2003-05-24

Sample Manual on Internal Control Activities of the Bank

The Bank of Mongolia issued this sample manual to guide banks in establishing internal control systems and internal audit functions in compliance with national banking laws. The document mandates that banks establish an internal control unit to supervise operations, assess risks, ensure regulatory compliance, and maintain accurate financial reporting. It details the organizational structure, ethical standards, risk management procedures, and inspection methodologies required for effective internal auditing and accountability.

Mongolia

Bank of Mongolia

UNOFFICIAL TRANSLATION

Appendix of Decree # 623 of the Governor of the Bank of Mongolia, dated December 29, 2000

SAMPLE MANUAL ON INTERNAL CONTROL ACTIVITIES OF THE BANK

ONE. GENERAL PROVISIONS

1.1. This sample manual shall be used by a bank to present methods to determine general principles of the internal audit functions, to determine principles of the activities of the Internal Audit Unit and for improvements in its own internal control systems. The purpose of this manual shall be to help a bank to clearly determine and implement a policy regarding internal audit in line with the specifics of its activities and future prospects.

1.2. The Board of Directors of the bank, in order to evaluate and implement internal control procedures, shall establish an internal control unit.

1.3. Internal control of the bank shall implement guidelines, regulations, recommendations and directions approved by the executive management and the Board of Directors of the bank, as well as orders of the Governor of the BOM, the Banking Law of Mongolia and the Law on deposits, loans and banking transactions.

1.4. An internal control shall have the following purposes:

  1.4.1 Efficiently implement bank activities - The internal control shall supervise how the assets of the bank have been placed to ensure the effectiveness and profitability of operations.
  1.4.2 Reports, which are used by the management of the bank to make decisions, or provided to external auditors and other parties, have been prepared in a true and complete manner in line with approved accounting standards and existing regulations.
  1.4.3 To verify whether bank activities comply with existing laws, regulations and requirements set up by supervisory authorities and internal regulations of the bank.

1.5. The internal control system shall include the structure, scope, levels and directions of internal control of the bank. The internal control system consists of five interrelated parts:

  1) Management supervision and control of ethics
  2) Risk definition and assessment
  3) Distribution of duties and control over certain types of banking activities
  4) Management information system (MIS) and its communication
  5) Monitoring the activities of the internal audit unit and correcting mistakes

1.6. The internal control system of the bank shall supervise day-to-day activities of the bank, implement policies, business plans and other objectives approved by the bank, and assure that true and reliable financial statements have been made within the specified time set in compliance with existing legislation, rules and regulations.

1.7. The internal control system of the bank shall be implemented at all levels of bank management:

  1. Shareholders' meeting
  2. The Board of Directors of the bank
  3. The Executive Director of the bank
  4. Internal Audit Unit
  5. Management of departments, divisions and subsidiaries of the bank
  6. All officers of the bank

TWO. MANAGEMENT SUPERVISION AND CONTROL OF ETHICS

2.1. The Shareholders' meeting shall conduct activities to approve the charter of a bank, alteration of or amendment to the charter, changes in the structure or amount of the paid-up capital, reorganization and liquidation of the bank, election and removal of the chairman and members of the Board of Directors, determination of their powers and responsibilities, their salary or remuneration, approval of the annual budget and discussion of the financial statements, appointment of a supervisor of the bank, determination of their salary or remuneration, consideration of their statements, consideration and approval of the auditing of the financial statements.

2.2. The Board of Directors of the bank shall supervise the approval and implementation of the bank's targets and business plan, determine the bank management, organizational structure and administrative expenses, evaluate risk assessment of the Executive Director and management of departments, divisions and subsidiaries of the bank, control Executive Director activities regarding actions taken under the internal audit, and fulfillment of responsibilities of the Internal Audit Unit.

2.3. The Board of Directors of the bank shall implement the following actions with regard to the ethics concerning the Internal Audit Unit:

  1/ shall take prompt action in order to come up with its own conclusion in a case when requirements have not been met, and meet the Executive Director and other management regularly in order to ensure that the internal auditing system meets the requirements,
  2/ to control whether the Executive Director, departments and divisions are implementing decisions based upon internal and external audit inspections or results of the on-site examination conducted by the BOM,
  3/ to hold the Executive Director and internal auditor liable if due to their negligence an internal audit system has not been properly established and as a result of this negligence the bank has been or is being exposed to certain risks.

