2017-06-15 | 127585

Rules for Forming Internal Control and Internal Audit Systems in Banks and Non-Bank Financial Credit Organizations Regulated by the National Bank of the Kyrgyz Republic

The National Bank of the Kyrgyz Republic issued regulations mandating that banks and regulated financial credit organizations establish comprehensive internal control and audit systems to ensure corporate governance, risk management, and regulatory compliance. These rules require the Board of Directors to actively monitor management performance and risk appetites while enforcing strict separation of duties to prevent conflicts of interest and fraud. The document further details specific operational controls, including pre-transaction, ongoing, and post-transaction checks, as well as rigorous requirements for information security and Shariah compliance auditing.


Kyrgyzstan

National Bank of the Kyrgyz Republic


Creation date: 2025-09-16

Appendix to the Resolution of the Board of the National Bank of the Kyrgyz Republic of June 15, 2017 No. 2017-P-12/25-3-(NPA)

RULES

for the formation of an internal control and internal audit system in banks and non-bank financial credit organizations licensed and regulated by the National Bank of the Kyrgyz Republic

(In the edition of the Resolutions of the Board of the NB KR of August 14, 2019 No. 2019-P-12/42-1, August 17, 2022 No. 2022-P-33/52-3, April 12, 2024 No. 2024-P-12/17-2, July 5, 2024 No. 2024-P-12/28-2-(NPA), September 12, 2025 No. 2025-P-12/46-1-(NPA))

  1. General Provisions

  2. These Rules for the formation of an internal control and internal audit system in banks and non-bank financial credit organizations licensed and regulated by the National Bank of the Kyrgyz Republic (hereinafter referred to as the "Rules") establish requirements for organizing an internal control and internal audit system in banks and microfinance companies authorized to attract deposits, including banks and microfinance companies conducting operations in accordance with Islamic principles of banking and financing or having an "Islamic window," in JSC "Financial Company of Credit Unions," guarantee funds (hereinafter referred to as the "Bank"), licensed and regulated by the National Bank of the Kyrgyz Republic (hereinafter referred to as the "National Bank").

(In the edition of the Resolution of the Board of the NB KR of August 17, 2022 No. 2022-P-33/52-3, July 5, 2024 No. 2024-P-12/28-2-(NPA))

  1. The purpose of the Rules is to define requirements for the formation of an internal control system in the Bank, ensuring effective control by the Board of Directors and the Management Board of the Bank over the Bank's activities and financial condition, including by ensuring:
  • proper corporate governance practices and an appropriate level of business ethics and culture;
  • compliance by the Bank and its employees with the requirements of the legislation and normative legal acts of the Kyrgyz Republic;
  • compliance by the Bank and its employees with the requirements of the Bank's policies and other internal documents;
  • effective risk management by the Bank through timely identification, measurement, control, and monitoring to ensure the Bank's capital corresponds to the level of risks it assumes;
  • timely detection and elimination of deficiencies in the Bank's activities and those of its employees;
  • creation of adequate mechanisms in the Bank to address unforeseen or emergency situations.
  1. The following terms are used in the Rules:

Internal Audit is an activity (an independent expert function) for checking and assessing the sufficiency (adequacy) and effectiveness of the Bank's internal control system, carried out by an independent internal audit service created to conduct internal audits and assist the Bank's governing bodies in ensuring effective and safe functioning of the Bank based on an objective assessment and recommendations for improving the Bank's internal control system.

Internal Shariah Audit is an activity (an independent expert function) of an independent authorized structural subdivision for internal Shariah audit (or an authorized auditor) (hereinafter – the Internal Shariah Audit Service), created to conduct internal audits and assist the governing bodies and the Shariah Council of the Bank in ensuring effective Shariah governance of the Bank based on an objective assessment and recommendations for improving the Bank's internal control system, regarding the checking and assessment of the sufficiency (adequacy) and effectiveness of the Bank's internal control system concerning the Bank's operations and activities conducted in accordance with Islamic principles of banking and financing.

Internal Control for Compliance with Shariah Standards – a continuous process conducted by the Bank to ensure the orderly and effective implementation of operations and activities conducted in accordance with Islamic principles of banking and financing, in accordance with the requirements of the legislation of the Kyrgyz Republic, the Bank's internal documents, and Shariah standards.

Internal Control – a continuous process conducted by the Bank to ensure the orderly and effective implementation of activities in accordance with the requirements of the legislation of the Kyrgyz Republic and the Bank's internal documents.

Bank's Internal Control System – a complex (system) of interrelated control measures at all levels of management and areas of the Bank's activity to ensure the achievement of goals and the organization of safe Bank activities.

Conflict of Interest – a situation where a contradiction arises between the personal interest of the Bank's officials and/or its employees and the proper performance of their official powers or the property and other interests of the Bank and/or its employees and/or clients, which may lead to the emergence of risks of adverse consequences for the Bank and/or its clients.

