Financial Services Volunteer Corps
Project Description
ALBANIA

Date Submitted: July 15, 2004
Date Approved: August 3, 2004

Project Name: Training on IT Auditing Techniques
Counterpart Institution: Bank of Albania – Bank Supervision and Internal Audit Departments
Project Number: 04-16-113-223-1-01
Implementation Date: 3rd or 4th Quarter 2004

Counterpart
Contact: Klodian Shehu
Title: Director, Bank Supervision Dept.
Phone: (355-4) 222153
Fax: (355-4) 223558
Email: [email protected]

FSVC - New York
Program Officer: Mary Craig
800 Third Avenue, 11th floor
New York, NY 10022
Phone: 212-771-1410
Fax: 212-421-2162
Email: [email protected]

FSVC - Albania
Regional Director: Anthony Randazzo
Program Officer: Andrew Hebeler
FSVC c/o Tirana Business Center
Phone: (355-4) 256292 ext 117
Fax: (355-4) 256291
E-mail: [email protected]

I. EXECUTIVE SUMMARY

Problem: Both the Internal Audit (IAD) and Bank Supervision (BSD) Departments of the Bank of Albania (BoA) are currently trying to improve their ability to effectively assess the safety and soundness of IT systems. The Bank Supervision Department has designated members of its bank examination staff as IT inspection specialists and is now working to develop their expertise in this area. Recent FSVC training to BSD staff has provided general consultations on the functions of a bank IT inspection unit as well as more targeted training on screening for security risk within IT systems.

The Internal Audit Department is responsible for managing risk within the BoA. One important aspect of this function includes managing the risks posed by IT systems within the BoA. The ultimate goal of this function is to preserve the integrity and security of the IT systems used by the BoA, including the new Real Time Gross Settlement (RTGS) payments system. The IAD currently has one staff member responsible for establishing and auditing the internal controls of IT systems. While he has an IT background and has received some IT system audit training, he does not have extensive experience in the preparation and execution of IT system audits.

Given the important role played by both departments in fulfilling the mission of the BoA, both the IAD and BSD would greatly benefit from more advanced training in the area of IT system auditing (ITSA). ITSA involves the use of specialized auditing tools (programs) that focus on certain types of operating systems or databases. Such tools are used to verify that security policies are being properly applied and that the proper risk control measures are in place.

Proposed Solution: FSVC will arrange for two Volunteers to spend one week with the BoA to provide in-house training in the field of ITSA. In order to make the training as practical as possible, the BoA IT Department will make available its own systems and facilities as a testing environment for the knowledge gained through the training. As this training is valuable to IT Department staff, members of this department will also be invited to take part.

Expected Outputs: The Volunteers are expected to:

Prior to departure:

• Become familiar with the systems used by the BoA in order to tailor the training to the types of systems that will be audited in the testing environment (conference calls with the IT Unit will be arranged prior to departure).

Once in country:

• Provide classroom training in ITSA to the staff of the BSD IT Unit as well as staff from the Information Technology and Internal Audit Departments on the auditing of the selected IT systems within BoA.

• Work with the participants to test the IT system audit skills presented in the course of the lectures in order to reinforce the training provided.

More technical information regarding the systems that will be used as a testing environment will be provided to the Volunteer prior to the start of this assignment.

Expected Outcomes and Results: Formal training in IT system auditing will enhance the examination skills of the BSD IT Inspectors and the IT system audit capacity of the Internal Audit Department. Knowledge of IT system auditing will improve the quality and consistency of the IT system examinations performed by bank examiners, thereby helping to guarantee the safety and soundness of the banking system. Such training will also enable the staff of the IAD to manage risks within the BoA and ensure that policies related to IT security are properly enforced. As a result, both bank examiners and internal auditors will be able to manage the operational risks of IT systems within the banking system more effectively.

II. STRUCTURE

Project Type & Location: The project will take place on-site in Tirana.

Time-frame & Implementation Date Flexibility: The project will take place in the third or fourth quarter of 2004.

Participants:
• Sokol Qeraxhiu, Director IT Department
• Dhimitraq Pllaha, Internal Audit IT specialist
• Alma Thimo, Bank Supervision IT inspection specialist
• Ilir Pustina, Bank Supervision IT inspection specialist
• Merita Bejtj, Bank Supervision IT inspection specialist

Additional staff from the IT and Internal Audit departments will likely be invited to participate in this training.

III. VOLUNTEERS

Number Required: Two Volunteers are required for this project.

Background/Experience/Skills: The advisors should have at least 4-5 years' experience in information technology system auditing. Previous experience with auditing Oracle databases and the security of diverse operating systems is important. Ideally, the advisors should hold CISA, CISSP, CITP or similar certification and have an understanding of information system auditing methodologies and standards (COBIT, FFIEC, ISO, BS etc.). Familiarity with information security is also important. Strong interpersonal skills and previous experience working in transition countries are beneficial but not required.

