2004-11-04
The Reserve Bank issued Guideline No. 01-2004/BSD to establish comprehensive corporate governance standards for all licensed banking and non-banking financial institutions. The directive mandates specific board compositions, including a majority of independent non-executive directors and the separation of chairperson and chief executive officer roles, while requiring robust risk management, compliance functions, and internal audit systems. It further enforces strict fiduciary duties, conflict of interest disclosures, quarterly board meetings, and transparent financial reporting to ensure institutional soundness, protect depositors, and strengthen market discipline.
In line with the objectives and commitments enshrined in the mid-term Monetary Policy Statement regarding the issuance of certain guidelines to the Banking Sector and the public at large, I hereby issue two guidelines as follows:
Preface
1 Introduction

1.1 Public confidence is the cornerstone of a stable banking system. As the custodian of public funds, the management of a banking institution must exhibit impeccable integrity and professionalism in their conduct so as to engender public confidence in the safety of their deposits. With the broadening and deepening of the country's financial infrastructure, the need for an effective board of directors to assume full responsibility for the overall management of each and every banking institution is more crucial now than ever before.

1.2 Because of a bank's special position of trust in the national economy, corporate governance is a matter of paramount importance. Banks are highly leveraged institutions, with most of their funds coming from depositors and creditors. They provide basic financial services to the public, financing to commercial enterprises, and access to the payments system. Increasing globalisation of financial markets, the emergence of conglomerate structures, technological advances and innovations in financial products have added to the complexity of risk management in the banking sector. For these reasons, the quality of corporate governance expected of banking institutions is high.

1.3 Corporate governance refers to the processes and structures used to direct and manage the business and affairs of an institution with the objective of ensuring its safety and soundness and enhancing shareholder value. The process and structure define the division of power and establish mechanisms for achieving accountability between the board of directors, management and shareholders, while protecting the interests of depositors and taking into account the effects on other stakeholders, such as creditors, employees, customers and the community.

1.4 From a banking and financial sector perspective, corporate governance involves the manner in which the business and affairs of individual institutions are governed by their boards of directors and senior management, affecting how banking institutions:

1.4.1 set corporate objectives (including generating economic returns to owners);
1.4.2 set risk management policies and procedures;
1.4.3 ensure that the day-to-day operations of the business are carried out efficiently and with integrity;
1.4.4 protect the interests of depositors and other recognised stakeholders;
1.4.5 align corporate activities and behaviour with the expectation that the banking institutions will operate in a safe and sound manner and in compliance with applicable laws and regulations;
1.4.6 implement corporate values, codes of conduct and other standards of appropriate behaviour, and the systems used to ensure compliance with the aforementioned;
1.4.7 articulate corporate strategy against which the success of the overall enterprise and the contribution of individuals are measured;
1.4.8 clearly assign responsibilities and decision-making authorities, incorporating a hierarchy of required approvals from individuals to the board of directors;
1.4.9 establish mechanisms for interaction and co-operation amongst the board of directors, senior management and the auditors;
1.4.10 implement strong internal control systems, including internal and external audit functions, risk management and compliance functions and other checks and balances, independent of business lines;
1.4.11 monitor risk exposures where conflicts of interest are likely to be particularly great, including business relationships with borrowers affiliated with the banking institution, large shareholders, senior management, or key decision makers within the institution;
1.4.12 offer financial and managerial incentives in the form of compensation, promotion and recognition to senior management, business line management and employees; and
1.4.13 implement appropriate information flows internally and to the public.

1.5 The following have significant implications on corporate governance:

1.5.1 Risk Management
Good corporate governance structures promote effective identification, measurement, monitoring and management of all material business risks. Banking institutions differ from most companies in terms of the nature and range of their business risks, and the adverse consequences that would follow if these risks are poorly managed. Banking institutions face a wide range of risks, many of them complex in nature. These risks include credit risk, market risk, compliance risk, reputational risk, settlement risk and business continuity risks. If the risks are poorly identified and managed, they expose the institutions to potential distress.

1.5.2 Regulatory Requirements
Banking institutions are required to comply with a large number of regulatory requirements, including prudential requirements and various reporting obligations. There is, therefore, a need for the corporate governance framework to include systems for ensuring that all statutory and regulatory requirements are being adhered to, and for highlighting potential or actual breaches if and when they occur.

1.5.3 High Quality Financial Disclosure
An essential complement to sound corporate governance is the implementation of robust financial disclosure requirements for corporates and banking institutions. Financial disclosure is essential as a means of strengthening the accountability of directors and senior management and enhancing the incentives for risk management. It is also essential for market participants and observers, particularly the larger creditors of banks, news media, financial analysts and rating agencies, to effectively monitor the performance and soundness of banking institutions and to exercise appropriate discipline on those institutions which do not perform well or fail to meet acceptable prudential standards.

1.5.4 Market Discipline
It is increasingly being recognised that market discipline can play an important role in promoting financial system stability and in encouraging the maintenance of sound corporate governance and risk management practices. Banks and corporates are more likely to be attentive to risk management in an environment where poor risk management and financial performance are penalised by the market, and strong risk management and financial performance are rewarded by the market. In the longer term, effective market discipline is likely to enhance financial stability and efficiency by strengthening the incentives for the efficient management of risks and by weeding out poor performers.

2 SOUND CORPORATE GOVERNANCE REQUIREMENTS

2.1 Authority and Duties of Shareholders
Shareholders of banking institutions shall jointly and severally protect, preserve and actively exercise the supreme authority of the institution in general meetings. They have a duty, jointly and severally, to exercise that supreme authority to:
2.1.1 Ensure that only competent and reliable persons who can add value to the banking institution are elected or appointed to the board of directors;
2.1.2 Ensure that the board of directors is constantly held accountable and responsible for the efficient and effective governance of the banking institution; and
2.1.3 Change the composition of a board of directors that does not perform to expectation or in accordance with the mandate of the institution.

2.2 Leadership of the Banking Institution
2.2.1 The board of directors shall exercise leadership, enterprise, integrity and shrewd judgment in directing the banking institution so as to achieve continuing viability for the banking institution, and shall always act in the best interest of the institution.
2.2.2 There shall be a clearly accepted division of responsibilities at the head of the banking institution, which will ensure a balance of power and authority such that no one individual has unfettered powers of decision.

2.3 Separation of Owners and Managers
2.3.1 In terms of section 18(3) of the Banking Act [Chapter 24:20], the chairman of the board of a banking institution shall not be an officer of the institution. Preferably, the chairperson should be an independent non-executive director. The board of directors of the banking subsidiary and its bank holding company shall be distinctly separate, with separate chairpersons.
2.3.2 No shareholder with a ten per centum (10%) or more shareholding in a banking institution or bank holding company shall form part of management of the banking institution or bank holding company.
2.3.3 No shareholder with a ten per centum (10%) or more shareholding in a banking institution shall be appointed as Chairperson or Deputy Chairperson of the board of directors of a banking institution or bank holding company.
No individual shareholder who had a significant shareholding in a failed institution and/or was involved in the running of a failed institution shall be allowed to acquire a significant shareholding or to hold a position of accountability in any banking institution.