2.4. The Executive Director of the bank shall implement the strategy and policy approved by the Board of Directors to define and make the risk assessment as well as take steps to reduce it, create an organizational structure that corresponds with aspects of management and responsibility, and pay attention to the monitoring system of the bank. The Executive Director and related officers of the bank shall take the following actions to implement the internal auditing:

  1/ to ensure dual control of each transaction of the bank, to clearly define rights and responsibilities of each officer and to organize control at each level,
  2/ to organize training and re-training of the bank officers in order to strengthen the personnel of the bank, to award officers who have done a good job in terms of internal audit, to undertake disciplinary actions if an officer of the bank has neglected his/her duties and breaches of rules have taken place.

2.5. Management of the bank shall make clear the significance of internal audit to officers at all levels, support an honest way of doing business, and make the existence of internal control habitual at all levels.

2.6. Every officer and employee of the bank should know his/her own obligations within the system of the internal audit and do his/her best.

THREE. RISK DEFINITION AND ASSESSMENT

3.1. The Executive Director and related officers of the bank shall take appropriate measures in time to determine and assess risks, and the factors affecting risks such as external factors (such as fluctuating economic conditions, changes in the industry and technological advances) as well as internal factors (such as the complexity of the organization's structure, the nature of the banking activities, the level of the professional knowledge of officers) at all levels.

3.2. The Executive Director and related officers of the bank shall determine the following risks in its operation:

  1) credit risk or risk of non-payment as set out in the loan agreement and guarantee agreement
  2) interest rate risk or risk as a result of fluctuations in the level of interest rate
  3) liquidity risk or risk of non-payment
  4) price risk or risk as a result of fluctuation of a financial instrument's value or prices
  5) foreign currency risk or risk as a result of fluctuations in the exchange rate
  6) operational risk
  7) legal risk or risk as a result of breaching legal acts and norms of ethics
  8) decision risk or risk as a result of incorrect implementation or incorrect decisions being issued
  9) reputation risk of the bank or risk as a result of possibly incorrect understanding of the public about the bank
  10) market risk or risk as a result of change of demand and supply for credit service in the market
  11) auditing risk or mistake risk in auditing activities and control
  12) other risks

3.3. The Executive Director and employees of the bank will differentiate between risks on the basis of whether risks can or cannot be measured, and between risks which can be controlled and ones which cannot be controlled. They will undertake measures either to stop those immeasurable, uncontrollable risks or mitigate those risks.

3.4. The bank shall pay attention in particular to new financial transactions and market changes, and define new or previously uncontrolled risks by the system of internal control.

FOUR. DISTRIBUTION OF DUTIES AND CONTROL OVER CERTAIN TYPES OF BANKING ACTIVITIES

4.1. Constant control over banking activities will consist of management's and internal audit's control over departments and divisions, control over physical properties, control of risks and prudential ratios, and control of accounting procedures.

4.2. Controlling of the executive level is a procedure by which the responsible person and related executive level managers constantly report on their tasks, fulfilment of tasks and financial standing to the Board of Directors meeting and the Executive Director of the bank, and in turn, top level management puts questions to them and gets clarifications and explanations.

4.3. Internal auditing of departments and divisions - Department or Division level management reviews implementation of the work plan on a daily, weekly, monthly or quarterly basis. Reviews of how work plans are being implemented occur more frequently than top-level reviews and usually are more detailed.

4.4. Control over physical properties - Physical controls generally focus on restricting access to tangible assets, including cash, precious items, fixed assets and inventory. Control activities include physical limitations, dual control and periodic inventory checks.

4.5. Control of risks and prudential ratios - Shall control capital adequacy, liquidity ratios and credit concentration risks.

4.6. Commencing dual control on the accounting activity and corrective measures if those prudential ratios have been breached, reporting to the respective management every time any violation occurs.

4.7. Supervision of information activities to supervise daily statements and statements for delivery to other organizations, which are timely and reliable.

4.8. The Executive Director of the bank and management of the departments, divisions and units shall determine a detailed distribution of duties and shall organize dual control.

4.9. If two jobs are being done by one officer, then control should be enhanced:

  1/ Accountant giving permission to withdraw cash from an account and make related transactions.
  2/ Loan officer receiving related documents, compiling and submitting them to the Loan committee and, after its approval, controlling the borrower's activity.
  3/ Advertising staff, according to her/his job function, has a chance of giving unofficial information to the client.
  4/ Other activities of possible conflict of interest.

FIVE. MANAGEMENT INFORMATION SYSTEM (MIS) AND ITS COMMUNICATION

5.1. The Executive Director of the bank and related employees shall pay attention to setting up software and an internal information network program for financial, economic and other main activities, as well as a full system of foreign market information that might affect the decision making process of the management of the bank.

