
Internal Audit Survey Lithuanian Banking Sector

July 2009

Consulting and Risk Services

Table of contents

Foreword
Executive Summary
  Objective of the Survey
  Scope and Respondents of the Survey
  Key Findings of the Survey
Detailed Survey Results
  Size of Internal Audit Departments and Level of Support from 3rd Party Providers
  Experience, Qualifications, Training and Staff Retention
  Audit Planning and Delivery
  Main Objectives of the Internal Audit Department and the Value It Adds
  Internal Audit Department Performance
  Tools, Professional Standards and Methodologies
  Communication and Reporting
About us


Foreword

Recent years have shown an unprecedented degree of change in the world of Internal Audit. Heads of Internal Audit Departments and risk professionals have been asked to cope with major corporate scandals and economic uncertainty and the changes that these events have had on their organisations and governance processes. In addition, they have had to familiarise themselves and provide assurance on the ever increasing use and complexity of technology. Organisations are also extending beyond their traditional barriers into close and complex relationships with third parties. The green agenda also continues to become more important within organisations as stakeholders demand more assurance on how organizations are responding to public concerns in this area. All of this has meant that the role and responsibilities of the Head of an Internal Audit Department are becoming ever more demanding and who knows what the short term future will bring, as the global economy tightens and the fiscal and monetary authorities take action. These factors impact Internal Audit Departments in a variety of ways, including the skills that need to be obtained and deployed, the quantum of available resources we have to hand and responding to new and emerging business risks.

This brochure provides context arising from the recent Deloitte Lietuva UAB survey which was conducted in order to benchmark the performance of Internal Audit Departments within the Lithuanian Banking industry. It has been a period of unprecedented change which we do not see abating. For internal auditors and risk professionals, coping with such significant change is now business as usual.

Andrew Cross

Director In Charge of Lithuania & Baltic States Consulting and Risk Services Deloitte Lithuania July 2009

Tim Mahon

Managing Partner Deloitte Lithuania July 2009


Executive Summary

Objective of the Survey

The goal of the Internal Audit Survey for banking institutions is to help respondents assess and understand the state of internal audit within their bank relative to their Lithuanian peer group. Internal Audit within the banking sector is a fast growing area that is faced with an ever changing and increasingly complex regulatory and technological environment. Financial services institutions, now more than ever, recognize the importance of performance measurements and benchmarks in helping them manage complex systems and processes. Benchmarking with a peer group can assist organizations in identifying those practices that, when adopted and implemented, have the potential to produce superior performance. By summarizing the survey data, collected in the first half of 2009, we were able to determine differences and similarities among the practices of Internal Audit departments of Lithuanian banks, and identify trends.

Scope and Respondents of the Survey

The survey covered the following areas:
- Size of Internal Audit departments and level of support from 3rd party providers;
- Experience, qualifications and training;
- Planning and performing audits;
- Audit planning and delivery;
- Main objectives of the Internal Audit Department and the value it adds;
- Internal Audit Department performance;
- Tools, professional standards and methodologies; and
- Communication and reporting.

This report presents the results of the survey in which 10 of the 11 commercial Lithuanian banks participated. The responses to the survey were provided by the Head of the Internal Audit departments within the banks.

