Internal Audit Survey Lithuanian Banking Sector

  • 8/6/2019 Internal Audit Survey Lithuanian Banking Sector

    Consulting and Risk Services

    Internal Audit Survey

    Lithuanian Banking Sector

    July 2009

    Table of contents

    Foreword
    Executive Summary
      Objective of the Survey
      Scope and Respondents of the Survey
      Key Findings of the Survey
    Detailed Survey Results
      Size of Internal Audit Departments and Level of Support from 3rd Party Providers
      Experience, Qualifications, Training and Staff Retention
      Audit Planning and Delivery
      Main Objectives of the Internal Audit Department and the Value It Adds
      Internal Audit Department Performance
      Tools, Professional Standards and Methodologies
      Communication and Reporting
    About us

    Foreword

    Recent years have shown an unprecedented degree of change in the world of Internal Audit. Heads of Internal Audit Departments and risk professionals have been asked to cope with major corporate scandals and economic uncertainty and the changes that these events have had on their organisations and governance processes. In addition, they have had to familiarise themselves and provide assurance on the ever increasing use and complexity of technology. Organisations are also extending beyond their traditional barriers into close and complex relationships with third parties. The green agenda also continues to become more important within organisations as stakeholders demand more assurance on how organizations are responding to public concerns in this area.

    All of this has meant that the role and responsibilities of the Head of an Internal Audit Department are becoming ever more demanding and who knows what the short term future will bring, as the global economy tightens and the fiscal and monetary authorities take action. These factors impact Internal Audit Departments in a variety of ways, including the skills that need to be obtained and deployed, the quantum of available resources we have to hand and responding to new and emerging business risks.

    This brochure provides context arising from the recent Deloitte Lietuva UAB survey which was conducted in order to benchmark the performance of Internal Audit Departments within the Lithuanian Banking industry. It has been a period of unprecedented change which we do not see abating. For internal auditors and risk professionals, coping with such significant change is now business as usual.

    Andrew Cross

    Director In Charge of Lithuania & Baltic States

    Consulting and Risk Services

    Deloitte Lithuania

    July 2009

    Tim Mahon

    Managing Partner

    Deloitte Lithuania

    July 2009

    Executive Summary

    Objective of the Survey

    The goal of the Internal Audit Survey for banking institutions is to help respondents assess and understand the state of internal audit within their bank relative to their Lithuanian peer group.

    Internal Audit within the banking sector is a fast growing area that is faced with an ever changing and increasingly complex regulatory and technological environment. Financial services institutions, now more than ever, recognize the importance of performance measurements and benchmarks in helping them manage complex systems and processes. Benchmarking with a peer group can assist organizations in identifying those practices that, when adopted and implemented, have the potential to produce superior performance.

    By summarizing the survey data, collected in the first half of 2009, we were able to determine differences and similarities among the practice of Internal Audit departments of Lithuanian banks, and identify trends.

    Scope and Respondents of the Survey

    The survey covered the following areas:

    • Size of Internal Audit departments and level of support from 3rd party providers;
    • Experience, qualifications and training;
    • Planning and performing audits;
    • Audit planning and delivery;
    • Main objectives of the Internal Audit Department and the value it adds;
    • Internal Audit Department performance;
    • Tools, professional standards and methodologies; and
    • Communication and reporting.

    This report presents the results of the survey in which 10 of the 11 commercial Lithuanian banks participated. The responses to the survey were provided by the Head of the Internal Audit departments within the banks.

    Key Findings of the Survey

    All of the surveyed Banks have an Internal Audit Department, which, on average, consists of 6 full time internal resources. Nearly 70% of the auditors employed by the surveyed banks hold professional qualifications, with the most common being the Lithuanian Internal Audit Certification. Less than 10% of the auditors hold either the International Certified Internal Auditor or Certified Information Systems Auditor qualifications.

    For 90% of the surveyed Banks the Head of the Internal Audit Department reports directly to the Audit Committee.

    50% of the Banks surveyed have specialist IT auditors and capabilities, with approximately 25% of total audit department time being spent on IT related activities. None of the Banks currently have specialist fraud auditors.

    70% of the Banks use specialist 3rd party providers to assist them, typically outsourcing up to 25% of their annual activities.

    On average, each of the Banks invests 11 days per annum into training each of its auditors. A common issue appears to be the lack of supply of adequate training courses in Lithuania.

    All of the Internal Audit Departments are performing activities to assess compliance with MiFID requirements. The majority also perform audit activities in respect of Basel II and Bank of Lithuania Act 149 requirements. However, at the current time, there appears to be limited audit activities in the areas of Anti-Money Laundering and protection of personal data.

