Improving the Shari’ah Audit Function in Islamic Financial Institutions


As Islamic Financial Institutions (IFIs) grow rapidly, it is pertinent to look at the components of their overall corporate governance that require more clarity and robustness from a Shari’ah perspective. The Internal Shari’ah Audit Function is one such area. Several financial regulators, sensing this need, have developed basic principles addressing the issue briefly under Shari’ah governance frameworks.

Internal Shari’ah audit is an independent review of the financial and non-financial activities of an IFI, conducted to express an opinion on its adherence to Shari’ah guidelines and principles and, in case of non-compliance, to suggest remedial / consequential measures.

The purpose of the Internal Shari’ah Audit department is to ensure that the system of internal control for Shari’ah Compliance is conceptually sound and effective in implementation, so as to ensure that the goals and objectives for Shari’ah compliance are achieved.

Reporting Line and Structure of Internal Shari’ah Audit Department

Independence is an essential prerequisite for the credibility of an internal Shari’ah Audit Department. The structure and reporting line of Internal Shari’ah Audit play a vital role in ensuring independence. Interestingly, there is no consensus in the Islamic Finance industry regarding the reporting line of internal Shari’ah audit.

In some jurisdictions, the Head of Internal Shari’ah Audit reports functionally to the Shari’ah Supervisory Board (SSB) and administratively to the CEO or Head of Islamic banking. Regulators, such as those in Malaysia and Oman, have adopted this perspective. However, such an arrangement could arguably lead to conflict of interest, and the independence of internal Shari’ah audit may face negative pressures.

In contrast, AAOIFI requires that the Head of Internal Shari’ah Audit should be responsible to the Board of Directors. This is similar to the reporting line with respect to the head of Internal Audit.

Furthermore, depending upon the size of an IFI, AAOIFI allows internal Shari’ah audit to be an independent division or part of the internal audit department. A similar approach is adopted in the State Bank of Pakistan’s Shari’ah Governance Framework which allows Islamic Banks to have a separate Shari’ah Audit Department or it may function as part of the Internal Audit Department with a limitation that the internal Shari’ah Audit staff members are dedicated only to Shari’ah audits.

There is a further debate as to whether having a dedicated separate Internal Shari’ah Audit Department secures the inherent purpose of its existence, i.e. examining and assessing the adequacy and effectiveness of internal Shari’ah controls. The worry is that the Head of the Internal Audit Department may not give due weight to Shari’ah compliance issues, as he/she will be guided by conventional auditing assessment criteria and a different mindset, and may give undue weightage to concepts such as ‘Materiality’ over Shari’ah compliance. The proponents argue that the existence of a separate internal Shari’ah audit function, with its Head reporting directly to a Board Audit Committee (BAC) rather than to the Head of the Internal Audit Department, will improve its effectiveness.

Taking into account the sensitivity of this area, it is suggested that an IFI should have an independent Internal Shari’ah Audit unit in order to ensure adequate and effective Shari’ah controls. Independence can be assured through reporting either directly or indirectly to the BAC.

What are the main functions of the Internal Shari’ah Audit Department?

The work of the Internal Shari’ah Audit Department encompasses a review of the adequacy and effectiveness of internal Shari’ah controls, in an attempt to ascertain whether the system of internal controls put in place by management provides reasonable assurance as to effective compliance with Shari’ah rules and principles.

This is accomplished through independently creating a control environment to eliminate non-Shari’ah compliance risk in generating deposits, executing financing transactions, presentation of information, and distribution of profits to the customers.

An internal Shari’ah audit assesses non-Shari’ah compliance risk in relation to compliance with fatawa issued by the Shari’ah Board of the IFI, AAOIFI Shari’ah standards, where applicable, and other relevant guidance, including that issued by the central bank. The Internal Shari’ah Audit team is also expected to evaluate Shari’ah governance policies and to assess Shari’ah non-compliance risk in relation to core banking and other IT systems used by the bank, including but not limited to profit distribution.

What are the responsibilities of the Shari’ah audit to the SSB, Shari’ah advisor, BOD and management?

Internal Shari’ah Audit is primarily responsible for reviewing activities of the IFI and assessing the effectiveness and adequacy of internal controls regarding adherence to Shari’ah guidelines. Shari’ah auditors may seek guidance from the SSB when finalizing their scope and methodology. If the auditor finds any material non-compliance, it should be communicated to the SSB for its opinion.

To maintain independence, the Shari’ah auditors should report to the Board Audit Committee (BAC), either directly or through the Internal Audit Department, while obtaining guidance on Shari’ah issues from the SSB. They should also submit their material Shari’ah audit findings to the Board of Directors. Remedial measures for any contraventions suggested by the SSB or BAC should be shared with management and the departments responsible for Shari’ah compliance of products.

