AUDIT POLICY MANUAL FOR RURAL AND COMMUNITY BANKS (JULY …

AUDIT POLICY MANUAL FOR RURAL AND COMMUNITY BANKS (JULY 2018)

FINANCING GHANAIAN AGRICULTURE PROJECT (USAID FinGAP)

JULY 2018

This publication was produced for review by the United States Agency for International Development/Ghana mission by The Palladium Group.

FINANCING GHANAIAN AGRICULTURE PROJECT (USAID FinGAP) AUDIT POLICY MANUAL FOR RURAL AND COMMUNITY BANKS, JULY 2018

AUDIT POLICY MANUAL FOR RURAL AND COMMUNITY BANKS

(JULY 2018)

DISCLAIMER

This report is made possible by the generous support of the American people through the United States Agency for International Development (USAID). The contents are the responsibility of The Palladium Group and do not necessarily reflect the views of USAID or the United States Government.


CONTENTS ACRONYMS & ABBREVIATIONS 3

1.0 BACKGROUND 4

2.0 NATURE OF INTERNAL AUDIT ACTIVITY 10

3.0 DEVELOPING THE PLAN OF ENGAGEMENTS 13

4.0 FOCUSED AUDIT 16

5.0 INTERNAL AUDIT OPERATIONAL PROCEDURES 19

6.0 EXTERNAL AUDIT AND ASSESSMENT PROCESS 37

2 | P a g e


ACRONYMS & ABBREVIATIONS NDZ Northern Development Zone

NSEZ Northern Savannah Ecological Zone

QSM Quality System Management

RCBs Rural and Community Banks

SADA Savannah Accelerated Development Authority

USAID United States Agency for International Development

USAID FinGAP USAID Financing Ghanaian Agricultural Project

3 | P a g e


1.0 BACKGROUND 1.1 DEFINITIONS

Internal Control System refers to all the policies and procedures adopted by an institution to help ensure, as far as is practical, the orderly and efficient conduct of its business.

Control environment is the overall attitude, awareness, and actions of the Board of directors and managers regarding the internal control system and its importance.

Control Activities are policies and procedures (in addition to the control environment) that management have established to achieve the entity’s specific objectives.

Risk is anything that endangers the institution’s achievement of an objective.

1.2 ROLE OF INTERNAL AUDIT

Internal auditing activity is primarily directed at improving internal control. Under the Regulatory Framework, internal control is broadly defined as a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.

It is to assist management in achieving efficient and effective operational performance in running the organization. The function aims to add value, improve operational efficiency, economy and effectiveness of management processes, risk management, and internal controls. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the governance processes.

Management is responsible for internal controls. Managers establish policies and processes to help the organization achieve specific objectives in each of these categories. The roles of internal auditors are to perform audits to evaluate whether the policies and processes are designed and operating effectively and to provide recommendations for improvement.

1.3 GUIDING PRINCIPLES

Internal Control is designed to achieve the following three organizational objectives: • Efficiency and effectiveness of operations; • Reliability of financial reporting; and • Compliance with applicable laws and regulations.

Factors reflected in the control environment include:

4 | P a g e

http://en.wikipedia.org/wiki/Internal_control

http://en.wikipedia.org/wiki/Committee_of_Sponsoring_Organizations_of_the_Treadway_Commission

http://en.wikipedia.org/wiki/Corporate_governance


• The function of the Board of Directors and its Committees, • Management’s philosophy and operating style, • The organizational structure and methods of assigning authority and responsibility, • Management’s control system, including the internal audit function, • Personnel policies and procedures, and segregation of duties, • Management communication, • Response to fraud.

1.4 RESPONSIBILITY FOR DETECTION OF ERRORS OR IRREGULARITIES

The management of the bank is responsible for establishing and maintaining controls to discourage perpetuation of fraud. Internal Audit is responsible for examining and evaluating the adequacy and effectiveness of those controls. Audit procedures alone are not designed to guarantee the detection of fraud. An error is an unintentional mistake in financial statements which includes mathematical or clerical mistakes in the underlying records and accounting data from which the financial statements or other reports are prepared, mistakes in the application of accounting principles, and oversight or misinterpretation of facts that existed at the time the reports were prepared. An irregularity is an intentional distortion of financial statements or other reported data or the misappropriation of assets. If the Head of Internal Audit (HIA) believes that a material error or an irregularity exists in an area under review or in any other area of the bank, the implications of the error or irregularity and its disposition should be reviewed with the responsible General Manager. As soon as it has been determined that an irregularity does exist, the Head of Internal Audit, will notify the Audit Committee of the Board of Directors that an irregularity has been identified and the audit steps needed to determine the extent of the problem.

1.5 ROLES AND RESPONSIBILITIES

Roles and responsibilities are separated as follows: The Board of Directors, through its Board Risk and Audit Committees, is responsible for the Internal Control Policy of the Company.

1. The General Manager is accountable to the Board of Directors for developing and implementing the internal control framework.

2. The management of the Company is responsible for the development and implementation of control activities that ensure that:

5 | P a g e


• Financial records and relevant databases accurately reflect actual operational activities including, client transactions and balances, interest and charges;

• Assets are safeguarded from unauthorized use or disposition; • Irregularities and fraud are prevented, and if they occur, can be detected,

reported and corrected.

1.6 SERVICES PROVIDED BY INTERNAL AUDIT

Internal Audit’s primary activity is the implementation of a program of regular audits of the bank business operations, as outlined below. However, the complete range of services provided by Internal Audit may also include special projects and consultations as directed by the Board.

a) Operational Audits. Operational audits consist of critical reviews of operating processes and procedures and internal controls that mitigate area specific risks. These audits examine the use of resources to determine if they are being used in the most effective and efficient manner to fulfill the rural bank’s mission and objectives. b) Compliance Audits. These audits determine the degree to which areas within the bank adhere to mandated Government and bank’s policies and practices. Other regulatory agencies are also included within compliance audits (e.g., BOG, EPA, Fire Services, and GRA etc.). Recommendations usually require improvements in processes and controls used to ensure compliance with regulations. c) Financial Audits. These audits review accounting and financial transactions to determine if commitments, authorizations, and the receipt and disbursement of funds are properly and accurately recorded and reported. This type of audit also determines if there are sufficient controls over cash and other assets and that there are adequate process controls over the acquisition and use of resources. Unlike external financial audits, internal financial audits do not prepare or express professional opinions on the financial statement fairness. d) Investigative Audits. These audits are conducted to identify existing control weaknesses, assist in determining the amount of loss and recommending corrective measures to prevent additional losses. Internal Audit will also work with outside agencies to determine if misconduct occurred at the rural bank. These types of investigations can encompass misuse of the rural bank’s funds or assets, fraud, or potential conflicts of interest. e) Technology Audits. Technology audits are usually comprised of reviews of disaster recovery plans, system back up procedures and the general security of data and of the physical plant. The purpose of these audits is to evaluate the accuracy, effectiveness and efficiency of the bank’s electronic and information processing systems.