(In the edition of the Resolution of the Board of the NB KR of September 12, 2025 No. 2025-P-12/46-1-(NPA))

  1. Organization of the Internal Control System

  2. The organization of the risk management system is formed in accordance with the requirements of the Regulation "On Minimum Requirements for Risk Management in Banks of the Kyrgyz Republic" dated June 15, 2017 No. 2017-P-12/25-8-(NPA) and "On Minimum Requirements for Risk Management in Banks Conducting Operations in Accordance with Islamic Principles of Banking and Financing" dated July 18, 2018 No. 2018-P-12/30-3-(BS).

(In the edition of the Resolution of the Board of the NB KR of September 12, 2025 No. 2025-P-12/46-1-(NPA))

  1. The Bank's internal control system must allow the Bank to continuously identify and assess risks that may adversely affect the achievement of the Bank's activity goals.

  2. The Bank's internal control system must include the following components:

  • an appropriate organizational structure of the Bank, providing for the competence, separation of powers, and responsibility of governing bodies, structural subdivisions, and officials of the Bank, as well as the Bank's remuneration system;
  • an appropriate internal information system and management information system, enabling timely decision-making and ensuring information security;
  • continuous monitoring of the risk management system and risk assessment;
  • appropriate internal control procedures;
  • periodic self-assessment of the internal control system to identify its deficiencies and improve it.
  1. Internal Control is aimed at achieving the following goals by the Bank:
  • efficiency and effectiveness of activities, efficiency of asset and liability management, ensuring the safety of assets, effective risk management;
  • ensuring the accuracy, completeness, objectivity, and timeliness of the preparation and presentation of financial, regulatory, and other reporting for internal and external users;
  • compliance with the legislation of the Kyrgyz Republic and the Bank's internal documents.
  1. The Parent/Banking Holding Company of a banking group is obliged to organize an internal control system in the banking group on a consolidated basis in such a way as to ensure the timely receipt of information about the activities of the participants of the banking group for the purpose of assessing the effectiveness of the activities of such participants and their compliance with the requirements of legislation and internal documents.

  2. The Board of Directors of the Bank is obliged to ensure the proper organization and functioning of the Bank's internal control system and, for the effective performance of assigned duties, must monitor and control risk management issues, the activities of internal audit, internal Shariah audit, and compliance control services, compliance with the requirements of the legislation of the Kyrgyz Republic and internal documents of the Bank, including through authorized Committees on these issues.

(In the edition of the Resolution of the Board of the NB KR of September 12, 2025 No. 2025-P-12/46-1-(NPA))

  1. The Board of Directors of the Bank monitors, controls, and evaluates the activities of the Management Board of the Bank. The Board of Directors of the Bank conducts the following activities:
  1. for the purpose of monitoring, controlling, and evaluating the activities of the Management Board of the Bank, it approves criteria for evaluating the activities of the Management Board of the Bank, which include, but are not limited to the following:
  • compliance of the Bank's activities with internal documents (policies) of the Bank;
  • stability of the Bank's financial condition;
  • efficiency of banking operations;
  • quality of the Bank's work in considering client appeals arising in the process of providing banking services;
  • compliance with the requirements of the legislation of the Kyrgyz Republic;
  1. monitors and controls the compliance of the professional level of the Management Board of the Bank with the types, level of complexity of the Bank's activities, and its risk appetite;

  2. receives management information and hears the report of the Management Board of the Bank on the results of activities, which must contain sufficient/comprehensive information on the following issues (but not limited to them):

  • about the achievement by the Management Board of the Bank of the goals established in the Bank's strategy, indicating the reasons, if any, hindering their achievement;
  • about the assessment of internal and external conditions of the functioning of the Bank and organizations under its control and their changes;
  • about the compliance of the Bank's activities with the strategy and policies approved by the Board of Directors of the Bank;
  • about the level of stability/volatility of the Bank's profitability;
  • about the Bank's profitability, in terms of establishing whether it is the result of implementing the Bank's strategy or the result of Bank operations that increase short-term profitability but cause risk in the long term;
  • about the state of internal control in terms of its ability to allow the Management Board of the Bank to identify in a timely manner incorrect, incomplete, or unauthorized operations, deficiencies in activities to ensure the safety of assets, errors in the formation of financial and regulatory reporting, and violations of internal documents of the Bank and the legislation of the Kyrgyz Republic, and to prevent conflicts of interest, internal abuses, and fraud regarding affiliated structures;
  • about the effectiveness of the Bank's risk management system;
  • about the state and sufficiency of internal models and information systems for managing the Bank and its risks, their ability to effectively carry out the identification, measurement, assessment, and management of risks inherent in the Bank, indicating, if necessary, the need for their optimization;
  • about the assessment of the sufficiency of the Bank's capital to maintain its risk appetite and strategy;
  • about the state of financial reporting in terms of reflecting a complete, accurate, and reliable assessment of the Bank's financial condition;
  • about the control and monitoring of the provision of regulatory reporting to the National Bank in terms of timeliness, accuracy, and completeness;
  • about the compliance of the results of activities and the current risk appetite with the permissible level of risk defined in the Bank's strategy;
  • about the timeliness, completeness, and quality of the elimination by the Management Board of the Bank of violations and deficiencies identified by the compliance control service, internal auditor, internal Shariah auditor, external auditor, authorized structural subdivision for control of compliance with Shariah standards, and banking supervision bodies;

