2017-06-15 | 127047

Regulation on Minimum Requirements for External Audit of Banks and Other Non-Bank Financial Credit Organizations Licensed by the National Bank of the Kyrgyz Republic

The National Bank of the Kyrgyz Republic issued this regulation to establish minimum requirements for the external audit of banks and other licensed financial credit organizations, aiming to ensure auditor independence and prevent conflicts of interest. The document mandates annual external audits conducted by independent firms registered in the state registry, strictly defining eligibility criteria, rotation limits, and independence standards for audit personnel. It further outlines specific procedures for selecting auditors, auditing banking groups on a consolidated basis, and verifying the accuracy of financial reporting and information security systems.

Kyrgyzstan

National Bank of the Kyrgyz Republic

Creation date: 2025-08-20

Appendix to the Resolution of the Board of the National Bank of the Kyrgyz Republic of June 15, 2017 No. 2017-P-12/25-2-(NPA)

REGULATION

on the minimum requirements for external audit of banks and other financial-credit organizations licensed by the National Bank of the Kyrgyz Republic

(In the edition of the Resolutions of the Board of the National Bank of the KR of April 24, 2019 No. 2019-P-12/22-4, June 28, 2019 No. 2019-P-12/34-3, August 14, 2019 No. 2019-P-12/42-1, September 9, 2019 No. 2019-P-33/47-4, November 1, 2019 No. 2019-P-33/55-3, December 14, 2022 No. 2022-P-12/78-9, December 28, 2022 No. 2022-P-12/83-7, April 29, 2023 No. 2023-P-12/29-1, January 17, 2024 No. 2024-P-12/1-3, April 12, 2024 No. 2024-P-12/17-2, October 31, 2024 No. 2024-P-12/58-1-(BS))

  1. General Provisions

  2. This Regulation on the minimum requirements for external audit of banks and other financial-credit organizations licensed by the National Bank of the Kyrgyz Republic (hereinafter - the Regulation) establishes minimum requirements (criteria) for the audit of banks and microfinance companies, including those conducting activities in accordance with Islamic principles of banking and financing or having an "Islamic window," JSC "Financial Company of Credit Unions," housing savings credit companies, and guarantee funds (hereinafter - the Bank).

(In the edition of the Resolution of the Board of the National Bank of the KR of January 17, 2024 No. 2024-P-12/1-3)

  1. The purpose of this Regulation is the effective organization of the Bank's activities in attracting the services of audit organizations, implementing accepted procedures for their selection, ensuring the preservation of the Bank's auditor's independence in providing audit services, and preventing conflicts of interest.

2-1. Audit may be mandatory and/or initiative. An initiative audit is conducted by decision of the audited entity or another audit customer, taking into account specific obligations, deadlines, and scope of the audit.

(In the edition of the Resolution of the Board of the National Bank of the KR of April 29, 2023 No. 2023-P-12/29-1)

  1. For the purposes of this Regulation, the following concepts are used:

External audit of the Bank - an independent verification of the Bank's activities for the purpose of expressing an independent opinion on the reliability of financial reporting in all material respects in accordance with international financial reporting standards and other information in accordance with the legislation of the Kyrgyz Republic.

External auditor of the Bank - an independent audit organization (including its auditors included in the audit team), formed in accordance with the requirements of the legislation of the Kyrgyz Republic.

Audit requirements include requirements that the Bank must impose on the audit organization, its staff, engaged auditors (natural and legal persons), the audit (at any stage), and the audit opinion in accordance with the legislation of the Kyrgyz Republic and this Regulation.

External information security audit - an independent comprehensive check by an external auditor of the Bank's technical regulations and requirements that ensure the security and protection of information and the banking systems themselves from unauthorized interference and other threats (risks).

Conflict of interest - a situation in which the interest of the Bank's external auditor may affect its opinion on the reliability of the Bank's financial reporting.

Independence of the Bank's external auditor - the ability of the Bank's external auditor to act independently, free from any influence on the results of its conclusions, opinions, and under conditions that exclude any external influence on the expression of opinion by the Bank's external auditor.

