VOLUME ELEVEN INTERNAL AUDIT OF THE STATE BANK

CHAPTER 23
INTERNAL AUDIT OF THE STATE BANK

TABLE OF CONTENTS

23.1 INTRODUCTION
23.1.1 GENERAL
23.1.2 SCOPE AND FORMAT OF THE CHAPTER

23.2 BACKGROUND AND REFERENCE INFORMATION
23.2.1 PURPOSE AND ROLE OF AN INTERNAL AUDIT FUNCTION
23.2.2 ROLE AND STATUS OF THE INTERNAL AUDIT FUNCTION UNDER THE STATE BANK OF SOUTH AUSTRALIA ACT, 1983
23.2.3 EVOLUTION OF THE INTERNAL AUDIT FUNCTION OF BANKS IN RESPONSE TO INDUSTRY GROWTH AND DIVERSIFICATION
23.2.4 GROWTH AND DIVERSIFICATION OF THE STATE BANK FROM 1984 TO 1991
23.2.5 SHORT HISTORY OF THE STATE BANK INTERNAL AUDIT DEPARTMENT

23.3 THE CHARTER OF THE INTERNAL AUDIT FUNCTION AND ITS APPLICATION
23.3.1 INTRODUCTORY COMMENTS
23.3.2 THE CHARTER OF THE INTERNAL AUDIT FUNCTION
23.3.3 REPORTING LINES AND THE ISSUE OF INDEPENDENCE
23.3.4 ACCESS TO INFORMATION

23.4 THE APPROACH AND PROGRAMS OF THE INTERNAL AUDIT FUNCTION
23.4.1 INTERNAL AUDIT PLAN AND PROGRAMS: INTRODUCTORY COMMENTS
23.4.2 INTERNAL AUDIT COVERAGE OF OVERSEAS OPERATIONS
23.4.3 INTERNAL AUDIT COVERAGE OF CORPORATE BANKING
23.4.4 INTERNAL AUDIT COVERAGE OF TREASURY OPERATIONS
23.4.5 INTERNAL AUDIT COVERAGE OF THE BANK GROUP
23.4.6 RISK IMPLICATIONS OF THE BANK'S DEFICIENT INTERNAL AUDIT COVERAGE
23.4.7 AUDIT APPROACH AND METHODOLOGY: PRE 1989
23.4.8 AUDIT APPROACH AND METHODOLOGY: 1989-1991

23.5 RESOURCES AND EXPERTISE IN THE INTERNAL AUDIT DEPARTMENT
23.5.1 INTRODUCTORY COMMENTS: ORGANISATIONAL EVOLUTION OF THE INTERNAL AUDIT DEPARTMENT (1984 TO 1991)
23.5.2 EARLY CONCERNS REGARDING EXPERTISE IN THE INTERNAL AUDIT DEPARTMENT
23.5.3 INTERNAL AUDIT DEPARTMENT'S "SELF AUDIT"
23.5.4 RESTRUCTURE OF THE INTERNAL AUDIT DEPARTMENT 1989-1990

23.6 THE ESTABLISHMENT OF THE AUDIT COMMITTEE
23.6.1 INTRODUCTORY COMMENTS
23.6.2 THE DEBATE OVER THE NEED FOR AN AUDIT COMMITTEE AND THE ESTABLISHMENT OF THAT COMMITTEE

23.7 SUPERVISION AND CONTROL OF THE INTERNAL AUDIT FUNCTION
23.7.1 GENERAL
23.7.2 GROUP MANAGING DIRECTOR
23.7.3 MR K S MATTHEWS
23.7.4 MR K P RUMBELOW
23.7.5 THE BANK BOARD

23.8 MATTERS PARTICULAR TO DIRECTORS COMMON TO BOTH THE BANK AND BENEFICIAL FINANCE CORPORATION LIMITED

23.9 CONCLUSIONS REGARDING THE INTERNAL AUDIT FUNCTION OF THE STATE BANK OF SOUTH AUSTRALIA

23.10 REPORT IN ACCORDANCE WITH TERMS OF APPOINTMENT
23.10.1 TERMS OF APPOINTMENT A
23.10.2 TERMS OF APPOINTMENT C
23.10.3 TERMS OF APPOINTMENT D

23.1 INTRODUCTION

23.1.1 GENERAL

Many large organisations and institutions within the public and private sectors are subject to two categories of audit activity, ie "External" and "Internal" Audit. Although the collective audit activity is directed to facilitating adequate control and accountability of the operations of the particular entity, the objectives of the two categories of audit differ.

The principal emphasis of external audit is to report to the `providers' of funds to the entity on the overall fairness of the entity's financial statements by conducting an independent examination of financial transactions during the period under review, and of the state of affairs of the entity as at the reporting date. The main emphasis of Internal Audit is to assist management in achieving the most efficient operation of the business by determining whether the system of internal controls is functioning effectively in all units of the entity.

This Chapter of the Report addresses the Internal Audit activity of the Bank relevant to Term of Appointment A(g), which requires the Auditor-General, in relation to the period July 1984 to February 1991, to inquire into and report on:

"...

(g) whether the internal audits of the accounts of the Bank ... were appropriate and adequate".

Section 3 of the State Bank of South Australia Act, 1983 defines "accounts":

"... "accounts" means, according to context -

(a) customers' accounts;

(b) statements of income and expenditure and balance sheets, including notes (other than reports of the Board or the auditors of the Bank) attached to, or intended to be read with, any such account:"

Sub-paragraph (b), in referring to the statutory financial statements, in the case of the Bank includes "group accounts" incorporating the financial results of the Bank and its related entities eg Beneficial Finance Corporation Limited ("Beneficial Finance Corporation"); Ayers Finniss Pty Ltd etc.

Additionally, the Internal Audit activity of the Bank is considered under Terms of Appointment A(b), A(c), A(d) and A(e).

Term of Appointment A(b) requires the Auditor-General to investigate and inquire into, and report on, what were the processes which lead the Bank to engage in operations which have resulted in material losses or in the Bank holding significant assets which are non-performing.

In this Investigation, the Bank's continuing involvement during the period under review in Corporate Banking, Overseas, and Treasury Operations, has been regarded as a "process" for the purposes of this Term of Appointment. Additionally, the Internal Audit function within the Bank has been regarded as an integral part of these "processes" and accordingly the adequacy and appropriateness of the Internal Audit function is considered as affecting the "appropriateness" of the "processes" referred to in the Term of Appointment.

Term of Appointment A(d) requires the Auditor-General to investigate and inquire into, and report on, what were the procedures, policies and practices adopted by the Bank in the management of significant assets which are non-performing. In this Investigation the Internal Audit function within the Bank has been regarded as one such "procedure, policy or practice". Term of Appointment A(e) as an adjunct to this directs consideration be made as to whether these procedures, policies and practices were adequate.

The Internal Audit function within the Bank is also considered in relation to Term of Appointment C, which requires the Auditor-General to investigate and inquire into and report with reference to the matters referred to in Terms of Appointment A(b), A(c), A(d), A(e) and A(g):

"... whether the operations, affairs and transactions of the Bank ... and the Bank Group were adequately or properly supervised, directed and controlled by:

(a) the Board of Directors of the Bank

(b) the Chief Executive Officer of the Bank

(c) other officers and employees of the Bank;

(d) the Directors, officers and employees of the members of the Bank Group."

Term of Appointment D is also relevant to the matters dealt with in this Chapter. This Term of Appointment requires the Auditor-General to investigate and inquire into and report in relation to the matters referred to in Terms of Appointment A(b), A(c), A(d), A(e) and A(g):

..."whether the information and reports given by the Chief Executive Officer and other Bank officers to the Board of the Bank:

(a) were under all the circumstances, timely, reliable and adequate;

(b) sufficient to enable the Board to discharge adequately its functions under the Act."

Consistent with the roles and responsibilities ordinarily associated with Internal Audit functions within organisations, Internal Audit within the Bank and Beneficial Finance Corporation did not perform, and were not responsible for, the statutory financial statement audits. Performance of, and responsibility for, the statutory audits rested with the External Auditors.

Although Internal Audit responsibility within the Bank and Beneficial Finance Corporation did not extend to financial statement audits, their respective roles in appraising systems, processes, practices and associated controls, contribute importantly to the integrity of financial information recorded in "accounts" and presented in financial statements.

Since its establishment, the Bank has been subject to both External and Internal Audit activity. In relation to External Audit, Sections 23 and 24 of the State Bank of South Australia Act, 1983, require, on an annual basis, the appointment of two or more independent auditors and audit of the accounts of the Bank. In relation to Internal Audit, the Bank, and each of its various subsidiaries maintained separate Internal Audit functions until July 1990 when the Internal Audit functions of the subsidiaries within the Bank Group were subsumed into the Bank's Internal Audit department which then became known as "Group Internal Audit".

With respect to its own Internal Audit function, the Bank continued for some years after its establishment with an Internal Audit coverage, approach, and methodology, that had been operating within the predecessor merged banks. The principal focus of attention of the department was on the Branch network and EDP systems. In this Chapter, I examine the change in the focus of the Internal Audit department towards the high risk areas of the Bank's operations, namely, Corporate, International, and Treasury.

By February 1991, the State Bank Group's assets stood at $22,400.0M, having grown from a 30 June 1985 figure of $4,100.0M. Over this period, the Bank's own assets had grown from $3,400.0M to $19,200.0M. The rapid and significant growth in the Bank's assets, involving the spread and complex diversification of business activities interstate and overseas, required a standard of Internal Audit that was responsive and professionally capable of assessing the emerging risks and exposures associated with such rapid growth and diversification.

The primary focus of the investigation of the "Bank Group" activities was directed to the Internal Audit functions of the Bank and Beneficial Finance Corporation. This recognises that the State Bank is the controlling entity in respect of Group operations, and that the Bank and Beneficial Finance Corporation represent the principal asset holding entities with non-performing asset and loss exposures.

This Chapter reports on the Internal Audit activity of the Bank, and the incorporation of Internal Audit functions within the Bank's subsidiaries into Group Internal Audit after July 1990. Matters specific to the Internal Audit function within Beneficial Finance Corporation are to be dealt with in a later Report.

23.1.2 SCOPE AND FORMAT OF THE CHAPTER

This Chapter initially considers the purpose and role of an internal audit function within an organisation, and then considers that function in relation to the Bank and the banking industry generally.

As a fully effective Internal Audit function in a banking environment requires unrestricted access to information, and clear and independent reporting lines to senior management and the Board of Directors, these aspects are then considered in relation to the Internal Audit function within the State Bank.

Against the background of the rapid growth of the Bank, its diversification and overseas expansion, this Chapter then considers the approach and programs of the Internal Audit department, and the resources and skill base available to the Bank to effectively deal with its expanding new risk profiles. In this context, attention will be focused on the major shift in strategy of the Internal Audit function of the Bank which occurred in mid 1989.

The matter of the establishment of an Audit Committee had been an issue of contention within the Board, and this Chapter looks at the background to, and the circumstances surrounding, the establishment of an Audit Sub-Committee of the Bank Board.

The Chapter concludes with a statement of my conclusions and recommendations concerning the Internal Audit function.

In this Chapter, a reference to the "Bank Board" is a reference to the Bank Board as constituted at the time of a particular event, act or omission described in the Chapter. Any reference to the "Non-Executive Directors" in relation to the Bank Group (including Beneficial Finance Corporation) is to be taken as a reference to Mr R D E Bakewell, Mrs M V Byrne, Mr R E Hartley, Mr W F Nankivell, Mr A R Prowse, Mr D W Simmons, Mr J D Studdy, Mr K D Williams, Mr L Barrett, Mr K J Hancock, Mr R D Malcolmson, Mr R P Searcy, Mr K Smith, and Mr A G Summers. Where the expression "Non-Executive Directors" is used in relation to the Bank only, that expression includes Mr Bakewell, Mrs Byrne, Mr Hartley, Mr Nankivell, Mr Prowse, Mr Simmons, Mr Barrett, Mr Hancock, Mr Searcy, Mr Smith and Mr Summers.⁽⁾

23.2 BACKGROUND AND REFERENCE INFORMATION

23.2.1 PURPOSE AND ROLE OF AN INTERNAL AUDIT FUNCTION

The Internal Audit function provides an extension of the eyes and ears of management, enabling management to control an organisation's significant and widespread resources. This is achieved by means of Internal Audit feedback on appraisals of the organisation's systems and internal controls. Essentially, Internal Audit, as an instrument of higher management, provides an "early warning signal" to management where a lack of, or a breakdown in, systems and internal controls threatens the assets of the organisation. In well managed organisations, Internal Audit is viewed as an indispensable aid to achieving effective controls.

It is important to recognise that Internal Audit is not a substitute for effective controls. The Board and Executive Management establish an Internal Audit function to contribute to internal control by examining, and evaluating, and reporting to management on its adequacy and effectiveness. Internal Audit activity may lead to the strengthening of internal control as a result of management response to its findings.

An effective Internal Audit function is particularly useful for financial institutions. It reflects the nature of the risks and exposures associated with the business of those institutions. Banks deal in cash, are involved in complex financial arrangements, operate multiple and sophisticated computing systems, and conduct business across the world. These activities present a number of risks and exposures that require constant monitoring and control.

23.2.2 ROLE AND STATUS OF THE INTERNAL AUDIT FUNCTION UNDER THE STATE BANK OF SOUTH AUSTRALIA ACT, 1983

Section 15(2) of the State Bank of South Australia Act, 1983, provides that:

"... the Board shall administer the Bank's affairs in accordance with accepted principles of financial management ..."

The Investigation considered what were "accepted principles of financial management" in relation to the role and status of the Internal Audit function. The following observations are made in texts which I regard as authoritative:

"The continued expansion of modern business had added to the problems of an already heavily burdened company management in maintaining control over widespread operations. The increase in regular activities, the trend toward decentralisation, and greater geographic dispersion have in themselves posed serious challenges to management control.

The new problems have made it necessary to delegate responsibility and authority to many levels of supervision. However, management's responsibility does not end with this allocation of duties. Management cannot delegate its overall responsibility or its accountability. With such wide delegation of duties, Management had to turn to the control specialist, the Internal Auditors, for assistance in maintaining surveillance over the management control network. A systematic program of review and appraisal became necessary to determine that delegated responsibilities were being discharged and that established policies and procedures were being carried out as expected." ⁽⁾

This observation is particularly apposite to the Bank and its Board and Management, given the Bank's strong asset growth, product diversification, and expansion of the Bank's wholesale banking activities overseas to London, Hong Kong, New York, and Auckland.

"Initially, [Internal Auditing] was concerned primarily with protection against payroll fraud and loss of cash and other assets. Subsequently, its scope was extended to include the verification of practically all financial transactions. Today, it is a managerial control concerned not only with the protection and verification of the accuracy of recorded data but also with the review of policies and procedures covering all types of business activities. The ultimate objective is the making of constructive suggestions for increased profits (or reduced costs)." ⁽⁾

The Investigation observed that the scope of the Bank's Internal Audit activities changed fundamentally in 1989, and this is reported in detail in Section 23.5 below.

The broad scope of the Internal Audit function is highlighted in the following extract:

"Any organisation has limited resources with which to achieve its goals. Auditing is one of the processes by which an organisation attempts to ensure an effective use of these resources. Most people would consider that auditing aims to achieve effective use of resources by attempting to eliminate fraudulent activities. This is a very narrow view of the audit function. An audit not only provides the opportunity of verifying that adequate controls exist but it also provides the basis for assessing whether procedures are both efficient and effective.

Auditing fulfils a greater role than merely the examination of operations to ensure compliance with authorised procedures. It also involves an assessment of the efficiency and effectiveness of the systems reflecting the integral role auditing plays within the organisation's overall control system." ⁽⁾

The effectiveness of the Internal Audit function can be affected by its authorities, its ability to access information, its independence and its reporting lines. In this context, the following observation is pertinent:

"The status of the Internal Auditing department will depend to a large extent on its place in the organisation and the support it receives. Top management determines the scope of its responsibilities and the basic policy governing the operation of the department. Support is given to the department when top management makes it known throughout the company that in order to derive full benefits from Internal Auditing full co-operation is expected.

Regardless of the particular place of the Internal Auditing department in the company organisation, it is essential that the department be independent of the functions and departments that it must review and evaluate.

The degree of independence of the Internal Auditing department has a direct relationship to the reporting responsibilities of the Internal Auditing function." ⁽⁾

The above statements of principle are supported by the Auditing Practice Statement AUP 12 which describes the system of internal control within an organisation in the following terms:

"The system of internal control is the plan of organisation and all the methods and procedures adopted by the management of an entity to assist in achieving Management's objective of ensuring as far as practicable the orderly and efficient conduct of its business including adherence to Management policies, the safeguarding of assets, and prevention and detection of fraud and error, the accuracy and completeness of the accounting records and the timely preparation of reliable financial information."

AUP 12 adds that, in carrying out its supervisory responsibility:

"... Management should review the adequacy of internal control on a regular basis to ensure that all significant controls are operating effectively. When an entity has an Internal Audit department, Management may delegate to it some of its supervisory functions especially with respect to the review of internal control ..."

A well organised and hence appropriate system of internal controls in an organisation is vital for the prudent and effective financial management of that organisation. Internal control systems must not only be in place at all times, but must be reviewed from time to time. If Management does not itself carry out this review function, then it must ensure that the organisation's Internal Audit function does do so on a basis that is timely, independent, comprehensive, and with coverage of all risk areas of the organisation's operations. For a Bank, as for all other organisations, the monitoring of the system of internal controls is not a passive role, but one requiring diligent attention by both the Bank Board and Management to ensure the protection of the assets of the organisation

23.2.3 EVOLUTION OF THE INTERNAL AUDIT FUNCTION OF BANKS IN RESPONSE TO INDUSTRY GROWTH AND DIVERSIFICATION

The last ten years have seen a rapid growth in sophistication of Internal Audit techniques which has arisen in response to the need to deal with increased business complexity. This is so particularly in the banking sector, where deregulation has led to diversification of assets, new and complex funding techniques, and widespread geographical operating areas.

The Investigation noted that in the banking sector, there has, in relation to the Internal Audit function, been a move away from the simple counting of cash in the branch (sometimes called "Tick and Turn Over") to sophisticated computer assisted risk-based auditing as a response to the new risk profiles assumed by banks. In particular, the Investigation noted the following features of the Internal Audit function within two nationally operating banks:

(a) the head of Internal Audit department reports directly to the Chief Executive Officer and to the Audit Committee;

(b) Audit Committees have been in operation since at least 1984;

(d) Internal Audit departments cover all operations of the bank, including overseas operations.