Key Findings of the Survey

- All of the surveyed Banks have an Internal Audit Department, which, on average, consists of 6 full time internal resources.
- Nearly 70% of the auditors employed by the surveyed banks hold professional qualifications, with the most common being the Lithuanian Internal Audit Certification. Less than 10% of the auditors hold either the International Certified Internal Auditor or Certified Information Systems Auditor qualifications.
- For 90% of the surveyed Banks the Head of the Internal Audit Department reports directly to the Audit Committee.
- 50% of the Banks surveyed have specialist IT auditors and capabilities, with approximately 25% of total audit department time being spent on IT related activities. None of the Banks currently have specialist fraud auditors.
- 70% of the Banks use specialist 3rd party providers to assist them, typically outsourcing up to 25% of their annual activities.
- On average, each of the Banks invests 11 days per annum into training each of its auditors. A common issue appears to be the lack of supply of adequate training courses in Lithuania.
- All of the Internal Audit Departments are performing activities to assess compliance with MiFID requirements. The majority also perform audit activities in respect of Basel II and Bank of Lithuania Act 149 requirements. However, at the current time, there appears to be limited audit activities in the areas of Anti-Money Laundering and protection of personal data.
- 80% of the Internal Audit Departments indicate that they have recently updated their 2009 plan to reflect new risks driven by the current economic uncertainty, with more emphasis being placed on areas such as credit risk and provisioning, loans and collateral management and liquidity risk.
- The majority of the Internal Audit Departments plan to perform an audit of their Banks' governance processes in 2009.
- 40% of the Internal Audit Departments fully delivered their 2008 audit activities in accordance with plan, with the majority of the remaining Departments delivering at least 75% of their planned activities.
- All of the Departments base their work on the Standards of the Institute of Internal Auditors. However, 60% of the Departments, at the time of survey, had not implemented the updated Standards that became effective on 1 January 2009.
- 60% of the Internal Audit Departments have formally defined and documented their Internal Audit policies, procedures and methodologies (i.e. Internal Audit Manual).
- The surveyed Internal Audit Departments indicated that their main value drivers were:
  - To assist management to improve the effectiveness and efficiency of their Banks' internal controls;
  - To assure compliance with external regulations and internal policies and procedures; and
  - To assist the Bank to increase the operational efficiency of its processes and activities.
- A variety of methodologies and approaches are used to evaluate and improve Internal Audit Department performance, with 70% of the Departments using established key performance indicators.
- 60% of the Departments indicated that an independent external quality assessment had been performed within the last two years. A further 20% will perform such an assessment within the next two years.


Detailed Survey Results

Size of Internal Audit Departments and Level of Support from 3rd Party Providers

In total the 10 Banks that participated in the survey employ 57 internal auditors, with 6 of the resources specialising in IT audit. None of the Banks employ an internal audit resource specialising in fraud and investigations. The largest Internal Audit Department currently consists of 15 auditors and the smallest of 1 auditor (See Figure 1).

[Figure 1. Number of staff in Internal Audit Department. Legend: 1-2 resources; 3-5 resources; 6-9 resources; 10 or more resources.]

50% of the Banks surveyed have at least 1 IT audit specialist. 70% of the surveyed Banks use specialist 3rd party providers to assist them to perform and deliver their internal audit activities, on average outsourcing up to 25% of their annual activities.

Experience, Qualifications, Training and Staff Retention

On average, each non IT internal auditor employed by the Banks that participated in this survey has 6 years of relevant work experience (maximum: 9 years of experience, minimum: 3 years of experience). Auditors specialising in IT appear to be less experienced, with an average of 4 years of experience (See Figure 2).

[Figure 2. Average years of experience of each internal auditor. Panels: Non-IT auditors; IT auditors. Legend: Less than 2 years; 2-5 years; 6-8 years; More than 8 years.]

69% of the internal auditors employed by the surveyed Banks hold professional qualifications. By far the most common is the Lithuanian Internal Audit Certification, held by 54% of the internal auditors. Other qualifications held include:
- International Certified Internal Auditor (7%);
- Certified Information System Auditor (2%);
- Chartered Certified Accountant (ACCA) (2%);
- Lithuanian Sworn Auditor (2%); and
- Certified Financial Services Auditor (2%).

On average, each of the Banks invests 11 days per annum into training each of its internal auditors (maximum: 30 days, minimum: 5 days). 90% of the Banks stated that at the current time it was difficult to find adequate internal audit training courses in Lithuania.

The survey showed that the most important factors for retaining Internal Audit resources within the Banks are possibilities for professional development, compensation and challenging assignments. Opportunities to rotate into other positions within the business and recognizing and rewarding performance are also considered as having high importance (See Figure 3).

[Figure 3. The most important factors for retaining Internal Audit resources. Axis: Percentage of surveyed Banks. Categories: Providing professional development; Compensation; Challenging assignments; Opportunities to rotate into other positions within the business; Recognizing and rewarding performance; Flexible work schedules; Other.]