    80% of the Internal Audit Departments indicate that they have recently updated their 2009 plan to reflect new risks driven by the current economic uncertainty, with more emphasis being placed on areas such as credit risk and provisioning, loans and collateral management and liquidity risk.

    The majority of the Internal Audit Departments plan to perform an audit of their Bank's governance processes in 2009.

    40% of the Internal Audit Departments fully delivered their 2008 audit activities in accordance with plan, with the majority of the remaining Departments delivering at least 75% of their planned activities.

    All of the Departments base their work on the Standards of the Institute of Internal Auditors. However, 60% of the Departments, at the time of survey, had not implemented the updated Standards that became effective on 1 January 2009. 60% of the Internal Audit Departments have formally defined and documented their Internal Audit policies, procedures and methodologies (i.e. Internal Audit Manual).

    The surveyed Internal Audit Departments indicated that their main value drivers were:

    • To assist management to improve the effectiveness and efficiency of their Bank's internal controls;
    • To assure compliance with external regulations and internal policies and procedures; and
    • To assist the Bank to increase the operational efficiency of its processes and activities.

    A variety of methodologies and approaches are used to evaluate and improve Internal Audit Department performance, with 70% of the Departments using established key performance indicators. 60% of the Departments indicated that an independent external quality assessment had been performed within the last two years. A further 20% will perform such an assessment within the next two years.

    The survey participants indicated that it currently takes, on average, 55 days to recruit a new internal audit resource. This time period is expected to decline during periods of economic and business uncertainty.

    [Figure 3. The most important factors for retaining Internal Audit resources (percentage of surveyed Banks). Categories: Providing professional development; Compensation; Opportunities to rotate into other positions within the business; Challenging assignments; Recognizing and rewarding performance; Flexible work schedules; Other.]

    [Figure 4. Proportion of the 2008 Internal Audit Plan delivered. Categories: Delivered 100% of 2008 Internal Audit Plan; Delivered 75-99% of 2008 Internal Audit Plan; Delivered 50-74% of 2008 Internal Audit Plan.]

    Audit Planning and Delivery

    70% of the Banks indicate that there is a high level of interaction between their Internal Audit Department and their risk management and compliance functions, with proactive sharing of risk and control information. Only 1 of the 10 Banks indicated that there is no interaction between these functions.

    In respect of successful delivery of the 2008 Internal Audit Plan, 40% of the Banks' Internal Audit Departments fully delivered their Plan on time and 50% of the Departments delivered at least 75% of their Plan (See Figure 4).

    On average, 25% of the Banks' Internal Audit activities related to assessing controls over IT and Information Systems (See Figure 5).

    [Figure 5. Proportion of the actual work related to IT activities (percentage of surveyed Banks). Categories: More than 50%; 40-50%; 20-39%; 10-19%.]

    On average, 15% of the Banks' Internal Audit activities related to investigating potential fraud and assessing anti-fraud control frameworks (See Figure 6).

    [Figure 6. Proportion of the actual work related to fraud reviews (percentage of surveyed Banks). Categories: More than 50%; 20-39%; 10-19%; Less than 10%.]

    [Figure 7. Other regulatory driven audits (percentage of surveyed Banks). Categories: Act No. 149 on Internal Control and Risk Management issued by the Bank of Lithuania; Basel II regulations; Law on Legal Protection of Personal Data No. X-1444; Law on Prevention of Money Laundering No. VIII-275; Act No. 125 and 148 on Internal Audit issued by the Bank of Lithuania; Law on Banks No. IX-2085; Law on Financial Institutions No. IX-1068.]

    All of the Banks' Internal Audit Plans include activities to assess compliance and controls in respect of the Markets in Financial Instruments Directive (MiFID).

    All of the Banks also perform other regulatory audits (See Figure 7). Notably:

    • 80% perform audits in respect of Basel II requirements and compliance with the Bank of Lithuania's Act 149 Internal Control and Risk Management requirements
    • 20% perform audits in respect of compliance with Anti Money Laundering and Protection of Personal Data regulations

    The survey showed that the Banks are planning to perform an audit of their governance process and systems in 2009 with 70% of the surveyed Banks answering positively.

    80% of the surveyed Banks indicated that they have recently updated their 2009 Internal Audit Plan in order to reflect and address new risks driven by the current economic uncertainty, with specific focus being placed on credit risk and provisioning, loans and collateral management and liquidity risk.