IV. INSTITUTIONAL CONTEXT

Counterpart Institution Information: The Bank of Albania is a public legal entity accountable to the People’s Assembly (parliament). The principal objective of the BoA is to maintain price stability. The BoA has a number of secondary objectives mentioned in the law, including the promotion of liquidity, solvency, and the proper functioning of a stable market-oriented banking system. The BoA is responsible for formulating and implementing monetary policy and exchange rate policy, licensing and supervising the banking system, managing official foreign exchange reserves, promoting the smooth operation of the payments system and acting as the fiscal agent of the government of Albania.

The Supervisory Council is the supreme decision-making authority of the BoA and is composed of nine members who are appointed by the People’s Assembly. The Governor is the chairman of the Supervisory Council and is the chief executive officer of the BoA. Council members serve a term of seven years, and are eligible for reappointment. The law outlines the conditions under which members may be removed from office. The Governor is responsible for formulating and proposing all monetary, credit and foreign exchange policies to the Council, and has ultimate responsibility for the execution of all Council decisions. In addition, the People’s Assembly elects an Inspector General, who serves a five-year term, and is in charge of the Audit Department of the BoA. The Audit Department exercises internal audit control over the administration and operations of the Bank of Albania, and ensures its operations are in conformity with all applicable laws and regulations.

The Bank of Albania may accept deposits from the Government of the Republic of Albania, and make payments on behalf of the government from these deposits. The BoA may make loans to the government of Albania under strict terms, not exceeding a maturity of six months. Loans must be collateralized with debt securities and may generally not exceed 5% of the total average revenues of the government.

Banking Supervision Department: The BSD is divided into two main sections, the Licensing Unit and the Examination Unit. The Licensing Unit is responsible for the licensing and registration of banks wishing to operate in Albania, as well as the drafting and review of banking regulations. The Examination Unit is responsible for monitoring banks’ activities by conducting both on-site and off-site inspections. The BSD supervises the 15 commercial banks operating in Albania, as well as other non-bank financial institutions, such as Savings and Credit Associations.

FSVC extends an array of assistance to the BSD, the focus of which has been a periodic advisor, Mr. Don Schmid, who from June 2002 to June 2004 provided intermittent on-the-job training to the bank examiners during on-site inspections. Aspects of this training included: monitoring assignments; training on the methodologies and the practical skills needed to conduct thorough examinations; and ensuring that appropriate supervisory policies and procedures are routinely implemented. In addition, the Advisor has worked to ensure that on-site inspections include a thorough review of anti-money laundering compliance programs adopted by commercial banks. Mr. Schmid has also worked closely with FSVC staff to ensure consistency and continuity in FSVC’s full program of technical assistance to the Supervision Department. In this regard, he has assisted in the design and implementation of short-term assistance activities. The activities include the design and implementation of a quality assurance process, the design and establishment of an electronic database for supervision, assistance in foreign bank supervision, creation of a bank supervision training and development program, internal controls training, and training in anti-money laundering procedures.

Audit of BoA IT Systems: In addition to its general auditing functions, the Internal Audit Department is responsible for auditing the IT Department and the IT systems of each of the BoA’s departments, such as the Oracle database used by the Accounting Department and the Inforex system used by the Monetary Operations Department for tracking the sale of Treasury bills and other monetary transactions. The IA Department will also be responsible for auditing the newly installed RTGS system, known as the Albanian Interbank Payment System (AIPS). Current IT audits focus on identifying and assessing systemic risks, and reviewing information systems controls and system security. The IT Specialist of the IAD also audits application systems software and data records (input, output, and data processing). CobiT is used to review and improve internal control standards.

The Monetary Operations Department’s Inforex system bears the greatest similarity to the new AIPS. The new AIPS, however, has many features which necessitate special audit training for IAD staff.

Rationale: Highly specialized and up-to-date knowledge in the field of information technology and systems is essential to ensuring the credibility of BSD IT examiners and their ability to examine information systems in banks, thus helping maintain the safety and soundness of the banking system. The same level of expertise must be developed to conduct audits of IT systems within the BoA, enabling audit staff to identify areas of potential risk that threaten the Central Bank.

FSVC Program Strategy: This project falls under USAID Strategic Objective 1.3 “Growth in number of Self-Sustaining Enterprises.” USAID has asked FSVC to create a program of technical assistance to the supervision department that will address both the needs of the department in meeting the WB obligations and to continue the work done to date by the Banking Supervision Program (under a Barents contract and set to expire in September 2002).

