2017-06-15 | 122491

Regulation on Minimum Requirements for External Audit of Banks and Other Non-Bank Financial Credit Organizations Licensed by the National Bank of the Kyrgyz Republic

The National Bank of the Kyrgyz Republic issued this regulation to establish minimum requirements for the external audit of banks and other licensed financial credit organizations, ensuring auditor independence and effective risk management. The document mandates annual audits by qualified, independent firms, defines strict eligibility criteria for auditors and audit teams, and outlines procedures for auditor selection, rotation, and reporting to the regulator. It further specifies detailed audit scopes for financial statements and information security, including consolidated group audits and specific compliance checks against international standards and local legislation.

Kyrgyzstan

National Bank of the Kyrgyz Republic

Creation Date: 2024-11-20

Appendix to the Resolution of the Board of the National Bank of the Kyrgyz Republic of June 15, 2017 No. 2017-P-12/25-2-(NPA)

REGULATION

on the minimum requirements for external audit of banks and other financial-credit organizations licensed by the National Bank of the Kyrgyz Republic

(As amended by Resolutions of the Board of the National Bank of the KR of April 24, 2019 No. 2019-P-12/22-4, June 28, 2019 No. 2019-P-12/34-3, August 14, 2019 No. 2019-P-12/42-1, September 9, 2019 No. 2019-P-33/47-4, November 1, 2019 No. 2019-P-33/55-3, December 14, 2022 No. 2022-P-12/78-9, December 28, 2022 No. 2022-P-12/83-7, April 29, 2023 No. 2023-P-12/29-1, January 17, 2024 No. 2024-P-12/1-3, April 12, 2024 No. 2024-P-12/17-2, October 31, 2024 No. 2024-P-12/58-1-(BS))

  1. General Provisions

  1. This Regulation on the minimum requirements for external audit of banks and other financial-credit organizations licensed by the National Bank of the Kyrgyz Republic (hereinafter - the Regulation) establishes minimum requirements (criteria) for the audit of banks and microfinance companies, including those conducting activities in accordance with Islamic principles of banking and financing or having an "Islamic window," JSC "Financial Company of Credit Unions," housing savings credit companies, and guarantee funds (hereinafter - the Bank).

(As amended by Resolution of the Board of the National Bank of the KR of January 17, 2024 No. 2024-P-12/1-3)

  2. The purpose of this Regulation is the effective organization of the Bank's activities in engaging audit organizations, implementing accepted procedures for their selection, ensuring the independence of auditors of the Bank when providing audit services, and preventing conflicts of interest.

2-1. Audit may be mandatory and/or voluntary. Voluntary audit is conducted by decision of the audited entity or another audit client, taking into account specific obligations, deadlines, and scope of the audit.

(As amended by Resolution of the Board of the National Bank of the KR of April 29, 2023 No. 2023-P-12/29-1)

  3. For the purposes of this Regulation, the following concepts are used:

External audit of the Bank - an independent verification of the Bank's activities for the purpose of expressing an independent opinion on the reliability of financial reporting in all material respects in accordance with international financial reporting standards and other information in accordance with the legislation of the Kyrgyz Republic.

External auditor of the Bank - an independent audit organization (including its auditors included in the audit team), formed in accordance with the requirements of the legislation of the Kyrgyz Republic.

Audit requirements include requirements that the Bank must impose on the audit organization, its staff, engaged auditors (natural and legal persons), the audit (at any stage), and the audit report in accordance with the legislation of the Kyrgyz Republic and this Regulation.

External information security audit - an independent comprehensive check by an external auditor of the technical regulations and requirements of the Bank that ensure the security and protection of information and the banking systems themselves from unauthorized interference and other threats (risks).

Conflict of interest - a situation in which the interest of the external auditor of the Bank may affect its opinion on the reliability of the Bank's financial reporting.

Independence of the external auditor of the Bank - the ability of the external auditor of the Bank to act independently, free from any influence on the results of its conclusions, and under conditions that exclude any external influence on the expression of opinion by the external auditor of the Bank.

