BANK OF THE REPUBLIC OF BURUNDI

THE MANAGEMENT

---

Circular No. 12/M/18 on Internal Control Applicable to Microfinance Institutions, Umbrella Structures and Financial Bodies issued pursuant to Regulation No. 001/2018 on Microfinance Activities

---

Article 1: Object and Scope

This circular aims to specify the conditions under which the internal control system of a microfinance institution, Umbrella Structures and Financial Bodies must be organized.

Community Financial Groups implement an internal control system in their organization to ensure the sustainability of their activities.

Article 2: Definitions

For the purposes of this circular, the following terms are understood as:

Internal Audit, a body, function or entity whose mission is to permanently ensure that the internal control system is effective and, if not, to quickly detect weaknesses to assist the body responsible for daily management in implementing appropriate solutions.

Audit Charter, a document describing the objectives assigned to internal audit and approved by the executive body and the Audit Committee. The content of said document must be understood by all members of the institution. The audit charter must provide at least the following points:

• the objectives of internal audit;
• its scope of competence;
• the position of internal audit within the organization;
• the responsibilities and powers of internal audit.

Audit Committee, a committee originating from the Board of Directors, established to assist it in exercising its missions, particularly the evaluation of internal control quality and the assessment of the consistency of risk identification, measurement, monitoring and management systems. Its role can in no case substitute that of the Internal Audit Service.

Supervisory Board, a statutory body responsible for controlling the management and regularity of operations of savings and credit cooperatives. It also ensures the evaluation of internal control quality and the assessment of the consistency of risk identification, measurement, monitoring and management systems.

Audit Trail, represents each step in the life of a file, from submission to archiving. It structures all management, certification and control acts related to files.

Audit Plan, defines the nature, scope as well as the priority and timing of an audit mission based on mapped risks in order to define priorities consistent with the institution's objectives.

Annual Audit Plan, the set of audit missions scheduled during a fiscal year.

Multi-year Audit Plan, the set of audit missions scheduled over several fiscal years.

Business Continuity Plan, a written and detailed action plan describing, in the event of major operational disruption, including external shocks, the procedures and systems necessary to maintain or restore within a predetermined timeframe the essential activities and functions of the institution.

Internal Control System, the set of human and technical means, such as organization, procedures and systems, aimed at ensuring:

• the security of operations, assets and personnel;
• the effectiveness and quality of services;
• compliance with legal and regulatory provisions, professional and ethical standards and practices;
• the promotion of a control and ethics culture;
• the production and dissemination of reliable, quality information available in a timely manner;
• compliance with objectives, rules and limits set by the body responsible for daily management;
• the management of significant risks.

---

Article 3: Obligations to Establish an Internal Control System

Every microfinance institution, Umbrella Structure and Financial Body is required to equip itself with an effective internal control system covering aspects related to its organization and functioning, enabling it to assess:

• its financial policies and practices;
• the quality and reliability of its accounting;
• the effectiveness of its internal control;
• the compliance of its operations with legislative and regulatory texts, its statutes as well as professional and ethical standards and practices, as well as with the management guidelines and standards formulated by its Board of Directors;
• the quality, completeness and reliability of information, whether intended for the Central Bank, the Board of Directors, management officials or its General Assembly;
• the conditions for evaluation, registration, retention and availability of this information.

The internal control system must be adapted to the nature, volume of activities and size of the institution, as well as to the various types of risks to which the institution is exposed.

Article 4: Bodies Responsible for Establishing the Internal Control System and Their Roles

The internal control system is designed by Management and approved by the Board of Directors, whose roles are set out in Articles 5 and 6.

Article 5: Role of Management

Management is responsible for:

• establishing the appropriate organizational structure and providing the necessary human and material resources to implement the internal control system;
• identifying all sources of internal and external risks;
• defining risk management procedures and having them approved by the Board of Directors;
• defining adequate internal control procedures and those ensuring the separation of duties and preventing conflicts of interest;
• conducting permanent monitoring and evaluation of the proper functioning of internal control and taking necessary measures to promptly remedy any identified deficiencies or shortcomings;
• periodically reviewing procedure manuals to adapt their provisions to legal and regulatory requirements as well as to the evolution of the institution's activity, economic and financial environment, and analysis techniques.

Article 6: Role of the Board of Directors

The Board of Directors is responsible for:

• defining the institution's strategic directions and approving internal control procedures initiated by Management;
• defining adapted risk management strategies;
• clearly delineating the responsibilities of Management and defining delegation of authority procedures;
• ensuring the establishment and monitoring by Management of the internal control system;
• reviewing the activity and results of internal control based on information transmitted for this purpose by Management, the Audit Committee and, where applicable, the Internal Audit Service;
• executing recommendations issued by the General Assembly;
• regularly evaluating the crisis scenario program and ensuring that said program takes into account significant risk sources.