5.2. The information system should be organized in a way that ensures quick, reliable and timely delivery of information to related officers, and it should be easy, with certain standards.

5.3. The internal audit system requires an information system which allows checking whether all necessary information has been transmitted in a timely manner to relevant employees and whether all employees are fully aware of their own duties.

SIX. MONITORING THE ACTIVITIES OF THE INTERNAL AUDIT UNIT AND CORRECTING MISTAKES

6.1. The Shareholders' Meeting, the Board of Directors and the Executive Director of the bank shall supervise implementation of internal audit regularly according to their own obligations.

6.2. The bank's internal audit should have a staff consisting of highly professional officers outside of any external influence to control the internal auditing system. Inspection by the Internal Auditing Unit of the bank should be executed constantly, covering all units and departments and reporting its findings to the Board of Directors and Executive Director of the bank. If required, sudden inspections can be made.

6.3. Mistakes in internal control activities detected by internal auditing inspection and outside auditors will have to be reported to the Board of Directors, Executive Director and related managers in a timely manner, and related resolutions should be taken.

SEVEN. METHODOLOGY OF INSPECTION TO BE CONDUCTED BY THE INTERNAL AUDITING UNIT OF THE BANK

7.1. The Internal Auditing Unit appointed by the Board of Directors shall inspect the fulfillment of the main tasks of internal auditing activities.

7.2. The Internal Auditing Unit may use any of the following methodologies or a combination of any:

  1/ Observation - It is based on job organization, work relations among employees, work initiative, time utilization, requests and complaints of the clients.
  2/ Documentary inspection - It is an inspection of principal documents of the bank and its units, documents concerning loans, deposits and transactions, general ledger matching with related account transactions, and fulfillment of legal acts approved by the BOM and the Board of Directors meeting of the bank.
  3/ Research can be conducted on the basis of the balance sheet and reports on the financial position of the bank to draw certain conclusions or to have a plan of actions to be undertaken in future.
  4/ Questionnaire is a method of drawing certain conclusions on the basis of questions distributed to bank staff or customers.

7.3. Inspection can be complete or selective.

  1/ Selective inspection is a selective check of documents of the bank, its units, documents concerning loan, deposit, check of all documents.

7.4. Inspection type could be sudden, regular, by request and by order of the Director.

7.5. The inspection at the unit of the bank is usually a sudden inspection and the plan of inspections shall be kept secret.

7.6. Inspection could be done by auditors of the internal audit unit and other related staff of that bank, and, in some cases, staff of the BOM and other professionals may be engaged.

7.7. Supervision by the Internal Audit Unit is organized in the following ways:

  1/ cash transactions
  2/ accounting, forex statement
  3/ loans
  4/ deposit
  5/ inter branch settlement
  6/ internal and external information system, software
  7/ compliance with prudential ratios
  8/ documentation, internal job
  9/ other related matters concerning internal audit system

EIGHT. WRITING AN INSPECTION REPORT BY THE INTERNAL AUDIT UNIT

8.1. The inspection group, using this sample manual and in line with regulations approved by the Board of Directors, will write an inspection report and, if necessary, will issue an act on violation of laws and regulations, which has to be signed by the related officer who committed this violation.

8.2. The introduction and summary of inspection shall be confirmed by enclosing materials of evidence, which prove an act of violation of laws and regulations:

  1/ Balance sheet of the bank and its units, general ledger income statement, loan classification, status of loan loss provisioning, list of Other Real Estate Owned (OREO), list of accrued interest as of the day of inspection.
  2/ Complaints submitted from customers and, if certain measures have been taken in response to process those complaints, then documents verifying those measures.
  3/ General ledger, balance sheet and certain lists showing loan classification, provisioning adjustments made during an inspection.
  4/ Resolution of violations discovered during previous supervision, and material evidence which certifies that certain officers have been held responsible for their mistakes.

8.3. An act must be evidenced by facts, discovered breaches must be proven in documents and responsible officers should be named; measures should also be taken in order to fix a violation alongside immediate steps to localize losses caused by the violation. The monitoring time may only be extended, depending on the specifics of the matter, by an authorized officer.

8.4. Inspection reports shall reflect the implementation of relevant laws and regulations and a list of discovered violations with the names of the officers who committed them; the auditor shall also incorporate his/her own conclusions and recommendations.

