2.7 INTERNAL CONTROLS AND EXTERNAL AUDIT

Most research works identify the failure of risk management and internal control systems as the primary causes of financial crises.[54] As a corollary, it is argued that if proper risk management and internal control systems (ICSs) were in place, most of these crises would perhaps have been averted. The external audit system further strengthens internal controls by supplementing the operational soundness of these systems. Hence these systems working together play an extremely important role in the stability and soundness of financial institutions.

The importance of these systems is even greater in the Islamic financial services industry because of its unique PLS system along with new products and procedures, not well known even to all the practitioners, and the need for Sharī‘ah compliance. Therefore, supervisory oversight in these institutions should aim at ensuring the existence of effective internal controls and external audit. It should also aim at motivating these institutions to remove on an ongoing basis the deficiencies that they happen to have in these systems.

Internal control systems must ensure the achievement of three distinct and clear objectives. First, they must aim at enhancing the performance of the organisation by utilising its assets and growth potential optimally and also ensuring the participation of all personnel with integrity, sincerity and honesty. Second, they must aim at ensuring the preparation, up-dating and availability of all reliable information which is considered to be important for raising the efficiency and competitiveness of the organisation and for serving the interests of its owners and investors. Third, they must ensure full compliance of the organisation with the laws, regulations, standard business ethics, and social values.

[54] See, for example, BCBS, Framework for Internal Controls in Banking Organizations, 1998.

The ICSs must be put in place by the organisation’s governing board and senior management, and must be practiced and complied with at all levels and by all individuals working for the organisation. It is the responsibility of the internal auditor to ensure that such a comprehensive implementation of the systems is in place.

The effectiveness of ICSs depends on a number of factors. First and foremost, the board and senior management of the organisation must not only appreciate the immense importance of internal control functions but also be committed to the development of a culture of effective ICSs. Second, the ICSs must be committed to the recognition and assessment of all the risks faced by the organisation, such as credit risks, liquidity risks, market risks, operational risks, compliance risks, technology risks, etc., and the management must ensure that the organisation has credible systems in place to control these risks. The ICSs must continuously verify the integrity of risk management systems of the organisation and ensure that periodic risk reports are regularly prepared and followed up carefully with back testing.[55] Third, the ICSs must ensure that there is no conflict of interest within the various offices of the organisation and that the ICSs do not themselves create hindrances in the smooth operation of these offices. For example, it is the responsibility of the information technology (IT) office to develop for the organisation a credible IT system that is the best available for the control of various risks and for the proper functioning of different offices, approval processes, and delegation of authority. Fourth, the ICSs must ensure that all the required information is not only easily and systematically available about the organisation, including its financial affairs, profitability and operations, but also that it is fully reliable. Similarly the organisation must also maintain external data critical for its own operations. Fifth, the ICSs for Islamic banks must be vigilant so that the operations of the organisation are in conformity with the Sharī‘ah. Finally, the ICSs must be dynamic in their review process, self-evaluation, and adoption of policies for overcoming deficiencies on an ongoing basis.

[55] Back testing refers to the practice of applying the valuation or risk forecasting model based on historical data to help appraise the model’s possible usefulness when current and future data are used.

External audit helps in making the ICSs dynamic, effective, and reliable in many ways. First, it provides for a review and verification process for the integrity of the ICSs. Second, it brings in objectivity by being external and relatively independent of the organisation’s management. Third, it provides for cross-checking of the critical information provided by the management to outsiders, irrespective of whether they are individuals, organisations, or the market. Fourth, it ensures compliance with international standards, which is most important for comparability and market discipline.

Since ICSs play an extremely important role in the stability and efficiency of a banking organisation, supervisory oversight is indispensable on an ongoing basis to ensure the credibility of such control systems and to remove the existing deficiencies over a reasonable period. ICSs tend to be weaker in organisations which do not have credible governance systems, a phenomenon which appears to be endemic in the banks of many developing countries, and Islamic banks do not seem to be an exception. It is the responsibility of supervisory authorities to set minimum governance standards for Islamic banks so that they are compelled to develop ICSs on professional criteria. It is also the responsibility of supervisory authorities to motivate these institutions to develop credible risk management cultures within their organisations.