Article 7: Levels of Internal Control

The internal control system consists of three levels:

• the first level (operational) control is performed by the operational staff themselves, team supervisors and hierarchical managers within their daily activities and must be implemented as various tasks are processed;

• the second level (permanent) control is performed by dedicated teams for compliance, internal control, etc., who do not exercise operational functions. It must ensure the proper execution of first-level controls and compliance with procedures. Teams dedicated to this control may be centralized and/or located at the activity or business level. The permanent control function requires strict independence between the initiator of an operation and its validator;

• the third level (periodic) control aims to ensure the proper functioning of the control framework, in order to inform effective Management, the Audit Committee and the Supervisory Board, as applicable. It is performed by independent staff intervening on documents or on-site within the framework of periodic audits. Control at this level is performed by internal audit, and, upon request of the competent body, by an external firm or by the Regulatory Authority. The periodic control function must be placed in a situation of independence from all entities and services it controls.

Article 8: Levels of Authority, Responsibility and Areas of Intervention

The levels of authority and responsibility as well as the areas of intervention of different operational units must be clearly specified and delineated.

Strict separation must be established between units responsible, on the one hand, for initiating, executing, validating and accounting for operations, and, on the other hand, for their control.

Internal controls must be tested by an independent internal auditor holding the rank of second-in-command of the institution and duly qualified, who reports directly to the Board of Directors or the Supervisory Board depending on the institution's category.

Article 9: Obligation to Have Permanent and Periodic Control Officers

Microfinance institutions, Umbrella Structures and Financial Bodies must have sufficient and competent officers to conduct permanent and periodic controls on documents and on-site.

Article 10: Promoting a Control Culture

The Board of Directors and Management ensure the promotion, within their institution, of a strong control culture that particularly emphasizes the necessity for each Officer to perform their tasks in compliance with applicable legal and regulatory provisions, as well as internal directives and procedures.

To this end, they adopt a training and information policy that highlights the institution's objectives and explains the means of achieving them.

Article 11: Preparation and Updating of Procedure Manuals

Every microfinance institution, Umbrella Structure and Financial Body prepares and maintains up-to-date a procedure manual related to its various daily activities. This document must in particular describe the methods for recording, processing and reporting information, accounting schemes and procedures for committing operations.

It establishes, under the same conditions, documentation specifying the means intended to ensure the proper functioning of internal control, including:

• different levels of responsibility;

• assigned duties and resources allocated to the functioning of internal control;

• procedures related to information and communication system security;

• a description of risk measurement systems.

The documentation is organized so that it can be made available to its requester, the Board of Directors, Management, the Statutory Auditor or external Auditor and the Central Bank.

Article 12: Control of Daily Operations by Operational Units

The methods for executing operations performed daily by operational units must include appropriate permanent control procedures to ensure the regularity, reliability and security of these operations as well as compliance with other diligence related to monitoring associated risks.

Article 13: Audit Trails

The methods for accounting recording of operations must provide a set of procedures, called audit trails, which allow:

• reconstructing operations in chronological order;
• justifying any information with an original document from which it must be possible to trace uninterrupted back to the summary document and vice versa;
• explaining the evolution of balances, from one closing to another, by retaining movements affecting accounting items.

Article 14: Establishment of an Internal Audit Department

Microfinance institutions that have reached at least a total of 500 million BIF in terms of deposits and/or credits over a fiscal year are required to equip themselves with an Internal Audit Department and an audit charter.

The Internal Audit Department reports to the Supervisory Board for third-category microfinance institutions and to the Audit Committee for first-category institutions, Umbrella Structures and Financial Bodies.

The Internal Audit Department establishes an annual internal control forecast program to be communicated to the Central Bank before the end of November each year, for the following fiscal year.

Article 15: Profile of the Head of Internal Audit

The Head of the Internal Audit Department must hold a minimum university degree (bachelor's/licence) in economics, management, law and have at least three (03) years of professional experience related to banking, finance, financial or accounting audit.