6 | P a g e


1.7 PROFESSIONAL PROFICIENCY

Professional proficiency is the responsibility of the individual auditor. The Head of Internal Audit (HIA) will assign each audit to the individual who possesses the necessary knowledge and skills to conduct the audit properly.

The Internal Audit staff has a professional obligation to schedule and attend ongoing professional education forums to ensure they maintain academic proficiency and to advance professionally.

The Head of Internal Audit (HIA) is responsible for providing appropriate audit supervision. Supervision is a continuing process, initiated with the planning process and concluding with the completion of the audit assignment. The Head of Internal Audit will document evidence of supervision and review on all audits. This may be accomplished by signing off on all work papers and audit documents.

1.8 INTERNAL AUDIT FUNCTIONS IN RISK MANAGEMENT

Internal auditing function in Risk management is to monitor and evaluate the effectiveness of the rural bank's Risk management processes. Risk management relates to how the bank sets objectives, identifies, analyzes, and responds to those risks that could potentially impact its ability to realize the bank’s objectives. Under the Standard Enterprise Risk Management (ERM) Framework, risks fall under four main categories, which are:

• strategic, • operational, • financial reporting, and • legal/regulatory categories.

Management performs risk assessment activities as part of the ordinary course of business in each of these categories. Examples include:

• strategic planning, • marketing planning, • capital planning, • budgeting, • hedging, • incentive payout structure, and • credit/lending practices.

Regulations also require extensive risk assessment of financial reporting processes. The rural bank’s corporate legal counsel will often prepare comprehensive assessments of the current and potential litigation the bank faces. Internal auditors are to evaluate each of these activities, or focus on the processes used by management to report and monitor the risks identified. For example, internal

7 | P a g e


auditors can advise management regarding the reporting of forward-looking operating measures to the Board, to help identify emerging risks. In the bank, major strategic initiatives will be implemented to achieve objectives and drive changes. As a member of senior management, the Head of Internal Audit (HIA) may participate in status updates on these major initiatives. This places the HIA in the position to report on many of the major risks the organization faces to the Board Audit Committee, or ensure management's reporting is effective for that purpose. The Internal auditors are to help Management of the rural bank to establish and maintain Enterprise Risk Management processes. The Internal audit department is also to play an important role in helping Management of the rural bank to execute a top-down risk assessment. In these latter two areas, internal auditors typically are part of the risk assessment team in an advisory role.

1.9 INTERNAL AUDIT FUNCTION IN CORPORATE GOVERNANCE

Internal auditing activity as it relates to an RCB’s corporate governance is generally informal, accomplished primarily through participation in meetings and discussions with members of the bank’s Board of Directors. Corporate governance is a combination of processes and organizational structures implemented by the bank’s Board of Directors to inform, direct, manage, and monitor the RCB’s resources, strategies, and policies towards the achievement of the organization’s objectives.

The internal audit department is to be considered one of the "four pillars" of corporate governance, the other pillars being the Board of Directors, management, and the external auditors.

A primary focus area of internal auditing as it relates to corporate governance is helping the Audit Committee of the RCB’s Board of Directors to perform its responsibilities effectively. This may include reporting critical internal control problems, informing the Committee privately on the capabilities of key managers, suggesting questions or topics for the Audit Committee's meeting agendas, and coordinating carefully with the external auditor and management to ensure the Committee receives effective information.

1.10 LIMITATIONS OF INTERNAL CONTROL

Internal control is meant to provide reasonable (not absolute) assurance of mitigating risks and promoting organizational objectives. Limitations of internal control include:

• Cost vs. Benefit - The cost of implementing a control should not exceed the benefit. • Abnormalities - Controls are typically directed towards normal, everyday transactions: the

extraordinary transactions may not be covered by normal controls.

8 | P a g e

http://en.wikipedia.org/wiki/Corporate_governance


• Human error - This factor will always be present to some degree. • Collusion - If a control is dependent on segregation of duties, internal controls can be

circumvented when two or more of those responsible work together to purposely defraud the organization.

9 | P a g e


2.0 NATURE OF INTERNAL AUDIT ACTIVITY

2.1 OVERVIEW

Based on a risk assessment of the rural banks, internal auditors, management, and oversight Boards will determine where to focus internal auditing efforts (the focus prioritization is part of the annual/multi-year audit planning; usually, the audit plan is proposed by the General Manager, Internal Audit for the approval of the Audit Committee or Board of Directors).

The rural bank internal auditing activities will generally be conducted as one or more discrete assignments. The internal audit department assignment will involve the following steps:

1. Establish and communicate the scope and objectives for the audit to appropriate management. 2. Develop an understanding of the business area under review. This includes objectives,

measurements, and key transaction types. This involves review of documents and interviews. Flowcharts and narratives may be created if necessary.

3. Describe the key risks facing the business activities within the scope of the audit. 4. Identify control procedures used to ensure each key risk and transaction type is properly

controlled and monitored. 5. Develop and execute a risk-based sampling and testing approach to determine whether the

most important controls are operating as intended. 6. Report problems identified and negotiate action plans with management to address the

problems. 7. Follow up on reported findings at appropriate intervals. Internal audit departments maintain a

follow-up database for this purpose.

Audit assignment length varies based on the complexity of the activity being audited and Internal Audit resources available. Many of the above steps are iterative and may not all occur in the sequence indicated.

By analyzing and recommending business improvements in the banks critical areas, internal auditors are expected to assist the rural bank to meet its objectives. In addition to assessing business processes, specialists called Information Technology (IT) Auditors will be trained forming part of the rural banks internal audit department to review information technology controls.

2.2 INTERNAL AUDIT REPORTS

Internal auditors will issue reports at the end of each audit assignment that summarize their findings, recommendations, and any responses or action plans from management.

10 | P a g e

http://en.wikipedia.org/wiki/Risk_assessment

http://en.wikipedia.org/wiki/Information_technology_controls


The Internal audit report should have the following features:

• Disclose findings: present findings both favorable and unfavorable in a concise manner so that management is apprised of the situation.

• Description of findings: adverse findings should be described in detail. It could be internal control weakness, gaps, violations of procedures or any other audit concern. Each finding must be provable. Auditor beliefs without proper documentation will not be carried to the report.

• Suggestions and recommendations: the auditor should make suggestions for prevention or correction of the deficiencies or gaps identified.

• Auditor’s comments: the auditors may wish to provide clarifications on any of the issues reported or state the constraints or mitigating circumstances.

INTERNAL AUDIT REPORT-CONTENTS

• Internal audit report should contain: observations and comments of the auditor, the audit findings, and recommendations for improvements.

• Internal auditor’s report should contain a clear written expression of significant observations, suggestions/recommendations based on the policies, processes, risks, controls, and transaction processing taken as a whole and management’s response.

INTERNAL AUDIT REPORT-COMMUNICATION

The auditor should make management aware, as soon as practical and at an appropriate level of responsibility, of any material weaknesses in the design or operation of the internal control systems which have come to his attention. The communication of material weaknesses to management would ordinarily be in writing, as part of the internal audit report. The report should also specify that only weaknesses which have come to his attention as a result of the audit have been reported and that examination has been designed to determine the adequacy of internal control for management purposes.

