2015-01-15

Guidelines on Internal Control for Licensed Financial Institutions

The regulator establishes minimum internal control standards for licensed financial institutions, mandating structured risk assessment and independent audit functions. Financial institutions must maintain documented audit charters, ensure direct reporting to the board or audit committee, and implement continuous monitoring alongside clearly defined control activities. The guidelines further specify professional competence requirements, risk-based audit planning, reporting protocols, and strict oversight procedures for any outsourced internal auditing services.

Liberia

Central Bank of Liberia

GUIDELINES ON INTERNAL CONTROL FOR LICENSED FINANCIAL INSTITUTIONS

Section 1.0 Introduction

The guidelines set out below form a minimum standard for the internal audit unit/section/department of all operating financial institutions to adhere to in the discharge of its duties. A financial institution is expected to have a manual/guideline on how it intends to conduct its internal control operations, including but not limited to audit types, schedule on frequency of audit, audit reporting channels, audit programs, etc.

As economic, regulatory and operating conditions are in constant change, risk assessment should be an ongoing evaluation process. It implies identifying and analyzing altered conditions and risks (risk assessment cycle) and modifying internal control to address changing risk.

1.1. Overview

These Guidelines aim to:
a) Provide a framework for performance and promotion of a broad range of internal audit activities;
b) Outline best practices for a financial institution’s internal audit function;
c) Establish the basis for measuring performance in the internal audit function;
d) Indicate how the work of the internal audit function can improve the financial institution’s processes and operations.

Section 2.0 Definition

2.1 Internal Control is a process, effected by a financial institution’s board of directors, management and other personnel, designed to address risk and provide reasonable assurance regarding the achievement of objectives of an entity by:
a) executing orderly, ethical, economical, efficient and effective operations;
b) fulfilling accounting obligations;
c) complying with applicable laws and regulations;
d) safeguarding resources against loss, misuse and damage.

2.2 Internal auditor is an employee of a financial institution or independent third party who examines internal control procedures to ensure compliance with relevant laws and regulations and to ascertain that board directives and management policies are being properly executed. The internal auditor examines and contributes to the ongoing efficiency and effectiveness of the internal control system through their evaluations and recommendations, but they don’t have primary responsibility for designing, implementing, maintaining and documenting it.

2.3 Internal audit unit/section/department is stationed within an entity and not outsourced, entrusted by its management with carrying out checks and assessing the financial institution’s systems and procedures in order to minimize the likelihood of fraud, errors and inefficient practices. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. Internal audit must be independent within the organization and report directly to management and Board.

2.4 Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve the financial institution’s operations. It helps the organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Section 3.0 Components of Internal Control

There are five basic components of internal control that every audit should review during any internal audit of its institution:

3.1 Control environment sets the tone of an organization, influencing the control consciousness of its staff. It is the foundation for all other components of internal control, providing discipline and structure. Elements of the control environment are:
a) the personal, professional integrity, and ethical values of management and staff, including a supportive attitude toward internal control at all times throughout the organization;
b) commitment to competence;
c) the “tone at the top” (i.e. management’s philosophy and operating style);
d) organizational structure;
e) human resource policies and practices.

3.2 Risk assessment is the process of identifying and analyzing relevant risks to the achievement of the financial institution’s objectives and determining the appropriate response. It implies:
a) risk identification relative to the objectives of the institution and risks due to external and internal factors, at both the institution and the activity levels;
b) risk evaluation, which includes estimating the significance of a risk and assessing the likelihood of the risk occurrence;
c) assessment of the risk appetite of the organization; and
d) development of responses:

3.3 Control activities are the policies and procedures established to address risks and to achieve the institution’s objectives. To be effective, control activities must be appropriate, function consistently according to plan throughout the period, and be cost effective, comprehensive, reasonable and directly related to the control objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of detective and preventive control activities as diverse, for example, as:
a) authorization and approval procedures;
b) segregation of duties (authorizing, processing, recording, reviewing);
c) controls over access to resources and records;
d) verifications;
e) reconciliations;
f) reviews of operating performance;
g) reviews of operations, processes and activities;
h) supervision (assigning, reviewing and approving, guidance and training).