2.4 Role and Functions of the Board
2.4.1 An important aspect of the board's functions is the identification of key risk areas and key performance indicators.
2.4.2 The board must have a Charter, which as a minimum should clearly set out:
• The adoption of strategic plans,
• Monitoring of operational performance and management,
• Determination of policy and processes to ensure effective risk management and internal control, and
• Communication policy and director selection, orientation and evaluation.
2.4.3 The board of directors of a banking institution shall comprise technically competent persons of integrity with a strong sense of professionalism, fostering and practising the highest standards of banking and finance. In this regard, it is expected that the board of directors shall fulfill the following:
2.4.3.1 Ensure that, through a managed and effective process, board appointments are made that provide a mix of proficient directors, each of whom is able to add value and bring independent judgment to bear on the decision-making process; and
2.4.3.2 Determine the institution's purpose and values, and determine the strategy to achieve its purpose and to implement its values, in order to ensure it survives and thrives.

2.4.4 Duties and Responsibilities of the Board
The major duties and responsibilities of the board of directors of a banking institution are as follows:
2.4.4.1 To ensure that there are adequate policies in place that are aimed at improving the banking institution's profit performance and ensuring fulfillment of the banking institution's strategic plans;
2.4.4.2 To ensure that the banking institution has adequate systems to identify, measure, monitor and manage key risks facing the banking institution;
2.4.4.3 Select and appoint senior executive officers who are qualified and competent to administer the affairs of the banking institution effectively and soundly;
2.4.4.4 Establish and ensure the effective functioning of Board and Management Committees in key areas;
2.4.4.5 Set up an effective internal audit department, staffed with qualified personnel to perform internal audit functions, covering the traditional function of financial audit as well as the function of management audit; and
2.4.4.6 Set up an independent Compliance Function and approve the bank's compliance policy, including a charter or other formal document. It shall be the duty of the board to ensure that the Reserve Bank is informed should the Head of Compliance leave that position, together with the reasons thereof. At least once a year, the board or a committee of the board shall review the bank's compliance policy and its ongoing implementation to assess the extent to which the bank is managing its compliance risk effectively.
2.4.4.7 Ensure that the banking institution has a beneficial influence on the economic well-being of its community. Directors have a continuing responsibility to the community to provide those banking services and facilities which will be conducive to well-balanced economic growth;
2.4.4.8 Supervise the affairs of the banking institution, and be regularly informed of the banking institution's condition and policies in ensuring that the banking institution is soundly managed. The directors of a banking institution are entrusted with the handling and investment of public funds. Consequently, the supervisory commitment required from them entails a higher degree of wisdom, prudence, good business judgment and competence than that of directors of other types of companies. They should commit sufficient time to be fully informed of the condition of the business and the direction in which they are steering the institution, and apply immediate remedial measures when the need arises. The board should meet at least once a quarter to deliberate on the performance of the banking institution and to provide policy direction and guidance for the management. Although directors may delegate certain authority to senior officers, they are ultimately accountable for the banking institution's operations. They should retain a record of the minutes of board meetings and a record of remedial actions by directors. Minutes should accurately capture the contributions of every member;
2.4.4.9 Adopt and follow sound policies and objectives which have been fully deliberated. The directors must provide clear objectives and policies within which senior executive officers are to operate. These should cover all aspects of operations, including strategic planning, credit administration and control, asset and liability management (encompassing the management of liquidity risk, interest rate risk and market risk), accounting systems and controls, service quality, automation plans, prevention of money laundering, profit planning and budgeting, adequacy of capital, and human resource development. Clear lines and limits of authority for all levels of staff should be established. The seriousness of infringing the authority limit should be emphasised to staff at all levels;
2.4.4.10 Observe banking laws, rulings and regulations. Directors must be conversant with the relevant laws, related regulations, interpretative rulings and notices, and must exercise due diligence to see that these are not violated. This duty may involve a personal financial responsibility for losses arising out of illegal actions. Directors may be penalised for any non-compliance with the provisions of the banking legislation and be removed from office if found to have acted against the interests of depositors and the banking institution;
2.4.4.11 The duty of care requires a board member, at a minimum, to participate effectively in board and committee meetings, and to communicate and work effectively with the chairman of the board and the chief executive officer;
2.4.4.12 The duty of loyalty forbids directors and officers from participating in a competing enterprise unless a majority of the disinterested board members approve. Directors and officers who have an interest in a transaction to which the banking institution is an actual or potential party are required to disclose their interest to the Board. This interest can come from:
• being the other party to the contract;
• acting as representative of the other party;
• owning stock or serving as a director or officer of the other party;
• being a financier of the other party; or
• having close relatives who are any of the above.
For such a transaction to be valid, a majority of the disinterested directors must approve the transaction, upon disclosure of all the facts and circumstances surrounding the conflict of interest. If all the facts and circumstances surrounding the conflict are not disclosed, the Board or the shareholders may have the right to void the transaction and/or seek damages in court;
2.4.4.13 The Board shall have in place a code of conduct regulating disclosures of interest in relation to its members;
2.4.4.14 Avoid self-serving practices and conflicts of interest. Once their appointments take effect, directors assume a fiduciary role and must display the utmost good faith towards the banking institution in their dealings with it or on its behalf. The Companies Act [Chapter 24:03] subjects directors to disclosure requirements for outside business interests. Directors shall observe restrictions on insider lending as provided in the Banking Act and Regulations. Further, directors are required to observe the Zimbabwe Stock Exchange rules and/or other applicable laws in dealing in shares. In particular, they must avoid making any personal profit, acquiring personal benefit or retaining any commission, bonus or gifts for performing their official function of granting approval to financing arrangements or the use of particular services.

2.5 Board Composition
2.5.1 Each banking institution shall have a minimum of five directors.
2.5.2 The board shall maintain a majority of non-executive directors such that no individual or group of individuals or interests can dominate its decision making. In this regard, each banking institution must ensure that it appoints executive directors who constitute not more than two-fifths of the total membership of the board, in terms of Section 18(2) of the Banking Act [Chapter 24:20]. Independent directors must be in the majority of the remaining three-fifths in such composition of the board. This is to ensure that the non-executive directors, who should form the majority, render the necessary independence to the board from the executive arm of the banking institution, and help mitigate any possible conflict of interest between the policy-making process and the day-to-day management of the banking institution.
2.5.3 In an increasingly complex banking environment, the presence of suitably qualified independent directors can contribute effectively towards achieving the main tasks of the board. Further, independent directors should provide the necessary checks and balances on the board of the banking institution so as to ensure that the interests of minority shareholders and the general public are given due consideration in the decision-making process. Independent directors should not be brought in as a mere formality, as this would be tantamount to deceiving the minority shareholders and the public.

2.6 Appointment of Directors and Bank Executives
2.6.1 Legal Requirements
2.6.1.1 The appointment of a chief executive officer or chief accounting officer of a banking institution requires the prior written consent of the Reserve Bank, as stated under section 20 of the Banking Act. Failure to obtain the prior written consent of the Reserve Bank constitutes an offence under the Act. In processing the applications for appointment of directors and the chief executive of a banking institution, rigorous vetting is conducted to ensure that the proposed chief executive officer or chief accounting officer is a fit and proper person.
2.6.1.2 Section 19 of the Banking Act disqualifies a person from being appointed or elected as director if he has been adjudged or otherwise declared insolvent or bankrupt and has not been rehabilitated or discharged, has made an assignment to, or arrangement or composition with, his creditors, or has been convicted of theft, fraud, forgery, uttering a forged document or perjury or any other offence, by whatever name called, or has been convicted of any offence and sentenced to a term of imprisonment exceeding six months without the option of a fine, and has not received a free pardon.