The auditor in his report to management, should provide:

a) A description of the significant deficiency or material weakness in internal controls. b) His opinion on the possible effect of such weakness possible on the bank’s control

environment. The audit report will have an executive summary, a body that includes the specific issues or findings identified and related recommendations or action plans, and appendix information such as detailed graphs and charts. Each audit finding within the body of the report may contain five elements, sometimes called the "5 C's," which are:

1. Condition: What is the particular problem identified?

11 | P a g e


2. Criteria: What is the standard that was not met? The standard may be a company policy or other benchmark.

3. Cause: Why did the problem occur? 4. Consequence: What is the risk/negative outcome (or opportunity foregone) because of the

finding? 5. Corrective action: What should management do about the finding? What have they agreed to

do and by when?

The recommendations in an internal audit report are designed to help the organization achieve its goals, which may relate to operations, financial reporting, or legal/regulatory compliance.

They may relate to effectiveness (i.e., whether goals were met or compliance with standards was achieved) or efficiency (i.e., whether the outputs were generated with minimum inputs). Audit findings and recommendations also relate to particular assertions about transactions, such as whether the transactions audited were valid or authorized, completely processed, accurately valued, processed in the correct time period, and properly disclosed in financial or operational reporting, among other elements.

2.3 IMPLEMENTATION OF AUDIT RECOMMENDATIONS

The internal audit department shall monitor and document the speedy rectification of the deficiencies identified in an audit and the appropriate implementation of the recommendation; a follow-up audit may be necessary. If the major deficiencies in a specific area have not been remedied within a reasonable time, the head of internal audit shall first inform the manager responsible for the area concerned in writing. If the deficiencies are not remedied at all, the Board and the Managing Director shall be informed in writing of the deficiencies not yet remedied and the recommendations not yet implemented no later than the time of the next summary report.

12 | P a g e

http://en.wikipedia.org/wiki/Regulatory_compliance


3.0 DEVELOPING THE PLAN OF ENGAGEMENTS

3.1 OVERVIEW

Internal audit department standards will require the development of a plan of audit engagements (assignments) based on a risk assessment, updated at least annually. The inputs from the RCB’s senior management and Board will be included in this process. Other departments such as Finance, Operations, and Credit will be included in the plan of engagements throughout the year as risks or organizational priorities change.

This effort helps ensure the audit activity is aligned with the bank’s objectives by answering two key questions:

• First, what goals is the bank trying to accomplish in the upcoming period? • Second, how can the Internal Audit Department assist the bank in achieving these goals?

Internal auditors will often conduct a series of interviews of senior management to identify potential engagements. Changes in people, processes, or systems often generate audit project ideas. Various documents will be reviewed, such as strategic plans, financial reports, consulting studies, etc. Furthermore, the results of prior audits and resolution of open issues are considered. For example, Even if a business area is important, prior audit work and the nature and status of open issues may render further audit effort unnecessary.

The preliminary plan of engagements is documented and prioritized. Audit resources and expertise are then considered and a final plan is presented to senior management and the Audit Committee. The presentations vary based on the needs of the stakeholders and may include the following:

• Summary of key goals, risks and corresponding major audits, to illustrate alignment; • Analyses of audit effort along a variety of dimensions (e.g., by business segment, standard objective

category, IT, vs. prior year, etc.) along with commentary regarding changes; • Brief description of critical potential audit engagements identified; • Audit engagements requested but not planned for execution due to prioritization and resources; • Required co-sourcing effort, typically where outside expertise is required or during peak periods; • Coordination with other risk functions, such as legal, compliance, or insurance, to ensure coverage

of key organizational risks; • Update on audit staffing levels, experience, and certification; and • Appendix materials, such as planning approach, assumptions (e.g., days per auditor and staffing level)

and brief descriptions of all planned audits and related prioritization.

13 | P a g e

http://en.wikipedia.org/wiki/Risk_assessment


3.2 BEST PRACTICES IN INTERNAL AUDIT DEPARTMENT

MEASURING THE INTERNAL AUDIT FUNCTION

The measurement of the internal audit function can involve a balanced scorecard approach. Internal audit functions are primarily evaluated based on the quality of counsel and information provided to the Audit Committee and top management. However, this is primarily qualitative and therefore difficult to measure. “Customer surveys” sent to key managers after each audit engagement or report can be used to measure performance, with an annual survey to the Audit Committee. Scoring on dimensions such as professionalism, quality of counsel, timeliness of work product, utility of meetings, and quality of status updates are typical with such surveys. Understanding the expectations of senior management and the audit committee represent important steps in developing a performance measurement process, as well as how such measures help align the audit function with the bank’s priorities.

Quantitative measures can also be used to measure the function’s level of execution and qualifications of its personnel. Key measures include:

1. Plan completion: This is a measure of the degree to which the annual plan of engagements is completed, measured at a point in time. This may be measured using the number of audit engagements completed, weighted by the planned size of each assignment, with estimates for audits in-progress. Measured throughout the year, it is compared against the percentage of the year elapsed.

2. Report issuance: This is a measure of the time elapsed from completion of testing to issuance of the final audit report, including management’s action plans. This can be measured in average days or percentage of reports issued within a certain standard, such as 30 days. Establishing expectations for the timing of management’s response to report recommendations is critical. In addition, the scope and degree of change involved in the report’s action plans are key variables.

3. Issue closure: Reported audit findings are often called “issues” or “deficiencies.” Professional standards require audit functions to track reported findings to resolution, which effectively requires the maintenance of an issues follow-up database. The number of days that reported issues remains open, or open after their agreed-upon closure date, are key measures. In addition, reporting database statistics such as the number of issues open (unresolved), closed (resolved), and issues opened/closed during a given period are useful statistics.

4. Staff qualifications: This can be measured through the percentage of staff with professional certifications, graduate degrees, and overall years of experience.

14 | P a g e

http://en.wikipedia.org/wiki/Balanced_scorecard


5. Staff utilization rate: This is measured as the percentage of time spent on audit engagements, as opposed to administrative time such as training or vacation. Many internal audit departments track time by audit engagement. This is typically captured in a database or spreadsheet.

6. Staffing level: The number of positions filled relative to the authorized staffing level. Due to the challenge of finding qualified staff, departments may have rotational programs to bring in management to complete tours in the function or be "guest" auditors. Audit departments also "co-source," meaning they obtain contract auditors from a service provider.

3.3 DEVELOPING AND RETAINING INTERNAL AUDIT STAFF

Developing and retaining quality professionals is a key concern in the profession. Key methods for developing and retaining internal audit staff personnel include:

• Providing challenging, varied assignments. • Ensuring quality supervision. • Ensuring staff participate in audit engagements from start to finish, to learn all phases of the audit

process. • Providing opportunities to lead assignments. • Participating in departmental improvement task forces, such as preparation for a quality assurance

review. • Participating in the recruiting and interviewing process for new staff. • Rotating through various audit teams (in larger departments) or audits of various businesses. • Providing both outside training (e.g., seminars) and in-house training (e.g., company systems) for two

weeks/year. • Participation in annual risk assessment activities, whether asking key questions or just taking notes.