Financial institutions should reach an adequate balance between detective and preventive control activities. Corrective actions are a necessary complement to control activities in order to achieve the objectives.

3.4 Information and Communication Systems are systems established to ensure proper capture of data and information and to generate reports that would make it possible to control the institution. Information and Communication systems would produce reports covering operational issues, financial information, control compliance, strategic information, and staff accountability to the control system.

3.5 Monitoring should ensure that audit findings and recommendations are adequately and promptly resolved. The internal control system needs to be monitored. Monitoring involves a process of assessment of the quality of the system’s performance over time. Monitoring is achieved by:
a) Ongoing monitoring, which includes regular management and supervisory activities and other actions personnel take in performing their duties; and
b) Specific separate evaluations, which cover the evaluation of the effectiveness of the internal control system and ensure that internal control achieves the desired results based on predefined methods and procedures.

Internal control deficiencies should be reported to the appropriate level of management.

Section 4.0 INTERNAL AUDIT

4.1 FRAMEWORK FOR INTERNAL AUDITING

To promote effective and efficient internal auditing, a financial institution must ensure that the structure and staffing of the internal audit function are commensurate with the size, complexity and risk profile of the financial institution. It is imperative that measures be implemented to maintain an internal audit function of high quality.

4.2 PROFESSIONAL COMPETENCE

Internal audits should be performed with proficiency and due professional care. The financial institution should ensure that the technical proficiency and educational background of internal audit staff are appropriate.

a) The officer in charge of the internal audit unit should possess at least a college/university degree and/or have some formal training in the practice of auditing. The officer in charge of the internal audit unit should be encouraged, where necessary, to work towards the attaining of a professional designation in auditing or accounting.
b) Internal audit staff should maintain technical competence through continuing education and training. Staff should also have sufficient up-to-date knowledge of auditing techniques and developments in the financial services sector.

4.3 INDEPENDENCE

The internal audit function should be independent in substance and appearance. When assessing the independence of internal auditing, the financial institution should consider, among other things, the following:
a) The financial institution’s internal auditing activities should be independent of its daily operations and internal control processes;
b) In the performance of his duties, the internal auditor should be free from managerial or other interference in determining the scope of internal auditing, performing the audit tasks, and communicating results.
c) The internal auditor should not have a vested interest in any area of the financial institution.
d) The audit committee should recommend to the board the appointment and termination of the internal auditor.
e) The audit committee should ensure that the internal auditor’s compensation scheme, appraisal and termination arrangements are consistent with the qualification, experience and performance of the internal auditor.
f) The internal audit function should be subject to an independent review by the audit committee, the external auditor or a qualified party.

4.4 OBJECTIVES OF INTERNAL AUDITING

The principal objective of the internal audit function is to assist management and the board of directors, through the audit committee, in the effective discharge of their responsibilities as follows:
a) To ensure that internal control, governance and risk management systems are reviewed, improved and optimized in response to the dynamic environment within which the financial institution operates;
b) To provide reasonable assurance to management, staff and the audit committee that significant risks in the financial institution are being appropriately managed, with an emphasis on the effectiveness of internal controls;
c) To contribute to the financial institution’s governance processes by evaluating and improving the process through which the values and goals are established and communicated; and
d) To monitor the accomplishment of goals and ensure that there is accountability.

4.5 ORGANISATIONAL STATUS OF THE INTERNAL AUDIT FUNCTION

a) The organizational status of the internal audit unit should be sufficient to permit the accomplishment of its audit responsibilities.
b) The internal auditor should have the authority to communicate directly, and on his/her own initiative, to the board of directors, the chairman of the board of directors, the members of the audit committee or the external auditors, in accordance with policies and procedures established by the financial institution.

5.0 RULES FOR THE CONDUCTION OF INTERNAL AUDIT

5.1 THE AUDIT CHARTER

The internal audit charter should enhance the organizational status and authority of the internal audit unit within the financial institution.