2.6.2 Roles of Senior Management
Chief Executive
2.6.2.1 The sound operation of a banking institution depends critically on its chief executive. The chief executive officer must be suitably qualified with appropriate experience and possess a proven track record in the banking industry at senior management level. He must be a person of high calibre and impeccable integrity.
2.6.2.2 The Reserve Bank will consider a candidate ineligible for the position of chief executive officer if he has been suspended for any reason while performing his duties in his previous employment, or if he has been subject to investigation and compulsorily removed from his position by the Reserve Bank for doubtful transactions or misconduct during his career.
2.6.2.3 The Reserve Bank holds the chief executive officer directly responsible for the day-to-day operations of a banking institution. He must be conversant with the operations of the banking institution, the state of internal controls, the requirements of statutes, directions, guidelines and regulations, as well as current issues and policies affecting the industry in general. He must also have the necessary knowledge and professional competence in the conduct of banking business. Given the strategic operational role of the chief executive officer, this function shall be separate from that of the chairperson.
2.6.2.4 A banking institution is required to inform the Reserve Bank of the person who will be directly responsible for the overall running of the institution when the chief executive officer is unavailable, on leave or otherwise absent. The person so nominated should be fully acquainted with the affairs of the banking institution, and should be able to act promptly, with authority, on matters affecting the banking institution. The delegation of responsibilities to several persons, with no single person as the coordinator within the institution, should be avoided.
Chief Financial Officer
2.6.2.5 The Chief Financial Officer is responsible for managing the accounting and financial activities of the company. He supervises the accounting department of the banking institution and is responsible for the receipt and disbursement of all funds, the preparation of the financial portion of any business plans or periodic reports, the preparation and filing of tax returns, the administration of contracts and the control of inventory. The Chief Financial Officer, along with the Chief Executive Officer, is generally regarded as an officer materially liable for the banking institution's operations.
Company Secretary
2.6.2.6 The company secretary, through the board, has a pivotal role to play in the corporate governance of a company. The company secretary should be an executive officer.
2.6.2.7 The board should be cognisant of the statutory duties imposed upon the company secretary and should empower the company secretary accordingly to enable him to fulfill those duties.
2.6.2.8 In addition to extensive statutory duties, the company secretary shall provide the board as a whole and directors individually with detailed guidance as to how their responsibilities should be properly discharged in the best interest of the company.
2.6.2.9 The company secretary shall be responsible for the induction and continuing training of directors, and for assisting the chairperson and the chief executive officer in determining the annual board plan and the administration of other issues of a strategic nature at the board level. Copies of the induction and continuing training programme shall be made available to the Reserve Bank on request by the inspectors.
2.6.2.10 The company secretary shall provide a central source of guidance and advice to the board, and within the company, on matters of ethics and good governance.
2.6.2.11 The company secretary shall be subjected to a fit and proper test in the same manner as is recommended for new director appointments.

2.7 Bank Holding Companies
The Reserve Bank also applies the fit and proper test to the directors and the chief executive of the bank holding company. Their appointments shall be subject to the prior written approval of the Reserve Bank. The boards of directors of the bank holding company and the banking institution shall be separate. The chairperson of the bank holding company shall not be the chairperson of the banking institution.

2.8 Practising Lawyers and Accountants
2.8.1 To enable banking institutions to tap the expertise of lawyers and accountants, practising lawyers and accountants may be appointed as directors of a banking institution, provided that they are not employed by, or partners in, an accounting firm which is engaged to conduct audit of or consultancy work for the particular banking institution. Practising lawyers and accountants who are appointed as directors of banking institutions are expected to exercise the highest degree of integrity and professionalism.
2.8.2 They must always be mindful of the need to avoid being involved, or appearing to be involved, in any self-serving practices and conflict of interest situations in the conduct of their profession while serving as directors of a banking institution.

2.9 Alternate Directors
Directors of banking institutions are discouraged from appointing alternate directors, as they should be committed personally to the board in directing the management of the institution. An alternate director, in his capacity as a proxy for a director, may not be able to contribute effectively to the deliberations of the board. However, for practical reasons, directors who are not residents of Zimbabwe may appoint alternates.

2.10 Directorship in Other Corporations
2.10.1 Interlocking directorships in the banking industry are prohibited. The Reserve Bank will only allow common directorships for banking institutions which are related corporations. This is in line with the need to avoid conflict of interest situations in the management of two or more banking institutions. Consistent with this policy, a person with more than a 5% interest in the paid-up capital of a banking institution in his personal capacity (directly or indirectly) is also not allowed to be appointed to the board of another banking institution or banking group. In line with section 19(1)(b) of the Banking Act [Chapter 24:20], no person shall be appointed, or hold office, as a director of a banking institution if he is a director of another banking institution which carries on business in Zimbabwe in competition with the other banking institution.
2.10.2 The chief executive officer or an executive director of a banking institution shall not hold any executive position in another corporation. However, for companies within the same group, and family-owned companies of the chief executive or executive director, exemption may be granted on a case-by-case basis. This is consistent with the Reserve Bank's requirement for a chief executive officer and executive director to devote his attention and commitment principally to the day-to-day operations of a banking institution. However, he may serve on the boards of other corporations in a non-executive capacity, subject to the limit specified in paragraph 2.11.2 below.

2.11 Maximum Number of Directorships
2.11.1 The director of a banking institution has a moral and professional obligation to devote his/her attention and commitment principally to the operations of the banking institution. Hence, section 19(1) of the Banking Act provides that "No person shall be appointed, or hold office, as a director of a banking institution if (a) he is a director of more than seven other companies registered in Zimbabwe".
2.11.2 However, it is recognised that a director of a banking institution is normally also required to sit on the boards of the banking institution's subsidiaries. Furthermore, he may sit on the boards of his family-owned companies, and be invited to sit on the boards of various organisations within the banking industry, non-profit social organisations or Government-controlled corporations. Hence, for purposes of computing the maximum number of directorships, the following shall apply:
i. Directorships in other companies within the same banking group, and directorships in companies held to represent the equity interest of the banking institution concerned, should be aggregated and counted as one directorship; and
ii. Directorships or Council positions in the following organisations are excluded from the computation of the limit:
• Organisations within the banking industry, such as the Bankers Association and the Zimbabwe Stock Exchange, to which an individual is nominated by the respective associations of the banking institutions;
• Professional bodies and non-profit social organisations.

2.12 Board Attendance
Every member of the board shall attend at least 75% of the board meetings of a banking institution. This is to ensure that he will discharge his duties and responsibilities effectively. At its Annual General Meeting, each banking institution is required to review the suitability of a non-executive director who has failed to comply with this 75% attendance rule without valid reason. Attendances shall be disclosed in the annual report.

2.13 Disqualification of Directors
Banking institutions must follow good corporate governance principles, which provide for the disqualification of a director or senior manager who:
(i) has been involved in the directorship or management of a failed banking institution and/or bank holding company, unless that person shows to the satisfaction of the Reserve Bank of Zimbabwe that the person was not responsible for the insolvency, liquidation, composition with creditors, bankruptcy or other arrangement with creditors or other action with similar effect in Zimbabwe or elsewhere;
(ii) was a director of an institution that has been liquidated or is under liquidation or management of the Reserve Bank;
(iii) has taken part in or been associated with any other business practices as would, or has otherwise conducted himself in such manner as to, cause doubt on his competence, integrity and soundness of judgment;
(iv) is under suspension or has been removed from office; or
(v) has been a director, chief executive officer, chief financial officer or manager of an institution that has been adjudged insolvent, entered into a composition with its creditors, gone into liquidation, been declared bankrupt or has entered into any other arrangement with creditors or taken any other action with similar effect in Zimbabwe or elsewhere, unless that person shows to the satisfaction of the Reserve Bank of Zimbabwe that the person was not responsible for the insolvency, liquidation, composition with creditors, bankruptcy or other arrangement with creditors or other action with similar effect in Zimbabwe or elsewhere.