3.4 REPORTING OF CRITICAL FINDINGS

The Head of Internal Audit typically reports the most critical issues to the Board Audit Committee monthly, along with management's progress towards resolving them. Critical issues typically have a reasonable likelihood of causing substantial financial or reputational damage to the Bank. For particularly complex issues, the responsible manager may participate in the discussion. Such reporting is critical to ensure the function is respected, that the proper "tone at the top" exists in the organization, and to expedite resolution of such issues. It is a matter of considerable judgement to select appropriate issues for the Audit Committee's attention and to describe them in the proper context.

15 | P a g e

http://en.wikipedia.org/wiki/Audit_Committee


4.0 FOCUSED AUDIT

4.1 OVERVIEW

To conduct a more in-depth audit of suspected problem areas, use the following procedures: • Outlines, • Checklists, and • Sample forms.

The targeted processes should be chosen from the general or “overview” audit or problems that have surfaced. Use the planning guides as stated above. RISK ASSESSMENT AND CONTROL ACTIVITIES Risk Assessments and Control Activities should be analyzed and developed for each of the following transaction cycles:

• Revenue Cycle – the set of activities and transactions included in the production of revenue. For Banks this includes fees and interest revenue pertaining to credit operations, savings, and insurance.

• Expenditure Cycle – the set of activities and transactions included in acquiring goods and services.

• Conversion Cycle – the set of activities and transactions included in holding and managing fixed assets.

• Treasury/Financing Cycle – the set of activities and transactions included in holding and managing cash and investment assets.

To implement the cycle approach the Bank should:

• Outline the transactions and activities for each cycle.

• Identify the potential risks at each point.

• Prioritize the risks by likelihood, frequency, and impact.

• Identify the appropriate standards to reduce the risks.

• Establish and implement controls.

• Monitor compliance with established controls.

Specific control activities for each cycle should be addressed in the respective finance and operating policies for:

16 | P a g e


• Client Records (e.g., lending, saving, etc.)

• Expenditures

• Purchasing Fixed Assets

• Cash Management

• Funding

4.2 PERFORMING THE AUDIT

There is no single right way to do an audit. Auditing is about understanding requirements, looking for opportunities for improvement, looking for best practices, asking questions, gathering information, analyzing what’s seen and heard, forming opinions, and reaching conclusions. This effort requires that auditors be prepared, fair, objective, impartial, and, above all, exercise good judgment. Remember that audits are not only to find what procedures need improvement, but an auditor also should recognize outstanding efforts and practices by individuals and note them in their report. AUDIT PROCEDURES:

• Hold an opening meeting with the person in charge of the area to be audited. • Things to be done at this meeting include introducing all parties and reviewing the audit

objectives and scope, as well as putting the audited party at ease with the whole process. This meeting can be short and held anywhere.

• Carefully observe the process and final output. Here the auditor probes to assess the degree to which the processes are operating in conformance with the requirements of the company’s QSM.

• Ask questions. It is important to ask open-ended questions since the answers are rich in information about process performance and personnel competence. An open-ended question is one that requires more than a yes or no answer.

• Gather objective evidence of the extent to which requirements are or are not being met. For example, if loan officers are collecting processing fees, is this required to be documented? Ask to see this documentation to ensure that it is being done and done properly.

• Keep good notes. Good notes will minimize the struggles to remember what was observed at various auditing points.

• Analyze objective evidence, looking for opportunities for improvement. • Auditors should ask themselves questions such as, is the process operating under controlled

conditions? Is there an opportunity for improving the process? Are the requirements outlined in the company QSM being met or exceeded?

• Take all aspects of the audit into account prior to reaching a conclusion. Is a failure observed to be an isolated event or is it systemic? Are there any areas that should be noted for consideration of action to improve performance, such as lowering cost, reducing rework, or improving output? Are there any individuals or crews who displayed uncommon diligence, professionalism, or attitude that merits special recognition?

17 | P a g e


• Hold a closing meeting with the person in charge of the audited area. It would also be a good idea to have the General Manager at this meeting. At this closing meeting, auditors should share their overall opinion on what they have observed, outlining the negative and positive observations. Explain the process for corrective action on any significant adverse findings. To the best of their abilities, auditors at this time should also try to resolve any disagreements the person in charge may have with the auditor’s conclusions.

4.3 DOCUMENTATION

Documentation can be the most difficult part of the audit. This is where auditors write down their findings in a clear, concise, and brief summary of facts. As it was stated before, it is important to document both the good and bad observations. Documenting positive findings can be an effective tool in reinforcing good performance. These documented facts must be truthful, objective, apply to the scope of the audit, and must be written in a way that all parties involved can understand them. The findings must simply show that they comply with the requirements of the QSM or they do not. The audit report is the official record of the audit and should contain:

• Scope and criteria of audit. • Listed objectives of audit. • Auditor’s name and area being audited (remember not to use names except that of the auditor). • Date and location of audit. • Findings and positive practices. • An overall closing statement, which could include action items for area reviewed.

4.3.1 RETENTION OF AUDIT DOCUMENTS

All audit reports and work documents shall be kept for five years.

18 | P a g e


5.0 INTERNAL AUDIT OPERATIONAL PROCEDURES

5.1OVERVIEW

The RCB’s Internal Audit department shall cover all operational areas of the bank that will include but not limited to the following:

1. General Internal Controls procedures 2. Assignment of New Clients and Client Management 3. Loan disbursements and repayment procedures 4. Client savings accounts management procedures 5. Loan portfolio provisions for doubtful debts and write off procedures 6. Finance and General recordkeeping procedures 7. Bank and Cash transactions procedures and controls 8. Fixed Assets acquisitions, management and disposal controls and procedures 9. Financial statements procedures 10. Maintenance of proper books of accounts 11. Implementation of External auditors recommendations and Management Letters 12. Implementation of Board of Directors and board sub-committees recommendations 13. Board of Directors minutes and meeting procedures 14. Authorization controls and limits 15. Management of internal and external debt 16. Share capital issues controls 17. Compliance of regulatory reporting to Bank of Ghana, 18. Compliance of regulatory reporting to ARB Apex Bank, 19. Compliance of regulatory reporting to Ghana Revenue Agency Board 20. Other compliance areas such as Association of Rural and Community Banks 21. Short and Long term investments decisions and management including Fixed Deposits 22. Anti-Money Laundering 23. Business Continuity and Disaster Recovery Procedures

19 | P a g e


5.2 SAMPLE CHECKLIST

1.Security and General Controls Y N N/A Remarks Date In Charge

i) Do the windows permit a clear view of the bank’s interior and are they kept reasonably unobstructed?

ii) Have exterior lights been installed to illuminate all darkened or shadowed areas around the RCB‘s buildings?

iii) Is the vault area illuminated at night?

iv) Is there an emergency lighting source?

v) Are the locks on exterior doors and windows tamper-resistant?

vi) Are doors and windows equipped with steel bars or other burglar-resistant materials?

vii) Are all unusual entrances (air conditioner intakes, manholes, skylights, and the like) protected by an alarm, steel bars, or other?

viii) Is there a regular procedure for securing side and back doors while the bank office is open for business?

ix) Is there a documented procedure for opening and closing the building and vaults that protects against attacks?

x) Are armed guards on duty in the lobby during banking hours?

xi) Are there alarm-activating devices at lobby teller stations?

xii) Is there an emergency power supply for use if the regular supply fails?

xiii) Are vaults made of steel-reinforced concrete?

xiv) Are vaults equipped with a dial combination lock, a time lock, and a substantial lockable day gate?

xv) Are safes too heavy for relatively easy removal, and are they securely anchored to the premises?

