shariah audit - bank islam's · pdf filestrictly private & confidential page 1...

Strictly Private & Confidential

SHARIAH AUDIT - Bank Islam's Practice

Aligning Shariah Audit to IPPF and COSO ERM

30 April 2013

1) • Shariah Governance Structure

2) • Shariah Audit’s Roles & Responsibilities

3) • Shariah Audit Process & Methodology

4) • Shariah Audit Scope & Coverage

5) • Major Challenge in Shariah Audit

6) • Major Issues in Managing Shariah Risk

7) • Bank Negara Malaysia’s Minimum Expectation on Shariah Audit

Shariah Audit Unit, Internal Audit Division

AGENDA

SHARIAH AS OVERARCHING PRINCIPLE IN BANK ISLAM

SHARIAH SUPERVISORY COUNCIL (SSC) (Oversight accountability on Shariah

matters)

BOARD OF DIRECTORS

(Overall oversight on Shariah governance structure & Shariah

compliance) BOARD RISK COMMITTEE

AUDIT & EXAMINATION

COMMITTEE (AEC)

MANAGEMENT •  Ensure execution of business & operations are in accordance with

Shariah principles. •  Provide necessary resources, infrastructure, enablers to the SSC.

Shariah Risk Management Control Function: Identify, measure, monitor, report & control Shariah non-compliance risk

Shariah Review Function: Review business operation on regular basis to ensure Shariah compliance.

Shariah Research Functions: Conduct in-depth Shariah research prior to submission to SSC.

Shariah Audit (SA) Function: Provide independent assessment & objective assurance designed to value add & improve Bank Islam adherence to Shariah


RISK MGT DIVISION

Shariah Secretariat Functions: Secretary to SSC

Shariah Governance Framework of Bank Islam

Boa

rd L

evel

M

anag

emen

t Le

vel

Exe

cutiv

e Le

vel

Shariah Supervisory

Council

Board of Directors

Board Risk Committee

MRCC

ORCC*

Shariah Div (Shariah

Rev/ Research/

Secretariat)

Audit & Examination Committee

Internal Audit Div (Shariah

audit)

Zakat Committee

Managing Director

Note: SCRM – Shariah Compliance Risk Management MRCC – Management Risk Control Committee ORCC – Operational Risk Control Committee – Administratively – Functionally * w.e.f July 2012. Previously Shariah non compliance risk was over sighted by Shariah Compliance Risk Control Committee.

Shariah Review

Committee

Shariah Audit Unit Shariah Audit Unit, Internal Audit Division

Shariah Compliance

Risk

Risk Mgt Div

Shariah Governance Reporting Structure

AGENDA






6) • Major Issue in Managing Shariah Risk




Shariah Audit Roles & Responsibilities


Shariah Audit Roles & Responsibilities

Risk Management Approach Adopted by Bank Islam

1st LINE OF DEFENCE

Risk Owner or Risk Taking Units i.e. BU/SU

(including Business Heads, BMs, BRO/SRO/

DORC/All Staff)

2nd LINE OF DEFENCE

ORMD and ORCC

3rd LINE OF DEFENCE

Internal Audit Division

Provide INDEPENDENT ASSURANCE to Board of

Directors and Senior Management that Risk

Management Processes and Tools are effectively

implemented.

Responsible for ONGOING OVERSIGHT of risk & control at day

to day work level

ESTABLISH and MAINTAIN ORM Framework,

assessing, monitoring, reporting and controlling

risk on a bank-wide level.

AGENDA



3) • Shariah Audit Methodology & Process


5) • Major Challenges in Performing Shariah Audit

6) • Major Issue in Managing Shariah Risk




Risk Based Shariah Audit Methodology

Mgt of Shariah Risk in

Minimizing Potential

Loss

Criticality of Shariah risk Exposure

Quality/ Adequacy of Controls

& Risk Mitigant In

Place

Shariah Audit Methodology



•  Possible failures to comply with Shariah principles/ requirements or in other words possible incidences of Shariah non-compliance.

Shariah Risk

•  Shariah rulings and decisions issued by Shariah Advisory Council of BNM and Shariah committee of the IFI respectively and as determined by other relevant bodies.

Shariah Principles/

Requirements

•  Any action taken by the management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.

