Banco Central de S. T. P.
PROPOSER(S) D.S.B.
ENTRY INTO FORCE 03/03/2008
DATE OF ISSUE 26/11/2007
DOC NO. 11/07
P. 1/7
NAP PERMANENT APPLICATION REGULATION E0 99
Subject: Internal Control, Audit and Accounting
Whereas, in accordance with paragraph 2 of Article 40 of Law No. 9/92 of July 28, it is the responsibility of the Central Bank to establish internal control, audit and accounting standards to be adopted by commercial banks, and in accordance with Article 21 of the same law, it is the responsibility of banks to maintain bylaws regarding the internal commission and audit system;
The Board of Directors of the Central Bank of São Tomé and Príncipe determines:
Article 1.
Application
This NAP applies to all banks authorized to operate in São Tomé and Príncipe, including those licensed under Decree-Law 62/95 of October 13.
Article 2.
Internal Control System
- Banks must establish a sound internal control system with the objective of avoiding fraud or losses, maintaining a reliable set of financial and management reports, increasing prudence in bank operations, and contributing to the promotion of stability of the Financial System of São Tomé and Príncipe.
- Each bank may adopt the internal controls it deems most appropriate, but must apply the principles of this NAP to its systems, according to its nature, complexity and risks.
- The Banking Supervision Directorate, during its inspections, as well as external auditors, shall be responsible for assessing the internal controls of each bank.
Article 3.
Management Supervision and Control Culture
- The Board of Directors of each bank is responsible for:
a) Approving and periodically reviewing the bank's general policies and strategies;
b) Understanding the main risks affecting the bank, establishing acceptable limits for these risks, and ensuring that bank administrators take the necessary measures to identify, measure, monitor and control these risks;
c) Approving the bank's organizational structure;
d) Ensuring that bank administrators supervise the efficiency of the internal control system.
- The Board of Directors is the body responsible for ensuring that an adequate and effective internal control system is established and maintained by the bank.
- The Board of Directors shall conduct:
a) Periodic discussions with the bank's management regarding the effectiveness of the internal control system;
b) Periodic reviews of the assessments of internal control systems carried out by management, internal auditors and external audit;
c) Periodic work to ensure that bank administrators immediately follow up on recommendations and concerns expressed by auditors and banking supervision regarding deficiencies or weaknesses in internal controls;
d) Periodic reviews of whether the bank's strategy and risk limits are appropriate.
- The Audit Committee may assist the Board of Directors in fulfilling these responsibilities; however, the latter cannot delegate its responsibilities to others.
- The bank's Management is responsible for:
a) Executing the policies and strategies approved by the Board of Directors;
b) Developing procedures to identify, measure, supervise and control the risks incurred by the bank;
c) Maintaining an organizational structure that clearly assigns responsibilities, authorities and reporting lines;
d) Ensuring that delegated responsibilities are clearly assumed;
e) Establishing an appropriate internal control policy;
f) Supervising the adequacy and effectiveness of the internal control system.
- The Board of Directors and the bank's Management are responsible for promoting a high standard of ethics and integrity, and establishing a culture within the bank's organization that emphasizes and demonstrates to all hierarchical levels the importance of internal controls, with responsibility for informing all staff about their functions in the internal control process and their responsibilities for such controls.
Article 4.
Risk Identification and Assessment
- All material risks that may adversely affect the achievement of the bank's objectives must be identified and continuously assessed, including credit risk, country and transfer risk, market risk, interest rate risk, liquidity risk, operational risk, legal risk and reputational risk.
- Internal controls must be reviewed whenever necessary to appropriately control new or uncontrolled material risks.
Article 5.
Control Activities and Segregation of Functions
- Internal control activities must be an integral part of the bank's daily operations, and an appropriate internal control structure must be established containing defined control functions in each area of the bank's activity.
- The control structure must cover:
a) High-level control. — To keep the Board of Directors and Management in a position to evaluate the bank's progress towards established objectives, an adequate management information system must exist;
b) Appropriate control activities in each unit and subunit. — Administrators responsible for the bank's units and subunits must receive performance standards and execution reports frequently, to allow functional performance analysis;
c) Physical controls. — Access to tangible or corporeal assets, including cash and securities, must be controlled by physical limitation, dual custody, and periodic inventories;
d) Monitoring of limits and excesses. — The bank must establish prudent risk limits, which should be in accordance with the standards issued by the Central Bank, ensure compliance with these limits and adopt procedures for rectifying any excesses;
e) Approval and authorization system. — A system for the approval and authorization of bank operations that exceed a certain limit must be established, to ensure that an administrator at the appropriate level is aware of the operation or situation and to guarantee accountability;
f) Verification and reconciliation system. — The verification of the details of operations and activities and periodic reconciliation must be carried out on a regular basis.