2.14 Board Committees
(a) Board committees assist the board and its directors in discharging their duties and responsibilities; however, the board remains accountable.
(b) There should be a formal procedure for certain functions of the board to be delegated, describing the extent of such delegation, to enable the board to properly discharge its duties and responsibilities and to effectively execute its decision-making process.
(c) Board committees with formally determined terms of reference, life span, role and function constitute an important element of the process and should be established with clearly agreed upon reporting procedures and a written scope of authority.
(d) As a general principle there should be transparency and full disclosure from the board committee to the board, except where the committee has been mandated otherwise by the board.
(e) Non-executive directors must play an important role in board committees.
(f) All board committees shall be chaired by an independent non-executive director. The exception should be a board committee fulfilling an executive function.
(g) Board committees should be free to take independent outside professional advice as and when necessary.

2.14.1 Structure and Duties of the Audit Committee
2.14.1.1 The board is required to establish an Audit Committee to review the financial condition of the banking institution, its internal controls, performance and the findings of the internal auditors, and to recommend appropriate remedial action regularly, preferably at least once in three months.
2.14.1.2 The Audit Committee should consist of not less than three members, all of whom should be independent non-executive directors of the banking institution. The members should be conversant with financial and accounting matters. The Audit Committee members should elect a Chairman from among them who is an independent non-executive director. The Chairman should not be the chairperson of the Board. The Board chairperson shall not be a member of the Audit Committee at all, but could be invited to attend meetings as necessary by the chairperson of that committee. The Chief Executive Officer should not be a member of the Audit Committee, but may attend by invitation. Membership of the Audit Committee should be disclosed in the annual report. Alternate directors are not allowed to be appointed as members of the Audit Committee.
2.14.1.3 The primary responsibilities of the Audit Committee shall include the following:
(a) Ensure that the accounts are prepared in a timely and accurate manner and ensure the prompt publication of annual accounts;
(b) Review internal controls, including the scope of the internal audit programme and the internal audit findings, and recommend action to be taken by management;
(c) Review with the external auditors the scope of their audit plan, the system of internal audit reports, the assistance given by management and its staff to the auditors, and any findings and actions to be taken;
(d) Select external auditors for appointment by the board each year;
(e) Review any related party transactions that may arise within the banking institution; and
(f) Ensure that the external and internal auditors of the banking institution have free access to the Audit Committee. The auditors should be allowed to attend and be heard at any meeting of the Audit Committee. Upon the request of the auditors, the Chairman of the Audit Committee should convene a meeting to consider any matter that the auditors believe should be brought to the attention of directors or shareholders.

2.14.2 Board Credit Committee
The primary responsibilities of the Board Credit Committee shall be to:
(a) Review and oversee the overall lending policy of the banking institution;
(b) Deliberate and consider loan applications beyond the discretionary limits of the Risk Management Committee;
(c) Review lendings by the Credit Risk Management Committee;
(d) Direct the formulation of, review and monitor the credit principles and policies of the banking institution;
(e) Ensure that there are effective procedures and resources to identify and manage irregular problem credits, minimise credit loss and maximise recoveries;
(f) Direct, monitor, review and consider all issues that may materially impact on the present and future quality of the banking institution's credit risk management; and
(g) Delegate and review lending limits to the sanctioning arms of the banking institution.

The primary responsibilities of the Loans Review Committee shall be as follows:
- To assist the board with discharging its responsibility to review the quality of the banking institution's loan portfolio; and
- To review the quality of its loan portfolio with a view to achieving the objectives spelt out in paragraph 20, Part IV of the Third Schedule of the Banking Regulations (Statutory Instrument 205 of 2000).
The committee shall conduct loan reviews independent of any person or committee responsible for sanctioning credit. The responsibility of the board loans review committee falls into the following main areas, namely:
(i) To ensure the conformity of the loan portfolio and lending function to a sound lending policy which is documented, approved and adopted by the board;
(ii) To ensure that the credit policy and risk lending limits are reviewed at least on an annual basis and as and when the environment so dictates; and
(iii) To ensure that the Bank's potential and specific bad debts are adequately provided for.
ALCO shall derive the most appropriate strategy for the banking institution in terms of the mix of assets and liabilities given its expectations of the future and the potential consequences of interestrate movements, liquidity constraints, and foreign exchange exposure and capital adequacy. The committee shall ensure that all strategies conform to the banking institution's risk appetite and levels of exposure as determined by the Risk Management Committee. The responsibility to ensure quality, integrity and reliability of the banking institution's risk management shall be delegated to the Risk Management Committee. The committee shall assist the board of directors in the discharge of its duties relating to the corporate accountability and associated risks in terms of management, assurance and reporting. The committee shall review and assess the integrity of the risk control systems and ensure that the risk policies and strategies are effectively managed. The committee shall set out the nature, role, responsibility and authority of the risk management function within the banking institution and outline the scope of risk management work. The committee shall monitor external developments relating to the practice of corporate accountability and the reporting of specifically associated risk, including emerging and prospective impact. The committee shall provide independent and objective oversight and review of the information presented by management on corporate accountability and specifically associated risk, also taking account of risk concerns raised by management in the Audit Committee, Asset and Liability Committee and Executive Committee meetings on financial, business and strategic risk. The committee, in carrying out its tasks under these terms of reference, may (f) (g) 2.14.3 Loans Review Committee (a) (b) (c) (d) 2.14.4 Asset and Liability Committee (ALCO) 2.14.4.1 2.14.4.2 2.14.5 RiskManagement Committee 2.14.5.1 2.14.5.2 2.14.5.3 2.14.5.4 2.14.5.5 7
obtain such outside or other independent professional advice as it considers necessary to carry out its duties. The Executive Committee will ensure that the committee will have access to professional advice both inside and outside of the banking institution in order for it to perform its duties. The committee shall have access to any information it needs to fulfill its responsibilities. The committee is the link between the board and management and is responsible for implementation of operational plans, annual budgeting and periodic reviews of group operations, strategic plans, ALCO strategies, credit proposals review, identification and management of key risks and opportunities. The committee shall review and approve guidelines for employees' remuneration. The Executive Committee is constituted to assist the chief executive officer to manage the banking institution. The board of directors takes cognisance of authorities delegated to the chief executive officer by means of resolutions from time to time. The Executive Committee assists the chief executive officer guide and control the overall direction of the business of the banking institution and acts as a medium of communication and co-ordination between business units and the board. The Executive Committee shall also ensure that the Risk Management Committee has access to any information it requires to fulfill its responsibilities. The remuneration of directors and the chief executive shall not be out of line with the nature and size of operations of a banking institution. The directors and chief executive should not avail themselves of unreasonably bountiful remuneration, with excessive bonuses and fringe benefits relative to the profits and operations of the banking institution. Non-executive directors should not expect executive pay. As a matter of principle, the chief executive of a group should draw all his salary, including benefits, from one source, usually the parent company. 
While the chief executive of a banking institution is entitled to receive director's fees from that institution's subsidiaries, such fees should be nominal. The Board, through its nomination committee or similar board committee, shall regularly review its required mix of skills and experience and other qualities such as demographics and diversity in order to assess the effectiveness of the board. Such review shall be by means of peer and self evaluation of the board as a whole, its committees and the contribution of each and every director, including the Chairman. The evaluations shall be conducted annually and the fact that they have been done should be disclosed in the annual report. The Chairman of the board shall report to the Reserve Bank annually on the board and directors' evaluations and effectiveness. The report shall be submitted 14 days after the year end. Every listed banking institution shall have a prohibition on dealing in its shares by directors, officers and other selected employees for a designated period preceding the announcement of its financial results or in any other period considered sensitive, and have regard to the listing requirements of the Zimbabwe Stock Exchange rules and/or any other applicable rules and legislation, in respect of dealings of directors. The abovementioned practice should be determined by way of a formal policy established by the board and implemented by the company secretary or compliance officer. Every banking institution shall have a policy on insider loans, which complies with the provisions of the Banking Act and Regulations as amended from time to time. The banking institution shall make disclosures on any lending in connection with any related interest. The banking institution shall take a cautionary approach and where it is not clear whether or not a lending will be treated as "insider lending", the approach to be taken is that the lending is an insider lending. 
Every banking institution shall have a policy on intra-group exposures. Every banking institution should report at least annually on the nature and extent of its social, transformation, ethical, safety, health and environmental management policies and practices. The board must determine what is relevant for disclosure, having regard to the company's particular circumstances. Every banking institution should engage its stakeholders in determining the company's standards of ethical behaviour. It should demonstrate its commitment to organisational integrity by codifying its standards and ethics. The disclosure should include a statement as to the extent the directors believe the ethical standards and the above criteria are being met. If this is considered inadequate there should be further disclosure of how the desired end-state will be achieved. Banking institutions should deal with individuals or entities that demonstrate the same level of commitment to organisational integrity. 2.14.6 Executive Committee 2.14.6.1 2.14.6.2 2.14.6.3 2.15 Remuneration And Termination Benefits 2.15.1 2.15.2 2.16 Board and DirectorEvaluation 2.16.1 2.16.2 2.17 Policy on Dealings and Securities 2.17.1 2.17.2 2.18 Policy on insider loans and IntraGroupTransactions 2.18.1 2.18.2 2.18.3 2.18.4 2.19 Integrated Sustainability Reporting 2.20 Organisational Integrity/ Code of Ethics 2.20.1 2.20.2 2.20.3 Each banking institution should disclose in its annual report the extent of its adherence to the banking institution's code of ethics. 3 Implementation of the Guideline All boards and individual directors have a duty and responsibility to ensure that the principles set out in the Guideline are observed. 4 Effective Date This Guideline is effective from 30 September 2004. Questions relating to the Guideline should be addressed to the Division Chief, Bank Licensing, Supervision & Surveillance, Reserve Bank of Zimbabwe, Telephone 703 000 extension 11133. 
N.Mataruka Division Chief, Bank Licensing, Supervision & Surveillance 8
BANK LICENSING, SUPERVISION AND SURVEILLANCE
MINIMUM INTERNAL AUDIT STANDARDS IN BANKING INSTITUTIONS
Guideline No. 02-2004/BSD