Internal Controls



The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Internal Control Components


Shariah Audit Process



Annual Audit

Planning

Audit Assignment

Planning Shariah

Audit Plan

Annual Audit Planning o Will be performed in the last quarter of the financial year end.

o Performs Shariah risk assessment on the Audit Universe (i.e. all audit centers/ clients)

o Develops/ Updates Shariah Risk Profiles & Shariah Audit Program.

o Determine the number of audit assignment to be conducted through out the next 12 months (risk areas against audit resources)

o Table to Audit & Examination Committee (AEC) and Shariah Committee (SC) for approval & endorsement.



ANNUAL SHARIAH RISK ASSESSMENT

Determine/ Understand the Audit Universe (list of audit centers/ clients)

Identify the Shariah Requirements/ Principles

(Shariah Risk Profiles)

Group the Shariah Risk Profiles into the common Shariah Risk Area.

Prioritize the Audit Center/ Client (Map against the Shariah Risk Area)



Shariah Risk Areas

Aqad Execution

(Touch Point) Product

Structure

Product Development

Product Documentations

Accounting Treatment (i.e.

Income/ Ta’widh/ Ibra’

Marketing Collateral &

Advertisement

Zakat (Computation

/ Payment/ Distribution)

Manual/ Procedures

(Shariah Requirements)

Dress Code



Shariah Audit Reference

•  Rulings and decisions of the Shariah Advisory Councils of Central Bank of Malaysia (or BNM) and Securities Commission of Malaysia (or SC);

•  Guidelines issued by BNM and SC, e.g. Shariah Parameter; •  Other relevant and applicable pronouncement issued by BNM; •  Rulings and decisions of the Bank’s Shariah Supervisory Council

(SSC) and Shariah Review Committee (SRC); and •  Approved product manuals / standard operating procedures /

internal guidelines pertaining to Shariah Compliance.



Annual Audit

Planning

Audit Assignment

Planning Shariah

Audit Plan

Audit Assignment Planning o Will be performed prior to execution of an individual audit fieldwork/ assignment.

o Reassess the Shariah risk on an audit center to be audited.

o Determine: •  Area of risk to be prioritized; •  Type resources & expertise required to carry out the audit exercise in the most

efficient and effective way; •  Audit Fieldwork Period; •  Scope of the Shariah Audit

o Obtain the Audit Authority Letter from Chief Internal Auditor/ Head of Internal Audit.



PRE-AUDIT SHARIAH RISK ASSESSMENT

Understand the activities/ operational/ IT processes of an audit center/ client

Review & Update the Shariah Risk Profiles

(New Shariah Requirements)

Update the Shariah Audit Program (if necessary)



Audit Program (Sample)

Risk Description

Shariah Requirements Reference Audit Testing

(Comply/ Not Comply)

Risk of Non-Shariah Compliance in Execution of Aqad/ Contract

(Trade Finance – Bank Guarantee)

The issuance of Bank Guarantee (BG) is subject to the following:   Acquisition of Shariah compliant assets.   Asset to be acquired for Shariah compliant activities.   Guarantee the performance of Shariah compliant activities/ transactions.

Bank Guarantee-i Secured 1:1 Against Cash Deposit Program Manual V5/2011, page 12 & 13.

Kafalah Aqad must be properly executed by the Bank and customer.

Kafalah Contract Guideline (Shariah/ SD9/ V2/2012) approved by SRC on 10MAY12.



Executed on a “Stand- Alone”

basis Jointly executed with Operations, Credits,

Head Office & Subsidiary Audit

Audit Execution (Fieldwork)



Audit Tools/ Techniques

Examine Documents

Interview

Observation

Questionnaires

Walkthrough

Data Mining



Objectives of Shariah Audit Report

•  Report the Shariah non-compliance or potential Shariah non-compliance events/ activities/ transactions.

•  Highlight the causal factor that lead to the Shariah non-compliance

•  Asses the degree of risk & impact to the Bank as a whole. •  Recommend corrective actions & improvements. •  Suggest the timelines for rectifications. •  Conclude the state of internal control system & risk management

process.



