BANK OF THE REPUBLIC OF BURUNDI

THE GOVERNOR

CIRCULAR No. 07/2018 ON THE INTERNAL CONTROL OF CREDIT INSTITUTIONS ISSUED PURSUANT ACT No. 1/17 OF 22 AUGUST 2017 GOVERNING BANKING ACTIVITIES

Having regard to Act No. 1/34 of 02 December 2008 establishing the Statutes of the Bank of the Republic of Burundi, particularly Articles 7 (paragraphs 4 and 6) and 8;

Having regard to Act No. 1/17 of 22 August 2017 governing banking activities, particularly Articles 3, 49 (point 9), 50 and 51 (paragraph 3);

Having reviewed Circular No. 07/2017 on internal control applicable to credit institutions;

The Bank of the Republic of Burundi, hereinafter referred to as the "Central Bank", hereby issues:

---

Article 1: Purpose

This circular aims to specify the conditions under which the internal control system of credit institutions must be organized.

---

Article 2: Definitions

For the purposes of this circular, the following terms shall mean:

• credit institutions, banks and financial institutions;

• internal control system, the set of measures adopted by the Board of Directors and implemented by the General Management to ensure that risks associated with the institution's activities are managed at all levels;

• internal audit, a body, function, or entity whose mission is to continuously ensure that the internal control system is effective, and if not, to quickly detect weaknesses so that the credit institution can remedy them, and to monitor the implementation of recommendations;

---

Article 3: Internal Control System

A credit institution must establish an adequate internal control system, adapted to the nature and volume of its activities, its size, its locations, and the various risks to which it is exposed.

An internal control system generally includes:

• a system for controlling operations and internal procedures;
• an accounting and information processing organization;
• risk and performance measurement systems;
• risk monitoring and management systems;
• a documentation and information system;
• a monitoring mechanism for cash and securities flows.

The credit institution must establish written rules specifying the measures intended to ensure the proper functioning of the internal control system, including:

---

Article 4: Levels of Internal Control

The control levels are:

• first-level control (ongoing) performed by the operational staff themselves, team supervisors, and hierarchical managers as part of their daily activities;

• second-level control (ongoing) performed by dedicated compliance, internal control, etc. teams that do not exercise operational functions. It must ensure the proper execution of first-level controls. Teams dedicated to this control may be centralized and/or located at the activity or business unit level;

• third-level control (periodic) performed by independent staff intervening on documents or on-site as part of ad hoc audits. Control at this level is carried out by internal audit and, at the request of the competent body, by an external firm.

---

Article 5: Indicative Content of the Internal Control System

The internal control system includes mechanisms to ensure:

• verification of operations, internal procedures, and controls performed by the ongoing control function;
• the reliability of the conditions for collecting, processing, disseminating, and retaining accounting and financial data;
• the assessment of the adequacy of capital and liquidity to the credit institution's risk profile;
• a comprehensive approach to business continuity management within the credit institution;
• the effectiveness of internal channels for documentation and information circulation, as well as their dissemination to third parties.

---

Article 6: Obligation to Have Ongoing and Periodic Control Staff

Credit institutions must have sufficient and competent staff to perform ongoing and periodic controls.

---

Article 7: Levels of Authority, Responsibility, and Areas of Intervention

The levels of authority and responsibility, as well as the areas of intervention of the different operational units, must be clearly specified and delineated.

A strict separation must be established between units responsible, on the one hand, for initiating, executing, validating, and recording operations, and, on the other hand, for their control.

---

Article 8: Bodies Responsible for Implementing the Internal Control System

The internal control system is designed by General Management, approved, and periodically evaluated by the Board of Directors.

---

Article 9: Role of General Management

General Management is responsible for:

• establishing the appropriate organizational structure and providing the human and material resources necessary to implement the internal control system;
• identifying all sources of internal and external risks;
• defining adequate internal control procedures and those ensuring the separation of duties and preventing conflicts of interest;
• continuously monitoring and evaluating the proper functioning of internal control and taking necessary measures to promptly remedy any identified deficiencies or shortcomings;
• periodically reviewing procedure manuals to adapt their provisions to legal and regulatory requirements, as well as to the evolution of the institution's activities, the economic and financial environment, and analysis techniques.

---

Article 10: Role of the Board of Directors

The Board of Directors is responsible for:

• defining the strategic directions of the credit institution and approving the internal control procedures initiated by General Management;

---

Article 11: Promotion of a Control Culture

Members of the Board of Directors and General Management must promote, within their institution, a strong control culture that places particular emphasis on the necessity for each employee to perform their duties in compliance with applicable legal and regulatory provisions, as well as internal directives and procedures.