1 Preliminary
2 Introduction
3 Purpose
4 Limitations
5 Organisation of the Internal Audit Function
6 Professional Proficiency
7 Relationship and Communication
8 Audit Governance
9 Duties and Responsibilities
10 Scope of Audit Work
11 Reporting and Documentation
12 Audit of Critical Areas of Operations
13 Effective Date

Mr. N. Mataruka
Division Chief - Bank Licensing, Supervision & Surveillance
2 Introduction
2.1 The internal audit function is an integral component of sound corporate governance and risk management practices in banks. It is part of the ongoing monitoring of controls which provides an independent assessment of the adequacy of, and compliance with, the bank's established policies and procedures. As such, the internal audit function assists the board and management of the organisation in the effective discharge of their responsibilities.
2.2 Increased competition, pressure to operate profitably or to improve performance, the introduction of new financial products and changes in information technologies have heightened operational risk. This is manifested in the numerous frauds reported to the Reserve Bank of Zimbabwe (RBZ). RBZ examinations continue to reveal weaknesses in the records, systems and controls of financial institutions. It is therefore incumbent upon management to play a more proactive and meaningful role in achieving sound and stable growth in financial institutions.
2.3 In carrying out the internal audit function, the internal auditor must take cognisance of the following characteristics that generally distinguish banks from other commercial enterprises, and which the auditor must take into account in assessing the level of inherent risk:
2.3.1 Banks have custody of large amounts of monetary items, including cash and negotiable instruments, whose physical security has to be safeguarded during transfer and while being stored. They also have custody and control of negotiable instruments and other assets that are readily transferable in electronic form. The liquidity characteristics of these items make banks vulnerable to misappropriation and fraud. Banks therefore need to establish formal operating procedures, well-defined limits for individual discretion and rigorous systems of internal control.
2.3.2 They have assets that can rapidly change in value and whose value is often difficult to determine. Consequently, a relatively small decrease in asset values may have a significant effect on capital and solvency.
2.3.3 They generally derive a significant amount of their funding from short-term deposits. Loss of confidence by depositors in a bank's solvency can quickly result in a liquidity crisis.
2.3.4 They have fiduciary duties in respect of the assets they hold that belong to other persons. This may give rise to liability for breach of trust. Banks therefore need to establish operating procedures and internal controls designed to ensure that they deal with such assets only in accordance with the terms on which the assets were transferred to the bank.
2.3.5 They engage in large volumes and a wide variety of transactions whose value may be significant. This necessarily requires complex accounting and internal control systems and widespread use of information technology (IT).
2.3.6 Transactions can often be directly initiated and completed by the customer without any intervention by the bank's employees, for example over the Internet or through automated teller machines.
2.3.7 They often assume significant commitments without any initial transfer of funds other than, in some cases, the payment of fees. These commitments may involve only memorandum accounting entries; consequently their existence may be difficult to detect.
2.3.8 They are regulated by governmental authorities whose regulatory requirements influence the accounting principles that banks follow. Non-compliance with regulatory requirements, for example capital adequacy requirements, could have implications for the bank's financial statements or the disclosures therein.
2.3.9 They deal in complex financial instruments, some of which may need to be recorded at fair value in the financial statements. There is therefore a need to establish appropriate valuation and risk management procedures. The effectiveness of these procedures depends on the appropriateness of the methodologies and mathematical models selected, access to reliable current and historical market information, and the maintenance of data integrity.
2.4 It is against this background of the centrality of the internal audit function in the risk management process in banking institutions that the Reserve Bank is issuing these Guidelines on Minimum Audit Standards for Internal Auditors of Banking Institutions.
3 Purpose
The Guidelines are issued to meet the following objectives:
3.1 To improve the quality and effectiveness of the internal audit function;
3.2 To outline the role, duties and responsibilities of internal auditors to the board of directors (board), all levels of management and the external auditors; and
3.3 To provide uniform practice on internal auditing which would serve as a benchmark for guidance and measurement of the effectiveness of the internal audit function.