Shariah Audit Report

Table to Audit & Examination Committee

Extend to Shariah Committee (or Sub Committee) through Head, Shariah

Division for deliberation & further action

Extend to Head of respective audit center for further action



FOLLOW-UP OF SHARIAH AUDIT ISSUES

Shariah Compliance Risk Management (Track the Rectification Efforts using the Shariah Non-

Compliance (SNC) Tracking Report)

Shariah Committee (or Sub Committee) and Operational Risk Control Committee

(Oversee the Rectification Efforts)

Shariah Audit (Follow-up will be conducted on monthly basis and

the rectification status will presented to Audit Committee)

AGENDA










Shariah Audit Scopes

1. To assess the effectiveness of the Shariah oversight function & reporting structure.

2. To ascertain the degree of compliance with Shariah principles/ requirements.

3. To ascertain , review & test the system of internal controls of the Bank’s activities & operations.

4. To ensure the effectiveness of process and mechanism/ tools in managing Shariah risk.

5. To ensure the workflow procedures make the most efficient use of resources.

6. To ensure the promptness on addressing any identified Shariah non-compliant activities / events/ transactions


Shariah Audit Coverage

Shariah Audit’s

Business Partner

Bank Islam’s Head Office Functions & Branches

Bank Islam’s Wholly Owned

Subsidiaries

BIMB Holdings &

Subsidiaries (except for

Takaful business)


Shariah Audit Coverage

Shariah Audit

Management of Shariah Risk/

Shariah Governance

Shariah Compliance

Testing

Functions related to Shariah risk management e.g. o  Shariah Secretariat. o  Shariah Research. o  Shariah Review. o  Shariah Risk Mgt. o  Shariah Compliance Review. o  Product Development. o  Organization & Methods. o  Human Resource.

Shariah concerns related to activities & operations of the Bank e.g. o  Mgt of the product life cycle. o  Product structure of deposit,

financing, investment, services.

o  Transactional banking processes e.g. Trade Finance, Treasury, Financing & etc.

o  Sales & marketing activities o  Accounting treatment &

system.

AGENDA










Major Challenge in Shariah Audit

Shariah Audit Resources (Quantity & Quality)

•  What is the ideal number of Shariah Auditors for an Islamic Financial Institution (IFI)?

•  Depends on the competency level of Shariah Auditors and the size of an IFI.


Major Challenge in Shariah Audit

Competency (Adequate

Knowledge/ Skills)

Islamic Banking

Operations (Products/ Processes/

System)

Shariah (Fiqh Muamalat)

Auditing Techniques &

Practices Accounting Principles

Commercial/ Company

Laws

Risk Management

AGENDA










Major Issues in Managing Shariah Risk

Major Issues in Managing Shariah

Risk

Absence/ Incomprehensive “Shariah Risk

Profiles”

Absence/ Incomprehensive Tools for Risk

Detection/ Management

Performance of Shariah

Committee Members

Poor Dissemination of Shariah Rulings/

Decision

Inadequate Staff

Knowledge on Shariah

Requirements

Ineffective Shariah Review

Function

Shariah Risk Mgt Function

not Independent

Wrong Advice by Shariah Advisory Function

AGENDA









SHARIAH GOVERNANCE FRAMEWORK’S REQUIREMENTS

1.   Direct reporting to AEC and dotted line to SSC.

2.   To provide an independent assessment & objective assurance.

3.   Shariah auditor must have adequate Shariah-related knowledge & training.

4.   Group Shariah audit must be augmented in line with its responsibility.

5.   Shariah audit may be conducted:- i.   As part of the IFI’s audit on specialized areas; or ii.   According to the risk level; iii.   Materiality of the impact of Shariah non-compliance.

6.   AEC upon consultation with SSC shall determine the deliverable of Shariah audit function.

7.   Deliverables shall be consistent with accepted auditing standards.


Bank Negara Malaysia’s Minimum Expectation

SHARIAH GOVERNANCE FRAMEWORK’S REQUIREMENTS

8.   Scope of SA shall cover all aspects of the business operations and activities:- i.   Financial statements (FS); ii.   Org structure, people, process & IT application syst. (ITAS); iii.   Review on adequacy of the Shariah governance process.

9.   Process of SA shall be designed to enable the IFI to assess the implementation of sound and effective internal control system for Shariah compliance:- i.   Understand the business activities; ii.   Develop comprehensive Audit Program/ Plan; iii.   Making reference to relevant sources; iv.   Conduct audit on periodical basis; v.   Communicate audit report to AEC and SC; vi.  Provide recommendation on rectification; vii.  Following-up on the implementation.

10. IFI may outsource the SA function & audit cost shall be borne by the IFI.


Bank Negara Malaysia’s Minimum Expectation

THANK YOU

www.bankislam.com.my