20 | P a g e


xvi) Are safe doors equipped with a combination lock?

xvii) Are the vault walls, floor, ceiling, and door protected by an alarm system?

xviii) Are the vault walls, floor, ceiling, and door protected by an alarm system?

xix) Is the vault equipped with an alarm or telephone so that an employee locked in the vault can sound an alert?

xx) Is opening of the vault under dual control?

xxi) Are there standard operating procedures for the safe transit of cash not needed at each office?

xxii) Are precautions taken to prevent theft of all unissued forms, checks, drafts, and the like?

xxiii) Are tellers and other lobby personnel regularly trained in robbery and post robbery procedures?

xxiv) Is there enough fire evacuation plan and fire tenders’ free movement?

xxv) Is there any plan for the Fire Services personnel to have regular fire inspection of all the company premises?

xxvi) Is there enough flood protection plan to avoid halting of work due to flood?

xxvii) Is there enough back up services to all company data?

2.New Clients and Client Management

Y N N/A Remarks Date In Charge

i) Do all clients have a membership card and number?

ii) Is the client an individual, group or corporate client?

iii) Are documentations covering registration and location on file?

iv) Is the cartography well detailed enough to trace client business location or resident?

v) Is the client telephone number(s) or call cards maintained on client file and at Unit Manager’s office?

21 | P a g e


vi) Is there any common identification item to be used to trace client business location?

vii) Are there any maintenance procedures to retained clients?

viii) Are there pay point centers in the units and if yes, is the location traceable?

vix) Check for communication between clients and the staff of the unit

x) Is there any means available to clients to lodge complaints?

xi) Is there any procedure to follow up client complaints?

3.Loan Disbursement and Repayments


i)Do all loan applications have signature or thumbprint of the borrower, and have the borrower’s photograph attached

ii)Check if the relationship officer submits the loan application to the unit manager and the unit credit committee for approval before disbursement

iii)Check authorization limit to the approved loan if it is within the approval limit of the unit

iv) Are all precondition procedures such as client savings been cleared before approval of loan application?

v) Does the client have any outstanding balance from any previous loan disbursed?

vi) Does the cashier initial against the signature of the loan officer, the unit manager and the branch manager on all loan approval before releasing cash for disbursement?

vii) Does the file contain each loan disbursement voucher?

viii) Do the loan officer and the unit manager sign each voucher?

vix) Does the cashier keep the last copy and gives the original and the first copies to the loan officer?

x) Check if loans to be approved by either management or the board credit committee have been referred to them for approval?

22 | P a g e


xi)If all loan amounts have not been disbursed as per the credit committee report, check: If the amount on the individual loan agreements have been amended to reflect the actual cash amount disbursed and then signed by the Unit manager, the credit committee members and loan officer and the client. Is the disbursement voucher amended to reflect the correct amount disbursed, and is it signed by the unit manager and the credit committee member and the treasurer?

xii) Do all the beneficiaries of the disbursed loan sign to acknowledge receipt of receiving the loan?

xiii) Do the names and customer numbers, total number of clients and the amount borrowed, as recorded in the various loan agreements match the data recorded in the loan portfolio?

xiv) Does the Treasurer/cashier check and count the cash handed over by the unit manager for confirmation of the amount received match with amount paid?

xv) Is the cash received from bank or vault arranged by denomination?

xvi) Does the Unit manager issue receipt to the treasurer covering the amount received for disbursement?

xvii) Is there a guarantor with details including photos attached to all loan application forms?

xviii) Do the loan officers receive collection expectation from the unit manager daily?

xix) Do the unit managers record daily the amount of cash being expected from clients through relationship officers?

xx)Does the Unit Administrator reconcile daily the cash received from the loan officers with the bank pay in slips and the cash on hand not banked?

xxi) Are all repayments including prepayments by clients recorded and receipts issued?

23 | P a g e


xxii) Are bank pay in slips produced to support all cash banked and are they properly filed?

xxiii) Does the relationship officer issue receipt covering cash receipt from clients and maintained copy on file for inspection?

xix) Does the cashier receive money from relationship officers after the unit managers reconcile and sign the return sheet?

xx) Does the cashier issue receipt to relationship officer after counting and agreeing the cash received?

xxi) Is cash received lodged in the safe immediately after counting?

xxii) Does the Bookkeeper update the cash books, the cash ledger and the daily cash position daily before the end of each working day?

xxiii) Do separate members of staff perform cashiering and accounting functions?

xxiv) Does the Unit manager ensure that the cashier does not have access to the accounting records, especially those related to cash transactions?

xxv) Is the watch list generated daily?

xxvi) Does the Unit manager reconcile cash receipt, banked and entered in the cash books and cash ledger daily?

xxvii) Is there any action on loans in arrears prompt and continuous?

xxviii) Do two relationship officers move to collect loan arrears to avoid potential disagreements with clients

xxix) Does the unit manager personally visit clients in arrears and in default?

xxx) Is the amount of cash from arrears collected recorded in the teller accounts and posted to cash on hand?

xxxi) Are the credit risk systems and procedures being followed?

xxiv) Does the Unit manager ensure that the cashier does not have access to the accounting records, especially

24 | P a g e


those related to cash transactions?

xxv) Is the watch list generated daily?

xxvi) Does the Unit manager reconcile cash receipt, banked and entered in the cash books and cash ledger daily?

xxvii) Is there any action on loans in arrears prompt and continuous?

xxviii) Do two relationship officers move to collect loan arrears to avoid potential disagreements with clients

xxix) Does the unit manager personally visit clients in arrears and in default?

xxx) Is the amount of cash from arrears collected recorded in the teller accounts and posted to cash on hand?

xxxi) Are the credit risk systems and procedures being followed?

4. Client Savings, Collaterals, and Securities

Y

N

N/A

Remarks

Date

In Charge

i) Does the teller verify that the addition and subtraction is correct before beginning the next transaction?

ii) Are the clients encouraged to report any passbook discrepancies to someone other than the teller or cashier?

iii) Are tellers expected to perform their job with low error rate? E.g., errors less than 5%

iv) Is teller/cashier monthly salaries partially based on his or her level of errors?

v) Check the maximum cash limit to be held by the cashier

vi) Is the maximum cash position reasonable?

vii) Does the maximum amount sufficiently limit initial risk of loss to the bank?