23.2.4 GROWTH AND DIVERSIFICATION OF THE STATE BANK FROM 1984 TO 1991

As noted earlier in this Chapter, the period under review saw the total assets of the Bank grow from $3,400.0M, as at June 1985 to $19,200.0M, as at February 1991. Over this period of time, total Group assets grew from $4,100.0M to $22,400.0M.

As is noted elsewhere in this Report⁽⁾, the various Strategic Plans and Profit Plans approved by the Bank Board over the period under review emphasised growth and diversification in assets, and geographical expansion into interstate and overseas markets.

At the time of its establishment in July 1984, the Bank's primary focus was retail banking operations. The Bank's focus quickly shifted to Corporate Banking and Treasury operations, with the Corporate portfolio rapidly overhauling the Retail Banking operation in terms of total asset size.

The Bank's growth was rapid, not only within Australia, but also off-shore. As is reported on below, the "tyranny of distance" which came as part of the Bank's expansion into wholesale banking operations in London, Hong Kong, New York, and Auckland, imposed substantial pressures upon the Bank's internal control systems. The growth of the Bank's assets overseas is, in one sense, more dramatic than that on-shore, as the Bank's overseas assets grew from some $200.0M, as at December 1985, to $5,270.0M, as at February 1991.

23.2.5 SHORT HISTORY OF THE STATE BANK INTERNAL AUDIT DEPARTMENT

Over the period from July 1984 to 31 December 1988, Mr H Gates was the head of the Internal Audit department, reporting initially to Mr K P Rumbelow and, from July 1986, to Mr K S Matthews.

At the Bank's inception, its Internal Audit function represented a continuation of a form of Internal Audit activity that operated in the predecessor merged banks. That form of activity principally involved the inspections of retail branch operations and audit of the Bank's EDP systems.⁽⁾

From 1984-1988, the Internal Audit functional procedures within the Bank remained relatively constant, despite significant changes within the Bank's operations. As to the status of the Internal Audit department of the Bank from a management perspective, Mr Gates and Mr Matthews each gave evidence to the Investigation that during this period, Internal Audit was not in their view, highly regarded within the Bank and was not considered to be a dynamic contributor to management control of the Bank's operations.⁽⁾ In their submission to the Investigation however, the Non-Executive Directors said that the Internal Audit department "was always considered by them to be making a significant contribution to management's control of the Bank's operations and was highly regarded by them". I accept that the Bank Board so regarded the Internal Audit department, and that the views of management, as asserted by Mr Matthews and Mr Gates, were not communicated to the Bank Board.

Until September 1987, Internal Audit activity was more focused on retail branch operations of the Bank rather than "Head Office" activities (eg Corporate Banking, Treasury Operations). In September 1987, the Internal Audit department conducted a "self audit" which identified deficiencies in its ability to adequately audit these operations.⁽⁾ After this "self audit" the department moved to increase its attention on wholesale banking operations, and was restructured into three sections, ie Retail Branch Audit, Head Office Audit and Computer Audit. An external professional audit supervisor was sought to manage the Head Office Audit Section, and Mrs Chin was appointed to this position in due course.

After her recruitment into the Internal Audit department in the latter part of 1988, Mrs Chin set about preparing a departmental Strategy, which was ultimately published in January 1989, shortly after she took over from Mr Gates as Head of the Department. This Strategy emphasised an expanded role for Internal Audit, and a priority of focus on high risk areas of the Bank's operations.

Upon her appointment, in January 1989, to the position of Senior Manager, Internal Audit, Mrs Chin commenced implementation of this Strategy which was entitled `Strategy to Provide the Most Effective Internal Audit Services to our Customers - Management'. This Strategy Plan identified the mission of the department, its goals and the steps to be taken to achieve those goals. The implementation of the Strategy was, for the most part, completed by 1990 and included:

(a) adoption of a formal Audit Charter for the Internal Audit department;

(b) a major restructure of the department into seven specialist sections - Treasury/International, Corporate Banking, Personal and Business Banking, Finance/Management Services, Information Systems (Audit and Technical), Research, Development and Administration;

(d) revision and upgrading in audit work performance.

In addition to these developments, in July 1990, the Bank Board approved the establishment of an Audit Committee, and the extension of Internal Audit department activity to cover Bank Group operations. Upon the extension of coverage to Group operations, the position of Senior Manager, Internal Audit, was redesignated Chief Manager, Group Audit, and, with the retirement at this time of Mr Matthews, this position reported to Mr K L Copley (General Manager, Group Finance and Administration).

In late 1990, the Internal Audit department was restructured to cover activities of Group entities. This involved the amalgamation of the Bank's Internal Audit department with other Internal Audit functions operating in other Group entities.

23.3 THE CHARTER OF THE INTERNAL AUDIT FUNCTION AND ITS APPLICATION

23.3.1 INTRODUCTORY COMMENTS

As to where the Internal Audit function fits within an entity's organisational structure varies according to the size of the entity, and the degree of importance attached to the Internal Audit activity.

Regardless of where the Internal Audit function fits within the organisational structure, it should be, and be seen to be, independent of the operations and units it reviews and evaluates. A principle of good organisational management is that no person can be expected to appraise their own work objectively, nor should any person be expected to appraise the work of the executive to whom they are responsible. Given that an important component of Internal Audit activity relates to the financial affairs of an entity, Internal Audit should, ideally, not be responsible to, or report to, the individual who has responsibility for the preparation of the financial reports and other activities that are subject to review and reporting by Internal Audit.

In my opinion, for Internal Audit to be fully effective, the structure must ensure that independence is established by providing direct reporting lines to the Chief Executive Officer and the Bank Board, or its Audit Committee. If the Head of Internal Audit does not report directly to the Bank Board or a Board Committee (eg Audit Committee), Internal Audit should report to the Chief Executive Officer, or to a non-financial Divisional Head, and, in addition, should have direct access to the Bank Board regarding matters that Internal Audit considers vital. In this instance, there should be a dual reporting relationship which includes access to the Bank Board or Audit Committee.

The effectiveness of Internal Audit is not only influenced by the degree of independence according to where the function fits within the organisational structure, but is also dependent on Board and management support. This support needs to be clearly conveyed to all parts of the entity to ensure Internal Audit efforts are not frustrated. In my opinion, in an institution of such public importance as the Bank, communication of the Internal Audit mission and authority should be accomplished through the issue of a formal document sanctioned by the Bank Board, commonly referred to as an "Internal Audit Charter". Subsequent formal memoranda may be issued from time to time to re-assert the role of Internal Audit.

23.3.2 THE CHARTER OF THE INTERNAL AUDIT FUNCTION

An Audit Charter formally enunciates to all parts of the organisation the role, responsibilities, and authority, of Internal Audit. It is also the base document by reference to which management and the Bank Board (or Audit Committee) review the performance of Internal Audit. The document would usually be expected to include statements in relation to:

(a) organisation support for Internal Audit;

(b) objectives for Internal Audit;

(d) independence and Reporting;

(e) authorisation and Access; and

(f) audit Accountability.

The Internal Audit department of the Bank operated from 1 July 1984 to June 1989 without an Audit Charter that had been formally sanctioned by the Executive Committee and the Bank Board. There was, however, no doubt about the authority of officers of the department to require information, as each carried an authority card issued by the Group Managing Director.⁽⁾

A formal Internal Audit Charter was first proposed by Mr Gates in January 1987, in a submission to Mr Matthews. The draft Internal Audit charter contained statements on:

(a) the Bank's policy towards Internal Audit - for example, Internal Audit is to provide assurance to Management that internal accounting controls are adequate and effective in promoting efficiency and protecting the assets of the Bank;

(b) responsibilities and authorities - for example, Manager, Internal Audit, reports directly to the Managing Director in the ordinary conduct of the Bank's business, and reports to the Chief General Manager for administrative purposes; in matters of substantial importance, the Manager, Internal Audit, may report direct to the Board of Directors.

The proposal for the Internal Audit Charter was rejected by Mr Matthews.⁽⁾

In June 1989, Mrs Chin, as part of her strategy for improving the Internal Audit activity of the Bank, prepared a Charter for Internal Audit and a Strategy Paper outlining a major organisation and staff restructure of the Internal Audit department. The Charter and Strategy Paper were presented to the Executive Committee by Mr Matthews on 30 June 1989, and adopted by the Executive Committee. The Charter was "noted" by the Bank Board on 27 July 1989.

In my opinion, the promulgation of an approved formal Internal Audit Charter, in an institution of such public importance as the Bank, would have enhanced the status and general understanding of the authorities and responsibilities of the Internal Audit department. There is, however, no evidence that the Internal Audit department's authorities and responsibilities were not in fact clearly understood in the Bank up until the time of the promulgation of the Internal Audit Charter in June 1989. Furthermore, there is no evidence that the discharge of the functions of the Internal Audit department were in fact hampered by the absence, until June 1989, of an approved formal Internal Audit Charter.

23.3.3 REPORTING LINES AND THE ISSUE OF INDEPENDENCE

Mr Gates reported initially to Mr Rumbelow and later to Mr Matthews, each of whom reported directly to the Managing Director, Mr T M Clark. Mr Gates also had direct access to the Bank Board, which was confirmed at a Joint Board/Executive Conference held on 17-18 October 1986, and evidenced by the following recorded note from that meeting:

"The Manager, Internal Audit be reminded that he has unrestricted access to the Board to discuss any issues which impact on his ability to diligently carry out the audit function within the Bank. In addition, the Manager, Internal Audit be advised to provide a progress report on a half-yearly basis, or whenever he believes that his officers are being impeded or denied access to information by any level of Management when carrying out normal audit practices."

Internal Audit's direct access to the Bank Board was reaffirmed at an Audit Committee meeting on 18 September 1990. The minutes of the meeting record:

"The Chairman explained that the Internal Auditor had direct access to the Group Chairman or Group Deputy Chairman in the event that a satisfactory resolution with management was not possible on a particular issue."

Mr Gates prepared half-yearly Internal Audit reports outlining half-yearly and annual audit activities of the Internal Audit department. The reports approximated three pages and were presented to the Bank Board by Mr Rumbelow, Mr Matthews or, on only some occasions, Mr Gates.⁽⁾

Short reports on the activities of Internal Audit department were also included in the Quarterly Operating Reviews presented to the Bank Board. Mr Gates also met with the Group Managing Director on a quarterly basis, although these meetings did not go ahead if Mr Gates "really didn't have anything particular to mention to him." ⁽⁾

Mrs Chin also had the same right of direct access to the Bank Board enjoyed by Mr Gates. Mrs Chin also met with the Group Managing Director on a regular basis. After July 1989, Internal Audit department reported on a quarterly basis to the Bank Board and these reports were far more detailed and extensive than previously was the case. These reports were prepared by Mrs Chin, and were not edited or amended unless she was consulted, and she agreed with the changes. In each case, Mrs Chin attended the Board meeting to present the Internal Audit department's Quarterly Report to the Bank Board.

The Quarterly Reports presented to the Bank Board after July 1989 contained a precis of the significant Internal Audit department reports prepared during that reporting period. The substantive reports on particular audits conducted were not, as a practice, referred to the Bank Board, but did have a wide circulation to those members of management (and in appropriate cases, the External Auditors) who had a direct interest in the subject matter of the audit review. Although the Investigation received evidence that restrictions were placed upon Internal Audit department in presenting these substantive reports to Directors, this evidence is not uncontested and I am not prepared to proceed to a conclusion that restrictions were in fact placed on Internal Audit department in presenting substantive Internal Audit reports to the Bank Board. At all times, it was open to Directors to approach the department directly for information. During the period from July 1984 to February 1991, only Mr Bakewell and Mr Prowse visited the Internal Audit department to request copies of detailed Internal Audit Reports and to discuss Internal Audit matters generally.⁽⁾

During the period under review, the Internal Audit department reported directly to an executive (Mr Rumbelow, Mr Matthews and Mr Copley) who was also a potential auditee. Not only did the head of Internal Audit department report in this way, but the department budget was required to be approved by the executive concerned prior to the budget's submission to Executive Committee, and the executive was also an integral part of the personnel recruitment and approval process for the Internal Audit department.

Independence of Internal Audit department was a matter of particular concern to Mrs Chin. In June 1990, when Mr Matthews retired, Mrs Chin sought to have a direct reporting line to the Group Managing Director, but, although Mr Clark agreed, in principle, with the concept of a direct reporting line to him, he stated that he did not have the time for Internal Audit to report directly to him.⁽⁾ Following Mr Matthews' retirement, and notwithstanding Mrs Chin's approach to the Group Managing Director, the department was directed by the Group Managing Director to report to Mr Copley, who as General Manager, Group Finance, and Administration, was potentially a significant auditee.

The concern expressed to the Investigation by Mrs Chin as to lack of independence of the department was not shared by either Mr Matthews or Mr Copley.

Mr Matthews expressed the view to the Investigation that he saw Internal Audit reporting to a finance sector as a situation that arose in many organisations.⁽⁾ Mr Copley gave the following evidence in relation to the issue of independence:

"[Mrs Chin] had ready access to the Managing Director. She had ready access to the Audit Committee. She had ready access to the Chairman of the Bank Board at any time that she wanted it, on any issue that she would want to take to them, and at no stage did I restrict her in that regard. And when she was doing an audit of one of the other departments making up my division, I took the view that I stood in the same position there as I stood in when she was doing something in Australian Banking. I stood as the mediator, and if she was having a dispute with the guy heading up the Finance Department, or the person heading up the Legal Department, or whatever else it may have been, then her dispute was between them and I would mediate without taking sides if that - if such a need arose. So there was no - in my view there was no conflict of interest whatsoever in the way in which the role could be run." ⁽⁾

Whilst there is no evidence of the independence of Internal Audit department in fact being compromised by virtue of direct reporting lines to either Mr Rumbelow, Mr Matthews or Mr Copley, the reporting structure is, in my opinion, nonetheless unsound having regard to the potential for the divisional Executive, as a potential auditee, to influence Internal Audit scope, approach, methodology and reporting. Such influence may be exercised by direct interference, or in indirect ways, eg by restricting the budget available to the Department to perform its functions, or by refusing or delaying personnel recruitment which may be seen as essential by the Department for it to discharge its audit programmes.

The potential of the divisional executive to indirectly compromise the independence of Internal Audit is exemplified by the response by Mr Copley to complaints to him by auditee managers about the findings and gradings contained in the Internal Audit department's reports after 1989:

"Mr Copley: The way in which they [auditee managers] were reported and graded [by the Internal Audit department] were considered by people to be unnecessary harsh.

...

Mr Copley: ... What I may have said in the course of conversation [to Mrs Chin] was that people were saying that she was disruptive but I certainly did not say that and did not think that.

Question: Was there an occasion when you said that she was being too harsh in her reports?

Mr Copley: Yes, I would have said that.

...

Mr Copley: ... trying to point out to her [Mrs Chin] that there are two ways you can say things and two ways you can do it and one is to be destructively critical and the other one is to be constructively critical, and trying to get her to tone down her attitude, you know, her approach to make her relationship with the Executive Committee members a more tolerable one." ⁽⁾

Mr Copley may have sought to adopt a "mediation role" as the divisional Executive responsible for Internal Audit, but by doing so, he may well have created the impression that he was prepared to interfere in the proper discharge of the Department's functions and programmes. In my opinion, therefore, the Internal Audit department should have been ordered to report directly to the Chief Executive Officer, and thence to the Bank Board or Audit Committee.

Upon the establishment of the Audit Committee by the Bank Board in June 1990 that Committee was charged with the "duty" to "monitor the effectiveness of the Internal Audit department." ⁽⁾ Furthermore, the independence of the Department was enhanced by the fact that under the terms of formation of the Committee, the Internal Audit department could directly request the Chairman of the Audit Committee, to call a meeting of the Committee.⁽⁾

Whilst the ability of the Head of Internal Audit to request the Chairman of the Audit Committee to call a meeting of the Audit Committee was a significant development in the independence of the Internal Audit department, the fact is that for the whole of the period under review the Internal Audit department reported to a divisional Executive who was potentially an auditee. For the reasons indicated above, however, I am of the opinion that this situation gave rise to the possibility that the independence of the Internal Audit department would be compromised, and, therefore, that the Internal Audit department should have reported directly to the Chief Executive Officer and thence to the Bank Board or Audit Committee. Whilst I regard the Internal Audit department reporting line as structurally unsound more especially in a State Bank with public responsibilities I do not assert that there is evidence of interference in, or compromise of, the discharge by the Internal Audit department of its functions.

23.3.4 ACCESS TO INFORMATION

The draft Internal Audit Charter presented to the Executive Committee in June 1989 vested the right to "full, free and unrestricted access to the [Bank's] records, physical properties and personnel" in the divisional Executive then responsible for the Internal Audit department, viz the Chief General Manager, Group Global Risk Management, who at the time was Mr Matthews.

The Executive Committee minutes record concern over the Charter providing Internal Audit with unrestricted access to records:

"... The charter was briefly discussed and there was some concern expressed that the Internal Audit Department would be given unrestricted access to the organisation's records through the Chief General Manager, Group Risk Management.

It was considered that as Internal Audit Department operated within an approved audit programme through the Chief General Manager, Group Risk Management, who would arbitrate on any issues which arose, there would be limited potential for any conflict of interest to arise where extremely confidential records were maintained ..."⁽⁾

Shortly after the Executive Committee meeting, Mrs Chin approached Mr Clark and expressed her dissatisfaction with the vesting of the right of access solely in the Chief General Manager, Group Global Risk Management, and the Charter, as finally promulgated to Staff on 20 July 1989, vested the right of access additionally in the Senior Manager Internal Audit.

Notwithstanding the plain words of the Internal Audit Charter, the department did not have access to "executive salary information", the records in relation to which were maintained off-site by a chartered accounting firm. With this exception, the principle of free and unrestricted access for Internal Audit was recognised by the Bank Board.⁽⁾

The Investigation noted several situations where Internal Audit department was alleged to have been denied "full free and unrestricted access" to information and personnel. These matters are the subject of conflicting evidence. The following case is an example where denial of access resulted in the Internal Audit department not achieving its audit objectives for a particular audit.

In May 1989, Internal Audit department sought information in relation to certain staff members of the Personal Financial Services department of the Bank. Information required was personal qualifications and experience, terms of employment, and "credibility checks and evidence of qualifications". This last item was relevant to dealers license requirements arising under the Securities Industry (South Australia) Code. Access to this information was denied by Mr G D Abbott, Chief Manager, Group Human Resources.⁽⁾ Mrs Chin's memorandum requesting the information elicited a response from Mr Abbott which included the following:

"I am not aware of any member of your staff who has the requisite formal training in human resource management or the in-depth experience which will enable such an examination to be discharged to a high professional standard.

