Financial institutions: SBP formulates instructions on internal audit function

The State Bank of Pakistan (SBP) has formulated Internal Audit Function (IAF) instructions for Financial Institutions (FIs) to provide a standardized framework for the establishment and implementation of robust internal audit governance.
As per these instructions all FIs will be required to set up a Board Audit Committee (BAC) comprising at least three non-executive directors, including a minimum of one independent director.
The independent director will be the chairperson of the committee and the board of the FI will satisfy itself that the majority members of the BAC have a good understanding of accounting, finance and audit related matters; and ensure that at least one member has relevant qualification and experience in the field of audit, accounting and finance.
The BAC will review and approve 'Internal Audit Charter' (IAC) and annual 'Risk Based Audit Plan' (RBAP).
The BAC/board will also approve budget for IAF that is sufficient to carry out the planned audit activities. In addition, the BAC will periodically review the utilization of assigned budget and if required, provide additional resources to IAF to perform its activities.
The BAC will approve the appointment/re-hiring/renewal of contract and removal of Chief Internal Auditor (CIA) and approve his/her remuneration, allied benefits, promotion/demotion and other terms of employment.
In addition, the CIA should be a professional having at least 15 years of experience in the field of finance (10 years for DFIs), with at least 5 years of aggregate audit experience in financial institutions at the time of appointment. The CIA will develop an 'Internal Audit Strategy' (IAS) to be reviewed by BAC and approved by the board.
The BAC will ensure that there are no restrictions on internal auditors' access to people, information, processes, properties, records, and systems to perform their audit activities with objectivity.
The BAC will regularly receive and review the summary of significant violations/observations, internal and external frauds, internal control deficiencies, organizational and personal material conflicts of interest, Shariah non-compliance issues etc. In addition, it will review the management's action plan to ensure that audit observations/recommendations receive proper and timely attention by the senior management.
The CIA, in consultation with BAC, will devise a comprehensive plan to adopt 'Risk Based Internal Audit' approach in line with 'Institute of Internal Auditors' (IIA) Standards and the best practices by December 31, 2020.
The CIA functionally report to BAC and administratively report to CEO, while he will be exempted from rotation requirements.
In addition to the above, the FIs are required to organize internal audit processes/activities as per the attached guidelines keeping in view their size, nature of business and complexities of their operations.
The SBP has also issued guidelines, which further reinforce/elaborated the requirements and communicate regulatory expectations with respect to the roles and responsibilities of BAC, CIA and functioning of IAF.
According to circular, the IAF is an essential element of internal control system of any financial institution (FI) that acts as a "Third Line of Defense" to provide an independent assurance on the state of internal controls. The FIs are operating in a dynamic business environment and are facing evolving risk exposures, which necessitate dynamic, rather than static governance and internal audit processes, it added.
Therefore, in line with the international standards and best practices the SBP has formulated IAF instructions for the establishment of robust internal audit governance. The SBP has advised FIs to comply with requirements of guidelines, in letter and spirit, by December 31, 2019.