The terms "officials of the Bank," "affiliated persons," "persons related to the Bank," "subsidiary company of the Bank or banking holding company," "Islamic bank," "bank having an 'Islamic window'," "Islamic principles of banking and financing," "Sharia Council" - have meanings according to the legislation of the Kyrgyz Republic.

DDoS attack (distributed denial of service) - a targeted attack by submitting a large number of requests to stop or disrupt the operation of an information system.

Anti-fraud systems - software complexes for preventing fraudulent transactions.

SQL injection - a vulnerability that allows an attacker to use fragments of malicious code in the Structured Query Language (SQL) to manipulate the database and gain access to information.

DMZ zone - a part of the local network intended for placing network devices interacting with external networks, in particular the Internet network.

(As amended by Resolutions of the Board of the National Bank of the KR of June 28, 2019 No. 2019-P-12/34-3, December 28, 2022 No. 2022-P-12/83-7, April 12, 2024 No. 2024-P-12/17-2)

Note of the IC "Toktom": The number of paragraphs in paragraph 3 of this Regulation does not correspond to the number of paragraphs in paragraph 3 of the text in the state language.

  2. Requirements for External Audit of Banks

  2. The activities of the Bank are subject to annual external audit in accordance with international audit standards recognized in the Kyrgyz Republic, as well as in the manner established by the legislation of the Kyrgyz Republic and in accordance with this Regulation.

  3. In relations carried out in accordance with Islamic principles of banking and financing, audit standards for Islamic financial institutions developed by the Accounting and Auditing Organization for Islamic Financial Institutions (AAOIFI) are applied.

  4. In order to identify and assess the risks of material misstatement due to fraud or error, the external auditor of the Bank conducts consultations with the employees of the Bank's internal audit service to obtain information about the Bank's internal control system, as well as information about problems identified by the Bank's internal audit service. The external auditor of the Bank must have access to all materials and reports of the Bank's internal audit service.

  5. The Bank develops internal regulatory documents on the engagement of external audit, approved by the Board of Directors of the Bank, not conflicting with the requirements of the Regulation, including the definition of:

  • a list of criteria for selecting an external auditor of the Bank;
  • conditions for hiring an external auditor;
  • procedure and conditions for payment of services of the audit organization for the audit of financial reporting, as well as for providing ancillary (non-audit) services to the Bank and organizations controlled by the Bank.

(As amended by Resolution of the Board of the National Bank of the KR of December 28, 2022 No. 2022-P-12/83-7)

  1. The selection of the audit organization is carried out by the Bank independently, in compliance with the requirements of the legislation of the Kyrgyz Republic.

  2. Proposals from no fewer than three audit organizations must be considered to select the most acceptable audit organization from the point of view of the quality of the external audit of the Bank. When appointing an external auditor, the Bank's choice must be determined not only by the minimization of costs for external auditor services.

During the period of external audit, there must be an unchanged key composition of auditors conducting the external audit of the Bank, except for changes in the key composition of auditors agreed upon between the Bank and the external auditor, which are approved by the Bank's Audit Committee.

  1. The Board of Directors of the Bank selects audit organizations and auditor candidates for submission to the General Meeting of Shareholders. No later than ninety working days before the day of the General Meeting of Shareholders, the Bank notifies the National Bank of the audit organization and auditor candidates. The National Bank has the right to reject the audit organization and auditor candidates as not meeting the established requirements for the audit of banks and notify the Bank of this no later than ten working days from the date of receipt of the notification, indicating the requirement that the audit organization or auditor candidates do not meet.

  2. The selection of the external auditor of the Bank, conducting negotiations with the audit organization regarding remuneration, deadlines, and conditions for conducting the external audit of the Bank, and presenting the external auditor of the Bank for consideration by the General Meeting of Shareholders of the Bank is the exclusive competence of the Board of Directors of the Bank.

When concluding a contract for the audit of financial reporting, the requirements set out in Chapter 5 of this Regulation must be included, and in the contract for the audit of information security - the requirements set out in Chapter 6 of this Regulation.

