S&ST: Tell us something about your education and professional background?
Armughan Ahmed Kausar: I had a great childhood. My father was in the Armed Forces, so we used to move around quite a lot. After my father’s retirement, we finally settled in Karachi. I did my Chartered Accountancy from Karachi in 2000 from Price water house Coopers and went abroad the same year. I worked abroad for eighteen years. I spent nine out of these eighteen years in Ernst & Young and Goldman Sachs. The remaining nine years were spent in the Middle East, predominantly working for EY. I came back to Pakistan in April last year and joined Habib Bank Limited (HBL). I must say here that for my generation HBL’s brand name is huge. I remember we used to come and see the HBL Plaza during our childhood on occasions like 14th August when the plaza was illuminated. When this opportunity came along, I was very passionate about it, as it was an excellent opportunity for me to come back and serve the country. I also had a firm belief that the things I want to achieve will be fully supported by the organization.
S&ST: What are your core responsibilities as the Chief Internal Auditor (CIA) at HBL?
My key responsibility in the current role is to provide independent assurance. Some of the other responsibilities include helping management doing consultancy work, supporting them in other initiatives and becoming more of a business partner to help improve the overall control environment.
S&ST: How important is the role of internal audit in any organization and the banking sector in particular?
The importance of internal audit is determined by whether it is being treated just as a statuary requirement or whether the organization really wants to transform itself through the audit function. In the banking sector, particularly in this part of the world internal audit has attained a very critical role. It is upon internal audit to make itself more relevant by being more dynamic. We do that by understanding the risks better and by working on all those things that are changing around us. Another important factor to make this function more relevant is by having a complete understanding of the process along with subject matter expertise.
S&ST: What are some of the key risk areas when it comes to the banking sector?
The landscape of banking has shifted in the last ten to fifteen years. In the United Kingdom, there was a crisis in the banking sector in 2008-09 and it persisted until 2012-13. They learned their lesson from that particular crisis and changed the dynamics of the regulatory environment. The regulators’ DNA, practices and fundamentals that were around for over a hundred years were changed.
When I moved to the Middle East in 2013 the goal posts started to change there as well. All the big players in the Middle East were focusing on Anti-Money Laundering (AML), transformations, compliance and regulatory reporting, which changed the landscape of the industry. Right now, Pakistan is in a position (due to various factors) that we need to redefine the banking sector.
As far as the risks are concerned they are very similar to the risks in the West and the Middle East. In no particular order, if I were to list the risks they would be cyber crime, transaction monitoring, Know Your Customer (KYC) and AML. Change and transformation is not just an international desire but also our local political desire and what the regulator wants. Some of the traditional risks like credit risk and operational risk are still there but they have now gone down in the pecking order.
S&ST: How is it ensured that all key areas are addressed in the formulation of the annual audit plan?
I’ll answer this but first, consider HBL’s footprint. We have over 1750 branches all over Pakistan. We have more than 15,000 employees. Our operations are huge and have been historically decentralized so we run a formal risk assessment. The assessment looks at all our historic risks, internal audit reports of the past few years, reports of external consultants, regulatory findings, self-assessment of management on their own risks and the emerging risks. All this data is put into a model that has risk themes into multiple risk areas and we roll it up into all our thirty-five functions or mega processes in the organization. After analyzing through this bottom-up approach, we also carry out analysis based on a top-bottom approach.
We take into consideration what is happening in Pakistan and what are risks aligned to the global risk environment. All the identified risk factors are then analyzed at the organizational level, where, we classify the information into high-risk, medium-risk and low-risk areas. For instance, international locations are a high-risk area for us due to international regulatory pressure, so, in such a case we audit everything. We make a similar judgment about all our 1,800 branches. To support this process, we have a policy framework that has been approved by the audit committee. The results are then socialized with the management without impairing our independence; however, the ultimate authority is the audit committee. They go through the risk assessments, develop an understanding of those risks and at times disagree with the findings.
So, input from all angles is taken to come up with the right audit plan. After this, our audit universe would maybe be one thousand auditable units in one year. This is how much effort goes into carrying out a risk assessment. Furthermore, this process is time intensive.
S&ST: How do you ensure that audit observations are acted upon?
There are multiple facets to it. Ideally, the governance structure within an organization should be firm and forums should be available to the internal auditor to raise issues. Individuals amongst the top brass of organizations’ chair such forums, usually the President. Problems are raised at such forums and unless there is a difference of opinion on any matter the President directs the relevant department heads to fix the issues. However, the most fundamental aspect is reporting and escalation to the board audit committee.
S&ST: What is the importance of independence and objectivity in any banks’ internal audit function?
Independence and objectivity are the most fundamental things when it comes to the internal audit function. Independence matters in both letter and spirit. Perceptions (even if they are wrong) that we are close to the business or we are soft when it comes to tackling issues impairs the audit process. That is why our reporting structure is independent and it reports to the board audit committee. However, it should be kept in mind that independence does not mean that you don’t listen to others.
S&ST: Losses from operational risk have been quite significant in the banking industry globally. Most of these losses stem from preventable mistakes. How can operational risk be minimized?
Operational risk came into the picture after the 2000s. In my personal view if you analyze these risks they come and hit those areas where channeling is happening with an external stakeholder. Whether it is your customer, lawyer, your product being distributed or the information technology channel, operational risk has the biggest impact. In our part of the world, we do have an understanding of operational risk but there is no embedment of it. This means that if you want to control the operational risk, you must make the risk taker the owner of it. You must make the risk taker understand that they are the best controller and identifier of the risk.
S&ST: What exactly is the concept of internal control, and what is its importance?
The starting point for internal control is the control environment i.e. what is the tone at the top. This includes what the board is saying and what the management is telling you. The second part is about how the risk is being assessed and whether all functions assessing their risks. Third, are the control activities, fourth is reporting and the fifth is monitoring. These are some of the fundamentals of internal control however they can vary slightly from one organization to another. An important thing to consider is that there has been a paradigm shift in the world in terms of the control environment and we need to move up to that scale.
S&ST: In today’s global marketplace, the banking sector has greatly expanded the scope and complexity of its activities and faces an ever-changing and complex regulatory environment. What are some of the challenges that you are faced with in terms of regulatory compliance?
The biggest challenge we have in terms of regulatory compliance are the raft of reporting we have to manage, the multiple regulations and multiple requirements. The second issue comes due to the fact that our economy largely remains undocumented. Unless it is properly documented you cannot possibly make the banks documented. The third aspect is that of automation which requires investment in systems as well as people managing them.
S&ST: Pakistan was officially placed on the Financial Action Task Force (FATF) ‘grey list’ last year (which for now doesn’t come with any sanctions). Has this impacted the banking sector in Pakistan in any way?
Broadly speaking there would not be any major impact at the economy level, if we look at what happened the last time we were on the list. However, when it comes to the banking sector this kind of rating impacts how the external world sees us and how they want to deal with us. For external players operating in the Pakistani market, it would definitely pose new questions because of the risks attached to it.
S&ST: There is a view that deficiencies in our banking system were one of the reasons that we ended up on the grey list. Do you agree with this perception?
I look at it differently. If you look at our country’s economy, it is largely undocumented. Documentation of even our property transactions is very limited. As banks, we are merely a reflection of how the broader economy is operating (or how the broader society is). But we do realize that as banks we need to improve how we do things. We are transforming and changing how we manage stuff but at the same time, there is dire need of a cultural shift in our economy as well as society.
S&ST: A major scandal to hit the banking sector last year was the discovery of thousands of fake accounts. Reportedly, transactions in excess of PKR 54 billion were made through such fake accounts. On the face of it, this scandal hints at serious deficiencies in terms of regulatory compliance on part of the banks that were involved in this scandal. What is your take on this particular scandal?
The scandal has reinforced the need for the banking sector to move towards more automation in processes. For instance, we have a great database at National Database and Registration Authority (NADRA) and we have to link everything to that. There are lessons to learn for everybody and we need to start doing things differently at a national level as well as in the banking sector. We also need to make sure that such mistakes are not repeated in the future.
S&ST: Cyber security is a major concern among managers of the global financial system. Last year a few Pakistani banks were also hit by a data breach. In your view, how serious is the threat from cybercriminals and is the banking sector prepared for this particular challenge?
Cyber security is a very serious risk for the banking industry in Pakistan and banking professionals are aware of it. It is a threat that has a huge financial cost and has the potential to take a bank out of the market. The risk posed by cyber criminals is massive and one of the major reasons for it is that it is a threat that is continuously evolving. Continuous monitoring of this threat is of paramount importance for the banking sector. Whether you are in audit or information security, continuous monitoring is important. Your reaction to an attack is also crucial and timely intervention can greatly limit the damage.
S&ST: Foreign-exchange rates in Pakistan have fluctuated in recent months. The country has also relied heavily on financial aid from friendly countries and the ambiguity with regards to approaching IMF also persisted for months. Do these factors collectively pose a serious market risk?
Clarity helps in any economy and that is a forgone rule. Currently, we are in a much better position than where we were a few months ago. But since we are an import-based economy changes in foreign exchange rates do affect us. However, the structural reforms that have been undertaken in recent months were a need of time and will have a positive effect in the long run.
S&ST: Does Pakistan’s fraught economic condition pose a systemic risk for the banking sector?
If you look at the recent Moody’s report they have identified a number of risks. In this high-interest environment regime, it is difficult to repay the money, so there are inflationary pressures. Then there are numerous other factors at play like foreign exchange reserves, consumption of consumers getting squeezed and business being impacted. There is pressure on the economy at large. But these risks can be mitigated with structural reforms, subsidies and an increase in remittances. To sum it up, yes, it is going to be tough for a couple of years but at the same sorting of our fundamentals was on the cards for a long time and this is where we are heading.
S&ST: Compared to other regional countries how do you view the regulatory environment in Pakistan?
The State Bank of Pakistan (SBP) has a heavy focus on national level objectives. They are coming up with the right guidelines and frameworks with regards to audit, compliance and consumers. I have the full support for the way, the manner and the measure the SBP has come out. As recipients, it is now up to us (the banking sector) to make sure that we step up our game and provide SBP with the right tailwind in support of its efforts.
S&ST: There is a view that the banking sector in Pakistan seriously needs to improve corporate governance. What is your take on this and how important is the role of corporate governance?
Yes, there is still room for improvement but a lot has changed in the last few years in terms of structuring of organizations, reporting and how we view ourselves in terms of self-assessment. So, like I said things have already improved but like in other sectors, there is always room for further improvement.
S&ST: How do you see the future of Pakistan’s banking sector both in the short and long term?
In the short term, there would be challenges due to numerous factors such as the transnational efforts and focus on governance, risk and compliance that are already in motion. As far as the long-term future is concerned I am very optimistic provided there is consistency in the fundamental changes that have been undertaken.
S&ST: Do you have any message/advice for the government or the central bank when it comes to the policies/regulations in the banking sector?
I think what we need to do is make the mood positive and the message of positivist needs to be reinforced time and again. There are challenges, but we need to have a positive outlook and consistency in long-term policies.