The terms Bank officials, affiliated persons, persons related to the Bank, subsidiary of the Bank or banking holding company, Islamic bank, bank having an "Islamic window", Islamic principles of banking and financing, Shariah Council - have meanings according to the legislation of the Kyrgyz Republic.

DDoS attack (distributed denial of service) - a targeted attack by submitting a large number of requests to stop or disrupt the operation of an information system.

Anti-fraud systems - software complexes for preventing fraudulent transactions.

SQL injection - a vulnerability that allows an attacker to use fragments of malicious code in the Structured Query Language (SQL) to manipulate the database and gain access to information.

DMZ zone - a part of the local network intended for placing network devices interacting with external networks, in particular the Internet network.

(In the edition of the Resolutions of the Board of the National Bank of the KR of June 28, 2019 No. 2019-P-12/34-3, December 28, 2022 No. 2022-P-12/83-7, April 12, 2024 No. 2024-P-12/17-2)

Note of the IC "Toktom": The number of paragraphs in paragraph 3 of this Regulation does not correspond to the number of paragraphs in paragraph 3 of the text in the state language.

  1. Requirements for External Audit of Banks

  2. The Bank's activities are subject to annual external audit verification in accordance with international audit standards recognized in the Kyrgyz Republic, as well as in the manner established by the legislation of the Kyrgyz Republic and in accordance with this Regulation.

  3. In relations carried out in accordance with Islamic principles of banking and financing, audit standards for Islamic financial institutions developed by the Accounting and Auditing Organization for Islamic Financial Institutions (AAOIFI) are applied.

  4. In order to identify and assess the risks of material misstatement due to fraud or error, the Bank's external auditor conducts consultations with the Bank's internal audit department employees to obtain information about the Bank's internal control system, as well as information about problems identified by the Bank's internal audit department. The Bank's external auditor must have access to all materials and reports of the Bank's internal audit department.

  5. The Bank develops internal regulatory documents on attracting external audit, approved by the Board of Directors of the Bank, not contradicting the requirements of the Regulation, including the definition of:

  • a list of criteria for selecting the Bank's external auditor;
  • conditions for hiring the external auditor;
  • procedure and conditions for payment of services of the audit organization for the audit of financial reporting, as well as for providing ancillary (non-audit) services to the Bank and organizations controlled by the Bank.

(In the edition of the Resolution of the Board of the National Bank of the KR of December 28, 2022 No. 2022-P-12/83-7)

  1. The selection of the audit organization is carried out by the Bank independently, in compliance with the requirements of the legislation of the Kyrgyz Republic.

  2. It is necessary to consider proposals from no fewer than three audit organizations to choose the most acceptable audit organization from the point of view of the quality of the Bank's external audit. When appointing an external auditor, the Bank's choice should be determined not only by the minimization of costs for external auditor services.

During the period of external audit, there must be an unchanged key composition of auditors carrying out the external audit of the Bank, except for changes in the key composition of auditors agreed upon between the Bank and the external auditor, which are approved by the Bank's Audit Committee.

  1. The Board of Directors of the Bank selects audit organizations and auditor candidates for submission to the general meeting of shareholders. No later than ninety working days before the day of the general meeting of shareholders, the Bank notifies the National Bank of the audit organization and auditor candidates. The National Bank has the right to reject the audit organization and auditor candidates as not meeting the established requirements for the audit of banks and notify the Bank of this no later than ten working days from the date of receipt of the notification, indicating the requirement that the audit organization or auditor candidates do not meet.

  2. The selection of the Bank's external auditor, conducting negotiations with the audit organization regarding remuneration, deadlines, conditions for conducting the Bank's external audit, and presenting the Bank's external auditor for consideration by the general meeting of shareholders of the Bank is the exclusive competence of the Board of Directors of the Bank.

When concluding a contract for the audit of financial reporting, the requirements set out in Chapter 5 of this Regulation must be included, and in the contract for the audit of information security - the requirements set out in Chapter 6 of this Regulation.