(As amended by Resolution of the Board of the National Bank of the KR of April 12, 2024 No. 2024-P-12/17-2)

  1. The Board of Directors of the Bank, in the process of selecting an external auditor of the Bank, should require the audit organization to provide evidence (proofs) of the existence of conditions established in paragraph 18 of this Regulation, as well as:

a) a list of financial-credit and other organizations whose external audit was conducted by this audit organization over the last three years;

b) proposals including the planned scope of the audit, the period that will be studied during the audit, the schedule for conducting the external audit of the Bank, as well as the reports that are planned to be prepared.

  1. The Bank is obliged to notify the National Bank in writing within three working days:

a) about the selection (appointment) of the external auditor of the Bank or banking group after the decision of the General Meeting of Shareholders of the Bank.

This notification must indicate the presence of registration in the Unified State Register (individual registration number of the audit organization and auditor, date of registration), legal address, including telephone numbers of the audit organization, full name of the head of the audit organization;

b) about the change of the external auditor of the Bank and its reasons, if the change of the external auditor of the Bank occurred during the period of the external audit of the Bank.

(As amended by Resolution of the Board of the National Bank of the KR of December 28, 2022 No. 2022-P-12/83-7)

  3. Requirements for the External Auditor of the Bank

  2. Only an audit organization included in the Unified State Register of Auditors, Audit Organizations and Professional Audit Associations on the territory of the Kyrgyz Republic and meeting the requirements established by the National Bank for the audit of banks can be the external auditor of the Bank.

(As amended by Resolution of the Board of the National Bank of the KR of December 28, 2022 No. 2022-P-12/83-7)

  1. When conducting the external audit of the Bank, the external auditor of the Bank must comply with the restrictions established by the legislation of the Kyrgyz Republic and normative legal acts of the National Bank.

  2. The external auditor of the Bank must remain independent and objective, avoid situations that give grounds to believe that a conflict of interest exists. If there are risks posing a threat to the independence of the audit organization and the auditor, the external auditor of the Bank must provide the Bank with information in written or electronic form about such risks and measures applied to reduce them.

(As amended by Resolution of the Board of the National Bank of the KR of December 28, 2022 No. 2022-P-12/83-7)

  1. The external auditor must be independent of the Bank, which means the ability to act independently, free from any influence on the results of the audit report, conclusions, and under conditions that exclude any external influence on the expression of opinion by the external auditor. The contract on the conduct of external audit must reflect a statement by the audit organization that the audit organization itself or any of its auditors, or any other employee included in the audit team, has no interest in the Bank, is independent, and is not connected by any relations with the Bank and its officials.

  2. An audit organization or auditors participating in the audit of the Bank, or engaged auditors participating in the audit of the Bank, are not considered independent of the Bank if they are or have been in the last two years:

  1. persons who directly or indirectly have a significant participation in the capital of the Bank or its affiliated persons;

  2. affiliated persons of the Bank or its affiliated persons;

  3. an audit organization or an organization belonging to the same international network, to which services were provided:

  • on restoration and maintenance of accounting records;

  • related to the development of accounting methodology;

  • on the preparation of financial reporting;

  • internal audit;

  4. an employee of the Bank or its affiliated persons;

  5. in other cases provided for by the legislation of the Kyrgyz Republic.

(As amended by Resolution of the Board of the National Bank of the KR of December 14, 2022 No. 2022-P-12/78-9)

  1. The Bank must not engage an audit organization as an external auditor of the Bank if there are confirmed circumstances casting doubt on the independence of the external auditor of the Bank, including if there are relations under which the audit organization, or any of its auditors, are essentially a person related to the Bank in accordance with banking legislation.

The audit organization selected for the audit of the Bank or banking group must:

  • be included in the Unified State Register of Auditors, Audit Organizations and Professional Audit Associations on the territory of the Kyrgyz Republic, and also have audit experience of no less than three years;

  • be independent of the Bank;

  • have experience in auditing commercial banks and financial-credit organizations in accordance with international audit standards and international financial reporting standards, as well as in accordance with standards approved by the Accounting and Auditing Organization for Islamic Financial Institutions;

  • have full-time or engaged auditors in a number sufficient for the quality and timely performance of the tasks set.