The survey participants indicated that it currently takes, on average, 55 days to recruit a new internal audit resource. This time period is expected to decline during periods of economic and business uncertainty.

Audit Planning and Delivery

70% of the Banks indicate that there is a high level of interaction between their Internal Audit Department and their risk management and compliance functions, with proactive sharing of risk and control information. Only 1 of the 10 Banks indicated that there is no interaction between these functions.

In respect of successful delivery of the 2008 Internal Audit Plan, 40% of the Banks' Internal Audit Departments fully delivered their Plan on time and 50% of the Departments delivered at least 75% of their Plan (See Figure 4).

[Figure 4. Proportion of the 2008 Internal Audit Plan delivered. Legend: Delivered 100% of 2008 Internal Audit Plan; Delivered 75-99% of 2008 Internal Audit Plan; Delivered 50-74% of 2008 Internal Audit Plan.]

On average, 25% of the Banks' Internal Audit activities related to assessing controls over IT and Information Systems (See Figure 5).

[Figure 5. Proportion of the actual work related to IT activities. Axis: Percentage of surveyed Banks. Categories: More than 50%; 40-50%; 20-39%; 10-19%.]

On average, 15% of the Banks' Internal Audit activities related to investigating potential fraud and assessing anti-fraud control frameworks (See Figure 6).

[Figure 6. Proportion of the actual work related to fraud reviews. Axis: Percentage of surveyed Banks. Categories: More than 50%; 20-39%; 10-19%; Less than 10%.]

All of the Banks' Internal Audit Plans include activities to assess compliance and controls in respect of the Markets in Financial Instruments Directive (MiFID).

All of the Banks also perform other regulatory audits (See Figure 7). Notably:
- 80% perform audits in respect of Basel II requirements and compliance with the Bank of Lithuania's Act 149 Internal Control and Risk Management requirements
- 20% perform audits in respect of compliance with Anti Money Laundering and Protection of Personal Data regulations

[Figure 7. Other regulatory driven audits. Axis: Percentage of surveyed Banks. Categories: Act No. 149 on Internal Control and Risk Management issued by the Bank of Lithuania; Basel II regulations; Law on Prevention of Money Laundering No. VIII-275; Law on Legal Protection of Personal Data No. X-1444; Law on Banks No. IX-2085; Law on Financial Institutions No. IX-1068; Act No. 125 and 148 on Internal Audit issued by the Bank of Lithuania.]

The survey showed that the Banks are planning to perform an audit of their governance process and systems in 2009 with 70% of the surveyed Banks answering positively. 80% of the surveyed Banks indicated that they have recently updated their 2009 Internal Audit Plan in order to reflect and address new risks driven by the current economic uncertainty, with specific focus being placed on credit risk and provisioning, loans and collateral management and liquidity risk.

Main Objectives of the Internal Audit Department and the Value It Adds

90% of the surveyed Banks indicated that the most important objective of the Internal Audit Department is to improve the Banks' internal controls. The following other objectives were also highlighted as being important and areas of focus:
- Improving the efficiency of the Bank and its processes;
- Assessing compliance with external requirements and regulations; and
- Assessing compliance with internal policies and procedures.

The main areas of Internal Audit activity that are perceived as adding the most value to the Banks (See Figure 8) are as follows:
- The development of risk management and control frameworks;
- The development of internal control solutions; and
- Increasing the operational efficiency of processes and activities.

[Figure 8. Internal Audit Department activities perceived as adding the most value. Axis: Percentage of surveyed Banks. Categories: Development of risk management and control frameworks; Development of control solutions; Increase the operational efficiency of processes and activities; Address and resolve key business risks; Assist the development of secure IT systems; Ensure compliance; Support the achievement of key business objectives; Enhance customer service procedures; Ensure effective financial reporting.]

Internal Audit Department Performance

A variety of methodologies and approaches are used by the surveyed Banks to evaluate and improve the performance of their Internal Audit Departments (See Figure 9). The most popular are as follows:
- An external quality assessment of the Department (in accordance with IIA Standards);
- Specific performance feedback received from Executive and Senior management and auditees;
- Level of success in the delivery of the annual Internal Audit Plan; and
- The number of significant control related findings identified.

