Evaluation and categorization of findings according to the Minimum Requirements for the Internal Audit Function of Banks 1/2000 (German Federal Financial Supervisory Authority)

Scholz, Christian (2004-12)

Thesis (MBA) - Stellenbosch University, 2004.

ENGLISH ABSTRACT: The main object of this study project is clause 14 of the circular 1/2000 "Minimum Requirements for the Internal Audit Function of Banks" of the German Federal Financial Supervisory Authority. It requires that banks have a risk management system, risk-based audit planning and a risk-based audit procedure. These requirements have initiated the transformation of internal audit functions from the traditional audit approach, which is past and present oriented, to the risk-based audit approach, which is future oriented. During audit planning the audit objects are chosen on the basis of their inherent risk instead of on the basis of indications from past-related information or estimations. To determine the inherent risk, the audit object's risk factors have to be determined and assessed. The aim of the study is to set up a model that allows the standardized categorization of findings according to the Minimum Requirements for the Internal Audit Function of Banks 1/2000, which require a categorization of findings into at least three categories: shortcoming, serious shortcoming, and particular grave deficiency. The Minimum Requirements do not impose a restriction on the method of categorization. The survey "Categorization of Findings" revealed that all banks are categorizing the findings, but that only a few banks are using an objective method to do so. To ensure a coherent, transparent and objective classification of the findings, the classification process has to be standardized. For a standardized classification process the extent of the findings has to be comparable and quantitative. Therefore, techniques and methods have to be applied that quantify the extent of the findings, making them comparable. In order to find the right method to assess the extent of a finding, one has to look at the components of a finding. A finding consists of risk, which is expressed by the occurrence probability and the extent of damage. The occurrence probability and the extent of damage are described by various risk factors, which are quantitative and qualitative. These risk factors have to be objectively evaluated and aggregated to determine the risk and thus the extent of the finding. The main problems of this assessment are the quantification of the qualitative risk factors and the aggregation of all risk factors. For the quantification of qualitative risk factors, the three-dimensional analysis and the Delphi method are most appropriate. These two methods can be used for the evaluation of a quantitative risk factor as well. Furthermore, sensitivity analysis, Monte Carlo simulation, and statistical methods can assist the assessment of qualitative risk factors, but these methods alone are not appropriate for the assessment of qualitative risk factors. When aggregating the assessments of the risk factors, a combination of successive comparison and the Scoring Model is suitable. The classification of findings for the annual audit report can be conducted by use of the ABC analysis. Prior to this, the scored findings have to be weighted according to the importance of the audit object for the company. All findings in class A represent serious shortcomings and particular grave deficiencies, class B represents shortcomings, and class C negligible shortcomings. The classification process can be assisted by the use of the risk map and the risk portfolio, but the sole use of these methods would not lead to a proper classification.

AFRIKAANS SUMMARY: The main objective of this study project is clause 14 of Circular 1/2000 "Minimum Requirements for the Internal Audit Function of Banks" of the German Federal Financial Supervisory Authority. It requires that banks establish a risk management system, a risk-based audit plan and risk-based audit procedures. These requirements initiated the transformation of the internal audit functions from the traditional approach, which focused on the past and the present, to a risk-based approach that is directed at the future. During audit planning the audit objects are chosen because of their inherent risks rather than because of indications from past-based information or estimates. To determine the inherent risks, the audit object's risk factors have to be determined and calculated. The aim of the study is to establish a model for the standardized categorization of findings according to the "Minimum Requirements for the Internal Audit Function of Banks" into at least three categories: shortcomings, serious shortcomings and specific gross deficiencies. The Minimum Requirements do not restrict the method of categorization. The survey "Categorising of Findings" shows that all banks do categorize their findings but that only a few banks apply an objective method in doing so. To ensure comprehensible, transparent and objective classification of findings, the classification process has to be standardized. For a standardized classification process the results of findings must be comparable and quantitative. For this, techniques and methods must be applied that quantify the results of findings and so make them comparable. To find the right method for analysing the results of a finding, one has to look at the components of the finding. A finding consists of risk, which is expressed as the occurrence probability and the extent of damage. The occurrence probability and the extent of damage are described by a variety of risk factors that are both qualitative and quantitative in nature. These risk factors have to be objectively evaluated and aggregated to determine the risk and thus the extent of the finding. The biggest problem with the analysis is the quantification of the qualitative risk factors and the aggregation of all the risk factors. For the quantification of the qualitative risk factors, the Three-Dimensional Analysis and the Delphi methods are the most appropriate. They can also be used for the evaluation of a quantitative risk factor. Furthermore, the methods of sensitivity analysis, Monte Carlo simulation and other statistical methods can also help with the calculation of quantitative risk factors. They are, however, not appropriate for the calculation of qualitative risk factors. For the aggregation of the analyses of risk factors, the combination of the Successive Comparison and Scoring models is also appropriate. The classification of findings for the annual audit report can be done through the use of ABC analysis. Before this, weights had to be assigned to the findings in accordance with the importance of the audit object for the company. All results in class A represent serious shortcomings and particularly grave deficiencies, class B represents shortcomings and class C minor shortcomings. The classification process can be assisted by the use of a risk map and a risk portfolio. The sole use of these methods will, however, not ensure a proper classification.

Please refer to this item in SUNScholar by using the following persistent URL: http://hdl.handle.net/10019.1/70206