Chapter 4
The Internal Sharī‘ah Control System

Chapter Summary

This chapter addresses the internal sharī‘ah control system of an Islamic bank. More specifically, it explores the system’s six components: (a) sharī‘ah control culture; (b) sharī‘ah risk identification and assessment; (c) sharī‘ah control activities; (d) sharī‘ah associated information and communication; (e) sharī‘ah monitoring of activities; (f) evaluation of internal sharī‘ah control system by banking supervisors. The chapter discusses the importance of drafting a charter for the internal sharī‘ah audit function (ISAF), which is identified as a cornerstone of the internal sharī‘ah control system. Such a charter would, among other things, elaborate on the purpose, responsibility, and authority of the ISAF. The chapter examines the disagreement in industry on the reporting line of the head of the ISAF. It also discusses the planning process for sharī‘ah audit, execution of an engagement program, communication of findings, follow-up and post-engagement activities, and the sharī‘ah quality assurance program. A novel sharī‘ah risk assessment grid is devised to assist banks in evaluating their sharī‘ah risk profile. The grid builds upon the identified sharī‘ah risk causes and events highlighted in Chapter 2. The chapter further discusses proficiency and due professional care that defines ISAF staff responsibility and behavior. It ends by providing a sample sharī‘ah governance manual and sharī‘ah audit checklists.

4.1 Internal Sharī‘ah Control – Definition and Objectives

The internal sharī‘ah control system of an Islamic bank is a critical system that operates at all times and levels within the bank to promote prudent sharī‘ah-compliant operations in accordance with laws, regulations, policies, guidelines, and best practices. The system, which is influenced by the Board of Directors (BOD), Sharī‘ah Supervisory Board (SSB), senior management, and personnel, plays an integral part in maintaining sharī‘ah compliance, preventing financial losses that could result from sharī‘ah non-compliant activity, preserving the institution’s reputation, and helping the institution reach its goals while maintaining its integrity and values. The system’s main objectives are to provide reasonable assurance that the activities of the institution are in compliance with sharī‘ah precepts, to examine the efficiency and effectiveness of sharī‘ah audit structures and processes, and to assess the accuracy, timeliness, credibility, and completeness of sharī‘ah reports. These objectives help the bank correct sharī‘ah mistakes, live up to its sharī‘ah obligation, protect its image, streamline the system, reduce costs, provide assurance of employee dedication to goals, and furnish stakeholders with reliable reports and disclosures needed for decision-making purposes. For the internal sharī‘ah control system to be robust, it has to be dynamic, thereby adapting to changes that occur in the institution’s internal and external environment.1

4.2 Sharī‘ah Control System Components

The main components of the internal sharī‘ah control system are a sharī‘ah control culture, sharī‘ah risk2 identification and assessment, sharī‘ah control activities, sharī‘ah information and communication, sharī‘ah monitoring of activities, and evaluation of the internal sharī‘ah control system by banking supervisors. These components are essential means of realizing the objectives discussed earlier; hence, each component will be investigated separately.

4.2.1 Sharī‘ah Control Culture

Building and nurturing a strong sharī‘ah control culture is key to emphasizing the importance of sharī‘ah dimensions to an institution and its staff, maintaining awareness concerning the significance of abiding by guidelines that facilitate sharī‘ah compliance, and successfully managing sharī‘ah risk. The BOD, SSB, and senior management take prime responsibility for setting the tone in this regard, cultivating the intended environment, demonstrating commitment to it through their actions, and nourishing it so that it continually develops. Such commitment must not only be portrayed through actions, but also documented and communicated to staff. This communication is necessary to convey to staff their duty in maintaining sharī‘ah compliance and embracing the institution’s culture. Staff need to also recognize that they are expected to play an active role in the process, including reporting cases of sharī‘ah non-compliance by following standard protocol. The BOD, SSB, and senior management ought to realize that the tone they choose to adopt with respect to sharī‘ah compliance affects the outlook and behavior of employees. Should the BOD, SSB, and senior management display high regard for sharī‘ah control and genuine concern about sharī‘ah compliance, then staff would also recognize its importance. They would, thus, take it seriously, abide by the controls, and be less prone to making negligent sharī‘ah violations. However, should the BOD, SSB, and senior management demonstrate apathy toward sharī‘ah control, then staff would view it as petty, and demonstrate low levels of commitment to observing controls. This would ultimately lead to the institution incurring losses as a result of careless employee sharī‘ah violations. With respect to setting the tone at the top and fostering a sharī‘ah control culture, one may argue that the SSB also bears a portion of this responsibility.
Its demeanor in handling sharī‘ah issues speaks volumes about the extent to which it considers sharī‘ah violations significant, whether such violations would be tolerated, and the level of discipline it expects the institution and its staff to achieve. Besides identifying sharī‘ah compliance as a requirement for policies, procedures, and activities, the BOD and senior management ought to do their best to promote sharī‘ah-compliant behavior by acknowledging it when it is carried out, as this reinforces its importance in the eyes of employees. The BOD and senior management ought also to be wary of inadvertently contributing to sharī‘ah non-compliant activity by adopting policies or making decisions that would have negative sharī‘ah implications. An example of this is setting an unrealistic performance expectation that would pressure employees to turn a blind eye to sharī‘ah compliance in order to achieve the desired goal.

The BOD and senior management should have a strong understanding of sharī‘ah risk and its effects, as this would help them exercise the appropriate level of supervision needed to control this risk. In this regard, it is crucial for the BOD to ensure that the internal sharī‘ah control system established is commensurate with the level of sharī‘ah risk that the bank faces. The BOD also needs to follow up directly or through a board committee3 with senior management to ensure that appropriate arrangements have been implemented for identifying, measuring, evaluating, monitoring, mitigating, and reporting sharī‘ah risk. These mechanisms should be efficient, effective, and characterized by independence and objectivity. In this vein, it is not enough for the BOD to merely approve the organizational structure of the bank and its associated lines of authority, accountability, and reporting. The BOD too needs to pay careful attention to attracting competent senior employees who would maintain an appropriate level of competency within the different levels of the institution. As sharī‘ah considerations are integral to the design of policies and procedures of different business support functions, they ought to be incorporated into the process of drafting these policies and procedures. For instance, with respect to the human resource function, management ought to ensure that annual employee appraisals are designed to evaluate, among other aspects, whether employees have complied successfully with outlined sharī‘ah guidelines in their duties. This would demonstrate senior management’s commitment to sharī‘ah compliance, and reinforce the ethical sharī‘ah-compliant culture of the institution. In regard to competence, the technical and experience requirements for positions would differ; however, all employees should be required to possess a minimum level of understanding of Islamic banking and its rules. 
Certain positions, however, would require more in-depth knowledge of Islamic transactional jurisprudence. Management must ensure that the annual training plan of employees not only includes technical training, but also sharī‘ah training on relevant dimensions that pertain to the employee’s role. BOD and SSB members are also expected to stay abreast of industry developments by strengthening their skills and knowledge in a wide range of areas.

4.2.2 Sharī‘ah Risk Identification and Assessment

Chapter 2 illustrated some of the adverse consequences of sharī‘ah risk on institutions practicing Islamic banking and the industry. To safeguard against these consequences, the BOD and senior management should ascertain that the internal sharī‘ah control system is not hindered from achieving its objectives due to unidentified or improperly controlled sharī‘ah risk. To address this issue, it is imperative that banks have a sharī‘ah risk identification and assessment function. As part of the internal sharī‘ah control system, this function would identify sharī‘ah risk causes and events, and analyze the likelihood of their occurrence and their potential impact on the bank. It would also determine the level of preparedness of the bank to mitigate such risk, prioritize the sources of this risk in view of the previously mentioned factors and in relation to each other, and outline controls to overcome shortcomings. For it to be successful, this function would need to comprehensively examine operations, and to revisit its assessment on an ongoing basis. The risky nature of banking, ever-changing participant needs, evolving developments in the internal and external environment, and significance of sharī‘ah compliance to stakeholders are all reasons that would justify these continuous reassessments. In this vein, each of the four sharī‘ah risk causes – people, processes, system, and external events – and their corresponding events, which were outlined in Chapter 2, would need to be considered in these examinations.

It is the responsibility of employees to identify the sharī‘ah risk that could arise while they fulfill their tasks, assess this risk, and ensure that it is mitigated. Employees of business units and support functions would best know their field of work, and the risks that they could encounter in the course of performing their duties.

Multiple investigative approaches may be employed to identify these risks. On the one hand, an internal team could be commissioned to study the activities of the unit or function and interview key personnel. On the other hand, employees of the unit or function could be provided with a structured set of questions and instructed to communicate their responses in a confidential manner. These complementary methods would allow business units and functions to diagnose their sharī‘ah risk, while taking into account the multiple perspectives and the diverse input that would be needed for any critical analysis of this nature. Units and functions would then use this information to design and implement appropriate controls to ensure that sharī‘ah risk is suitably managed. As a result of the identification, assessment, and control efforts of the individual units and functions, the bank would be better able to understand and manage its sharī‘ah risk. It is a challenge, nevertheless, to quantify the material effects of many events that could lead to sharī‘ah risk, and such assessment would be subjective in nature. However, we have devised a sharī‘ah risk assessment grid that attempts to identify and measure this risk. This tool will be introduced later on in the chapter. It would be advisable for the bank to include sharī‘ah risk in its Enterprise Risk Management (ERM) framework, as this would enable the BOD and senior management to holistically assess and mitigate it.

The BOD sets the risk appetite for different forms of risks that the bank faces, and this translates into the amount of risk that management is willing to tolerate before taking specific remedial actions. As far as setting risk appetite and tolerance levels for sharī‘ah risk is concerned, it is important to remember that Islamic banks were conceived from customers’ desire to carry out transactions in a sharī‘ah-compliant manner. Hence, sharī‘ah precepts are embedded within the fabric of activities of these banks. Moreover, any income that is generated from sharī‘ah non-compliant activity is considered a loss for the bank, as it is excluded by the SSB and distributed for charitable purposes. For these reasons, the BOD should set the tone that it would not tolerate losses that occur as a result of sharī‘ah contraventions, and should require the rectification of the causes of sharī‘ah violations. To efficiently manage sharī‘ah risk, management needs to prioritize its causes and events, as resources are often limited and choices would have to be made regarding improvement initiatives based on their relative significance. Furthermore, corrective measures need to be cost effective and streamlined, in order not to burden the bank with unnecessary costs or bureaucratic, time-consuming procedures.

4.2.3 Sharī‘ah Control Activities

Sharī‘ah control activities are one of the main components of the internal sharī‘ah control system that would assist it in addressing sharī‘ah risk and achieving its objectives. Prior to instituting these, management must clearly visualize the workflow of transactions, services, and activities and identify areas posing sharī‘ah risk that would necessitate such control activities to mitigate this risk. For successful adoption and implementation of these control activities, they would need to be sound, rational, economical, integrated into relevant tasks across the bank, and uniformly upheld irrespective of the person’s position or the circumstances. This last condition would be needed to confirm that control activities are not suspended when transactions pertain to high-ranking individuals, nor would they be compromised due to tight deadlines, budget constraints, or other circumstances that might emerge.

Sample sharī‘ah control activities would include:

  • issuing policies and procedures that outline the methodology for submitting a sharī‘ah inquiry to the SSB;
  • issuing a fatwa;4
  • converting a fatwa into a practical process;
  • securing SSB approval on a product, service, or activity;
  • excluding sharī‘ah non-compliant funds from the bank’s income and dispersing these funds;
  • clarifying the sharī‘ah rules that ought to be observed when distributing profits or losses to customers;
  • identifying sharī‘ah terms and conditions for contracts and transactions;
  • conducting periodic reviews by the BOD and senior management of sharī‘ah reports and securing necessary clarifications through questioning;
  • verifying goods delivered against those purchased and invoiced;
  • limiting access to sharī‘ah-related data and information to authorized individuals;
  • incorporating the SSB approved procedures for executing transactions and their corresponding accounting entries into the bank’s accounting and information systems.

Additionally, segregation of duties is an effective preventive measure and control for averting sharī‘ah violations, and impeding the concealment of sharī‘ah contraventions should they occur. The powers for authorizing, executing, recording, and auditing of transactions ought to be segregated. As such, stages of an activity, be it a transaction or otherwise, should be controlled by different people, so that no single individual or group can pursue wrongful sharī‘ah actions without such misconduct being exposed and those responsible being held accountable. A car murabaha5 transaction serves as an example. The bank employee communicating with the car dealer and finalizing the car purchase agreement should not be the same employee who thereafter completes the car sale contract with the customer, as the powers to authorize the purchase, record, and issue the financing should not lie within the same hands. The duties must be segregated between different employees to minimize the chances of collusion between the employee, dealer, and customer. Management ought also to rotate employees between functions if it has concerns that an employee being in a single role for a long period of time could lead to misappropriation. As far as SSB members are concerned, since they authorize or legalize structured financing deals, they should not be responsible for auditing these transactions. SSB members are also expected to communicate with the BOD any potential or nascent conflicts of interest that could occur as a result of their serving on the bank’s SSB. Should attempts to resolve these conflicts fail, then the SSB member would be excused in line with the protocols set for this purpose.

Guidance relating to the abovementioned sharī‘ah control activities may be taken from numerous sources such as laws and regulatory requirements of authorities in the bank’s jurisdiction, standards issued by the Accounting and Auditing Organization for Islamic Financial Institutions (AAOIFI) as well as those issued by respective international and local accounting and auditing boards, the sharī‘ah governance systems principles issued by the Islamic Financial Services Board (IFSB), SSB decisions and fatawa, and market conventions. But before senior management promulgates its sharī‘ah controls, they need to be reviewed by the SSB and approved by the BOD. Parties involved are encouraged to ruminate on the specificities of the bank, such as the number of operations it runs and the geographical location of these operations, and assess the effects of these characteristics on sharī‘ah controls and compliance.

4.2.4 Sharī‘ah Associated Information and Communication

Internal and external stakeholders require regular sharī‘ah information about the activities of the Islamic bank. Such information is needed to assess the extent of sharī‘ah compliance of the bank’s activities with the AAOIFI standards, prescribed policies and procedures, etc., manage sharī‘ah risk, and take corrective measures to address areas of weakness. It is no surprise then for the internal sharī‘ah control system to have as one of its objectives the production of high-grade sharī‘ah information. The quality of this information is crucial, since different recipients use it for decision-making purposes, and this in turn has an effect on the internal sharī‘ah control system as a whole. For instance, based on information from sharī‘ah reports that evidences sharī‘ah violations, the SSB would exclude income generated from non-compliant activities and allocate such funds to charity. If sharī‘ah reports were not accurate, then they would lead to the misstatement of losses. Given the adverse effects of poor quality sharī‘ah information, it is important for processes to be in place to document, acquire, and transmit timely sharī‘ah information that is relevant, accurate, and complete. This would not be possible without a conscious decision by the bank to be transparent on sharī‘ah matters. Most Islamic banking institutions have yet to fully commit to this transparency. The scarcity of sharī‘ah information available for external stakeholders is good evidence of this. It is rare, for instance, to find an Islamic bank publishing details about its SSB’s activities, such as the number of meetings held, contracts approved, fatawa issued, products ratified, and policies and procedures endorsed. With this being the case, regulators have a big role to play in requiring Islamic banks to provide a minimum level of disclosure on sharī‘ah matters, with banks that fail to do so being penalized.

Besides assigning responsibility for sharī‘ah control activities to the appropriate business units and support functions, senior management needs to ensure that this responsibility and any corresponding tasks are clearly documented and communicated to these parties. This is needed to enable parties to clearly understand their obligations before holding them accountable for discharging their duties. Since all employees contribute to the robustness of the internal sharī‘ah control system, it is necessary for management to raise employee awareness that the system would only be able to achieve its defined objectives and be successful if all employees invest in it. This would require them to observe the outlined sharī‘ah controls, and facilitate the flow of sharī‘ah information within the prescribed communication channels. In other words, the BOD and management would set the expectations, and ensure that this collective employee duty is continuously reinforced and embedded in the bank’s culture.

When establishing channels of communication for sharī‘ah information, all the departments across the bank would be included, as well as the BOD or its audit and governance committee and the SSB.6 The internal sharī‘ah audit function would play a key role in ensuring that this coordination is maintained. Similarly, it would stay up-to-date with the information coming from other departments to stay abreast of the developments. These lines of communication would equip personnel with complete, reliable, unbiased, constructive, and timely information needed to enable them to observe their sharī‘ah duties and take prompt action. The channels would not just be needed to enable top-down reporting in order to flag mishaps that could divert the system from achieving its objectives, but also for bottom-up reporting that would allow employees to inquire about sharī‘ah rulings in situations where no such guidance had been issued. This preventative measure, which would save bank employees from making mistakes, would be needed for extraordinary instances that employees could encounter when executing a transaction. Given the speed with which banking transactions occur, this inquiry process would only succeed if it were efficient. Otherwise, it would become a major hurdle for the bank, and result in an increase in the time required to execute activities.

Another consideration when devising communication channels is that employees must be capable of reporting errors without fear of job loss or retaliation for pursuing such action. A hotline or similar arrangement that would allow confidential reporting of sharī‘ah concerns or violations to the audit and governance committee and the SSB could be employed to provide privacy. The independence and anonymity of the hotline must be maintained to give full assurance of confidentiality to those reporting violations that they would not be negatively affected. Also, maintaining communication with external stakeholders is necessary to promote transparency on sharī‘ah matters, as discussed earlier. Should supervisors require banks to abide by a minimum standard in their sharī‘ah reports, then banks would be obliged to comply. However, in case regulators choose not to set such a standard, then it would be essential for management to ensure maximum transparency so that market discipline can be maintained. Additionally, Islamic banks should be careful of inadequacies in or the complete lack of communication of sharī‘ah responsibilities to personnel. Such communication is essential for ensuring that employees are fully informed of expectations and aware that sharī‘ah monitoring is an integral duty that has to be observed in all activities. Employees, BODs, and SSB members would be expected to maintain the confidentiality of this information, and to report breaches to the appropriate level of authority.

4.2.5 Sharī‘ah Monitoring of Activities

In order to protect the Islamic bank against losses that could result from uncontrolled sharī‘ah risk, the BOD, senior management, and other stakeholders require regular assurance that the internal sharī‘ah control system is operating as intended. Thus, the system has to be monitored for it to be able to achieve its defined goals. This monitoring is a means of evaluating the system’s functioning and appropriateness in light of organizational, regulatory, and other developments. Such monitoring could take different forms. One such form is for it to be integrated into the daily activities of business units and support functions, and observed on an ongoing basis. This type of real-time monitoring allows for sharī‘ah mistakes to be captured rapidly and errors rectified promptly. At different levels of the bank, managers who are aware of the sharī‘ah guidelines relevant to their department’s activities would be required to carry out such monitoring and remain watchful. Senior management would need to ensure that the bank is equipped with the necessary requirements (human or technological) for effecting this monitoring. For instance, a reliable information system commensurate with the needs of the bank that would flag sharī‘ah violations occurring over the course of performing activities would support managers in discharging their sharī‘ah monitoring duties. Additionally, management’s monitoring activities and corrective actions should be adequately documented and communicated.

Another form of monitoring that would occur less frequently is performing evaluations of the internal sharī‘ah control system, and reviewing transactions on a periodic basis to check conformity with sharī‘ah precepts. This assessment of sharī‘ah controls, in contrast to the previous form of monitoring, would provide an independent appraisal of the overall system, and a comprehensive examination of its issues. The bank’s internal sharī‘ah audit function would be capable of performing this task, and determining the extent of sharī‘ah compliance of transactions. Through these activities, function staff would identify transactional errors in addition to system shortcomings and opportunities for enhancement. Findings and recommendations would be reported to management. The latter would examine the results of evaluations, draft a plan of corrective actions to be taken, and obtain approval to proceed with it. Complete results would be reported to the BOD or its audit and governance committee, SSB, senior management, and other assurance functions. Management would also be required to guarantee execution of the agreed-upon corrective action plan, and the internal sharī‘ah audit function would periodically follow up on progress.

4.2.6 Evaluation of Internal Sharī‘ah Control System by Banking Supervisors

The importance of having a robust internal sharī‘ah control system cannot be overestimated; thus, banking supervisors should play an active role in evaluating such a system as part of their routine monitoring. Doing so is within the bounds of prudence and has many benefits. For example, it would help supervisors in their overall attempt to comprehensively rate the bank’s systems and risk profile, as the strength of the internal sharī‘ah control system would impact these assessments and have direct consequences. Such monitoring would also reinforce the significance of the internal sharī‘ah control system in the eyes of the BOD and senior management, and help protect against the adverse effects of uncontrolled sharī‘ah risk by prompting proactive vigilance and action.

Mutual benefits exist in establishing a healthy level of communication between the banking supervisor and the internal sharī‘ah audit function. For supervisors, this interaction would help them distinguish the sharī‘ah risk events that the bank faces, understand how the bank has chosen to mitigate the risks, and recognize areas of weakness and ensure that they are being observed. While such communication would help supervisors form a better understanding of the core sharī‘ah issues facing the bank, it would also help the bank strengthen its internal sharī‘ah control system.

As part of their evaluation of the bank’s internal sharī‘ah control system, supervisors should undertake a general assessment of sharī‘ah controls. Furthermore, they should scrutinize any controls that have been associated with losses in the past to ensure that they have not weakened since their rectification. Areas of the bank that have undergone changes should also be closely examined to establish the effect of these changes on sharī‘ah controls, and determine if a need exists to upgrade such controls. Within a bank setting, the following changes are examples worthy of consideration:

(1) a changed operating environment; (2) new personnel; (3) new or revamped information systems; (4) areas/activities experiencing rapid growth; (5) new technology; (6) new lines, products, activities (particularly complex ones); (7) corporate restructurings, mergers and acquisitions; and (8) expansion or acquisition of foreign operations.7

Depending on the scope and objective of the appraisal, the banking supervisor may utilize different approaches, which could be combined, to conduct its assessment. For instance, supervisors could evaluate the internal sharī‘ah audit function in relation to its expectations by reviewing the following items:

  • strategic plans;
  • charter;
  • reporting line;
  • level of independence and authority;
  • scope of work and audit plans;
  • competence and experience of its staff;
  • extent of work that it outsources and the effect of such outsourcing.

Using a grading scale for such an evaluation would allow supervisors to perform cross-bank comparisons. To verify the suitability and effectiveness of the system and get a good indication of areas of weakness and threats, banking supervisors could also scrutinize the methodology used by the internal sharī‘ah audit function to perform its duties, converse with its staff, review sharī‘ah dimensions of policies and procedures, test sharī‘ah controls, and inspect the function’s reports and audit work papers. However, this supervisory assessment should not be considered as a substitute for the BOD’s own evaluation of the internal sharī‘ah audit function that would typically be conducted through the audit and governance committee or external auditor. Furthermore, the supervisor’s lack of identification of deficiencies in the function or system should not be taken to mean that these deficiencies do not exist as they could have been erroneously overlooked.

An alternative approach that supervisors could adopt would be to provide banks with a checklist that would allow each bank to evaluate its controls and report its results. Despite this being a self-evaluation that would be open to biases, specific areas of concern could be validated by the supervisor through on-site visits, should a need arise for doing so. Another method would be to require a periodic external auditor assessment of the internal sharī‘ah control system.8

Regardless of the technique used, the results of the supervisory evaluation would be reported to the BOD, which is then required to develop a remedial plan to address weaknesses and concerns within a reasonable time frame. Internally, the BOD would request senior management to investigate concerns and propose remedial measures. In doing so, the internal sharī‘ah audit function should be consulted on the proposed measures. However, it is the responsibility of management to devise the rectification plan and share it with the BOD and the SSB. Once these entities are satisfied with the plan, the BOD would submit it to the supervisor for consideration. Should the supervisor deem the plan suitable, then it would approve it, but if not, then it would require modifications to be made. To follow up on the implementation of the plan, the supervisor would require the bank to provide timely progress reports at different milestones highlighting the steps completed. Such validation is essential to guaranteeing that concerns are adequately resolved in practice, and not just on paper. Should the supervisor find the progress of the bank unsatisfactory, then it would escalate its actions in line with the set protocols. For instance, if the bank is headquartered in another country, then the supervisor could find it necessary to communicate its concerns about the bank to its counterparts in the bank’s home country.

4.3 Internal Sharī‘ah Audit Function (ISAF)

4.3.1 Purpose, Responsibility, and Authority

The internal sharī‘ah audit function is a cornerstone of the internal sharī‘ah control system. Hence, it is fundamental to the system’s success. The objective of this function is to assess the sharī‘ah audit activities of the bank, and contribute to improving sharī‘ah compliance. This is accomplished through evaluating and presenting recommendations regarding the effectiveness and efficiency of the internal sharī‘ah control and risk management systems, compliance of activities with SSB fatawa, AAOIFI sharī‘ah standards, and other relevant guidance, consistency of sharī‘ah governance policies and measures with legal and regulatory requirements and industry guidance, and sharī‘ah compliance of the bank’s information system. These independent and objective assessments, which would be reported to the BOD, SSB, senior management, other internal assurance functions, and banking supervisors upon their request, would be conducted in a systematic and disciplined manner in order to assist the bank in achieving its goals. The function, hence, is valuable to internal and external stakeholders. The internal sharī‘ah audit function would also offer support services. These would include coordinating the activities of the SSB and assisting it in researching juristic rulings, participating in employee training, sharī‘ah audit planning, coordinating with the external sharī‘ah audit firm and banking supervisors, and monitoring of recommendations and action plans. Moreover, the function would provide advisory services to management, without assuming management responsibility, such as offering input on new processes and sharī‘ah controls, participating in management committees, and assisting in sharī‘ah risk identification and monitoring.

The head of internal sharī‘ah audit would consult with key stakeholders prior to preparing the function’s charter, as this would help in understanding and managing expectations. Prior to its issuance, the charter would need to be endorsed by senior management, an opinion thereon given by the SSB, and approved by the BOD. The charter would include the function’s purpose, responsibility, and authority. It should permit the function unrestricted access to documents, personnel, etc. relevant to its tasks. The charter should determine the function’s position within the bank in order to identify its line of reporting, set the scope of activities for the function, and outline the standards which will be followed. It would be reviewed annually, updated as necessary, and made accessible to staff on the bank’s internal website.

4.3.2 ISAF in Practice

In practice, the industry has yet to agree on standard terminology for naming this function. Sharī‘ah audit, sharī‘ah control, sharī‘ah compliance, sharī‘ah review, and simply plain sharī‘ah, are some examples of names that have been used to refer to this function in different Islamic banks. AAOIFI chooses to call it sharī‘ah review; however, sharī‘ah audit is a more suitable title as it succinctly states the objective of the function. Furthermore, it would be in line with already established audit terminology, namely, internal audit.

A more important consideration than the name of the function is the scope of its responsibilities. In many banks this function may be found mainly reviewing transactions to assess the extent of compliance of activities with SSB fatawa and AAOIFI sharī‘ah standards. With the exception of support and advisory activities, other previously mentioned function duties, such as investigating the strength of sharī‘ah controls put in place by management, are weakly performed in many Islamic banks.

A possible reason for such weakness is the lack of exposure or training of many sharī‘ah audit function heads on the fundamentals of performing these other tasks. Many of these individuals are graduates of sharī‘ah colleges who were not formally trained to oversee audit responsibilities. In terms of career progression, a good number of them could be considered budding scholars with aspirations to serve on SSBs of banks. Such a goal is reasonable as the extensive exposure that these individuals receive when leading the sharī‘ah audit function equips them with a strong understanding of the intricacies of banking and allows them to mesh practice with their sharī‘ah knowledge. After a few years of experience, these individuals are often found to have been able to bridge the gap that exists between these two disciplines. This makes them sought after by other SSB members who do not have the same in-depth understanding of banking transactions, as well as BODs and management teams seeking scholars fluent in banking language in addition to being proficient in sharī‘ah. Instances of these aspiring SSB members finally making the jump from heading the sharī‘ah audit function to serving on the SSB of the bank have proved to be successful. In fact, so much so that some of them now chair SSBs of banks.

4.3.3 Importance of Independence and Objectivity

For the internal sharī‘ah audit function to be credible, it has to be independent. Independence means to be free from circumstances that would compromise the ability of the function to perform its duties impartially. To this end, the function must occupy a suitable position within the institution to allow it to perform its duties independently without interference or impediments that would limit its activities, the way it performs them, or its ability to communicate with others. While administrative reporting to the CEO or head of Islamic banking in the case of an Islamic window would be acceptable, functional reporting to these individuals would not, as it could lead to hindering the function’s independence and objectivity. AAOIFI, hence, has established that the head of internal sharī‘ah audit is responsible, like the chief of internal audit, to the BOD. Interestingly, there is no consensus in the industry regarding the line of reporting of the head of internal sharī‘ah audit. In many Islamic banks, the person reports functionally to the SSB and administratively to the CEO or head of Islamic banking, as in the case of an Islamic window. Some regulators, such as those in Malaysia and Oman, have adopted this perspective. However, such an arrangement could lead to conflict of interest issues and subject the independence and objectivity of the function to negative pressures.

Earlier we demonstrated how the sharī‘ah compliance obligation of the bank could translate into practical responsibilities for the audit and governance committee of the BOD. If we espouse AAOIFI’s view regarding reporting to the BOD, then we should also clarify that the head of the internal sharī‘ah audit function must have unrestricted access to senior management, the SSB, the external sharī‘ah audit firm, and banking supervisors. Furthermore, depending on the report, the head of the function would furnish these entities with periodic reports and updates. The person would also engage them in regular discussions to reinforce the function’s independence, and promote two-way communication on sharī‘ah matters. Establishing this type of interaction would help strengthen the status of the function, foster a collaborative environment on sharī‘ah issues, and provide assurance that all parties are working towards the same sharī‘ah audit plan. It would also permit the function to report on critical developments that could require reconsideration of policies or decisions, or adjustment of the plan, and help provide the opportunity to elaborate on reported results and clarify ambiguities, thereby reducing misunderstandings. As mentioned earlier, gaining unhampered access to information etc. is crucial to being able to discharge duties. Furthermore, a review of the function’s independence should be conducted and confirmed to the BOD at least on an annual basis.

In performing their duties, staff of the function must ensure that they are objective. This entails maintaining an impartial attitude that would not permit their judgments to be influenced by considerations that ultimately compromise the integrity of their findings. In this vein, they must be aware of conflicts of interest that could arise. It is not necessary for the conflict of interest to materialize into wrongdoing for it to be a matter of concern. The possibility of its becoming reality is sufficient for it to be of concern. Thus, objectivity or independence issues that arise at any level of the function must be dealt with and reported promptly to ensure due monitoring.

4.3.4 Planning for Sharī‘ah Audit

4.3.4.1 Developing the Strategic Sharī‘ah Audit Plan

A clear vision and mission would allow the sharī‘ah audit function to remain focused on its purpose, and the end result that it strives to accomplish. Furthermore, it would be imperative for the function to efficiently and effectively allocate human and financial resources in order for it to contribute to the bank’s goals. This task requires strategic planning. The strategic plan is like a bridge linking the internal sharī‘ah audit charter to the annual sharī‘ah audit plan, and allowing the function to be aligned with the overall strategy of the bank and its objectives. The strategic planning process enables the head of the sharī‘ah audit function and stakeholders to critically deliberate on the function, its outlook, resource requirements, strategies that it will adopt to achieve its goals, and risks that could hinder its work. It ultimately leads to constructing broad parameters for activities, understanding key initiatives that would be pursued in the coming years – probably three years, but possibly five or longer – and developing corresponding manpower plans and budgets. Building a solid awareness of the Islamic bank’s objectives, strategies, business model, and the overall industry is the first step, as this will help in forming an enlightened and holistic understanding of the business. This step could be accomplished by reviewing key documents that would include the bank’s vision, mission, strategic plans, and goals, and engaging in discussions with senior management, the BOD, the SSB, and possibly even external sharī‘ah auditors and banking supervisors. It is important for the head of internal sharī‘ah audit to engage in these discussions, as stakeholders’ expectations would impact the function’s activities and plans. In terms of expectations, it is normal for stakeholders to express different priorities for the function. 
This does not mean that all expectations would be incorporated in the function’s vision, mission, and strategic plan, as this would probably not be possible. After close examination of these expectations, the function head would correspond with stakeholders, especially the audit and governance committee, to communicate the reasoning behind excluding any of these expected outcomes.

Engaging in the previously mentioned exercises would enable the sharī‘ah audit function head and personnel to get a bird’s-eye view of the bank. Equipped with an informed understanding of the institution, personnel would be able to customize their sharī‘ah perspective so that it is tailored to the unique requirements of their bank. This would be especially useful for assessing sharī‘ah risk that the institution faces. The head of sharī‘ah audit and stakeholders should also identify critical bank processes that would facilitate achieving strategic objectives, and consider their sharī‘ah dimensions. Doing so would help pinpoint areas of significant importance requiring top priority attention. It would also be crucial to distinguish the main criteria for deeming the function successful in order to be able to evaluate its performance, and keep the team focused on the fundamentals. Taking into account these criteria along with stakeholders’ expectations of the function, the mission, as well as the vision, an analysis of the function’s strengths, weaknesses, opportunities, and threats (SWOT) would be conducted. Such an analysis would clarify the internal and external forces that could enable or hinder the function from realizing its vision. The results of this activity would be incorporated into the function’s strategic and annual plan.

Senior management would endorse the strategic sharī‘ah audit plan or any changes to it. Furthermore, the SSB would provide its opinion on it before the plan is sent to the audit and governance committee of the BOD for approval and issuance. The frequency of revisiting the strategic plan would also be agreed upon and documented. Several factors should be considered when determining this period, including the extent of growth of the bank and the implications of this on processes and resources. Once issued, the strategic plan should be accessible by staff. Nevertheless, there could be instances where certain individuals would be restricted from accessing the plan due to various concerns.

4.3.4.2 Defining the Sharī‘ah Audit Universe and Assessing Sharī‘ah Risk

With the strategic plan setting the direction and demarcating the key boundaries of activities of the internal sharī‘ah audit function, the next step would be to perform a more detailed identification of the sharī‘ah audit universe, and conduct a sharī‘ah risk assessment of the bank. These tasks would help identify areas to be audited for sharī‘ah compliance assurance, and assist in determining the frequency of conducting these audits. The results of these endeavors would be used for crafting the annual sharī‘ah audit plan. Budget and other resource constraints often mean that parts of the sharī‘ah audit universe would be reviewed less frequently than others. Hence, the head of the function would craft an annual sharī‘ah audit plan after taking into account these limitations and the sharī‘ah risk that the bank faces. Doing so would result in optimal value addition to the institution through assigning resources to areas where they would be needed most, and providing sufficient coverage of the high-risk areas.

Determining the sharī‘ah audit universe is a prerequisite for assessing the bank’s sharī‘ah risk. The head of the function would detail the sharī‘ah audit universe, taking into account the function’s strategic plan, internal sharī‘ah audit charter, and the bank’s processes. In doing so, the head would also investigate the annual business plans of different departments to stay abreast of products, services, projects, and other initiatives that the bank plans on undertaking in the coming year. It is important to take these into consideration, as their corresponding sharī‘ah requirements would need to be included in the annual plan.

It is up to the function head to determine how best to divide the sharī‘ah audit subject areas and the size of each. This could be based on what the head perceives as an efficient breakdown, the line of reporting of these areas and the corresponding responsibility for each, the number of team members, their skills, and other considerations. It is important, however, to remember that a minimum amount of time and cost is necessary for performing each audit engagement. Hence, multiple small audit areas could result in suboptimal allocation of resources. On the contrary, very large audit areas could lead to seemingly unending engagements, disgruntled clients, and convoluted results. For these reasons, striking the right balance between too small and too large is essential. This would also apply to the number of team members involved in each audit. In this vein, the skill set of sharī‘ah audit staff members would influence the size of the team. For example, in auditing IT system sharī‘ah controls, the function head would have to determine whether staff would be capable of performing this task. Should they be deemed incapable due to skill deficiencies, then a team composed of sharī‘ah and IT auditors could be formed as an alternative. This would result in synergy and lead to collective expertise that would be of great benefit. Establishing this cross-skilled team would perhaps safeguard against mistakes that could occur if sharī‘ah audit staff performed the audit without possessing sufficient IT proficiency.

Performing a sharī‘ah risk assessment of the bank would be the next step. This assessment would be conducted at least once a year. Generally, the risk profile of Islamic banks in regard to sharī‘ah is high because of the potential adverse consequences of non-compliance. A robust internal sharī‘ah control system combined with effective management supervision that mitigates sharī‘ah risk would, however, result in lowering the bank’s sharī‘ah risk profile.

Each bank has its unique nuances that it should take into consideration when identifying and evaluating its sharī‘ah risk. Nevertheless, Table 4.1 presents a sample sharī‘ah risk assessment grid that could be adapted by banks for this purpose. The grid builds upon the sharī‘ah risk causes – people, processes, system, and external events – and sharī‘ah risk events identified in Chapter 2.

Table 4.1 Sharī‘ah risk assessment grid

| Sharī‘ah Risk Cause | Event Identification | Risk Assessment | | | | | |
|---|---|---|---|---|---|---|---|
| | | Likelihood (1-3) (L) | Impact (1-3) (I) | Risk Score L * I = (R) | Preparedness (1-3) (P) | Residual Risk Score R / P = (RR) | Risk Priority # |
| A- People | 1- Fatwa risk | | | | | | |
| | 2- Falsification | | | | | | |
| | 3- Guideline violations, unapproved product, transaction, or legal documentation | | | | | | |
| | 4- Insufficient resources | | | | | | |
| | 5- Inadequate training | | | | | | |
| | 6- Negligence | | | | | | |
| | 7- Miscommunication | | | | | | |
| | 8- Lack of segregation of duties | | | | | | |
| | 9- Loss of key player/Inorganization | | | | | | |
| Total Risk Score - People | | /27 | /27 | /81 | /27 | | |
| B- Processes | 1- Unclear/lack of processes, policies, procedures, or responsibilities | | | | | | |
| | 2- Inadequate internal sharī‘ah governance arrangements or tools | | | | | | |
| | 3- Insufficient disclosure and transparency | | | | | | |
| | 4- Inappropriate use of charity account, profit distribution and segregation of funds between entities | | | | | | |
| Total Risk Score - Processes | | /12 | /12 | /36 | /12 | | |
| C- System | 1- Process and system accounting mismatches | | | | | | |
| | 2- Inadequate product modules | | | | | | |
| | 3- Poor reporting | | | | | | |
| | 4- Unapproved software | | | | | | |
| | 5- Inexperienced vendor | | | | | | |
| | 6- Non-timely vendor support | | | | | | |
| | 7- Non-user-friendly | | | | | | |
| | 8- System mistakes | | | | | | |
| Total Risk Score - System | | /24 | /24 | /72 | /24 | | |
| D- External Events | 1- Fatwa risk | | | | | | |
| | 2- Inexperienced sharī‘ah advisory firm | | | | | | |
| | 3- Conflict of interest between auditing, consulting, and legalizing | | | | | | |
| | 4- Inadequate sharī‘ah governance regulations | | | | | | |
| | 5- Unclear laws and regulations | | | | | | |
| Total Risk Score - External Events | | /15 | /15 | /45 | /15 | | |
| Overall Sharī‘ah Risk Score | | /78 | /78 | /234 | /78 | | |

In this section we elaborate on how this grid could be used in practice. First, a score out of 3 (1 being the lowest; 3 being the highest) would be assigned to each sharī‘ah risk event in two important dimensions: the likelihood (L) of the event occurring, and its potential detrimental impact (I) on the bank. See Tables 4.2 and 4.3 for further details. Since some events could be more damaging than others, impact has to be taken into consideration. It is important to recall, however, that sharī‘ah risk losses would not be tolerated and must be rectified irrespective of the extent of their impact. Nevertheless, effort would have to be prioritized in areas that would need it the most.

Table 4.2 Likelihood key

Likelihood Key

| Score | Symbol | Meaning |
|---|---|---|
| 3 | H | High chance of event happening. |
| 2 | M | Medium chance of event happening. |
| 1 | L | Low chance of event happening. |

Table 4.3 Impact key

Impact Key

| Score | Symbol | Meaning |
|---|---|---|
| 3 | H | Impact of event on the bank is high. |
| 2 | M | Impact of event on the bank is medium. |
| 1 | L | Impact of event on the bank is low. |

A risk score (R) for the event would be calculated by multiplying (L) and (I). A higher (R) would signal a more dangerous event that requires further attention. Next, the degree of preparedness of the bank in mitigating the sharī‘ah risk presented by such an event would be evaluated and a corresponding score, (P), would be assigned (Table 4.4). The (R) score of each event would then be divided by its corresponding (P), giving a residual risk (RR) score. Finally, events would be risk-prioritized on the basis of their (RR) score (Table 4.5). As can be seen in the keys provided below, events would be categorized into low, medium, and high attention categories. Immediate attention would be first directed to high-risk priority events; moreover, the function would be required to conduct more frequent audits of these events. The head of the function would recommend the cycle for different audits. To facilitate comparisons across different causes and periods of time, the sharī‘ah risk assessment grid allows for a tally of scores for each sharī‘ah risk cause. While the tool in Table 4.1 is an attempt to assess sharī‘ah risk, practitioners and academics are advised to work together to develop and improve on tools that would serve this purpose.

Table 4.4 Preparedness key

Preparedness Key

| Score | Symbol | Meaning |
|---|---|---|
| 3 | H | The bank is well prepared to tackle the sharī‘ah risk caused by the event. |
| 2 | M | The bank is fairly well prepared to tackle the sharī‘ah risk caused by the event. |
| 1 | L | The bank is poorly prepared to tackle the sharī‘ah risk caused by the event. |

Table 4.5 Risk priority key

Risk Priority Key

| Residual Risk Score | Risk Priority | Meaning |
|---|---|---|
| 6 to 9 | H | The event requires high attention. |
| 3 to < 6 | M | The event requires medium attention. |
| 1/3 to < 3 | L | The event requires low attention. |
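
The scoring procedure described above (R = L * I, RR = R / P, banding by Table 4.5, and tallies per risk cause) is worked through below as an added example that is not part of the original chapter. Event names come from Table 4.1; the scores are constructed sample values, and the class and function names are hypothetical. Exact fractions are used so that boundary values such as 3 and 6 fall in the correct band.

```python
"""Worked example of the Table 4.1 scoring procedure (sample scores are constructed)."""
from dataclasses import dataclass
from fractions import Fraction

VALID_SCORES = (1, 2, 3)  # Tables 4.2-4.4: 1 = low, 2 = medium, 3 = high


def priority_band(rr: Fraction) -> str:
    """Map a residual risk score (RR) to the Table 4.5 risk priority."""
    if not Fraction(1, 3) <= rr <= 9:
        raise ValueError(f"residual risk {rr} is outside the 1/3 to 9 range")
    if rr >= 6:
        return "H"
    if rr >= 3:
        return "M"
    return "L"


@dataclass(frozen=True)
class Event:
    cause: str          # People, Processes, System, External Events
    name: str           # sharī‘ah risk event from Table 4.1
    likelihood: int     # (L)
    impact: int         # (I)
    preparedness: int   # (P)

    def __post_init__(self):
        # Reject anything that is not an integer score of 1, 2 or 3.
        for field in ("likelihood", "impact", "preparedness"):
            value = getattr(self, field)
            if type(value) is not int or value not in VALID_SCORES:
                raise ValueError(f"{self.name}: {field} must be 1, 2 or 3")

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact            # R = L * I

    @property
    def residual(self) -> Fraction:
        return Fraction(self.risk, self.preparedness)   # RR = R / P

    @property
    def priority(self) -> str:
        return priority_band(self.residual)


def cause_totals(events):
    """Tally L, I, R and P per risk cause, with the maximum attainable totals."""
    totals = {}
    for e in events:
        row = totals.setdefault(e.cause, {"events": 0, "L": 0, "I": 0, "R": 0, "P": 0})
        row["events"] += 1
        row["L"] += e.likelihood
        row["I"] += e.impact
        row["R"] += e.risk
        row["P"] += e.preparedness
    for row in totals.values():
        n = row["events"]
        # Denominators as in Table 4.1: 3 per event for L, I, P and 9 for R.
        row["max"] = {"L": 3 * n, "I": 3 * n, "R": 9 * n, "P": 3 * n}
    return totals


def audit_order(events):
    """Rank events for attention: highest RR first, ties broken by R, then name."""
    return sorted(events, key=lambda e: (-e.residual, -e.risk, e.name))


# Constructed sample scores for a handful of Table 4.1 events.
SAMPLE_GRID = [
    Event("People", "Fatwa risk", 2, 3, 3),
    Event("People", "Inadequate training", 3, 2, 1),
    Event("Processes", "Insufficient disclosure and transparency", 2, 2, 1),
    Event("System", "Unapproved software", 1, 3, 1),
    Event("System", "System mistakes", 3, 3, 2),
    Event("External Events", "Unclear laws and regulations", 3, 3, 1),
]

if __name__ == "__main__":
    for e in audit_order(SAMPLE_GRID):
        print(f"{e.priority}  RR={str(e.residual):>4}  R={e.risk}  P={e.preparedness}  "
              f"{e.cause}: {e.name}")
    for cause, row in cause_totals(SAMPLE_GRID).items():
        print(f"{cause}: R {row['R']}/{row['max']['R']}, P {row['P']}/{row['max']['P']}")
```

In the sample, "Fatwa risk" and "Inadequate training" share the same risk score (R = 6) but land in low and high priority respectively because of their preparedness scores, which is the effect the residual risk step is meant to capture.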

4.3.4.3 Developing the Annual Sharī‘ah Audit Plan

Developing an annual sharī‘ah audit plan that would enable the function to realize its purpose and fulfill its responsibilities is a key duty of the head of sharī‘ah compliance. With the previous steps completed, the head would proceed to prepare the plan. Ideally, this exercise would coincide with the yearly planning of business functions and external sharī‘ah audit in order for a harmonized plan to result. The plan would include sharī‘ah audit, advisory, and support activities for the year, and would prioritize them according to their importance. Audits would not be limited to risk-based sharī‘ah audits, but would also include mandatory, follow-up, and stakeholder or management requested sharī‘ah audits. Such audits would help stakeholders better understand issues that were reported in findings. Moreover, the function head would ensure that the plan is flexible enough to accommodate management requests and changes that could occur during the year.9

In setting the plan, numerous factors would be considered, such as sharī‘ah risk assessment results, previous findings, the anticipated value of the activity, business developments, sourcing strategy, resources available, and the time that has elapsed since the last review. The annual plan must thus detail the type, objective, scope, duration, start date, resources, and cost of each activity. It should also include substitute activities in case obstacles arise which interfere with one or more key initiatives. Details of the plan would differ from bank to bank depending on numerous factors, such as size of the bank, its geographical dispersion, number of products, services and processes, complexity of its IT system, and upcoming activities. When planning, the head should not underestimate the time and effort involved in performing advisory and support tasks. These would include participating in employee training, providing secretarial assistance to the SSB, monitoring activities and reporting progress, devising the strategic and annual plans and revising them, cooperating and communicating with stakeholders, such as banking supervisors and the external sharī‘ah audit firm, providing advice to parties, and undergoing developmental activities and improvement projects for the function.

The function head would present the annual plan to senior management for consideration. Management would then share it with their subordinates to ensure that no activities have been missed, and consider any further additional areas where value-added contributions could be made. Thereafter, the plan would be presented to the SSB to provide its opinion, and the BOD for discussion and approval. Engaging senior management enables the function to promote a more collaborative sharī‘ah control culture, offers management an insight into the function’s activities for the year, and facilitates the process of setting dates for tasks. Additionally, consulting with the external sharī‘ah audit firm on the plan before finalizing it would be beneficial. This would likely increase the external sharī‘ah audit firm’s confidence in the work of the function. Finally, the plan would be re-evaluated periodically, and any required changes would be approved and incorporated.

4.3.4.4 Developing the Sharī‘ah Audit Engagement Program

Once the annual sharī‘ah audit plan has been approved, the next stage of planning would be on the individual engagement level for each assignment. Internal sharī‘ah auditors, under the supervision and approval of the function head, would design a program for each engagement with specific objectives that would be either linked to the results of the sharī‘ah risk assessment activity or independent from it. This program, along with supplementary documents, would provide details of the audit, such as the scope, time required, scheduled date, skills required, resourcing strategy (internal vs. external), cost, item(s) and period of examination, nature of the examination and its complexity, the party owning the activity and its corresponding sharī‘ah risk, and procedures that would be followed for the collection, analysis, interpretation, and documentation of information. In preparing this program, sharī‘ah auditors would perform preliminary research and conduct an opening interview with the relevant party to gain a better understanding of the activities of the engagement, its risks, and sharī‘ah controls. Such communication would also be an opportunity to meet key staff, clarify engagement objectives, the scope and duration of the audit, solicit feedback, and ensure access is provided to necessary sites, individuals, systems, data, and reports. A survey could also be performed to enable employees to share their comments anonymously. Auditors should carefully consider risks that could prevent them from achieving the engagement objective(s). Like the annual plan, the engagement program would be adapted during the execution phase, based on the circumstances, so long as the function head approves these changes.

Deciding on whether to source the engagement using internal or external staff necessitates a comparison between the skills and time frame required for performing the assignment, and the competencies, experience, and availability of internal staff. This comparison would also help identify areas where staff would need additional training. While the function head ought to optimize the use of available resources (human, financial, technological, etc.), it is the responsibility of senior management and the BOD to ensure that the function has adequate resources to fulfill its goals and execute its plans. The function head would help senior management and the BOD in fulfilling this responsibility by reporting to them and the SSB resource requirements and gaps that would need to be filled. In terms of staff sourcing, there are several options, including relying on internal staff exclusively, using a combination of internal and external staff, and utilizing external staff for the most part and managing the function using internal staff. Each option has its pros and cons. If a decision is made to outsource to an external sharī‘ah audit firm, then the bank would enter into a written agreement that would clearly specify the engagement details, and any other arrangements and expectations that the bank would have of the firm. Regardless of whether the engagement is outsourced or performed in-house, the head of the function would be responsible for ensuring that its objectives are appropriately satisfied within the scheduled time frame, and adequate supervisory reviews are performed to ensure that findings and recommendations are adequately supported. The head would thus ensure that sufficient policies and procedures exist to assist sharī‘ah auditors in their tasks, and help them make correct decisions.

4.3.5 Engagement Program Execution

In implementing the engagement program, sharī‘ah auditors need to abide by the function’s code of ethics, AAOIFI’s internal sharī‘ah review standard (GSIFI No. 3), other applicable standards, and pertinent policies and procedures, including protocols for the collection, analysis, evaluation, and documentation of information. Such policies and procedures are meant to guide auditors’ work and judgment, as well as maintain a certain level of quality. Sharī‘ah audit information collected needs to be sufficient (factual, adequate, and assuring), reliable (the best that could be obtained using the most suitable techniques), relevant (substantiate findings and recommendations), and useful (helps the bank meet its goals).10 Furthermore, observations made should document the causes of issues, instead of merely pointing them out without befitting analysis and evaluation, in order to create valuable perceptions that would serve as a solid basis for any corrective actions that need be taken. Given the position of the internal sharī‘ah audit function, its independence, objectivity, and holistic understanding of sharī‘ah matters of the bank, it is the most capable entity within the institution to determine root causes of sharī‘ah issues without prejudice. This in a sense obliges the function to fulfill this role, which is valuable as it helps the bank in achieving its objectives. Perhaps the best technique to conduct this analysis is flowcharting, as it would provide a clear picture of the sequence of events and documents generated in the course of an activity. This analysis could sometimes be more complicated than anticipated, or it could require more time or skills than the function is able to offer. In such cases the function head would either request additional resources or recommend that it be outsourced. Besides identifying the root causes, sharī‘ah auditors would also recommend possible courses of action for management to undertake to resolve issues. 
It is the duty of management to evaluate the feasibility of these recommendations, and implement the most suitable alternative. It is advisable for sharī‘ah auditors to meet with the audited activity manager at least once during the engagement to update the person about the progress made and any issues that might have arisen.

Sharī‘ah auditors should be careful not to arrive at conclusions that are not supported by their working papers. The working papers, which establish the extent of compliance with the code of ethics, GSIFI No. 3, and policies and procedures, have extensive coverage of activities starting with planning and ending with follow-up. The working papers afford many benefits. Beyond assisting sharī‘ah auditors in their work, facilitating the auditing process, and outlining the background documents required for engagements, the working papers would be needed for quality assurance, external party evaluations, and assessing engagement objectives. It is the responsibility of the sharī‘ah audit function head to develop policies and procedures for the retention of records that would be compatible with legal and regulatory requirements. It is also important for the head to standardize working papers to enhance the efficiency of the function, and adequately supervise engagements. Appendix 4.2 provides some sample sharī‘ah audit checklists that could contribute towards this effort. Nevertheless, the methodology for executing a single transaction, such as a murabaha, could often differ from one bank to the other. Hence, the function head has to develop or adapt checklists to meet the bank’s needs.

4.3.6 Communicating Findings

Upon completion of the fieldwork, sharī‘ah auditors would prepare their draft report and share it with the internal sharī‘ah audit function head for review before using it as basis for discussion in an exit interview with the manager of the audited activity. In their communications, sharī‘ah auditors would be expected to offer findings that are value adding, accurate (correct, exact, and grounded in reality), objective (unprejudiced), clear (comprehendible, logical, and with sufficient background), concise (brief), constructive (useful and affirmative tone), complete (includes all the necessary and relevant details), and timely (opportune).11 Sharing the draft report and engaging in an exit interview with the audited activity manager before issuing the final report would open a window of opportunity for preliminary results and recommendations to be discussed, misunderstandings to be corrected, clarifications to be offered, and reasonableness of recommendations to be evaluated. Management could ask for permission to review the working papers, and the function head should grant such access.

Once this correspondence has taken place and any changes required to findings and recommendations have been made in light of such discussions, sharī‘ah auditors would prepare the final draft that would be sent to the manager of the audited activity. The latter would then formally respond by agreeing or disagreeing with the findings and recommendations. Moreover, in the response, the manager would outline a detailed action plan that would include the time frame for implementing remedial actions, and specify the individuals who would be responsible for carrying out these actions. The internal sharī‘ah audit function head would then review management’s response, and meet with the SSB or at a minimum the executive member of the SSB to resolve any issues pertaining to the interpretation of sharī‘ah rules. To reiterate, as there is no consistency in the industry, and SSB members could also be responsible for auditing in many cases, then in such a scenario the internal sharī‘ah audit function head would present the final draft of the observations and responses to the SSB for comment and approval.

Thereafter, the internal sharī‘ah audit function head would issue, sign, and send the final report to the chairman and members of the audit and governance committee, while copying in the manager of the audited activity, his supervisor, the CEO, other assurance functions, and the SSB. At this stage there should not be any points of disagreement, as they would have already been resolved with the manager directly or at the meeting with the SSB or its executive member. Besides detailing the purpose and scope of the engagement, the report would include the observations, recommendations, and action plans, and would clearly detail conclusions. In case of engagement non-conformance with the function’s code of ethics, AAOIFI’s internal sharī‘ah review standard (GSIFI No. 3), or other protocols, then the specific breaches, the reasoning behind them, and their impact would be stated in the report. The function could claim that its activities comply with the code of ethics, AAOIFI’s internal sharī‘ah review standard (GSIFI No. 3), and other protocols only if it could demonstrate that results from the sharī‘ah quality assurance program corroborate such a claim. Similarly, if the function head gives an overall opinion, then it must be backed up by solid evidence.

Depending on the function head’s agreement with internal stakeholders on the content of reports, they could be provided with detailed copies of engagement findings, summaries, or both. The frequency of reporting, whether upon completion of work, or on a quarterly basis, and the method for furnishing such reports, would also be agreed upon. If matters require urgent attention, then the function head would not wait until the end of the engagement to report them. Moreover, significant sharī‘ah breaches involving senior management would be separately reported to the SSB, BOD, and, depending on protocol, banking supervisors. Besides reporting on engagements and outsourced activities, the function head would also periodically report on the internal sharī‘ah audit charter, and the function’s performance relative to the annual plan. This is necessary in order to update stakeholders about progress, highlight any variations from the plan, clarify reasoning for these variations, and detail any actions that have been or are to be taken. In this vein, it would be important for the function head to develop the format of reports and protocols for their distribution, taking into account stakeholders’ expectations. Banking supervisors and the external sharī‘ah audit firm would require access to reports and records, and the function head should ensure compliance with policies and procedures when providing such access. If other external parties require access and the function head has doubts about granting them such access, then the head would consult with legal counsel. Finally, communication policies should be assessed periodically to determine whether they need modification.

4.3.7 Following Up and Post-Engagement

The internal sharī‘ah audit function’s engagement work would also include following up on sharī‘ah recommendations that it, the SSB, external sharī‘ah audit, and banking supervisors have made, and to verify that management has satisfactorily taken necessary corrective actions within the required time period. High-level policies and procedures for conducting this monitoring, escalating matters, and documenting such work would need to be drafted by the function head. These details would then be customized for each engagement based on the circumstances by taking into account specifics, such as the priority of the risk, complexity of recommended actions, costs involved, time requirements, and other factors that could have an impact. This entails that in certain instances follow-up be more regular than in others. Moreover, it could mean that an activity be halted until its associated problems are remedied. Sharī‘ah auditors along with the function head would evaluate the action plan suggested by management, in response to recommendations offered, to determine its adequacy. The proposed plan along with the function’s analysis of it, if found to be satisfactory, would be presented to the SSB to provide its opinion, to ensure that no sharī‘ah aspects have been neglected. Should the plan be sound, then management would proceed with implementation and report on progress periodically. Similarly, the function would report to senior management, the BOD, and the SSB regarding these developments. Finally, to ensure that the function learns from each of its engagements, it should develop a system for soliciting feedback. This would be helpful in evaluating clients’ satisfaction level, identifying shortcomings, and discovering areas for improvement. An online questionnaire could be a mechanism for gathering feedback. This information would then be analyzed to derive lessons and improve the performance of the function.

4.3.8 Sharī‘ah Audit Quality Assurance Program

In order to verify that the duties of the internal sharī‘ah audit function are being performed in an effective and efficient manner in line with the function’s prescribed policies and procedures, code of ethics, and AAOIFI’s internal sharī‘ah review standard (GSIFI No. 3), the function head is required to design a program that would integrate sharī‘ah quality assurance into the entire activities of the function. The program, which would be reviewed annually and would require the commitment of function staff, would also examine the appropriateness of the internal sharī‘ah audit charter and risks facing the function, and the adequacy of the sharī‘ah audit universe. It would also assess the extent to which the function adds value by improving the internal sharī‘ah control and risk management systems, governance measures, and sharī‘ah compliance of the management information system and the bank.

The sharī‘ah audit quality assurance program would arrive at its objective through internal and external assessments. Internal assessments would judge quality effectiveness through monitoring and periodic self-evaluations. The function head would integrate unbroken monitoring of processes within procedures through the supervision of engagement planning and execution tasks, as well as the preparation and endorsement of working papers and reports. Other techniques could also be used, such as completing a checklist to verify conformity with procedures, recording time spent on different activities, and soliciting client feedback. This monitoring would be complemented with periodic self-evaluations at the engagement and function levels. These self-evaluations would help the function to establish areas for improvement and devise a well-defined action plan for implementation. The self-evaluations would assess the function’s conformity with GSIFI No. 3, the code of ethics, the internal sharī‘ah audit charter, and policies and procedures. A sharī‘ah conformity scale should be developed for this purpose. This scale would take into account the objectives of each activity, criteria for each objective, and quality assurance process for each criterion. The self-evaluations would also serve to determine the adequacy of the aforementioned items as well as of supervision, in addition to appraising performance and the value addition provided to the bank. The self-evaluations could be effected by undertaking stakeholder surveys, conducting interviews, comparing performance measures against benchmarks, juxtaposing function activities with intended objectives, and inspecting working papers. Overall, the pronged approach to internal assessment would contribute towards a fairly extensive appraisal.

Although internal assessments are beneficial, they are insufficient as they lack an independent evaluation provided by an external party. To supply this missing assurance, a qualified independent external assessor would be hired to perform an external assessment of the effectiveness, efficiency, and conformity with standards of the entire activities of the function. It is industry practice to conduct this external quality assessment every five years. Such an external party would only be able to produce a competent and objective appraisal if it understands the duties as well as the practices of internal sharī‘ah audit, and has experience in performing these evaluations. The head of internal sharī‘ah audit would agree with the audit and governance committee on the frequency of this external evaluation, the criteria of the evaluating party, and the budget for conducting such an assessment. Results of the external assessment and periodic self-evaluations of the internal sharī‘ah audit function would be reported to the BOD, SSB, and senior management after completion. Those relating to monitoring, however, would be communicated at least once a year. The head of the function would elaborate in such communication on how recommendations would be translated into an action plan.

4.4 Proficiency and Due Professional Care of ISAF Staff

In order to perform their responsibilities adequately in a competent manner, employees of the internal sharī‘ah audit function need to possess a minimum level of qualifications, skills, experience, ethics, and character. It is the duty of the head of the function to determine these minimum requirements in consultation with the human resources department, SSB, and the BOD. A question that could arise regarding academic qualifications is whether a bachelor’s degree in accounting would be more suitable for this position than a bachelor’s in sharī‘ah. The response to this question is that both disciplines are crucial to the position, and it depends on the extent of training and experience that the candidate would have acquired post-graduation. For instance, a sharī‘ah graduate lacking proper training in accounting and auditing would not be able to perform this role with proficiency. This is similarly the case for an accounting graduate who has not been aptly trained in the fundamentals of Islamic banking and the precepts of sharī‘ah that govern the multitude of Islamic banking activities. Ideally, the individual would be a holder of relevant professional certifications such as AAOIFI’s Certified Sharia Adviser and Auditor (CSAA), Certified Islamic Professional Accountant (CIPA), and the Institute of Internal Auditors’ Certified Internal Auditor (CIA). Having these academic credentials has to be coupled with upright character and sufficient work experience in the field to ensure that the person has practical knowledge of processes and issues involved, and a successful track record of conducting the required activities. Regulators could also issue “fit and proper” criteria for the internal sharī‘ah audit function head and staff, similar to those issued for SSB members. For instance, the Omani regulator requires the head of the function to be a full-time employee who fulfills the qualifications for SSB members with certain exemptions.

Just as it is necessary for a sharī‘ah auditor to be conversant with the technical requirements of the job, the person has to be fluent in the languages spoken in the jurisdiction where the bank operates. For example, in the Arabian Gulf countries, it is not uncommon to find contracts written in Arabic only, whereas most of the internal communications of the bank would be conducted in English. Thus, a sharī‘ah auditor who is fluent in Arabic but not English would not be able to perform duties in an optimal manner. The function head in coordination with the human resources department would ensure that only qualified employees are hired. Moreover, employees would be assessed on an annual basis, notified of their strengths and weaknesses, and provided with opportunities to develop their personal and professional capabilities. If the function’s staff is found not to collectively have the capabilities required to perform certain tasks, then the function head would communicate vulnerabilities to senior management, the BOD, and SSB in order to resolve matters.

Sharī‘ah auditors are presumed to demonstrate due professional care in performing their duties with integrity and good faith in accordance with the code of conduct and ethics, as well as the standards of the profession. In other words, they should fulfill their responsibilities in line with the performance expectations of any other reasonably skilled and prudent sharī‘ah auditor faced with similar circumstances. To exercise such diligence and care, they must take into account a host of factors including the degree of complexity of each task. Sharī‘ah auditors must also employ professional skepticism in their work whereby they would critically question those involved, and objectively evaluate evidence to arrive at professional judgments.

4.5 Professional Sharī‘ah Audit Body

AAOIFI currently serves as the professional body for sharī‘ah auditors. However, there are concerns that it has not been doing enough for this category of members – possibly due to the organization being engaged in so many different activities. This weakness in serving sharī‘ah auditors could be especially evident when the efforts of AAOIFI are compared to those of the Institute of Internal Auditors or other similar professional bodies that have local chapters in multiple jurisdictions. To better support sharī‘ah auditors, AAOIFI should reassess its activities in this regard and consider offering continuous training opportunities.

4.6 Sharī‘ah Governance Manual

Each bank must have its own sharī‘ah governance manual that addresses its internal arrangements instituted to establish sharī‘ah-compliant banking activities. This cardinal document describes the bank’s sharī‘ah governance arrangements and outlines key policies and procedures that will be adhered to by employees and others associated with these structures. To this end, we have developed a sample manual (Appendix 4.1) that could be modified by banks to cater to their specific needs.
