Chief of Internal Audit: Role¹ and Responsibility Assessment Tool²
Part of the IFC’s Advanced Methodology for Financial Institutions

| Area | No. | ACCEPTABLE | BETTER | DESIRABLE | BEST PRACTICE |
|---|---|---|---|---|---|
| I. Personal Qualification | 1 | Integrity – understands Duties of Loyalty and Care. | Same.³ | Same. | Same. |
| | 2 | Communication skills. | Same. | Same. | Same. |
| | 3 | Honest and ethical. | Same. | Same. | Same. |
| | 4 | Commitment to professional auditing standards. | Same. | Same. | Same. |
| II. General Knowledge and Professional Skills | 1 | Adequate audit training. Licensed auditor in jurisdictions requiring such licensing. | Same. | Same, and holds internationally accepted relevant certification, e.g., CPA, CFA, CIA, etc. | Same, and specifically related to financial institutions (e.g., banking examination). |
| | 2 | Is familiar with the BIS’s Framework for Internal Control in Banking Organizations. | Same. | Same. | Same. |
| | 3 | | | Ability to lead and manage auditing staff. | Same. |
| | 4 | | | Knowledge of relevant standards, accounting, financial and management reporting, and regulations in all jurisdictions in which the Bank operates. | Same. |
| III. Appointment | 1 | Appointed by CEO or CRO. | Same. | Same. | Same. |
| | 2 | | | Audit Committee of Board opines on appointment (and removal). | Audit Committee of Board has formal approval on appointment (and removal). |
| IV. Reporting Line and Accountability | 1 | Not responsible for other duties that could create conflicts of interest. | Same. | Same. | Same. |
| | 2 | Reports to CEO and has unfettered access to the Audit Committee of Board. | Reports directly to the Audit Committee of Board, with administrative oversight provided by an appropriate executive officer of the Bank. | Same. | Same. |
| V. Reporting | 1 | All audit reports circulated to senior management as well as line management responsible for the area audited. | Same. | Same. | Same. |
| | 2 | Significant findings circulated to Board Audit Committee. | Same. | Same. | Same. |
| | 3 | Submits periodic internal reports and summaries of audits to the management team as well as to the Chairman of the Board and the Chairman of the Audit Committee. | Same. | Same. | Same. |
| | 4 | | | Receives notice of all Board Audit Committee meetings. | Same. |
| | 5 | | | Meets the Audit Committee at least once annually without management present.⁴ | Same. |
| | 6 | | | Attends all Board Audit Committee meetings at company’s expense. | Same, and allowed at all meetings an opportunity to meet with Committee without management present. |
| VI. Resources | 1 | Ensures that Internal Audit function has adequate expertise and resources to fulfill its responsibilities | Same. | Same. | Same. |
| | 2 | Ability to contract appropriate external assistance. | Same. | Same. | Same. |
| | 3 | | Ensures that ongoing training is provided to all internal audit staff. | Same. | Same. |
| | 4 | | | Working with Audit Committee and External Auditor, assesses organization’s audit culture and designs training programs to address gaps. | Same. |
| | 5 | | | | Encourage/assist staff to obtain international certification. |
| VII. Responsibility - Internal Audit & Control Environment⁵ | 1 | Reviews adequacy of internal controls. | Same. | Same. | Same. |
| | 2 | Reviews implementation of internal controls. | Same. | Same. | Same. |
| | 3 | Periodically audits banking and other business operations. | Same. | Same, consistent with annual work plan presented to and approved by Board of Directors. | Same. |
| | 4 | Implements the annual work plan for internal audit with a fixed plan of activities but also allowing for appropriate investigation time for matters that emerge over the year. | Same, coordinates audit operations with activities of the External Auditor. | Same. | Same. |
| | 5 | Responds to matters that emerge from appropriate referring bodies (the , CEO and other senior executives). | Ensures follow-up mechanism to determine if audit recommendations (both internal and external) are implemented within appropriate and agreed timetable.⁶ | Same, and non-implementation issues raised with Board. | Same. |
| | 6 | Assists the Board with establishing ethics policy and whistle blowing procedures. | Same. | Same. | Same. |
| | 7 | | | Annual work plan is based on a risk-based analysis. | Same. |
| | 8 | | | Regularly benchmarks methods and tools against peers to find areas able to be improved. | Same. |
| | 9 | | | Monitors for evolving best practice in the areas of audit, fraud prevention and internal controls. | Same. |
| | 10 | | | Monitors public policy initiatives likely to impact the Bank’s business environment. | Same. |
| | 11 | | | | Ensures that the Bank has adequate methods by which concerns about controls/accounting/fraud/malfeasance, etc. can come to light, e.g. phone “tip” lines, e-mail access, and mailbox to provide complaints or suggestions. |
| | 12 | | | | Ensures that internal audit team’s independent and objective assurance and consulting functions add value to the Bank’s operations. |
| | 13 | | | | Cooperates with internal and external legal advisors and risk control units on investigations into major control issues. |
| | 14 | | | | Positive working relationship with relevant regulators and professional associations (e.g., Institute of Internal Auditors). |
| VIII. Responsibility - Accounting Policies and Procedures⁷ | 1 | Periodically reviews and recommends updates in corporate accounting policies and procedures framework. | Same. | Same. | Same. |
| | 2 | | Ensures compliance of internal audit with professional standards. | Same. | Same. |
| | 3 | | | | Works with Audit Committee Chairman to ensure Committee and the Bank are abreast of material pending changes under consideration by accounting standard setters. |
| | 4 | | | | Works with the Audit Committee, monitors the adequacy of external reporting practices against peers. |

1 The roles of Chief of Internal Audit, and Chief Risk Officer are intertwined. The key distinction for the Chief of Internal Audit versus the others is that the others implement the compliance and risk programs, whereas the role of internal audit is to test the adequacy of those very programs. In all cases, the relevant functions should be coordinated so that no gaps are left.

2 Prepared by Sinclair Capital, a G3 affiliate.

3 “Same” indicates that the recommendation of the identical number in the column immediately to the left is carried over into the column. Should the recommendation be only partially identical, any differences are italicized.

4 See Section IX, (point 10 in “Desirable”) of the Audit and Compliance Committee Charter Assessment Tool of the IFC’s Advanced Methodology for Financial Institutions.

5 Even if the Internal Audit function is fully or partly outsourced, the Chief of Internal Audit is ultimately responsible and accountable for ensuring the quality of internal audits.

6 Such audit recommendations are included most importantly in the Management Letters provided by the External Auditors.

7 For more details on the role of the Chief of Internal Audit in risk management, see “The Role of Internal Auditing in Enterprise-wide Risk Management”, the Institute of Internal Auditors, September 29, 2004 (available at www.theiia.org/download.cfm?file=283).
