FINAL REPORT

Internal Auditing

Based on the course’s material and your own understanding,

do research and out how major banks in Vietnam have
implemented internal controls as tools for risk prevention
and/or performance improvement. What are the limitations
for those institutions?

Lecturer : MA. Ngo Tri Trung

Class : AC2015D&E
Program : Analyzing, Accounting and Auditing
Group : 2

Ha Noi, 17th May 2019

 GROUP MEMBERS

1. Bùi Thị Thùy Linh

2. Đặng Khánh Linh
3. Hoàng Thị Phương Linh
4. Ngô Thanh Tùng
5. Trịnh Thị Trang
6. Nguyễn Thị Khánh Huyền
7. Vũ Phương Thảo
Contents
I. INTRODUCTION: .................................................................................................................................... 1
II. THE IMPLEMENTATION INTERNAL CONTROL OF CREDIT ACTIVITIES OF SOME MAJOR BANKS IN
VIETNAM: ...................................................................................................................................................... 3
1. Joint Stock Commercial Bank for Investment and Development of Vietnam (BIDV): ...................... 3
1.1 Current status of internal control of credit activities at BIDV: ................................................. 3
1.2 Assessment of internal control of credit activities at BIDV: ................................................... 10
2. Vietnam Joint Stock Commercial Bank for Industry and Trade (Vietinbank): ................................ 12
I. INTRODUCTION:
All enterprises aim to perform effectively, manage the business risks,
comply with laws and regulations, and prepare reliable financial statements.
However, during the operations, they expose to the potential risk of not
achieving these objectives due to weaknesses of managers, staff or a third
person that cause risks and reduce their performance. Building IC is one of the
solutions to evaluate and manage risks, improve performance effectiveness and
achieve business objectives. In recent years, the commercial bank system in
Vietnam has considerably developed in term of asset size, branch-office system,
products and services, and the information technology system. However,
besides growth in size and profit, the bank system is facing many limits,
weaknesses and has potential risks. While the banking system tends to expand
in size, its performance is unstable, and lots of risks arise and need to be
resolved like bad debt, potential bankruptcy of banks. One of the urging
strategic solutions is to establish and upgrade IC of commercial banks
(Podpiera, R., 2006). IC becomes an important self-defense system against
risks, which enhances effectiveness of banks’ performance. In general, banking
system faces the following risks: risk from non-performing loans, liquidity risk,
currency risk and risk from connected-lending. To reduce this negative impact
of these risks, Vietnam should combine many resolutions to manage effectively
such risks.

The Committee of Sponsoring Organizations (COSO) of the Tread way

Commission’ s Internal Control-- Integrated Framework is an example of one
such method that many banks have found to be useful. Although this framework
is used by multi-billion dollar financial institutions, it is flexible enough to work
effectively at a bank with only $25 million in total assets as well. The COSO
framework includes five internal control elements. These elements can be
tailored based on the size and complexity of the bank.

- Control Environment – The board of directors and senior managers are

responsible for identifying the bank’s key business strategies, objectives,
and goals. Board members should tailor the control framework to
 influence the bank’s philosophy, culture, and ethics with the goal of
establishing and maintaining an appropriate control environment.
- Risk Assessment – The board of directors and senior managers should
timely assess the risks at the entity level as well as the risks inherent in
the activities and processes managed. After identifying the risks, the
board of directors and senior managers should determine the bank’s risk
tolerance and establish risk measurement practices that are appropriate
for their organization.
- Control Activities – Control activities can consist of a mix of
preventative and detective controls and can be manual or automated.
Control activities are performed at all levels of the entity, at various
stages within business processes, and across the technology environment.
As risk exposures change, management should determine whether new
and/or altered control activities are needed to manage the level of risk.
- Information and Communication – Information required to successfully
achieve the organization's control objectives should typically be stored in
a management information system and disseminated to bank personnel as
appropriate in a timely manner. Sensitive information also needs to be
protected and controlled.
- Monitoring Activities – Monitoring of controls is often carried out within
the business lines and by the audit function. Results of business line self-
assessments and audit reviews should be communicated to the board and
senior management in a timely manner. However, some smaller banks do
not have an independent internal audit department. If a bank does not
have an internal audit department, the bank should ensure appropriate
review activities are built into operations, are ongoing, and are performed
relative to the nature and scope of its activities. In addition to assessing
the effectiveness of controls, monitoring activities often help institutions
identify and manage areas with higher risk. For example, periodic fair
lending assessments of loan denials and comparative file reviews are
important to assist institutions in identifying, managing, and controlling
their fair lending risk.
II. THE IMPLEMENTATION INTERNAL CONTROL OF CREDIT
ACTIVITIES OF SOME MAJOR BANKS IN VIETNAM:

