Framework on the Relationship Between Bank Supervisors and Banks' External Auditors - October 2004

BANK LICENSING, SUPERVISION & SURVEILLANCE FRAMEWORK ON THE RELATIONSHIP BETWEEN BANK SUPERVISORS AND BANKS’ EXTERNAL AUDITORS 31 OCTOBER 2004

TABLE OF CONTENTS Page No. Preface………………………………………………………………….…… 3 Introduction ……………………………………………………. ………….. 5 Rationale for External Auditors – Bank Supervisor Cooperation ……...5 Responsibilities of the Bank’s Board of Directors and Management..... 6 The Role of the Bank’s External Auditor................................................ 8 Appointment ………………………………………..……………... 9 Disqualification ……………………………………………………...10 Reporting …………………………………………………………….10 Misstatements Arising From Fraud and Error…………….……...11 External Auditors’ Report………………….………………….........12 Meetings between the Reserve Bank & External Auditors....…..14 Independence………………………………………………………….......16 Other Expectations…………………………………………………………18 The Role of the Banking Supervisor ....................................................18 On Going Dialogue with the Accountancy Profession ……..................19 2

1. PREFACE 1.1. In line with the Governor’s mid-term Monetary Policy Statement, this framework provides information and guidance on how the relationship between the Reserve Bank of Zimbabwe and banking institutions’ external auditors can be strengthened to mutual advantage. The primary objective of this framework therefore, is to facilitate mutually beneficial synergies that enable bank supervisors to leverage off external audit work in the control environment of a bank, its risk management infrastructure and risk assessment, in line with the principles of risk based supervision. 1.2. This framework is also intended to provide a better understanding of the nature of the roles of external auditors and bank supervisors. The framework accordingly: 1.2.1.reviews the relationship between the bank supervisors and banks’ external auditors; and 1.2.2.describes ways in which external auditors can add value to the supervisory process. 1.3. The respective roles and responsibilities of the supervisor and external auditors are broadly defined in the Banking Act [Chapter 24:20]. It is hoped that the criteria for the appointment of external auditors will assist audit firms that aspire to be engaged as auditors of banking institutions. By embracing the provisions of this framework, audit firms will have a fair and equal chance of being approved by the Registrar of Banking Institutions. 1.4. Wherever the term “bank(s)” or “banking institution(s)” is used in the framework, it shall also be read to include non-bank financial 3

institutions that are licensed and supervised by the Reserve Bank of Zimbabwe including Bank Holding Companies. 4

2. Introduction 2.1. Banking institutions play a vital role in economic development and, accordingly, the continued strength and stability of the banking system is a matter of general public concern. 2.2. The growing complexity of banking makes it necessary that there be greater mutual understanding between the bank supervisors and external auditors in their respective roles and responsibilities in the risk management process at banking institutions. 2.3. Bank supervisors make use of the results of the auditors’ work, and may also engage external auditors to undertake additional tasks when these tasks contribute to the performance of the central bank’s supervisory role. At the same time, external auditors, in carrying out their function, make use of information provided by bank supervisors to enhance the discharge of their responsibilities in a more diligent and effective manner.
3. Rationale for External Auditor – Bank Supervisor Cooperation 3.1. The increasing complexity in the nature and operations of banking institutions, coupled with major advances in information technology, globalisation and conglomeration, among others, has presented challenges to bank supervisors and external auditors. 3.2. External auditors conduct audits in accordance with applicable ethical and auditing standards, including those calling for independence, objectivity, professional competence, due care, and adequate planning and supervision. Therefore, the auditors’ opinion, lends transparency and credibility to financial statements, thus promoting confidence in the banking system. 5

3.3. External auditors provide important information on the effectiveness of bank internal control systems and governance arrangements. They also reinforce market discipline by enforcing accounting and disclosure standards, hence facilitating informed decision making by the public and other stakeholders. 3.4. Formal cooperation between bank supervisors and external auditors also goes a long way in enhancing the risk-focused approach to bank supervision. This approach is aimed at assuring a comprehensive qualitative and quantitative assessment of a banking institution’s risk profile, having due regard to the size, nature and complexity of the banking institution’s operations. To this end, bank supervisors can leverage off audit work, thereby making the risk assessment process of banks by the supervisors more insightful. This serves to avoid duplication of effort and regulatory burden on banking institutions. 4. Responsibilities of a Bank’s Board of Directors and Management1 4.1. The primary responsibility of maintaining the soundness of individual banks is vested in the board of directors. This responsibility includes, among other things, ensuring that: 1.4.1.1. those entrusted with managing banking institutions have sufficient expertise, integrity and experience; 1.4.1.2. adequate policies, practices and procedures related to the different activities of the bank are established and complied with;