4 Limitations
4.1 These Guidelines serve as a general guide for the internal auditors of financial institutions. They are not intended to provide a comprehensive discussion of all possible matters or situations of audit significance that the internal auditors may encounter in the course of auditing. The Guidelines are also not meant to be exhaustive, nor are they intended to provide the detailed audit steps required to perform the audit of every operational area of financial institutions.
4.2 The internal auditors should be guided by the authoritative pronouncements issued by the relevant professional accounting and auditing bodies.

5 Organisation of the Internal Audit Function
5.1 Overview
5.1.1 Internal auditors play an important functional role in helping to establish and maintain the best possible internal control environment at their financial institutions. An effective internal audit function is crucial to ensure a sound financial system as a whole. Important consideration has to be given to the organisation of the internal audit function in the financial institution to ensure its effectiveness.
5.1.2 Financial conglomerates, by virtue of the nature and size of their operations, may find the establishment of an internal audit department too onerous. For reasons of synergy and economies of scale, these may use the services of the group internal auditors.
5.2 Audit Committee
5.2.1 An Audit Committee shall comprise non-executive directors who shall be appointed by the board of the financial institution. The chairman of the Audit Committee shall be an independent non-executive director and shall not be the chairman of the board.
5.2.2 The role of the Audit Committee in the context of the Guideline is to provide an avenue for the internal audit department to communicate its findings effectively, and should be in line with the provisions of the Banking Act [Chapter 24:20].
5.3 Independence
The independence of internal auditors is an important prerequisite to the proper conduct of audits so as to render impartial and unbiased judgements. The organisational and reporting structure of the internal audit function shall ensure that the function is independent of the activities audited and also independent from the everyday internal control process. This means that internal audit is given an appropriate standing within the bank and carries out its assignments with objectivity and impartiality.
The internal audit department should be able to carry out its assignments on its own initiative in all departments, establishments and functions of the bank. It must be free to report its findings and appraisals and to disclose them internally.
The principle of independence entails that the head of the internal audit department has the authority to communicate directly, on his/her own initiative, with the board, the chairman of the board of directors, the board Audit Committee or the external auditors where appropriate, according to the provisions of the audit charter.
The reporting lines of the internal audit function must in all cases be clearly defined as follows:
[Diagram: Internal Audit Reporting Structure. The Internal Audit Function reports functionally to the Audit Committee and administratively to the Chief Executive Officer.]
The status of the internal audit department within a bank's overall organisational structure should be sufficient and distinct to permit the internal auditors to accomplish their audit objectives. Internal auditors should have the support of management in order to gain the co-operation of the auditees and to perform their work free from interference.
The position of the head of internal audit should be equivalent to the status of other key functional heads to enable him to deal effectively with his peers and superiors when discharging his duties and responsibilities. The appointment, remuneration, performance appraisal, transfer and dismissal of the head of internal audit should be decided by the Audit Committee.
Internal auditors shall have unrestricted access to the institution's records, assets, personnel and premises as necessary for the proper conduct of the audit. Any restriction should be promptly communicated in writing to the Audit Committee for the latter to resolve with management.
5.4 Objectivity
5.4.1 Objectivity is an independent mental attitude which enables the internal auditors to exercise judgement, express opinions and present recommendations with impartiality.
5.4.2 The internal auditors should at the least observe the following principles:
a. Avoid any conflict of interest situation arising from their professional or personal relationships in an organisation or activity which is subject to audit;
b. Have no authority or responsibility over any unit or activity that is being audited;
c. Not be assigned to audit operational areas in which they were previously involved as non-audit staff until an independent audit has been conducted during the intervening period; and
d. Act only in an advisory capacity when recommending controls on new systems or reviewing procedures prior to their implementation.
5.4.3 The internal audit function must be subject to an independent review by an independent party. This review can be carried out by an external auditor or the Audit Committee.

6 Professional Proficiency
6.1 The effectiveness of the internal audit function depends substantially on the quality, training and experience of the audit staff.
6.2 Professional competence is assessed taking into account the nature of the role and the auditors' capacity to collect information, to examine, to evaluate and to communicate. In this respect cognisance is taken of the ability of the auditor to understand the growing technical complexity of a bank's activities and the increasing diversity of tasks that need to be undertaken by the internal audit department as a result of developments in the financial sector.
6.3 The internal audit staff should be suitably qualified and be provided with the necessary training and continuing professional education for the purpose of enhancing their audit and relevant technical skills.
6.4 Resources
6.4.1 The head of internal audit, in consultation with the CEO, shall decide on the resources required for the internal audit department, taking into consideration the size and complexity of operations of the financial institution. The level of resources required should be justified and endorsed by the Audit Committee.
6.4.2 The head of internal audit must establish suitable criteria for the recruitment of internal audit staff. The effectiveness of the internal audit function may be enhanced by the use of specialist staff or consultants, particularly in highly technical areas, e.g. IT and new complex synthetic products.
6.5 Qualification, Knowledge, Experience and Skills
6.5.1 The academic background and expertise required of the head of internal audit vary depending on the size and complexity of the financial institution's operations. Commensurate with his position in the organisational hierarchy, the head of internal audit should possess relevant academic/professional qualifications and sufficient audit experience. The head of internal audit should also have in-depth knowledge of the business and organisational, technical, communication and other relevant skills.
6.5.2 Internal auditors should be proficient in applying approved auditing guidelines and accounting standards, legal and regulatory requirements, directives and guidelines issued by RBZ and other authorities, and other rules and regulations issued by the relevant associations of the banking industry.
6.6 Supervision
6.6.1 Supervision is a continuing process from planning to the conclusion of the audit assignment. The head of internal audit is responsible for the audit performed by his subordinates. The head of internal audit should ensure that the audit objectives stated in the approved audit programme have been achieved.
6.6.2 The head of internal audit should set milestones for each audit assignment (i.e. from the commencement of the assignment to the issuance of the audit report) after considering its nature and complexity.
6.7 Professional Ethics
6.7.1 Internal auditors should at all times exercise due professional care when discharging their duties and responsibilities. They should carry out their work independently, objectively, professionally and with the utmost good faith. Internal auditors should subject themselves to the highest ethical standards and avoid any conflict of interest situation.
6.7.2 Internal auditors are required to maintain strict confidentiality with regard to all information obtained in the course of their work and must not use any privileged information for personal gain. They should comply with RBZ guidelines, relevant laws and regulations and the requirements of the relevant professional bodies.
6.8 Training
6.8.1 The Audit Committee has a responsibility to ensure that the internal audit staff receive the necessary training to perform the audit work. There should be a programme of continuing education and training to enable internal auditors to keep abreast of business trends and developments as well as to upgrade and enhance their technical skills.
6.8.2 The head of internal audit should ensure that on-the-job training is provided to new recruits under the supervision of competent and experienced internal auditors. Training should be a planned and continuous process for all levels of internal audit staff. The head of internal audit, in consultation with the Audit Committee and the CEO, should determine the budget requirements for the training needs of the internal audit department.

7 Relationship and Communication
7.1 Internal auditors should have a constructive working relationship and be in constant communication with management, the external auditors and the RBZ. Regular meetings should be held with the external auditors on areas of common concern, such as audit planning, audit priorities and scope, to avoid duplication of effort.
7.2 The head of internal audit should monitor all corrective actions taken by management with regard to RBZ examination findings and report to the RBZ any instances where corrective actions have not been taken.