...

Another matter which is of concern to me is the highly confidential nature of the employment conditions (including remuneration) of these people. Investment Advisors and the Senior Manager are on salaries which are confidential and known only to myself (and certain other identified parties). Employees have been informed, in writing, that any breach of details concerning remuneration and conditions will result in instant dismissal. For this additional reason I am unable to release to you the information you seek.

The above matters have been discussed with the Managing Director who concurs with my view on this matter."

The Investigation noted that a number of personnel identified in the request for information were not "executives" whose records were maintained by the external accountants. Accordingly, the stated reason relating to the confidential nature of the employment conditions of Investment Advisors and the Senior Manager was not an exclusion recognised by the Internal Audit Charter or the Bank Board. In addition, as Mrs Chin pointed out in a memorandum to Mr Matthews on this issue at this time:

"[Mr Abbott's] points about Internal Audit staff not having "the requisite formal training in Human Resource Management or the in-depth experience" further emphasises the point of his lack of understanding of Internal Audit. An Internal Auditor reviews controls and the process of management controls. He does not need to be an expert in the auditee area to evaluate controls and operations. For example an auditor of the Adelaide Casino does not need to be an experienced gambler."

In my opinion this response accurately reflects the role of Internal Audit in evaluating controls and operations. I accept that Mr Abbott was acting in accordance with the directions of Mr Clark in refusing access.

In due course, Mrs Chin approached Mr Clark who confirmed Mr Abbott's decision to deny Internal Audit department access to the information requested. The audit of the Bank's Personal Financial Services department was concluded without the information sought in Mrs Chin's memorandum of May 1989 being provided. It was submitted on behalf of Mr Bakewell that Mrs Chin's difficulty with obtaining access to this information was resolved when she advised Mr Bakewell of this difficulty.

So far as concerns the denial of access to "executive salary information", the explanations advanced by Mr Clark and accepted by the Board for this arrangement are, in my opinion misconceived, and fail to appreciate the need for proper accountability in a publicly owned institution. The fact that this information was maintained "off-site" by a partner in the external auditors firm is no answer, as the external auditors were not, and were not responsible for, carrying out Internal Audit functions for the Bank. This was confirmed to the Bank in a number of "Letters to Management" and "Letters of Engagement." ⁽⁾

Mrs Chin also expressed concern to the Investigation concerning access to Executive Committee minutes.

The minutes of the Executive Committee were prepared in the following manner:

(a) Part A - general distribution.

(b) Part B - distribution restricted to Executive Committee members only.

Over the period under review, Internal Audit department was represented in the Executive Committee by Mr Rumbelow, Mr Matthews and Mr Copley. Mr Gates never attended an Executive Committee meeting, and Mrs Chin attended Executive Committee meetings only for the purpose of presenting particular papers to that Committee. Mr Gates did, however, in January 1987, request that he be permitted to attend Executive Committee meetings as an observer, but his request was denied by Mr Matthews.⁽⁾

For the majority of the period under review, Mr Gates and Mrs Chin received distribution of Part A of the Executive Committee minutes, or a debriefing on matters considered by the Executive Committee, although, for a period of approximately two months in mid 1990, distribution of Part A to Internal Audit was discontinued at the direction of Mr Clark his reason for so directing, as stated by him to Mr Copley, was that he had concerns about the difficulties facing the Bank at that time.⁽⁾ The non-executive directors submitted to me that they were not aware of this.

Part B of the Executive Committee minutes at no time was circulated to the head of the Internal Audit department. Once again, the non-executive directors submitted to me that they were not aware of this.

In their evidence to the Investigation, both Mr Matthews and Mr K L Copley made the point that Part B of the Executive Committee minutes related to matters that were "in the pipeline" and may or may not have come to fruition and so have an effect upon the Bank. An examination of the contents of Part B of the Executive Committee minutes indicates that this was not the case in all instances, and that matters of relevance to the discharge by the Internal Audit department of its functions were contained in Part B. A number of Part B entries examined were relevant to Internal Audit department assessing auditable risk areas.

Both Mr Matthews and Mr Copley also did not see that non-circulation of Part B of the Executive Committee minutes was a restriction upon Internal Audit's full and free access, as it was always open to the head of Internal Audit department to approach Mr Clark or the Board Secretary (who took the Executive Committee minutes) with Mr Clark's approval, to examine items within Part B of the Executive Committee minutes.

Mr Matthews particularly made the point that Internal Audit was not entitled to go on a "fishing expedition" but rather had to have a legitimate reason for examining Part B of the minutes:

"... [If Mrs Chin] had an occasion where she needed to look at Part B, she could have gone to the Board Secretary - and that was the general line anyway, that all minutes were kept by the Board Secretary. I don't know that there was any restriction placed on her at looking at those. I am not aware of any restriction placed on her of looking at those copies and I think what we have to look at is whether they were to be looked at in carrying out a review [of] the Bank's operation. That was the fundamental issue. I mean, Internal Audit didn't have the right to go and look at documents or minutes simply because they wanted to." ⁽⁾

Both Mr Matthews and Mr Copley saw that it was sufficient for Internal Audit department to be informed of matters contained within Part B of the minutes in the manner indicated in the following extracts from their evidence to the Investigation:

(a) Mr Matthews:

"Question: ... but would it not be fair to say that in the context of assessing whether or not a particular audit or audit program should be put into place because of some new risk profile facing the Bank that Internal Audit ought to be made aware of these developments that were recorded in Part B of the minutes?

Mr Matthews: And they were made aware of them when the project came to fruition.

Question: And who made them aware of that?

Mr Matthews: Well, they would then be made aware either through the normal information process that was distributed or through myself. See, a lot of things ... never came to pass that were contained in Part B. They were things that perhaps the Bank was looking at and because of their sensitivity there was a need to restrict the information on a needs to know basis and some of those things never occurred. When a particular project then came - if it came into being then, of course, the general communication process took place." ⁽⁾

(b) Mr Copley:

"Mr Copley: ... I'd say that there was nothing in the minutes which would have assisted her to do her job anyway. Any issue in the minutes, particularly when she was reporting to me, anything was going to be in the minutes that was - well, anything discussed at that meeting that required Mrs Chin's input, I raised with her anyway so the denial of her not actually seeing minutes to the meetings would have made no difference in my opinion to her ability to do her job."

Notwithstanding this evidence, I am of the opinion that the Internal Audit department should not have had to rely on its divisional Executive to inform it of relevant matters in Part B of the Executive Committee Minutes, in particular in relation to determining auditable risk areas. The flaw in Mr Matthews' and Mr Copley's reasoning that Internal Audit department could always ask for access is the fact that the department would not, by definition, know what to ask access for.

As indicated above, the matter of the Internal Audit department's free and unrestricted access to the information in the Bank, particularly during the period after Mrs Chin assumed responsibility for the Internal Audit department, was the subject of a considerable body of evidence given to the Investigation. This evidence, in essential respects, was conflicting, and the only instance in relation to which I am satisfied that there was a denial of access contrary to the mandate of the Internal Audit department is that reported above in relation to the audit of Personal Financial Services. That single extant case, however, does not present itself as an intrusion executed in exceptional circumstances, but as the exercise of a power by an executive outside of the Audit department who treated the power as unavailable.

Whilst I regard the arrangements for access to Part B of the Executive Committee minutes as a structural unsoundness, I make it clear that I am not saying that there was in fact any evidence of any occasion on which a request for access to Part B of the Executive Committee minutes was denied. Nor am I saying that there is any evidence that these arrangements, in a case able to be identified, in fact interfered with or compromised the discharge by the Internal Audit department of its functions.

As to the matter of access to executive salary information, as noted above, this exception was endorsed by the Bank Board, and in my opinion, was wrong. There is however, no evidence before the Investigation to suggest that this arrangement was not in fact properly administered by the external agency.

As noted above in relation to the audit of Personal Financial Services, the refusal to give access occurred in relation to staff who were not "executives" whose records were maintained by the external auditors.

23.4 THE APPROACH AND PROGRAMS OF THE INTERNAL AUDIT FUNCTION

23.4.1 INTERNAL AUDIT PLAN AND PROGRAMS: INTRODUCTORY COMMENTS

The scope of activity or audit coverage of an Internal Audit department is governed by the authority given to the department by the Bank Board and Executive Management of the entity. The scope of auditing activities would also be influenced by the capabilities of the staff of the Internal Audit department.

The Internal Audit department can make its most valuable contribution to the entity it serves where it has the capability to provide audit cover of all significant areas of the entity and has unrestricted authority to effect that coverage, and raise issues for management consideration.

The rapid and significant growth in the Bank Group's assets and liabilities involving the geographical spread and complex diversification of its business activities, required a standard and scope of audit that was responsive and professionally capable of assessing the additional risks and exposures that existed.

During the period 1984 to 1988, Internal Audit activity had as its primary focus the Retail Bank branch operations with reviews undertaken of some less complex areas of Head Office operations (eg Stationery; Corporate Wardrobe). Audit examinations were essentially `compliance' oriented (practices comply with approved policies and procedures) and `process' oriented (activity or practice is adequately controlled). During this period, the divisional executive responsible for the Internal Audit department was initially Mr Rumbelow and, from July 1986, Mr Matthews.

In the early years after the Bank's establishment, Internal Audit recognized the need to include as part of the audit programme the operational and systems issues arising from the merger itself. In evidence to the Investigation, Mr Gates said:

"... but in the first years - at least 3 years - it was just a battle to stay afloat for the organisation because of the large unprecedented or, how we say, astronomical growth and totally inadequate system." ⁽⁾

From an early stage, Mr Gates was concerned about internal systems in Corporate Banking, particularly given the rapid growth of the corporate book.⁽⁾ At this time, head office audits were fitted in between branch office audit attendances, and were conducted by auditors in the General Audit section; whatever attention was given to Corporate Banking focused upon compliance issues and fees and repayments collection. Internal Audit involvement in assessment of the adequacy of internal control systems in relation to "credit risk", and other wholesale banking business risk or asset quality was, on the basis of the documents available to the Investigation, minimal. In a memo dated 15 July 1985 to the Manager, Internal Audit, the "Audit Manager, Branch Inspector" reported, in relation to an audit of "corporate/international", that "there is no system operating to determine industry exposure". In a memo, dated 5 February 1986, addressed to the Manager, Internal Audit, the same bank officer reported that:

"Industry exposure reports are being produced on a monthly basis. There have been some problems in determining classifications in coding between different corporate managers but these are being resolved."

This report also drew attention to the lack of a "comprehensive Procedures Manual to cover all aspects and operations of Corporate." In the January 1987 paper submitted to Mr Matthews, which contained the draft Internal Audit charter, Mr Gates had recommended the transfer to the Internal Audit department of officers qualified to carry out lending review. This proposal, however, was, like the draft Charter, also rejected by Mr Matthews.

In August 1987, Mr Gates, for the first time, submitted to the Board of Directors a proposed Internal Audit strategy, in this case, for the financial year 1987-88.⁽⁾

Sub-paragraph 1.2 of this proposed strategy described the ongoing aims of Internal Audit department in the following way:

"... within resources available, to provide assurance to Management that,

. financial statements and reports comply with Bank policy and generally accepted accounting principles;

. internal accounting controls are adequate and effective in protecting the assets of the Bank;

. the Bank's resources, both human and capital, are being utilised in the most effective and efficient manner;

. operational policies promoting the well-being of the Bank are implemented."

This strategy emphasised a new focus for the department in conducting "operational audits" which was described in the strategy paper as:

"... a systematic process of evaluating an organisation's effectiveness, efficiency and economy of operations under Management's control and reporting to the appropriate person the results of the evaluation along with recommendations for improvement."

This paper was significant in that it acknowledged that Treasury and Capital Markets and Corporate/International were amongst the high risk and exposure areas of the Bank. The paper noted that a substantial commitment to training and development would be required for Internal Audit staff. This paper also recommended the appointment of a professional auditor, at supervisor level, with adequate experience to perform a co-ordinating, supervisory, and training, role for major audits in head office.

The January 1989 Strategy Plan for Internal Audit department formulated by Mrs Chin proposed an expanded audit scope, as follows:

". Provide auditing services to Companies in the Group, internationally and interstate.

. Audit all activities as identified in [sic] audit risk analysis basis."

From 1989 the scope and type of audit activity was expanded considerably. The extension of scope and category of review undertaken commenced concurrently with the organisation and staff restructure of the department in the latter part of 1989.

This restructure which was, generally, in place by June 1990, established the professional environment and capability for the department to perform more complex reviews than those of a `compliance' and `process' type. In July 1990, the establishment of an Audit Committee, and the extension of the Bank's Internal Audit activity to cover all entities of the State Bank Group, further influenced and expanded the scope and types of review performed.

During the latter part of 1989 and throughout 1990, (facilitated by upgraded audit methodology), audit activity was extended gradually to focus on all risk areas of the Bank Group. The types of review performed widened from `compliance' and `process' audit activities to cover `operational' (operations and programs are being carried out as planned) and investigational matters.

The Internal Audit department Quarterly Report for the period July to September 1989, which was presented to the Bank Board on 23 November 1989, was tabled with a covering memorandum from Mr Matthews which noted that:

"With the restructuring of the Internal Audit department, a new approach has been adopted. The scope and type of Internal Audit has developed to place more emphasis now on some areas of the business than was previously the case. In addition to the normal compliance audit, a significant amount of work revolved around risk analysis/management asset protection and operational efficiency. It is appropriate that a more detailed report be presented and this should help us to better understand the control aspects necessary for us to manage our business in the most effective way."

This covering memorandum also invited directors to contact Mr Matthews to discuss any aspect of the Quarterly Report.

This Quarterly Report was presented to the Executive Committee on 26 October 1989, under cover of a memorandum which similarly noted the shift in the scope and type of Internal Audit to be conducted within the Bank.

In addition, the December 1989 Quarterly Report to the Bank Board from Internal Audit commented on the change in audit focus:

"The change of audit approach towards risk assessment as well as incorporating value for money audit techniques has had a mixed reception amongst management. After a brief period of uncertainty and apprehension, management has quickly accepted the benefits of a more effective audit service ..."

23.4.2 INTERNAL AUDIT COVERAGE OF OVERSEAS OPERATIONS

From the time the Bank Board approved the International Banking strategy in January 1985, the Bank actively pursued a strategy of growth and diversification overseas.⁽⁾

The materiality, mix of assets, and rapid growth in offshore operations, together with their remoteness of location from South Australia, in my opinion, demanded the highest achievable standard of control to be exercised over their operations, and Internal Audit was a critical element of management control in this matter.

London branch commenced its wholesale banking operations in October 1985, yet the first time an Internal Audit department review of that office was conducted was April/May 1989. By this time London branch assets had grown to approximately GBP 540.0M providing full wholesale banking services, with particular emphasis on off-balance sheet trading, corporate lending and foreign exchange.⁽⁾ The objectives of the April 1989 audit included:

"To conduct an independent review of management control systems and practice as a basis for identifying ways of improving efficiency, effectiveness and minimising financial risks.

To review the adequacy of systems and procedures established by management to safeguard assets and making appropriate recommendations for improvement."

Prior to the first on site audit conducted by Internal Audit department of the London branch in April/May 1989, the external auditors of the London branch, Messrs KPMG Peat Marwick McLintock, performed certain Internal Audit functions in accordance with the requirements of the Bank of England. The maintenance of adequate records and systems was a statutory requirement for authorisation under the United Kingdom Banking Act, 1987. The review of internal control systems conducted by the London branch external auditors was required to be carried out in accordance with the Bank of England's Notice to Institutions BSD/1987/2, which was issued in September 1987. The Bank's London branch was required to report annually to the Bank of England in accordance with this Notice, and the reporting accountants were required to form an opinion on whether the Bank's accounting and other records and internal control systems had been maintained by management, during the period examined, in accordance with the Bank of England's interpretation of the requirements of the Banking Act (United Kingdom).

The Notice issued by the Bank of England pointed out that the Bank did not require reporting accountants to report all omissions, weaknesses, and failures, however minor, and the existence, nature, scope, and effectiveness of records and systems. Rather, the Bank of England required reporting accountants to report those omissions, weaknesses and failures which individually or collectively were, in the opinion the reporting accountants, significant, and resulted in there not being reasonable assurance that the requirements specified by the Bank of England in the Notice were satisfied.

In the Notice, the Bank of England advised that its general requirements in relation to internal control systems included the requirement that internal control systems should provide reasonable assurance that, amongst other things, the business is planned, and conducted in an orderly, prudent, and cost effective manner, in adherence to established policies, and that management is able to monitor, on a regular and timely basis, inter alia, the adequacy of the institution's capital, liquidity and profitability and the quality of its assets. In accordance with the requirements of the Bank of England, KPMG Peat Marwick McLintock's reports on internal control systems were copied to the Chief Manager of the London branch.

Hong Kong operations were established in April 1987, and the first Internal Audit review was carried out in June 1990. The review objectives included the two objectives cited above in respect of the London branch audit.⁽⁾

New York branch was opened in November 1988, and the first Internal Audit review of the internal operations of that office occurred in May 1989, by which time the total assets of that office had grown to $US 483.0M (as against a budget of $US 240.0M).⁽⁾

The initial reviews of London branch and New York branch by Internal Audit department in April/May 1989 were basic compliance audits, however, the pattern for a risk based approach to auditing of the overseas offices had been established.

Later, more in-depth Internal Audit reviews of the internal control systems in London and New York were conducted by Internal Audit department. The 1990 audit of London Treasury and the 1990 audit of the New York Corporate Book are covered in more detail in Chapter 19 - "The Overseas Operations of the State Bank" of this Report.

So far as the Bank's management was concerned, supervision and review of the internal control systems for London branch was in the hands of KPMG Peat Marwick McLintock, the external auditors for the London branch. Mr Matthews had this to say in evidence concerning the role of the external auditors reviewing control systems in London branch:

"... in terms of that early aspect of our overseas operations which was basically London Office, that was being audited by the external auditors and their reports indicated that the systems were appropriate. It wasn't a clear audit report obviously, because there are always things that need to be done, but in that context, you have to look at it in that overall context that audit was a joint - there was a joint audit by internal and external audit, and in this instance the external auditors were doing the audit at that particular function [ie London Branch].

Question: The systems and controls audit?

Mr Matthews: Yes. That was part of their overall audit. I mean, they had to sign off on the financial and accounting treatment of London Office and obviously they would have looked at their systems and controls.

Question: When you say sign off, is that in relation to the reports that the London Office made to the Bank of England?

Mr Matthews: Yes it was, as part of that and as part of the overall Bank's accounting and reporting.