1. Joint Stock Commercial Bank for Investment and Development of

Vietnam (BIDV):

1.1Current status of internal control of credit activities at BIDV:

a. Control environment:
- The Board of Directors of BIDV is aware of the importance of credit
activities for the bank's survival and the need to manage and control credit
risks. BIDV has organized an internal audit and internal control according to
the regulations of the State Bank and the bank's management requirements.
Senior managers uphold the principles of banking business respect the law
and the necessity of building a risk management model suitable to BIDV's
operation characteristics. At the same time unified the sense of compliance
laws and respect business ethics rules throughout all levels management,
management of the bank.
- The organizational model of implementing credit control shows the effort to
achieve transparency, completeness and professionalism, with the depth of
the parts in the approval apparatus:

- At BIDV, the credit granting process for customers is carried out in the
sequence of steps including: Credit proposal; Credit risk assessment; Credit
approval; signing a credit contract and accounting for disbursement /
guarantee issuance.
- The Executive Board determines that the control culture is an essential
component of the internal control system and makes an important
contribution to ensuring an effective internal control system of the Bank.
b. Risk assessment:
- BIDV has established a Risk Management Committee, including a Credit
Risk Management Division, which specializes in dealing with issues, related
to risk management in credit activities. The tasks undertaken by the Risk
Management Committee include: (i) advising and advising the Board of
Directors on risk management strategies and policies; (ii) advise the Board
of Directors in planning policies and mechanisms in risk management across
the system; (iii) approving the method of valuation of risks and risk limits
according to its authority.
- BIDV measures credit risk through indicators such as overdue debt ratios,
bad debt ratios, risk of loss of capital, risk coverage factors ... which are
most commonly used only bad debt. The use of bad debt indicators has
many advantages such as the scale and ratio of irrecoverable capital of a loan
portfolio, depending on the size of bad debt the bank can use the risk reserve
fund. Profit or equity to compensate. However, the use of these indicators is
limited only to indicate the level of risk of the Bank at the time in the past
could not predict the risk of a loan before granting credit.
- BIDV controls and manages credit risks through building the jurisdiction of
each branch based on the effectiveness, actual credit quality of each branch
and assessing the management capacity of each branch. , assess the potential
of each region. The Bank builds a customer policy to screen, select good
customers, and have appropriate and consistent behavioral policies for each
customer.
- Some other internal management assessment support tools are used to
manage credit risk such as structured debt management program, accrued
interest rate analysis, debt classification.
- Based on the assessment results, credit risk measurement, BIDV
implemented measures to prevent, minimize and overcome credit risks such
as editing, perfecting policies and professional regulations; Arranging,
arranging, rotating and training cadres; Upgrading information technology
system to support credit risk management and warning ...
- BIDV controls and manages credit risk by setting credit limits corresponding
to the level of risk that the Bank can accept for each customer, for each
industry sector as well as setting up medium and long-term credit limits are
in line with capital mobilization structure.
c. Control activities:
- BIDV has issued policies, regulations, regulations and credit process.
Internal control is designed, installed, implemented immediately in every
step of the credit process, at all units and departments in the Bank.
- Credit operation process is set up for inspection and control posts; ensure
cross-checking mechanism between individuals and departments; ensure that
each step in the business process must have at least two participants (a
person performing the transaction, a person who controls the transaction),
absolutely not allowing any individual to conduct it alone and decide a
business process, a specific transaction, except for transactions within the
limits allowed by the Bank in accordance with law.
- Model of internal control activities of credit activities at BIDV:

d. Information and Communication:

- The process of collecting, processing and storing credit activity information:

- In order to collect internal information in credit operations, BIDV has

developed and issued a system of internal management reports for each
Board / Branch in the Bank and set the time for each report to provide a
timely, reasonable and reliable information on credit activities and
compliance of the Bank. Management reports can be created manually or
extracted from SIBS system software and business module of loan module,
trade finance module, and guarantee module.
- In order to collect external information, the Bank develops a program for
training and development which facilitates and provides financial support for
participating staff and external programs and workshops. This program not
only helps employees who have the conditions to study, improve their
knowledge and achieve the necessary diplomas and degrees for their jobs,
but also helps qualified employees gather external information. At the same
time, the Internal Audit Department periodically updates changes in the
relevant legal provisions of credit activities to update the Bank's current
internal audit policies.
- BIDV has deployed online technology throughout the system, ensuring that
all branches and units in the bank's system can exploit information, share
customer database and update information. Time in the processing system.
 Information transmission line is connected throughout the system so that the
units in the system can exchange and communicate information about the
bank's policies, the operation of each place through BIDV internal website.
- BIDV also pays great attention to the management and confidentiality of
information within the Bank. Regulations on management and secret
protection of information No. 1606 / QD-HDQT on September 19, 2013 set
out the principle of requiring all employees to arbitrarily approach, exploit,
use and supply granting information without the consent of the authorized
person. Information is classified into confidential information, limited access
information, internal circulation information, and other information and for
each type of information, specific instructions for use.
- BIDV also established information channels to exchange with external
partners. Information channel from the Credit Information Center (CIC) of
the State Bank of Vietnam provides all information about customer loans at
credit institutions, including positive and negative information to help BIDV
refinement. Customers before making a loan decision to prevent limiting
risks, ensuring system safety. Information channel from the Supervision
Agency of the Bank provides outstanding issues in credit operations as well
as the operation of the internal control system through the results of
supervision inspection at BIDV's units. Information channel to exchange
information with the Tax Administration to grasp the situation of tax arrears,
tax violations of enterprises with a loan relationship at BIDV.
e. Monitoring:
- At BIDV, the Internal Audit apparatus are set up to regularly assess the
whole operation of the bank, including the effectiveness of the design and
operation of internal control policies and procedures.
- Centralized inspection and internal audit model:
- The Inspection and Supervision Board is a unit set up by the Board of
Directors of BIDV with a structure of 06 professional divisions including 4
Inspection and Supervision Divisions 1,2,3,4 with the function of checking
and supervising. Comprehensive supervision of the activities of the Boards /
Centers at BIDV Head Office and branches and transaction offices by
location and area.
- The functions of the Inspection and Supervision Board are as follows:
 Supervise the key activities of the Boards / Centers at the Head
Office, member units; assess safety, compliance, potential risks and
propose solutions and remedies.
 Examine the compliance with the provisions of law, regulations,
operational procedures, internal regulations of BIDV;
 Advice to help members of the Steering Committee to fight against
corruption, bank crime prevention as prescribed.
 Focal point to advise and direct and / or directly verify and propose
solutions to resolve complaints and denunciations of units in the
system under the jurisdiction of BIDV.
- Internal Audit Department under the Supervisory Board (established under
the Decision No. 168 / QD-HDQT dated May 2, 2012 of the Board of
Directors and re-established under Decision No. 1254 / QD-HĐQT dated 01
month 8, 2013) with eleven (11) officers (not including the Chief of Internal
Audit Department who is also part-time by the Supervisory Board member).
According to the Operation Regulation No. 168 / QD-HDQT dated May 2,
2012 of the Board of Directors of BIDV, the Internal Audit Department
performs 2 basic functions: internal audit and assisting the Inspection
Committee. Some tasks need to be performed with specific role as internal
audit:
 Prepare an annual or unexpected internal audit plan and carry out
internal audit activities according to plan or unexpected audit at the
request of the Association
 Board of Management, Supervisory Board; implement policies,
procedures and inspection procedures
 internal math has been approved, ensuring quality and efficiency;
 To examine, review and evaluate independently and objectively all
BIDV's units, departments and activities based on the level of risk and
influence on BIDV's operations;
 Proposing measures to correct and remedy errors; propose handling
violations; propose measures to improve, improve the effectiveness
and efficiency of the internal control system;
 Establish a record of competency and requirements required for
internal auditors as a basis for recruitment, promotion, staff rotation
and professional support; make recruitment plans and arrange
adequate personnel to ensure continuous monitoring work; continuous
training to improve and ensure professional capacity for internal
auditors;
 Maintain regular consultation and exchange with independent auditing
organization, State Bank (Banking Inspection and Supervision
Agency, State Bank branch) to ensure effective cooperation fruit; is
the coordinating unit, coordinating with external agencies for jobs
related to the functions and tasks of the internal audit;
 Monitoring the process of hiring independent auditors; supervising the
process of performing the work of independent auditors; evaluate the
performance of the independent audit.
1.2Assessment of internal control of credit activities at BIDV:
a. Control activities:
- The Board of Directors regularly pays attention to credit quality control.
Directing units in the whole system to strengthen credit management, credit
quality control.
- Create a culture of awareness and risk control in each employee of BIDV:
Each individual, from the customer specialist to the staff of the support
units, must comply with regulations; processes and sense of responsibility
assess, detect risks early and find ways to prevent risks arising. That is, risk
management is implemented by the whole system, not the sole responsibility
of the risk management division.
- Professional ethics of officials is increasingly focused: Professional ethics
standards through the Code, regulations on style and working space, through
which the Board of Directors and employees are evaluated according to
BIDV's ethical standards.
b. Risk assessment:
- In all cases of exceeding the limit of risk control, it will be promptly
reported to the authorized level of approval (the Board of Directors or the
Director General) and at the same time propose effective measures to return
to the state within micro limit of risk control in the shortest time. The
departments / units with the function of risk management at the Head Office
are responsible for monitoring and managing each type of risk according to
the management profession (vertical system).
- The process of credit quality review allows for early forecasting of changes
in the financial situation and repayment capacity of partners based on
qualitative and quantitative factors. The credit limit for each customer is
established through the use of a credit rating system, in which each customer
is ranked at a risk level. This level of risk can be revised and updated
regularly.
c. Control activities:
- Strict credit control regulations have limited the possibility of operational
risks. Currently, BIDV manages operational risks by a number of internal
measures such as two-handed inspection on multiple areas, responsibility
isolation, access rights decentralization, multi-story transaction approval ...
 to ensure information security. Of banks and customers, preventing the use
of bank assets for wrong purposes.
- The establishment of control buttons in the credit process is quite
reasonable, effectively preventing fraud through the moderator's censorship
in most important control points: loan decision, resolution decision the bank,
the decision to extend the debt and decide to settle the loan.
- The control procedures are relatively reasonable, contributing to the
restriction of frauds in credit activities. Control procedures are built on the
"two-handed" principle, ensuring mutual supervision in professional
activities.
d. Information and communication:
- With modern technology infrastructure, BIDV has established a risk
prevention information system; transparent network within BIDV system
allows units to exchange and collect data, analyze creditworthiness level of
economic units, serve well for the work for borrowing, improving credit
quality, reducing risks for BIDV.
- With the management information system, computer network is
strengthened; upgrading both capacity and quality of communication is a
great support for the improvement of reporting and statistical information
between BIDV and the State Bank. , between BIDV branches and
headquarters to help the direction and administration of the entire system are
more responsive, accurate and timely.
e. Monitoring:
- Monitoring Activity: Initial monitoring has been effective. Monthly and
quarterly, the Inspection and Supervision Board shall supervise and evaluate
the implementation, progress and results of implementation of the direction
and administration contents of the Board of Directors and the Chairman of
the Board; at the same time, implementing topics to monitor the results of
implementation of major plans and programs of BIDV.
- Supervisory Board act as a focal point to implement many tests at the units.
Through the inspection, a number of errors and operational errors in the
credit work have been detected at the units and petitioned units to correct in
time. Based on the inspection results, proposals and recommendations have
been made to help the Executive Board supplement and correct the
shortcomings in the credit mechanism, policies, regulations and professional
 processes to limit the risks born during the operation. In the case of errors,
major violations have proposed appropriate forms of treatment, increasing
deterrence and reducing violations of units in the system. Test results are the
basis for risk warning, institutional completion and regulation, process and
proposal arrange the handling of responsibilities for staff in the system

2. Vietnam Joint Stock Commercial Bank for Industry and Trade

(Vietinbank):

2.1LIMITATIONS OF INTERNAL AUDIT:

a. LIMITATIONS:
- Some bank officials, including high-ranking bank leaders, have not really
valued integrity and moral values.
- The function of risk management, identification, assessment and response to
risks in banking business of the internal control system is still limited.
- The principles of control operation design have not been fully complied
with.
- The supervising role of internal audit for the internal control system is still
limited, not timely discovering the shortcomings of the internal control
system to overcome.
b. THE REASONS OF LIMITATIONS:
- There are no guidelines on models and methods for evaluating internal
control systems in Vietnamese commercial banks.
- The internal control system is still limited, not keeping up with the
development of banking activities.
- The shortage of personnel with experience in auditing: Currently there are
many commercial banks with very few auditors, not suitable for scale.
- Lack of assessment of internal control systems from independent auditing
companies.
- The skills of judging the problems in the audit process of the internal
auditors are still limited.
- Inadequacies in the system of professional standards and related legal
provisions.
- Coordination between state management agencies (State Bank Inspectorate
and Supervision Agency, Ministry of Finance ...), tight commercial banks
and auditing companies