8 Audit Governance
8.1 The internal audit department should have an audit charter, audit plan, audit manual, audit programme and internal control questionnaires in place. Although these documents may be called by different names and differ in comprehensiveness, the underlying principle is that they serve the intended purpose.
8.2 Audit Charter
8.2.1 The internal audit function must be guided by a formal Audit Charter, which identifies:
a. the objectives, scope, purpose and independence of the internal audit function;
b. the internal audit department's position within the organisation, its powers, responsibilities and relations with other functions; and
c. the accountability of the head of the internal audit department.
8.2.2 The Charter shall be drawn up, and reviewed periodically, by the internal audit department; it must be approved by senior management and subsequently confirmed by the board of directors as part of its supervisory role.
8.2.3 The Charter shall also state the terms and conditions according to which the internal auditor may provide consulting and other advisory services.
8.2.4 The audit charter must be approved by the Audit Committee and endorsed by the board so that the internal audit function may be effectively discharged.
8.3 Audit Plan
8.3.1 The head of internal audit should develop an audit plan as a means of directing and controlling the audit work. The audit strategic plan may range from one to five years depending on the size and complexity of operations.
8.3.2 The plan shall set out the audit objectives, auditable areas, scope of coverage, frequency of audit, resources required and duration of each audit assignment.
8.3.3 The head of internal audit should assess the risks of the auditable areas before determining the audit frequency and scope of coverage. The head of internal audit shall establish the principles of the risk assessment methodology in writing and regularly update them to reflect changes to the system of internal control or work processes, and to incorporate new lines of business. As a general guide, the audit cycle for all auditable areas should be at least once a year. The head of internal audit, however, has the discretion to determine the audit cycle for auditable areas deemed not critical if the financial institution has an effective risk assessment system in place.
8.3.4 The head of internal audit should also include management audit in the audit plan.
8.3.5 The audit plan must be endorsed by the Audit Committee and approved by the board, and should be flexible enough to respond to changing priorities or needs.
8.4 Manual
8.4.1 The audit manual provides the audit department personnel with a set of audit standards for guidance and reference. It also serves as a valuable training aid for new recruits.
8.4.2 The audit manual should contain written audit policies, objectives, standard procedures and programmes. The head of internal audit should ensure that the audit manual is comprehensive enough to cover at least the major operations of the financial institution and is reviewed periodically to reflect corporate, regulatory and industry trends.
8.5 Audit Programme and Internal Control Questionnaires
8.5.1 The audit programme shall set out detailed step-by-step audit procedures for each auditable area and should be supplemented by the internal control questionnaire. Both the audit programme and the internal control questionnaire should be comprehensive and tailored to keep abreast of current developments relevant to the industry.
8.5.2 A well-designed audit programme and internal control questionnaire should provide a systematic audit approach. In addition, the internal auditors' sound judgement and analytical skills are essential in ensuring a high quality audit.

9 Duties and Responsibilities
9.1 The core function of an internal audit department is to perform an independent appraisal of the financial institution's activities as a service to management.
9.2 The internal audit function plays an important role in helping management to establish and maintain the best possible internal control environment within the financial institution. To that end, the duties and responsibilities of the internal audit function cover the following:
9.2.1 Adequacy and effectiveness of the internal control system;
9.2.2 Compliance with policies, procedures, rules, guidelines, directives, laws and regulations;
9.2.3 Detection of frauds, errors, omissions and any other irregularities;
9.2.4 Management audit;
9.2.5 Information systems audit; and
9.2.6 A participative and consultative role in the development of new products and systems.

10 Scope of Audit Work
10.1 The audit scope should entail the examination and evaluation of all functions and activities of the financial institution, including control features, operational systems and procedures, as well as assessment of the quality of management performance in discharging their duties and responsibilities.
10.2 The scope of audit work covered under this part should not be construed to be exhaustive but serves to provide the minimum scope to be covered under an audit assignment.
10.3 The head of internal audit should ensure that sufficient coverage and depth are given to each audit assignment based on the assigned risk factors. The head of internal audit, after having considered the level of risk for each auditable area, should decide whether to expand or limit the audit scope. Such a decision should be properly documented. The internal auditors should also decide on the appropriate level of audit sampling in order to achieve their audit objectives. The internal auditors should be guided by the International Auditing Guideline on Audit Sampling.
10.4 The audit scope should cover:
10.4.1 Evaluation and Appraisal of the Internal Control System: the effectiveness of the system of internal control, the reliability and integrity of MIS, the prevention or timely detection of frauds, errors, omissions and other irregularities, and the means for the safeguarding of assets.
10.4.2 Compliance with Policies, Procedures, Rules, Guidelines, Directives, Laws and Regulations: all financial institutions should ensure strict compliance with all applicable laws and regulations, guidelines, directives, reporting requirements and internal policies and operating procedures. The audit scope should cover the financial institution's compliance with:
a. The Banking Act, Banking Regulations and other applicable statutes and regulations;
b. Guidelines, directives and circulars issued by RBZ and pronouncements or rules issued by the relevant associations; and
c. Internally approved policies and operational procedures, as well as the soundness and effectiveness of the compliance function.
10.4.3 Adequacy and Effectiveness of the Risk Management System: in view of increasing competition, the complexity of operations and financial innovations, management should develop a formalised system to ensure that risk exposures are identified and adequately measured, monitored and controlled. The risk management system should be commensurate with the scope, size and complexity of the financial institution's activities and the level of risk the financial institution is prepared to assume. In assessing the overall risk management system, the auditor should review the following to ensure that:
a. Effective management supervision is practised by the board and its delegated authorities;
b. Procedures that identify and quantify the level of risk on a timely basis are in place;
c. Limits or other controls are in place to manage the risk;
d. Reports to management accurately present the nature and level of risk taken and any non-compliance with approved policies and limits;
e. Responsibilities for managing individual risks are clearly identified;
f. Procedures relating to the calculation and allocation of capital to risks are in place; and
g. A risk matrix adequately capturing the institution's risk profile is prepared and updated as necessary.
10.4.4 Effective and Efficient Use of Resources: internal auditors should play a proactive role in determining the financial institution's optimum utilisation of resources in the accomplishment of the organisation's overall objectives and goals. In evaluating the accomplishment of set goals and objectives, the internal auditors' scope should cover the entire operations or a sub-section thereof to determine whether:
a. Objectives and goals are clearly set and measurable;
b. Objectives and goals have been articulated and communicated to all staff and are being met;
c. Adequate controls are established for measuring and reporting the accomplishment of objectives and goals;
d. An effective control mechanism is implemented to monitor actual performance against budget, and any significant variances are analysed, investigated and promptly reported to management and the board;
e. Management has considered the strengths, weaknesses, opportunities and threats of the respective operation or programme;
f. The achievement of set objectives and goals is in compliance with policies, plans, procedures, laws and regulations; and
g. The underlying assumptions used by management in developing business plans and strategies are appropriate and reasonable.