[Figure 9. Key methodologies and approaches used to measure the performance of the Internal Audit Department. Axis: Percentage of surveyed Banks. Categories: An external quality assessment of the Department (in accordance with IIA Standards); Specific performance feedback received from Executive and Senior management and auditees; Level of success in delivery of the annual Internal Audit Plan; The number of significant control related findings identified; Other; Number of Internal Audit Department recommendations fully implemented; Length of time to perform audit; Cost savings / cash flow improvements identified; Internal or self assessment of quality.]

70% of the Banks have established key performance indicators for measuring and monitoring their Internal Audit Department.

60% of the Banks surveyed indicated that an external quality assessment of their Internal Audit Department has been performed within the last two years. On average, they intend to repeat the external quality assessment within the next 3-5 years. In respect of the remaining 40% that have not undergone an external quality assessment:
- 20% expect to perform an external quality assessment in the near future (1 to 2 years); and
- 20% are not planning for such an assessment to be performed.

The surveyed Banks indicate that the two key areas for improving the performance of their Internal Audit departments (See Figure 10) are as follows:
- Increased focus and attention on assessing the adequacy of internal controls to mitigate key business risks; and
- More training and development of the skills and knowledge of its internal auditors.

[Figure 10. Areas of improvement for Internal Audit Department. Axis: Percentage of surveyed Banks. Categories: Increased focus and attention on assessing the adequacy of internal controls to mitigate key business risks; More training and development of the skills and knowledge of its internal auditors; Improving communication with management; Implementing IT tools; Improvement of Internal Audit Department methodologies and processes; Recruitment of more resources; Other.]

On average, the surveyed Banks are expecting to invest up to LTL 50,000 per annum into enhancing and developing their Internal Audit Departments.

Tools, Professional Standards and Methodologies

50% of the surveyed Banks use Internal Audit tools and technology such as ACL and other data interrogation software, automated working papers, knowledge databases, automated risk assessment tools and planning tools.

All of the surveyed Banks' Internal Audit Departments base their work on the Standards of the Institute of Internal Auditors. However, only 40% of the Banks' Internal Audit Departments have implemented the updated Standards of the Institute of Internal Auditors, which became effective on 1 January 2009.

The majority of the Banks with specialist IT internal auditors use CobiT standards as the base for their IT internal audit activities. Other professional standards being used include ISO and ITIL. 60% of the surveyed Banks have also developed their own internal methodologies for performing Internal Audit activities (See Figure 11).

[Figure 11. Use of professional standards. Axis: Percentage of surveyed Banks. Categories: IIA standards; CobiT; Internal methodologies for performing Internal Audit; Other; ISO 27000 / ISO 17799; ITIL.]

Communication and Reporting

For 90% of the surveyed Banks, the Head of the Internal Audit Department reports directly to the Audit Committee. However, due to a number of the Lithuanian Banks being part of foreign based banking groups, a number of Heads of Internal Audit also report to the Group Head of Internal Audit, Chief Executive Officer or Board (See Figure 12).

[Figure 12. Reporting. Axis: Percentage of surveyed Banks. Categories: Audit Committee; Group Head of Internal Audit; Chief Executive Officer; Board.]

The Directors of Internal Audit Department of the surveyed Banks indicate that:
- They have good communication and information flow with the Banks' Executive and Senior Management, in respect of current and emerging business issues and concerns;
- They receive the appropriate level of support from the Banks' Audit Committee, Executive Management and Senior Management.

On average, the Directors of the Internal Audit Departments report, meet and discuss audit and business issues with the Audit Committee and Management Board every month. 2 of the 10 Banks perform these activities on a weekly basis (See Figure 13).

[Figure 13. Frequency of discussions or reporting of issues to the Board or Audit Committee. Axis: Percentage of surveyed Banks. Legend: Weekly; Monthly; Quarterly; Less, infrequently.]