    Main Objectives of the Internal Audit Department and the Value It Adds

    90% of the surveyed Banks indicated that the most important objective of the Internal Audit Department is to improve the Bank's internal controls. The following other objectives were also highlighted as being important and areas of focus:

    • Improving the efficiency of the Bank and its processes;
    • Assessing compliance with external requirements and regulations; and
    • Assessing compliance with internal policies and procedures.

    The main areas of Internal Audit activity that are perceived as adding the most value to the Banks (See Figure 8) are as follows:

    • The development of risk management and control frameworks;
    • The development of internal control solutions; and
    • Increasing the operational efficiency of processes and activities.

    [Figure 8. Internal Audit Department activities perceived as adding the most value (percentage of surveyed Banks). Categories: Development of risk management and control frameworks; Development of control solutions; Address and resolve key business risks; Ensure effective financial reporting; Support the achievement of key business objectives; Increase the operational efficiency of processes and activities; Assist the development of secure IT systems; Enhance customer service procedures; Ensure compliance.]

    [Figure 9. Key methodologies and approaches used to measure the performance of the Internal Audit Department (percentage of surveyed Banks). Categories: Length of time to perform audit; The number of significant control related findings identified; Specific performance feedback received from Executive and Senior management and auditees; Cost savings / cash flow improvements identified; Level of success in delivery of the annual Internal Audit Plan; Number of Internal Audit Department recommendations fully implemented; Internal or self assessment of quality; An external quality assessment of the Department (in accordance with IIA Standards); Other.]

    Internal Audit Department Performance

    A variety of methodologies and approaches are used by the surveyed Banks to evaluate and improve the performance of their Internal Audit Departments (See Figure 9). The most popular are as follows:

    • An external quality assessment of the Department (in accordance with IIA Standards);
    • Specific performance feedback received from Executive and Senior management and auditees;
    • Level of success in the delivery of the annual Internal Audit Plan; and
    • The number of significant control related findings identified.

    70% of the Banks have established key performance indicators for measuring and monitoring their Internal Audit Department.

    60% of the Banks surveyed indicated that an external quality assessment of their Internal Audit Department has been performed within the last two years. On average, they intend to repeat the external quality assessment within the next 3-5 years. In respect of the remaining 40% that have not undergone an external quality assessment:

    • 20% expect to perform an external quality assessment in the near future (1 to 2 years); and
    • 20% are not planning for such an assessment to be performed.

    The surveyed Banks indicate that the two key areas for improving the performance of their Internal Audit departments (See Figure 10) are as follows:

    • Increased focus and attention on assessing the adequacy of internal controls to mitigate key business risks; and
    • More training and development of the skills and knowledge of its internal auditors.

    [Figure 10. Areas of improvement for Internal Audit Department (percentage of surveyed Banks). Categories: Improving communication with management; Improvement of Internal Audit Department methodologies and processes; Increased focus and attention on assessing the adequacy of internal controls to mitigate key business risks; Recruitment of more resources; More training and development of the skills and knowledge of its internal auditors; Implementing IT tools; Other.]

    [Figure 11. Use of professional standards (percentage of surveyed Banks). Categories: Other; Internal methodologies for performing Internal Audit; ITIL; ISO 27000 / ISO 17799; CobiT; IIA standards.]

    On average, the surveyed Banks are expecting to invest up to LTL 50,000 per annum into enhancing and developing their Internal Audit Departments.

    Tools, Professional Standards and Methodologies

    50% of the surveyed Banks use Internal Audit tools and technology such as ACL and other data interrogation software, automated working papers, knowledge databases, automated risk assessment tools and planning tools.

    All of the surveyed Banks' Internal Audit Departments base their work on the Standards of the Institute of Internal Auditors. However, only 40% of the Banks' Internal Audit Departments have implemented the updated Standards of the Institute of Internal Auditors, which became effective on 1 January 2009.

    The majority of the Banks with specialist IT internal auditors use CobiT standards as the base for their IT internal audit activities. Other professional standards being used include ISO and ITIL.

    60% of the surveyed Banks have also developed their own internal methodologies for performing Internal Audit activities (See Figure 11).

    [Figure 12. Reporting (percentage of surveyed Banks). Categories: Audit Committee; Group Head of Internal Audit; Board; Chief Executive Officer.]

    Communication and Reporting

    For 90% of the surveyed Banks, the Head of the Internal Audit Department reports directly to the Audit Committee. However, due to a number of the Lithuanian Banks being part of foreign based banking groups, a number of Heads of Internal Audit also report to the Group Head of Internal Audit, Chief Executive Officer or Board (See Figure 12).

    The Directors of the Internal Audit Departments of the surveyed Banks indicate that:

    • They have good communication and information flow with the Bank's Executive and Senior Management, in respect of current and emerging business issues and concerns;
    • They receive the appropriate level of support from the Bank's Audit Committee, Executive Management and Senior Management.