Article 16: Duties of the Audit Committee

The Audit Committee is responsible in particular for:

• supervising and controlling the internal audit function;
• approving the Audit Charter as well as the annual audit plan;
• examining audit reports prepared by internal audit;
• verifying the reliability and accuracy of financial information intended for the Board of Directors and third parties;
• assessing the adequacy of human and material resources allocated to the audit function;
• ensuring that internal controllers and auditors possess necessary competencies and proposing, where appropriate, measures to be taken at this level;
• providing an assessment of the quality of the internal control system, particularly the consistency of risk identification, measurement, monitoring and management mechanisms, and proposing, where applicable, complementary actions in this regard;
• defining the risk map and specifying the areas that the internal control system and Statutory Auditors must cover;
• evaluating the relevance of corrective measures taken or proposed to address deficiencies or shortcomings identified in the internal control system;
• taking note of and ensuring follow-up on activity reports and recommendations from the internal control function, internal audit reports, Statutory Auditors and Supervisory Authority as well as corrective measures taken.

The duties mentioned above also concern the Supervisory Board for Savings and Credit Cooperatives.

Article 17: Frequency of Audit Committee Meetings

The Audit Committee or Supervisory Board holds its ordinary meetings at least four times a year, i.e., once per quarter. However, if necessary, extraordinary meetings may be convened by its President or Vice-President.

The Audit Committee or Supervisory Board may associate other individuals with its work, particularly the Head of Internal Audit or Control Department, Statutory Auditors as well as individuals possessing expertise to enlighten their work.

Article 18: Establishment of a Risk Management System

Microfinance institutions, Umbrella Structures and Financial Bodies are required to implement risk management systems enabling them to identify, analyze, measure, monitor and manage the risks to which their financial intermediation activity exposes them.

These systems must be adapted to the nature, volume and degree of complexity of the institution's activities and operations and adjusted regularly according to their risk profile and market evolution.

The management of each risk includes the following steps:

• Identification: all products and services offered by microfinance institutions involve several risks, including credit risk, interest rate risk, liquidity risk and operational risk. Risk identification must be a continuous process and the risk must be understood at both the transaction and portfolio levels.

• Analysis and Measurement: once risks associated with a particular activity have been identified, the next step is to measure the importance of each risk. Each risk must be considered in terms of its three dimensions: size, duration and probability of adverse events. Precise and timely risk measurement is essential for effective risk management systems.

• Risk Monitoring: institutions must implement an Information and Management System (IMS) that identifies and measures risks at the commencement of operations and activities. It is equally important for Management to establish an IMS to monitor significant changes in risk profiles.

• Risk Control: in addition to risk monitoring, microfinance institutions must implement adequate control and audit procedures. To this end, they ensure an appropriate internal control system relative to the risk profile and monitor the effectiveness of internal and external audit.

Microfinance institutions, Umbrella Structures and Financial Bodies are required to adopt, within their risk management framework, appropriate provisions in case of emergency, addressing risks likely to materialize as well as measures to be taken during periods of stress, including situations that would seriously threaten their viability.

Article 19: Business Continuity Plan

Microfinance institutions, Umbrella Structures and Financial Bodies must equip themselves with a Business Continuity Plan, approved by the Board of Directors, regularly tested and updated by Management.

This Business Continuity Plan must specify the requirements to plan, deploy, implement, operate, monitor, review, maintain and continuously improve a documented management system to reduce the probability of occurrence of a disastrous event, prepare for it, intervene and recover following disruptive incidents of any kind.

These systems must be adapted to the nature, volume and degree of complexity of the institution's activities and operations and adjusted regularly according to their risk profile and market evolution.

A copy of this plan must be transmitted to the Bank of the Republic of Burundi.

Article 20: Annual Report on the Internal Control System

Microfinance institutions, Umbrella Structures and Financial Bodies transmit, by March 31 of each year at the latest, the annual report on internal control activities including:

• an inventory of completed investigations highlighting main information and, in particular, major identified deficiencies as well as a follow-up on corrective measures;
• a description of significant modifications made in the field of internal control during the reviewed period;
• a description of test results performed on the Business Continuity Plan and its updating;
• a description of application conditions for procedures implemented for new activities;
• the presentation of the program for main projected actions in the field of internal control.

They also transmit within the same timeframe the minutes of the Board of Directors meeting that ruled on said report.

This report must be available for consultation, in particular by the Statutory Auditor and external Auditor, where applicable.

Article 21: Entry into Force

This circular replaces Circular No. 02/M/10 on internal control dated May 4, 2010 and enters into force on the day of its publication in the Official Gazette of Burundi and on the website of the Bank of the Republic of Burundi.

Done in Bujumbura, on August 20, 2018

BANK OF THE REPUBLIC OF BURUNDI

Annonciata SENDAZIRASA
2nd Vice-Governor.

Melchior WAGARA
1st Vice-Governor.