(In the edition of the Resolution of the Board of the National Bank of the KR of April 12, 2024 No. 2024-P-12/17-2)

  1. The Board of Directors of the Bank in the process of selecting the Bank's external auditor should require the audit organization to provide evidence (proofs) of the existence of conditions established in paragraph 18 of this Regulation, as well as:

a) a list of financial-credit and other organizations whose external audit was carried out by this audit organization over the past three years;

b) proposals including the planned scope of the audit, the period that will be studied during the audit, the schedule for conducting the Bank's external audit, as well as the reports that are planned to be prepared.

  1. The Bank is obliged to notify the National Bank in writing within three working days:

a) about the selection (appointment) of the Bank's external auditor or banking group after the decision of the General Meeting of Shareholders of the Bank.

This notification must indicate the presence of registration in the Unified State Register (individual registration number of the audit organization and auditor, date of registration), legal address, including telephone numbers of the audit organization, full name of the head of the audit organization;

b) about the change of the Bank's external auditor and its reasons, if the change of the Bank's external auditor occurred during the period of the Bank's external audit.

(In the edition of the Resolution of the Board of the National Bank of the KR of December 28, 2022 No. 2022-P-12/83-7)

  1. Requirements for the Bank's External Auditor

  2. Only an audit organization included in the Unified State Register of Auditors, Audit Organizations and Professional Audit Associations on the territory of the Kyrgyz Republic and meeting the requirements established by the National Bank for the audit of banks can be the external auditor of the Bank.

(In the edition of the Resolution of the Board of the National Bank of the KR of December 28, 2022 No. 2022-P-12/83-7)

  1. When conducting the external audit of the Bank, the Bank's external auditor must comply with the restrictions established by the legislation of the Kyrgyz Republic and normative legal acts of the National Bank.

  2. The Bank's external auditor must remain independent, objective, avoid situations that give reason to believe that a conflict of interest exists. The Bank's external auditor, in the presence of risks posing a threat to the independence of the audit organization and the auditor, must provide the Bank with information in written or electronic form about such risks and measures applied to reduce them.

(In the edition of the Resolution of the Board of the National Bank of the KR of December 28, 2022 No. 2022-P-12/83-7)

  1. The external auditor must be independent of the Bank, which means the ability to act independently, free from any influence on the results of the audit opinion, conclusions, and under conditions that exclude any external influence on the expression of opinion by the external auditor. The contract on the conduct of external audit must reflect a statement by the audit organization that the audit organization itself or any of its auditors, or any other employee included in the audit team, has no interest in the Bank, is independent, and is not connected by any relations with the Bank and its officials.

  2. An audit organization or auditors participating in the audit of the Bank, or engaged auditors participating in the audit of the Bank, are not considered independent of the Bank if they are or have been in the last two years:

  1. persons who directly or indirectly have a significant participation in the capital of the Bank or its affiliated persons;

  2. affiliated persons of the Bank or its affiliated persons;

  3. an audit organization or an organization belonging to the same international network, to which services were provided:

  • for restoring and maintaining accounting records;

  • related to the development of accounting methodology;

  • for preparing financial reporting;

  • internal audit;

  1. an employee of the Bank or its affiliated persons;

  2. in other cases provided for by the legislation of the Kyrgyz Republic.

(In the edition of the Resolution of the Board of the National Bank of the KR of December 14, 2022 No. 2022-P-12/78-9)

  1. The Bank must not attract an audit organization as the external auditor of the Bank if there are confirmed circumstances casting doubt on the independence of the Bank's external auditor, including if there are relations under which the audit organization, or any of its auditors, are essentially a person related to the Bank in accordance with banking legislation. The audit organization selected for the audit of the Bank or banking group must:
  • be included in the Unified State Register of Auditors, Audit Organizations and Professional Audit Associations on the territory of the Kyrgyz Republic, as well as have audit experience of no less than three years;

  • be independent of the Bank;

  • have experience in auditing commercial banks and financial-credit organizations in accordance with international audit standards and international financial reporting standards, as well as in accordance with standards approved by the Accounting and Auditing Organization for Islamic Financial Institutions;

  • have full-time or engaged auditors in a number sufficient for the quality and timely performance of the tasks set.

