
Engagement Letter for External Auditors

In its efforts to prudently identify the most capable auditing entities for its various audits, the bank's board of directors must invite and request external auditors to submit engagement letters before commencing audit work. Such a letter is expected to reflect preliminary discussions between the bank's board and/or senior management and the external auditor(s).

The engagement letter(s) will stipulate, among other things, the audit's purpose, its scope, the period to be covered, and the reports the auditor will develop. Schedules or appendixes may accompany the letter to provide the board with more details of the proposed audit. The letter may briefly describe procedures to be used in specific areas. If the scope of the audit is limited in any way, the letter may specify procedures that the auditor will omit. Additionally, the letter would specify if the auditor were expected to render an opinion on the bank's financial statements and/or other bank functions, depending on the type of audit being conducted.

Types and Scope of Various Audits

1. Risk assessments and risk-based auditing. Risk assessment is defined as the means by which the board of directors identifies and evaluates the quantity of the bank's risks and the quality of its controls. An effective risk-based auditing program will cover all of the bank's activities. The frequency and depth of each area's audit will vary according to the area's risk assessment and how serious the impact of that risk is on the bank. All areas of bank activities are included in order to establish the frequency of the audit necessary to mitigate any risk in bank safety and soundness and its reputation.

2. External audit function. The primary role of the external auditor is to independently and objectively review, evaluate, and document its findings about bank activities in order to help the board of directors of the bank and its management maintain and/or improve the efficiency and effectiveness of the bank's risk management, internal controls, and corporate governance.

External auditors must understand the bank's strategic direction, objectives, products, services, operating philosophy, strategy, and processes. The auditors will communicate their findings to the board of directors and to senior management.

3. Objectives. The objectives of external audits are:

a. To provide reasonable testing, review, and analysis of the bank's operations to ensure the effectiveness of internal controls over financial reporting, the accuracy and timeliness in recording transactions, and the accuracy and completeness of financial and regulatory reports.

b. To perform an independent and objective review of the bank's activities, including processes relative to financial reporting and bank operations.

c. To determine whether the bank complies with laws and regulations and adheres to established bank policies and whether management is taking appropriate steps to address control deficiencies.

4. Types of audits. The type of audit commonly referred to as a directors' examination entails specified and/or agreed-upon procedural reviews of the adequacy of internal controls and accuracy of financial information. The independent audit parties can be public accountants, certified internal auditors, certified information systems auditors, bank management firms, bank consulting firms, and/or other parties knowledgeable in banking.

Please note that the frequency of the audits is determined in light of the risk-based audit discussed earlier.

Financial statement audit by a certified public accounting (CPA) firm. An independent audit of financial statements should be designed to ensure that the bank's financial reports are prepared in accordance with generally accepted accounting principles (GAAP) and that the independent financial statement audit is performed in accordance with generally accepted auditing standards (GAAS). The scope of the audit will be sufficient to enable the CPA to express an opinion on the bank's financial statements.

The following list represents areas for which the board of directors requires an annual audit.

a. Cash and due from banks

b. Credits (Loans)

c. Allowance for loan and lease losses (ALLL)

d. Premises and equipment

e. Other assets and liabilities

f. Deposits

g. Notes payable

h. Non-interest income

i. Expenses

j. Equity (holding company, if applicable)

k. Tax return

Operational, USA PATRIOT Act, Bank Secrecy Act (BSA), and Office of Foreign Assets Control (OFAC) audits. These types of audits include a review of policies, procedures, and operational controls to determine whether risk management, internal controls, and internal processes are adequate and efficient. Operational audits generally include procedures to test the integrity of accounts, regulatory reports, and other aspects of operations. These audits may also include a review of management and employee compliance with bank policies and procedures. The operational, BSA, and OFAC audits should be scheduled annually at specific times.

Compliance audit. This type of audit determines whether the bank is complying with bank procedures and with internal and external regulations. This audit should be scheduled at least annually (or as frequently as the risk analysis may call for), preferably in the first quarter of the year but no later than the second quarter of the year. It focuses on the bank's adherence to consumer compliance regulations to ensure that the bank has adequate systems and control procedures to avoid any violations.

Credit (loan) review audit. This type of audit is conducted to assess the quality of the bank's loan portfolio and provide an early alert of problem loans or negative portfolio patterns or trends, as well as the adequacy of and procedure used to calculate allowance for loan and lease losses (ALLL). The ALLL estimation process at the Bank of Whittier is conducted, as discussed earlier, by following a unique risk-based method and a proprietary computer program pioneered by the bank to include in the calculation all risk factors that may have an impact on the various credit facilities. The process will be detailed in Chapter 14.

Information systems, technology, and security audits. These types of audits assess the controls over the bank's electronic data processing and computer-related areas. These audits focus on management, development, support and delivery, data security, and physical security. Information system and technology audits also include a review of computer and client services systems, end-user reports, electronic funds transfers, and service provider activities. This type of audit should test the architecture of the system and should be completed annually in the first quarter of the year. It also helps review and critique security systems used by the bank.

5. Treasury, financial, operations, and loans management monthly certifications. The responsibilities of the operations and loans departments are to certify all general ledger accounts as provided by management to the application — DDAs (demand deposit checking accounts), savings, time deposits, and loans. For example, operations staff will be responsible for certifying all loan systems to the general ledger, and the loans department staff will certify all operations applications to the general ledger. The certifications will be completed according to the certification listing and provided to the CFO monthly before the tenth day of every month.

Audit Response by Management

Management will prepare a written response to the board of directors within 21 days from the date of the submission of the particular audit report and its findings. The management response will outline any deficiencies or concerns raised by the audit, list the corrective actions already taken, and identify specific recommendations, plans, and the expected time of completion for responding to such recommendations to fix the problems discovered by the audits.

The management response will be sent to the firm that completed the audit. In addition, the OCC (usually during the exam time) and other related regulatory bodies, if needed, will be notified by the bank's chairman of the board of directors as to the different audit findings, the corrective actions already taken, and the actions that will be taken, including expected time of completion.