Question: So you had - at the time, during this time that we are talking about you had no doubt that the external auditors well knew that part of their brief was to look at and report upon internal systems and controls.

Mr Matthews: The external auditors were quite aware that there was no Internal Audit at that function and as such, as part of their audit scope then they would be expected to do that.

Question: And you would have no doubt that they were aware of that?

Mr Matthews: I have no doubt of it." ⁽⁾

Mr Gates similarly saw the external auditors carrying the responsibility for reviewing internal systems and controls in London branch; in May 1987, however, he began to agitate for an on-site inspection of the London branch.

"Question: Was that your understanding that London Office was an external audit responsibility not covered by Internal Audit?

Mr Gates: At that point, yes ...

Question: Did you have a concern that the external auditor was looked to carry out Internal Audit functions of the London Branch?

Mr Gates: He hadn't been specifically asked to conduct Internal Audit but he'd been asked to look at certain things.

...

Mr Gates: Because it had been going three years and like we'd been relying on the external auditor and, yes, they could be asked to do additional work but it's not the same because we know it's important that we - the Bank - within the Bank gets the feel of what's going on and the people at that branch. If it's got all various risks - remoteness, etc, the type of dealings that goes in - they could be ultra vires their authorities and next thing you know you'd be hit with the bill ...⁽⁾

...

Mr Gates: ... there's no way I would say that Peat Marwick McLintock's audit of London Office could be construed as in place of Internal Audit ... we needed to get inside the office and get a feel for the operation and the people etc ..." ⁽⁾

Ultimately, in November 1988, Mr Gates submitted to Mr Clark a proposal to send two Internal Auditors to conduct a review of the London and New York operations in February/March 1989. This was approved, in principle, by Mr Clark although the auditors did not, in fact, attend at the London and New York branches until April/May 1989.

Whilst Mr Gates was concerned about the need for Internal Audit involvement in an on-site review of the operations of the London branch, given the physical remoteness from head office, and the growth and diversification of that branch, Mr Matthews was not concerned who performed the review of controls and systems, so long as some review was carried out:

"Question: ... Do I take it what you're saying is that still at this point of time [September 1987] in respect of overseas operations you were relying upon the external auditors to carry out any necessary Internal Audit type functions?

Mr Matthews: You keep using the term "to carry out Internal Audit functions" and I don't think that's correct. What we're talking about is an audit and effect - looking at the effectiveness of the controls and the protection of assets, the protection of - the flow of income, the expenses and so on. Now, whether that function is carried out by a group of auditors from the external auditors or a group of auditors from the Internal Auditors, from the Management and the Board's viewpoint, they want to know that it's being carried out. So to infer that it was a responsibility of Internal Audit is not correct. What we need to ensure is that somebody was carrying out the task, and in this case it was the external auditors." ⁽⁾

The external auditors of the London branch carried out the external audit of that branch in addition to reporting to the Bank of England in accordance with the Bank of England's requirements. In relation to the audits conducted by the external auditors of the London branch, their letters to management contained a qualification as to the reliance which could be placed on reviews of internal control systems. In their letter to management dated 5 March 1987, the external auditors of the London branch qualified the Bank's reliance upon matters contained in that letter to management in the following terms:

"The primary purpose of our audit is to enable us to express an opinion on the accounts. Our examination of the accounting records is carried out on a test basis and it should not be relied upon to disclose errors or irregularities which are not material in relation to the accounts. It must be emphasised that weaknesses in the system of accounting and internal controls may facilitate defalcations which our normal audit test checks will not necessarily detect."

Mr Matthews felt confident that the external auditors could be relied upon by Management in reviewing internal systems and controls in a general sense not just for review of controls and systems. This position, however, is not supportable in view of the role performed by the External Auditors in relation to the financial statements, as was confirmed by the head office External Auditors, Messrs Touche Ross & Co and Messrs KPMG Peat Marwick Hungerfords, in a letter dated 2 May 1988 addressed to Mr Matthews relating to their engagement as auditors of the Bank, which, amongst other things, stated:

"In accordance with normal practice, our audit is planned primarily to enable us to express a professional opinion on the annual accounts. It should not be relied on to disclose all material internal control weaknesses, fraud, defalcations, errors or other irregularities. However, we will continue to report to senior management any matters of concern and any material weaknesses in the systems of accounting and internal control which come to our attention in the course of our audit procedures."

Messrs KPMG Peat Marwick Hungerfords and Touche Ross & Co in a letter to Mr Matthews, dated 13 December 1989, concerning the audit of the Bank for the year ended 30 June 1989, reiterated that management could not rely on them as a substitute for an adequate and appropriate Internal Audit function:

"From our letter of engagement ... it should be appreciated that our audit procedures are designed primarily to enable us to form an opinion on the financial statements. It should not be relied on to disclose all material internal control weaknesses, fraud, defalcations, errors or other irregularities. We aim however, to use our knowledge of the Bank gained during our work to make comments and suggestions and to report any matters of concern which come to our attention in the course of our audit procedures."

To Management's knowledge, from the express and clear representations from the External Auditors, the Bank was not entitled to rely upon the external auditors as a substitute for an effective Internal Audit function in respect of the overseas branches. The growth and diversification of the overseas branches and the difficulties for effective management of these operations, called for the introduction, at an early stage, of an adequate and appropriate Internal Audit "on site" activity. In October 1987, the Reserve Bank of Australia had expressed, directly, to Mr Clark its concern about monitoring of internal control systems in the London branch.⁽⁾ In May 1988, the Reserve Bank of Australia advised Mr Matthews of its concerns for the effectiveness of internal control systems, given the Bank's growth, particularly, in overseas operations.⁽⁾

The seriousness of management's failure to ensure an adequate and appropriate Internal Audit function for the overseas branches of the bank is compounded by the fact that no asset quality review, in respect of the assets of the overseas branches, was conducted by any function independent of management, until mid 1990, when the Bank's wholesale credit inspection unit conducted the first credit inspection of any of the Bank's overseas branches. This inspection was of the London branch.

When Internal Audit conducted substantive reviews of the London and New York corporate books in 1990, the reports raised substantial issues of "asset quality" even though this was not seen by Mr Mallett as the proper province of the Internal Audit department.

A proposal for the establishment of the wholesale credit inspection unit was put forward by Mr Mallett in a memorandum, to the Group Managing Director and to the Director Australian Banking, in February 1990, and Mr Mallett's memorandum is noteworthy for its concession that, up until that time management's focus of attention was upon growth and profitability, rather than the prudential or risk control aspect of its operations.

In his memorandum, Mr Mallett said:

"We have to date, deliberately chosen not to introduce a credit inspection procedure for the wholesale side of the Bank. This has centred around several issues, one being the dynamic growth of the business and our concentration on this area rather than a review of the credit implications and another, that with little delegation of authority, arguably credit review could only question senior management's decisions."

Mr Mallett's memorandum also noted that:

"It is a common practice in all major banks globally, to have a dedicated lending inspection team who, operating under appropriate policy guidelines, review on an annual basis, all lending activity."

At the end of the day, not only was Management unjustifiably content to rely upon the external auditors of the London branch to carry out reviews of internal systems and controls in lieu of an adequate and appropriate Internal Audit function, it was also content to let the offshore assets grow without asset quality review until mid 1990. These failures demonstrate, in my opinion, a lack of appreciation that the State Bank was an institution that was publicly accountable to the people of South Australia, and that the highest standards of internal review and accountability should have been operative at all times.

On all the evidence available to me, I am satisfied that prudential control of the Bank's rapidly growing and diversifying overseas assets was not a priority for the Management of the Bank, whereas, in the circumstances, such controls were essential if the affairs of the Bank were to be conducted in accordance with accepted principles of financial management. The Bank Board cannot escape some responsibility for this failure.

In oral evidence to my Investigation, in support of their written submissions to me, certain of the non-executive directors, gave evidence of their understanding that KPMG Peat Marwick McLintock had been engaged to perform the Internal Audit function in respect of the London branch. Notwithstanding this, in view of all the evidence available, I am satisfied that the absence of on-site audit by the Internal Audit department of the overseas branches (and in particular London) until May 1989, and the failure to actively monitor and be satisfied as to the effective discharge of the responsibility, is a substantial failure by the Bank Board, the Group Managing Director, Mr Clark and Mr Matthews in relation to their respective duties to the Bank. In my opinion, each of the above mentioned failed to adequately or properly supervise, direct and control the affairs of the Bank in this matter.

23.4.3 INTERNAL AUDIT COVERAGE OF CORPORATE BANKING

Corporate Banking in Australia was, during the period under review, an area of significant asset growth for the Bank.

As noted above, what Internal Audit attention was paid to the Corporate Banking area was not in the nature of an operational audit in the sense previously indicated. Internal Audit department's focus was primarily upon compliance issues and verification of receipt of fees and loan repayments.

It was not until June 1990, that the Internal Audit department undertook an overview survey of the Corporate Banking department for the purpose of identifying the auditable areas of risk, and to formulate Audit Plans for subsequent review of those risk areas. Although some work had been performed previously, the overview survey represented the first full Internal Audit analysis of Corporate Banking, and the survey report noted that lending had increased in this area from $400.0M in 1984 to $5,000.0M at June 1990.

The September 1990 Quarterly Report to the Bank Board from Internal Audit included the following comments in regard to certain areas of Corporate and Commercial Banking that had been reviewed subsequent to the performance of the overview survey:

"The current economic climate continues to pressure the business sector and has resulted in a number of major corporate collapses. The effect of these collapses is now impacting on the commercial business sector and will be a major concern for the finance industry over the near future.

Audit identifies the high priority for Global policies and procedures to manage the expanded State Bank Group activities. Of concern is the lack of progress in developing a Global Risk Management System. The Commitment Register serves Australian Banking and is to incorporate Beneficial Finance Assets while the Limits System serves International Banking. There is currently no common system ..."

Specifically, in relation to the "Commitment Register":

"The Commitment Register is continually being developed to meet the Bank's requirement ..."

"Resources and co-ordination have been lacking. This has resulted in delay of progress and inaccurate information ..."

"The Commitment Register has considerable potential to provide the Group with instant exposure information and to become an invaluable management tool."

The ability of the Bank to control its funding, and readily to determine its financial position is of paramount importance, and, as is noted in the September 1990 Quarterly Report to the Bank Board, is substantially facilitated through the adequate maintenance of a "Commitment Register", which provides detailed analysis of the financing commitments of the Bank.

The main emphasis of Internal Audits that had been undertaken, related to assessing compliance with approved policies and procedures but did not extend to judgement assessment of asset quality and the adequacy of security. Mr Gate's suggestion for a loan inspection function within Internal Audit was rejected by Mr Matthews in February 1987; a separate function, however, quite independent of Internal Audit, was eventually established in early 1990, to perform specific reviews of asset quality. By this latter date, problems associated with asset quality had crystallised, and it was a matter, in my opinion, of "too little too late".

The Investigation noted that the matter of Internal Audit department's involvement in asset quality issues in the Corporate Banking area within Australia, was a matter of substantial contention between Mrs Chin and Mr Paddison, particularly in the latter half of 1990. Whilst matters relating to the control of credit in the Bank are dealt with in a separate Chapter of this Report, for the purposes of this Chapter it is significant that, in a memorandum from Mr Paddison (at that time Chief General Manager, Australian Banking) to Mrs Chin (then Chief Manager, Group Audit) dated 21 September 1990, Mr Paddison expressed his view that Internal Audit department should not have any involvement in credit or pricing issues.

In the memorandum, Mr Paddison said:

"In my view it is inappropriate for audit department to concern itself with how these responsibilities [credit and pricing] are divided and exercised. These matters are the proper responsibilities of the Executive of the Bank.

Audit has the responsibility to ensure that in the context of the agreed management framework that responsibilities and accountabilities for which management holds formal delegation on which clear control policy does or should exist are being appropriately discharged.

To make investigations and judgements beyond that is, in my opinion, usurping the prerogative and responsibility of line Management.

I would wish to sound a word of caution that I will most strongly resist the intrusion of Group Audit into areas which I believe are the proper province of management.

I will not contemplate Group Audit intruding on Australian Banking divisional management's responsibilities by seeking, offering or attempting to influence operational responsibility allocation or judgement about appropriateness of assignment of duties or functions."

Mr Paddison's opposition to Internal Audit department's review of "asset quality" in Corporate Banking, coupled with the failure to secure a review of "asset quality" by a function independent of management, in my opinion, reflects adversely on the discharge, by Mr Paddison, of his responsibilities for the prudential management of this portfolio of the Bank's assets. In his submission to the Investigation⁽⁾, Mr Paddison asserted that the memorandum was not written to promote "anti-audit sentiments within the Bank", and that the Report was circulated only to Mrs Chin with a copy to Mr Clark. Mr Paddison also submitted:

"By the preparation of this memorandum Mr Paddison was stating his position clearly in an effort to combat the dogmatic approach adopted by Mrs Chin and her managers in relation to the issues raised [at a meeting which took place shortly prior to the preparation of the memorandum]. His views were voiced not to restrict the Audit Department but to maintain the commercial and objective position of the Department by confirming its separate and independent existence from the role of management."

Notwithstanding Mr Paddison's submission, I regard the words of the memorandum as plainly "warning off" Mrs Chin and the Internal Audit department from investigating the matters the subject of the memorandum. In my opinion, his actions in this particular matter do not reflect what would be expected of a senior executive on an important matter of accountability.

As the divisional Executive responsible for the Internal Audit department, Mr Matthews should, in the circumstances, have been active in securing an effective Internal Audit function, but failed to do so. The Investigation is satisfied that Mr Clark was, throughout the period under review, fully aware of the lack of Internal Audit attention to the corporate banking area.

Given the nature and growth of the corporate banking operations of the Bank over the period July 1984 to June 1990 and for the reasons indicated above, , in my opinion, the Bank Board, Mr Clark, and Mr Matthews failed in their respective obligations to secure adequate and appropriate Internal Audit coverage of this high risk area of the Bank's operations. The seriousness of this failure is compounded by the fact that no asset quality review in respect of Corporate Banking's portfolio was conducted by any function independent of management until 1990. Certain of the Non-Executive Directors gave evidence of their belief, arising from Management's reports, that Internal Audit department was adequately covering the Corporate Banking area.⁽⁾ Whilst accepting that this was the belief of the Non-Executive Directors, nevertheless, I am of the opinion that the Bank Board cannot escape some responsibility for the failure to ensure that effective Internal Audit of this risk area of the Bank's activities was being undertaken, and accordingly failed to adequately or properly supervise, direct and control the affairs of the Bank in this matter.

Management's failure to secure an adequate Internal Audit function operating in relation to the Bank's Corporate Banking activities demonstrates, in my opinion, their lack of appreciation of the State Bank as a publicly accountable finance institution requiring the highest standards of internal review and accountability being operative at all times.

On all the evidence available to me, I am satisfied that the prudential control of the Bank's rapidly growing and diversifying Corporate Banking activities was not a priority for Management, whereas, in the circumstances, such controls were essential if the affairs of the Bank were to be conducted in accordance with "accepted principles of financial management."

23.4.4 INTERNAL AUDIT COVERAGE OF TREASURY OPERATIONS

London and New York Treasury operations were first subjected to Internal Audit review in May 1989.

In June 1989 Mrs Chin commissioned KPMG Peat Marwick Hungerfords to undertake a review of the adequacy of the Treasury/International Internal Audit function. The consultant's report noted:

"Treasury and International audit work has focused more on compliance with defined procedures and obtaining an understanding of operations rather than a critical analysis of the risks associated with State Bank's operations and the corresponding management and accounting control practices that are, or should be, in place. As a consequence, there has been little attention given to macro policy issues and only limited emphasis upon evaluating the true effectiveness of existing procedures.

The key areas where the scope of the review and findings have been inadequate are in evaluating the adequacy of management information and prudential control practices. There has for example been a tendency to simply establish if there is or is not a limit in place rather than to evaluate whether:

. the limit in place addresses all the corresponding financial risks;

. compliance with the limit is being reviewed by Management independent of the trading operation; and

. the systems used to measure exposure relative to limits are reliable."

Shortly afterwards, the consultant was engaged to undertake a full review of Treasury activities, and the consultant presented his report on the review in September 1989. The report raised a number of concerns in relation to Treasury risk management policies and practices. Matters arising from this report relevant to the Terms of Appointment are dealt with in more detail in Chapter 7 - "Treasury and the Management of Assets and Liabilities at the State Bank" of this Report.

Having regard to the findings of the consultant's report, I am of the opinion that Treasury operations is a major area where Internal Audit coverage was misconceived and hence not appropriate or adequate. In my view, Mr Clark and Mr Matthews failed in their respective obligations to secure appropriate and adequate Internal Audit coverage of this high risk area of the Bank's operations. This failure, as in the case of matters related earlier concerning coverage of Corporate Banking and International Operations, demonstrates, in my opinion, a lack of appreciation on the part of Mr Clark and Mr Matthews of the State Bank as a publicly accountable finance institution requiring the highest standards of internal review and accountability being operative at all times.

So far as concerns the Bank Board, certain of the Non-Executive Directors gave evidence that they understood, from management's reports, that Internal Audit department was adequately covering the Bank's Treasury Operations.⁽⁾ Whilst accepting that this was the belief of the Non-Executive Directors, nevertheless, I am of the opinion that the Bank Board cannot escape some responsibility for this failure and accordingly failed to adequately or properly supervise and control the affairs of the bank in this matter.

23.4.5 INTERNAL AUDIT COVERAGE OF THE BANK GROUP

The Bank Board's meeting of 28 June 1990 approved the extension of the Internal Audit activity of the Bank to cover operations of all entities comprising the State Bank Group. At the time of this approval, Beneficial Finance Corporation had an established Internal Audit department with seven staff. Most of the other related entities had some form of Internal Audit process which was small in size. By way of example, Oceanic Capital Corporation Limited and Executor Trustee Limited each had one Internal Auditor.

The practical extension of the Bank's Internal Audit activity to Group entities occurred during the latter part of 1990, as indicated in the table below. Overview surveys of the related entities' operations were undertaken to identify auditable areas of risk, establish Audit Plans and determine audit resource requirements.