(In the edition of the Resolution of the Board of the NB KR of September 12, 2025 No. 2025-P-12/46-1-(NPA))

  • about the execution by the Management Board of the Bank of recommendations from compliance control, risk management, internal audit, internal Shariah audit services, as well as external audit, the authorized structural subdivision for control of compliance with Shariah standards, and banking supervision bodies.

(In the edition of the Resolution of the Board of the NB KR of September 12, 2025 No. 2025-P-12/46-1-(NPA))

Depending on the results of a comprehensive discussion and assessment, the Board of Directors of the Bank makes appropriate decisions on each issue aimed at improving the Bank's activities and ensuring the financial stability of the Bank, indicating the need to develop and/or implement specific measures, responsible persons, and deadlines for their implementation, and assigns the relevant authorized person(s) to carry out monitoring and control of the execution of the Board of Directors' decisions.

  1. An appropriate control environment is established for all structural subdivisions of the Bank, branches, and subsidiary companies of the Bank.

  2. An effective internal control system must ensure constant identification (detection), assessment of risks accompanying the Bank's activities, and the adoption of adequate and timely measures to minimize risks. The internal control system must be adjusted as any new or previously uncontrolled risks are identified (for example, due to the introduction of new financial services and products, etc.).

  3. Control measures include a set of control actions and responsibilities of all levels of management and execution of the Bank's operations and must ensure appropriate control over the distribution of powers and duties in the conduct of the Bank's operations and transactions.

Control actions must be an integral part of the daily actions of all Bank employees and be reflected in all Bank operations.

  1. Requirements for Internal Control Procedures

  2. Internal documents containing internal control policies, methodologies, and procedures must be developed and approved in the Bank. These documents must be consistent, have an appropriate degree of detail according to the scale and complexity of the Bank's activities, and be applied uniformly in all its subdivisions.

The specified internal documents must be assessed at least once a year in light of significant changes in the Bank's activities and condition, and, based on the assessment results, appropriate adjustments must be made if necessary.

  1. To ensure the effectiveness of control measures, the Management Board of the Bank carries out:
  • timely dissemination of relevant internal documents (policies, procedures) to those Bank employees who must use them in the process of their work;
  • organization of training for Bank employees on relevant internal control procedures of the Bank. Training includes explaining the interrelationship between the performance of individual duties of each employee and the general tasks provided for in the Bank's policy.
  1. The Bank is obliged to carry out preliminary control before the actual completion of banking and other operations (transactions) and uses the following types of internal control:
  • in the field of selection of Bank officials subject to approval by the National Bank, through careful analysis of qualifications and professional experience in the financial-economic and/or legal sphere necessary to perform specific work (official duties), and selection of the most prepared and qualified specialists with impeccable reputation from among candidates;
  • in the field of attracting and placing funds through preliminary analysis of the efficiency of operations conducted by the Bank by determining optimal means and methods for their implementation in order to prevent or limit possible losses;
  • in the field of material resources by providing the Bank with the necessary technical means, equipment, modern automated information systems, and technologies based on the financial capabilities of the Bank and in accordance with the Bank's internal documents;
  • in the field of separation of duties and powers through the development and approval of uniform internal documents defining methodologies, procedures, order of conducting banking and other operations (transactions), tasks, functions, and powers of subdivisions (business lines, business processes) and their heads, job descriptions of employees, as well as establishing and regularly reviewing limits and other restrictions;
  • in other areas defined in the Bank's internal documents.
  1. Ongoing control over banking and other operations (transactions) carried out and other activities, compliance with established procedures for making decisions on the implementation of banking and other operations (transactions), and established document flow is carried out during the Bank's operating day in the process of the employee performing their assigned duties. Ongoing control is conducted to prevent deviations from the requirements of legislation and internal documents of the Bank, and to ensure the timely and accurate reflection of banking and other operations (transactions) in accounting, the targeted use of funds, and the safety of the Bank's property.