In the event that an audit organization belonging to an international network of audit organizations lacks experience in auditing commercial banks, such an audit organization may be engaged by the Bank for the audit upon compliance with the following additional criteria:

  • has experience in assessing the value of the Bank's financial instruments and the adequacy of the creation of reserves for possible losses on financial instruments and recognition of other losses from impairment;

  • has full-time auditors whose experience and qualifications meet the requirements of paragraphs 20 and 21 of this Regulation;

  • has a centralized policy or quality control program on the scale of the entire international network of audit organizations.

(As amended by Resolutions of the Board of the National Bank of the KR of December 28, 2022 No. 2022-P-12/83-7, October 31, 2024 No. 2024-P-12/58-1-(BS))

  1. The head of the audit of financial reporting must be included in the Unified State Register of Auditors, Audit Organizations and Professional Audit Associations on the territory of the Kyrgyz Republic, and possess:
  • qualification in accordance with the requirements of legislation on audit or international qualification;

  • three-year experience in auditing commercial banks and financial-credit organizations;

  • experience in auditing financial-credit organizations in accordance with international audit standards and international financial reporting standards;

  • knowledge in the field of banking and banking legislation of the Kyrgyz Republic;

  • knowledge of AAOIFI standards and three-year experience in auditing banks and financial-credit organizations conducting activities in accordance with Islamic principles of banking and financing - for the audit of a bank providing services in accordance with Islamic principles of banking and financing.

(As amended by Resolution of the Board of the National Bank of the KR of December 28, 2022 No. 2022-P-12/83-7)

  1. The head of the information security audit for the conduct of external information security audit must possess:
  • a qualification certificate (one of CISA, CISM, CISSP, etc.);

  • experience in auditing information systems and/or information security of financial-credit organizations.

(As amended by Resolution of the Board of the National Bank of the KR of April 12, 2024 No. 2024-P-12/17-2)

  1. External audit of the Bank cannot be carried out by the same audit organization for more than five consecutive years. The rotation period is determined based on five consecutive years from the date when the General Meeting of Shareholders of the Bank must make a decision on the election (appointment) of the external auditor of the Bank.

  2. At the request of the Bank to the National Bank to change the rotation period of a bank included in a banking group, the rotation period may be increased if the international holding company, which includes the Bank, is provided by the legislation of the country of registration with a rotation period for the external auditor different from that established by this Regulation.

  4. Audit of the Banking Group

  4. A Bank located at the head of a banking group, a banking holding company, or a parent company and a subsidiary company of the Bank, representing an audited group, are subject to annual audit by an independent audit organization (external auditor), included in the Unified State Register of Auditors, Audit Organizations and Professional Audit Associations on the territory of the Kyrgyz Republic in accordance with the requirements of this Regulation.

(As amended by Resolution of the Board of the National Bank of the KR of December 28, 2022 No. 2022-P-12/83-7)

  1. The audit of the Bank or banking group is conducted on a consolidated basis and individually for each participant of the banking group. The audit of the banking group must be carried out by one audit organization.

  2. The National Bank may exclude the requirements specified in paragraph 27 at the request of the Bank and its affiliated person(s) if the Bank and the affiliated person provide evidence and the National Bank recognizes the existence of the following circumstances:

a) the impossibility of conducting the audit for all persons of the audited group by one audit organization due to the high cost of the audit, which may lead to negative consequences for the financial condition of the Bank, or the absence of an audit organization that could complete the audit of each person of the audited group within the required time or conduct a proper audit regarding each person of the audited group;

b) the Bank or its affiliated person has taken all measures to fulfill the requirements specified in this paragraph;

c) the provision of permission by the National Bank for various audit organizations to audit various persons of the audited group will not cause adverse effects on the results of the audit of the Bank, of any affiliated person of the Bank, or of the banking group as a whole.

  1. The National Bank cannot exclude the requirement for the audit of all persons included in the audited group by one audit organization until all audit organizations that are supposed to conduct the audit of various persons included in the audited group agree in writing to provide each other with access to their working documents and audit reports related to the audit of the Bank and its affiliated persons, exchange information during the audit, and carry out interaction between them regarding the content of their audit reports.

  2. Based on the results of the audit of the banking group, reports are prepared separately for each participant of the group and a consolidated report.

In the event that the indicator of the net total capital of a participant of the banking group is less than 5% of the net total capital of the Bank located at the head of the banking group, separate reporting for the participant of the banking group is not required.

  5. Audit of Financial Reporting

  2. Upon completion of the financial year, the Bank is obliged to ensure the conduct of the external audit of the Bank no later than ninety days from the beginning of the new financial year.

  3. The external auditor ensures the level of assurance of users in the reliability of financial reporting in all its material respects in accordance with the applicable bases of presentation of financial reporting (international financial reporting standards).

(As amended by Resolution of the Board of the National Bank of the KR of June 28, 2019 No. 2019-P-12/34-3)

  1. The external auditor needs to consider the exposure of the Bank's financial reporting to material misstatement and the use of applied financial reporting principles regarding data and circumstances related to the Bank's activities, as well as:

a) assess identified risks and determine whether they extend to financial reporting as a whole and can potentially affect many assertions, goals, and strategies of the Bank, as well as related commercial risks that can lead to risks of material misstatement;

b) assess the selection and application of accounting policies, including the reasons for any changes. The external auditor assesses whether the Bank's accounting policy corresponds to the nature of its commercial activity and whether the selected and applied provisions of the accounting policy correspond to the applicable concept of preparation of financial reporting and are appropriate;

c) assess and analyze the financial results of the Bank's activities in order to identify and assess the risks of material misstatement due to fraud or error, at the level of financial reporting and at the level of assumptions, development, and conduct of audit procedures in response to these risks.

  1. The external auditor needs to consider the compliance of the Bank's accounting and asset classification with the legislation of the Kyrgyz Republic, regulatory requirements of the National Bank, accounting policy, and procedures of the Bank. For these purposes, the external auditor of the Bank should perform corresponding procedures within the audit conducted in accordance with international audit standards and the requirements of the National Bank, necessary for the purpose of expressing an opinion on the compliance of the Bank's financial reporting in all material respects with the established principles of presentation of financial reporting, necessary to obtain information regarding the following sub-items:

a) assessment of the compliance of the credit policy applied by the Bank with circumstances, including the nature, size, and complexity of the Bank's activities, within the assessment of the Bank's internal control system related to financial reporting and significant for the audit, including:

  • whether the quality of management of credit risks is ensured through the proper activities of the Bank's Credit Committee;

  • whether there are procedures for considering credit applications;

  • whether the collection of necessary and sufficient information about the borrower is ensured;

  • whether control (monitoring) of the timeliness of loan repayment is carried out, including by affiliated and related persons defined as such in accordance with international financial reporting standards and banking legislation;

  • whether the necessary justification for the restructuring of loans is ensured;

  • whether a list of measures taken by the Bank during the reporting period aimed at loan repayment is maintained, including for loans subject to court proceedings;

b) justification of the classification and assessment (justification of provisions for potential losses and losses) of the credit portfolio and other assets, as well as off-balance sheet obligations, carried out by management;

c) assessment of the appropriateness of the applied accounting policy, as well as the justification of estimated values calculated by management regarding other assets - real estate acquired by the Bank as a result of foreclosure;

d) the presence of an assessment of collateral for provided loans and whether the assessment conducted by management is justified;

e) compliance with the periodicity of procedures conducted by the Bank for confirmation of balances on loan accounts and "loro" and "nostro" accounts in accordance with the Bank's internal policies and the requirements of the National Bank, as well as ensuring the compliance of deposit accounting with the established structure of deposits and other...
