Risk based internal auditing within Greek banks: a case study approach

Internal Audit functions within Greek banks are imposed both by the Greek law for publicly listed enterprises (Law 3016/17.5.2002), as well as by the Bank of Greece (Bank of Greece Governor’s Act. Number 2577/9-3-2006). Based on the traditional approach of internal audit within Greek Banks, an inspection of branches and credit on a tick and check (compliance) basis was conducted. Recent research (Koutoupis and Tsamis, Fourth European Academic Conference on Internal Audit and Corporate Governance. Cass Business School, London, United Kingdom, 2006) comes to a conclusion that this approach does not result in adequate coverage of risks. In addition, new international regulations and best practices such as basel committee on banking supervision requirements, COSO enterprise risk management (ERM) suggested framework, as well as The Institute of internal auditors standards for professional practice of internal auditing (standards) were in most cases partially or fully ignored by the vast majority of Greek banks. However, minimum requirements regarding the operation of internal audit functions have been set up by the Bank of Greece, which in most cases are followed by the Greek banks, as well as periodically assessed by the above banking regulator. Risk based internal audit (RBIA) was an unknown concept for the vast majority of publicly listed and non-listed Greek enterprises until very recently. Only Greek subsidiaries of US and UK enterprises were aware of the RBIA audit concept (including big foreign banks which operate in Greece as subsidiaries), as they were periodically audited by group audit functions as an immediate result of relevant risk assessments. Also, the majority of Greek publicly listed enterprises use the audit cycle approach in developing their long term (3 year) and annual audit plans, which means that they audit specific business cycles and activities within a predefined time interval (1–3 years). Audit planning is based on the head’s of internal audit and internal auditors experience without formal application of risk assessment and audit planning techniques. All Greek banks that participated in the corporate governance and internal auditing survey (Koutoupis, Third European Academic Conference on Internal Audit and Corporate Governance, 2005) stated that they follow a risk-based audit approach and develop risk based audit plans; however the vast majority of them could not prove it through a clearly documented risk assessment and risk-based audit plan. Sarbanes–Oxley Act (2002) directed National Bank of Greece to adjust its audit planning process to a risk based one. Also, other big Greek banks (case study 1–3) are now either considering or adopting a RBIA approach, mostly because of Bank of Greece pressures. internal audit functions within small banks still follow the audit cycle approach. In this paper, current status of Greek banks RBIA approach will be discussed based on relevant references, as well as on three case study examples. This research will be based on relevant literature review, as well as authors’ professional experience in past and current projects related to risk assessment, audit planning and RBIA. Specifically, RBIA approach will be critically evaluated based on three big Greek banks analysis on a case study format and benchmark against basel requirements, ERM and standards for professional practice of internal auditing. Based on the relevant assessment, best practices and recommendations for improvement will be identified.