- An appropriate system of segregation of functions must exist in all operational areas of the bank, and conflicting responsibilities should not be assigned to the same employee.
- Areas of potential conflict of interest must be identified, minimized and subject to independent and careful monitoring.
- The responsibilities and functions of employees in key positions must be periodically reviewed to ensure that they are not in a position to conceal inappropriate actions.
Article 6.
Information and Communication
- The bank must develop an adequate and comprehensive internal information system, with financial, operational and limit compliance data, as well as market information on events and conditions relevant to the decision-making process.
- Information must be obtained in a reliable, timely and accessible manner, and provided in a consistent format.
- The bank's information system, covering all relevant activities and including the electronic system, must be reliable, secure, independently audited and have an adequate contingency plan.
- Control over the information and technology system must be general, ensuring the continuous and adequate functioning of computers, and include procedures to maintain backup copies and data recovery, development and application acquisition policies, and access control to the area and systems.
- Control applications involve the processing of commercial operations and activities and include controls for verifying information and system access.
- The contingency plan covers the risk of loss or interruption of bank services related to the IT system and must include both the use of other equipment maintained at a different location and the recovery of critical systems with support from an external service provider.
Article 7.
Monitoring Activities and Correction of Deficiencies
- The effectiveness of a bank's internal controls must be monitored continuously, forming part of the bank's daily activities and periodic business evaluations, as well as interim audits.
- The bank must maintain an effective and comprehensive internal audit system of the control system, to be carried out by competent, operationally independent and adequately trained personnel.
- The internal audit function, as part of the monitoring system for internal controls, must report directly to the Board of Directors, or its Audit Committee, and the bank's Management.
- The internal audit function must be independent of the bank's daily operations and have access to all activities conducted by the bank, including branch, subsidiary and agency operations.
- The frequency and depth of internal audit examinations and tests of internal controls within a bank must be consistent with the nature, complexity and risk of that bank's activities.
- Internal control deficiencies, whether identified by management, interim audit or another control body, must be reported promptly to the appropriate hierarchical level of administration and corrective measures must be promptly adopted.
- Internal control deficiencies considered material or relevant must be reported to the Board of Directors and the bank's Management.
Article 8.
External Audit Standards
- Commercial Banks are required to have their accounts audited annually by external and independent auditors.
- The selected Company or Auditor must be communicated in advance to the Central Bank, which, for justified reasons, may refuse it within a maximum period of 5 days. If, upon expiry of this period, the Central Bank has raised no objection, the selection is automatically deemed accepted.
- No Company may audit the accounts of the same Institution for more than three consecutive years.
- Commercial Banks must submit to the Central Bank — Banking Supervision Directorate (D.S.B.) — within 90 days after the close of the financial year, a complete and detailed report of the work carried out, indicating, at minimum, the accounts examined, procedures and tests performed, outstanding items found, methods of rectification and recommendations presented, internal control deficiencies detected, compliance with the Commercial Banks' Chart of Accounts and adherence to International Accounting Principles, as well as the institution's net equity position and any reservations.
Article 9.
Basic Accounting Standards
- Commercial banks must maintain their accounting in accordance with international accounting standards and the provisions of the Central Bank.
- Monthly accounting of revenues and costs is mandatory, covering amortizations and all necessary provisions, including for income tax.
- Foreign currency amounts must be adjusted daily or monthly, in the latter case with prior authorization from the Central Bank, using for this purpose the purchase exchange rate published by the Central Bank.
- In the absence of a quotation for a given currency, international arbitrage rates issued by the European Central Bank should be used.
- Daily foreign exchange revaluations must form part of the income accounts, affecting gains or losses, as appropriate.
- Banks are permitted to establish a provision for the foreign exchange devaluation of capital actually paid in foreign currency, whose amount may be used only for capital increases, and which will be limited, each year, to the percentage of devaluation of the domestic currency relative to foreign currency occurring in the period.
- The Chart of Accounts for Financial Institutions provides for other complementary standards.
- Banks must communicate to the Central Bank the name of the administrator responsible for the accounting area and the provision of information.
Article 10.
Sanctions
Non-compliance with the provisions contained in this regulation shall be subject to punishment, under the terms of NAP No. 01/2007 on Supervisory Action and Application of Penalties, published on 03/01/07.
Article 11.
Effectiveness
This Permanent Application Regulation enters into force upon its publication.
Central Bank of São Tomé and Príncipe, March 3, 2008
Reviewed / Revocation Data: