2004-10-01
The Reserve Bank of Zimbabwe mandates minimum internal audit standards for all licensed banking and non-bank financial institutions to strengthen corporate governance and risk management. The guideline requires institutions to establish independent, well-resourced internal audit functions with clear reporting lines to the board and audit committee, supported by qualified staff, formal charters, and risk-based audit plans. It further dictates comprehensive audit scopes covering internal controls, regulatory compliance, fraud detection, and management performance to ensure uniform practice and operational stability.
RESERVE BANK OF ZIMBABWE BANK LICENSING, SUPERVISION & SURVEILLANCE Guideline No. 02 -2004/BSD MINIMUM INTERNAL AUDIT STANDARDS IN BANKING INSTITUTIONS
1. PRELIMINARY
1.1. Short Title – Minimum Internal Audit Standards in Banking Institutions.
1.2. Authorization – This Guideline is issued under the authority of section 45 of the Banking Act [Chapter 24:20].
1.3. Definitions – Terms used within this Guideline are as defined in the Banking Act [Chapter 24:20].
1.4. Application – This Guideline applies to all banking and non-bank financial institutions that are licensed and supervised by the Reserve Bank of Zimbabwe, including bank holding companies. The Guideline should be read in conjunction with Guideline No. 01-2004/BSD on Corporate Governance.
2. INTRODUCTION
2.1. The internal audit function is an integral component of sound corporate governance and risk management practices in banks. It is part of the ongoing monitoring of controls and provides an independent assessment of the adequacy of, and compliance with, the bank's established policies and procedures. As such, the internal audit function assists the board and management of the organization in the effective discharge of their responsibilities.
2.2. Increased competition, pressure to operate profitably or to improve performance, the introduction of new financial products and changes in information technology have heightened operational risk. This is manifested in the numerous frauds reported to the Reserve Bank of Zimbabwe (RBZ). RBZ examinations continue to reveal weaknesses in the records, systems and controls of financial institutions. It is therefore incumbent upon management to strengthen these records, systems and controls and to play a more proactive and meaningful role in achieving sound and stable growth in financial institutions.
2.3. In carrying out the internal audit function, the internal auditor must take cognisance of the following characteristics that generally distinguish banks from other commercial enterprises, and which the auditor must take into account in assessing the level of inherent risk:
2.3.1. Banks have custody of large amounts of monetary items, including cash and negotiable instruments, whose physical security has to be safeguarded during transfer and while in storage. They also have custody and control of negotiable instruments and other assets that are readily transferable in electronic form. The liquidity of these items makes banks vulnerable to misappropriation and fraud. Banks therefore need to establish formal operating procedures, well-defined limits for individual discretion and rigorous systems of internal control.
2.3.2. They have assets that can rapidly change in value and whose value is often difficult to determine. Consequently, a relatively small decrease in asset values may have a significant effect on capital and solvency.
2.3.3. They generally derive a significant amount of their funding from short-term deposits. Loss of confidence by depositors in a bank's solvency can quickly result in a liquidity crisis.
2.3.4. They have fiduciary duties in respect of the assets they hold that belong to other persons. This may give rise to liability for breach of trust. Banks therefore need to establish operating procedures and internal controls designed to ensure that they deal with such assets only in accordance with the terms on which the assets were transferred to the bank.
2.3.5. They engage in large volumes and a variety of transactions whose value may be significant. This necessarily requires complex accounting and internal control systems and widespread use of information technology (IT).
2.3.6. Transactions can often be directly initiated and completed by the customer without any intervention by the bank's employees, for example over the Internet or through automated teller machines.
2.3.7. They often assume significant commitments without any initial transfer of funds other than, in some cases, the payment of fees. These commitments may involve only memorandum accounting entries. Consequently, their existence may be difficult to detect.
2.3.8. They are regulated by governmental authorities whose regulatory requirements influence the accounting principles that banks follow. Non-compliance with regulatory requirements, for example capital adequacy requirements, could have implications for the bank's financial statements or the disclosures therein.
2.3.9. They deal in complex financial instruments, some of which may need to be recorded at fair value in the financial statements. There is therefore a need to establish appropriate valuation and risk management procedures. The effectiveness of these procedures depends on the appropriateness of the methodologies and mathematical models selected, access to reliable current and historical market information, and the maintenance of data integrity.
2.4. It is against this background of the centrality of the internal audit function in the risk management process of banking institutions that the Reserve Bank is issuing these Guidelines on Minimum Audit Standards for Internal Auditors of Banking Institutions.
3. PURPOSE
The Guidelines are issued to meet the following objectives:-
3.1. To improve the quality and effectiveness of the internal audit function;
3.2. To outline the role, duties and responsibilities of internal auditors towards the board of directors (board), all levels of management and the external auditors; and
3.3. To provide uniform practice in internal auditing which would serve as a benchmark for guidance and for measurement of the effectiveness of the internal audit function.
4. LIMITATIONS
4.1. These Guidelines serve as a general guide for the internal auditors of financial institutions. They are not intended to provide a comprehensive discussion of all possible matters or situations of audit significance that internal auditors may encounter in the course of auditing.
4.2. The Guidelines are also not meant to be exhaustive, nor are they intended to provide the detailed audit steps required to audit every operational area of a financial institution. Internal auditors should be guided by the authoritative pronouncements issued by the relevant professional accounting and auditing bodies.
5. ORGANISATION OF THE INTERNAL AUDIT FUNCTION
5.1. Overview
5.1.1. Internal auditors play an important functional role in helping to establish and maintain the best possible internal control environment at their financial institutions. An effective internal audit function is crucial to the soundness of the financial system as a whole. Careful consideration has to be given to the organization of the internal audit function within the financial institution to ensure its effectiveness.
5.1.2. Financial conglomerates, by virtue of their nature and size of operations, may find the establishment of a separate internal audit department in each entity too onerous. For reasons of synergy and economies of scale, these entities may use the services of the group internal auditors.
5.2. Audit Committee
5.2.1. An Audit Committee shall comprise non-executive directors appointed by the board of the financial institution. The chairman of the Audit Committee shall be an independent non-executive director and shall not be the chairman of the board.
5.2.2. The role of the Audit Committee in the context of this Guideline is to provide an avenue for the internal audit department to communicate its findings effectively, and should be in line with the provisions of the Banking Act [Chapter 24:20].
5.3. Independence
5.3.1. The independence of internal auditors is an important prerequisite for the proper conduct of audits, so that they can render impartial and unbiased judgments.
5.3.2. The organizational and reporting structure of the internal audit function shall ensure that the function is independent of the activities audited and also independent of the everyday internal control process. This means that internal audit is given an appropriate standing within the bank and carries out its assignments with objectivity and impartiality.
5.3.3. The internal audit department should be able to carry out its assignments on its own initiative in all departments, establishments and functions of the bank. It must be free to report its findings and appraisals and to disclose them internally.
5.3.4. The principle of independence entails that the head of the internal audit department has the authority to communicate directly, on his/her own initiative, with the board, the chairman of the board of directors, the board audit committee or the external auditors where appropriate, according to the provisions of the audit charter.
5.3.5. INTERNAL AUDIT REPORTING STRUCTURE
The reporting lines of the internal audit function must in all cases be clearly defined as follows: the Internal Audit Function reports functionally to the Audit Committee and administratively to the Chief Executive Officer.
5.3.6. The status of the internal audit department within a bank's overall organizational structure should be sufficient and distinct to permit the internal auditors to accomplish their audit objectives. Internal auditors should have the support of management in order to gain the cooperation of auditees and to perform their work free from interference. The position of the head of internal audit should be equivalent in status to that of other key functional heads, to enable him to deal effectively with his peers and superiors when discharging his duties and responsibilities. The appointment, remuneration, performance appraisal, transfer and dismissal of the head of internal audit should be decided by the Audit Committee.
5.3.7. Internal auditors shall have unrestricted access to the institution's records, assets, personnel and premises as necessary for the proper conduct of the audit. Any restriction should be promptly communicated in writing to the Audit Committee for the latter to resolve with management.
5.4. Objectivity
5.4.1. Objectivity is an independent mental attitude which enables internal auditors to exercise judgment, express opinions and present recommendations with impartiality.
5.4.2. Internal auditors should at the least observe the following principles:-
a. Avoid any conflict of interest arising from their professional or personal relationships with an organization or activity which is subject to audit;
b. Have no authority or responsibility over any unit or activity that is being audited;
c. Not be assigned to audit operational areas in which they were previously involved as non-audit staff until an independent audit has been conducted during the intervening period; and
d. Act only in an advisory capacity when recommending controls for new systems or reviewing procedures prior to their implementation.
5.4.3. The internal audit function must itself be subject to review by an independent party. This review may be carried out by the external auditor or by the Audit Committee.