8.5. An act should be set up in the case of discovered violations of law and regulations. In it, the articles and provisions of the law that have been violated must be cited, and the amount of damage caused to the bank or companies or individuals should be quoted. The act should include the following:

  1/ detailed report on which activity of the bank has been audited,
  2/ should indicate an article of breached law, regulation,
  3/ the consequence of the violation (amount of damage) that has been identified as well as an accountable person for the breach,
  4/ should express an opinion describing which appropriate measures should be taken

8.6. The acts for embezzlement of properties, loss of properties and supplementary documents, copy of account and report should be duly signed by the supervisor and the person responsible for this breach.

8.7. The inspection team head has the following duties:

  1/ introduce the directive of inspection to the management of the bank and related staff, require related documents for inspection from related bank employees, make notification of the directive of inspection and directions of inspection
  2/ produce job distribution for auditors, meet auditors and give recommendations, during inspection control the inspection time within the specified period

8.8. Supervisors, after the end of an inspection, should report on the bank's general activity, weaknesses, advantages, issues, recommendations and related documents to the management of the bank and the Board of Directors.

8.9. On the basis of the inspection report and proof documents verifying that a certain employee should be held responsible for discovered breaches (if not criminally punishable), an order of the Executive Director of the bank should be issued to take administrative measures punishing the responsible employee, and damage should be compensated.

8.10. Inspection materials, documents and acts should be signed by the auditor himself/herself; in addition, managers of audited units should sign. If the manager of an audited unit cannot accept the results of the audit, he/she will write an explanatory note and the note should be signed.

8.11. The Board of Directors shall discuss the results and summary of the audit and shall take measures to rectify deficiencies. Measures would provide certain actions to be implemented by the Executive Director and related employees. According to the resolution of the Board of Directors, the Executive Director may punish the person who is liable for the breach of line related laws and acts.

NINE. THE REQUIREMENTS, PRINCIPLES, RIGHTS AND OBLIGATIONS OF AN AUDITOR OF THE INTERNAL UNIT, PROHIBITED ACTIVITIES

9.1. The bank shall employ an auditor at the Internal Audit Unit who satisfies the following requirements:

  1/ to be a graduate in the field of banking, finance, accounting or economics,
  2/ to have at least two years of work in the banking and financial system,
  3/ to have technical and operational abilities to carry out internal audit functions,
  4/ be capable of making appropriate formal written and oral reports,
  5/ to be honest and be able to bear responsibility,
  6/ not to be a shareholder of a controlling package of the bank, not be a relative of the management of the bank,

9.2. The supervisor shall observe in his/her actions the following principles:

  1/ to comply with legal acts,
  2/ to execute his/her job honestly at a professional level,
  3/ not be influenced by external factors,
  4/ to respect the reputation and legal interests of the bank, its management, its officers and customers of the bank

9.3. The supervisor shall be prohibited from engaging in the following activities:

  1/ to release, distribute and transfer confidential documents and related information,
  2/ to represent a third party's interest,
  3/ to borrow from the bank or have certain service rendered by the bank at preferential terms,
  4/ to intentionally disclose the results of audit in incorrect ways,
  5/ to represent an interest of any other legal person,
  6/ to seek advantages or preferential conditions for him/herself or family members, relatives, business partners or other acquaintances,
  7/ to demand things which are beyond job distribution,
  8/ to pursue any other activities prohibited by legal acts.

9.4. A supervisor shall have the following responsibilities:

  1/ to carry out an audit honestly in accordance with legal acts and support any conclusion by documents,
  2/ be responsible for the correctness of audit results, conclusions and reports.

9.5. A supervisor shall have the following rights:

  1/ to receive documentation from related officers, if it is necessary, to offer formally written explanations,
  2/ to present own views to the Board of Directors and management of the bank on the matters regarding proof of guilty employee, copying and verifying that proof, on imposing disciplinary actions on guilty person (firing, demotion, damage compensation) or increasing remuneration, or awarding the employees who have shown good performance,
  3/ to transfer the relevant documents to the law enforcement agencies, if the breach of law is of criminal nature.

TEN. RESPONSIBILITY

10.1. The Board of Directors meeting of the bank and the Executive Director of the bank have a right to take measures against the responsible person according to laws whenever the supervisor has not fulfilled directives of inspection, the inspection was of poor quality, or the supervisor has breached supervisor's rules.

10.2. The bank will work out its own internal audit regulation on the basis of this sample regulation, and that audit regulation should be registered with the BOM and implemented. If the internal audit regulation has not been registered with the BOM or the bank was pursuing a regulation which is not in line with existing laws and regulations, the BOM will hold the bank and related officers responsible for the breach of laws and regulations.

THE BANK OF MONGOLIA