25 | P a g e


5. Loan Portfolio Provision and Write off

N N/A Remarks Date In Charge

I)Check company policies in relation to the calculation of provision for bad and doubtful debt

ii)Cross reference the policy with that of the regulatory requirements from Bank of Ghana

iii)Check if client savings balances have been considered before applying the provision rates

iv)Calculate the provision amount and compare to the amount shown by the Risk department

v)Compare the provision amount with the expected amount and establish and difference, if any

6. General Ledger, Vouchers, Payment/Other Record Keepings


i) Is one employee designated to daily verify all voucher entries to ensure details are posted correctly to the accounts?

ii)Does he/she check the “brought forward” and “carried forward” debit and credit figures to ensure they are correct?

iii) Does the Manager scrutinize each balance in the ledgers daily to ensure that they are correct account balances are reflected?

iv) Is one employee designated to ensure that all general subsidiary ledger vouchers are fully completed?

v) Have all vouchers been approved and initialed or signed, as needed, by all parties?

vi) When bills are paid in cash, is a receipt issued for the amount?

vii) Are full details recorded on vouchers for unit, branch and Head Office expense?

viii) Are all paid vouchers cancelled or perforated immediately after posting to prevent their re-use?

ix) Is there written, independent subsidiary records kept for each general ledger account?

x) Check if the subsidiary ledgers such as savings and loan ledgers, bank and investment ledgers and fixed assets depreciation records balance with the respective general ledger accounts monthly.

26 | P a g e


xi) Are all cash advances paid to out-of-office staff properly authorized and not excessive?

xii)Check if the records are in compliance with the statutory and regulatory requirements

xiii)Check if all cash receipts, check books, general journals and share or investment certificates are in sequential order

xix) Are all previous cash advances resolved within five days of an employee’s return to the office, and before new cash advance is granted?

xx) Check for the records on loan delinquency reports, dormant saving accounts and negative savings accounts.

7. Operational Manuals Y N N/A Remarks Date In Charge

i) Do the Unit Manager and Branch Manager keep master copies of the operations and administration manuals?

ii) Are all sections of the operations manual present and in the correct order in the binder, and is the index up to date?

iii) Does each staff member have copies of the manuals that relate directly to his or her job?

iv) Do all employees understand the sections relevant to their job?

V) Do all departments abide by the operations manuals?

8)Non-Current Assets a)Land and Buildings


i) Are the premises or the building easy to locate?

ii) Are natural disasters rare at the location? Are fire extinguishers available?

iii) Is the building or the premises secure against crime? Does it have permanent, solid

27 | P a g e


walls, ceiling and floors? Is the location in a low crime district?

iv) Is the gate locked overnight, with adequate security personnel on site?

v) Are all doors and windows well secured to prohibit forced entry?

vi) Are at least two different keys required to lock the building’s doors?

vii) Are at least two different keys required to unlock the strong room (Safe room) doors?

viii) Is the strong room secured to prohibit forced entry?

b)Safe

Y

N

N/A

Remarks

Date

Remarks

I) Is the safe fixed to the wall or floor to prevent easy removal?

ii) Do safe custodians issue receipts for all cash received, and are copies of the receipts kept in the safe?

iii) Are all changes of custodian for safe key and combination, and the date and time of each change, recorded in a register?

iv) Are the safe keys and combinations held separately at all times by senior staff?

v)Do outgoing and incoming safe custodians sign next to the change entries?

vi) Do duplicate keys and combinations exist?

Vii) Are there written procedures to access the duplicates?

Viii) Are receipts kept whenever duplicate keys or combinations leave or enter the safe?

ix) Is more than one custodian present when the safe is opened?

x) Before the safe is opened, are the main door(s) and the door to the strong room locked?

c)Computers and Other

Y

N

N/A

Remarks

Date

In Charge

28 | P a g e


Fixed Assets

I) Do fixed assets such as Computers, desks, filing cabinets, furniture, etc. values agreed with the listed or fixed assets register value?

Ii) Apart from wear-and-tear, are the furniture, equipment and machines well protected and in good condition?

iii) Are company motor vehicles and motorbike keys left at the premises after close of work?

iv) Is the fuel log maintained to record all fuel purchases?

v) Do staff with motor bikes wear helmets and other protective materials when riding?

VI) Do all fixed assets have a Fixed Assets Number clearly written on them in ink?

vii) Are all computers, printers and keyboards covered to protect them when not in use?

viii) Are all vehicle and bike business visits, destinations, mileage, and times of departure and return recorded?

vix) Do company vehicles carry only staff members and management committee members?

xx) Are vehicles cleaned regularly, maintained, and in good condition?

xxi) Are all fixed assets fully insured comprehensively with third party damages?

xxii) Are all repair bills reasonable and subject to competitive bidding?

9. Cash Records and Controls


i) Are all cash movements to and from the safe recorded in a cash book?

ii) Are entries in the cashbook and on receipts recorded in both numbers and words?

29 | P a g e


iii) Is all the cash kept in a locked vault or safe during nonbanking hours?

iv) Do the words and figures in all entries agree?

v) Do receipts for cash received into the vault prepared in triplicates? Does the final copy remain in the receipt book?

vi) Are the receipts in the receipt book in ascending order?

vii) When receipts are cancelled, are all three copies left in the receipt book?

viii) Is all cash in safe arranged in denomination, appropriately sealed, and the amount labeled on each bundle?

ix) Does the total cash count reconcile with the recorded total in the cashbook, the cash journal, and in the daily cash position register?

x) Is the cash limit for units and branches in writing?

xi) Is the unit and branch cash limit observed?

xii) Is the vault protected by an adequate burglary and/or robbery alarm system?

xiii) Is all cash not counted well separated from counted cash?

xiv) Did you undertake a random check of at least 50% of all cash transactions in the cashbook to confirm that the entries are correct?

10) Human Resources Y N N/A Remarks Date In Charge

i) Do all staff have files with the HR department?

ii) Do all employees have appointment letters and are on their individual files?

iii)Check employee files if it contain the application letters, interview result, and

30 | P a g e


qualification, appointment letters and salary scale iv)Are the files separated into staff in employment and staff member no longer with the company?

v) Do employees who resign, terminated, or dismissed from employment participate in an exit interview?

vi) Does management implement recommendations from employee exit interviews?

vii)Check if queries, suspension, promotion letters, etc. are kept on employee files

viii) On recruitment, who made the request for staff?

ix)Is there a quota for staff establishment approved by the Board of Directors

x) Are staff members holding the requisite qualification for their positions?

xi) Is there a capacity building program and budget for employees?

xii) Is management in compliance with staff welfare policies approved by the Board of Directors?

xiii) Are security background checks conducted on employees before recruitment?

xiv) Are there adequate bonding for employees who carry money?

11. Monitoring Revenue and Income


i) Do Unit/Branch Manager reconcile all entries to the interest income earned account?

ii) Is the watch list and expectation records available?

iii) Check to establish differences between expectation and actual and compare with the Unit manager’s records

31 | P a g e


iv) Are fee income records reconciled with the number of loan disbursements?

v) Does the rate applied on the loan through the accounting software system agree with actual rate given by management?

vi) Are all paying customer provided with receipt upon payment?

vii) Did you verify, by doing a sample check, that all the loans granted by the unit/branch is to genuine identities or clients?

viii) Did you verify, by doing a sample check, that there were no loans granted by proxy?

ix) What is the number and value of loans in arrears? Please check for arrears list from Risk and Rigor

x) Is the number of loans outstanding equal to or less than the number of unit/branch clients?

xi) Does the total value of the current outstanding loans agree with the value shown on the latest return submitted from the unit/Branch?

12. Insurance Y N N/A Remarks Date In Charge

i) Has the bank’s insurance policy been approved by the board of directors?

ii) Does the insurance policy call for formal analysis and consideration of all insurable risks and types of coverage?

iii) Are all insurance policies retained in an orderly file, and are all riders and endorsements attached to the policies?

iv) Are policy expiration dates properly recorded to assure prompt payment of renewal premiums?

v) Are all policies renewed and properly in the name of the rural bank?

32 | P a g e


13. Computer Processing and Emergency Preparedness

Y N N/A Remarks

i) Are computer operations performed where they cannot be seen by the general public and unauthorized visitors?

ii) Does the server room have heat or smoke detectors, temperature and humidity control equipment, water sensors, and alternate power supply (UPS system)?

iii) Are emergency plans for computer processing included in the bank’s emergency preparedness plans?

iv) Do emergency plans include procedures for the safe storage of data files and documents?

v) Do emergency procedures include power-off procedures, restart, and recovery procedures for equipment failure?

vi) Does the contingency plan specify conditions for off-site processing?

vii) Is there a policy for retention of backup data files to ensure that adequate recovery capability exists?

viii) Are there operating manuals for the system and users, including error messages with appropriate responses, restart, and recovery procedures?

vix) Are programmers prohibited from running test programs against live production files?

x) Have controls been established for each source of data entering the automated system?

xi) Is output reconciled to input by persons not responsible for the data entry?

xii) Are parameter changes properly approved, documented, and tested?

xiii) Are parameter changes reported and reviewed by an appropriate officer?

xiv) Is access controlled by user IDs and passwords that are tracked by the system and reported?

xx) Are changes to access levels reviewed by an appropriate officer not responsible and without ability to initiate such changes?

xxi) Are controls in place for vendor supplied changes to ensure proper installation?

xxii) Does the rural bank have a formal emergency preparedness plan that has been reviewed and approved by the board of directors?

xxiii) Does the plan provide for alternate physical facilities in the event that the rural bank’s office or other vital facilities are destroyed?

iv) Is there a plan for continuity of business and data recovery and is it up to date?

33 | P a g e


14. Customer Accounts Records Control Y N N/A Remarks

i) Do all customers have records in the computer software with numbers, location, identification pictures, and location directions?

ii) Are customers with loans recorded with the loan date, amount, interest, number of installments, and repayment dates?

Iii) Are customer payments receipted and posted into the systems?

iv) Are all customers issued with passbooks and based on units and branches?

v) Are passbook recordings being done on the field covering repayments made by customers?

vi) Are all customers classified under pay points with loan officers assigned to each pay point?

vii) Are all penalties chargeable against clients recorded and receipts given?

viii) Are all general ledger control accounts balancing with the customer ledgers?

vix) Are customer phone contacts list being kept at the branch manager’s office with updates?

xx) Are customer reclassifications based on repayment status being observed and done?

xxi) Are zero balances being observed before new loan processing commences?

xxii) Are all customers with savings products only identifiable?

xxiii) Are all customers assigned to a particular loan product recorded?

xiv) Are all offsets recorded and posted into the system?

xv) Are all offsets properly authorized and signed?

15. Pre Voucher Audit for Revenue and Capital Expenditure

Y N N/A Remarks

i) Check on the status /authorization of the person raising the payment voucher

ii) Check for the expenditure type being processed

Recurrent Expenditure, check the following:

i) Is the expenditure in the approved budget?

34 | P a g e


ii) If yes, does the balance outstanding cover the disbursement?

iii) If no, is authorization from the Board of Directors received?

iv) Is the payment authorized by the Executive Director?

v) Is it an accrued expense being paid? If yes, is the proper accrued code selected?

vi) If no, is the proper expense code selected?

vii) Are other relevant documents requesting for the release of the funds attached?

viii) Is approval given on the attached documents?

ix) Is the payment a one-time type?

x) Is the payment covering the full invoice value?

xi) Is the payment an installment of an invoice amount?

xii)If it is an installment payment, is the number of installments being made indicated and the outstanding installments being shown?

xiii) Are withholding taxes being applied?

xiv) Is the voucher signed by the person raising it?

xv) Is the voucher checked and approved before internal audit clearance?

Capital Expenditure, check the following:

i) Is the expenditure covered by the running budget?

ii) If no, has approval being sorted from the Board of Directors of the Board Finance Committee?

iii) Is there detail documentation covering the item being purchased?

iv) Have enough consultations from other suppliers been done to ensure quality and reasonable prices for the capital goods?

v) Is the payment a one-time type?

vi) Is the payment covering the full invoice value?

vii) Is the payment an installment of an invoice amount?

viii) If it is an installment payment, is the number of installments being made indicated and the outstanding installments shown?

ix) Are withholding taxes being applied?

x) Is the voucher signed by the person raising it?

35 | P a g e


xi) Is the voucher checked and approved before internal audit clearance?

36 | P a g e


6.0 EXTERNAL AUDIT AND ASSESSMENT PROCESS

6.1 DEFINITIONS:

An external audit is a formal and independent review of an entity’s financial statements, records, transactions, and operations performed by professional accountants to:

• Lend credibility to the financial statements and other management reports, • Ensure accountability for donor funds, and • Identify weaknesses in internal controls and systems.

Partners and staff of the independent professional firms annually express an opinion on accounts produced by reporting units. External audits are required either to satisfy statutory or Central Bank requirements. 6.2 COMMON EXTERNAL AUDIT SERVICES

This includes:

• Annual financial statement audit - confirms that the financial statements are free from material misstatement. Output: Audit report, including an opinion, financial statements, and notes.

• Special purpose audit - generally to audit compliance with donor requirements, including use of funds.

• Agreed-upon procedures - obtains detailed results of specific testing procedures for selected transactions or account balances.

6.3 KEY AUDIT COMMUNICATIONS

These include:

• Terms of reference: A document that lists the client’s requirements and on which the audit firms will base their proposal.

• Engagement letter: A letter signed by the auditors and Company management which provides detail of the services to be performed and each party's respective responsibilities

• Management letter: A letter from the auditors to Company management and Board of Directors, which contains constructive comments that management can use to improve operations or internal controls.

