  • The BAC shall ensure that there are no restrictions on internal auditors’ access to people, information, processes, properties, records, and systems to perform their audit activities with objectivity.
  • The BAC shall regularly receive and review the summary of significant violations/observations, internal and external frauds, internal control deficiencies, organizational and personal material conflicts of interest, sharia non-compliance issues (wherever applicable) etc. as identified during the audit activities. In addition, it shall review the management’s action plan to ensure that audit observations/recommendations receive proper and timely attention by the senior management.
  • The BAC shall annually obtain from CIA an independent assessment/opinion on the state of FI’s internal controls based on the audits conducted over the period.
  • The BAC shall ensure: a) independence of IAF in the organizational structure; b) independence and objectivity of internal auditors; c) optimal utilization of audit resources; d) effectiveness of IAF in FI’s overall governance and internal control framework; e) constructive engagement of IAF with the senior management and auditee units etc.
  • The CIA, in consultation with BAC, shall devise a comprehensive plan to adopt ‘Risk Based Internal Audit’ approach (if not adopted already) in line with ‘Institute of Internal Auditors’ (IIA) Standards and the best practices by December 31, 2020.
  • The FI may conduct an internal assessment to identify gaps vis-a-vis the requirements of IIA Standards and IAF instructions/guidelines, in order to prepare an action plan to bridge identified gaps.
  • The FI shall have its IAF assessed, after every 5 years, from an independent external professional firm/consultant to ensure compliance with IIA Standards. The first such assessment shall be completed within 6 months of the implementation of these guidelines, i.e. June 30, 2020.
  • In order to maintain independence, the CIA must functionally report to BAC, administratively report to CEO and shall be exempted from rotation requirements as stipulated in BPRD Circular No. 5 of 2015. Moreover, to maintain the stature, the CIA shall be a senior executive with hierarchal position equivalent to business heads.
  • While designing the annual RBAP, the CIA shall ensure that all areas of regulatory concern are covered adequately with sufficient details. Further, the CIA shall remain aware of major changes taking place in the institutional/structural/operational/technological setup of FI to adapt correspondingly the annual RBAP to evaluate FI’s preparedness for the new and emerging risks.
  • The CIA shall ensure that the internal auditors have necessary capacity to review the core operations of FI, understand the intricacies of financial and operational circumstances, establish the interlinkages between business processes/functions, challenge management’s assertions on sound footing, and understand regulatory and Sharia requirements (wherever applicable) etc.
  • The internal auditors should demonstrate highest ethical standards and professional integrity while performing audit activities. All the staff of IAF (including CIA) shall follow FI’s ‘Code of Ethics/Conduct’ as well as ‘Code of Ethics’ established by relevant international standard setting body i.e. IIA. If required, a separate BAC approved code of ethics/conduct may be developed for the internal auditors that addresses, at minimum, aspects of auditor’s independence, objectivity, competence, confidentiality and integrity. Similarly, the CIA shall take all necessary actions to ensure individual independence and objectivity of internal auditors at the assignment/engagement and/or functional levels.
  • In order to increase the efficiency of IAF and internal auditors, the FI shall put in place an audit system solution capable of handling complete audit process/lifecycle - data collection, risk assessment, audit planning, execution, reporting, and follow-up (not mandatory for DFIs). The system should be capable of supporting every type of audit i.e. operational audit, IT audit, management audit, etc. The required system shall be implemented by December 31, 2020.
  • The CIA should put in place a robust ‘quality assurance mechanism’ to ensure that the audit reports and the assigned ‘audit ratings/integrated audit ratings’ meet the pre-set quality standards and are backed by sufficient evidences and supporting materials to justify relevant audit findings/conclusions/judgments and ratings.
  • The CIA must establish a robust follow-up, validation and escalation mechanism for audit findings and corresponding recommendations. The IAF should actively monitor the implementation of audit recommendations and regularly report a summary of compliance status to BAC. The control breaches of critical nature that keep on occurring in at least two audit periods despite repeated audit recommendations should be tagged accordingly and submitted to BAC on regular basis.

3. In addition to the above, the FIs are required to organize internal audit processes/activities as per the attached guidelines keeping in view their size, nature of business and complexities of their operations. The guidelines further reinforce/elaborate above-mentioned requirements and communicate regulatory expectations with respect to the roles and responsibilities of BAC, CIA and functioning of IAF. The FIs are advised to comply with requirements of this circular and guidelines, in letter and spirit, by December 31, 2019, except where otherwise specifically mentioned.

Please acknowledge receipt.

 

 


Yours Truly,

Sd/-

(Syed Mansoor Ali)
Additional Director



Encl: Guidelines on Internal Audit Function


       