In the event that an audit organization belonging to an international network of audit organizations lacks experience in auditing commercial banks, such an audit organization may be attracted by the Bank for conducting the audit upon compliance with the following additional criteria:

  • has experience in assessing the value of the Bank's financial instruments and the adequacy of the creation of reserves for possible losses on financial instruments and recognition of other losses from impairment;

  • has full-time auditors whose experience and qualifications meet the requirements of paragraphs 20 and 21 of this Regulation;

  • has a centralized policy or quality control program on the scale of the entire international network of audit organizations.

(In the edition of the Resolutions of the Board of the National Bank of the KR of December 28, 2022 No. 2022-P-12/83-7, October 31, 2024 No. 2024-P-12/58-1-(BS))

  1. The head of the financial reporting audit must be included in the Unified State Register of Auditors, Audit Organizations and Professional Audit Associations on the territory of the Kyrgyz Republic, and possess:
  • qualification in accordance with the requirements of legislation on audit or international qualification;

  • three-year experience in auditing commercial banks and financial-credit organizations;

  • experience in auditing financial-credit organizations in accordance with international audit standards and international financial reporting standards;

  • knowledge in the field of banking and banking legislation of the Kyrgyz Republic;

  • knowledge of AAOIFI standards and three-year experience in auditing banks and financial-credit organizations conducting activities in accordance with Islamic principles of banking and financing - for the audit of a bank providing services in accordance with Islamic principles of banking and financing.

(In the edition of the Resolution of the Board of the National Bank of the KR of December 28, 2022 No. 2022-P-12/83-7)

  1. The head of the information security audit for conducting external information security audit must possess:
  • a qualification certificate (one of CISA, CISM, CISSP, etc.);

  • experience in auditing information systems and/or information security of financial-credit organizations.

(In the edition of the Resolution of the Board of the National Bank of the KR of April 12, 2024 No. 2024-P-12/17-2)

  1. External audit of the Bank cannot be carried out by the same audit organization for more than five consecutive years. The rotation period is determined based on five consecutive years from the date when the General Meeting of Shareholders of the Bank must make a decision on the election (appointment) of the external auditor of the Bank.

  2. At the request of a Bank included in a banking group, submitted to the National Bank, the rotation period may be increased if the legislation of the country of registration of the international holding company to which the Bank belongs provides for a rotation term for the external auditor different from that established by this Regulation.

  3. Audit of the Banking Group

  4. The Bank located at the head of the banking group, the banking holding company, or the parent company and the subsidiary of the Bank, representing the audited group, are subject to annual audit by an independent audit organization (external auditor), included in the Unified State Register of Auditors, Audit Organizations and Professional Audit Associations on the territory of the Kyrgyz Republic in accordance with the requirements of this Regulation.

(In the edition of the Resolution of the Board of the National Bank of the KR of December 28, 2022 No. 2022-P-12/83-7)

  1. The audit of the Bank or banking group is conducted on a consolidated basis and individually for each participant of the banking group. The audit of the banking group must be carried out by one audit organization.

  2. The National Bank may exclude the requirements specified in paragraph 27 at the request of the Bank and its affiliated person (affiliated persons), if the Bank and the affiliated person provide evidence and the National Bank recognizes the existence of the following circumstances:

a) the impossibility of conducting an audit for all persons of the audited group by one audit organization due to the high cost of the audit, which may lead to negative consequences for the financial condition of the Bank, or the absence of an audit organization that could complete the audit of each person of the audited group within the required time or conduct a proper audit regarding each person of the audited group;

b) the Bank or its affiliated person has taken all measures to fulfill the requirements specified in this paragraph;

c) the granting of permission by the National Bank for different audit organizations to audit different persons of the audited group will not adversely affect the results of the audit of the Bank, of any affiliated person of the Bank, or of the banking group as a whole.