  2. Subsequent control is carried out after the completion of banking and other operations (transactions). In the process of subsequent control, the following are checked: the justification and correctness of the completion of operations (transactions), compliance of documents with established forms and requirements for their formatting, compliance of duties performed by employees with their job descriptions, and compliance with established procedures for checking, approving, and certifying documents. In addition, the effectiveness of ensuring information security is evaluated, the distribution of duties among employees is analyzed, causal relationships of violations and deficiencies are identified, measures to eliminate them are determined, and planned and forecasted indicators are adjusted.

The procedure for carrying out preliminary, ongoing, and subsequent control must be established by the Bank in internal documents in accordance with the specifics of the tasks being solved.

  1. Control actions include at least the following:
  • control carried out by the Board of Directors/Management Board of the Bank, by requesting reports and information on the results of activities of structural subdivisions, explanations by heads of structural subdivisions for the purpose of identifying deficiencies in internal control, violations, errors;
  • control carried out by the Shariah Council, by receiving reports from risk management services, internal Shariah audit, and the authorized structural subdivision for control of compliance with Shariah standards;

(In the edition of the Resolution of the Board of the NB KR of September 12, 2025 No. 2025-P-12/46-1-(NPA))

  • control actions carried out by heads of structural subdivisions of the Bank, by checking reports of subordinate employees on a constant and periodic (daily, weekly, and/or monthly) basis;
  • physical presence control, carried out by checking restrictions on access to material assets (cash, securities, etc.), counting material assets, separation of responsibility for storage and use of material assets, ensuring security of premises for storing material assets;
  • legal control, carried out by expert assessment of contractual relations in banking and other operations (transactions) and other activities;
  • verification for compliance with established limits;
  • a system for approving and sanctioning operations and transactions, checking their proper reflection in accounting and reporting;
  • technological control, carried out in the process of preparing and implementing banking and other operations (transactions) and other activities in automated mode by checking compliance with relevant technical codes and standards in the field of information systems and information technologies;
  • monitoring the activities of the service provider organization under an outsourcing agreement;
  • checking compliance with the Bank's policies and procedures in the conduct of the Bank's operations and transactions.
  1. Control actions within the framework of the separation of duties must contribute to the exclusion of conflict of interest and conditions for its occurrence, the commission of unlawful actions, as well as preventing the provision to the same structural subdivision or employee of the opportunity:
  • to carry out banking operations and other transactions and simultaneously reflect them in accounting;
  • to sanction the payment of funds and carry out their actual payment;
  • to assess the accuracy and completeness of documents presented when issuing a loan, and to monitor the repayment of the loan;
  • to carry out actions in any other areas of activity where a conflict of interest may arise.
  1. Spheres of potential conflicts of interest must be defined, minimized, and subject to independent tracking.

  2. To ensure the separation of responsibility in making any decisions and in conducting operations, and thereby ensure protection against fraudulent actions, no employee should conduct operations from start to finish (for example, an employee responsible for approving a loan should not be allowed to conduct the cash operations for issuing the loan, and an employee sanctioning the conduct of an operation should not carry out the reconciliation of balances for this operation with the general ledger).

  3. The internal control system must be provided with qualified specialists, necessary information systems, and software-hardware means allowing the collection, processing, analysis, transmission, and protection of information used for internal control.

The Bank must carry out constant analysis of existing information systems for their ability to ensure the functioning of the internal control system in accordance with the requirements established by these Rules, and timely carry out the necessary refinement (updating) of these systems or implement new ones.

  1. The procedure for control over management and ensuring safe information flows, including the procedure for protection against unauthorized access and dissemination of confidential information, as well as against the use of confidential information for personal purposes, is established by internal documents of the Bank taking into account these Rules and applies to all areas of activity and operations of the Bank. For this, the Bank must:
  1. possess adequate and comprehensive financial and other necessary data in operational mode, as well as possess information about events and market conditions that may affect decision-making by the Bank's management;

  2. ensure internal control over automated information systems and technical means, including:

  • general control of automated systems, which provides for control of computer systems (control over the main computer, client-server system, end-user workstations, etc.), conducted for the purpose of ensuring uninterrupted and continuous operation. General control consists of the Bank's procedures for data backup (copying) and for restoring the functions of automated information systems, support during the use of automated information systems, including determining rules for the acquisition, development, and maintenance (support) of software, and the procedure for controlling the security of physical access;

  • software control, which is carried out by automated procedures built into application programs, as well as manually carried out procedures controlling the processing of banking operations and other transactions (control editing, control of logical access, internal procedures for data backup and restoration, control of the creation of transit accounts (accounts where funds are temporarily stored), control of records manually deleted in information systems, etc.).

(In the edition of the Resolution of the Board of the NB KR of April 12, 2024 No. 2024-P-12/17-2)

  1. Control over the timeliness, accuracy, and sufficiency of the Bank's financial information requires checking at least the following:
  • the accounting system in the Bank for compliance with International Financial Reporting Standards and the requirements of the legislation of the Kyrgyz Republic;
  • in