11 Reporting and Documentation
Internal audit reports provide a formal means of communicating audit results and recommended actions to management and the Audit Committee. Audit reports provide an avenue for the Audit Committee to highlight significant weaknesses and management's proposed remedial measures to the board. Management's responsiveness to internal auditors' recommendations for reducing risks, strengthening internal controls and correcting errors should be the desired result of the audit reports. It is of primary importance that, should the internal auditors in the course of the audit uncover major issues or frauds that would significantly affect the financial institution's financial position or operations, they shall
Accomplishment Of Set Goals And Objectives: 11.1. 11.2. 9. DUTIES AND RESPONSIBILITIES SCOPE OF AUDIT WORK REPORTING AND DOCUMENTATION 10. 11. 14
immediately inform management to ensure prompt corrective actions are taken. A signed report should be issued after the completion of each audit assignment irrespective of the significance of the issues raised. The internal auditors should discuss the audit results and the recommendations thereof with the auditee before the financial audit report is issued. The discussion should be carried out with those individuals who are knowledgeable of detailed operations and those who can authorize the implementation of corrective actions. Management comments shall be incorporated in the financial audit report. The head of internal audit should review and approve the final audit report before it is presented to theAudit Committee. A copy of the final audit report should be forwarded to the Audit Committee, the auditee, the CEO and the bank should forward such report to the RBZ on a timely basis. Where the completion of an audit is likely to take a longer period, an interim audit report may be issued to communicate any significant issues which require management's immediate attention. The Audit Committee and the CEO should be kept informed of the issues as well as the progress of the audit. Discretion as to whether an interim audit report is warranted rests with the head of internal audit. The head of internal audit shall ensure that an audit report is of sufficient quality so as to command management's attention. In order to communicate the audit results effectively, the following standards should be adopted:- a. The audit report shall be objective, clear, concise, constructive and timely; and b. The structure of the audit report shall include the following:- • An executive summary; Management shall treat all audit findings and recommendations seriously. Management's response to the audit findings should be included in the report. The internal auditors should monitor whether appropriate actions have been taken. 
Management's plan of corrective actions and implementation time-table for completion should be developed and jointly agreed upon by management and the auditee. The status of the corrective actions should be monitored and reported to the Audit Committee and the CEO so that follow-up action can be taken to inform the appropriate levels of management on outstanding audit issues. The internal auditors shall immediately report to the Audit Committee and the CEO any significant audit findings uncovered in the course of audit. RBZ should also be promptly informed of such findings. Significant financial findings are those that would have an adverse impact on the financial performance and condition of the financial institution. Significant nonfinancial findings represent fundamental weaknesses that could lead to the collapse of the financial institution's system of internal control. The interim audit report shall incorporate preliminary summary findings, the impact or potential impact on the financial position and operations of the financial institution, and the proposed actions to be carried out by the internal auditors to investigate the matters. The internal audit reports and working papers should be treated confidentially. The internal audit reports should only be disclosed to those persons authorized by the Audit Committee. As the internal audit working papers provide evidence of audit coverage and documentation of audit trails, they should be properly filed and stored. To ensure systematic filing and control of audit reports and working papers, the following minimum procedures should be observed:- a. The format for the working papers should be standardized; b. There should be adequate referencing to identify the audit records, files and working papers created; and c. There should be a system for filing and retrieving past reports and working papers. 
As a minimum requirement, the audit working papers on the routine audit should be retained until the next audit is carried out on the same auditable area. Reports and working papers on investigation matters should be retained for at least seven years or such period until the matter is closed. All internal audit reports, however, should be retained for at least three years or until the next audit report on the same auditable area is completed. Internal auditors should focus their attention and direct their available resources to those operations or units which entail significant risks that may have an adverse impact on the operations and financial condition of the financial institution. The critical operational areas identified are Credit Operations, Treasury Operations, Derivatives, Investment in Debt and Equity Securities and, Information Systems. These critical areas of operations are not meant to be exhaustive and the internal auditors should also identify and review other operational areas deemed to be critical to the specific business undertaken by the financial institution. In reviewing the critical areas of the operations, it is vital that the audit coverage is comprehensive. The internal auditors should extend their scope if serious unsatisfactory features are uncovered in the course of the audit. Important features to consider when auditing different critical areas are highlighted below: When auditing the credit operations internal auditors shall put more emphasis on the: a. Credit strategy; b. Risk inherent in the credit operations; c. Policies and procedures; d. Security and legal documentation; e. Credit disbursement, administration, monitoring and effective recovery system; f. Accounting and financial reporting; g. Provisioning; h. Compliance with legal and regulatory requirements. The control areas to be checked include: a. Risk inherent in treasury operations; b. Adequacy of and compliance with established policies and procedures; c. 
Assets and liabilities management; d. Accounting and financial reporting; e. Compliance with legal and regulatory requirements. To carry out their audit effectively, internal auditors should be conversant and knowledgeable about the derivative products and transactions, and must be guided by comprehensive audit manuals and programmes. Internal auditors should be conversant with: a. Risk inherent in derivatives; b. Policies and procedures; c. Accounting and financial reporting; d. Legal and regulatory requirements. 11.3. Audit Report 11.3.1. 11.3.2. 11.3.3. 11.3.4. 11.3.5. 11.4. Action and Follow-Up on Audit Recommendations 11.4.1. 11.4.2. 11.5. Reporting of Significant Findings and Frauds 11.5.1. 11.5.2. 11.6. Control and Filing of Audit Reports and Working Papers 11.6.1. 11.6.2. 11.7. Retention of Audit Reports and Working Papers 11.7.1. 11.7.2. 12.1. 12.2. 12.3. 12.4. 12.4.1. Credit Operations: 12.4.2. Treasury Operations: 12.4.3. Derivatives: • Date of report and period covered by the audit; • The scope and objectives of the audit; • The significance and magnitude of the problems or issues; • The causes of the problems or issues; • Recommended solutions or preventive actions; • Auditee's comments on the issues and recommendations, and remedial measures taken or proposed to be taken to address the audit issues; • Management's achievements noted during the audit; and • Overall conclusion. 12. AUDIT OF CRITICAL AREAS OF OPERATIONS 15
12.4.4. Investment In Debt and Equity Securities 12.4.5. Information Systems a. A financial institution's investment in debt and equity securities normally involves participation in two main financial markets namely, the capital market and the money and foreign exchange market. A typical investment portfolio usually consists of public debt securities, equity securities (quoted and unquoted), equitylink securities, and private debt securities. Equity securities and private debt securities may also be acquired in the primary market or as a result of underwriting commitment. In banking institutions, equity securities are also acquired in satisfaction of debt and through debt-equity conversion. b. Investment and trading securities may account for a sizeable proportion of the financial institution's assets and hence, securities of inferior quality may have an adverse impact on the financial institution's financial condition. Hence the internal auditors should be conversant with: • Investment strategy; • Risk inherent in investment; • Policies and procedures; • Accounting and financial reporting; • Legal and regulatory requirements. a. The financial institution shall have an effective information system audit function to evaluate the internal controls of the computerized system. b. The information system auditors should review the effectiveness of information systems in supporting the business activities of the financial institution and the adequacy of controls over the information system management, systems development and programming, computer operations and security, teleprocessing and data integrity. In reviewing information systems auditors should pay particular attention to issues such as: • Computer operations procedures and physical controls; ............................................................. • Computer security e.g. 
password issuance and maintenance, follow up on access violation; • System reliability and availability; • Disaster recovery plan; • Alternative processing site. ..................... N. Mataruka Division Chief Bank Licensing, Supervision & Surveillance 13. Effective Date These guidelines are effective from 30 September 2004. Questions relating to these guidelines should be addressed to the Division Chief, Bank Licensing, Supervision & Surveillance, Reserve Bank of Zimbabwe, Telephone 703 000 Ext. 11133. 16