Past FSVC Activity: FSVC has provided training to the BSD IT Inspection Specialist, first through consultations at the Croatian National Bank, where she received a general overview of the operations, structure and procedures of the IT inspection unit. In April 2004 the Specialist then took part in intensive training on IT security, provided by the SANS Institute in Munich. Previous training to the Internal Audit Department includes a two-week consultation by an audit specialist who worked closely with the Inspector General and her staff, reviewing the current policies and procedures of the Internal Audit Department, and making recommendations for improvements. Based in part on those recommendations, further consultations were provided in the form of on-the-job training during the audit of the Accounting Department. This training allowed the FSVC volunteer to assess the level of implementation of the previous recommendations, and to provide further guidance on areas for improvement.

Other Technical Assistance: The US Treasury is not providing advice to the Bank of Albania, but is currently advising the Ministry of Finance (MoF) on sovereign debt management and has placed a full-time Financial Crimes Enforcement Advisor with the Financial Intelligence Unit at the MoF.

The IMF has been funding a resident advisor, Lou San Felice, since August 2003. This advisor’s efforts are focused on banking supervision and Anti-Money Laundering, in cooperation with FSVC. In 2004 IMF AML expert Terry Donovan made two visits to work with Mr. San Felice and BSD inspectors to develop examination procedures. The IMF and World Bank both provide advisors in different areas on a periodic basis. Recent missions have included advisors on the implementation of an RTGS system and automated clearinghouse system (which the World Bank has agreed to finance).

V. RELATIONSHIP TO MACRO-ECONOMIC REFORM

From the end of World War II until the fall of communism in 1992, Albania remained one of the most centralized and isolated states of the so-called former Eastern Bloc. Political and economic ties with the rest of the world were kept to an absolute minimum, and all forms of private ownership were forbidden. Economic activity was completely controlled by the state, and infrastructure deteriorated over time from the lack of capital investments. Although Albania has made notable progress in the course of its transition since 1992, the legacies of autarchy and extreme state control are still felt today. For this reason, Albania can be classified as both a transition and a developing country.

The initial shock caused by the change in the political and economic regime in the early 1990s was profound. Output fell by an estimated 40 percent, inflation rose to 240 percent and unemployment rose to 27 percent in 1992. With assistance from international financial institutions, the government undertook a dynamic stabilization and structural reform program. These policies reduced macroeconomic imbalances and curbed inflation. Structural measures were designed to rapidly transform the economy, and resulted in the privatization of nearly all shops, small enterprises and agricultural land. Most price controls were also abolished. These measures also resulted in the unification of the exchange rate and the liberalization of trade and payments. As a result, GDP was able to grow at an annual rate of about 9 percent between 1993-1995 and inflation declined to 6 percent in 1995.

The Albanian economy experienced two significant shocks since the start of transition. The first was the so-called pyramid scheme crisis in 1997 and the second was the war in neighboring Kosovo in 1999. The collapse of the pyramid schemes in early 1997 triggered large-scale civil disturbances and riots. By some estimates, some $1.5 - 2 billion was invested in these schemes, which were offering investors 20-30% interest per month. Following their collapse, the security situation quickly deteriorated and the resulting collapse in public order forced diplomatic missions to evacuate. The effects of the crisis were profound. Inflation soared and the currency depreciated over 40 percent. International trade and assistance declined and widespread looting and theft inflicted severe damage to Albania’s economy and international reputation.

Elections were held in mid-1997 with foreign assistance, and a new government was put in place. A post-crisis recovery program curbed the fiscal deficit and inflation, and steps were taken to wind down the pyramid schemes. Political stability was only partially restored however, and in 1998 conflicts between opposing political parties led to civil unrest. This, in addition to the threat of international terrorism, forced a temporary evacuation of diplomatic missions in September 1998. The crisis, however, was short-lived. A new government took office in October and was able to restore public order, and GDP actually rose 8% by the end of 1998.

The conflict in Kosovo delivered a second shock to the economy in March 1999. Some 400,000 refugees entered the country by May, putting a significant strain on infrastructure and government resources. Although international relief organizations and a NATO military presence helped to contain the crisis and maintain public order, the economy suffered from a temporary lack of investment and a disruption in foreign trade. The crisis did however result in an increase in consumption. The Bank of Albania estimates that some $US 59 million entered the economy through the hard currency spending of refugees on food, housing and other essential items.

Since 1998, the economic and political situation has steadily improved. The currency has remained stable and the rate of inflation has remained low. Moreover, GDP has grown steadily by an average of about 6-7 percent per year.

Institutional/Functional Reform: The Bank of Albania is striving to become a modern, market-oriented central bank. Reform goals of the Bank of Albania include: the adoption of international bank supervision standards, the establishment of a modern payments system, the implementation of an automated accounting system, improving research and forecasting abilities, and the adoption of modern personnel performance standards.

VI. PROJECT NUMBER

Fill in the appropriate project codes for this Project Description.

Year 04 2004

Grant 16 Albania

Location 113 Albania

Function/sub-function 223 Information Technology – Central Bank

Activity 1 In-Country

Counterpart 01 Central Bank