I. The charter should at a minimum:
a) Specify the objectives and scope of the work of the internal audit unit;
b) Establish the internal audit function’s position, powers and responsibilities within the organization and define its relations with other control functions;
c) Underscore the accountability of the internal auditor; and
d) Outline the terms and conditions under which the internal audit function can be requested to provide consulting or advisory services or to carry out special tasks.

II. The internal auditor and audit committee should review the audit charter periodically. As part of its supervisory role the board of directors or audit committee is required to approve the charter.

III. The charter gives the internal audit unit the right to initiate activities relevant to the performance of its assignments. In particular, the charter should give the audit unit/department the right to:
a) Have direct access to and communicate with any member of staff;
b) Examine any activity or institution of the financial institution;
c) Access any records, files or data of the financial institution, including management information and the minutes of all consultative and decision making bodies.

IV. The charter should be circulated throughout the financial institution.

5.2 AUDIT SCOPE

The internal audit should entail the review of all areas of the financial institution including relevant systems, records, personnel and physical properties in order to satisfy the agreed upon objectives, to appraise and report on the adequacy of internal control systems (i.e. managerial, financial, operational and budgetary controls) and their reliability. The scope should focus on, but not be limited to:
a) Examining and evaluating the adequacy and effectiveness of the internal control systems, including information technology controls, and considering the impact on annual and interim financial reporting. This should include:
   I) Reliability and integrity of financial and operational information systems;
   II) Effectiveness and efficiency of operations;
   III) Safeguarding of assets;
   IV) Compliance with laws, regulations and controls.
b) Reviewing the application and effectiveness of risk management procedures and risk assessment methodologies;
c) Reviewing the financial institution’s system of assessing adequacy of its capital in relation to the estimate of risk to capital;

d) Appraising the efficiency and effectiveness of operations given the current operating environment;
e) Testing transactions and internal control procedures;
f) Analyzing systems established to ensure compliance with legal and regulatory requirements, codes of conduct and the institution’s policies and procedures;
g) Testing the reliability and timeliness of regulatory reporting; and
h) Conducting special investigations.

Senior management should ensure that the internal audit department is kept fully informed of new developments, initiatives, products and operational changes to ensure that all associated risks are identified at an early stage and adequate controls and documentation are in place to address any identified risks.

The actual areas to be reviewed by the internal audit unit should be determined by a risk assessment of the internal control systems. The results of this assessment will guide the internal audit planning process.

5.3 AUDIT PROGRAMME

I. The internal auditor must prepare an audit plan which outlines every area to be audited in the financial institution. The plan should establish priorities, set objectives and ensure the efficient and effective use of audit resources. The audit programme should be based on the terms of reference of the internal audit unit as well as the audit risk assessment of the financial institution.

II. The audit plan should be documented and approved by the board of directors upon the recommendation of the audit committee and be amended as necessary to take account of changing circumstances. All amendments have to be approved by the audit committee or board of directors.

III. In developing the audit plan the following steps should be included:
a) Identify all auditable activities within the agreed scope of the internal audit;
b) Conduct a risk assessment of these activities in conjunction with management, identifying categories such as high, medium, low risk;

c) Prepare an audit needs assessment based on the risk assessment performed;
d) Develop an overall audit plan from the audit needs assessment to cover risks identified;
e) Identify and advise the audit committee of any mismatch between internal audit needs and actual resources;
f) Complete all significant activities and systems in the period for which the plan is formulated. Ideally this should be annually;
g) Discuss the overall and individual audit plans with appropriate senior managers and the audit committee and amend as necessary; and
h) Present the audit plans to the audit committee for approval.

5.4 AUDIT PROCEDURES

I. Every activity should be covered in the audit programme. It should describe the objectives and outline the audit work necessary to achieve these objectives. The procedures should be flexible and risk-based.

III. The audit report of each system/activity audited is to be issued as quickly as possible to the head of the area audited, the chief executive officer, the audit committee and senior management. The audit report presents the purpose and scope of the audit and includes the internal audit findings and recommendations, as well as management’s responses.