To this end, they adopt a training and information policy that highlights the credit institution's objectives and clarifies the means to achieve them.

---

Article 12: System for Controlling Operations and Internal Procedures

The system for controlling operations and internal procedures must enable credit institutions to ensure:

• the compliance of executed operations, organization, and internal procedures with applicable legal and regulatory requirements, as well as professional and ethical standards and internal instructions of the executive body;
• strict adherence to decision-making and risk-taking procedures, as well as management standards and limits set by General Management;
• the quality of accounting and financial information intended for the Board of Directors and General Management, for transmission to the Central Bank or publication;
• the conditions for evaluating, recording, retaining, and accessing this information, including the existence of an audit trail;
• the quality of information systems, particularly information system security, data availability and integrity preservation, operational continuity, and the traceability of all modifications made to the system and data;
• the execution within reasonable timeframes of decided corrective measures.

---

Article 13: Procedure Manual per Operational Unit

Each department or operational unit must be equipped with a manual containing the procedures for executing operations.

---

Article 14: Control of Daily Operations of Operational Units

The execution methods for operations performed daily by operational units must include appropriate ongoing control procedures to ensure the regularity, reliability, and security of these operations, as well as compliance with other diligence requirements related to monitoring associated risks.

---

Article 15: Accounting Control Mechanism

The accounting control mechanism must enable credit institutions to ensure the reliability and completeness of their accounting and financial data, and to guarantee the availability of information when needed.

---

Article 16: Audit Trails

The accounting recording methods for operations in balance sheet and income statement accounts must provide for a set of procedures, called audit trails, enabling:

• reconstruct operations in chronological order;
• substantiate any information with an original document from which it must be possible to trace, through an uninterrupted path, to the summary document and vice versa;
• explain the evolution of balances from one closing to the next by reviewing transactions affecting accounting items.

---

Article 17: Compliance with Audit Principles

Information contained in accounting statements and that necessary for calculating management standards and prudential ratios, as well as periodic and prudential declarations intended for the Central Bank, must comply with the principles of the preceding article.

---

Article 18: Tracking of Securities and Assets Held or Managed for Third Parties

Securities and other assets of the same nature held or managed for third parties must be tracked through a physical inventory accounting system that records receipts, issuances, and balances, and must be subject to periodic inventories.

A distinction must be made between freely deposited assets and those serving as collateral for the credit institution itself or for third parties.

---

Article 19: Internal Audit Function

The Internal Audit function ensures comprehensive monitoring of the internal control system and maintains its coherence through the evaluation of different control levels within the credit institution. The Internal Audit function is functionally attached to the Board of Directors.

The rank of the Head of Internal Audit Department must be equivalent to that of other key functional department heads to enable effective interaction with peers and superiors when exercising their functions and responsibilities.

The appointment, remuneration, performance evaluation, transfer, and dismissal of the Head of the Internal Audit Department must be decided by the Audit Committee.

---

Article 20: Profile of the Internal Audit Manager

The Internal Audit Manager must hold a university degree, at minimum a bachelor's degree, in economics, management, law, and have at least 5 years of professional experience related to banking, finance, financial or accounting audit.

---

Article 21: Periodic Controls by the Internal Audit Manager

The Internal Audit Manager is required to conduct periodic controls. To this end, they:

• prepare annual and multi-year audit plans approved by the Audit Committee and allocate resources accordingly;
• rely on a methodology that enables the identification of significant risks incurred by the credit institution;
• have sufficient resources with a university degree, at minimum a bachelor's degree, and possessing the required experience to understand and evaluate activities to be audited;

---

Article 22: Audit Plan

The Internal Audit Manager must establish an audit plan based on mapped risks to define priorities consistent with the institution's objectives.

The Internal Audit Manager must define:

• the nature of the assignment;
• the scope of the assignment (the aspects to be covered);
• the priority and timing of the assignment.

The set of audit assignments scheduled during a fiscal year constitutes the annual internal audit plan.

The identification and assessment of risks faced by the credit institution is a prerequisite for developing said plan.

Under the same conditions, the Internal Audit Manager establishes a multi-year audit plan intended to cover all of the institution's risks within a given timeframe.