1 This section should be read in conjunction with Corporate Governance Guideline No. 01-2004 BSD 6

1.4.1.3. adequate internal controls and organisational structures are in place; 1.4.1.4. appropriate management information systems are established; 1.4.1.5. the interests of shareholders, depositors and other stakeholders are adequately protected; 1.4.1.6. the bank has appropriate risk management policies and procedures which are adhered to; and 1.4.1.7. statutory and regulatory requirements, including directives regarding among others solvency and liquidity, are observed. 4.2. Management is also responsible for the preparation of financial statements in accordance with the appropriate financial reporting framework and for establishing accounting procedures that provide for the maintenance of documentation that is sufficient to support the financial statements. 4.3. The board is responsible for the appointment of Audit Committees which in turn ensure the existence and maintenance of an adequate system of internal controls. Further, such committees reinforce both the internal control system and internal audit function. In order to enhance the effectiveness of Audit Committees, internal and external auditors should attend meetings of the Audit Committee. 4.4. The responsibilities of the board of directors and management are in no way diminished by the existence of the supervisory role of the Reserve Bank or by a requirement for the bank’s financial statements to be audited by an external auditor. 7

5. The Role of Banks’ External Auditors 5.1. The key responsibilities of banks’ external auditors include: 5.1.1. the expression of an objective opinion on whether the bank’s financial statements are prepared, in all material respects, in accordance with International Financial Reporting Standards and that they are a true and fair reflection of the bank’s financial position; 5.1.2. making recommendations to directors, officers, and the Audit Committee of a bank, on governance, risk management issues, and the appropriateness and adequacy of internal controls; and 5.1.3. the provision of reasonable assurance on the integrity of an institution’s published financial reports, principally for the benefit of stakeholders of the banking institutions. 5.2. In exercising their duty of care, public interest and protection of investors, external auditors should evaluate the following: 5.2.1. the comprehensiveness of accounting policies; 5.2.2. whether the extent of disclosure is adequate to enable full understanding of the financial position and risks facing banking institutions; 5.2.3. the various factors affecting the ability of the banking institution to continue as a going concern; 5.2.4. judgmental items and values included in the financial statements, the possible ranges in estimates and their impact; 5.2.5. the financial institution’s processes for identifying and managing risks facing various elements of the business; 8

5.2.6. off balance sheet structures and transactions and the gross amounts involved; and 5.2.7. disclosure concerning directors and related parties. 5.3. External auditors are expected to perform their duties with due care and skill commensurate with the complexity of the engagement. 5.4. External auditors shall not be exonerated by disclaimer clauses in the statements they endorse if they contain material errors and gross misrepresentation. 6. Appointment of External Auditors 6.1. The Banking Act [Chapter 24.20] empowers the Reserve Bank of Zimbabwe to approve the appointment of an external auditor. In making a determination to approve the appointment of an external auditor, the Reserve Bank of Zimbabwe will consider whether: 6.1.1. the auditor is registered as a public auditor in terms of the Public Accountants and Auditors Act, [Chapter 27:12]; 6.1.2. the auditor has been selected for appointment by the Audit Committee of the banking institution; 6.1.3. the auditor is independent, in fact and appearance, of the bank audited, that is, the auditor is objective and impartial; 6.1.4. the auditor complies with any other applicable ethical requirements; and 6.1.5. the auditor is able to demonstrate a competent quality assurance process which ensures that internal and any 9

externally imposed standards have been complied with. 7. Disqualification of External Auditors 7.1. The Reserve Bank of Zimbabwe will disqualify appointment of external auditors where: 7.1.1. the auditing firm, partner(s) and employees directly involved with the auditee bank have a borrowing relationship with the same; 7.1.2. an employee or partner of the auditor is a director of the banking institution or of any body corporate which controls or is controlled by the banking institution; 7.1.3. an employee or partner of the auditor is an officer or employee of the banking institution or of any associate of the banking institution; and 7.1.4. external auditors no longer comply with the objective criteria outlined in the Banking Act [Chapter 24:20].