• External Rating: Separate from an audit, an external rating is an independent evaluation of Company. The evaluation may include operational effectiveness, financial position and ratios, social impact, as well as other aspects of operations.

37 | P a g e


6.4 APPOINTMENT AND DISMISSAL OF AUDITORS.

RCB’s must comply with local statutory and regulatory requirements concerning the appointment and dismissal of auditors.

The appointment and dismissal of auditors is a serious matter and should only be undertaken by the Board of Directors and Shareholders.

If management is dissatisfied with their auditors they should take the matter up in the first instance with the partner of the firm of auditors that deals with the bank and report to the Board and Shareholders for the firm’s removal.

6.5 AUDIT COMMITTEES

The function of the Audit Committee of the Board of Directors, so far as it affects the statutory audit, is:

a) To review and discuss the audit plan with the external auditors.

b) To review the level of audit.

c) To discuss with the external auditors any problems encountered in the course of the audit, and to ensure that steps were taken to resolve them.

d) To receive quarterly report from the Internal Audit function and ascertain that the auditors have no reservations on any matters arising from the audit.

e) To review matters of significance arising from the external auditors' Management Letters.

The Committee therefore acts as a semi-independent review and control body to ensure that pertinent matters are brought to the Board's attention. The Committee also reviews the efficiency and effectiveness of the internal inspection function and reviews periodic reports from the Head of Internal Audit.

6.6 INTERNAL CONTROL AND EXTERNAL AUDIT

Despite certain similarities in the way in which the Internal Control Department and the External Auditors operate there are fundamental differences in their respective objectives.

The External Auditors are seeking to determine if the accounts are "true and fair." Errors or fraud may have occurred which have not been noted by the auditors but providing such errors or frauds are not material in the context of the accounts, this will not preclude them from correctly expressing the opinion that the accounts show a "true and fair" view of the unit's accounts. Thus the External Auditors do not set out to detect fraud, errors, or departures from the bank's accounting function per se, though their testing should reveal any material frauds, errors, or departures from bank procedures.

38 | P a g e


Internal Audit or Internal Control function shall be independent of management. The Internal Auditor must report to the Board to ensure independence of management. Their brief include the prevention or limitation of loss to the bank arising from:

a) Non-compliance with the bank's, statutory, regulatory or fiscal requirements.

b) Forgery or other malpractice, however caused.

c) Deficiencies in controls and/or physical security arrangements.

To ensure the highest standards of Internal Control, the Internal Control Department will carry out ad hoc series of high level reviews and in-depth inspections of departments. All such inspections/reviews shall be carried out without notice and will be subject to written report identifying areas of weakness and non-compliance. Management must comment on all points raised and correct all deficiencies within the prescribed time.

The Internal Control Department is responsible to the Bank's Board by providing the comfort that control systems and compliance standards within the individual business functions are satisfactory. For their part, External Auditors will be required, as part of their audit, to independently review the work undertaken by the Internal Control Department.

As indicated above, part of the External Auditor's work will involve reviews of the reports produced by the Internal Control Departments. These reports are not normally designed for use by External Auditors, but may be used by them as part of their auditing procedures. External Auditors often rely on other professionals for the audit of the financial statements of their clients. Reliance on internal auditors results in cost savings to the client. Technical competence and scope of function are the two most important criteria that external auditors consider in their reliance on internal auditors.

6.7 AUDIT PLANNING

Any effective audit must be planned, and the bank must ensure that there are pre-audit meetings between management and the external auditors. These meetings should seek to establish when the auditors will be arriving and any special requirement the auditors may have (such as special computer reports, security passes, etc.). Management should also take this opportunity to review the bank's performance during the year with the auditors and inform them of any potential difficulties that may be experienced.

Management must also obtain an estimate of the costs of the audit, as well as a breakdown of hours worked/estimated to be worked by each grade of the audit staff, together with the expenses of the audit. Any excessive increase over budgeted fees or previous years' fees must be justified prior to start of the audit. The auditors must also be informed each year that if they experience any delays which will result in additional costs being incurred, management must be informed immediately. Likewise, any increase in the scope of the audit from one year to the next must be justified in advance.

39 | P a g e


6.8 MANAGEMENT LETTERS

As part of the external audit the auditors will normally produce a Management Letter which will outline major weaknesses found in internal control systems. This letter should be discussed by the auditors with management who should:

a) Agree the factual accuracy.

b) Comment on suggestions for improvement.

c) Take action to introduce any improvements suggested which are acceptable either by:

I. implementing those suggestions falling within the scope of their authority, or

II. forwarding recommendations to the Audit Committee.

6.9 LETTERS OF REPRESENTATION

It is sometimes the practice of auditors as part of their audit to seek Letters of Representation (sometimes referred to as “Letters of Comfort”) from the bank at the end of the audit. These letters are usually requested by the auditors to confirm material matters where knowledge of the facts is confined to management or where the matter is principally one of judgement and opinion and where the auditor is not able to obtain independent corroborative evidence.

6.10 AUDIT FEES

Audit fees are monitored and reported to the Audit Committee and the Board. If fees are seen to be out of line with the competition the auditors will be asked to justify their fees. Management must receive a time/cost analysis from their auditors in advance of the start of the audit as well as a budgeted fee to be submitted to the Audit Committee/Board. It should be noted that both audit expenses and fees should be (separately) submitted to the Board – fees paid to the audit firms for other services i.e., bookkeeping, accountancy help, tax work, etc. should not be included as part of audit fees. Any excess fees, i.e., above that estimate submitted to the bank by the auditor, should not be paid until management has been satisfied by their auditors that the excess could not have been reasonably foreseen. Any increase of audit fee from the previous year (both budget and actual fee) should be justified by the auditors.

6.11 ENGAGEMENT OF EXTERNAL AUDITORS

The external auditor is engaged by, and ultimately responsible to, the Board of Directors and shareholders. It is crucial for the Board to be involved in the planning and oversight of the external audit. This is done by the audit committee of the Board.

40 | P a g e


The process of commissioning an external audit begins by determining a scope of work that will form the basis for the terms of reference for the engagement.

The terms of reference are generally approved by the full Board.

Audit work required will depend on the size of Company and will range from agreed-upon testing procedures to full financial statement audits.

Audit firms are chosen based on the following:

• Ability to meet the requirements of the terms of reference (including timing) • Local and/or international reputation for quality (fairness/objectivity) • Price as compared to competing bids for the same engagement

All parties (lenders, grantors, regulators, owners) may require financial statements prepared in accordance with IFRS. Company should avoid by all means Qualified, Adverse, or Disclaimer of opinions on their financial statements.

Company should also avoid any reporting by the external audit of material weaknesses over internal controls.

Company management should try to solve any misunderstandings with the external auditors and help to issue an unqualified audit report.

If there are disputes that cannot be solved between Company management and the external auditors, Company management should contact ARB Apex Audit team for assistance.

41 | P a g e

Documents

AUDIT POLICY MANUAL FOR RURAL AND COMMUNITY BANKS (JULY …