
INTERNATIONAL MONETARY FUND

MAE Operational Paper MAE OP/99/1

MAE Operational Paper series are for internal and official use of IMF staff and consultants, and are designed to facilitate technical discussions in the field.

The Role of Internal Control and Audit Systems in Supporting Central Bank Governance and Transparency[1]

MONETARY AND EXCHANGE AFFAIRS DEPARTMENT

July 1999

[1] The views expressed are those of the Monetary and Exchange Affairs Department of the International Monetary Fund (IMF) and do not necessarily represent the opinions of the Executive Directors of the IMF, or other members of the IMF staff. Citations should refer to the Operational Paper of the Monetary and Exchange Affairs Department.

The Role of Internal Control and Audit Systems in Supporting Central Bank Governance and Transparency[2]

Abstract

Issues of corporate governance, transparency, disclosure, and accountability have come to the fore as international financial institutions seek to support and strengthen stability in economies and financial markets. As these institutions seek new guidelines and standards, central banks, as national institutions responsible for macroeconomic and financial sector stability, must be at the forefront of progressing such initiatives in their respective countries.

While a sense of public duty may direct a central bank in the right direction, achieving high standards of corporate governance requires more than mere will. Rather it calls for a mechanism, commonly known as a control and audit system, that assists management in controlling behavior and risks, and in steering a central bank towards successful achievement of its objectives.

This paper discusses good practices in internal control and internal audit systems that can support improved governance and transparency in central bank operations. It is based on both reference material and specific internal control and audit practices of central banks, as recommended in IMF technical assistance work and delivered at recent MAE Central Bank Accounting Workshops.

[2] Prepared by John Dalton and Paul Hilbers, Financial Systems and Banking Division, on behalf of the Monetary and Exchange Affairs Department (MAE), and authorized for distribution by V. Sundararajan, Deputy Director (MAE), the editor of the Operational Paper series. Comments from MAE staff, including William Alexander, Winfrid Blaschke, Claudia Dziobek, Edward Frydl, George Iden, Tonny Lybek, Andreas Lux, Jun Nagayasu, Gabriel Sensenbrenner, and DeLisle Worrell are gratefully acknowledged.

Contents

Page

I. Introduction and Summary ......... 3

II. Internal Control Systems ......... 7
   A. Objectives ......... 7
   B. Responsibilities ......... 8
   C. Key Elements ......... 9

III. Internal Audit Systems ......... 13
   A. Objectives ......... 13
   B. Main Elements ......... 14
   C. Review of Internal Audit ......... 19

IV. Control and Audit System Issues for Key Central Bank Operations ......... 21
   A. Policy Formulation and Implementation ......... 24
   B. Monetary and Foreign Exchange Market Operations ......... 25
   C. Off Balance Sheet Operations ......... 28
   D. Currency, Banking, and Payment System Activities ......... 29
   E. Prudential Supervision and Regulation, and Financial System Surveillance ......... 31
   F. Utilization of Central Bank Resources ......... 32
   G. Accounting Systems ......... 33
   H. Public Disclosure ......... 34

References ......... 35

Glossary of Terms ......... 37

Appendixes

I. Main Features of Internal Control Systems ......... 40
II. Illustrative Charter of an Internal Audit Unit ......... 49
III. Internal Audit Techniques ......... 51

I. INTRODUCTION AND SUMMARY

In recent years, international financial and regulatory institutions have increased their focus on issues of corporate governance, transparency, accountability and disclosure in order to support and strengthen stability in economies and financial markets. Considerable work is under way[3] on strengthening financial system architecture, including the development and dissemination of standards and guidelines for the functioning of the financial system, and on improving accountability and transparency.[4]

Recent developments in financial markets, including bank and corporate failures, and high levels of volatility in prices and financial flows, have increased the risks for any institution active in these markets. This has emphasized the importance of appropriate internal risk control systems. In general terms, control systems work to ensure the efficient and effective achievement of an organization's objectives. They do this by assisting management to identify the risks they face, and providing a framework for controlling behavior so as to keep risks within acceptable levels. Internal control systems are primarily designed to address those risks, which may arise as a result of improper or unauthorized actions, fraud, theft, error, accident, or failure to act.

It is important to distinguish between internal control and internal audit. Internal control refers to the mechanisms in place on a permanent basis to control activities in an organization, both at a central and at a departmental/divisional level. A key component of effective internal control is the operation of a solid accounting and information system. Internal audit is the process that "controls the control systems" through regular review of the operation of controls and reporting to senior management on the effectiveness and efficiency of the internal control system.

Control and audit are key issues in the Fund's work on governance as part of its responsibilities for surveillance and the support of structural adjustment programs. In addition, the Fund provides technical assistance on central banks' control and audit functions to improve the quality of governance, accountability and transparency in central bank operations, and to support structural improvements in the functioning of central banks in member countries. This paper aims to discuss good practices regarding the main aspects of internal control and internal audit that can support improved governance and transparency in central bank operations by drawing on the Fund's technical assistance work in this area. Section II describes the main objectives and features of internal control systems. In Section III, a similar exercise is conducted for internal audit. Section IV discusses key control issues in major central bank operations, including monetary and foreign exchange operations, currency, banking and payment activities, and supervision and financial system surveillance.

[3] This work involves a range of projects both within the International Monetary Fund (IMF) and in collaboration with the Bank for International Settlements (BIS), the International Accounting Standards Committee (IASC), the International Organization of Securities Commissions (IOSCO), the Organization for Economic Cooperation and Development (OECD), and the World Bank.

[4] The key importance of good transparency practices of monetary and financial agencies is reflected in the IMF's draft Code of Good Practices on Transparency in Monetary and Financial Policies, which is available on its website (www.imf.org/external/np/mae/mft/code).

The generally accepted good practices regarding internal control and audit functions of a central bank, which are drawn from the Fund's extensive technical assistance in this area, are summarized in Table 1. Most of the underlying principles are not unique to central banks and can be applied to financial institutions in general, as reflected in the Basle Core Principles for Effective Banking Supervision.[5] However, the implementation of these principles is very specific to central banks in light of their special operations and responsibilities, and the importance of their reputation and credibility for the effectiveness of their actions. In addition, since central banks should practice what they preach, their internal control and audit systems should serve as an example and standard for the financial sector as a whole.

Priorities

Internal control and audit in central banks should particularly focus on those areas that involve high value transfers between the central bank and external parties such as foreign exchange and investment operations; transactions in domestic financial instruments; and currency issuance and payments settlement. Within each of these areas, determining the priorities of specific actions will differ according to the economic environment in which a central bank operates and by the stage of development reached by the central bank itself. For a new central bank operating in, for example, a transition economy the priority would be to establish a basic set of procedures to control initial operations and information systems that can report financial results in accordance with an internationally recognized reporting framework. Similarly, internal audit procedures might be limited to a basic review of the appropriateness and effectiveness of internal control systems.

Development of more sophisticated control, information and audit systems would then be sequenced to match the development of central bank operations. Therefore, in more developed central banks, where more robust control and information systems have been established, the priority might shift towards enhancing internal audit processes and techniques. This trend has been noticeable, for example, in central banks in transition economies in Europe that have reached a relatively advanced stage of development in their market based operations.

[5] Principle 14 of the Basle Core Principles, for example, specifically addresses the need for banks to have internal controls and audit systems that are adequate for the nature and scale of their operations. More specific guidance on controls systems for commercial banks can be found in the Basle Committee's "Framework for Internal Control Systems in Banking Organizations" issued in September 1998.

Table 1

1. Key elements of an internal control system

- internal control procedures, to control operations both quantitatively (e.g., financial limits) and qualitatively (e.g., separation of duties), and by placing responsibility for controls with management of respective areas of operation;
- adequate accounting and information systems to put financial information in a useful format for accurate and timely reporting that facilitates effective management of operations and risks;
- internal audit review, conducted by a separate and independent department to "control the controls"; this includes in particular:
  - financial audits;
  - organizational or functional audits;
  - electronic data processing (EDP) audits.

2. Essential internal controls

- governing board commitment to a control environment that incorporates best practices of good corporate governance;
- management responsibility for operation of control systems;
- formal authorizations to undertake activities and to control access to information and assets;
- separation of duties and application of the "four eyes" principle: staff conducting transactions should be different from staff controlling transactions;
- complete and timely maintenance of transaction records;
- financial and budgetary controls to limit exposures;
- control measures that include sampling instead of 100 percent testing;
- regular review of operating performance and reporting to senior management;
- controls that promote effective policy formulation and implementation by limiting the risk of unauthorized access to, or release of, market sensitive information;
- controls that address financial and other risks, including loss of reputation;
- a clear policy and timetable for release of financial information;
- a commitment to honesty and transparency in reporting, including adoption of a code of good practices on transparency in monetary and financial policies.

3. Internal audit operations

- an internal audit charter establishing the powers and responsibilities of internal auditing;
- audit activities to cover: financial, operational, and electronic data processing (EDP) auditing;
- four phases: planning, fieldwork, reporting, and follow-up;
- collection and documentation of audit evidence through inquiry, observation and analysis of records;
- audit reporting to management that identifies and classifies internal systems in terms of potential harmful implications, including agreed corrective actions;
- regular audit follow-up that involves management of the area responsible for taking corrective action;
- regular communication and coordination with the external auditor.

4. Control of central bank market operations

- coordination of policy decisions and actions to ensure consistency of policy objectives and actions in respective markets;
- maintenance of confidentiality for all transactions associated with policy actions;
- a formal system of financial limits on transactions, instruments, and parties to transactions;
- senior management authorization of (new) financial instruments, including off balance sheet financial instruments, and of trading partners, incorporating a clear strategy for managing risks, detailed operational instructions, and consultation with the internal audit function;
- key operational controls that include: recording of deals by tape, immediate data entry, the "four eyes" principle of supervision, regular reconciliation, clear documentation of dealing rules, and dispute resolution procedures;
- strict separation of duties, in particular, between the dealing room, back office, settlement department, and the accounting function;
- a written code of conduct for dealers regarding, e.g., ethics, rules on acceptance of gifts, and private account/insider trading;
- foreign portfolio investment strategies that are consistent with exchange arrangements and monetary policy requirements, in particular in terms of liquidity;
- assessment of foreign portfolio performance against recognized benchmark measures;
- appropriate training of central bank staff involved in various dealing, investing, processing, and control activities.

5. Currency, banking, and payment system controls

- physical security measures to protect financial, human and information assets;
- daily balancing of customer accounts and cash holdings, and dual control of bulk cash holdings;
- secure communication facilities and computer operations with controls over access by internal and external parties;
- established plans and regular testing of facilities to guarantee system operation and prompt business resumption in the event of a catastrophe or serious disruption.

6. Controls regarding supervision, regulation, and financial system stability functions

- classification and access procedures that protect confidential and sensitive information;
- a code of conduct to ensure that staff are free from any conflict of interest or undue pressure;
- requirements for maintaining professional competencies and knowledge.

7. Information and accounting system controls

- responsibility for central bank wide accounting policies assigned to the Accounting Department, along with responsibility for monitoring daily balancing and performance of the systems;
- regular review by information users of accounting system output and format;
- daily back up, and separate storage of files, and regular testing of back up systems;
- regular communication between the Accounting Department and the internal auditor;
- advance planning for implications of major structural changes or challenges (e.g., introduction of new currencies, Year 2000 date change);
- accurate and timely recording of all transactions.

8. Controls on effective and efficient utilization of central bank resources

- a strategic planning process linked to the annual budget planning cycle to control expenditures;
- formal delegation of authority to incur expenses, and procedures for authorizing non-budgeted expenditures;
- monthly monitoring and reporting of actual outcomes against budget forecasts, and annual review of full year outcomes;
- accounting systems capable of allocating costs and revenues across specific central bank functions, departments and projects;
- regular monitoring and analysis of the cost of providing key central bank services, including benchmarking costs with other institutions.

II. INTERNAL CONTROL SYSTEMS

A. Objectives

Internal control systems are designed to provide reasonable assurance to management regarding the achievement of objectives in the following broad categories:

- effectiveness and efficiency of operations;
- reliability of financial reporting;
- compliance with applicable laws and regulations.

Effectiveness and efficiency of operations is essentially about corporate governance. This category addresses how a central bank goes about achieving its basic objectives. Are the bank's policies and procedures directed towards ensuring that it is doing the right things, and in the right way? Control systems therefore focus on aspects associated with planned and actual performance, operating results, resource utilization, and safeguarding of assets.

Reliability of financial reporting incorporates both governance and transparency issues. In the absence of reliable information, management's ability to achieve high standards of governance becomes increasingly threatened. And the absence of transparent and reliable disclosure mechanisms significantly reduces proper communication of the results of management's governance to the world at large. Thus, this category addresses a range of questions about the central bank's information systems. Does the financial accounting system properly record all activities and events? Does management receive adequate information to effectively manage operations and risks? Do the published financial reports that are released to markets explain organization performance and position in a transparent, complete, and timely manner? Control systems in this area also focus on how information on activities is collected and recorded, how it is processed and stored, especially in an electronic environment, and how it is disseminated.

Compliance with applicable laws and regulations also relates to governance issues. Is the central bank complying with the entire body of legal requirements within which it is expected to operate? Does it face potentially conflicting regulatory requirements? Have the requirements of new laws or regulations been properly interpreted? Control systems are directed at compliance, by establishing and allocating responsibility to specific areas or individuals, and by monitoring adherence to controls.

What internal control systems can and cannot do

Internal control systems can help a central bank to achieve its objectives and avoid pitfalls and surprises along the way. And while control systems can operate to assist a central bank in achieving targets, providing reliable financial reporting, and complying with laws and regulations, they cannot ensure success in each of these areas. This is because controls can be circumvented through collusion, or even overridden by management. Also, factors such as bad judgment, human error, and external events cannot be entirely prevented by internal control systems. Thus, internal control systems can provide only reasonable assurance that objectives will be achieved, and not a guarantee.

B. Responsibilities

Responsibility for internal controls extends across all levels of a central bank from the governing board and senior management to individual employees.

The board of directors and its audit committee provide important oversight over the internal control system. The audit committee is a high level committee usually appointed by the board.[6] It should ensure that the internal audit function has a written charter, approved by management, which spells out the purpose, authority, and responsibilities of the internal auditor. The board's insistence that management maintain an effective system of internal controls is of great importance; the audit committee demonstrates this interest and the importance of internal controls by meeting regularly with the internal auditor to discuss audit results.

Management, however, is primarily responsible for the central bank's internal control system, including its design, implementation, operation, and maintenance. The governor or chairman therefore is ultimately responsible and should assume ownership of the system. At lower levels of management, financial and accounting officers are central to the way management exercises financial control, while line management personnel play important roles and are accountable for controlling the activities of their respective units.

[6] There are also instances where the role and composition of an audit committee are specified in the central bank law.

Employees have a specific responsibility for adhering to the control activities that govern their respective operating duties. The core of any central bank is its people and their individual attributes, including integrity, ethical values, and confidence in the environment in which they operate. They are the engine that drives the bank and the foundation on which everything rests. Sometimes referred to as "soft controls," people with integrity and high ethical standards can partially compensate for weaknesses elsewhere in the system of internal controls, or when control gaps occur as a result of new activities or situations.

Internal audit and management have different roles in pursuing the common objective of a successful, well-controlled central bank. Internal auditors certainly contribute to the ongoing effectiveness of the internal control system but they do not, and cannot, have responsibility for establishing or maintaining it, because that is a management responsibility. The internal auditor's responsibility is to perform audits as a basis for providing management and the board with information about the adequacy and effectiveness of the bank's system of internal controls, and the quality of performance in carrying out assigned responsibilities.

C. Key Elements

A properly functioning control system requires four main elements:

- a sound control environment;
- efficient and effective operating controls and procedures;
- reliable communication and information systems; and
- risk-based audit review and follow up.

A sound control environment

The control environment can broadly be described as management's overall attitude, awareness, and actions regarding internal control and its importance in managing the risks facing a central bank. A sound control environment signals the importance senior management attaches to good governance throughout the bank and is exhibited by clear strategic direction and control that comes from the top. The main actions that senior management can take to ensure this include:[7]

- a clear definition of the bank's objectives and policies, supported by a strategic planning and budgeting process, which are clearly communicated throughout the whole bank;
- an organizational structure that clearly defines the allocation of duties, responsibilities, and lines of reporting;
- a risk acceptance policy that is based on sound assessment of all risks facing the bank, and that is reviewed annually;
- clear communication to staff on the need for an effective control and audit system covering all aspects of operations, and the importance of adherence to controls;
- adequate information and communication systems to safeguard the flow of information to senior management for both control and disclosure purposes;
- a senior management commitment to a sound control system, through, for example, the active support of a separate and independent internal audit function, and regular audit committee review of control systems.

[7] Appendix I discusses each of these aspects in greater detail.

Efficient and effective operating controls and procedures

Operating controls and procedures involve a range of ex ante and ex post actions that are used to assure management that relevant risks are being addressed and protected against, and that proper procedures are being followed. Ex ante actions generally include procedures to control actions or behavior so as to minimize the risk of an adverse event occurring. Ex post actions on the other hand are designed to verify whether policies and procedures have been complied with. Ex post actions would include regular checking by management that controls are being observed, and reporting to management on performance, exceptions, and observed breaches of controls. Separately, they can also include internal audit review and reporting.

Responsibility for the development and supervision of operating controls and procedures must rest with the management of a central bank. Furthermore, while they are designed to limit risks, controls must not be so restrictive as to impede the effective and efficient performance of work.

Controls and procedures will, of course, vary across operational areas of a central bank. Box 2 summarizes the essential operating controls that a central bank should seek to adopt.

Reliable communication and information systems

Communication and information systems are the lifeblood of a control system. They provide the means for communicating goals, objectives, controls, and responsibilities throughout the bank, and for reporting to management, and beyond, on the bank's behavior, performance, and condition. These systems involve both financial and non-financial information. They must be capable of processing and reporting information reliably, accurately and on a timely basis so that management has the ability to constantly monitor activities and where necessary take corrective action. The increasing use of electronic data processing systems to process, store, and disseminate information introduces benefits in the communication process but it also requires a range of specific controls to ensure data security and integrity.

General controls for information and communication systems include:[8]

- classification controls to limit circulation of highly sensitive information and reduce risk of "leaks";
- access controls to limit and monitor access to both systems and information;
- segregation of duties;
- processing controls to ensure all transactions are recorded accurately and on a timely basis;
- audit trails for the reconstruction of events and transactions, along with controls for storage and retention of records;
- ready access by senior management, and internal audit, to the information system and reports;
- preparation of information for public release in accordance with all relevant laws, regulations and standards.

Some additional specific control measures for EDP systems include:

- strategic and financial management control of computing resources to ensure systems and applications support central bank objectives and business plans;
- systems development and implementation controls to ensure that the right systems are developed, properly tested, and installed securely;
- physical and system-based controls that ensure that hardware and software systems are secure against unauthorized access or operation, and can operate on an error-free and interruption-free basis;
- controls over end-user operations including access by both internal and external users, and physical security of equipment and software;
- development and regular review of procedures for the resumption of business in the event of a catastrophic event or other interruption to operations; and
- development and completion of procedures to ensure that all systems are Year-2000 compliant.
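As an added illustration, not code from the paper or from the IMF, the following Python sketch turns three of the general controls listed above into running code: access control by role, the "four eyes" separation of duties that Table 1 also calls for, and an audit trail from which events can be reconstructed and whose integrity can be re-verified. The role model, user names, financial limit and transactions are all constructed for the example; the hash chaining of trail entries is one common way of making a record tamper-evident, not a technique the paper prescribes.

```python
"""Added example (not from the IMF paper): a toy transaction ledger that turns
three of the general controls listed above into code -- access control by role,
segregation of duties with the "four eyes" principle, and a hash-chained audit
trail from which events can be reconstructed and tampering detected.
Roles, user names, the financial limit and the transactions are constructed."""
import hashlib
import json

# Constructed role model. Back office may both prepare and approve, so the
# four-eyes check (not the role check) is what stops one officer doing both.
PERMISSIONS = {"dealer": {"prepare"}, "backoffice": {"prepare", "approve"}}


class ControlViolation(Exception):
    """Raised when an action breaches a control; the attempt is logged first."""


class Ledger:
    def __init__(self, users, limit):
        self.users = users        # user name -> role
        self.limit = limit        # financial limit per transaction
        self.transactions = {}    # tx_id -> {"amount", "prepared_by", "approved_by"}
        self.trail = []           # append-only, hash-chained audit trail

    def _log(self, user, action, tx_id, outcome):
        # Each entry commits to the previous entry's hash, so altering or
        # deleting an earlier entry breaks every later link.
        prev = self.trail[-1]["hash"] if self.trail else "0" * 64
        entry = {"seq": len(self.trail), "user": user, "action": action,
                 "tx_id": tx_id, "outcome": outcome, "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.trail.append(entry)

    def _authorize(self, user, action, tx_id):
        # Access control: the user's role must carry the permission.
        if action not in PERMISSIONS.get(self.users.get(user), set()):
            self._log(user, action, tx_id, "denied: no permission")
            raise ControlViolation(f"{user} may not {action}")

    def prepare(self, user, tx_id, amount):
        self._authorize(user, "prepare", tx_id)
        if amount > self.limit:  # financial limit control
            self._log(user, "prepare", tx_id, "denied: over limit")
            raise ControlViolation("amount exceeds financial limit")
        self.transactions[tx_id] = {"amount": amount, "prepared_by": user, "approved_by": None}
        self._log(user, "prepare", tx_id, "ok")

    def approve(self, user, tx_id):
        self._authorize(user, "approve", tx_id)
        tx = self.transactions[tx_id]
        if tx["prepared_by"] == user:  # four eyes: a second person must approve
            self._log(user, "approve", tx_id, "denied: four-eyes")
            raise ControlViolation("preparer cannot approve own transaction")
        tx["approved_by"] = user
        self._log(user, "approve", tx_id, "ok")

    def verify_trail(self):
        """Recompute the chain; False if an entry was altered, removed or reordered."""
        prev = "0" * 64
        for i, entry in enumerate(self.trail):
            body = {k: v for k, v in entry.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["seq"] != i or body["prev"] != prev or digest != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo():
    """Run a constructed scenario; return the outcome of each control check."""
    ledger = Ledger({"alice": "dealer", "bob": "backoffice", "carol": "backoffice"},
                    limit=1_000_000)
    results = {}

    def attempt(label, fn):
        try:
            fn()
            results[label] = "allowed"
        except ControlViolation as err:
            results[label] = str(err)

    ledger.prepare("alice", "T1", 250_000)
    attempt("dealer_approves", lambda: ledger.approve("alice", "T1"))  # role check
    ledger.approve("bob", "T1")
    ledger.prepare("bob", "T2", 10_000)
    attempt("self_approval", lambda: ledger.approve("bob", "T2"))      # four eyes
    ledger.approve("carol", "T2")
    attempt("over_limit", lambda: ledger.prepare("alice", "T3", 5_000_000))
    results["trail_entries"] = len(ledger.trail)
    results["trail_ok"] = ledger.verify_trail()
    ledger.trail[1]["outcome"] = "ok"  # simulate someone rewriting a logged denial
    results["trail_after_tamper"] = ledger.verify_trail()
    return results, ledger


if __name__ == "__main__":
    for key, value in demo()[0].items():
        print(f"{key}: {value}")
```

Two design points carry over to real systems: every denied attempt is written to the trail before the exception is raised, so the trail records the breach attempts the paper's "reporting on exceptions and observed breaches" relies on, and the trail is verified by recomputation rather than trusted, which is what lets internal audit confirm that the record it reconstructs events from has not been edited after the fact.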

Risk-based audit review and follow up

Risk-based audit review and follow up completes the control system framework by providing a mechanism for independent examination of the control system according to specific risks faced by a central bank, and communication to senior management and the Board on the effectiveness and efficiency of the control system. Internal audit plays a special role by providing a verification on the adequacy of internal control procedures in addressing risks, and the integrity of the financial records of the central bank.

Internal audit processes can also be supported by audit committee oversight and by periodic peer review by independent, external accounting professionals that do not have an audit relationship with the organization. The following chapter examines in more detail the specific features of the internal audit process.

[8] Further details on each of the above points can be found in Appendix I.

III. INTERNAL AUDIT SYSTEMS

A. Objectives

The objective of internal auditing is to assist management of a central bank in the effective discharge of their responsibilities by providing an independent source of assurance about the management of risks and the operation of the control system. Internal auditing furnishes management with analyses, appraisals, recommendations, counsel, and information concerning the activities reviewed. The audit objective promotes effective control at reasonable cost.[9]

An effective internal audit can significantly strengthen the control environment and reduce risks. In a sense, internal auditing "controls" the control process by:

- examining and assessing the risks a central bank faces, and management's overall policies for acceptance of risk;
- reviewing whether controls and procedures are appropriate for the risks faced and are in fact being followed; and
- providing a review mechanism to ensure that appropriate action is taken on issues and recommendations arising from the internal audit process.

The risk based approach to internal audit means that it has wide applicability to all types of organizations, and avoids the need to establish a "unique" internal audit process for each type of organization. In the context of central bank operations, for example, any unique features and risks arising from market based monetary and exchange market operations are addressed in the design and application of the relevant controls. At this point, the role of the internal auditor becomes somewhat "generic" in terms of the processes used to conduct an audit. It is essential, however, that the internal auditor has or develops a sound knowledge of central bank operations and key risks so that the auditor can develop relevant and efficient audit programs, and communicate audit findings and recommendations to management in a clear and understandable manner.

[9] Institute of Internal Auditors, "Standards for the Professional Practice of Internal Auditing," Altamonte Springs, Florida, 1995.

In the context of central bank operations, internal audit review could include, but need not be limited to, consideration of the following aspects of control system operation:

- success or otherwise in the achievement of the objectives, functions, and activities of each area or department;

- identification by management of risks and development of policies for their control;

- the adequacy of the system of internal controls in all areas, but with prime focus on high-risk operations such as those involving high-value transactions with external parties;10

- compliance with policies and operating procedures;

- the existence of proper safeguards to protect assets and to prevent or discover fraud;

- efficiency of resource utilization and the quality of services or results;

- the reliability of EDP and other information processing systems, and the information produced by them;

- the accuracy of accounting records and processes, and the fairness of financial information reported to management and external parties; and

- reporting to senior management of audit findings and recommendations for improving control system operation.

B. Main Elements

Effective internal audit requires attention to the following main elements:

- an audit charter establishing the independence and role of the unit;

- professionally qualified staff organized into three main units capable of undertaking financial, operational, and EDP audits;

- an annual audit plan based on risk analysis of key central bank operations;

- careful and balanced attention to the planning, fieldwork, reporting, and follow-up phases of individual audits; and

- summarized, concise, and continuous communication with management on the operation of the control system.

10 Including, for example, foreign exchange dealing and investment operations, currency issuance, domestic monetary operations, operation of large-value and real-time settlement systems, and payment of central bank expenditures.

Internal audit charter

The independence and effective functioning of internal audit is drawn from the powers given to it by the governing board, typically through an internal audit charter. The format of such a charter as used by a central bank is contained in Appendix II; the main points covered by the charter should include:

- a definition of the role of the internal audit unit;

- accountability of the head of internal audit to the governor and governing board;

- confirmation that the internal audit process does not relieve managers of their responsibility for the maintenance and improvement of the systems under their control;

- freedom of access by audit staff to all systems, staff, and information;

- maintenance of audit objectivity and independence;

- professional standards for the conduct of audit work; and

- broad specification of audit activities.

Organization and staffing

To maintain independence, the internal audit unit is usually separate from other functions and departments in a central bank's organizational structure, with the Head of Internal Audit having a direct reporting line to the governor. While there is no universal benchmark model for the organization of an internal audit unit, modern practice has tended to adopt a structure that incorporates audit activities into three broad groupings with responsibility for:

- financial audit;

- operating audit; and

- electronic data processing (EDP) audit.

The financial audit responsibility is associated with examining the financial control of risks, along with compliance with internal and external rules and regulations. A prime focus is the proper operation of a central bank's information and accounting system to ensure that transactions are properly authorized, recorded, and reported. Operating audit responsibilities are more concerned with issues of efficiency and effectiveness in the pursuit of objectives, and are sometimes referred to as performance audits. Accordingly, such audits focus on whether controls are cost effective, whether functions can be performed differently to achieve more efficient utilization of resources, and whether existing rules and regulations are appropriate in the context of changing operations.11 EDP audit responsibilities are usually assigned to a separate group within an internal audit unit to focus on the structure, development, operation, and security of EDP systems.

11 Such an audit structure can also be found in the IMF, where the Office of Internal Audit and Inspection is charged with a broad range of responsibilities including: financial audits; internal organization reviews which examine whether the IMF is organized and carrying out its (continued...)

The actual size of an audit unit in terms of staff will depend very much on the size of a central bank, the risks it faces, and the extent to which automated facilities are used to monitor operations and controls. Current benchmark levels for staffing indicate that there should be one internal audit staff member per 100-200 staff members in a central bank.

Audit operations

The annual audit plan

It is the responsibility of the Head of Internal Audit to develop an annual audit work plan that typically covers the following activities:

- definition of all units within the bank that are subject to audit;

- assessment of the risks confronting each unit to be audited;

- determination of audit priorities; and

- completion of a plan incorporating a schedule, staff utilization, and a budget of costs.

The complete annual audit plan, along with the required budget, should be reviewed by senior management and presented to the audit committee for approval. It should be expected that lower-priority audits will be supplanted by unexpected demands which arise during the year. Alternatively, additional funds and staff resources could be authorized. At the end of the year, internal auditing should report to the audit committee on the accomplishment of the annual plan, explaining variances from the plan and from the original approved budget.

The individual audit process

The individual audit process consists of four stages:

- planning;

- fieldwork;

- reporting; and

- follow-up.

During planning the type and scope of the audit is firmed up, a detailed audit program developed, and the specific staff resources needed to accomplish the program identified. The first step involves review of available information including reports from prior audits and follow-up activity. Flowcharts of major work flows should be developed or updated, and trends in key performance indicators should be monitored. Unless it is a surprise audit,12 it is often useful to have a preliminary meeting with management, perform a walk-through test of transactions in the area to be audited, and review some of the more important documents or outputs. Management should be asked about any problems they are encountering or concerns they might have. Particular attention should be given to any recent or anticipated changes which would affect the unit.

11 (...continued) responsibilities in the most efficient manner; and effectiveness reviews which provide an evaluation of the function and work of specific aspects of Fund operations; see Brau (1997).

The fieldwork phase of the audit begins with a brief written announcement addressed to management of the area being audited that outlines the scope and general objectives of the audit. Staff auditors carry out the audit steps detailed in the audit program. Work papers are prepared to record and summarize the information collected by the auditor and the analytical work performed to reach conclusions. These papers allow audit management to oversee the work of auditors and provide critical evidence in cases of fraud or major control failure.

Good communication with management is important during the fieldwork phase. Open communication channels provide valuable information and encourage individuals to inform auditors of problems they are encountering which prevent them from accomplishing their assigned duties. During fieldwork, audit management must also be prepared to expand the scope of the audit and invest more time when serious issues are uncovered. Conversely, some steps may be eliminated where partial work indicates all is in order.

Audit reporting provides feedback to line and senior management on how well they are meeting their respective responsibilities for developing, implementing, and maintaining an effective system of internal controls. Reports include a detailed description of deficiencies, weaknesses, and opportunities to further improve controls. In cases where fraud, theft, or serious error has occurred, the audit report should also identify the specific factors that gave rise to the situation, and whether in the auditor's view some form of sanction, internal disciplinary action, or criminal prosecution should be pursued.13

A well-designed audit report stimulates responsible management to take corrective actions by including an agreed set of actions that are to be taken. Clarity in the audit report is essential to avoid confusion, anger, and loss of confidence in the audit function. Both the quality of communications with management during the report preparation phase and the clarity of the report will have a great bearing on the amount of time needed for follow-up.

12 In a modern risk-based control system, the need for surprise audits is reduced by the regular review by both management and internal audit of control awareness and adherence. The "surprise" element has become more a matter of management supervision than a regular feature of internal audit operations. Surprise audits may be necessary, however, in situations where fraud or serious irregularities are suspected. By their nature they cannot be specifically identified at the time an audit plan is developed, but the plan should contain sufficient flexibility to accommodate a surprise audit should the need for one arise.

13 Any such action would, however, be a matter for management to decide upon.

The nature, frequency, and timing of follow-up depend on many factors, including the type of audit report issued and the relationship which exists between auditing and management. Management may be asked to provide written responses to each audit issue within prescribed time frames. There can also be a requirement that certain categories of findings be resolved within certain time periods. Internal auditing should be responsible for continuing to follow up on identified audit issues until they are successfully resolved.

Communication with management

The internal auditor has a responsibility to communicate with all levels of management, the highest level being with the governor and governing board. At intermediate and lower levels, internal audit staff have a responsibility to maintain open communication with the management of individual work areas regardless of whether an audit is being conducted or not. Clear and effective communication between the internal auditor and management, at any level, is essential to ensure that:

- relevant information is conveyed to the right people;

- audit findings and recommendations are clearly understood;

- there is agreement on actions that need to be taken; and

- responsibility for action is correctly and clearly assigned.

Communication with senior management occurs on a continuous cycle, commencing with the development and submission of the annual audit plan for approval and finishing with an end-year review of control system performance and audit activities. During the year, reporting involves providing summary reports on major findings of individual audits and regular updating on progress with finalization of actions and issues arising from previous audits.

Communication with departmental and line management can occur in several ways. Audit action establishes one form of contact that will be ongoing both during and following the audit. At the commencement of the audit, it is important that management of the area understands the audit objectives and how the work will proceed. During the audit, management may also need to discuss with the auditor particular control issues and findings that arise, and possible actions to resolve problems or introduce new measures. Following the audit, and depending on the scope of audit findings, there may be a need for ongoing communication to finalize issues raised.

Beyond the area of specific individual audits, communication can and should extend to regular dialogue between the auditor and managers of important operational and high-risk areas. Management should be encouraged, for example, to seek the internal auditor's views on proposed changes to procedures, or to seek the internal auditor's participation in project teams for new systems development and implementation. And management should always be willing to initiate contact with internal audit when their own supervision of controls indicates that some failure in controls may have occurred or that changes are necessary. The existence of a regular internal audit cycle does not absolve management of the need to supervise operations in their area of responsibility, to propose possible improvements, and to seek, if necessary, assistance from the internal auditor in resolving control issues.

C. Review of Internal Audit

Audit Committees

An audit committee is a high-level committee that assists the senior management and governing board of a central bank in fulfilling their obligations. It usually has the authority to call for information and explanations from the bank's management, to contact auditees, to monitor and review internal audit work programs and reports, and to liaise with the external auditor.

Membership is usually limited to a small group (around five people) drawn from the senior management of the bank, as well as representatives with professional experience beyond the bank. The chairman of the committee should be a senior member of the governing board, such as the deputy governor.

A key responsibility of the committee is to monitor internal control over the key financial and operating risks of the bank. Since the committee cannot physically achieve this itself, it carries out its monitoring through oversight of the internal auditing process. Thus, it has a special relationship with the Head of Internal Audit, who should report regularly to the committee but would not be a member of it. The committee may also have additional specific responsibilities for monitoring the preparation of the Bank's financial statements, and the work and any recommendations of the external auditors.

External audit

The prime focus of the work of an external audit is the financial accounting system, specifically whether the auditor is able to express a truly independent opinion on the truth and fairness of the financial statements.14 In forming their opinion the external auditor must make an assessment of the control systems in an organization. Thus, the management letter provided by an external auditor may contain observations and recommendations on the internal control and internal audit systems.

In many countries, external auditors work closely with the internal auditor and rely, in part or substantially, on work performed by the internal auditor. Accordingly, the internal auditor can be expected to have regular and ongoing communication with the external auditor on the internal audit work program and audit results.

International Standards on Auditing provide specific guidance to the external auditor for assessing the quality and reliability of the work of the internal auditor.15 These standards require the external auditor to gain an understanding of the internal auditing function and to evaluate and test the work of internal audit.

Peer review of audit systems

Peer review, a feature of the accounting and auditing profession for many years,16 can be an additional mechanism for reviewing and improving a central bank's internal audit systems. In a sense, it is similar in concept to an "external audit" of the internal audit system; its basic purpose is to provide an independent view on whether the function is following recognized best practices and standards of internal auditing, and whether all relevant areas of risk to an organization are being properly addressed. In this context, the peer review process is entirely separate from, and goes substantially beyond, any work an external auditor may do in evaluating the work of an internal auditor as part of their financial statement audit processes. The timing of peer reviews, generally once every three to five years, is also less frequent than the annual external audit cycle.

14 The majority of audits performed by external auditors are financial statement audits, although external auditors may also perform operational audits or audits covering selected procedures agreed upon between the auditor and client.

15 International Standard on Auditing, No. 610, "Considering the Work of Internal Auditing," International Federation of Accountants, New York, NY, 1997.

16 For example, the American Institute of Certified Public Accountants requires all members engaged in public practice to participate in a peer review program, conducted in accordance with standards established by the Institute.

Commissioning a peer review of an internal audit function would typically involve selection of a suitably qualified external party, such as a leading accounting firm, to conduct a review and to report its findings to the senior management of the organization reviewed. Ideally, the firm selected should not have an existing client relationship, in particular through an external audit engagement, with the organization being reviewed. Peer review findings are usually treated as confidential and not disclosed to the public, although an organization might disclose in a general way that a peer review has been conducted and any changes made.17

IV. CONTROL AND AUDIT SYSTEM ISSUES FOR KEY CENTRAL BANK OPERATIONS

The unique nature of key central bank objectives and responsibilities can expose a central bank to risks that extend beyond financial and market-based risks to those encompassing more abstract elements such as loss of reputation and credibility. Accordingly, central bank control systems must focus on protecting against all risks that can threaten not only the achievement of objectives, but also the autonomy and independence of the central bank generally.18 This can be achieved by examining each of the following aspects of central bank operations:

- policy formulation and implementation;

- monetary and foreign exchange market operations;

- off balance sheet operations;

- currency, banking, and payments activities;

- prudential supervision and regulation,19 and financial sector surveillance;

- utilization of central bank resources;

- accounting systems; and

- public disclosure.

Crucial to the operation of control systems in each of these areas is the existence of expert staff and systems. It is management's responsibility to ensure that the quality and skills of these staff and systems are not only maintained but continuously reviewed to ensure that best practices are being used to pursue the central bank's objectives in each key area. Internal audit has a special role to play here by reviewing the steps management has taken in this regard. While the internal audit function may not necessarily examine and evaluate the actual procedures of expert systems, it can be expected to examine the extent to which these procedures embody best practice. Thus, for example, operational-style audits of central bank operations may involve the study of "comparator" organizations to identify similarities and differences in like practices and processes. The comparative process generally can also include management-initiated peer reviews of specialist and expert systems on a periodic basis.

17 For example, the Reserve Bank of Australia noted in its 1998 Annual Report that a peer review of internal audit had been conducted and that the composition of the Audit Committee had been changed in response to one of the recommendations contained in the review.

18 MAE Operational Paper 98/1, "Elements of Central Bank Autonomy and Accountability," provides further guidance on these aspects and the objectives of an autonomous central bank.

19 If the central bank has no supervisory or regulatory responsibilities, the recommendations apply to the country's supervisory agency.

Box 5 summarizes control measures for the key areas of central bank operations and is followed by further detail on each area.

[Box 5: Summary of control measures for the key areas of central bank operations. The box content did not survive extraction in this copy.]

A. Policy Formulation and Implementation

Central bank policy formulation and implementation requires controls that are designed to support good governance and transparency. External controls may exist in the form of legislative requirements for regular reporting to the Parliament by the central bank. This reporting is designed to ensure both accountability and assurance of integrity by the central bank in its policy actions and performance. Adoption of a code of good practices that embodies such reporting provides one form of control, and some relevant aspects to be considered in the context of transparency of central bank operations are contained in Box 6.

Within the central bank, internal controls may be used to protect the integrity of the policy formulation and decision-making process, and the security of information relating to that process. This is essential to avoid premature release of information, damage to the reputation of the central bank, and actions that might impair the effectiveness and efficiency of policy objectives, or give an unfair advantage to one particular group of market participants.

Internal audit review of controls in this area examines not so much the decision-making process, but rather the steps management has taken to ensure that the process is based on well-founded principles and that the actual controls established by management have been followed. Some specific control mechanisms that are relevant in this area include:

- specific delegations of authority by the governing board that establish the relevant authority to approve policy recommendations and implement necessary actions;

- secrecy and confidentiality requirements that are specified in the conditions of service for staff;

- a bank-wide policy on classification of official documents that limits circulation of highly sensitive documents on a need-to-know basis only;

- procedures for recording, storing, and tracking the circulation of official minutes and documents;

- secure transmission of information (e.g., specially sealed envelopes, encryption of electronically transferred information);

- a security awareness policy aimed at keeping staff aware of the need to protect information and guard against unauthorized release of information; and

- procedures for handling enquiries from the media and public generally, and for releasing information on important policy decisions and actions.

B. Monetary and Foreign Exchange Market Operations

Market operations are the means by which policy decisions are implemented, and internal controls are concerned with issues of both governance and transparency. Underlying transactions can be very large, can occur in foreign markets in different time zones, and can involve several counterparties. Moreover, the nature of central bank policy actions may require that transactions be undertaken regardless of the likely profit or loss outcome. In fact, operations may even incur substantial costs for a central bank.20

Financial controls are essential for good governance, by ensuring that the right transactions are undertaken, and that they are performed properly. Where losses result, controls must also ensure that such losses are properly measured and recorded so that they can be reported in a transparent manner. Non-financial controls are also relevant, particularly those relating to the security of information associated with transactions. Central bank market operations must, necessarily, result in sizeable changes to the portfolio of central bank assets and liabilities. Accordingly, a range of controls is required to ensure that assets are properly managed, are adequately protected, and are available to meet policy needs.

Controls are particularly relevant in the context of central bank responsibilities for managing a country's foreign exchange reserves. In this case, the assets concerned are located in another country, often under the supervision of a foreign agent or custodian, and information flows may be subject to delay. Inadequate attention to financial limits and controls can expose a central bank to the risk of losses that go well beyond what a bank might be prepared to accept as part of its policy stance in foreign exchange markets. Accordingly, both internal and external auditors must pay close attention to foreign exchange operations when determining the adequacy and observance of control systems, and the financial reporting of the results of operations. Important internal controls relating to central bank foreign reserves management responsibilities are shown in Box 7.

From the perspective of transparency, accounting controls are essential in ensuring that the accounting system fully captures all transactions, can properly record and reflect the true economic substance of operations, and discloses financial information in a manner that is understandable to the readers of financial statements.

The high risks associated with this area of central bank operations make it a prime area for internal audit attention. Generally, both the domestic and foreign exchange operations areas could expect to be audited regularly throughout the course of a year.21 External auditors should also pay particular attention to control systems, and to verification of all balances with external parties arising from these operations.

20 Domestic market operations to sterilize foreign capital inflows are one such case where, for example, the costs of such operations can be significantly higher than the returns on the counterpart foreign exchange acquired by the bank. Furthermore, because central banks hold large open positions in foreign currencies and marketable instruments, valuation losses can occur whenever market values of assets fall below their original cost, or liabilities increase above initially recorded values.

21 Internal audit work during the year would involve both on- and off-site audit work. Where electronic systems are used for processing transactions, much of the internal audit checking and testing of transactions can be done using computer systems and without the need for (continued...)

In addition to the general control mechanisms noted earlier, some important control procedures relating to monetary and exchange market operations include:

- inter-departmental coordination to ensure that domestic and foreign market functions are consistent in terms of policy objectives, and do not give rise to conflicting actions in, or messages to, financial markets;

- regular assessment of risk associated with markets and financial instruments used by the bank;

- specification of approved marketable financial instruments in which the bank may transact;

21 (...continued) interrupting actual work processes in audited areas.

- a formal system of limits on the value of transactions that can be undertaken by any one individual or function, on eligible trading instruments, and on major risks including market, counterparty, country, currency, liquidity, and interest rate risks;

- proper recording (e.g., tape recording, sequential numbering of transactions) of dealing operations to ensure an adequate verification or audit trail;

- separation of duties between dealing areas, settlement offices, and accounting units;

- established procedures for dealing with claims for late settlement or undue enrichment;

- regular reconciliation of accounting records with statements received from dealing counterparties and custodians; and

- specific embargoes on the timing, and procedures, for the release of information on market operations to limit the risk of early release, market confusion, or speculation.
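The sequential numbering, per-dealer limits, separation of duties, and reconciliation items above are detective controls that an EDP audit group can test directly against the dealing system's records rather than by interviewing the dealing room. The following Python script is an added illustration and not code from the paper or from any central bank: it runs those four checks over a constructed dealing log and a constructed counterparty statement. The record layout, the limit table, the counterparty name, and every figure are assumptions made for the example.

```python
"""Detective controls over a dealing log: sequence gaps, dealer limits,
separation of duties, and reconciliation to a counterparty statement.

Added illustration only; the record layout, the limit table, and every
transaction below are constructed for the example.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Deal:
    seq: int            # number assigned sequentially by the dealing system
    ref: str            # deal reference quoted to the counterparty
    dealer: str         # staff member who executed the deal
    settler: str        # staff member who confirmed and settled it
    ccy: str
    amount: Decimal     # absolute amount dealt, in ccy
    counterparty: str


# Constructed internal dealing log. Seq 1003 is missing, FX-1004 exceeds
# dealer_a's limit and was settled by the dealer, FX-1005 is unconfirmed.
DEALING_LOG = [
    Deal(1001, "FX-1001", "dealer_a", "settle_x", "USD", Decimal("25000000"), "BANK_P"),
    Deal(1002, "FX-1002", "dealer_b", "settle_y", "EUR", Decimal("10000000"), "BANK_Q"),
    Deal(1004, "FX-1004", "dealer_a", "dealer_a", "USD", Decimal("40000000"), "BANK_P"),
    Deal(1005, "FX-1005", "dealer_b", "settle_x", "USD", Decimal("5000000"), "BANK_P"),
]

# Constructed statement received from counterparty BANK_P: (ref, ccy, amount).
STATEMENT_BANK_P = [
    ("FX-1001", "USD", Decimal("25500000")),   # amount differs from our record
    ("FX-1004", "USD", Decimal("40000000")),
    ("FX-1007", "USD", Decimal("2000000")),    # never booked on our side
]

# Constructed single-deal limit per dealer, as a board-approved limit table would give.
DEALER_LIMIT = {"dealer_a": Decimal("30000000"), "dealer_b": Decimal("50000000")}


def sequence_gaps(deals):
    """Deal numbers missing between the lowest and highest seen. A gap means a
    ticket was cancelled, suppressed, or never entered, and must be explained."""
    seen = {d.seq for d in deals}
    if not seen:
        return []
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def limit_breaches(deals, limits):
    """Deals whose amount exceeds the dealer's limit; a dealer absent from the
    limit table has no authority to deal at all, so the limit is taken as 0."""
    return [d.ref for d in deals if d.amount > limits.get(d.dealer, Decimal(0))]


def duty_separation_breaches(deals):
    """Deals where the same person both dealt and settled."""
    return [d.ref for d in deals if d.dealer == d.settler]


def reconcile(deals, statement, counterparty):
    """Split references between our log and the counterparty's statement."""
    ours = {d.ref: (d.ccy, d.amount) for d in deals if d.counterparty == counterparty}
    theirs = {ref: (ccy, amt) for ref, ccy, amt in statement}
    return {
        "unconfirmed": sorted(ours.keys() - theirs.keys()),  # booked by us, not reported
        "unrecorded": sorted(theirs.keys() - ours.keys()),   # reported, never booked by us
        "mismatched": sorted(r for r in ours.keys() & theirs.keys() if ours[r] != theirs[r]),
    }


def run_controls(deals=DEALING_LOG, statement=STATEMENT_BANK_P, limits=DEALER_LIMIT):
    """Run all four checks and return the findings as data for the work papers."""
    return {
        "sequence_gaps": sequence_gaps(deals),
        "limit_breaches": limit_breaches(deals, limits),
        "duty_separation_breaches": duty_separation_breaches(deals),
        "reconciliation_BANK_P": reconcile(deals, statement, "BANK_P"),
    }


if __name__ == "__main__":
    for control, finding in run_controls().items():
        print(f"{control}: {finding}")
```

Every finding is returned as data rather than only printed, so the same functions can be scheduled against the live ledger extract and their output filed as audit work papers. The counterparty statement must be obtained by the reconciling unit independently of the dealing area; a statement that passes through the dealer's hands confirms nothing.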

The fact that central bank operations can also give rise to financial losses also requires special reporting arrangements to ensure that senior management is aware of the magnitude of losses and is able to properly explain the reasons for them. While the general subject of the policy implications of central bank losses goes beyond the scope of this paper, it needs to be recognized that the absence of a reliable system for monitoring and reporting the source and scope of financial losses may significantly hinder a central bank's ability to properly implement its monetary policy objectives.22

C. Off-Balance Sheet Operations

Developments in financial instruments, technology, and markets generally have seen increased use of off balance sheet instruments in central bank operations. Central banks have long engaged in more traditional off balance sheet activities such as forward exchange transactions, letter of credit facilities, and guarantees for customers. More recently, central banks have used derivative financial instruments in hedging interest rate and currency risks on their foreign portfolios, and some have also used futures in their exchange market activities.

22 Financial losses may imply a transfer of liquidity from the central bank to the private sector. Uncontrolled or unchecked, such losses may become so large as to impair the operations of the very policy actions that gave rise to the losses in the first place. For further discussion of the policy implications and remedies of central bank losses see Leone (1993) and Vaez-Zadeh (1991).

Off balance sheet activities can also have significant implications for the central bank's management and availability of international reserves. Consideration of these implications, as well as more general debate about the appropriateness and extent of such activities for central bank operations, goes beyond the scope of this paper. From the perspective of control systems, it is important that the implications of derivative and other off balance sheet financial operations be addressed by central bank management. Some relevant control measures include:

- a board-approved strategic policy on the use, or otherwise, of derivative financial instruments and risk limits;

- specification of the particular types of off balance sheet activities and instruments that may be used;

- documented procedures for selection and approval of particular instruments prior to commencement of any actual transactions;

- appropriate risk limits covering instrument and market, currency, and counterparty;

- thorough staff training on instruments, underlying markets, transaction processing, position measurement, and value at risk analysis; and

- regular reporting on activities, positions, and value at risk, along with "programmed" reporting when potential losses approach risk limits.
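The last two items above, approved risk limits and "programmed" reporting as potential losses approach them, can be implemented as a routine that recomputes value at risk for each position and flags any position whose utilisation of its board-approved limit has crossed a warning band. The following Python script is an added illustration, not the paper's or any central bank's code: it uses one-day historical-simulation VaR over constructed P&L histories. The position names, limits, ten-day histories, and the 80 percent warning fraction are assumptions made for the example. A position that has no approved limit is reported as a finding in its own right, since the control list above requires instruments to be specified and approved before they are used.

```python
"""Programmed limit reporting: historical-simulation value at risk compared
against board-approved risk limits, with a warning band before the limit.

Added illustration only; positions, limits, P&L histories, and the warning
fraction are constructed for the example.
"""
from math import ceil

# Constructed daily mark-to-market P&L (reporting currency, millions), oldest
# first, for four positions. JPY_option deliberately has no approved limit.
PNL_HISTORY = {
    "EUR_swap_hedge": [1.2, -0.8, 0.4, -2.5, 0.9, -1.1, 0.3, -3.0, 0.6, -0.2],
    "USD_futures":    [0.5, -0.4, 0.2, -0.6, 0.1, -0.3, 0.4, -0.5, 0.2, -0.1],
    "GBP_forward":    [0.2, -1.5, 0.1, -0.4, 0.3, -0.2, 0.1, -0.9, 0.0, -0.3],
    "JPY_option":     [0.1, -0.2, 0.0, -0.1, 0.1, -0.3, 0.0, -0.1, 0.2, -0.1],
}
# Constructed board-approved one-day VaR limits, same units.
VAR_LIMIT = {"EUR_swap_hedge": 3.2, "USD_futures": 2.0, "GBP_forward": 1.0}
WARNING_FRACTION = 0.8   # assumed: escalate once VaR uses 80% of the limit


def historical_var(pnl, confidence=0.95):
    """One-day VaR by historical simulation: the loss not exceeded on a
    `confidence` share of past days. Takes the k-th worst observation with
    k = ceil((1 - confidence) * n), which is conservative for short series."""
    if not pnl:
        raise ValueError("no P&L observations")
    losses = sorted((-p for p in pnl), reverse=True)   # worst loss first
    k = max(1, ceil((1 - confidence) * len(pnl)))
    return max(losses[k - 1], 0.0)                    # VaR is never negative


def classify(var, limit, warning_fraction=WARNING_FRACTION):
    """Utilisation of the limit and the reporting status it implies."""
    utilisation = var / limit
    if utilisation >= 1.0:
        status = "BREACH"
    elif utilisation >= warning_fraction:
        status = "WARNING"
    else:
        status = "OK"
    return utilisation, status


def limit_report(pnl_history=PNL_HISTORY, limits=VAR_LIMIT, confidence=0.95):
    """Per-position VaR, limit, headroom, utilisation, and status."""
    report = {}
    for position, pnl in pnl_history.items():
        var = historical_var(pnl, confidence)
        limit = limits.get(position)
        if limit is None:
            # Dealing in an instrument with no approved limit is itself a finding.
            report[position] = {"var": var, "limit": None, "headroom": None,
                                "utilisation": None, "status": "NO_LIMIT"}
            continue
        utilisation, status = classify(var, limit)
        report[position] = {"var": var, "limit": limit, "headroom": limit - var,
                            "utilisation": utilisation, "status": status}
    return report


def positions_to_escalate(report):
    """Positions that trigger programmed reporting to senior management."""
    return sorted(p for p, r in report.items() if r["status"] != "OK")


if __name__ == "__main__":
    rep = limit_report()
    for position, r in rep.items():
        if r["limit"] is None:
            print(f"{position:16s} VaR={r['var']:.2f} no approved limit  {r['status']}")
        else:
            print(f"{position:16s} VaR={r['var']:.2f} limit={r['limit']:.2f} "
                  f"util={r['utilisation']:.0%} {r['status']}")
    print("escalate:", positions_to_escalate(rep))
```

A production report would use a far longer history (a year or more of daily P&L) and complement VaR with stress tests, since historical simulation over ten observations reflects only the worst day actually seen. The point here is the control flow itself: compute, compare to the approved limit, and escalate before the limit is reached rather than after it has been breached.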

Internal audit review of off balance sheet operations does not always occur as a separate process. Rather, the internal auditor would look for instances of such activities in conducting the planning stage for an audit of a specific area, such as foreign exchange dealing and investment operations. To the extent that central banks are involved in off balance sheet operations of some magnitude, both internal and external audit review would generally occur on an annual basis, with the internal auditor focusing on control effectiveness and the external auditor focusing on the truth and fairness of the resulting financial information that is disclosed in the financial statements.

D. Currency, Banking, and Payment System Activities

Currency, banking, and payment system related activities involve a mix of policy and transaction based operations that have relevance for both governance and transparency. Policy aspects are particularly relevant where the central bank has responsibility for the surveillance and/or operation of the domestic payment system. Strategic controls are necessary to ensure that the central bank properly addresses the various risks in the payment system, and applies system policies on an even handed basis.

At the operational level, central bank involvement in payment system processing and settlement will involve transactions of high value and/or high volumes.23 Operating controls therefore must ensure that central bank systems are free from risk of interruption and can process and record payment system transactions on the due date. Failure of controls to ensure, for example, error and interruption free processing could undermine confidence in the central bank’s “control” of the system, and could also lead to financial loss through compensation payments.

23For further detail on payment system issues of relevance for a central bank see Hilbers and Roberts (1998), MAE Operational Paper OP/98/2, Payment System Reform.


Currency and banking operations involve transactions in major liabilities and assets of a central bank. A key focus is protecting currency from illegal circulation or theft. Accordingly, physical security controls play a large role in storage, processing and distribution of currency. Accounting controls are also used to track values and movement of currency. Banking operations largely require accounting controls to properly record and process customer transactions including, where central bank lending operations exist, credit control and monitoring procedures.

Internal audit review of these areas will vary. Where new systems, such as a real time gross settlement system, are being developed the internal auditor would be expected to be involved in all stages of planning, development, and implementation. In ongoing operations, the audit cycle for both payment systems, and for currency and banking operations would generally involve an annual audit inspection. Accompanying this would be ongoing audit monitoring of processing systems to verify that such systems are in constant operation and properly handling the bank’s relationships with external parties.

Some relevant controls that need to be considered in each of the abovementioned areas include:

• strategic controls in the form of organizational structure and management delegations that set clear responsibility for payment system monitoring and risk analysis;

• clear organizational separation between payment system supervision and banking functions by, for example, a Payment System Policy and Surveillance Department that is separate from the Banking Services Department;

• a strategic planning process for development of new payment system facilities;

• a requirement for executive board approval of new projects and banking products;

• secure communication facilities for computer based connections with other participants in payment systems, including controls over access, equipment and data standards, and firewall protection over incoming transmissions;

• established plans and regular testing of facilities to guarantee continued system operation (e.g., through uninterruptable power supply, and full-time back up systems);

• regular and exception reporting on system operation and events (e.g., system downtime, participant problems);

• documented procedures for operating on and maintaining customer accounts;

• periodic checking of staff compliance with procedures for handling cash and customer accounts;

• daily balancing of movements in, and periodic verification (e.g., physical counting) of, cash holdings;

• dual control over holdings and movements in bulk cash;

• documented procedures for processing and authorization of all credit facilities;

• continuous EDP-based monitoring by internal audit of “temporary” and other accounts (e.g., suspense accounts, transit accounts, reclassified loan accounts).
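The final control in the list, continuous EDP-based monitoring of suspense and transit accounts, is a classic computer assisted audit technique: items posted to such accounts are expected to clear within days, and anything that lingers is where errors and concealed losses accumulate. The following is an added example, not code from the paper or from any central bank; the ledger line layout, the account and reference names, the dates and amounts are all constructed. It nets each reference within an account, reports open items older than a tolerance, and gives the running balance of each monitored account for daily balancing.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Hypothetical suspense/transit ledger lines: (account, reference, posting_date, amount).
# Positive amounts are debits, negative amounts credits. Constructed sample data.
SAMPLE_ENTRIES = [
    ("SUSP-001",    "TRF-1001", date(2024, 3, 1),  Decimal("1000.00")),
    ("SUSP-001",    "TRF-1001", date(2024, 3, 2),  Decimal("-1000.00")),  # cleared next day
    ("SUSP-001",    "TRF-1002", date(2024, 3, 3),  Decimal("250.00")),    # never cleared
    ("TRANSIT-002", "CHQ-77",   date(2024, 2, 10), Decimal("5000.00")),
    ("TRANSIT-002", "CHQ-77",   date(2024, 2, 12), Decimal("-4500.00")),  # partially cleared
    ("TRANSIT-002", "CHQ-78",   date(2024, 3, 28), Decimal("80.00")),     # recent, still in transit
]


def open_items(entries):
    """Net each (account, reference) pair and return those that do not clear to zero,
    together with the earliest posting date so the item can be aged."""
    net = defaultdict(Decimal)
    first_seen = {}
    for account, ref, posted, amount in entries:
        key = (account, ref)
        net[key] += amount
        first_seen[key] = min(posted, first_seen.get(key, posted))
    return {k: (bal, first_seen[k]) for k, bal in net.items() if bal != 0}


def stale_items(entries, as_of, max_age_days):
    """Exception list: open items older than max_age_days, oldest first."""
    flagged = []
    for (account, ref), (balance, first) in open_items(entries).items():
        age = (as_of - first).days
        if age > max_age_days:
            flagged.append({"account": account, "reference": ref,
                            "balance": balance, "age_days": age})
    return sorted(flagged, key=lambda r: r["age_days"], reverse=True)


def account_balance(entries, account):
    """Running balance of one account, for comparison with the general ledger."""
    return sum((amt for acct, _, _, amt in entries if acct == account), Decimal(0))


if __name__ == "__main__":
    for row in stale_items(SAMPLE_ENTRIES, date(2024, 3, 31), max_age_days=10):
        print(f"{row['account']:12} {row['reference']:10} "
              f"open={row['balance']:>9} age={row['age_days']}d")
    for acct in ("SUSP-001", "TRANSIT-002"):
        print(acct, "balance", account_balance(SAMPLE_ENTRIES, acct))
```

Amounts are kept as Decimal rather than float so that a debit and its clearing credit net to exactly zero; a partially cleared item (CHQ-77 above) shows its residual, which is the figure the auditor asks the processing area to explain. The same routine serves reclassified loan accounts by pointing it at those account codes.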


E. Prudential Supervision and Regulation, and Financial System Surveillance

Central bank responsibilities for prudential supervision and financial system surveillance can result in the central bank holding especially sensitive information on individual financial institutions, and the system generally. Good governance requires proper handling of information to avoid improper disclosure that may lead to inappropriate behavior in markets and misinterpretation of central bank actions. Controls must ensure utmost confidentiality of information, in particular on individual institutions’ data, through tight classification and access controls. This extends to having established procedures on who may clear information for release and who may be a bank spokesperson in handling media and other enquiries.24

Good governance also requires a control mechanism such as a code of conduct to ensure that central bank staff are free from any conflict of interest or undue pressure. Such pressures may arise from financial connections to banks, or from obvious or political affiliations. The code may also require some form of annual reporting by senior staff to the Governing Board on changes in their personal assets and liabilities.

Emergency support provided to the financial sector, or individual institutions, introduces risks for a central bank that extend well beyond those associated with “normal” credit operations. While it may not be possible to accurately predict the necessity for a central bank to provide such facilities, it is possible to develop a “game plan” of likely responses to varying circumstances. Such contingency planning is in effect a control measure aimed at providing early identification of particular types of risks, and acceptable responses. It also reduces the risk of incorrect or hasty decision making when a crisis unfolds.

Internal audit review of controls in this area may tend to focus more on non-financial aspects of central bank operations, such as procedures for handling sensitive information, maintenance of confidentiality, the existence and adequacy of contingency planning, and compliance with a code of conduct. The auditor may also examine the steps taken by management to ensure that staff maintain their professional competencies and remain abreast of developments in supervisory techniques. Where audit of non-financial aspects is concerned, the audit cycle may be less frequent than for other areas of central bank operations involving financial flows and exposures. This would change, however, if a central bank became confronted with an emerging financial crisis or found itself having to provide emergency financial support to banks.

24These observations are also relevant in cases where an organization other than the central bank is responsible for prudential regulation and supervision of banks.

25The annual reports of the Bank of Canada, the Reserve Bank of Australia, and the Reserve Bank of New Zealand each provide useful illustrations in this regard. These reports and those of many other central banks can be accessed through the Internet using, for example, links provided on the BIS website noted in the reference section of this paper.


F. Utilization of Central Bank Resources

Effective and efficient utilization of a central bank’s human, financial, and tangible resources is a prime component of good governance and also facilitates improved transparency in central bank performance and management. While central banks do not have a profit maximization objective, they must nonetheless seek to make the best use of their resources. Measures of performance, therefore, tend to focus on how well central banks control and utilize resources in achieving their macroeconomic objectives. Control systems typically are directed towards controlling consumption of resources (i.e., expenditure control), and minimizing risks of financial losses. Increasingly, central banks are disclosing through their annual reports and other publications the steps they take to improve the utilization of the resources under their control.25

The internal audit process can involve both financial and operational audit processes in this area. Financial auditing is used to establish the effectiveness of the management planning and control process in avoiding losses and may, in part, occur as part of the annual audit cycle of the financial accounting system. Operational auditing, on the other hand, may occur less frequently and focus more on whether management has attempted to follow best practices to achieve effective and efficient utilization of central bank resources. Some specific control features used by central banks include:

• a strategic planning process that includes current year and medium term “business” planning, across key central bank functions;

• a board commitment to continuous improvement in utilization of central bank resources;

• a formal bank-wide budget process that sets annual expenditure forecasts for operating expenses, capital expenditures, and multi-year projects and, as well, forecasts of operating revenues;

• a formal process of delegating approval to incur expenses within budget limits to heads of functions or departments, along with procedures for approval of non-budgeted expenditures;

• regular, usually monthly, monitoring of actual expenditures with budget amounts, and analysis of any variances;

• annual review of budget and actual outcomes along with procedures to ensure that any unused budget funds are saved for future periods to avoid “spend it or lose it” practices from developing. Similarly, any proposals to “carry over” unused funds should be resubmitted as part of the budget process for the next period and not treated as an automatic addition to the next budget;

• accounting systems that are capable of allocating both direct and overhead costs to individual departments, functions, or activities so as to produce meaningful measures of the costs of performing specific functions;

• full cost recovery pricing of those services (e.g., banking, payments, book entry, currency) that are provided in competition with commercial providers of similar services;

• regular monitoring of the costs of providing key central bank services and outputs;

• comparison or bench marking of central bank services, costs, and revenues with other organizations;

• continuous monitoring of business processes, and associated control measures, to remove unnecessary or duplicate procedures.

G. Accounting Systems

Reliable accounting systems are essential for the operation of control systems that support good governance, and for financial transparency of central bank operations. Strategic controls are necessary in the form of relevant accounting policies that are consistent with international best practice.26 Procedural controls are necessary for ensuring reliability of system operations, timely recording and reporting of information, controlled access to accounting records and related systems, and proper classification levels that limit the risk of unauthorized access to, or distribution of, information. EDP systems must be protected by the full range of controls, as discussed earlier, that guarantee system integrity and availability.

For the accounting system there is also a need for special supervisory controls through the accounting department which must ensure that:

• responsibility for development of accounting policies and procedures is assigned to one central unit such as the accounting department, notwithstanding that actual accounting operations may be decentralized in the bank;

• accounting policies apply to all operations, and accounting procedures are followed consistently by all areas of the central bank;

• the operation of the accounting system is supervised on a daily basis by the accounting department;

• specific aspects of supervision cover daily balancing of accounts with prompt correction of any imbalances, completeness and accuracy of accounting entries, production of daily and periodic reports, maintenance and changes to general ledger accounts, and operation of the computerized accounting system;

• there is effective communication and coordination between the accounting department and the other areas of the central bank that are responsible for entering data into the accounting system;

• regular reviews are made of the usefulness of internal accounting reports to users in other departments; and

• there is open and regular communication between the accounting department and the internal auditor.

26This term generally applies to policies that are consistent with international accounting standards (IAS) as promulgated by the International Accounting Standards Committee or, where no IAS exist, practices generally adopted by banks that are consistent with the underlying principles of IAS.

Reflecting the critical role of financial information in the control process, it is not surprising that internal audit has an ongoing relationship with the accounting system and the accounting department. Similarly, the external auditor would look to the operation of both the accounting control system and the adequacy of the internal audit process in forming their opinion on the financial statements that form the basis of the public disclosures of a central bank.

H. Public Disclosure

Achieving transparency of central bank operations and governance requires a framework of accountability and clear communication that applies to all public disclosures of a central bank. A sound control system will most certainly provide the basis for the reliability, completeness and timeliness of information contained in public disclosures, but some specific controls are needed to ensure a transparent representation of the facts in all public disclosures.27 These control measures include:

• a senior management commitment to a policy of honesty and transparency in reporting;

• a clearly announced schedule for the release of major economic and financial information;

• a process of “listening to the markets” to gauge reaction to central bank disclosures and to ascertain the extent to which additional information could be provided;

• regular review of the form and content of annual reports, annual financial statements, and other publications to ensure that information for general release is presented with clarity and relative simplicity;

• disclosure of information that goes beyond the strict requirements of laws, or standards, in order to provide a proper understanding of central bank operations.

At the end of the day, the quality of a central bank’s governance and public disclosure about its performance becomes the basis on which it is judged. Effective and efficient internal control and audit systems provide the support management needs to ensure that its standards for organizational “behavior” are the right ones, and that the results of operations are properly conveyed to all interested parties.

27See also section A and Box 6.


References

American Institute of CPAs, 1998, Framework for Internal Control.

Australian Society of CPAs, 1998, Australian Auditing Standards (Melbourne).

Basle Committee on Banking Supervision, September 1997, Core Principles for Effective Banking Supervision (Basle).

Basle Committee on Banking Supervision, September 1998, Framework for Internal Control Systems in Banking Organizations (Basle).

Brau, Eduard, November 3, 1997, IMF Evaluation is Broad and Continuous, interview in IMF Survey (Washington: International Monetary Fund).

Committee on Financial Aspects of Corporate Governance, 1992, The Financial Aspects of Corporate Governance, Cadbury Report 1992, the London Stock Exchange (London).

European Monetary Institute, Banking Supervisory Sub-Committee, 1997, Internal Control Systems of Credit Institutions (Frankfurt).

Hilbers, Paul, and Nick Roberts, 1998, “Payment System Reform,” MAE Operational Paper OP/98/2 (Washington: International Monetary Fund).

International Accounting Standards Committee, 1998, International Accounting Standards (London).

International Federation of Accountants, 1997, Codification of International Standards on Auditing and International Auditing Practice Statements (New York).

International Monetary Fund papers prepared for Monetary and Exchange Affairs Department-sponsored workshops on Central Bank Accounting and Audit:

Major Elements of Internal Control and Audit, April 14-18, 1997, Joint Vienna Institute, Vienna, Austria.

Practical Aspects of Internal Control and Audit, October 13-17, 1997, Joint Vienna Institute, Vienna, Austria.

Internal Control and Auditing at Central Banks, November 17-21, 1997, Peoples Bank of China, Guangzhou, China.

International Monetary Fund, February 2, 1999, Draft Code of Good Practices on Transparency in Monetary and Financial Policies (Washington: International Monetary Fund MAE).

International Monetary Fund, January 1998, World Economic and Financial Surveys, Toward a Framework for Financial Stability (Washington).

Institute of Internal Auditors, 1998, Statements on Internal Auditing Standards (Altamonte Springs, Florida).

Institute of Internal Auditors, 1995, Standards for the Professional Practice of Internal Auditing (Altamonte Springs, Florida).

Leone, Alfredo, 1993, “Institutional and Operational Aspects of Central Bank Losses,” IMF Paper on Policy Analysis and Assessment 93/14, September (Washington: International Monetary Fund).

Lybek, Tonny, 1998, “Elements of Central Bank Autonomy and Accountability,” MAE Operational Paper OP/98/1 (Washington: International Monetary Fund).

Organization for Economic Cooperation and Development, 1999, OECD Principles of Corporate Governance (Paris).

Reserve Bank of Australia, 1998, 1998 Report and Financial Statements, August (Sydney, Australia).

Vaez-Zadeh, Reza, 1991, “Implications and Remedies of Central Bank Losses,” in The Evolving Role of Central Banks, ed. by Patrick Downes and Reza Vaez-Zadeh (Washington: International Monetary Fund).

Internet Addresses

Bank for International Settlements: http://www.bis.org

Financial Accounting Standards Board (FASB): http://www.rutgers.edu/Accounting/raw/fasb/home.htm

Institute of Internal Auditors: http://www.theiia.org/

International Accounting Standards Committee (IASC): http://www.iasc.org.uk

International Federation of Accountants (IFAC): http://www.ifac.org

International Monetary Fund (IMF): http://www.imf.org


Glossary of Terms

Accounting system - a series of tasks and records of an entity which are processed as a means of maintaining financial records. These systems identify, assemble, analyze, calculate, classify, record, summarize, and report transactions and other events.

Annual report - a report on an annual basis which includes its audited financial statements together with the audit report thereon.

Audit - examination of the functioning of an organization and the reporting on its functioning, including in financial terms, in relation to identified guidelines and objectives (cf. financial/organizational audits).

Audit committee - a small, high level committee that monitors internal control procedures.

Audit plan - a description of the expected scope and nature of an audit with sufficient detail to guide the development of an audit program.

Audit program - sets out the nature, timing, and extent of planned audit procedures required to implement an overall audit plan. The program serves as a set of instructions to assistants involved in the audit and as a means of control over the proper execution of the work.

Auditor - the person with final responsibility for an audit. The term can also refer to an audit firm.

Computer assisted audit techniques (CAAT) - the application of audit procedures using the computer as an audit tool.

Confirmation - a positive response to an inquiry to corroborate information contained in the accounting records.

Control environment - the overall attitude, awareness, and actions of directors and management regarding the internal control system and its importance in the entity.

Control risk - the risk that material misstatements could occur in an account balance or class of transactions and will not be prevented or detected on a timely basis by the internal control system.

Detective controls - actions taken to detect and correct undesirable or inappropriate events which have already occurred. They focus on what went wrong and who was responsible, after the fact (cf. Preventive controls).

Error - an unintentional mistake in financial statements (cf. Fraud).


Exception report - a report that identifies situations in which exception criteria are breached or authority limits exceeded. These reports assist institutions to concentrate their efforts on exceptional situations.

Financial audit - audit of the financial statements and related financial controls (cf. Organizational audit).

Financial statements - the balance sheet, income statements or profit and loss accounts, statements of changes in financial position, notes and other statements and explanatory material which are identified as being part of the financial statements.

Financial statement assertion - assertions by management, explicit or otherwise, that are embodied in the financial statements concerning, for example: existence of assets; rights and obligations; occurrence of transactions and events; completeness of records; valuation of assets; income and expense measurement on a proper basis of accrual; presentation and disclosure in accordance with an applicable framework.

Fraud - an intentional act by one or more individuals in management, employees, or third parties, which results in a misrepresentation of financial statements (cf. Error).

General purpose financial report - a report intended to meet the information needs common to users who are unable to command the preparation of reports tailored to satisfy, specifically, all of their information needs.

Going concern basis - an assumption that an entity will continue in existence for the foreseeable future and that there is no intention or need to liquidate or curtail operations. As a result, assets are valued on the basis of continued use rather than at liquidation value.

Governance - the relationships, including in terms of accountability, between an organization’s management, its board, its shareholders and other stakeholders that encompass the way organization objectives are set, decisions are made, and accountability for actions maintained.

Internal auditing - an internal appraisal activity that includes examining, evaluating and monitoring the adequacy and effectiveness of the accounting and internal control systems.

Internal control system - all the policies and procedures (internal controls) adopted by the management of an entity to assist in achieving management’s objective of ensuring: the orderly and efficient conduct of its business; adherence to management policies including compliance with all applicable laws and regulations; the safeguarding of assets; prevention and detection of fraud and error; the accuracy and completeness of accounting records; and the timely preparation of financial information.

Irregularities - a term used in auditing when referring to any of the following: fraud; other illegal acts; other acts of contravention or non-compliance; intentional but not fraudulent or other illegal misstatements; errors.

Management information system - mechanisms for gathering and producing information about an entity’s business, the state of affairs and risks to which it is exposed, and for distributing the information to appropriate individuals or groups within the entity in a form that enables them to monitor, review, and act upon the information in carrying out their duties.

Material weakness - the weaknesses in internal control that could have a material effect on the financial statements. Information is material if its omission or misstatement could affect the economic decisions of users taken on the basis of the financial statements.

Opinion - an auditor’s clear, written expression of an opinion on the financial statements. An unqualified opinion is expressed when the auditor concludes that the financial statements give a true and fair view (or are presented fairly in all material respects) in accordance with an identified reporting framework.

Organizational audit - audit of the functioning of an organization in relation to its objectives and of the effectiveness and efficiency of controls (cf. Financial audit).

Peer review - in the context of internal auditing, an independent review conducted by appropriately qualified professionals on whether the internal audit function is following recognized best practices and standards of internal auditing, and whether all relevant areas of risk to an organization are being properly addressed.

Preventative controls - controls designed to provide reasonable assurance that errors or illegal acts do not occur (cf. Detective controls).

Reconciliation - the process of verifying and agreeing information from separate sources that relate to one account, or class of accounts or transactions, in order to confirm the accuracy and consistency of accounting records.

Sampling - the application of audit procedures to less than 100 percent of the items within an account balance or class of transactions to enable the auditor to obtain and evaluate audit evidence.

Transparency - a process by which information about existing conditions, decisions, and actions is made accessible, visible, and understandable.

Walk-through test - the tracing of a few transactions through the accounting and information system.

Working papers - a record of the auditor’s planning; nature, timing and extent of auditing procedures performed; results of such procedures; and conclusions drawn. Working “papers” may be in the form of data stored on paper, film, electronic media, or other material.

APPENDIX I

MAIN FEATURES OF INTERNAL CONTROL SYSTEMS

Controls exist at all levels and in all functions of an organization. Their form may vary from broad principles at the strategic level, to detailed operating procedures at the work place. This appendix examines the main features that are necessary for the effective and efficient operation of the control environment, operating controls and information systems components of a control system outlined in Chapter II.

The control environment

The control environment in effect sets the strategic framework on which the detailed practices and procedures of the control system are based. Accordingly it is essential that there is clarity in organizational purpose and structure along with unambiguity in the delegation of responsibilities and powers. This requires a range of actions and standards set by the governing board and senior management of a central bank that includes:

• a clear definition of objectives and policies, supported by a strategic planning and budgeting process which are clearly communicated throughout the whole bank;

• an organization structure that clearly defines the allocation of duties, responsibilities, and lines of reporting;

• a risk acceptance policy that is based on an assessment of all risks facing the central bank and is reviewed annually;

• adequate information and communication systems to safeguard the flow of information to senior management for both control and disclosure purposes;

• a senior management commitment to a sound control system, through, for example, the active support of a separate and independent internal audit function, and regular audit committee review of control systems.

It is difficult to envisage a control system being effective in the absence of any of these strategic elements. Where objectives are concerned, it is essential that there is an integrated process for translating strategic objectives into specific goals and targets at lower levels in the central bank and for building up bank-wide “business” plans and budgets. This integration is essential if the management planning and budgeting system is to properly consolidate the activities of all specific areas and functions to provide an accurate and total picture of the bank’s planned operations.

Clearly defined duties, responsibilities and reporting lines work to reduce the risks of unauthorized transactions occurring, of failure to take action when required, of events being overlooked because of poorly defined lines of communications, or of events failing to be reported to senior management. They are an integral part of a central bank’s planning and budget reporting systems.

Implicit in this area is a close attention to the separation of duties principle in every respect so that actual observance reflects the substance of the principle. This may involve a range of control measures, particularly where several closely connected individuals operate in different areas associated with a particular process.28

Modern control systems must include a formal procedure for periodically assessing important risks facing a central bank and determining acceptable levels of risk that the bank is prepared to endure. Periodical review is essential for ensuring that new or emerging risks do not go undetected. Risk acceptance levels and policy must be set at a strategic level to avoid individual areas taking risks that, while perhaps acceptable from their own perspective, may have financial and reputation costs beyond those the governing board of the bank is prepared to accept.

Control systems are dependent upon reliable information systems. These systems cover financial and non-financial information that is reported both internally and externally. The accounting system should be the main source of all financial information; the existence of sound accounting policies and procedures along with regular audit examination works to ensure that financial information produced by this system is reliable, timely, and readily understood. Financial and non-financial information is essential for keeping senior management informed on organization performance and control system effectiveness. Ensuring the reliability of information systems also requires that proper controls are in place for the security, and operation of the bank’s electronic and manual information processing systems.

Finally, senior management commitment to a sound control system is essential for ensuring bank-wide acceptance of, and compliance with, the control system. It can be evidenced by the importance management attaches to regular risk review, and the setting and monitoring of annual plans and performance. It will also be evidenced through the creation and support of a clearly separate and independent internal audit unit, and an audit committee.

Operating controls

Operational controls typically exist in the form of procedures that relate to specific processes, or individual positions associated with a process. They can be financial and non-financial, but both have the same objective, namely, to control activities so as to achieve performance or output goals while keeping risks within acceptable limits. Common types of operational controls include:

• effective segregation of duties to avoid control of operations by any one individual;

• application of the "four eyes" principle;

• documentation of operational procedures to ensure staff awareness and observance of relevant procedures;

• documentation of delegated powers and authorities for individual positions;

• restrictions on access to information and assets to prevent unauthorized access;

• appropriate staff training so that staff capabilities are commensurate with their responsibilities;

• proper and timely recording of all transactions;

• financial limits on specific activities and individuals;

• budget limits on expenditures, with specific procedures for non-budgeted expenditures;

• security procedures for protection of human, information and tangible assets;

• development of business resumption plans for unforeseen or catastrophic events;

• regular review of operating performance against plan targets or objectives;

• regular checking to verify that procedures are being followed;

• regular reporting to keep senior management aware of performance, control monitoring, and any operating exceptions, or breaches of controls; and

• periodic review of controls and actual work practices.

Regard may need to be had, for example, to close family connections between staff members, or to family or other business connections between bank staff and members of other organizations with whom the central bank transacts.

Separation of duties reflects the basic principle of internal control that no individual should be allowed to dominate a transaction or process from start to finish. This principle is reflected in an organizational structure that assigns specific responsibilities for different parts of a process to separate departments. It can also be seen in individual departments of a central bank, such as a foreign exchange dealing room where dealing is separated from confirmation and settlement of transactions. In an accounting system, for example, data entry, entry authorization, and account reconciliation are all performed by different individuals.

The "four eyes" principle operates in partnership with the segregation principle. It ensures that the work of one person is supervised or checked by another. Supervision may be immediate or subsequent, the timing largely depending on the value and risk associated with a particular activity. In the dealing room environment, examples of the principle are when a chief dealer monitors positions of individual dealers, or when back office staff check exchange rates and calculations used in deals. In the accounting environment, examples include when the person authorizing an entry checks the coding of the person who prepared the accounting entry, or when the reconciliation clerk verifies an account balance between the accounting records and a bank statement.

Documentation and awareness of procedures is crucial to ensure that staff not only know specific procedures, but can refer to them when in doubt or when training other staff. There should also be a bank-wide standard for issuing and numbering procedures or instructions, along with a central record of all procedures and manuals that are in force. Responsibility for the preparation of procedures and manuals can be assigned to specific operational areas, but a universal standard and central reference point reduces the possibility of duplicate or conflicting instructions being issued. It also facilitates audit review of the control procedures that are current at a point in time.

Another aspect of documentation concerns delegated powers and authorities. Central banks in particular rely on proper maintenance of lists of delegations and authorized signing officers in their dealings with domestic and foreign financial institutions, and other large customers. Internally, budget management systems also include arrangements for delegating responsibility within budget parameters. Documentation can take the form of authorized lists, lists of duties for specific positions, and more generally descriptions of functions and responsibilities of a specific department or division. Such records would normally be maintained by the respective department concerned, which would also have the responsibility for keeping the records up to date.

Delegations and authorizations can be used to place restrictions on access to information and assets. Restriction on access to information can be in the form of a hierarchy of access levels that reflect the sensitivity of information and the relative "need to know" status of users. Such restrictions work to reduce the risk of, for example, unauthorized release of information that may bring embarrassment or loss of reputation to a central bank. Restrictions on access to assets for financial control purposes often take the form of limits on who is authorized to sell or dispose of assets, and on the actual value of a transaction that any one individual can undertake. This works to reduce the risk of financial loss from unauthorized disposal or removal of assets, or from transactions exceeding authorized amounts. Access controls can also take the form of limits on who can access particular areas and systems as a means of providing both physical and technical security.

Fundamental to the observance of all controls is appropriate staff training so that staffare aware of their responsibilities, and that their skills match those responsibilities. Proper staffselection procedures may work to achieve a balance in skills and responsibilities. Likewise,regular performance monitoring and skills assessment can be used to identify any particularskills gaps or training needs that have arisen. Responsibility for staff awareness and training inprocedures rests with every individual who is responsible for supervising the work of anotherperson and, more generally, with the management of each department.

One basic but important financial control involves the proper and timely recording of all transactions. Adherence to this basic rule significantly reduces the possibility of transactions going unrecorded. One way of achieving this control is through a related procedure under which transactions are recorded and entered into the accounting system by the area responsible for the transactions, subject of course to maintaining appropriate separation of duties between transaction initiators and transaction recorders. This ensures that those people most familiar with the modalities of a particular activity have responsibility for its proper execution, completion, and recording.

Setting financial limits on specific activities and individuals provides a mechanism for management to place limits on possible risk exposures arising from high volume or high value transactions. Typically, such limits are applied in those operations that create assets and liabilities, or off-balance sheet exposures, and which are not subject to budgetary limits. Relevant examples for central banks involve limits set for dealing rooms and lending operations. Limits can be set with regard to counterparty or borrower, dealer, currency, country, or financial instrument.
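The segregation of duties and "four eyes" checks described for the dealing room and accounting system above, together with the dealer and counterparty limits described in this paragraph, can be enforced in one workflow. The following is an added example written for this page, not code from the paper: users, roles, limits and deals are constructed assumptions, and the three-stage initiate/confirm/authorize flow is an illustration of the principle rather than any particular bank's system.

```python
"""Segregation of duties, the four eyes principle and financial limits
applied to a simple dealing-room ledger.

Added example written for this page; it is not code from the IMF paper.
Users, roles, limits and deals are constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Role(Enum):
    DEALER = "dealer"            # front office: initiates deals
    BACK_OFFICE = "back office"  # confirms rates and calculations
    ACCOUNTS = "accounts"        # authorizes the accounting entry


class ControlBreach(Exception):
    """Raised when an action would violate a control; the action is rejected."""


@dataclass
class Deal:
    deal_id: str
    dealer: str
    counterparty: str
    currency: str
    amount: float
    confirmed_by: Optional[str] = None
    authorized_by: Optional[str] = None


@dataclass
class DealingLedger:
    roles: Dict[str, Role]                 # one role per user: structural segregation
    dealer_limits: Dict[str, float]        # maximum amount a dealer may commit per deal
    counterparty_limits: Dict[str, float]  # maximum aggregate exposure per counterparty
    exposure: Dict[str, float] = field(default_factory=dict)
    audit_trail: List[str] = field(default_factory=list)

    def _require_role(self, user: str, role: Role) -> None:
        if self.roles.get(user) != role:
            raise ControlBreach(f"{user} may not act as {role.value}")

    def initiate(self, deal: Deal) -> Deal:
        """Front office books a deal; dealer and counterparty limits are checked here."""
        self._require_role(deal.dealer, Role.DEALER)
        if deal.amount > self.dealer_limits.get(deal.dealer, 0.0):
            raise ControlBreach(f"{deal.deal_id}: exceeds dealer limit for {deal.dealer}")
        projected = self.exposure.get(deal.counterparty, 0.0) + deal.amount
        if projected > self.counterparty_limits.get(deal.counterparty, 0.0):
            raise ControlBreach(f"{deal.deal_id}: exceeds counterparty limit for {deal.counterparty}")
        self.audit_trail.append(f"INITIATED {deal.deal_id} by {deal.dealer}")
        return deal

    def confirm(self, deal: Deal, user: str) -> Deal:
        """Back office confirms: a second pair of eyes, never the dealer."""
        self._require_role(user, Role.BACK_OFFICE)
        if user == deal.dealer:
            raise ControlBreach(f"{deal.deal_id}: confirmer must differ from dealer")
        deal.confirmed_by = user
        self.audit_trail.append(f"CONFIRMED {deal.deal_id} by {user}")
        return deal

    def authorize(self, deal: Deal, user: str) -> Deal:
        """Accounts authorizes the entry only after confirmation, by a third person."""
        self._require_role(user, Role.ACCOUNTS)
        if deal.confirmed_by is None:
            raise ControlBreach(f"{deal.deal_id}: not yet confirmed by back office")
        if user in (deal.dealer, deal.confirmed_by):
            raise ControlBreach(f"{deal.deal_id}: authorizer must differ from dealer and confirmer")
        deal.authorized_by = user
        self.exposure[deal.counterparty] = self.exposure.get(deal.counterparty, 0.0) + deal.amount
        self.audit_trail.append(f"AUTHORIZED {deal.deal_id} by {user}")
        return deal


def try_control(action, *args):
    """Run a ledger action and report (ok, message) instead of raising."""
    try:
        action(*args)
        return True, "ok"
    except ControlBreach as exc:
        return False, str(exc)


def build_demo_ledger() -> DealingLedger:
    """Constructed staff, roles and limits (assumptions, not from the paper)."""
    return DealingLedger(
        roles={"alice": Role.DEALER, "bob": Role.BACK_OFFICE, "carol": Role.ACCOUNTS},
        dealer_limits={"alice": 5_000_000.0},
        counterparty_limits={"BANK-X": 8_000_000.0},
    )


if __name__ == "__main__":
    ledger = build_demo_ledger()
    d1 = Deal("D1", "alice", "BANK-X", "USD", 4_000_000.0)
    print(try_control(ledger.initiate, d1))
    print(try_control(ledger.confirm, d1, "alice"))   # dealer confirming own deal: rejected
    print(try_control(ledger.confirm, d1, "bob"))
    print(try_control(ledger.authorize, d1, "carol"))
    d2 = Deal("D2", "alice", "BANK-X", "USD", 4_500_000.0)
    print(try_control(ledger.initiate, d2))            # would breach the counterparty limit
    print("\n".join(ledger.audit_trail))
```

The role map gives each user exactly one role, which is the structural form of segregation; the explicit "must differ from" checks in `confirm` and `authorize` are kept as well, because in a real system one person may hold several roles and the four eyes rule must still hold per transaction. Exposure is only booked at authorization, so a deal rejected at any earlier stage never affects the counterparty limit.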

Another important financial control occurs through budget limits on expenditures. This control is directed more towards efficient and effective utilization of resources, but also works to minimize risk through a disciplined approach to analyzing and estimating likely claims on central bank resources. Limits in budgets are set at various levels, normally in accordance with key functions and cost centers as determined by the organization structure and responsibilities. Budget systems typically include a regular (usually monthly) process for monitoring actual expenditures and revenues against budget forecasts, along with requirements that unbudgeted expenditures (either current or capital) receive separate approval before they are incurred.

Security procedures are a form of non-financial control designed to protect the important assets of a central bank: its workforce and its valuable assets. Developing the right mix of access controls and security equipment requires a careful analysis of the threats and risks that are likely to arise from both internal and external sources. Central banks, like other organizations, sometimes tend to develop extensive measures to prevent unauthorized access or intrusion from external sources, but ignore the threats that may come from internal sources such as intentional leaking of information, theft, and sabotage. Finally, in developing necessary security measures, it will be necessary to have controls that provide a secure working environment but which are not so restrictive as to impair effective work performance.

Business resumption planning is a special form of control aimed at ensuring business continuity following an unexpected event or interruption to operations. This can involve identifying specific measures necessary to provide back up in the event of failure of one or more critical systems, and is particularly relevant where central banks rely on computerized systems for all work control and processing. In this context a resumption plan involving, for example, off-site back up of files and systems goes a long way towards ensuring business continuity and reducing the risk of financial loss, provided the backups are regularly tested. Plans are also required for more catastrophic circumstances such as destruction of a building, or major interruption to all operating capability, so that basic operating capability can be restored in a specified minimum period of time.

In addition to budget based review of performance, control systems can also includeregular review of operating performance against plan targets or objectives, where non-financial targets are involved. One common example is the setting and review of individualperformance targets as part of a staff appraisal system and, at a higher level, review andanalysis of departmental or project performance against business plan targets.

Management needs to know that controls are being followed, and this can be achieved through regular checking. While periodic internal audit review may identify control weaknesses or periodic breaches, management's responsibility for the continuous operation of internal controls requires that it has processes in place to monitor observance of controls more frequently than the regular audit cycle. Regular checking can be done through a series of periodic checks by supervisors to ensure that appropriate controls are in place and that certain procedural checks have been followed. This can be summarized in a report to management that outlines the specific control requirement, the nature of the periodic check undertaken, and the officer responsible for performing the check. Internal auditors frequently review such lists and reports in making a risk-based assessment of areas to be audited and the audit frequency.


Regular reporting to senior management involves both standard reports provided on a regular basis and exception reports. They may be prepared by: the accounting system (through, for example, budget reports); managers of specific work areas (reporting exceptional circumstances or new risks); the internal auditor (reporting on the effectiveness of controls in a particular area); and, where financial statements are concerned, the external auditor. Where an audit committee has also been formed, it may require a regular review of control system performance by the internal auditor, along with an update on progress in implementing recommendations from previous audits. The reporting process enables senior management to be aware of general performance against plans, whether any serious breaches of controls have occurred, and whether new risks have arisen that the Bank must address.

Periodic review of controls and actual work practices is an ongoing responsibility of management. In a changing work environment, new work practices may quickly overtake controls, and periodic checking may identify that certain controls are no longer followed or required. Alternatively, periodic review may identify that new work practices have been introduced, in which case there is a need to determine the extent to which the formal documentation of controls needs to be modified to reflect latest practices.

Information systems

Successful operation of any control system depends on the smooth "two-way" flow of reliable, relevant, and timely information: from the communication of objectives, plans and controls down through the central bank, to the reporting back to management on performance, exceptions, and the operation of the control system. Information systems can range from simple manual record based systems to integrated electronic systems, depending on the size and complexity of a central bank's activities. Thus a set of controls is necessary to protect the system itself, and the information stored on it. General controls for information systems include:

• classification controls to limit circulation of highly sensitive information and reduce the risk of "leaks";

• access controls to limit and monitor access to both systems and information;

• segregation of duties;

• processing controls to ensure all transactions are recorded accurately and on a timely basis;

• audit trails for the reconstruction of events and transactions, along with controls for storage and retention of records;

• ready access by senior management to the information system and reports;

• preparation of information for public release in accordance with all relevant laws, regulations and standards.
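The hierarchy of access levels and "need to know" status described under access restrictions above, and the classification, access and public-release controls in this list, can be expressed as a small label model: a user's clearance must be at least as high as the document's level and must hold every compartment the document is marked with, and only uncompartmented PUBLIC material may be prepared for release. The following is an added example written for this page, not code from the paper; the level names, compartments, users and documents are assumptions chosen for illustration, and the access log is a plain list standing in for a real audit trail.

```python
"""Classification levels with need-to-know compartments, plus a release
check for information leaving the bank.

Added example for this page, not code from the IMF paper. The level names,
compartments, users and documents are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Ordered from least to most sensitive (assumed scheme).
LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()   # need-to-know groups, e.g. "MPC"

    def dominates(self, other: "Label") -> bool:
        """A clearance covers a document when its level is at least as high
        and it holds every compartment the document is marked with."""
        return (RANK[self.level] >= RANK[other.level]
                and other.compartments <= self.compartments)


@dataclass
class Document:
    doc_id: str
    label: Label
    body: str


@dataclass
class Repository:
    documents: Dict[str, Document]
    clearances: Dict[str, Label]
    access_log: List[str] = field(default_factory=list)

    def can_read(self, user: str, doc_id: str) -> bool:
        """Decide and log every read attempt, allowed or not."""
        doc = self.documents[doc_id]
        clearance = self.clearances.get(user, Label("PUBLIC"))  # unknown users: public only
        allowed = clearance.dominates(doc.label)
        verdict = "ALLOW" if allowed else "DENY"
        self.access_log.append(f"{verdict} {user} read {doc_id} [{doc.label.level}]")
        return allowed

    def read(self, user: str, doc_id: str) -> str:
        if not self.can_read(user, doc_id):
            raise PermissionError(f"{user} is not cleared for {doc_id}")
        return self.documents[doc_id].body

    def releasable(self, doc_id: str) -> bool:
        """Only PUBLIC, uncompartmented material may be prepared for external release."""
        return self.documents[doc_id].label == Label("PUBLIC")


def build_demo_repository() -> Repository:
    """Constructed holdings and clearances (assumptions, not from the paper)."""
    docs = [
        Document("press-release", Label("PUBLIC"), "Bank publishes quarterly bulletin."),
        Document("budget", Label("CONFIDENTIAL"), "Departmental budget allocations."),
        Document("rate-decision", Label("SECRET", frozenset({"MPC"})), "Rate to rise 25bp."),
        Document("fx-intervention", Label("SECRET", frozenset({"FX"})), "Sell USD 200m at open."),
    ]
    clearances = {
        "governor": Label("SECRET", frozenset({"MPC", "FX"})),
        "deputy": Label("SECRET"),                       # high level, no compartments
        "fx-analyst": Label("CONFIDENTIAL", frozenset({"FX"})),
        "clerk": Label("INTERNAL"),
    }
    return Repository({d.doc_id: d for d in docs}, clearances)


if __name__ == "__main__":
    repo = build_demo_repository()
    for user in ("governor", "deputy", "fx-analyst", "clerk", "visitor"):
        for doc_id in repo.documents:
            repo.can_read(user, doc_id)
    print("\n".join(repo.access_log))
```

Two points the log makes visible: a high level alone is not enough (the "deputy" with a SECRET clearance but no compartments is denied the MPC paper), and a compartment alone is not enough (the FX analyst holds "FX" but is below SECRET). Denied attempts are logged exactly like allowed ones, which is what makes the trail useful for reconstructing who tried to reach what.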

For computerized information systems an additional range of controls is required to ensure the integrity and continuity of the system, to prevent unauthorized access to or usage of both hardware and software, and to protect electronic files from accidental or deliberate destruction. Specific controls can be grouped under one of the following categories:

• computing resource management;

• systems development and implementation;

• operation of hardware and software systems;

• end-user operations; and

• business resumption planning.

Computing resource management controls focus on the hardware and systems softwareplatforms that support the various application systems used by a central bank. Soundmanagement of these computer resources is integral to ensuring that technology objectives arealigned with organizational objectives. Controls in this area focus on establishing a soundstrategic plan, financial control of systems development and operation, and management controlof changes to operating systems and software. Some specific controls include:

• a strategic planning process that identifies key system requirements of an organization that are consistent with a central bank's business plans;

• a multi-year budget including financial forecasts of system needs, annual operating costs, and training needs;

• documented service agreements with external service providers; and

• bank-wide procedures for selection and introduction of new systems hardware and software, otherwise known as change control procedures.

Systems development and implementation controls are associated with the process ofidentifying specific system components and developing and installing necessary applications.This is a critical area since poor development and installation procedures can have a long lastingeffect on system effectiveness and efficiency. Relevant controls in this area include:

• a documented system development process covering appointment of project managers and steering committees, project reporting and review, and project sign-off;

• internal audit participation in the development and implementation process for each new system or project;

• procedures and criteria for selection and acquisition of application systems from third parties;

• procedures for proper and thorough testing and conversion before any new system is signed off for implementation;

• complete documentation of new or revised systems;

• proper maintenance of, and restriction of access to, systems documentation; and

• procedures for, and documentation of, changes to application systems to ensure that only authorized people can change critical application and operating systems.

Controls over the operation of hardware and software systems are designed to ensure systems are used for authorized purposes only and that they operate on an error-free and interruption-free basis. Controls involve both physical and computer-based procedures covering:

• physical (e.g., secure pass-coded access doors) and system (e.g., passwords) based access controls that limit access to authorized personnel only;

• separation of duties between EDP systems development, EDP processing, change control staff, and maintenance personnel;

• availability of utilities for mainframe equipment and related system components on an uninterrupted basis;

• logging of access and of the information requested by each user;

• automatic log-off for unsuccessful or inactive system use;

• automatic back up of system files;

• system based checking of completeness and accuracy of data entered and processed; and

• internal audit access to systems for EDP based auditing and control monitoring.
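The logging and automatic log-off controls in the list above, and the audit trails called for under general information system controls, fit together in one component: every login attempt and every request is logged, an account is locked after repeated failures, an idle session is logged off before it can be reused, and each log entry's digest covers the previous entry so that later alteration of the trail is detectable. The following is an added example written for this page, not code from the paper; the lock-out threshold, idle timeout, users and credentials are assumptions, and the SHA-256 credential store is a stand-in for a proper salted password hash.

```python
"""Access logging, automatic lock-out after repeated failed logins, inactivity
log-off, and a hash-chained audit trail that reveals later tampering.

Added example for this page, not code from the IMF paper. The thresholds,
users and credentials are assumptions; the password store is a stand-in for a
proper salted password hash.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Set

MAX_FAILED_LOGINS = 3    # assumed policy
IDLE_TIMEOUT_SECS = 600  # assumed policy
GENESIS = "0" * 64


@dataclass
class AuditTrail:
    """Append-only log; each entry's digest covers the previous entry's digest."""
    entries: List[dict] = field(default_factory=list)

    def record(self, ts: int, user: str, event: str, detail: str = "") -> None:
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        entry = {"ts": ts, "user": user, "event": event, "detail": detail, "prev": prev}
        entry["digest"] = self._digest(entry)
        self.entries.append(entry)

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "digest"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def first_broken_link(self) -> int:
        """Index of the first entry whose chain or digest fails, or -1 if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or self._digest(entry) != entry["digest"]:
                return i
            prev = entry["digest"]
        return -1


def password_hash(password: str) -> str:
    """Stand-in for a salted, slow password hash (assumption for the example)."""
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class SessionManager:
    credentials: Dict[str, str]                    # user -> password_hash()
    trail: AuditTrail = field(default_factory=AuditTrail)
    failed: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)
    last_activity: Dict[str, int] = field(default_factory=dict)

    def login(self, ts: int, user: str, password: str) -> bool:
        if user in self.locked:
            self.trail.record(ts, user, "LOGIN_DENIED", "account locked")
            return False
        expected = self.credentials.get(user, "")
        if not hmac.compare_digest(expected, password_hash(password)):
            self.failed[user] = self.failed.get(user, 0) + 1
            self.trail.record(ts, user, "LOGIN_FAILED", f"attempt {self.failed[user]}")
            if self.failed[user] >= MAX_FAILED_LOGINS:
                self.locked.add(user)
                self.trail.record(ts, user, "ACCOUNT_LOCKED")
            return False
        self.failed[user] = 0
        self.last_activity[user] = ts
        self.trail.record(ts, user, "LOGIN_OK")
        return True

    def access(self, ts: int, user: str, resource: str) -> bool:
        """Log what was requested; log off any session idle beyond the timeout."""
        last = self.last_activity.get(user)
        if last is None:
            self.trail.record(ts, user, "ACCESS_DENIED", f"{resource}: no session")
            return False
        if ts - last > IDLE_TIMEOUT_SECS:
            del self.last_activity[user]
            self.trail.record(ts, user, "AUTO_LOGOFF", f"idle {ts - last}s")
            self.trail.record(ts, user, "ACCESS_DENIED", f"{resource}: session expired")
            return False
        self.last_activity[user] = ts
        self.trail.record(ts, user, "ACCESS", resource)
        return True


if __name__ == "__main__":
    sm = SessionManager({"bob": password_hash("s3cret")})
    sm.login(10, "bob", "s3cret")
    sm.access(100, "bob", "ledger")
    sm.access(1000, "bob", "ledger")          # 900s idle: logged off, then denied
    for e in sm.trail.entries:
        print(e["ts"], e["user"], e["event"], e["detail"])
    print("chain intact:", sm.trail.first_broken_link() == -1)
```

The chain only detects alteration; it does not prevent it, so the trail still needs the storage and retention controls the list calls for (write-once media or periodic anchoring of the latest digest somewhere the operators cannot change). Unknown users fail through the same comparison as wrong passwords, so the log does not reveal which usernames exist.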

End-user operation of information systems can occur over a wide range of environments that extend beyond the traditional centralized information systems arena. Applications and data processing environments may include local area networks (LANs), wide area networks (WANs), remote access facilities, and stand alone computers. These environments introduce a specific set of risks, controls, and audit considerations, in addition to the range of risks evident in a centralized mainframe environment. Some specific controls in these areas include:

• strengthened access controls (passwords, random codes) to restrict unauthorized access by external sources through dial-up modems or other telecommunication connections;

• system protection measures such as encryption, computer "firewalls," and virus detection software to limit risks associated with external communications;

• physical security measures to protect stand alone hardware and software located in user areas from theft, alteration, or erasure; and

• proper authorization and testing of any user requested software prior to installation on system accessible micro-computers.

Business resumption planning is an essential tool for ensuring that a central bank can continue critical operations in the event of an interruption in processing. Such interruptions can take the form of a major catastrophe, some unforeseen event triggered by an external source, or other failures within a central bank. The prime objective under these circumstances is the resumption of business as quickly as possible to limit reputation and financial losses, and to properly service user information requirements. Some relevant controls in this area include:

• development of a strategy for minimum periods for business resumption;

• development, testing, and documentation of recovery procedures under various business interruption scenarios (e.g., temporary loss of facilities; destruction of equipment or buildings; failure of critical externally-provided services);

• off-site backup of data and programs, and if necessary processing;

• regular testing of all backup systems and procedures, including those for "cool sites" located outside a central bank's own facilities; and

• periodic internal audit review of resumption plans and preparedness.

One additional specific issue for 1999 concerns preparedness for the Year 2000 date change. With the new century rapidly approaching it is critical that every organization, including central banks, ensures that its own systems, as well as those of its business partners, are century date compliant. To be fully compliant all organizations will need to assess what changes need to be made to their computer software and hardware to avoid errors when encountering a two-digit date field ("00" = 1900 instead of 2000), and test changes prior to implementation. This is not an insignificant issue, as virtually all organizations worldwide are affected in some way.
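The failure the paragraph describes, and the assessment and testing steps it calls for, can be shown concretely: a date routine that hard-wires the century as 19 turns a one-day interval across the century boundary into a large negative number, a pivot-year window reads the same two digits correctly, and a scan of stored records lists those still carrying a six-character date. The following is an added example written for this page, not code from the paper or from the Joint Year 2000 Committee; the DDMMYY/DDMMYYYY record layout and the pivot year are assumptions.

```python
"""Two-digit year fields: the '00 = 1900' failure and a pivot-year window fix,
with a scan that lists records still carrying a two-digit year.

Added example for this page, not code from the paper or the Joint Year 2000
Committee. The record layout (DDMMYY or DDMMYYYY) and the pivot are assumptions.
"""
from datetime import date
from typing import Callable, List

PIVOT = 50  # assumed window: 00-49 -> 2000-2049, 50-99 -> 1950-1999


def naive_year(yy: str) -> int:
    """Pre-remediation logic: the century was hard-wired as 19."""
    return 1900 + int(yy)


def windowed_year(yy: str, pivot: int = PIVOT) -> int:
    """Interpret the two digits relative to a pivot year."""
    v = int(yy)
    if not 0 <= v <= 99:
        raise ValueError(f"not a two-digit year: {yy!r}")
    return 2000 + v if v < pivot else 1900 + v


def parse_ddmmyy(field_value: str, year_fn: Callable[[str], int]) -> date:
    """Parse a six-character DDMMYY field using the supplied century rule."""
    if len(field_value) != 6 or not field_value.isdigit():
        raise ValueError(f"expected DDMMYY, got {field_value!r}")
    return date(year_fn(field_value[4:6]), int(field_value[2:4]), int(field_value[0:2]))


def days_between(start: str, end: str, year_fn: Callable[[str], int]) -> int:
    """Interest-day style calculation that goes wrong across the century."""
    return (parse_ddmmyy(end, year_fn) - parse_ddmmyy(start, year_fn)).days


def records_needing_remediation(records: List[dict]) -> List[str]:
    """Assessment step: which records still carry a six-character date field."""
    return [r["id"] for r in records if len(r["maturity"]) == 6]


# Constructed records; some have already been converted to DDMMYYYY.
RECORDS = [
    {"id": "L-001", "maturity": "311299"},
    {"id": "L-002", "maturity": "15032001"},
    {"id": "L-003", "maturity": "010100"},
]

if __name__ == "__main__":
    print(days_between("311299", "010100", naive_year))     # large negative: 1900 vs 1999
    print(days_between("311299", "010100", windowed_year))  # 1
    print(records_needing_remediation(RECORDS))
```

A window is only a stopgap: it fails again once dates on either side of the pivot coexist in the data, which is why the conversion of stored fields to four-digit years (the records the scan lists) is the durable fix, and why each change should be tested against boundary dates before implementation.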

Consideration of the full impact of this issue for control systems is beyond the scope of this paper, but additional information of specific relevance for central banks can be found in the work of the Joint Year 2000 Committee, which can be accessed through the BIS Internet site, http://www.bis.org.

This council, comprising the Basle Committee on Banking Supervision, the Committee on Payment and Settlement Systems, the International Association of Insurance Supervisors, and the International Organization of Securities Commissions, has released several papers on the Year 2000 issue. The Committee's June 1998 paper "Supervisory Guidance on the Independent Assessment of Financial Institution Year 2000 Preparations," published by the Bank for International Settlements, provides guidance on important questions that need to be addressed.


- 49 - APPENDIX II

ILLUSTRATIVE CHARTER OF AN INTERNAL AUDIT UNIT

Role

The Internal Audit Unit’s role is to carry out independent reviews of existing or proposedsystems and procedures throughout the Bank. The Unit will evaluate the effectiveness andefficiency of all important systems of internal control and performance monitoring.

Accountability

The Head of Internal Audit is responsible to and reports directly to the functional Governor and also to the Audit Committee of the Board of Directors. The Head of Internal Audit has direct access to the Governor as and when needed.

Responsibility for Systems

Internal Audit personnel have no direct responsibility for systems and procedures. Auditrecommendations are not directives and do not relieve managers of their responsibility formaintenance and improvement of the systems under their control.

Access

Personnel of the Internal Audit Unit, in the performance of the audit function, will begranted unlimited access to all of the Bank’s activities, records, property, and staff members,within restrictions imposed by the need for control (such as dual access). Internal Audit staff areaware that they are accountable for the safekeeping and confidentiality of any documents orinformation acquired during an audit.

Objectivity and Independence

All audit work and subsequent reporting will be carried out in an objective manner. Carewill be taken to ensure the independence of Internal Audit personnel is not compromised,especially where their services are specifically sought by Departments.

Standards

All Internal Auditing will be conducted in accordance with the objectives and policies ofthe Bank. The Ethics and Standards of the Institute of Internal Auditors, the Society ofAccountants, and the EDP Auditors Association will be observed.

Specific Activities

Audit activities include but will not necessarily be confined to:

• evaluating the quality of existing and proposed management and financial control systems;

• testing the operation of those systems and the reliability and integrity of information and transactions generated;

• testing the adequacy of controls for safeguarding the assets of the Bank and, when appropriate, verifying the existence of assets;

• testing compliance with policies, plans, procedures, laws, and regulations governing the Bank's operations;

• conducting reviews of the effective and efficient use of the Bank's resources and making appropriate recommendations to management;

• performing special reviews when requested by management; and

• liaison with the Bank's external auditors on the audit program.

[Date issued]

[Authorizing signature, for example Governor’s signature]

[Authorizing name and title]

-51- APPENDIX III ’

INTERNAL AUDIT TECHNIQUES

Internal auditors use a range of techniques to perform their work efficiently andeffectively, including:

• statistical sampling;

• control self assessment;

• computer assisted auditing techniques; and

• modeling.

Statistical sampling is a mathematically sound way of drawing conclusions about large populations from limited tests. In practice, the time and cost necessary to perform statistical sampling is rarely justified and judgment sampling is used much more often. For instance, the auditor may decide to review the largest transactions, the most sensitive, the most unusual, or those that occur just before or after the year closes. Valid conclusions may be inferred from such samples even though they cannot be stated with statistical precision.

Control self-assessment (CSA) is one of the fastest growing techniques used by internalauditors. In CSA, the internal audit department facilitates groups of managers and employees inevaluating their system of internal controls and/or evaluating their organizations from a controlperspective. One form of CSA starts with a major performance objective selected bymanagement, along with sub-objectives necessary to achieve the overall objective. Classmembers identify obstacles to achieving each of the sub-objectives. They also note successeswhich have already been achieved and conditions which enable them to be successful. A secondform of CSA presents a series of pre-defined control statements which are considered desirableacross the entire organization. For example, “clear procedures exist on how to perform ourjobs.” Individuals register their opinions anonymously on how closely their organization ismeeting the desired state of affairs. The difference between the desired and actual state of affairsrepresents the opportunity for improvement. The combined output can be assembled andpresented to management as a special audit report.

CSA does not replace traditional auditing activities, but complements them. Some organizations use CSA prior to scheduled audits to identify areas which should be further explored with traditional auditing techniques. Care must be taken, however, to ensure that the confidences shared by CSA participants are not violated.

Computer assisted auditing techniques (CAAT) are another rapidly growing area. With increasing amounts of information being captured, initiated, and stored in electronic form, CAAT software tools can be used to select, extract, sort, manipulate, and test data electronically against defined criteria. As central banks become more dependent on automated applications, more internal audit time needs to be devoted to assessing and managing the related risks. One of the major risks is that approved software code will be destroyed or modified, accidentally or deliberately. CAAT software can compare the code in use against previously secured source code and extract any differences for examination by a trained computer auditor. Performing this task through manual visual inspection would be almost impossible. CAAT software can also be used in continuous audit monitoring to flag any system activity which falls outside prescribed parameters. There is, however, a fine line between viewing such software as an audit tool or as part of management's basic control system, and this serves to emphasize that auditing and management need to work in close partnership to ensure desired results.
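Both CAAT uses described above reduce to mechanical checks: the code comparison is a digest of every program in the library compared against a baseline of digests taken from the secured source at sign-off, and continuous monitoring is a rule set run over each transaction. The following is an added example written for this page, not the paper's code or any vendor's CAAT product; the program names and contents, the day's transactions and the prescribed parameters are all constructed.

```python
"""Two computer assisted audit checks: comparing a program library against a
secured baseline of source digests, and flagging transactions that fall outside
prescribed parameters.

Added example for this page, not the paper's code or any vendor's CAAT product.
File names, contents, transactions and limits are constructed.
"""
import hashlib
from typing import Dict, List, Tuple


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def build_baseline(sources: Dict[str, bytes]) -> Dict[str, str]:
    """Secured baseline taken at sign-off: path -> digest of the approved source."""
    return {path: digest(body) for path, body in sources.items()}


def compare_to_baseline(baseline: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Extract every difference for a computer auditor to examine."""
    report = {"modified": [], "added": [], "removed": []}
    for path, expected in baseline.items():
        if path not in current:
            report["removed"].append(path)
        elif digest(current[path]) != expected:
            report["modified"].append(path)
    report["added"] = [p for p in current if p not in baseline]
    return {k: sorted(v) for k, v in report.items()}


def flag_out_of_parameters(transactions: List[dict], params: dict) -> List[Tuple[str, str]]:
    """Continuous monitoring: (txn_id, reason) for each breach of the prescribed
    parameters. Assumed parameter shape: per-dealer amount limit, permitted
    currencies, and the permitted dealing window as (start_hour, end_hour)."""
    flags = []
    for t in transactions:
        limit = params["dealer_limits"].get(t["dealer"])
        if limit is None:
            flags.append((t["id"], f"unknown dealer {t['dealer']}"))
        elif t["amount"] > limit:
            flags.append((t["id"], f"amount {t['amount']} exceeds dealer limit {limit}"))
        if t["currency"] not in params["currencies"]:
            flags.append((t["id"], f"currency {t['currency']} not permitted"))
        start, end = params["dealing_hours"]
        if not start <= t["hour"] < end:
            flags.append((t["id"], f"dealt at hour {t['hour']} outside {start}-{end}"))
    return flags


# Constructed program library at sign-off, and its state some weeks later.
APPROVED_SOURCES = {
    "settle.cbl": b"PROCEDURE DIVISION. PERFORM SETTLE-DEALS.",
    "rates.cbl": b"PROCEDURE DIVISION. PERFORM LOAD-RATES.",
    "report.cbl": b"PROCEDURE DIVISION. PERFORM PRINT-DAILY.",
}
CURRENT_SOURCES = {
    "settle.cbl": b"PROCEDURE DIVISION. PERFORM SETTLE-DEALS. PERFORM SKIM-ROUNDING.",
    "rates.cbl": b"PROCEDURE DIVISION. PERFORM LOAD-RATES.",
    "patch.cbl": b"PROCEDURE DIVISION. PERFORM UNDOCUMENTED.",
}

# Constructed day's transactions and the prescribed parameters.
TRANSACTIONS = [
    {"id": "T1", "dealer": "alice", "currency": "USD", "amount": 2_000_000, "hour": 10},
    {"id": "T2", "dealer": "alice", "currency": "USD", "amount": 7_500_000, "hour": 11},
    {"id": "T3", "dealer": "dave", "currency": "EUR", "amount": 100_000, "hour": 14},
    {"id": "T4", "dealer": "bob", "currency": "ZAR", "amount": 50_000, "hour": 19},
]
PARAMETERS = {
    "dealer_limits": {"alice": 5_000_000, "bob": 1_000_000},
    "currencies": {"USD", "EUR", "GBP"},
    "dealing_hours": (8, 17),
}


def run_checks():
    baseline = build_baseline(APPROVED_SOURCES)
    return compare_to_baseline(baseline, CURRENT_SOURCES), flag_out_of_parameters(TRANSACTIONS, PARAMETERS)


if __name__ == "__main__":
    code_report, txn_flags = run_checks()
    print(code_report)
    for txn_id, reason in txn_flags:
        print(txn_id, reason)
```

The baseline is only as good as its custody: it must be taken from the source that was signed off and kept where the people who can change the program library cannot change it, otherwise the comparison proves nothing. The same point applies to the parameters, which is the "fine line" the paragraph mentions: once operations staff can edit the limits the monitor checks against, the monitor has become part of management's control system rather than an independent audit tool.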

Formal models are often developed by the internal audit function. For example, a risk model would list all relevant risks with appropriate weights, while an internal control evaluation model would include factors bearing on all the elements of internal control. Models are extremely helpful in structuring information and ensuring that factors of major importance are not overlooked. Assignment of weights to factors in a model helps ensure consistency and a balanced perspective. Quantified models permit analysis of trends over time and comparisons and rankings between dissimilar organizations. The value of a model is enhanced when groups of auditors pool their knowledge to evaluate an area and later discuss results with management.