About us

For more information please contact:

Tim Mahon
Managing Partner
Deloitte Lithuania
Tel.: +370 5 255 3002
E-mail: tmahon@deloitteCE.com

Andrew Cross
Director in Charge of Lithuania and Baltic States
Consulting and Risk Services
Deloitte Lithuania
Tel.: +370 5 255 3014
E-mail: andcross@deloitteCE.com

Gediminas Minkus
Project Leader for Capital Market Services
Deloitte Lithuania
Tel.: +370 5 255 3021
E-mail: gminkus@deloitteCE.com

Dominyka Sakalauskaitė
Project Leader for Internal Audit Services
Deloitte Lithuania
Tel.: +370 5 255 3016
E-mail: dsakalauskaite@deloitteCE.com

Dainius Gužys
Project Leader for IT / IS Services
Deloitte Lithuania
Tel.: +370 5 255 3018
E-mail: dguzys@deloitteCE.com

Laura Puodžiūnaitė
Project Leader for Consulting and Optimisation Services
Deloitte Lithuania
Tel.: +370 5 255 3013
E-mail: lpuodziunaite@deloitteCE.com

Deloitte Lithuania is one of the leading professional services organisations in the country, delivering world-class audit, tax & legal, consulting, financial advisory and enterprise risk services. The practice serves many of the country's largest companies, public institutions and successful, fast-growing companies. Our internationally experienced professionals strive to deliver seamless, consistent services wherever our clients operate. Our Lithuanian practice is part of our regional firm, Deloitte Central Europe. Deloitte Central Europe has approximately 4,000 employees in 17 countries providing international and local services across the borders of the region. Our regional firm in Central Europe is a member of our international organisation, Deloitte Touche Tohmatsu. Deloitte delivers measurable value to our clients through a global network of diverse professionals who bring unmatched depth and breadth of expertise.

With 14 years of operations in Lithuania, we are a fast growing and dynamic firm and enjoy the distinction of being a market leader in respect of audit and consulting services. Our major strength is our ability to render comprehensive services covering all principal areas of concern to businesses. Our services are coordinated by a lead client service partner and are rendered by individual professional partners and managers within the firm. Another competitive edge of our firm stems from the industry and technical expertise of our local and foreign professionals. As a result of the regional structure of Deloitte, we are able, as and when necessary, to draw upon the experience of our specialists in the Central European region and other professionals from our global network.


These materials and the information contained herein are provided by Deloitte Lithuania and are intended to provide general information on a particular subject or subjects and are not an exhaustive treatment of such subject(s). Accordingly, the information in these materials is not intended to constitute accounting, tax, legal, investment, consulting, or other professional advice or services. The information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that might affect your personal finances or business, you should consult a qualified professional adviser. These materials and the information contained therein are provided as is, Deloitte Lithuania makes no express or implied representations or warranties regarding these materials or the information contained therein. Without limiting the foregoing, Deloitte Lithuania does not warrant that the materials or information contained therein will be error-free or will meet any particular criteria of performance or quality. Deloitte Lithuania expressly disclaims all implied warranties, including, without limitation, warranties of merchantability, title, fitness for a particular purpose, noninfringement, compatibility, security, and accuracy. Your use of these materials and information contained therein is at your own risk, and you assume full responsibility and risk of loss resulting from the use thereof. Deloitte Lithuania will not be liable for any special, indirect, incidental, consequential, or punitive damages or any other damages whatsoever, whether in an action of contract, statute, tort (including, without limitation, negligence), or otherwise, relating to the use of these materials or the information contained therein. If any of the foregoing is not fully enforceable for any reason, the remainder shall nonetheless continue to apply. 
***

Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in 140 countries, Deloitte brings world-class capabilities and deep local expertise to help clients succeed wherever they operate. Deloitte's 165,000 professionals are committed to becoming the standard of excellence. Deloitte's professionals are unified by a collaborative culture that fosters integrity, outstanding value to markets and clients, commitment to each other, and strength from cultural diversity. They enjoy an environment of continuous learning, challenging experiences, and enriching career opportunities. Deloitte's professionals are dedicated to strengthening corporate responsibility, building public trust, and making a positive impact in their communities.

Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/lt/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms.

Member of Deloitte Touche Tohmatsu
2009 Deloitte Lithuania