    On average, the Directors of the Internal Audit Departments report, meet and discuss audit and business issues with the Audit Committee and Management Board every month. 2 of the 10 Banks perform these activities on a weekly basis (See Figure 13).

    [Figure 13. Frequency of discussions or reporting of issues to the Board or Audit Committee (percentage of surveyed Banks). Categories: Weekly; Monthly; Quarterly; Less, infrequently.]

    About us

    Deloitte Lithuania is one of the leading professional services organisations in the country, delivering world-class audit, tax & legal, consulting, financial advisory and enterprise risk services. The practice serves many of the country's largest companies, public institutions and successful, fast-growing companies.

    Our internationally experienced professionals strive to deliver seamless, consistent services wherever our clients operate.

    Our Lithuanian practice is part of our regional firm, Deloitte Central Europe.

    Deloitte Central Europe has approximately 4,000 employees in 17 countries providing international and local services across the borders of the region.

    Our regional firm in Central Europe is a member of our international organisation, Deloitte Touche Tohmatsu. Deloitte delivers measurable value to our clients through a global network of diverse professionals who bring unmatched depth and breadth of expertise.

    With 14 years of operations in Lithuania, we are a fast growing and dynamic firm and enjoy the distinction of being a market leader in respect of audit and consulting services.

    Our major strength is our ability to render comprehensive services covering all principal areas of concern to businesses. Our services are coordinated by a lead client service partner and are rendered by individual professional partners and managers within the firm.

    Another competitive edge of our firm stems from the industry and technical expertise of our local and foreign professionals. As a result of the regional structure of Deloitte, we are able, as and when necessary, to draw upon the experience of our specialists in the Central European region and other professionals from our global network.

    For more information please contact:

    Tim Mahon
    Managing Partner
    Deloitte Lithuania
    Tel.: +370 5 255 3002

    Andrew Cross
    Director in Charge of Lithuania and Baltic States
    Consulting and Risk Services
    Deloitte Lithuania
    Tel.: +370 5 255 3014

    Gediminas Minkus
    Project Leader for Capital Market Services
    Deloitte Lithuania
    Tel.: +370 5 255 3021

    Dominyka Sakalauskait
    Project Leader for Internal Audit Services
    Deloitte Lithuania
    Tel.: +370 5 255 3016

    Dainius Guys
    Project Leader for IT / IS Services
    Deloitte Lithuania
    Tel.: +370 5 255 3018

    Laura Puodinait
    Project Leader for Consulting and Optimisation Services
    Deloitte Lithuania
    Tel.: +370 5 255 3013

    These materials and the information contained herein are provided by Deloitte Lithuania and are intended to provide general information on a particular subject or subjects and are not an exhaustive treatment of such subject(s).

    Accordingly, the information in these materials is not intended to constitute accounting, tax, legal, investment, consulting, or other professional advice or services. The information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that might affect your personal finances or business, you should consult a qualified professional adviser.

    These materials and the information contained therein are provided as is, Deloitte Lithuania makes no express or implied representations or warranties regarding these materials or the information contained therein. Without limiting the foregoing, Deloitte Lithuania does not warrant that the materials or information contained therein will be error-free or will meet any particular criteria of performance or quality. Deloitte Lithuania expressly disclaims all implied warranties, including, without limitation, warranties of merchantability, title, fitness for a particular purpose, noninfringement, compatibility, security, and accuracy.

    Your use of these materials and information contained therein is at your own risk, and you assume full responsibility and risk of loss resulting from the use thereof. Deloitte Lithuania will not be liable for any special, indirect, incidental, consequential, or punitive damages or any other damages whatsoever, whether in an action of contract, statute, tort (including, without limitation, negligence), or otherwise, relating to the use of these materials or the information contained therein.

    If any of the foregoing is not fully enforceable for any reason, the remainder shall nonetheless continue to apply.

    ***

    Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in 140 countries, Deloitte brings world-class capabilities and deep local expertise to help clients succeed wherever they operate. Deloitte's 165,000 professionals are committed to becoming the standard of excellence.

    Deloitte's professionals are unified by a collaborative culture that fosters integrity, outstanding value to markets and clients, commitment to each other, and strength from cultural diversity. They enjoy an environment of continuous learning, challenging experiences, and enriching career opportunities. Deloitte's professionals are dedicated to strengthening corporate responsibility, building public trust, and making a positive impact in their communities.

    Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/lt/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms.

    Member of Deloitte Touche Tohmatsu

    © 2009 Deloitte Lithuania