6. PROFESSIONAL PROFICIENCY
6.1. The effectiveness of the internal audit function depends substantially on the quality, training and experience of the audit staff. Professional competence is assessed taking into account the nature of the role and the auditors' capacity to collect information and to examine, evaluate and communicate.
6.2. In this respect, cognisance is taken of the ability of the auditor to understand the growing technical complexity of a bank's activities and the increasing diversity of tasks that the internal audit department needs to undertake as a result of developments in the financial sector.
6.3. The internal audit staff should be suitably qualified and be provided with the necessary training and continuing professional education for the purpose of enhancing their audit and relevant technical skills.
6.4. Resources
6.4.1. The head of internal audit, in consultation with the CEO, shall decide on the resources required for the internal audit department, taking into consideration the size and complexity of the financial institution's operations. The level of resources required should be justified and endorsed by the Audit Committee.
6.4.2. The head of internal audit must establish suitable criteria for the recruitment of internal audit staff. The effectiveness of the internal audit function may be enhanced by the use of specialist staff or consultants, particularly in highly technical areas, e.g. IT and new complex synthetic products.
6.5. Qualification, Knowledge, Experience and Skills
6.5.1. The academic background and expertise required of the head of internal audit vary depending on the size and complexity of the financial institution's operations. Commensurate with his position in the organizational hierarchy, the head of internal audit should possess relevant academic/professional qualifications and sufficient audit experience. The head of internal audit should also have in-depth knowledge of the business and organizational, technical, communication and other relevant skills.
6.5.2. Internal auditors should be proficient in applying approved auditing guidelines and accounting standards, legal and regulatory requirements, directives and guidelines issued by RBZ and other authorities, and other rules and regulations issued by the relevant associations of the banking industry.
6.6. Supervision
6.6.1. Supervision is a continuing process from planning to the conclusion of the audit assignment. The head of internal audit is responsible for the audits performed by his subordinates and should ensure that the audit objectives stated in the approved audit programme have been achieved.
6.6.2. The head of internal audit should set milestones for each audit assignment (i.e. from the commencement of the assignment to the issuance of the audit report) after considering its nature and complexity.
6.7. Professional Ethics
6.7.1. Internal auditors should at all times exercise due professional care when discharging their duties and responsibilities. They should carry out their work independently, objectively, professionally and with utmost good faith. Internal auditors should hold themselves to the highest ethical standards and avoid any conflict of interest.
6.7.2. Internal auditors are required to maintain strict confidentiality with regard to all information obtained in the course of their work and must not use any privileged information for personal gain. They should comply with RBZ guidelines, relevant laws and regulations and the requirements of the relevant professional bodies.
6.8. Training
6.8.1. The Audit Committee has a responsibility to ensure that the internal audit staff receive the training necessary to perform the audit work. There should be a programme of continuing education and training to enable internal auditors to keep abreast of business trends and developments as well as to upgrade and enhance their technical skills.
6.8.2. The head of internal audit should ensure that on-the-job training is provided to new recruits under the supervision of competent and experienced internal auditors. Training should be a planned and continuous process for all levels of internal audit staff. The head of internal audit, in consultation with the Audit Committee and the CEO, should determine the budget requirements for the training needs of the internal audit department.
7. RELATIONSHIP AND COMMUNICATION
7.1. Internal auditors should have a constructive working relationship and be in regular communication with management, the external auditors and the RBZ. Regular meetings should be held with the external auditors on areas of common concern, such as audit planning, audit priorities and scope, to avoid duplication of effort.
7.2. The head of internal audit should monitor all corrective actions taken by management with regard to RBZ examination findings and report to RBZ any instances where corrective actions have not been taken.
8.2.3. The Charter shall also state the terms and conditions under which the internal auditor may provide consulting and other advisory services.
8.2.4. The audit charter must be approved by the Audit Committee and endorsed by the board so that the internal audit function may be effectively discharged.
8.3. Audit Plan
8.3.1. The head of internal audit should develop an audit plan as a means of directing and controlling the audit work. The strategic audit plan may cover a period of one to five years depending on the size and complexity of operations.
8.3.2. The plan shall set out the audit objectives, auditable areas, scope of coverage, frequency of audit, resources required and duration of each audit assignment. The head of internal audit should assess the risks of the auditable areas before determining the audit frequency and scope of coverage.