What are the main differences between the internal Shari’ah audit and the Shari’ah compliance function?

Internal Shari’ah audit is primarily responsible for periodic reviews. It assesses the adequacy and effectiveness of internal controls pertaining to adherence to Shari’ah guidelines issued by either the Central Bank or the Shari’ah Supervisory Board. It usually works either under the Internal Audit Department or as a separate unit which reports directly to the BAC to maintain its independence.

Shari’ah compliance is an ongoing process of monitoring the bank’s overall activities pre and post execution. It aims at ensuring compliance with Shari’ah rules and regulatory frameworks. In addition, guidance is provided on all pertinent Shari’ah matters before and during the transaction. The Shari’ah compliance functions are led by the SSB. The Shari’ah compliance function, amongst other duties, prepares agenda items for SSB meetings, records and issues meeting minutes, and communicates guidelines and Fatawa. Training and research can also be a part of the Shari’ah compliance function.

Audit Methodology in Shari’ah Audit

Shari’ah audits help an IFI to achieve its strategic and operational objectives and meet its governance responsibilities. This is done by providing independent assurance on the adequacy and effectiveness of its risk management processes and its systems of internal control.

The Shari’ah Audit methodology should drive consistency in audit work by using the following guiding principles:

  • establishing clear accountability at all levels throughout the audit process;
  • sharing best practice;
  • meeting regulatory & Shari’ah requirements;
  • understanding the Business’s risk appetite, customers, operating risks and objectives, and giving advice that is commercial, pragmatic (i.e. advice is cost-effective and practical) and Shari’ah compliant;
  • using a dynamic risk-assessment process covering the audit universe;
  • auditing similar processes, products, and functions consistently across the bank;
  • working in partnership with other assurance providers (internal and external);
  • using the right skills and resources for the audit assignment;
  • using end-to-end and integrated audits where practical;
  • applying the methodology efficiently and effectively; and
  • meeting minimum standards for auditing the key business risks and controls.

What is Risk Based Shari’ah Audit?

A Shari’ah auditor’s work should be risk-based, unless directed by Regulators or the Audit Committee. The risk assessment process should allow the Shari’ah auditor to develop an audit plan focussing on the areas of highest Shari’ah non-compliance risk. This will permit prioritizing mandatory audits (e.g. those required by Regulators/Shari’ah Board) and audits of highest risks within each function of the organization.

Each auditable area is an audit subject. The Shari’ah auditor will need to assess each subject according to the risk model developed by the IFI.

The internal risk model of an IFI should determine the level of risk in the audit subject. Several factors are weighted and scored for each subject. The overall score indicates whether the audit subject has a high, medium or low inherent risk. The rationale for each assessment must be recorded and evidence retained with the audit plan.

For Shari’ah auditors it is important that an overriding element relating to Shari’ah non-compliance be added to the risk model. The assessment of Shari’ah non-compliance risk should be given the highest weightage in the overall risk model and should be carried out before other areas of the risk model are assessed. This will help Shari’ah auditors to focus only on those areas that are exposed to significant Shari’ah risk and then rank them according to the other associated risks listed below.

  • credit;
  • market;
  • business/strategic;
  • transaction, people and process;
  • systems;
  • reputation/regulation; and
  • customer.

What are the areas of focus in a Shari’ah audit?

The following areas are normally neglected by Shari’ah audit teams, and it is therefore suggested that they be given focus, as they may lead to the identification of major Shari’ah non-compliance risks:

  • Main functions such as IT system audits, financial information disclosure, impact of accounting entries and pool management.
  • It is also recommended that Shari’ah Audit conduct visits and ground checks to reasonably assure that transactional documents truly reflect the actual occurrence of events on the ground, including third party verifications if recommended by the Shari’ah authority of the IFI.
  • In cases of non-performing financing and the closure of financing relationships, the settlement process should accord with Shari’ah guidelines.
  • When selecting an audit sample for the adequacy control, the Shari’ah auditor should include transactions which are not executed to eliminate any non-Shari’ah compliance risk to prevent loss and add value.
  • Non-financial aspects must also be checked, such as the level of training / understanding of employees.


Mr Zia Akhtar is a Chartered Certified Accountant (ACCA) and Certified Internal Auditor (CIA) with more than 15 years of experience in the field of audit and training. He is currently working as Shariah Auditor with Faysal Bank Pakistan and also holds a PGD in Islamic banking. Mr Akhtar has been instrumental in contributing to the skills of auditors and Islamic finance professionals in Pakistan and abroad. His areas of interest include Risk based auditing and establishing Shariah Control clusters. Mr Akhtar is also serving as a member of the working group at AAOIFI Bahrain for developing Internal Shariah Audit standards.