Date of Integration

Introduction with State Bank

Entity to State Bank Group Internal Audit

Beneficial Finance March 1984 November 1990

Executor Trustee September 1984 October 1990

Day Cutten Pring Dean July 1985/1988 December 1990

Ayers Finniss Group September 1987 December 1990

Oceanic Group March 1988 July-Sept. 1990

United Banking Group June 1990 February 1991

The Board Paper of 15 June 1990 `Group Internal Audit Services', which was presented to the Bank Board Meeting on 28 June 1990, recommending the extension of the Bank's Internal Audit activity to Group entities, outlined a number of benefits to the adoption of the State Bank Group approach, notably:

"a. Maximise the contribution of specialist skills in the Bank's Audit Department to the Group as a whole.

b. Enable risk analysis and control evaluation to be more effectively covered on a Group basis.

c. Provide auditing services to the Group Companies that currently do not have auditing functions.

d. Maintain consistency in the quality of auditing services across the Group.

e. Provide consistent internal control standards in the Group.

f. Contribute towards the containment and effective minimisation of external audit fees.

g. Provide more exposure and development to staff of the individual units."

As early as January 1987, Mr Gates had recommended to Mr Matthews that the Internal Audit departments of the State Bank Group be brought under the overall control and authority of a Chief Manager, Internal Audit, the suggestion being not to physically integrate the separate Internal Audit units, but to arrange secondments between the units on a regular basis. The proposal was, however, that the Chief Manager, Internal Audit, be directly responsible for State Bank Internal Audit, as well as the overall Group Internal Audit. This proposal by Mr Gates was rejected by Mr Matthews.⁽⁾

I note that the benefits stated in the Paper to the Bank Board in June 1990 were, in my opinion, no less relevant than in July 1984, when the Bank commenced operations with its major subsidiary, Beneficial Finance Corporation. I acknowledge that the Bank's major subsidiaries, namely Beneficial Finance Corporation, Executor Trustee and Oceanic maintained their own Internal Audit departments prior to establishment of Group Internal Audit.

23.4.6 RISK IMPLICATIONS OF THE BANK'S DEFICIENT INTERNAL AUDIT COVERAGE

The failure by Management to secure an adequate and appropriate Internal Audit coverage of the high risk areas of the Bank's operations, namely, Corporate Banking, International and Treasury, until the times indicated above is a substantial non-compliance with its obligations to ensure the protection of the Bank's assets, and to ensure the maintenance of an effective and relevant internal control system for the Bank in these areas of operation.

As noted above, the growth and diversity of the Bank's operations in these areas gave rise to significant risk exposures, and called for the highest level of effective and relevant internal controls, and regular and thorough reviews of these internal controls in order to protect the interests of the Bank.

This failure by Management is compounded by the fact that the Bank did not have in place a credit inspection function until mid 1990.

Particularly in relation to the overseas operations, there was a need for effective controls kept constantly up to date with the changing nature of operations, and vigorously and regularly reviewed for their effectiveness.

In addition, the rapid expansion of the Bank Group called for an Internal Audit function authorised, and able to take a "Group risk" perspective in reviewing and reporting on the Group's internal control systems.

As typified by Mr Mallett's memorandum of February 1990, Management was too busy concentrating on growth and profits to worry about the prudential controls necessary to ensure the necessary protection of the Bank's significant and widespread assets.

Other chapters of this Report deal with the non-performing asset position of the Bank as at the end of the period under review. The risk to the Bank's assets was always significant, and Management failed to act with the degree of diligence required, having regard to the risk profiles of the Bank's operations.

On all the evidence available to me, I am of the opinion that until mid 1990, the Internal Audit coverage of the Bank's Corporate Banking, Treasury, and International Operations, was misconceived and neither appropriate nor adequate as regards the procedures, policies, and practices, adopted.

23.4.7 AUDIT APPROACH AND METHODOLOGY: PRE 1989

In my opinion, an Internal Audit department that operates within an entity without restriction of scope is charged with the responsibility of achieving a satisfactory audit coverage of the many significant areas of the entity's operations and procedures. Furthermore, the degree and extent to which the Internal Audit department can adequately appraise and advise management on, for example, the effectiveness of controls operating in the various areas of the entity, is not only dependent on the level and quality of staff resources, but also, on the approach and methodology employed in performing examination tasks.

The performance of quality and efficient Internal Audits requires, in my opinion, the application of an audit methodology that incorporates a structured and documented approach to the planning, conduct, and reporting, of audit assignments. This methodology should include risk assessments to prioritise areas to be subjected to audit, and a consistent basis of approach to various aspects of operations, regardless of the area subject to audit. The approach to transactions and systems reviews to assess compliance with approved policies and procedures, including computer audit analysis to assess the adequacy of internal control and integrity of financial data, should all be components of the methodology.

An internally initiated Operational Audit by the Internal Audit department of its own operations in the latter part of 1987 (which is dealt with in more detail in Section 23.5.3 below) identified shortcomings relating to the effectiveness of the Internal Audit activity with respect to audit approach and practice. Essentially those issues related to:

(a) audit resource emphasis on Retail Bank branch operations, rather than the allocation of resources between branch operations and Head Office areas (viz Treasury, Corporate Banking) based on assessment of risk and exposures;

(b) ineffective integration of general audit and computer audit resources and methodology in the planning and performance of audits; and

(c) limitations and weaknesses in the planning, conduct (including documentation of work performed) and the control of audit tasks.

In addition, the department had no formal and structured records system which provided standards for permanent and temporary retention of various administrative and audit documentation.

Although only limited documentation relative to this period was available for review by my Investigation, certain retained documentation (including Handbook; Operational Audit Report of 1987; Audit Reports) provides a general insight into the audit approach and methodology adopted during this period.

In general terms:

(a) Internal Audit department focus was on Retail Bank branch operations with some areas of Head Office, subject to compliance audit and fees and revenue collection. The selection of Head Office audits, up until mid 1987, was not based on an Audit Plan approach involving identification, documentation, and risk priority assessment of auditable areas.

(b) Audits of Head Office operations performed by General Audit staff were directed to determining compliance with approved policies and procedures rather than the adequacy of internal control systems. Audits undertaken by Computer Audit staff were directed to testing the accuracy of data produced by Retail Bank computer related systems and reviewing controls at the central computing facility.

(c) Computer Audit staff provided system generated information to General Audit staff on a needs basis, for use in the conduct of audits. Computer literacy of General Audit staff was minimal. In addition, Computer Audit staff and General Audit staff operated independently of each other. There was little integration of skills in the performance of audits.

(d) Audit staff prepared working papers documenting work performed.

(e) Reports were prepared on audit tasks and submitted for response to auditee management, and reports summarising the activities of the department on a half-yearly and annual basis were prepared by Mr Gates, and presented to the Bank Board. Reports to the Bank Board covering two to three pages were basic documents, relating summary information on the status and general conclusions of Retail Bank branch audits, and general summary conclusions of compliance audits of less complex areas of Head Office. The reports were not such as to be helpful in understanding issues arising in the context of audit activities, and did not discuss and analyse issues relating to the changing nature and material risks of operations of the Bank.

(f) No Budget/Actual Time recording and monitoring of auditable area tasks was properly and accurately undertaken until October 1987.

The independent consultant commissioned by Mrs Chin in June 1989 to review the Treasury/International Internal Audit function confirmed the need not only to develop the skill level of staff of the department, but also to improve audit approach and methodology:

"... Treasury and International audit work has focused more on compliance with defined procedures and obtaining an understanding of operations rather than a critical analysis of the risks associated with State Bank's operations and the corresponding management and accounting control practices that are, or should be, in place ..."

"the audit procedures adopted are frequently principally substantive in nature and often fail to adequately test internal controls ..."

"no use is made of Computer Assisted Audit Techniques [Computer Audit Programs] ..."

"audit techniques need to be refined. These include enhancing the existing audit programs, training in basic audit concepts, establishing standards in areas of working papers ..."

"We also recommend that Internal Audit adopt a grading system for its reports ..."

In his submissions to the Investigation, Mr Gates acknowledged that at the time of the establishment of the Bank, audit methodology was primarily a "tick and check" type of operation. Mr Gates, however, submitted that during the period 1984 to 1988 there were improvements and changes introduced. Mr Gates pointed to preliminary surveys of head office areas to identify risks and auditable areas. He also drew attention to a pilot operational audit of Card Services department, using an integrated audit team of computer audit and head office audit staff, which commenced in July or August 1988. Mr Gates also drew attention to a proposed strategy for the Internal Audit department for the financial years 1988/1991 which he prepared in September 1988.

In their submissions to the Investigation, Mr Clark and Mr Matthews also drew attention to steps taken during the period 1984 to 1988 to improve the Internal Audit department's approach and methodology in relation to the high risk areas of the Bank's operations.

I acknowledge that some steps were taken by Mr Gates, Mr Matthews and Mr Clark. In my opinion, however having regard to the significant asset growth and expansion of operations of the Bank during this period, particularly in relation to Corporate Banking, and International and Treasury, Mr Clark and Mr Matthews demonstrated not only a lack of appropriate urgency in introducing into the high risk areas of the Bank's operations an audit approach and methodology directed towards full and effective reviews of internal control systems, but, also failed to appreciate the critical importance of this function in the operational affairs of the Bank.

23.4.8 AUDIT APPROACH AND METHODOLOGY: 1989-1991

Mrs Chin's Strategy Plan of January 1989, which identified the steps to be taken over the subsequent months to improve the quality of Internal Audit activity, proposed a change in audit approach and methodology, as follows:

"Change of Audit Methodology

. 20/80 ratio in audit risk analysis to be applied. ⁽⁾

. Audit program to be related to risk analysis above.

. Standard methodology to be developed to assist auditors to perform work professionally.

. Integrate work with IS (Information Systems) to ensure common approach and maximise use of resources.

. Improve audit reports in quality and presentation.

. Time management of costs.

. To develop work teams rather than individual auditor basis.

. To change attitude of staff and ensure enthusiasm.

. To develop skills of staff in self management, human relations, making presentations etc."

In addition, the strategy plan included the proposal to:

"Set up Permanent Files and Central Filing system to increase the effectiveness of audit work." ⁽⁾

Concurrent with the other important steps taken to improve the quality of the Bank's Internal Audit activity, notably an organisation and staffing restructure, significant upgrading of audit approach and methodology was effected in line with the strategy plan in the latter part of 1989 and throughout 1990.

The following indicates the Internal Audit department's audit approach and methodology after January 1989.

(a) Audit Planning

The department implemented an Audit Planning framework based on a risk priority assessment approach involving the identification and documentation of all auditable areas of risk; formulation of annual plans of coverage of auditable areas relative to priorities and risks; and preparation of quarterly plans detailing staff assigned to auditable areas on a week to week basis.

(b) Performance of Audit

The department was restructured into a number of specialist sections reflecting, respectively the business areas of risks of the Bank. Computer audit staff were integrated into the respective sections' audit teams, facilitating the effectiveness of audit planning and audit work performance.

In addition:

(i) Personal computers were introduced to branch and off-site audits, resulting in a fully automated operation.

(ii) Audit programs and checklists were developed to facilitate review of auditable areas.

(iii) Computer Assisted Audit Techniques (Computer Audit Programs) were developed for other areas of banking activity, in addition to Retail Bank related systems (viz Treasury, Corporate Banking).

(iv) A standard audit documentation methodology utilised by a major Chartered Accounting Firm, was adopted by the department to ensure a high degree of professionalism and productivity.

(c) Control of Audits

The department implemented a Time Management System to monitor staff resource time and productivity, and developed a Job Status Control report to aid control of activities.

(d) Record Systems

Permanent and Non-Permanent recorded filing systems, with retention standard periods, were introduced.

(e) Internal Audit Standards

A Staff Audit Handbook, detailing Policies of the Internal Audit department and Standards for audit work, was produced and promulgated to audit staff for guidance.

(f) Reporting on Audits

Reporting to auditee management and the Bank Board was significantly upgraded. Reporting to the Bank Board on the activities of the department changed in frequency from half-yearly to quarterly, commencing the quarter ending September 1989. In addition, reports became comprehensive in scope, coverage, and findings, and are results oriented. Reports provided gradings in respect of the auditable areas reviewed, and commented on in the reports. The gradings applied were:

(i) excellent (E): criteria included complete adherence to policies and procedures and outstanding internal controls;

(ii) satisfactory plus (S+): criteria included adherence to policies and procedures and above average internal controls;

(iii) satisfactory (S): criteria included general adherence to policy and procedures and adequate internal controls;

(iv) satisfactory minus (S-): criteria included a number of policy and procedures not adhered to and inadequate internal controls; and

(v) unsatisfactory (U): criteria included substantial non-adherence to policy and procedures and major breakdown in controls. This category also included as a criterion that there was a high risk and possible extensive loss to the Bank.

The above developments were a substantial improvement over the pre-1989 departmental approach in methodology, and, after some five years of operations, placed the department's approach and methodology on a footing that enabled the department to properly discharge its functions.

23.5 RESOURCES AND EXPERTISE IN THE INTERNAL AUDIT DEPARTMENT

23.5.1 INTRODUCTORY COMMENTS: ORGANISATIONAL EVOLUTION OF THE INTERNAL AUDIT DEPARTMENT (1984 TO 1991)

Internal Audit must be able to perform audits in all auditable risk areas of significant units of an entity before it can be considered to be effectively servicing the entity. An effective Internal Audit will be able to demonstrate, to management and operating personnel, an ability to be able to assist them to achieve their goals by assisting, advising and providing counsel. Success will not be achieved without an Internal Audit department that is adequately staffed with competent people. An Internal Audit department may serve as a training ground for future executives, or may be viewed as a career field in itself, with few members moving into line management.

23.5.2 EARLY CONCERNS REGARDING EXPERTISE IN THE INTERNAL AUDIT DEPARTMENT

In my opinion, the Bank Board was put on notice as early as August 1985 that there were concerns as to whether the staff of the department possessed sufficient skill to effectively audit all areas of risk of the Bank's operations. The External Auditors of the Bank commented at the Bank Board Meeting held on 22 August 1985, that:

"There was a need to increase the expertise of the Bank's Internal Auditors in the area of Corporate and International, Data Processing and Foreign Exchange and Money Market operations." ⁽⁾

In evidence to the Investigation, Mr Barrett and Mr Simmons said that they understood the external auditor's comments not to be a reflection of a lack of expertise in the past but as a recognition of a need in the future.

The Bank Board had already, in January of 1985, approved an International Banking Strategy, which involved a move by London branch into wholesale banking operations (indeed at the time of the auditor's comment, this new operation was about to commence), as well as the opening of other branches in New York and Hong Kong. By this time also the Bank Board had approved a Strategic Plan which stated:

"... there is every reason to believe that business opportunities for corporate can be dramatically expanded once we have substantial London representation." ⁽⁾

The growth and diversification strategy for overseas operations was also reflected in the 1985-86 Profit Plan, which the Bank Board had approved only the month before.⁽⁾

The auditors' comments prompted a request by the Group Managing Director, on 30 October 1985, for the external auditors to make an assessment of the Bank's Internal Audit Department's capability in regard to Corporate and International Banking, Foreign Exchange and Money Market Dealings, and Data Processing operations.

The external auditors reported back to the Group Managing Director, in a letter dated 22 April 1986, which said:

"Since your letter, considerable work has been undertaken by the Internal Audit department and ourselves to establish the best possible audit coverage in relation to these areas of the Bank's activities ...".

The external auditors' review reported in relation to each of the nominated operational areas as follows:

(a) Corporate

The external auditors made available copies of the Peat Marwick Mitchell International Bank Practice Guide to assist in the preparation of appropriate Internal Audit documentation in this area.

Detailed documentation had been produced including explanatory notes on the accounting system and its operation, and relevant audit programs and sampling requirements.

The external auditors reported:

"We have always been satisfied that [the nominated Internal Auditor] has sufficient experience to carry out the necessary audit procedures in this area and with the clarification and codification of the Internal Audit requirements, we would expect to be satisfied with the quality of the work being undertaken, subject to continued use of the documentation developed."

(b) International

Audit procedures relating to the audit of this department were drafted, but required further refinement and review through testing. The review included this following observation:

"Progress has been somewhat slower in this department due to the initial lack of proper procedures/instruction manuals (now in the course of preparation) and the fact that the allocated Internal Auditors were concentrating their attention on the corporate area.

We will monitor the development of the Internal Audit function in this department to establish that the proposed audit program is adequate and to ensure that any necessary amendments to documentation and the program are effected."

There is no evidence of the external auditors' monitoring the Internal Audit department in this respect.

(c) Foreign Exchange and Money Market Dealings

Systems descriptions, details of objectives and controls, and proposed audit procedures, had been reviewed by the external auditors. The external auditors reported:

"We believe that the personnel involved have the ability to satisfactorily carry out the necessary audit procedures in this area but emphasise that the documentation will need continual review and amendment to cope with the constant changes in the nature of foreign exchange in money market transactions."

(d) Data processing operations

The review recorded that two additional data processing auditors had been recruited and three trainee data processing auditors would commence with the Bank in the near future. The review referred to the:

"... excellent work being performed and planned by the Bank's DP audit section. Their skills and the continuity of their efforts have contributed greatly to maintaining a satisfactory audit scope without the need for excessive external audit involvement".

The review concluded:

"Overall, it is our assessment that the Internal Audit documentation and procedures which have now been put in place, together with our proposed external audit overview and testing will afford the optimum audit coverage which can reasonably be expected. However, it cannot be too strongly emphasised that the most effective safeguards to the Bank will be provided by strict control of the "quality" of the transactions and dealings which it undertakes. This "quality" is seen to be measured by the credit worthiness of the parties with whom the Bank transacts its business and the best possible authorisation, recording and reporting of transactions."

At its meeting on 24 April 1986, the Bank Board was advised of the External Auditors letter of 22 April 1986, with the Bank Board Minutes recording the following:

"In response to a Director's question concerning the effectiveness of existing Internal Audit procedures applicable to the International, Foreign Exchange and Money Market areas, the Managing Director reported that correspondence received on the 23rd April 1986 from the Bank's external Auditors indicated their satisfaction with existing audit procedures. Audit staff would continue to consult with the external Auditors to ensure minimum audit standards are maintained." ⁽⁾

Having regard to this response to a specific query, the Non-Executive Directors were, in my opinion, entitled to accept that, at this time, ie early 1986, with respect to the matters mentioned, the Internal Audit coverage was adequate.

Up until September 1987, the Internal Audit department structure essentially comprised two sections:

(a) a retail branch audit section (which also undertook whatever head office audits were conducted); and

(b) a computer audit section (information systems audit).

During this period, auditors within the retail branch audit section spent most of their time conducting the branch audits, and whatever time was left available was used in conducting head office audits. The lack of a specialised focus, together with time constraints and actual lack of training and experience, placed real pressures on the department, and, as noted by Mr Gates in his evidence to the Investigation:

"... They've been out and been to a large branch audit and then come in - come in to do work for a week or two on their various areas in the head office, whether it be corporate, international, depending on where their office was involved. Generally speaking, I felt that ... it wasn't ideal. It could be improved on, ... it needed improvement and I think a far more professional approach was - came out of this by dedicating specifically the people to the task in question.