8. Reporting 8.1. Matters Requiring Prompt Reporting 8.2. External auditors are required to report promptly to the Reserve Bank of Zimbabwe any of the following: 8.2.1. facts or decisions that constitute a material breach of laws or regulations; 8.2.2. information that indicates failure to fulfill any of the requirements for a banking licence; 10

8.2.3. any indications that may affect the bank’s ability to continue as a going concern; 8.2.4. matters of serious conflict within the decision-making bodies; 8.2.5. the intention of the auditor to resign or the removal of the auditor from office; 8.2.6. where after discussing the audit findings with a bank, they conclude that they will give a negative (‘adverse’) opinion as opposed to one qualified by exceptions; and 8.2.7. material adverse changes in current or potential risks of the bank’s business. 8.3. The basic responsibility for supplying complete and accurate information to the banking supervisor must remain with the bank’s management. 8.4. Misstatement arising from fraud and error 8.4.1. The external auditors should apply audit approaches, techniques and procedures designed to obtain reasonable assurance that material misstatements arising from fraud and error are detected. Therefore when the auditor determines that such material misstatements exist, the auditor is required to disclose this information to the Reserve Bank of Zimbabwe. 8.5. External Auditors’ Reports 8.5.1. When the auditor discovers misstatements material to the financial statements, including the use of an inappropriate accounting policy or asset valuation or a failure to disclose essential information, the auditor 11

must request management to adjust the financial statements to correct the misstatement. If management refuses to make the correction, the auditor should inform the Reserve Bank of Zimbabwe and must issue a qualified or an adverse opinion on the financial statements. 8.5.2. Furthermore, external auditors should issue a qualified opinion or a disclaimer of opinion if management has not provided the auditor with all the information or explanations that the auditor requires. 8.5.3. The reports by external auditors to the Reserve Bank of Zimbabwe shall include: a) an outline of the key audit findings (including appendices); b) a description of any significant trends; c) a discussion of the exceptions which, in the external auditors’ view, are most significant; d) background information on the business area of the report, including an organizational structure, and where appropriate the nature and approximate volume of transactions. e) a tailored description of the key risks as they apply to that business and are faced by the bank, and based on the bank’s particular business characteristics; f) a risk matrix indicating the risk profile of the banking institution; 12

g) a description of the key controls including an overall assessment of the control environment in each area of business examined; and h) an outline of the work undertaken in fulfilling the requirements of the scope of the report and any scope limitations. 8.5.4. Alongside the audit report, bank supervisors may require auditors to provide detailed information on specific matters such as: a) the audit approach in general (planning, the extent of the review coverage of subsidiaries/branches, materiality levels); b) the quality of internal controls (with or without an opinion) and the reliability and continuity of IT systems; c) certain accounting items such as unrealized gains and loses, contingent liabilities, and provisions; d) related party transactions; e) compliance with prudential requirements such as capital adequacy ratio, prudential lending limits or money laundering procedures; and f) the adequacy of the method used by the bank to prepare reports for bank supervisor and the accuracy of the information contained in the reports. 8.5.5. In normal circumstances and unless the Reserve Bank of Zimbabwe specifies a different reporting deadline, the Reserve Bank of Zimbabwe requires the external auditors’ report together with any written 13

comments from the bank’s management within three months of the end of the period examined. 8.5.6. The external auditors should give bank management sufficient time to comment on the audit report.

9. Meetings Between Reserve Bank and External Auditors 9.1. In view of the mutually beneficial relationship between external auditors and bank supervisors, there is an imperative need for a sound interface between the two parties. The co-operation between the Reserve Bank of Zimbabwe and external auditors will take various forms: 9.1.1. periodic meetings between the supervisor and external auditors; and 9.1.2. exchange of specific information. 9.2. In addition, formal and structured meetings are critical in order to enhance understanding of banking institutions’ corporate governance arrangements and system of internal control which is of mutual interest to both parties. 9.3. Tripartite Meetings 9.3.1. The Reserve Bank of Zimbabwe will hold tripartite meetings with external auditors and banking institutions at least semi annually. 9.3.2. During these meetings, each party provides information about areas of mutual interest and deliberations will be focused on the following; a) the financial condition of the bank; 14

b) the results of work by both Reserve Bank of Zimbabwe and external auditors; c) responsibilities for corrective work; and d) implementation of internal and external auditors’ recommendations. 9.4. Bilateral Meetings 9.4.1. The Reserve Bank of Zimbabwe and external auditors will from time to time convene meetings to discuss issues of mutual interest. Furthermore, pre-exam and post-exam meetings will be held as part of the risk focused examination approach. The purpose of these meetings is to discuss the key challenges facing the banking institution, progress made in implementing internal and external audit concerns as well as discussing any regulatory concerns. 9.4.2. Meetings between the external auditor and the bank supervisor may be attended by representatives of the bank. 9.4.3. Confidentiality of information obtained by the external auditor through professional relationships with other audit clients will be protected. 9.4.4. To the extent possible, communication should be made in writing, so that they form part of the bank’s records to which the other party should have access. 9.4.5. The normal relationship between the external auditor and the audited bank will be safeguarded. The bank will be advised of the information flows between the 15