  1. The National Bank cannot exclude the requirement to audit all persons included in the audited group by one audit organization until all audit organizations that are supposed to conduct the audit of various persons included in the audited group agree in writing to provide each other with access to their working documents and audit opinion related to the audit of the Bank and its affiliated persons, exchange information during the audit, and carry out interaction between them regarding the content of their audit opinions.

  2. As a result of the audit of the banking group, reports are drawn up separately for each participant of the group and a consolidated report.

In the event that the indicator of the net aggregate capital of a participant of the banking group is less than 5% of the net aggregate capital of the Bank located at the head of the banking group, separate reporting on the participant of the banking group is not required.

  1. Audit of Financial Reporting

  2. Upon completion of the financial year, the Bank is obliged to ensure the conduct of the external audit of the Bank no later than ninety days from the beginning of the new financial year.

  3. The external auditor ensures the degree of confidence of users in the reliability of financial reporting in all its material respects in accordance with the applicable bases of presentation of financial reporting (international financial reporting standards).

(In the edition of the Resolution of the Board of the National Bank of the KR of June 28, 2019 No. 2019-P-12/34-3)

  1. The external auditor needs to consider the exposure of the Bank's financial reporting to material misstatement and the use of applied financial reporting principles regarding data and circumstances related to the Bank's activities, as well as:

a) assess the identified risks and determine whether they apply to financial reporting as a whole and can potentially affect many assertions, goals, and strategies of the Bank, as well as related commercial risks that can lead to risks of material misstatement;

b) assess the selection and application of accounting policies, including the reasons for any changes. The external auditor assesses whether the Bank's accounting policy corresponds to the nature of its commercial activity and whether the selected and applied provisions of the accounting policy correspond to the applicable concept of preparation of financial reporting and are appropriate;

c) assess and analyze the financial results of the Bank's activities in order to identify and assess the risks of material misstatement due to fraud or error, at the level of financial reporting and at the level of assumptions, development and conduct of audit procedures in response to these risks.

  1. The external auditor needs to consider the compliance of the Bank's accounting and asset classification with the legislation of the Kyrgyz Republic, regulatory requirements of the National Bank, accounting policy, and Bank procedures. For these purposes, the Bank's external auditor should perform corresponding procedures within the audit conducted in accordance with international audit standards and National Bank requirements, necessary for the purpose of expressing an opinion on the compliance of the Bank's financial reporting in all material respects with the established principles of presentation of financial reporting, necessary for obtaining information regarding the following sub-items:

a) assessment of the compliance of the Bank's applied credit policy with circumstances, including the nature, size, and complexity of the Bank's activities, within the assessment of the Bank's internal control system related to financial reporting and significant for the audit, including:

  • whether the quality of credit risk management is ensured through the proper activities of the Bank's Credit Committee;

  • whether there are procedures for considering credit applications;

  • whether the collection of necessary and sufficient information about the borrower is ensured;

  • whether control (monitoring) of the timeliness of loan repayment is carried out, including by affiliated and related persons defined as such in accordance with international financial reporting standards and banking legislation;

  • whether the necessary justification for the restructuring of loans is ensured;

  • whether a list of measures taken by the Bank during the reporting period aimed at loan repayment is kept, including for loans subject to court proceedings;

b) the justification of the classification and assessment (justification of allocations to reserves to cover potential losses and losses) of the credit portfolio and other assets, as well as off-balance sheet obligations, carried out by management;

c) the assessment of the appropriateness of the applied accounting policy, as well as the justification of the estimated values calculated by management, regarding other assets - real estate acquired by the Bank as a result of foreclosure;

d) the presence of an assessment of collateral for provided loans and whether the assessment conducted by management is justified;

e) the compliance of the periodicity of procedures conducted by the Bank for confirmation of balances on loan debt accounts and "Loro" and "Nostro" accounts in accordance with the Bank's internal policies and National Bank requirements, as well as ensuring the compliance of deposit accounting with the established...