... It's a long haul to get people without really any audit - specialised training in audit into some of these things [head office audits]." ⁽⁾

23.5.3 INTERNAL AUDIT DEPARTMENT'S "SELF AUDIT"

In August 1987, the Internal Audit department submitted a strategy plan to the Bank Board which indicated a shift in emphasis to "operational audits". The first area targeted for an operational audit was the Internal Audit department itself, the review being conducted over the period August to September 1987 by three officers of the department.

On 17 September 1987, an "Operational Audit Report on the Internal Audit department of the State Bank of South Australia" (the "Operational Review") was prepared⁽⁾ which highlighted a number of significant organisation, staffing, and operational, concerns, notably:

(a) Poor Staff Morale

"In our opinion there are acute personnel problems in the general audit area. 92% of general auditors interviewed, confirmed the above."

(b) Limited career path and promotional opportunities and minimal job satisfaction

"Dumping Ground - staff are concerned that the Internal Audit Department is used for retraining and a means to accommodate managers who have reached the limits of their competence. 92% of the Senior Management respondents stated that Internal Audit Department should not be used for this purpose." ⁽⁾

(c) Poor Accountability for Time

"In our opinion field auditors are not accountable for their time. A program book is maintained on a weekly basis but is not accurate."

(d) Inadequate Performance Measurement

"It is our opinion that generally the performance measurement of field auditors is inadequate. There is no documentation in relation to an individuals performance ..."

(e) Inadequate audit coverage and lack of technical proficiency in Head Office areas, viz Corporate Banking, Treasury and Capital Markets, International and Finance departments:

"In our opinion only approximately 27% of human resources were devoted to Head Office audits for the financial year ended 1986-87.

Although auditors are programmed to perform Head Office audits on a regular basis the actual time spent on those audits is minimal.

Concern was expressed by 83% of field auditors interviewed as to their technical proficiency in Head Office areas.

It is our opinion that because of this lack of confidence Head Office audits are avoided.

The examination of Head Office work papers revealed that the review of Head Office audits is inadequate".

The Operational Review was not presented to the Bank Board, but the Internal Audit half-yearly report, for the period ended 31 December 1987, presented to the Bank Board Meeting on 28 February 1988, indicated that an operational audit of the Internal Audit department had been conducted, with the resultant restructure of the department to place "more audit emphasis to the increasingly complex activities of Corporate Banking, Treasury and Capital Markets, International and Finance Departments". The restructure involved the establishment of a Head Office Audit section additional to the Retail branch and Computer Audit sections.

The half-yearly report, signed by Mr Gates and Mr Matthews, did not provide to the Board any details of the concerns identified during the operational audit as reported in the Operational Review.

The Investigation did not reveal any substantial disagreement by Mr Matthews or Mr Gates with the findings of the operational audit, although Mr Matthews did qualify his view in the following respect:

"Mr Matthews: ... I think that the Report was probably being overly-critical, self critical and I think that there were one or two people who saw this as a "political" exercise.⁽⁾

Question: Are you suggesting ... it was to an extent self serving, the tone, the self criticism?

Mr Matthews: I think partly so, yes, but having said all that I think you know the points that people were making about career paths and so on within the overall Bank structure could be seen to be true because of the way the Bank worked in moving people between various classification levels and I think - so from that aspect yes there's some truth in the situation." ⁽⁾

The Internal Audit Half Yearly Report to the Bank Board, for the period ended 31 December 1987, also included a status report on reviews of head office department in accordance with the audit plans which had been established in November 1987. The Report stated that:

"... several [reviews of head office departments] had been completed but the program is behind schedule due to staff changes and sick leave. Major areas are expected to be completed by the end of June 1988."

In my opinion, Mr Clark and Mr Matthews, should have reported the findings of the Operational Review to the Bank Board in more detail, as this document contained information of material significance to the Board in discharging its obligations to maintain the highest standards of internal review and accountability in accordance with the Bank's position as a Government guaranteed financial institution. This failure on the part of Mr Clark and Mr Matthews deprived the Bank Board of the opportunity to give directions to Management for remedying the identified deficiencies within a timetable stipulated by the Bank Board. The importance of the need for urgent attention to the findings in the circumstances can hardly be over-estimated, given that the deficiencies were identified in relation to the areas of the Bank's operations that were of the highest risk. I am satisfied, however, that in presenting the Internal Audit department's Half Yearly Report for the period ended 31 December 1987, Mr Clark and Mr Matthews were not intending to intentionally mislead or deceive the Bank Board. Nevertheless, there is no doubt in my mind that this failure to alert the Board mislead the Board.

During a Bank Board meeting held on 25 August 1988, the Bank Board questioned Mr Gates whether he "considered that the department had sufficient resources to carry out its functions and were informed that the Bank was recruiting staff in specialist audit areas such as treasury and that provided the current expertise was retained within the department, then the resources were adequate." ⁽⁾

At this same meeting, the Bank Board was presented with an Internal Audit Report for the year ended 30 June 1988, which stated under the heading "Treasury and International", the following:

"The audit covered the following sections -

- Short Term Money market

- Foreign Exchange

- Capital Markets

- International Banking

...

From the sample tests made the work standards and controls in Treasury and International were considered satisfactory."

Having regard to all the evidence, I regard the September 1987 Operational Review of the Internal Audit department was both a comprehensive and necessary review which was vital to the Department's capacity to carry out its essential role within the Bank. Its findings as to the Department's lack of attention to Internal Audit activity within the high risk areas of the Bank's operations are borne out by other evidence obtained during the course of the Investigation.

The Operational Review comprehensively indicated deficiencies in the Department's resource and skill base, structure, Internal Audit coverage, and general Internal Audit approach and methodology. Mr Gates, Mr Matthews and Mr Clark were, as a result of this review, left in no doubt that the highest priority was required in this area of the Bank's administration to rectify the deficiencies identified in the review.

After receipt of the Operational Review, Mr Gates, without waiting for the formal restructure of the department to be approved, moved to create two audit teams to form the proposed Head Office Audit section, one of the teams being responsible for the audit of Corporate, Treasury and International. These arrangements were implemented in October 1987. The formal restructure of the department was in due course approved. Initial attempts to externally recruit a professional Internal Auditor to lead the new Head Office Audit section were, however unsuccessful. After readvertising the position, Mrs Chin was, in due course, selected and joined the Bank in late 1988.

After January 1989 the pace of change within the Department, both structurally and in relation to its audit coverage, approach, and methodology, was substantially increased with Mrs Chin's activities clearly reflecting her appreciation of the urgent need to provide to the Bank an adequate and appropriate Internal Audit function.

23.5.4 RESTRUCTURE OF THE INTERNAL AUDIT DEPARTMENT 1989-1990

Shortly after Mrs Chin took over as head of Internal Audit department from Mr Gates in January 1989, a further internal analysis of staffing skills relative to the department's requirements was undertaken. Subsequently, in June 1989, Mrs Chin and Mr Matthews submitted to the Executive Committee a "Strategy Paper for Internal Audit department" which proposed a major reorganisation and staffing restructure for the Internal Audit department.

The Strategy Paper, essentially proposed:

"It is intended that the establishment of 40 staff be reduced to 31. The 31 staff establishment is based on the following plan:

(a) The department is organised into 7 sections with specialised staff to meet the audit requirements of the new structure of the Bank.

(b) An integrated project approach is adopted where audits involve a variety of disciplines, viz Lending, Accounting and Information Systems auditing skills.

(c) The layers of Management have been reduced to enhance effectiveness of control and communication.

The Audit scope has been expanded considerably to include operational and process auditing as well as compliance and system integrity auditing. However, audits will be conducted on a risk analysis basis with emphasis given to the impact on the organisation.

In order to be effective with the lower staff establishment, it will be necessary to staff the Department with high quality people.

This paper recommends the staffing of the Department as follows:

(a) A core group of career Internal Auditors. This will consist of specialist professionals from various disciplines such as Treasury, Corporate, Lending, Information Systems and finance. This core group will ensure continuity in the Department and will provide training in Internal Auditing to other staff.

Internal Audit specialists should be paid as professionals on market value in order to ensure that adequate skills are available to the Department.

If suitable personnel are not available within the organisation, it will be necessary to recruit externally.

(b) A proportion of the staff establishment will consist of selected staff with potential for senior management. These people will be at various stages of their career development. They will be specially invited to spend 1-2 years in Internal Audit Department. During this period they will be put through intensive training in internal control and given exposure to all areas of auditing eg a Corporate manager would be trained in all aspects of control in lending and exposure to Treasury, Information Systems and Financial auditing.

At the end of the period in Internal Audit the staff will have a greater appreciation of internal control requirements, and an awareness of the potential risks within the Bank. They will also gain an understanding of the Bank's activities as a whole.

They will return to line function with enhanced career prospects. A Manager with such Internal Audit experience and training will be highly valued by the Bank.

This arrangement will ensure that Internal Audit Department has a constant flow of high quality staff who can contribute to the improvement of the Bank's operations."

The organisation and staffing restructure of the department commenced in the latter part of 1989 and was principally implemented by June 1990. The staff establishment was reduced to the thirty-one positions, and a high turnover of staff was experienced to place the department on a more professional footing by June 1990.

The internal analysis of staffing skills conducted prior to the submission of the Strategy Paper had indicated the need to improve the quality and skill level within the department. The concerns in relation to the capacity of the department to audit Treasury and International was such as to prompt the commissioning of KPMG Peat Marwick Hungerfords in June 1989, to undertake a review of the Treasury and International Internal Audit function of the Bank. The report clearly indicated the pressing need for improvement in the Treasury and International Internal Audit capacity as the following extract from the report shows:

"The review has concluded that the existing T & I [Treasury and International] audit function is not sufficiently effective in discharging its responsibilities for the proper review of the risk and controls associated with State Bank's treasury operations. Whilst adequate coverage is provided of the detailed operational aspects, the scope of the work is superficial and not sufficiently qualitative."

"Notwithstanding these concerns, substantial progress has been achieved in converting the approach to the T&I audit from one with a purely financial audit emphasis into a more operationally based approach. This is a major cultural change and some problems are to be expected. However, the full effectiveness of this conversion has yet to be achieved, and is unlikely to be achieved unless the action items in this report are addressed; viz:

. employing an experienced Treasury auditor to co-ordinate the day to day and strategic activities of the T&I audit function;

. restructuring the T&I audit program to enhance its effectiveness and efficiency ...;

. providing training in basic operational audit concepts such as the treatment and investigation of errors detected during the audit process; and

. establishing standards addressing such matters as sampling, workpaper preparation and review."

A summary of the findings of the consultant were reported to the Bank Board in the Quarterly Internal Audit Report for the period 1 July 1989 - 30 September 1989.

The Bank Board Minutes⁽⁾ record that a summary of the implementation of the matters contained in the internal quarterly report would be provided at a future Board Meeting.

The quarterly report to the Bank Board for the period October to December 1989 reported on implementation of the findings of the review of the Treasury and International Audit Function which noted amongst other things that Internal Audit department was conducting a survey of risks in the Treasury/International banking areas with the objective of formulating an audit plan and that negotiations were concluded with the appointment of an experienced Treasury Audit Manager.

In June 1990, Mrs Chin submitted a `Progress Report' to Mr Clark and Mr Matthews on the strategy which had been pursued since early 1989. The report commented in part in relation to staffing:

". The established numbers were reduced from 40 to 31, to the bare minimum to establish the actual requirements. For the major part of this review period the number was running at less than 25."

". ... A turnover of approximately 75% was required. Apart from the IS [Information Systems] Auditors, most of the Auditors were from the Retail Banking Network. There were no qualified accountants. Most of the staff had no previous experience in Internal Auditing. It was unrealistic to expect them to perform Wholesale Banking and Financial audits. With the assistance of Personnel Department they were relocated back into the Retail Network in a very sensitive manner."

In June 1990, the Board of Directors approved⁽⁾ the extension of the Internal Audit department activity to cover "Bank Group" operations, and this required a further restructure of the department. The restructure involved the amalgamation of the Bank's Internal Audit function with functions in other Group entities.

The Bank Board was informed of progress being made in achieving an appropriate and adequate Internal Audit function within the Bank in the Quarterly Report tabled at the Bank Board Meeting of 26 July 1990. The Minutes record:

"The Group Managing Director informed Directors that progress and upgrading of the Internal Audit function had only been achieved in the last 18 months. Previously, the general function of Internal Audit was very much a checking and reconciling process. The department had significantly been improved since that time with the recruitment of audit professionals and a refocus on departmental objectives.

Directors noted the Quarterly Audit Report."

It is clear from the above that the extent of the restructuring and refocussing of the Department after 1989 was radical, and was needed to be so because of deficiencies entrenched in the Department over the years from July 1984 to July 1989.

For the reasons indicated above in this Chapter I am of the opinion that a fully effective Internal Audit function within the Bank was not in place until mid 1990, just under three years from the time of the Operational Audit Review of the Internal Audit department.

I am, however, satisfied that, after Mrs Chin's appointment as the head of the Internal Audit department, Mrs Chin moved with the required sense of urgency to restructure and refocus the department given the inherent deficiencies that were acknowledged at that time. These changes were achieved despite a general lack of interest (if not suspicion of, and antagonism towards) the department by certain members of Management.⁽⁾

I am of the opinion that, so far as concerns the skill and experience base of the Internal Audit department in the period July 1984 to December 1988, the Bank's procedures, policies and practices were not adequate.

23.6 THE ESTABLISHMENT OF THE AUDIT COMMITTEE

23.6.1 INTRODUCTORY COMMENTS

During the 1980's, many organisations, in both the Public and Private sectors, established Audit Committees to improve the effectiveness of their respective organisation's accountability process.

An Audit Committee is a committee of a Board of Directors, with the primary role of assisting the Board in the discharge of its responsibilities for financial reporting (including statutory and ethical matters) and maintaining a system of internal control. The objectives of an Audit Committee vary for each organisation, but include the following:

(a) to improve the quality of financial reporting;

(b) to ensure the Board makes informed decisions regarding accounting policies, practices and disclosures; and

The size of the Audit Committee is normally dependant on the nature of its responsibilities. Membership is usually three to five people, with a majority of Non-Executive Directors. Non-Executive Directors bring to the Audit Committee an independent viewpoint, the opportunity to pursue issues in greater depth than would be possible at a normal Board meeting, and may also act as a confidential sounding board for the Chairman on such matters as executive remuneration, succession and management structure.

The working relationship between the Audit Committee and Internal Audit should enhance the effectiveness of the Internal Audit activity. The combination of Board Director membership on the Audit Committee, and regular reporting by Internal Audit to the Committee, provides an opportunity for frankness and communication of issues relating to the organisation's internal systems and controls.

On 28 June 1990 the Bank Board considered a paper proposing the establishment of an Audit Committee. This paper observed:

"It has become established practice for major corporations and banks to operate an Audit Committee of the Board.

...

The normal functions performed by an Audit Committee are as follows:

1. Oversight of compliance with statutory responsibilities relating to financial disclosure.

2. Oversight of the company and group internal accounting controls.

3. Review of the Internal Audit department and its activities.

4. To act as the Board's liaison with the External Auditors.

5. To discuss the annual audit plan with the External Auditors.

6. To review the annual report and information derived from the audit.

7. To review the half yearly financial information." ⁽⁾

The Bank Board approved the establishment of an Audit Committee to:

"... consider matters relating to the financial affairs of the Bank, Group Companies and the Group internal and external audit." ⁽⁾

23.6.2 THE DEBATE OVER THE NEED FOR AN AUDIT COMMITTEE AND THE ESTABLISHMENT OF THAT COMMITTEE

The formation of an Audit Committee of the Bank had been considered and discussed at Board and management level of the Bank for two or three years prior to the approval of the establishment of the Audit Committee.

In evidence to the Investigation, a number of Directors of the Bank Board asserted that the issue of establishing an Audit Committee had been raised on a number of occasions and was met with strong opposition from Mr Clark:

(a) Former Chairman Mr Barrett:

"Question: But it was fair to say the Group Managing Director was a bit against the idea of having an Audit Committee?"

"Mr Barrett: Yes, he was, Yes."

(b) Former Deputy Chairman Mr Bakewell:

"Tim was opposed to Audit Committees, very much so."

"He [Tim Clark] disagreed with the concept and said that the Board itself should be the Audit Committee ..."

(d) Mr Searcy:

"... he [Tim Clark] didn't want an Audit Committee."

(e) Mr Simmons:

"... it was certainly something which he [Tim Clark] didn't favour."

Mr Clark, in a statement to the Royal Commission, acknowledged his initial opposition to the establishment of an Audit Committee:

"I had been against it [the establishment of an Audit Committee] as I thought that all directors should take equal responsibility for these "review" functions and that delegation of this responsibility might be counter-productive."

At the Bank Board Meeting held on 27 July 1989, the formation of an Audit Committee was suggested by a Director, but not approved. The Board Minutes record:

"The formation of a Board audit sub-committee was suggested by a Director, however, it was considered that management should further review the matter and prepare a report for a later Board meeting."

In response to the request of the Bank Board, an Information Paper titled `Audit Committees' was presented to the Bank Board Meeting held on 28 September 1989. The Information Paper, prepared by Mr Matthews, and, which had been "noted" by the Executive Committee, concluded that with the level of contact being maintained by the Bank Board with the Internal and External Auditors, the Bank Board:

"... is effectively acting as the "Audit Committee". Provided that appropriate time is allocated at Board meetings for discussion with the external auditors, and given the overall responsibility of all directors for the financial affairs of the organisation, it is considered that the present arrangement should continue."

On this occasion, the Bank Board did not move to establish an Audit Committee. The minutes record that:

"... it was appropriate for the Board to meet on a half-yearly basis with the Bank's internal and external auditors following completion of the half-yearly and annual financial accounts."

In the months following the September 1989 Board meeting, Mr Simmons made inquiries of the Bank's External Auditors and Mrs Chin regarding the operations and composition of Audit Committees. On 10 November 1989, Mr T J Whimpress, Partner, Peat Marwick Hungerfords, and one of the Bank's external auditors, wrote to Mr Simmons advising him of the results of a survey conducted of major commercial banks, State banks, and other banks, in relation to audit committees. This survey indicated that a number of the major banks had formal audit committees. Most State and other banks noted in the survey generally did not have audit committees.

In March 1990, Mr Simmons informed Mr Clark that he had decided to seek the establishment of an Audit Committee, and at the Bank's Strategic Planning Conference in March 1990, Mr Clark informed key management personnel that an Audit Committee was to be established.

The inaugural meeting of the Audit Committee was held on 13 July 1990. Membership of the Committee comprised Mr Bakewell (Chairman of the Audit Committee), Mr Prowse, Mr Searcy, Mr Simmons (Chairman of the Bank Board - ex officio) and Mr Clark. Mr Copley, Mrs Chin and the External Auditors attended meetings of the Committee. A quorum for the Committee consisted of at least three Non-Executive Directors.

The Terms of Reference of the Audit Committee, provided a wide ranging brief to enquire into the financial affairs of the Bank.

The Terms of Reference were:

"The Audit Committee shall consider any matters relating to the financial affairs of the Bank and its Group of Companies and to the Group Internal and External Audit, that it determines to be desirable. In addition, the Audit Committee shall examine any other matters referred to it by the Board." ⁽⁾

The particular duties conferred on the Audit Committee included:

"To review management procedures designed to monitor the effectiveness of the systems of accounting and internal control.

To monitor the effectiveness of the group audit function".

Under the chairmanship of Mr Bakewell, the Audit Committee quickly became active, meeting on seven occasions from its inaugural meeting, on 13 July 1990, until February 1991.

The Investigation's review of the minutes of the Audit Committee indicate that the opportunity to obtain a better grip on issues arising out of Internal Audit's reviews was not lost. At its meeting on 20 November 1990, the Committee considered the Quarterly Group Audit Report for the period 1 July 1990 to 30 September 1990, and directed that modification be made to the Report, highlighting matters of concern. Overall, the Investigation's review of the Audit Committee Minutes indicated a far wider ranging and more in-depth consideration of issues by directors in that environment than had previously been the case in the forum of the full Bank Board.

The Audit Committee provided a far more focussed and dedicated environment for dealing with Internal Audit matters with a continuous attendance by the head of Internal Audit throughout the whole of the meeting of the Audit Committee. Meetings of the Audit Committee provided a forum for Internal Audit department to be pro-active in relation to matters on that Committee's agenda, rather than simply being reactive as it was in the Bank Board forum by simply answering specific questions put by Directors.

23.7 SUPERVISION AND CONTROL OF THE INTERNAL AUDIT FUNCTION

23.7.1 GENERAL

Internal Audit department, after 1989, presented detailed reports of findings, together with recommendations for follow-up action by management to the Bank's senior management, and reported upon these detailed reports in Quarterly Reports to the Executive Committee and to the Bank Board. Prior to this, the Internal Audit department presented reports to the Executive Committee and the Bank Board in both Quarterly Operating Reviews and in Half Yearly reports.

From the time of the Quarterly Report for January to March 1990, the Executive Summary in the Quarterly Report contained a summary of audit reports indicating the audit grading conferred on the area which was the subject of the audit. In a number of instances, specific accounts were the subject of a report, and the grading thereof indicated to the Executive Committee and the Bank Board in the Executive Summary.

So far as the Bank's executive management is concerned, recommended remedial action by auditee managers was noted in the substantive audit reports and progress on implementation of remedial action was reported in the Quarterly Reports to the Executive Committee and the Bank Board where follow-up audits had been conducted. This Chapter does not consider the outcomes of the process of follow-up of remedial action, but does note that a system was in place whereby the head of the Internal Audit department dealt directly with the auditee manager concerned and, as may have been appropriate, Mr Matthews or Mr Copley acted as "mediator".⁽⁾

23.7.2 GROUP MANAGING DIRECTOR

I am of the opinion that a direct reporting line to the Group Managing Director would have significantly ameliorated or prevented what Mrs Chin described as the "attrition process of dispute" in relation to her dealings with auditee managers.⁽⁾ For the Internal Audit function of the Bank to have operated effectively, any "mediator" in disputes between the Internal Audit department and auditee managers should have been a person who was not himself or herself potentially an auditee. By directing Internal Audit to report to an intermediate divisional executive, the Group Managing Director cut himself off from more direct involvement in matters effecting the Bank's internal control mechanisms.

Notwithstanding the above, I am satisfied that Mr Clark was generally supportive of the activities of the Internal Audit department with both Mr Gates and Mrs Chin having direct access to him.

In his Submission to the Investigation, Mr Clark conceded that, by 1987, the Bank had grown and expanded into many areas where the Internal Audit department "probably did not have appropriate experience." ⁽⁾ In his Submission to the Investigation, Mr Clark also stated that the degree of urgency applied to the deficiencies in the Internal Audit department was based on his assessment at the time that there were no problems requiring any greater level of urgency. Mr Clark acknowledges that "it is now apparent that the Bank was growing too quickly and that this growth outstripped its internal resources, [however] this was not obvious or apparent to senior executives at the time." ⁽⁾ In my opinion Mr Clark should have been aware of the need for a greater level of urgency in attending to the deficiencies in the Internal Audit department. In this matter, he failed to demonstrate an appreciation of the critical importance of the need for a comprehensive and effective Internal Audit function within the Bank.

In relation to reporting to the Bank Board, whilst I have referred in this Chapter to circumstances where, in my opinion, more comprehensive reports should have been made to the Bank Board, I am satisfied that, to the extent to which the Bank Board may have been mislead, or not provided with all information that in my opinion, was necessary for the proper discharge by the Bank Board of its obligations, this was not deliberately intended by Mr Clark. It remains true that his indifference to the shortcomings in the reports should have engaged his attention and prompted him to correct them.

23.7.3 MR K S MATTHEWS

For the predominant part of the period under review, Mr Matthews was the executive responsible for the Internal Audit department. His role as the responsible divisional executive is examined throughout this Chapter.

The striking feature of his management is the absence of a sense of urgency in bringing the Internal Audit department "up to the mark". The Investigation accepts that Mr Matthews had to bear in mind the personnel issues and structures operating within the Bank, but in evidence to the Investigation, he acknowledged that he had concerns about the Department for a substantial period of time, and that progress in bringing the Department "up to the mark" was slow:

"Question: Were you specifically concerned about the fact that up until [1987] ... that the Bank did not have an effective Internal Audit function to deal with head office type audits rather than the branch audits?

Mr Matthews: I was concerned, yes, that we [the Bank] were moving in this direction [into high risk areas of Corporate Banking etc] and that we were slow in developing our Internal Audit function, hence my comments to Internal Audit about shifting focus of their audit from branch based retail based into these other areas and developing their skills to conduct appropriate audits in these areas." ⁽⁾

Mr Matthews, who left the Bank during 1990, saw the lack of availability of suitably qualified people as one of the major factors behind the Bank's deficiencies in its Internal Audit capacity.

"Question: [Can I take it then from your evidence that] while perhaps the development of the new style, the new approach into risk based auditing was a little late, it was certainly moving in the right direction and gaining momentum by the time you left the Bank.

Mr Matthews: Yes I believe that it was. You know, perhaps it wasn't moving as fast as we would have liked it to have moved, but it was certainly moving and I believe that it was pointing in the correct direction. It's the lack of availability of people was one of the major factors that, given all of that, I believe that what we were doing was correct." ⁽⁾

Mr Gates gave evidence to the Investigation of his frustration in seeking to obtain from Mr Matthews support for initiatives which would have enhanced the status and operational effectiveness of the department. An example of this is the rejection, by Mr Matthews in January 1987, of the various proposals contained in Mr Gates' memorandum on the Internal Audit function of the Bank.

In his Submission to the Inquiry, Mr Matthews pointed to steps taken to improve the operational effectiveness of the Internal Audit department, in particular staff training. Mr Matthews also pointed to his "frustration in trying to recruit trained staff in the "open market".

I accept that Mr Matthews was taking steps to remedy what he perceived to be deficiencies in the Internal Audit department having regard to the growth and diversification of the Bank. Mr Matthews, like Mr Clark, however, in my opinion, failed to respond with the required level of urgency to deal with these issues. In this matter, he, as was the case with Mr Clark, failed to demonstrate an appreciation of the critical importance of the need for a comprehensive and effective Internal Audit function within the Bank.

In this Chapter I have expressed the opinion that certain reports by Mr Matthews to the Bank Board were not as comprehensive as they should have been, and that such reports may have mislead the Bank Board or failed to provide information which in my opinion, was necessary if the Bank Board were properly to discharge its obligations. I am however satisfied, that in no case did Mr Matthews intend to mislead the Board or to deliberately conceal material information. As is the case with Mr Clark, it remains true that his indifference to the shortcomings in the reports should have engaged his attention and prompted him to correct them.

23.7.4 MR K P RUMBELOW

Mr Rumbelow was the divisional executive responsible for the Internal Audit department during the period July 1984 to June 1986.

During this period, the deficiencies in the department's audit coverage, approach and methodology, and skill and experience base, were apparent; the primary focus of the department's audit coverage was the Retail branch network.

I am however satisfied, that attention was being given by the Internal Audit department in consultation with the external auditors; the outcome was evidenced by the external auditors letter to Mr Clark, in March 1986, referred to earlier in this Chapter. I acknowledge also the impact on the priorities of the Internal Audit department in the circumstances that existed in the immediate post merger period.

23.7.5 THE BANK BOARD

The Bank Board received regular reports in relation to Internal Audit activities throughout the period under review by the Investigation. This information was provided quarterly, with varying degrees of detail over the period under review. As I have indicated above in this Chapter, there were occasions when, in my opinion, more information should have been provided to the Bank Board; I am satisfied that management did not intend to mislead or conceal material information from the Bank Board.

An objective reading of the various reports to the Bank Board indicates some Internal Audit activity in relation to each of the Bank's high risk areas of operation. The Non-Executive Directors have given evidence to the Investigation, which I accept, that they understood from the reports presented to the Bank Board that Internal Audit activity was focussed in the Bank's high risk areas of Corporate, Treasury and International.

Coupled with this flow of information were a number of statements made by management to the Bank Board indicating adequacy and effectiveness of the Internal Audit function. These statements were made in March 1986 in relation to the review conducted by the external auditors and reported in their letter to Mr Clark of March 1986, and in August 1988 in relation to the half yearly report to June 1988. In addition, the Non-Executive Directors gave evidence that they were comforted in seeing, in the August 1987 Strategy Paper presented to the Bank Board, that management was moving appropriately to ensure an adequate and effective Internal Audit function.

I am satisfied that, until mid 1989, the Bank Board had no reason to doubt the adequacy and effectiveness of the Internal Audit function. Whilst Mrs Chin's Strategy Plan and her various reports to the Bank Board may have cast doubt upon the efficacy of the Internal Audit function prior to her appointment as head of Internal Audit department, it was at the same time obvious that the department was moving with a sense of urgency to remedy deficiencies identified.

The former Chairman of the Bank Board, Mr Barrett, gave the following evidence in relation to the Bank Board's approach towards Internal Audit:

"Mr Barrett: ... The Board fully appreciated the importance of the Internal Audit role ... While I was Chairman of the Board I had an understanding with the Chief Internal Auditor of the Bank, by the name of Howard Gates at that time, that he always had the right to come to me as Chairman if he had any problems but he never did actually so I presume everything was working to his satisfaction.

Question: Did the Board see any need for the scope of Internal Audit to change, given the significant change in the underlying activities of the Bank?

Mr Barrett: Yes, yes. It was never formally discussed at a Board meeting but I'm sure the Board members would appreciate the need for this to change and I would have thought the Manager of the Internal Audit department would have been conscious of these things and put into Management for resources to expand his operations but it never came to the Board, to my knowledge.

Question: Are you saying, there, Mr Barrett, that notwithstanding the degree of those changes that if the Internal Audit and Management don't come and ask for some sort of review of their role, then there isn't one that's required?

Mr Barrett: Well, from a Board member's point of view, yes, yes, yes." ⁽⁾

Throughout his term as a director, Mr Bakewell was aware of the deficiencies in the Internal Audit department in relation to its skill base, coverage and approach and methodology:

"Mr Bakewell: ... [In 1983] the two previous banks formed Internal Audit. The function was mainly confined to branch banking audit and it was mainly of what might be termed a compliance nature in the audit structure of doing things, were they complying. [In 1988] they had 40 people on the staff of which only a very limited number were in any way qualified. The main objective was passbook banking in the sense of checking passbooks, checking the branches on the regularity of the carrying out of their functions, surprise branch visits to see if the petty cash was right, if that's the way to put it, or there'd been no bigger loans given.

And was only in the period after that, when Margaret [Chin] was recruited I think in September [1988] that the review pattern came into effect and the staff gradually built up to when I left the Bank it was 51 but they were in the majority at that stage qualified people. ... [From the time of joining the Bank in 1985] Internal Audit was probably the least of my particular concerns. We did get from Howard Gates quarterly reports to us on the audit situation but they were not very, without downgrading him, meaningful pieces of paper.

Margaret Chin's first reports came forward in a much more logical presentation fashion, the quarterly and the yearly reports, and the audit plans we were starting to get certainly made you realise that audit was there. [In 1985, 1986, 1987] your reports were very meaningless.

...

Mr Bakewell: ... [Internal Audit department] weren't seen as a very valuable unit of information in the first few years.

Question: Seen by whom Mr Bakewell? By Management or the Board?

Mr Bakewell: I think it's fair to say at least by me but my colleagues might have different views. I didn't really look to them in those early years. Perhaps I should have done but I didn't."

In later evidence Mr Bakewell further explained these comments as follows:

"...

Mr Bakewell: Yes, Mr MacPherson. I must admit to be slightly horrified. I do not mean that I was necessarily misquoted because no doubt some of this is on tape or however it goes on, but certainly in the context of it because some of this is incorrect, because the - - -

Mr Abbott: I would like to take it bit by bit and qualify it in any way you would like to, perhaps sentence by sentence.

Mr Bakewell: Well, it implies that in 83 the two banks had Internal Audit. I think I already made earlier in the conference that the one in the State Bank - the one in the old Savings Bank, I am sorry, was certainly earlier than that, and the one in the State Bank was not formed - the old State Bank, was not formed until 83. It is true that in those particular early days it was confined to what might be termed compliance banking.

I am not sure how people are doing things, how the petty cash was and, you know, the delegations that were being followed up, but going to the first two sentences, really it starts in 85, the Savings Bank, 83 with the old State Bank. The next sentence in brackets is 88. They had 40 people on the staff. I qualify that because I am not quite sure on the 40 people, what date that was.

Mr Abbott: It does not - - -

Mr Bakewell: At that stage of the game I did have the opportunity of having had all the figures at the tip of my hand. In 88 they were not limited, as far as I was aware, to purely looking at passbook banking or - sorry.

Mr Abbott: Mr Bakewell, the thrust of that first paragraph is that when Internal Audit go up - sorry, was commenced in the State Bank and during its early years, it did not do much by way in Internal Audit. It did mainly work by way of what you would call a compliance nature. Now, was that your understanding of Internal Audit under Mr Gates?

Mr Bakewell: That was not what I was trying to say.

Mr Abbott: Right. Well, you - - -

Mr Bakewell: Because in the period between 75 and 83-4, Mr Barrett, who had taken over in 80 as chairman of the old Savings Bank, upgraded quite considerably the interface between what was then called - it was not called Internal Audit, it was called something else, and the external auditors. The old State Bank's auditor would have been the Auditor-General of the day, with an arrangement as to what Internal Audit arrangements were to be made, subject to the Auditor-General, the external auditors.

Clearly when the bank was amalgamated in 84, I cannot comment because I was not a director of the bank at that stage, as to what structure they had, but when I joined the bank and attended my first board meeting in 85, my understanding was that they had gone considerably further forward than compliance banking, into an area of more active audit of the areas of the bank, and this was borne out by Mr Gates at the various meetings, or Mr Rumbelow, where he would make his report to the board, Internal Audit report, so I have no reason to think - well, I did not certainly mean to put it in that way, as it is there.

Mr Abbott: In any event, you wish to correct any impression that this has given, that you or other members of the board held that the Internal Audit section under Mr Gates, was merely a compliance section.

Mr Bakewell: No

Mr Abbott: And as far as you were aware was actually conducting - - -

Mr Bakewell: Well, this is impression we got and this is the way things appeared.

Mr Abbott: I am sorry, what is the impression?

Mr Bakewell: Well, that Mr Gates indicated that he had access and was covering those areas of the bank and that the chairman would ask him if he had access, etcetera, and he implied that he did.

Mr Abbott: And you understood that all property and Internal Audit functions were being carried out?

Mr Bakewell: Yes.

Mr Abbott: Now, at the bottom of page 80, the quote from you, continuing the quote from you says:

We did get from Howard Gates quarterly reports to us on the audit situation but they were not very, without downgrading him, meaningful pieces of paper.

What did you mean by that?

Mr Bakewell: Well, I was chairman of the audit committee of another company and we were getting at that stage some quite meaningful information put up to us and Gates, while he gave us the information as agreed through management, was not getting into the nitty-gritty but I could not relate the company I was involved with because it was dealing in different things completely to the bank's needs. Clearly, the external auditors were quite confident that the areas that were necessary were being covered because they raised no query and the external auditors, as I said earlier, had to approve anyway the plan of the Internal Auditors and it is accentuated, Mr Chairman, because once Margaret Chin who was an experienced auditor with IFC Malaysia came in you then got a total different picture and in looking backwards you can realise now that the papers you were getting from Gates were not as meaningful as they could be. So what I am trying to get at is that at the time perhaps they seemed quite reasonable, but once I started getting something more significant I realised that we had not been getting what we should have been getting.

Mr Abbott: And is that why at page 81 you say, referrable to the years 85, 86 and 87 that the board's reports on Internal Audit were very meaningless?

Mr Bakewell: Yes, perhaps that is - - -

Mr Abbott: Is that meaningless compared to Mrs Chin?

Mr Bakewell: To Mrs Chin, that is what I really - - -

Mr Abbott: That is a hindsight view not a view at the time?

Mr Bakewell: No, not at the time.

Mr Abbott: I do not mean that at the time what I saw within the circumstances and the time element seemed reasonable.

Mr Costello: Well, is this the position, as the report says, that the Gates reports were not meaningful in the sense that Mrs Chin's were, namely, that hers were presented in a logical fashion.

Mr Bakewell: Yes, I am not sure that even "logical" is a good way of putting it. It was a more thorough and more detailed - - -

Mr Abbott: More fleshed out.

Mr Bakewell: More fleshed out and raising the points that directors should be aware of. That is the way to do it. I mean, she was an experienced Internal Auditor, president of the Malaysian Internal Audit for a number of years ..." ⁽⁾

I am satisfied that the internal audit procedures were less than satisfactory prior to Mrs Chin's appointment.

In considering whether or not the directors of the Bank discharged their collective and individual responsibilities to the Bank in relation to the Internal Audit function, I have had regard to the decision in AWA Limited V George Richard Daniels trading as Deloitte Haskins and Sells.

In this case, the Chief Justice of the Commercial division of the New South Wales Supreme Court, Mr Justice Rogers, made the following observations in relation to directors' duties:

"Conventional wisdom held that a director need not exhibit, in the performance of duties, a greater degree of care, skill and diligence than may reasonably be expected from a person of his or her knowledge or experience ... More recent wisdom has suggested that it is of the essence of the responsibilities of directors that they take reasonable steps to place themselves in a position to guide and monitor the management of the company ... Directors should bring an informed and independent judgement to bear on the various matters that come to the Board for decision.

Of particular relevance in this case is the proposition that a director properly performing his duty and having previously been put on enquiry would want to know the up-to-date position about matters.

The Chairman is responsible to a greater extent than any other director for the performance of the Board as a whole and each member of it. The Chairman has the primary responsibility of selecting matters and documents to be brought to the Board's attention, for formulating the policy of the Board and promoting the position of the company."

On the basis of the evidence available to me I am satisfied that the Bank Board did not take a sufficiently active interest in the Internal Audit function of the Bank as was called for having regard to the Bank's growth and diversification.

As is dealt with in detail in Section 23.8, those directors who were also directors of Beneficial Finance Corporation were especially put on notice as to the deficiencies in the Bank's Internal Audit function.

In my opinion, the Bank Board failed in its duty to ensure that the Internal Audit of the accounts of the Bank were "adequate and appropriate". In particular, the Bank Board failed to give to Management any adequate direction and failed to exercise the required level of control and supervision over Management in respect of the Internal Audit function of the Bank until mid 1990.

23.8 MATTERS PARTICULAR TO DIRECTORS COMMON TO BOTH THE BANK AND BENEFICIAL FINANCE CORPORATION LIMITED

During the period under review, the following directors were common to both the Bank and Beneficial Finance Corporation:

(a) Mr D W Simmons;

(b) Mr T M Clark;

(d) Mr R P Searcy;

(e) Mr A R Prowse; and

(f) Mr A G Summers.

Matters relating to the Internal Audit function within Beneficial Finance Corporation are to be the subject of a later report to be made by me. For the purpose of this Report, I note that by way of comparison that from the time Beneficial Finance Corporation became a subsidiary of the Bank, the coverage and standard of reporting by the Beneficial Finance Corporation Internal Audit department to the Beneficial Finance Corporation Board informed the Board of operational and strategic matters considered significant by the department and, most importantly, put the Beneficial Finance Corporation Board on notice as to adverse findings in the department's substantive audit reports. As an example, the Internal Audit Report to the Beneficial Finance Corporation Board for the period August to December 1984 indicated the following matters:

(a) Audit Coverage

This coverage was divided into branches, nationwide, head office, termination of employment and special audits.

(b) Grading System

The gradings applied were Excellent (E), Satisfactory Plus (S+), Satisfactory (S), Satisfactory Minus (S-) and Unsatisfactory (U).

(c) Grading Summary

A grading summary was included, which indicated the latest audit grading together with the previous audit grading for comparative purposes.

(d) Reports on Specific Audits

Summaries of the audit findings and recommendations as appropriate were included.

As a comparison, the Bank's Internal Audit Report for the quarter ended December 1984 contains no gradings or gradings comparison table and, on the whole, the commentary is in the nature of a status report on audits rather than a report of findings and recommendations.

A review of the respective Internal Audit reports to the Beneficial Finance Corporation Board indicates that, from the time of Beneficial Finance Corporation becoming a subsidiary of the Bank, the Internal Audit department targeted that company's risk areas for Internal Audit attention and, in addition, were responsive, in a planning, staffing, and structural sense to the company's change in strategic and operational focus, and to its consequent changing risk profiles.

A grading system was not incorporated into the Internal Audit Reports to the Bank Board until the quarterly report for the period January to March 1990. A grading system permits a consideration of control systems by reference to standard benchmarks, and facilitates comparative assessment and historical development in relation to the internal control systems. A comparative grading analysis was, at no time up until the end of the period under review, introduced for the benefit of the Bank Board.

In evidence to the Inquiry⁽⁾, Mr Searcy said that some of the common Directors did express the belief that the Internal Audit Reporting System in Beneficial Finance Corporation "was a much better system than the system used by State Bank" and that Mr Searcy recalled this occurring "probably in about 1987".

23.9 CONCLUSIONS REGARDING THE INTERNAL AUDIT FUNCTION OF THE STATE BANK OF SOUTH AUSTRALIA

In the examination of whether or not the Internal Audits of the accounts of the Bank were "appropriate and adequate", particular regard has been paid to the following matters:

(a) Internal Audit Charter;

(b) reporting lines and the issue of independence;

(d) audit coverage of risk areas of operation;

(e) approach and methodology;

(f) resources and expertise in the Internal Audit department; and

(g) establishment of an audit committee.

In addition to a consideration whether the operations, affairs, and transactions, of the Bank, and of the Bank Group, were adequately or properly supervised, directed, and controlled, attention was also directed to the following matters:

(a) the nature and volume of information passing between the various levels of Management through to the Bank Board;

(b) the completeness of this information; and

With respect to the matters referred to in items (a) to (g) above regarding the appropriateness and adequacy of Internal Audit, my general conclusions are as stated hereunder.

(a) Internal Audit Charter

In my opinion whilst the promulgation of an approved formal Internal Audit Charter would have enhanced the status and general understanding of the authorities and responsibilities of the Internal Audit department throughout the Bank, I am satisfied that the absence, until June 1989, of such a Charter did not interfere with or compromise the discharge by the Internal Audit department of its functions.

(b) Reporting Lines and the Issues of Independence

The requirement for the Internal Audit department to report to a divisional executive who was potentially a significant auditee, in my opinion, was a structural deficiency in the organisational arrangements within the Bank. There is, however, no evidence that this structural deficiency in fact interfered with or compromised the discharge by the Internal Audit department of its functions.

(c) Access to Information

The Internal Audit department had authority for "full, free and unrestricted access to the [Bank's] records, physical properties and personnel" subject to the Bank Board endorsed exception in relation to "executive salary information" which was maintained off site by a firm of chartered accountants. In my opinion, such an authority was essential for the Internal Audit department to discharge its functions for the full and effective review of the internal control systems of the Bank. I regard the exception relating to "executive salary information" as constituting an unreasonable restriction upon the Internal Audit department's authority to access information and, in my opinion, the explanation advanced by Mr Clark and the Board members who gave evidence to my investigation indicates a failure to appreciate the need for proper accountability in a publicly owned institution.

Subject to the above, and with the exception of the matters noted in relation to the audit of Personal Financial Services as discussed in Section 23.3.4 above and in relation to Part B of the Executive Committee Minutes, I am of the opinion that throughout the period under review by the Investigation the Internal Audit department had appropriate access to information to enable it to discharge its functions.

(d) Internal Audit Coverage

For the first four years of the Bank's operations, Internal Audit coverage of the Corporate Banking and Treasury Operations was, in my opinion, neither appropriate nor adequate. Internal Audit department attention to the retail branch network and the EDP environment of the Bank was, no doubt, appropriate, given the operational issues arising immediately post-merger. Corporate Banking and Treasury were areas of significant growth and diversification.

Treasury Operations were growing and diversifying into areas, not only of assisting in the asset and liability management process, (ie liquidity management, interest rate risk management), but also into dealing purely for profit making purposes. These areas clearly called for appropriate and adequate coverage by Internal Audit. In my opinion, it was not until mid 1989 that an appropriate and adequate Internal Audit function was brought to bear in Treasury. In my opinion, it was not until mid 1990 that an appropriate and adequate Internal Audit function was brought to bear in relation to Corporate Banking.

(e) Audit Approach and Methodology

The change in audit methodology that occurred in early 1989 went hand in glove with the refocus of attention on high risk areas of the Bank's operations.

In my opinion, during the period July 1984 to the end of 1988, the Internal Audit approach and methodology was a continuation of that which had applied in the predecessor merged banks, and was not appropriate or adequate to deal with the changing risk profiles facing the Bank. The situation began to significantly improve after 1989, but with appropriate lead time required to bring to bear an effective function, it was not until 1990 that the department's approach and methodology reasonably matched the risk profiles, and the internal control system demands of the Bank at that time.

(f) Resources and Expertise in the Internal Audit Department

The resources and expertise available in the Internal Audit department to carry out full operational audits of high risk head office operations was a major problem for the Bank. I am satisfied that the deficiencies in the Internal Audit department skill and experience base were apparent to Mr Clark and Mr Matthews, and that steps were being taken both in terms of training and recruitment to attend to these deficiencies. The rate of change and improvement, however, was in my opinion, not in keeping with the demands on the Internal Audit department flowing from the Bank's growth and diversification.

(g) Establishment of the Audit Committee

In my opinion, meetings of the full Bank Board provided only a limited forum for dealing with matters relating to Internal Audit, given the internal control system demands arising out of the Bank's growth and diversification.

The Audit Committee was a more focused and dedicated environment for dealing with Internal Audit matters; moreover, the head of Internal Audit was in attendance throughout the whole of the meeting of the Audit Committee. In addition, meetings of the Audit Committee provided a forum for the Internal Audit department to be pro-active in relation to matters on that Committee's agenda, rather than simply being reactive, as was the case at meetings of the Bank Board.

I am satisfied, however, that the failure by the Bank to establish an Audit committee until June 1990 did not of itself render the Internal Audits of the accounts of the Bank not appropriate or not adequate.

(h) Supervision, Direction and Control

With respect to the matter of the supervision, direction and control of Internal Audit and the matters referred to in items (i), (ii) and (iii) above my general conclusions are as stated hereunder:

(i) Mrs M Chin

I am satisfied that Mrs Chin fully and diligently attended to the discharge of her responsibilities to the best of her ability.

(ii) Mr H Gates

The deficiencies of the Internal Audit department in relation to its resources and expertise, approach and methodology, and audit coverage, were well known to senior management of the Bank.

In his evidence to the Investigation, Mr Gates was open and frank about the deficiencies in both his own and his department's skill and experience base to carry out head office audits.

In any event, Mr Gates saw that, after the merger, the initial priority for the department's attention was on the retail side of its operations and computer systems. Mr Gates did, however, feel a growing sense of concern about the Bank's risk profiles, with its expanding corporate book and moves overseas. His attempts to improve the scope, approach and methodology, and standing, of the department in January 1987 were rejected by Mr Matthews. One of the proposals rejected, as noted in the body of this Chapter, was the introduction of a form of credit inspection capacity within the department.

I am satisfied that Mr Gates fully and diligently attended to the discharge of his responsibilities to the best of his ability.

(iii) Mr K P Rumbelow

As noted above, the period during which Mr Rumbelow was the divisional executive responsible for the Internal Audit department was the immediate post-merger period. Mr Rumbelow was responsible for the department up until June 1986, and whilst this was a period of growth and diversification, this was not as great as occurred during Mr Matthews' term as divisional executive responsible for the department.

I am satisfied that, in the circumstances then prevailing in the Bank, Mr Rumbelow adequately discharged his responsibilities.

(iv) Mr K S Matthews

Mr Matthews, as the executive responsible for the Internal Audit department, for the majority of the period under review, he did not display the sense of urgency in upgrading the capacities of the Internal Audit department to carry out Internal Audits of the high risk areas of the Bank's operations as, is my opinion, was then required in the circumstances of the Bank. As I have stated in Section 23.7.3 above, in this matter he failed to demonstrate an appreciation of the critical importance of the need for a comprehensive and effective Internal Audit function within the Bank.

So far as the Bank's overseas operations were concerned and, in particular, the failure to conduct an on-site Internal Audit of the London branch operations between the period August 1985 and May 1989, Mr Matthews gave evidence of his reliance upon the external auditors of the London branch to carry out a review of the branch's internal systems and controls. It was clear, however, both in relation to the London branch and in relation to the Bank generally, that the external auditors were conducting only a limited review of internal systems and controls. Mr Matthews could not have failed to understand that this was the case, as the advice from the external auditors was clear on this matter. Whilst a review of internal systems and controls was conducted by Messrs KPMG Peat Marwick McClintock for the purposes of reporting to the Bank of England, that review was specifically for that purpose and not for Management's purposes generally. The involvement of KPMG Peat Marwick McClintock was not a substitute for having an adequate Internal Audit function brought to bear by way of an on-site inspection of the overseas branch's operations.

Given Mr Matthews' long experience as a banker, his very senior position within the Bank structure, his regular attendance at Board meetings, and his awareness of the Bank's new and developing risk profiles, his attitude towards the deficiencies that must have been apparent to him in the Internal Audit department has not, in my opinion been adequately explained.

(v) Mr S G Paddison

For the reasons indicated in Section 23.4.3 above, I am of the opinion that Mr Paddison's actions in relation to his memorandum to Mrs Chin, dated 21 September 1990 do not reflect what would be expected of a senior executive on an important matter of accountability.

(vi) Group Managing Director

Mr Clark had little direct involvement in the Internal Audit function of the Bank. Mrs Chin gave evidence to the Investigation that Mr Clark was supportive of the developments in Internal Audit although Mr Clark's denial of access to information in relation to the Internal Audit of Personal Financial Services department stands out in this respect. Mr Clark did receive regular direct briefings by the head of Internal Audit department over the period under review in addition to his involvement in reviewing Internal Audit reports presented to the Executive Committee, and in approving Internal Audit reports for presentation to the Bank Board. On all of the evidence available to me, I am satisfied that Mr Clark was fully appraised of the department's inactivity in the area of head office audits.

As the interface between Management and the Bank Board, Mr Clark was best placed to ensure that the inadequacies in the Internal Audit department, its audit coverage, and its approach and methodology, were remedied. I am, however, of the opinion, that Mr Clark did not display the sense of urgency in upgrading the capacities of the Internal Audit department to carry out Internal Audits of the high risks areas of the Bank's operations as, in my opinion, was required in the circumstances of the Bank throughout the period under review. As I have stated in Section 23.7.2, in this matter he failed to demonstrate an appreciation of the critical importance of the need for a comprehensive and effective Internal Audit function within the Bank.

(vii) Bank Board

Throughout the period under review, the Bank Board received a consistent flow of information concerning the Internal Audit department's activities. The Bank Board was, also, from time to time reassured by management that the department had adequate resources, and was adopting strategies to protect the interests of the Bank and to assure integrity of internal control systems.

For the reasons stated in this Chapter the Internal Audit function was not adequate to meet the needs of the bank in a number of major risk areas of its operations. The Board cannot escape some responsibility for the situation. The deficiencies with respect to Internal Audit were of a serious nature having regard to the type of business being transacted by the Bank. The Board was placated by management assurances in circumstances when, in my opinion, a vigilant Board, probing the assurances of management, would have elicited information to demonstrate that there were serious gaps in the Internal Audit coverage of important risk areas within the Bank.

In the circumstances, I am of the opinion, that the Board of Directors of the bank failed to adequately supervise, direct and control the affairs of the Bank regarding its Internal Audit operations.

23.10 REPORT IN ACCORDANCE WITH TERMS OF APPOINTMENT

23.10.1 TERMS OF APPOINTMENT A

I have investigated and enquired into matters relating to the Internal Audit function of the Bank, as directed in Term of Appointment A(g). For the reasons indicated in this Chapter, I hereby report that, in my opinion, the Internal Audits of the accounts of the Bank during the periods indicated in the Chapter, were not appropriate and were not adequate in relation to:

(a) access to "Executive Salary Information";

(b) Internal Audit coverage of Corporate Banking, International and Treasury;

(d) the resources and expertise in the Internal Audit department.

In the Introduction to this Chapter, I referred to the fact that Internal Audit is considered under Terms of Appointment A(b), A(c), A(d) and A(e). This is because, in my opinion, the function was an integral part of the processes of the Bank. In my opinion, for the reasons discussed in this Chapter, the processes relating to the discharge of the Internal Audit function were not appropriate, and were not adequate during the periods indicated in the Chapter. Although the the failure of Internal Audit function cannot in itself be said to have been solely responsible for the losses reported as at February 1991 and the holding of significant non-performing assets, nevertheless, when taken into account with other functional deficiencies, it was a contributing factor, and I find accordingly.

23.10.2 TERMS OF APPOINTMENT C

I have also, as directed by my Term of Appointment C investigated and inquired into matters relating to the supervision, direction and control of the Internal Audit function within the Bank. For the reasons indicated in this Chapter, I herewith report that, in my opinion:

(a) the operations, affairs and transactions of the Bank with reference to the Internal Audit function were not adequately or properly supervised, directed and controlled by the Board of Directors of the Bank, the Chief Executive Officer (Mr T M Clark) and Mr K S Matthews; and

(b) the operations, affairs and transactions of the Bank with reference to Internal Audits of Corporate Banking, were not adequately or properly supervised, directed and controlled by Mr S G Paddison.

23.10.3 TERMS OF APPOINTMENT D

I have further, as directed by my Term of Appointment D, investigated and inquired into whether the information and reports, given by the Chief Executive Officer, Mr T M Clark, and other officers of the Bank to the Bank Board, were in all the circumstances timely, reliable, and adequate, and sufficient to enable the Board to discharge adequately its functions under the Act. For the reasons indicated in this Chapter, I am of the opinion that the information and reports given by the Chief Executive Officer (Mr T M Clark) and Mr K S Matthews to the Bank Board were not, under all the circumstances, timely, reliable, and adequate, and were not sufficient to enable the Board to discharge adequately its functions under the Act.

CHAPTER 23 INTERNAL AUDIT OF THE STATE BANK

23.1 INTRODUCTION

23.2 BACKGROUND AND REFERENCE INFORMATION

23.3 THE CHARTER OF THE INTERNAL AUDIT FUNCTION AND ITS APPLICATION

23.4 THE APPROACH AND PROGRAMS OF THE INTERNAL AUDIT FUNCTION

23.5 RESOURCES AND EXPERTISE IN THE INTERNAL AUDIT DEPARTMENT

23.6 THE ESTABLISHMENT OF THE AUDIT COMMITTEE

23.7 SUPERVISION AND CONTROL OF THE INTERNAL AUDIT FUNCTION

23.8 MATTERS PARTICULAR TO DIRECTORS COMMON TO BOTH THE BANK AND BENEFICIAL FINANCE CORPORATION LIMITED

23.9 CONCLUSIONS REGARDING THE INTERNAL AUDIT FUNCTION OF THE STATE BANK OF SOUTH AUSTRALIA

23.10 REPORT IN ACCORDANCE WITH TERMS OF APPOINTMENT

Stay informed about our work

CHAPTER 23
INTERNAL AUDIT OF THE STATE BANK