IV. The internal auditor should follow up to ascertain that appropriate action is taken on reported audit findings. The status of implementation of recommendations should be reported to senior management, the audit committee and/or the board of directors at regular intervals. Senior management should ensure that internal audit’s concerns are appropriately addressed in a timely manner.

V. The internal auditor should also provide an annual report to senior management and the audit committee based on a self-administered quality review of the internal audit function.

Section 6.0 DUTIES OF INTERNAL AUDITOR

6.1 Role of Internal Auditor

I. An effective audit unit/section/department plays a key role in assisting the Board to discharge its governance responsibilities, which include:
a) Have an objective evaluation of the existing risk and internal control framework;
b) Review the compliance framework and specific compliance issues;
c) Assess the accomplishment of corporate goals and objectives;
d) Review operational and financial performances;
e) Show systematic analysis of business processes and associated control;
f) Implement ad-hoc review of other areas of concerns, including unacceptable level of risk; and
g) Provide feedback on adherence to the bank’s values and code of conduct/ethics.

II. The Internal auditor shall be largely independent, highly competent, very objective, consistent, have good integrity, and be a member of a relevant professional body.

III. The Internal auditor shall report directly to the Board Audit Committee on approved audit program. He/she should provide the Board Audit Committee with a comprehensive report on occasional and impromptu audits and must make copies of all internal audit reports available to the examiners, when requested.

IV. Since the objective of the internal audit function has always been to improve any process within the organization that will result in improved revenue and reduced risk, the internal unit should be adequately staffed.

VI. The head of internal audit can meet privately with the full Board/Audit Committee without the presence of management. This will reinforce independence and the direct nature of the reporting relationship.

6.2 OBJECTIVITY

The internal auditor should be impartial and unbiased in performing the audit.

a) The internal auditor must disclose to the audit committee or the board of directors any situation that is likely to affect or might be perceived as affecting his impartiality.
b) The internal auditor should be removed or re-assigned in response to any perceived, actual, threatened or future bias.

6.3 RESPONSIBILITIES OF THE INTERNAL AUDITOR

The internal auditor should comply with professional standards established by internationally recognized professional bodies.

I. It is the responsibility of the head of the internal audit function to:
a) Establish plans to carry out the duties of the internal audit unit;
b) Develop written policies and procedures to guide the audit staff;
c) Establish a programme for selecting and developing the human resources of the internal audit function;
d) Collaborate with the institution’s external auditors to ensure that they complement each other;
e) Establish and maintain a quality assurance and improvement programme in collaboration with the audit committee to continuously evaluate the effectiveness of the internal audit function and its conformity with recognized standards on auditing;
f) Maintain all working papers. These should adequately document all the work performed by the internal audit function, and support the conclusions reached;
g) Review the work of the audit support staff to ensure that they possess a level of technical competence appropriate to their assigned duties; and
h) Review the work of the internal audit support staff to ensure that their technical competency is adequate.

7.0 Outsourcing of Internal Auditing

I. If the financial institution decides to outsource the internal audit function, the board of directors and senior management of an institution are responsible for ensuring that both the system of internal control and the internal audit function operate effectively. They should maintain ownership of the internal audit function and provide active oversight of the outsourced activities.

II. Before a decision is made to outsource the internal audit function, the financial institution should seek the approval of the CBL. Once approval is given by the CBL, the financial institution should consider the following:
a) The competence of the vendor;
b) Management of the vendor’s business;
c) The system for maintaining communication between the internal audit function and the audit committee and senior management;
d) Contingency Plans to deal with any unanticipated events.

III. The institution should have a written contract (an engagement letter), which should cover at a minimum:
a) Expectations and responsibilities under the contract for both parties;
b) Scope and frequency of engagements;
c) Fees;
d) Work to be performed;
e) Reporting requirements (type, frequency, to whom);
f) Establish the process for changing the terms of the service contract, especially for expansion of audit work if significant issues are found, and stipulations for default and termination of the contract;