8.3.3. The head of internal audit shall establish the principles of the risk assessment methodology in writing and regularly update them to reflect changes to the system of internal control or work processes, and to incorporate new lines of business. As a general guide, every auditable area should be audited at least once a year.
8.3.4. The head of internal audit, however, has the discretion to determine the audit cycle for auditable areas deemed not critical if the financial institution has an effective risk assessment system in place.
8.3.5. The head of internal audit should also include management audit in the audit plan. The audit plan must be endorsed by the Audit Committee, approved by the board, and should be flexible enough to respond to changing priorities or needs.
8.4. Manual
8.4.1. The audit manual provides audit department personnel with a set of audit standards for guidance and reference. It also serves as a valuable training aid for new recruits. The audit manual should contain written audit policies, objectives, standard procedures and programmes.
8.4.2. The head of internal audit should ensure that the audit manual is comprehensive enough to cover at least the major operations of the financial institution and is reviewed periodically to reflect corporate, regulatory and industry trends.
8.5. Audit Programme and Internal Control Questionnaires
8.5.1. The audit programme shall set out detailed step-by-step audit procedures for each auditable area and should be supplemented by an internal control questionnaire. Both the audit programme and the internal control questionnaire should be comprehensive and kept up to date with current developments relevant to the industry.
8.5.2. A well-designed audit programme and internal control questionnaire provide a systematic audit approach. In addition, the internal auditors' sound judgment and analytical skills are essential to ensuring a high quality audit.
9. DUTIES AND RESPONSIBILITIES
9.1. The core function of an internal audit department is to perform an independent appraisal of the financial institution's activities as a service to management. The internal audit function plays an important role in helping management to establish and maintain the best possible internal control environment within the financial institution.
9.2. A sound internal control environment would ensure:
9.2.1. Adequacy and effectiveness of the internal control system;
9.2.2. Compliance with policies, procedures, rules, guidelines, directives, laws and regulations;
9.2.3. Detection of frauds, errors, omissions and any other irregularities;
9.2.4. Management audit;
9.2.5. Information systems audit; and
9.2.6. A participative and consultative role in the development of new products and systems.
10. SCOPE OF AUDIT WORK
10.1. The audit scope should entail the examination and evaluation of all functions and activities of the financial institution, including control features, operational systems and procedures, as well as an assessment of the quality of management's performance in discharging their duties and responsibilities.
10.2. The scope of audit work described under this part should not be construed as exhaustive; it serves to set the minimum scope to be covered in an audit assignment. The head of internal audit should ensure that sufficient coverage and depth are given to each audit assignment based on the assigned risk factors. The head of internal audit, after having considered the level of risk for each auditable area, should decide whether to expand or limit the audit scope. Such decisions should be properly documented.
10.3. The internal auditors should also decide on the appropriate level of audit sampling in order to achieve their audit objectives. They should be guided by the International Auditing Guideline on Audit Sampling.
10.4. The audit scope should cover:
10.4.1. Evaluation and Appraisal of the Internal Control System: The audit scope should cover the effectiveness of the system of internal control, the reliability and integrity of management information systems (MIS), the prevention or timely detection of frauds, errors, omissions and other irregularities, and the means for safeguarding assets.
10.4.2. Compliance with Policies, Procedures, Rules, Guidelines, Directives, Laws and Regulations: All financial institutions should ensure strict compliance with all applicable laws and regulations, guidelines, directives, reporting requirements and internal policies and operating procedures. The audit scope should cover the financial institution's compliance with:-
a. The Banking Act, Banking Regulations and other applicable statutes and regulations;
b. Guidelines, directives and circulars issued by RBZ and pronouncements or rules issued by the relevant associations; and
c. Internally approved policies and operational procedures, as well as the soundness and effectiveness of the compliance function.
10.4.3. Adequacy and Effectiveness of the Risk Management System: In view of increasing competition, the complexity of operations and financial innovation, management should develop a formalized system to ensure that risk exposures are identified and adequately measured, monitored and controlled. The risk management system should be commensurate with the scope, size and complexity of the financial institution's activities and the level of risk the institution is prepared to assume. In assessing the overall risk management system, the auditor should review the following to ensure that:-
a. Effective supervision is practised by the board and its delegated authorities;
b. Procedures that identify and quantify the level of risk on a timely basis are in place;
c. Limits or other controls are in place to manage the risk;
d. Reports to management accurately present the nature and level of risk taken and any non-compliance with approved policies and limits;
e. Responsibilities for managing individual risks are clearly identified;
f. Procedures relating to the calculation and allocation of capital to risks are in place; and
g. A risk matrix adequately capturing the institution's risk profile is prepared and updated as necessary.
10.4.4. Effective and Efficient Use of Resources: Internal auditors should play a proactive role in determining whether the financial institution makes optimum use of its resources in accomplishing the organisation's overall objectives and goals.
10.4.5. Accomplishment of Set Goals and Objectives: In evaluating the accomplishment of set goals and objectives, the internal auditors' scope should cover the entire operations or a sub-section thereof to determine whether:-
a. Objectives and goals are clearly set and measurable;
b. Objectives and goals have been articulated and communicated to all staff and are being met;
c. Adequate controls are established for measuring and reporting the accomplishment of objectives and goals;
d. An effective control mechanism is implemented to monitor actual performance against budget, and any significant variances are analyzed, investigated and promptly reported to management and the board;
e. Management has considered the strengths, weaknesses, opportunities and threats of the respective operation or programme;
f. The achievement of set objectives and goals is in compliance with policies, plans, procedures, laws and regulations; and
g. The underlying assumptions used by management in developing business plans and strategies are appropriate and reasonable.
11. REPORTING AND DOCUMENTATION
11.1. Internal audit reports provide a formal means of communicating audit results and recommended actions to management and the Audit Committee. Audit reports provide an avenue for the Audit Committee to highlight significant weaknesses and management's proposed remedial measures to the board. Management's responsiveness to the internal auditors' recommendations for reducing risks, strengthening internal controls and correcting errors should be the desired result of the audit reports.
11.2. It is of primary importance that, should the internal auditors uncover in the course of the audit major issues or frauds that would significantly affect the financial institution's financial position or operations, they immediately inform management to ensure that prompt corrective action is taken.
11.3. Audit Report
11.3.1. A signed report should be issued after the completion of each audit assignment, irrespective of the significance of the issues raised. The internal auditors should discuss the audit results and the recommendations thereon with the auditee before the final audit report is issued. The discussion should be held with those individuals who are knowledgeable about the detailed operations and those who can authorize the implementation of corrective actions.
11.3.2. Management comments shall be incorporated in the final audit report. The head of internal audit should review and approve the final audit report before it is presented to the Audit Committee.
11.3.3. A copy of the final audit report should be forwarded to the Audit Committee, the auditee and the CEO, and the bank should forward such reports to the RBZ on a timely basis.
11.3.4. Where the completion of an audit is likely to take a longer period, an interim audit report may be issued to communicate any significant issues which require management's immediate attention. The Audit Committee and the CEO should be kept informed of the issues as well as of the progress of the audit. Discretion as to whether an interim audit report is warranted rests with the head of internal audit.
11.3.5. The head of internal audit shall ensure that an audit report is of sufficient quality to command management's attention. In order to communicate the audit results effectively, the following standards should be adopted:-
a. The audit report shall be objective, clear, concise, constructive and timely; and
b. The structure of the audit report shall include the following:-
• An executive summary;
• Date of report and period covered by the audit;
• The scope and objectives of the audit;
• The significance and magnitude of the problems or issues;
• The causes of the problems or issues;
• Recommended solutions or preventive actions;
• Auditee's comments on the issues and recommendations, and remedial measures taken or proposed to be taken to address the audit issues;
• Management's achievements noted during the audit; and
• Overall conclusion.
11.4. Action and Follow-Up on Audit Recommendations
11.4.1. Management shall treat all audit findings and recommendations seriously. Management's response to the audit findings should be included in the report. The internal auditors should monitor whether appropriate actions have been taken.
11.4.2. Management's plan of corrective actions and the implementation timetable for their completion should be developed and jointly agreed upon by management and the auditee. The status of the corrective actions should be monitored and reported to the Audit Committee and the CEO so that follow-up action can be taken to inform the appropriate levels of management of outstanding audit issues.
11.5. Reporting of Significant Findings and Frauds
11.5.1. The internal auditors shall immediately report to the Audit Committee and the CEO any significant audit findings uncovered in the course of an audit. RBZ should also be promptly informed of such findings. Significant financial findings are those that would have an adverse impact on the financial performance and condition of the financial institution. Significant non-financial findings are fundamental weaknesses that could lead to the collapse of the financial institution's system of internal control.