---

Article 23: Audit Charter

Credit institutions are required to develop an audit charter that defines, in particular:

• the position, powers, and objectives of the internal audit function;
• the responsibilities of the internal audit function and the nature of its work;
• the composition, organizational procedures, program determination, and frequency of Audit Committee meetings;
• the relationship between internal audit and other control functions;
• the procedures for communicating audit assignment results and monitoring recommendations.

The Audit Charter must be attached to the annual internal control report to be submitted to the Central Bank.

---

Article 24: Obligations of the Internal Audit Manager

The Internal Audit Manager reports to the Board of Directors, through the Audit Committee, on the execution of their mission and monitors the implementation of corrective measures arising from their recommendations, as well as those of external auditors, statutory auditors, and the Central Bank.

They inform the Audit Committee of identified deficiencies, recommendations made to strengthen internal control and risk management mechanisms, and their implementation by General Management and operational services.

---

Article 25: Functions of the Audit Committee

The functions assigned to the Audit Committee include, in particular:

• supervise and control the internal audit function, notably through regular review of its activities and results;
• approve the audit charter as well as the annual audit plan;
• assess the adequacy of human and material resources allocated to the Internal Audit function, and potentially propose measures to be taken at this level;
• evaluate the quality of the internal control system, particularly the coherence of risk identification, measurement, monitoring, and management mechanisms, and propose, where applicable, complementary actions in this regard;
• rely on the risk map to specify the areas that the internal control system and statutory auditors must cover, while prioritizing them;
• verify the reliability and accuracy of financial information intended for the deliberative body and third parties, and evaluate the relevance of accounting methods adopted for preparing individual and consolidated accounts;
• assess the relevance of corrective measures taken or proposed to address gaps or shortcomings identified in the internal control system;
• recommend the selection of statutory auditors;
• review and ensure follow-up on activity reports and recommendations from the internal control function, internal audit reports, statutory auditor reports, supervisory authority reports, and corrective measures taken.

---

Article 26: Outsourcing of Activities

Outsourcing arrangements must take into account the type of outsourced services:

• services corresponding to support functions that do not commit the institution vis-à-vis its clients (mail, real estate, logistics, etc.) may be outsourced to service providers meeting the service quality, business continuity, and internal control criteria defined by the institution;
• functions corresponding to services that commit the credit institution vis-à-vis clients, notably through banking activities (payment services, accounting reports, internal control, etc.) may only be outsourced to persons approved by the Central Bank or authorized according to the standards required to perform such activities.

---

Article 27: Control of Outsourced Services

Credit institutions that outsource a service must retain full control over their activity.

Outsourcing of activities must in particular:

• result in a written contract between the external provider and the credit institution, and be notified to the Central Bank for services committing the credit institution vis-à-vis clients;
• provide, within the contract, the possibility for the Central Bank to conduct on-site inspections at the external provider;
• fall within the framework of a formalized external provider control policy defined by the credit institution.

---

Article 28: Obligations of the External Provider

Credit institutions must ensure, in their relations with external providers, that the latter:

• commit to a quality level ensuring normal service operation and, in case of incident, enabling recourse to backup mechanisms;
• implement backup mechanisms in case of serious difficulties affecting service continuity, or that their own continuity plans account for the impossibility of the external provider to perform their services;

---

Article 29: Control of Outsourced Activities

Credit institutions that outsource activities must:

• ensure that their internal control system includes their outsourced activities;
• ensure that the supervisory authority and other external controllers can conduct on-site inspections at their external providers.

---

Article 30: Exchange Meetings with the Central Bank

At the invitation of the Central Bank, exchange meetings may be organized with the Internal Audit Manager to discuss risk analysis, conclusions, recommendations, and the audit plan.

The frequency of these meetings depends on the size, nature, risks, and organizational complexity of the credit institution.

---

Article 31: Annual Report on the Internal Control System

Credit institutions are required to prepare an annual report on the internal control system.

They submit a copy of this report to the Central Bank before the end of the first quarter of the year following the reporting year. They also submit within the same timeframe the minutes of the Board of Directors meeting that reviewed said report.

---

Article 32: Entry into Force

This circular replaces Circular No. 07/2017 of 17 July 2017 and enters into force on the day of its publication on the Central Bank's website and in the Official Bulletin of Burundi.

Issued in Bujumbura, on 17/08/2018

Jean CIZA
Governor.

---

1, Government Avenue - P.O. Box 705 BUJUMBURA - Tel: (257) 22-20 40 00 / 22 22 27 44 - Fax: (257) 223128 - Email: brb@brb.bi