2012-06-22 | 112194

Methodological Recommendations on the Organization of Internal Control and Internal Audit in Non-Bank Financial-Credit Organizations Licensed and Regulated by the National Bank of the Kyrgyz Republic

The Supervision Committee of the National Bank of the Kyrgyz Republic issued these Methodological Recommendations to establish standardized internal control and internal audit frameworks for non-bank financial-credit organizations (NFKOs) licensed under its jurisdiction. The document mandates that NFKOs implement a comprehensive control environment, risk assessment procedures, segregation of duties, and continuous monitoring mechanisms to ensure operational efficiency, regulatory compliance, and robust risk management. Furthermore, it requires the establishment of independent internal audit functions to objectively evaluate control adequacy, while explicitly accommodating financial institutions operating under Islamic banking principles and adhering to AAOIFI standards.

Kyrgyzstan

National Bank of the Kyrgyz Republic

Date created: 2023-01-20

Approved by the Resolution of the Supervision Committee of Non-Bank Financial-Credit Organizations of the Kyrgyz Republic dated October 28, 2004 No. 24/1

METHODOLOGICAL RECOMMENDATIONS on the organization of the internal control and internal audit systems in non-bank financial-credit organizations licensed and regulated by the National Bank of the Kyrgyz Republic

(In the edition of resolutions of the Supervision Committee of the NB KR dated June 22, 2012 No. 28/7, December 24, 2012 No. 53/2, August 24, 2017 No. 31/1, December 30, 2022 No. 43/2)

These Methodological Recommendations on the organization of the internal control and internal audit systems in non-bank financial-credit organizations (hereinafter – NFKOs) licensed and regulated by the National Bank of the Kyrgyz Republic (hereinafter – Recommendations) have been developed in accordance with the Constitutional Law of the Kyrgyz Republic "On the National Bank of the Kyrgyz Republic" and the Law of the Kyrgyz Republic "On Microfinance Organizations in the Kyrgyz Republic", and contain recommendations on organizing the internal control and internal audit systems in NFKOs, including those conducting operations in accordance with Islamic principles of banking and financing (taking into account the special terminology provided by banking legislation).

(In the edition of the Resolution of the NB KR Committee dated August 24, 2017 No. 31/1, December 30, 2022 No. 43/2)

Section I General Provisions

1.1. Definitions used.

  • The internal control system of an NFKO represents a complex (system) of interrelated control measures at all management levels and operational areas of the NFKO to ensure the achievement of objectives and the organization of safe NFKO operations.
  • Internal control is a continuous process conducted by an NFKO to ensure orderly and effective operations in compliance with the legislation of the Kyrgyz Republic and internal documents of the NFKO.
  • Internal audit is an activity (an independent expert function) for checking and assessing the adequacy and effectiveness of the NFKO's internal control system, carried out by an independent internal audit service/auditor established to conduct internal audits and assist the NFKO's governing bodies in ensuring effective and safe operations, based on objective assessment and recommendations for improving the NFKO's internal control system.
  • Conflict of interest is a situation where a contradiction arises between the personal interests of NFKO officials and/or employees and the proper performance of their official powers or property and other interests of the NFKO and/or its employees and/or clients, which may lead to adverse consequences for the NFKO and/or its clients. (In the edition of the Resolution of the NB KR Committee dated August 24, 2017 No. 31/1)

1.2. The main tasks of NFKO internal control are to ensure:

  • the effectiveness and efficiency of NFKO operations, asset and liability management efficiency, asset preservation, and effective risk management;
  • the accuracy, completeness, objectivity, and timeliness of preparing and presenting financial, regulatory, and other reports for internal and external users;
  • compliance with the legislation of the Kyrgyz Republic and internal regulatory documents of NFKOs;
  • prevention of NFKO involvement in unlawful activities, including fraud, errors, inaccuracies, deception, money laundering, and terrorism financing. (In the edition of the Resolution of the NB KR Committee dated August 24, 2017 No. 31/1)

1.3. (Expired in accordance with the Resolution of the NB KR Committee dated August 24, 2017 No. 31/1)

Section II Recommendations for the Organization of the Internal Control System of NFKOs

2.1. The internal control system of an NFKO must enable the NFKO to continuously identify and assess risks that may adversely affect the achievement of its operational objectives. The internal control system of an NFKO must include the following components:

  1. an appropriate organizational structure of the NFKO, providing for competence, separation of powers and responsibilities of governing bodies, structural subdivisions, and officials of the NFKO, as well as a remuneration system within the NFKO. All employees of the NFKO are involved in internal control. Each employee must have a defined scope of powers and responsibilities for carrying out internal control in their activities. For an effective internal control system of the NFKO, staff competence is a necessary condition. Incompetent employees cannot ensure qualified execution of NFKO procedures. The internal control system is effective if no single employee can commit a significant error or unauthorized action without it being detected in a timely manner.
  2. an appropriate internal information system and management reporting system, enabling timely decision-making and ensuring information security;
  3. continuous monitoring of risks, the risk management system, and risk assessment;
  4. appropriate internal control procedures;
  5. periodic self-assessment of the internal control system to identify deficiencies and improve it. (In the edition of the Resolution of the NB KR Committee dated August 24, 2017 No. 31/1)

2.2. The internal control system of an NFKO is built on the organization and mutual linkage of the following components:

  • control environment;
  • risk identification and assessment;
  • control measures;
  • information collection, analysis, and reporting;
  • monitoring of the NFKO's internal control system.

2.3. The control environment is formed by the Board of Directors/Founders (hereinafter – Board of Directors of the NFKO) and the Management Board/Executive Body, General Director (hereinafter – Management Board of the NFKO) based on high moral values, honesty, adherence to ethical principles, professional ethics, and corporate governance standards, as well as the management style and methods of Board of Directors and Management Board members, which collectively with their legally established duties and responsibilities must ensure adequate oversight by the NFKO's governing bodies. (In the edition of the Resolution of the NB KR Committee dated August 24, 2017 No. 31/1)

2.3.1. The Board of Directors is responsible for establishing and maintaining an adequate and effective internal control system, as well as monitoring the effectiveness of the internal control system by the Management Board. The Board of Directors is also responsible for (1) approving the NFKO's development strategy and periodically assessing its implementation; (2) establishing acceptable risk levels for the NFKO(1); (3) periodically ensuring that the Management Board takes necessary and sufficient actions to identify, measure, monitor, and control risks; (4) approving business continuity plans for the NFKO in case of emergencies; (5) approving the organizational structure of the NFKO; (6) timely consideration of Audit Committee recommendations on the functioning of the NFKO's internal control system; (proposal 7 expired in accordance with the Resolution of the NB KR Committee dated August 24, 2017 No. 31/1). (In the edition of resolutions of the Supervision Committee of the NB KR dated June 22, 2012 No. 28/7, August 24, 2017 No. 31/1)

2.3.2. (Expired in accordance with the Resolution of the NB KR Committee dated August 24, 2017 No. 31/1)

2.3.3. The Management Board of the NFKO is responsible for (1) implementing strategies and policies approved by the Board of Directors; (2) identifying, measuring, monitoring, and controlling compliance with established risk levels for the NFKO; (3) identifying new risks in existing and new NFKO operations and timely informing the Board of Directors; (4) maintaining an approved organizational structure defining responsibilities, delegation justification, employee powers, and reporting levels within the NFKO; (5) monitoring the adequacy and effectiveness of the NFKO's internal control system.

2.3.4. NFKO Management (Board of Directors and Management Board):

  • establishes and maintains high ethical standards in NFKO operations, emphasizing the importance of internal control to all personnel levels;
  • takes necessary measures for diligent performance by all NFKO employees of their duties;
  • develops a staff motivation system aimed at encouraging the identification and resolution of issues in the NFKO's internal control system;
  • avoids decisions and practical steps that may encourage employees to pursue short-term goals while ignoring long-term risks and committing inappropriate actions;
  • ensures conditions for NFKO employees to know and follow their functional duties.

2.3.5. An adequate control environment is established for all structural subdivisions, branches, and subsidiaries of the NFKO.

2.4. All risks inherent to NFKO operations must be assessed, and adequate oversight of the NFKO's risk management system functioning must be ensured.

2.4.1. The Board of Directors is responsible for (1) defining the main risks to which the NFKO is exposed and establishing acceptable levels for these risks, (2) overseeing Management Board actions taken to identify, measure, monitor, and control risks.

2.4.2. New operations must not be conducted until corresponding policies and procedures for their implementation are developed and approved.

2.4.3. NFKO internal documents must provide for a procedure for timely informing relevant NFKO management about factors affecting increased NFKO risks.

2.4.4. Risk assessment must be conducted for individual NFKO activity areas, as well as overall for consolidated (main and auxiliary) NFKO operations, taking into account all institutions that are subsidiaries or dependent entities of the NFKO.

2.4.5. An effective internal control system must ensure continuous identification (detection) and assessment of risks accompanying NFKO operations, along with taking adequate and timely measures to minimize risks. The internal control system must be adjusted as new or previously uncontrolled risks are identified (e.g., due to the introduction of new financial services and products, etc.).

2.5. Control measures include a set of control actions and responsibilities across all management and operational execution levels of the NFKO, ensuring adequate oversight over the distribution of powers and duties in conducting NFKO operations and transactions.

2.5.1. Control actions must be an integral part of daily activities of all NFKO employees, embedded in all NFKO operations.

2.5.2. The NFKO must have written policies and procedures for all types of activities and operations, with sufficient control measures ensuring acceptable risk levels for the NFKO. NFKO policies are approved by the Board of Directors and reviewed at least once a year. Based on approved policies, the Management Board ensures the development of necessary procedures. To ensure the effectiveness of control measures, the Management Board carries out:

  • timely dissemination of relevant policies and procedures to NFKO employees who must use them in their work;
  • organizing training for NFKO employees on relevant policies and procedures. Training includes explaining the interrelationship between each employee's individual duties and the overall tasks defined by NFKO policy.

2.5.3. Control actions include, at minimum, the following:

  • oversight by governing bodies through requests for reports and information on structural subdivision performance, management explanations to identify internal control deficiencies, violations, and errors;
  • control actions by structural subdivision managers through continuous and periodic (daily, weekly, and/or monthly) verification of subordinate employees' reports;
  • physical control, conducted through checks of access restrictions to material assets (cash, securities, etc.), asset counts, separation of responsibilities for storage and use, and ensuring the security of storage facilities;
  • compliance checks against established limits;
  • a system for approving and authorizing operations and transactions, verifying their proper reflection in accounting and reporting;
  • verification of compliance with NFKO policies and procedures during operations and transactions.

2.5.4. Control actions within the segregation of duties should help exclude conflict of interest and its occurrence, prevent unlawful actions, and avoid granting the same structural subdivision or employee the ability to:

  • conduct banking operations and other transactions while simultaneously recording them in accounting;
  • authorize cash payments and actually make the payments(2);
  • conduct operations on NFKO client accounts and accounts reflecting the NFKO's own financial activities;
  • assess the accuracy and completeness of documents submitted for credit issuance, and monitor loan repayment;
  • conduct actions in any other operational areas where conflicts of interest may arise.

2.5.5. Potential conflict of interest spheres must be defined, minimized, and subject to independent tracking. To ensure separation of responsibilities in decision-making and operations, thereby protecting against fraudulent actions, no single employee should conduct an operation from start to finish (e.g., the employee responsible for credit approval must not be allowed to conduct settlement-cash operations for that credit, or the employee authorizing an operation must not perform the reconciliation of balances for that operation with the general ledger).

2.5.6. Basic control techniques include:

  a) dual control ("four-eyes" and "joint access" principles). The "four-eyes" principle requires that one employee's work be reviewed/approved by another, involving the second employee in verifying calculation accuracy, authorization, and documentation (e.g., a payment document is prepared by one employee and countersigned by another, or account release requires two authorizing signatures). The "joint access" principle involves a procedure where two or more employees share equal responsibility for the physical protection of assets and documents (e.g., requiring two keys to access a safe, vault, confidential documents, securities, etc.). This responsibility must be established by an appropriate NFKO order and communicated to all employees;
  b) transaction analysis (pre-transaction analysis to prevent incorrect or unauthorized transactions, post-transaction analysis to uncover unauthorized transactions. To ensure effectiveness, the analysis must be thorough and complete, and the analyzing person must be independent from the employee performing the transaction);
  c) operational performance reports (to provide NFKO management with information on operational indicators, financial conditions, and budget deviations to confirm the actual execution of operations and fulfillment of management decisions);
  d) mandatory accounting for all NFKO operations and transactions;
  e) staff training in control techniques and error detection;
  f) data protection (protective devices and mechanisms);
  g) staff error prevention techniques;
  h) calculation error control for timely detection;
  i) other control measures and techniques necessary for the NFKO.

2.6. Information collection, analysis, and reporting involve ensuring (1) reliable, complete, accurate, and timely information for NFKO management and employees to make decisions and fulfill duties, (2) rational and secure information flows (receiving and transmitting information) within and outside the NFKO, and (3) adequate oversight of information flow management and NFKO information security.

2.6.1. The procedure for overseeing the management and provision of secure information flows, including protection against unauthorized access and dissemination of confidential information, as well as prevention of using confidential information for personal purposes, is established by NFKO internal documents in accordance with these Recommendations and applies to all operational areas and activities of the NFKO.

2.6.2. The NFKO must possess adequate and comprehensive financial and other necessary data in real time, as well as information about market events and conditions that may affect NFKO management decisions.

2.6.3. Internal control over automated information systems and technical means consists of general control and software control.

2.6.4. General control of automated systems involves computer system oversight (oversight of the main computer, client-server system, and end-user workstations, etc.) aimed at ensuring uninterrupted and continuous operation. General control consists of NFKO procedures for data backup (copying) and automated information system function recovery, ongoing support during the
