Risk based internal auditing within Greek banks: a case study approach



Andreas G. Koutoupis · Anastasios Tsamis

Published online: 1 October 2008. © Springer Science+Business Media, LLC. 2008

A. G. Koutoupis (✉) · A. Tsamis, Department of Public Administration, Auditing & Taxation Sector, Panteion University of Social and Political Sciences, 268 Kifisias st., Chalandri, Athens, Greece

Abstract Internal audit functions within Greek banks are imposed both by the Greek law for publicly listed enterprises (Law 3016/17.5.2002) and by the Bank of Greece (Bank of Greece Governor’s Act Number 2577/9-3-2006). Based on the traditional approach of internal audit within Greek banks, an inspection of branches and credit on a tick and check (compliance) basis was conducted. Recent research (Koutoupis and Tsamis, Fourth European Academic Conference on Internal Audit and Corporate Governance, Cass Business School, London, United Kingdom, 2006) concludes that this approach does not result in adequate coverage of risks. In addition, new international regulations and best practices such as the Basel Committee on Banking Supervision requirements, the COSO Enterprise Risk Management (ERM) suggested framework, and The Institute of Internal Auditors' Standards for the Professional Practice of Internal Auditing (Standards) were in most cases partially or fully ignored by the vast majority of Greek banks. However, minimum requirements regarding the operation of internal audit functions have been set up by the Bank of Greece, which in most cases are followed by the Greek banks and periodically assessed by the above banking regulator. Risk based internal audit (RBIA) was an unknown concept for the vast majority of publicly listed and non-listed Greek enterprises until very recently. Only Greek subsidiaries of US and UK enterprises were aware of the RBIA concept (including big foreign banks which operate in Greece as subsidiaries), as they were periodically audited by group audit functions as an immediate result of relevant risk assessments. Also, the majority of Greek publicly listed enterprises use the audit cycle approach in developing their long term (3 year) and annual audit plans, which means that they audit specific business cycles and activities within a predefined time interval (1–3 years). Audit planning is based on the experience of the head of internal audit and the internal auditors, without formal application of risk assessment and audit planning techniques. All Greek banks that participated in the corporate governance and internal auditing survey (Koutoupis, Third European Academic Conference on Internal Audit and Corporate Governance, 2005) stated that they follow a risk-based audit approach and develop risk-based audit plans; however, the vast majority of them could not prove it through a clearly documented risk assessment and risk-based audit plan. Sarbanes–Oxley Act (2002) directed National Bank