11.5.2. The interim audit report shall incorporate preliminary summary findings, the impact or potential impact on the financial position and operations of the financial institution, and the proposed actions to be carried out by the internal auditors to investigate the matters.
11.6. Control and Filing of Audit Reports and Working Papers
11.6.1. Internal audit reports and working papers should be treated confidentially. Internal audit reports should only be disclosed to those persons authorized by the Audit Committee. As the internal audit working papers provide evidence of audit coverage and documentation of audit trails, they should be properly filed and stored.
11.6.2. To ensure systematic filing and control of audit reports and working papers, the following minimum procedures should be observed:-
a. The format of the working papers should be standardized;
b. There should be adequate referencing to identify the audit records, files and working papers created; and
c. There should be a system for filing and retrieving past reports and working papers.
11.7. Retention of Audit Reports and Working Papers
11.7.1. As a minimum requirement, the working papers of a routine audit should be retained until the next audit of the same auditable area is carried out. Reports and working papers on investigation matters should be retained for at least seven years, or until the matter is closed.
11.7.2. All internal audit reports, however, should be retained for at least three years or until the next audit report on the same auditable area is completed.
12. AUDIT OF CRITICAL AREAS OF OPERATIONS
12.1. Internal auditors should focus their attention and direct their available resources to those operations or units which entail significant risks that may have an adverse impact on the operations and financial condition of the financial institution.
12.2. The critical operational areas identified are Credit Operations, Treasury Operations, Derivatives, Investment in Debt and Equity Securities, and Information Systems. This list of critical areas is not meant to be exhaustive, and internal auditors should also identify and review other operational areas deemed critical to the specific business undertaken by the financial institution.
12.3. In reviewing the critical areas of operations, it is vital that the audit coverage is comprehensive. Internal auditors should extend their scope if serious unsatisfactory features are uncovered in the course of the audit.
12.4. Important features to consider when auditing the different critical areas are highlighted below:
12.4.1. Credit Operations: When auditing credit operations, internal auditors shall place particular emphasis on the:
a. Credit strategy;
b. Risk inherent in the credit operations;
c. Policies and procedures;
d. Security and legal documentation;
e. Credit disbursement, administration, monitoring and effective recovery system;
f. Accounting and financial reporting;
g. Provisioning; and
h. Compliance with legal and regulatory requirements.
12.4.2. Treasury Operations: The control areas to be checked include:
a. Risk inherent in treasury operations;
b. Adequacy of and compliance with established policies and procedures;
c. Asset and liability management;
d. Accounting and financial reporting; and
e. Compliance with legal and regulatory requirements.
12.4.3. Derivatives: To carry out their audit effectively, internal auditors should be conversant and knowledgeable about derivative products and transactions, and must be guided by comprehensive audit manuals and programmes. Internal auditors should be conversant with:
a. Risk inherent in derivatives;
b. Policies and procedures;
c. Accounting and financial reporting; and
d. Legal and regulatory requirements.
12.4.4. Investment in Debt and Equity Securities
a. A financial institution's investment in debt and equity securities normally involves participation in two main financial markets, namely the capital market and the money and foreign exchange market. A typical investment portfolio usually consists of public debt securities, equity securities (quoted and unquoted), equity-linked securities and private debt securities. Equity securities and private debt securities may also be acquired in the primary market or as a result of an underwriting commitment. In banking institutions, equity securities are also acquired in satisfaction of debt and through debt-equity conversion.
b. Investment and trading securities may account for a sizeable proportion of the financial institution's assets, and hence securities of inferior quality may have an adverse impact on the financial institution's financial condition. The internal auditors should therefore be conversant with:
• Investment strategy;
• Risk inherent in investment;
• Policies and procedures;
• Accounting and financial reporting; and
• Legal and regulatory requirements.
12.4.5. Information Systems
a. The financial institution shall have an effective information systems audit function to evaluate the internal controls of its computerized systems.
b. The information systems auditors should review the effectiveness of information systems in supporting the business activities of the financial institution and the adequacy of controls over information systems management, systems development and programming, computer operations and security, teleprocessing and data integrity. In reviewing information systems, auditors should pay particular attention to issues such as:
• Computer operations procedures and physical controls;
• Computer security, e.g. password issuance and maintenance, and follow-up on access violations;
• System reliability and availability;
• Disaster recovery plan; and
• Alternative processing site.
Telephone 703 000 Ext. 11133.
N. Mataruka
Division Chief
Bank Licensing, Supervision & Surveillance