bank supervisor and the auditor. In general, information requests will be made through the bank. 10. Independence of External Auditors 10.1. The auditors’ professional ethics and code of conduct prescribe minimum conditions such as integrity, objectivity, independence, confidentiality, avoidance of conflict of interest, and the need to carry out work with due care, skill and diligence. 10.2. The external auditors’ objectivity and independence is undermined when auditors provide non-audit services/ consulting services to banking institutions and bank holding companies that they audit. In this regard, external auditors should not provide other services whose nature and quality will impair objectivity. 10.3. Furthermore, objectivity and independence becomes blurred if external auditors borrow from institutions that they audit. 10.4. In all cases external auditors should ensure that they are not involved in the management or decision making of the banking institution. 10.5. The external audit firm should diversify their clientele base in order to avoid over reliance on fees from one banking institution or group of connected institutions. 10.6. The annual audit fees derived from an audit performed on a banking institution or group of connected institutions shall not exceed 10% of the total gross fees of the firm as a whole or as shall be determined from time to time by the Reserve Bank of Zimbabwe in consultation with relevant stakeholders. 16

10.7. Except with the approval of the Reserve Bank of Zimbabwe, a banking institution shall not appoint the same person or partnership as its auditor in Zimbabwe for a continuous period of more than five years in any eight year period. 11. Other Expectations 11.1. The Reserve Bank of Zimbabwe may, on a need basis, engage external auditors to carry out specific assignments to assist bank supervisors in discharging their supervisory functions, for example special investigations, curatorships and liquidations. 11.2. The Reserve Bank of Zimbabwe may also request external auditors to validate supervisory information submitted through prudential returns (e.g. solo and consolidated supervision returns on the condition and performance of banking institutions). The requests will be made in terms of the Banking Act [Chapter 24:20] or under a separate contractual agreement. The agreements will take into account any conflict of interest. 11.3. External auditors will be required to form an opinion as to whether the information contained in the returns is completely and accurately extracted from the accounting and other records and prepared in accordance with Reserve Bank of Zimbabwe’s reporting instructions. 11.4. In addition, the Reserve Bank of Zimbabwe may periodically require external auditors to form an opinion on the adequacy of the systems of control with regard to accuracy of information contained in the bank’s records and, its transfer to the returns. 17

11.5. The respective roles and responsibilities of the supervisor and the auditors in the above circumstances will be clearly defined by the Reserve Bank of Zimbabwe. 11.6. The Reserve Bank of Zimbabwe shall be specific on the standards against which the bank’s performance will be measured. Similarly, wherever possible, some understanding must be reached regarding the concept of materiality. 11.7. If the external auditor resigns from the audit or is disengaged by the bank, this fact, and the reasons for the resignation, should be communicated to the Reserve Bank of Zimbabwe by the auditor. 12. The Role of the Bank Supervisor 12.1. The key objective of prudential supervision is to ensure the safety and soundness of the financial system and hence, protection of depositors’ funds. To this end, detailed requirements are prescribed to ensure that banking institutions operate within prudent parameters. Supervisors also ensure the adequacy of internal control systems, accuracy and completeness of the accounting records, and the timely preparation of reliable financial information. 12.2. In addition to the above, the Reserve Bank of Zimbabwe: 12.2.1. provides reporting instructions to banks that clearly establish accounting standards to be used in preparing supervisory reports. Such standards are based on International Financial Report Standards. 12.2.2. requires banks to utilise valuation rules that are consistent, realistic and prudent, taking account of 18

current values where relevant, and that profits are net of appropriate provisions; 12.2.3. where appropriate, establishes the scope and standards to be achieved in external audits of individual banks; 12.2.4. requires banks to produce annual audited financial statements based on International Financial Reporting Standards. 12.2.5. requires prior approval for publication of half-year and year-end accounts. This serves as a sound basis for market discipline. 13. Ongoing Dialogue with the Accountancy Profession 13.1. In order to maximise synergies between the Reserve Bank of Zimbabwe and banks’ external auditors, discussions on current areas of supervisory concern will take place between the Bank and the accounting profession on a continuing basis. This will be achieved through periodic discussions at the national level on areas of mutual concern, for example accounting policies and auditing standards in general and specific audit procedures in particular. 13.2. Continuing dialogue between supervisory agencies and the profession will significantly contribute towards the harmonisation of accounting standards and improvement in the general standard of audits. 19

13.3. Discussions between bank supervisors and professional accountancy bodies will also include major auditing issues and topical accounting areas, such as the appropriate accounting techniques for newly developed instruments, and other aspects of financial innovation. These discussions will assist in banks’ adoption of the most appropriate accounting policies. 14. Effective Date This framework is effective from 31 October 2004. Queries relating to this framework should be directed to the Division Chief, Bank Licensing, Supervision & Surveillance on 703000 ext 11133. N. Mataruka Division Chief Bank Licensing, Supervision & Surveillance. 20