CIRCULAR D1 97/4 TO CREDIT INSTITUTIONS


UNOFFICIAL TRANSLATION

Brussels, 30 June 1997

CIRCULAR D1 97/4 TO CREDIT INSTITUTIONS

Dear Madam, Dear Sir,

In its circular dated 6 April 1987 to banks, private savings banks and companies governed by the Law of 10 June 1964, the Banking and Finance Commission had formulated a series of recommendations on internal audit. Since then, Article 20 of the Law of 22 March 1993 on the legal status and supervision of credit institutions (hereafter referred to as the banking law) has introduced the obligation for all credit institutions to have appropriate administrative and accounting procedures and adequate internal control systems. The Commission considers that it is appropriate to adapt the 1987 circular and to present it as a list of principles which normally should guide a sound banking practice. Therefore this circular replaces the circular dated 6 April 1987. It applies to all credit institutions which are subject to the banking law.

As far as branches of credit institutions governed by the law of a Member State of the European Union are concerned, it is for the supervisory authorities of the home country to verify whether the administrative procedures and internal control systems are sufficient. However, this circular does apply to these branches as well, since internal control and internal audit are part of an adequate policy aiming at compliance with the provisions applicable in Belgium in the interest of the general good.

The financial sector has undergone numerous developments now facing credit institutions, such as the financial markets' increasingly rapid development, the growing technical complexity and diversity in the field of banking products, and the constraints introduced by new information technologies. Those developments entail ever higher requirements for credit institutions' risk management and organizational procedures; they also increase the risk of inadequate control systems and of irregularities.
The Commission has noted that since the circular of 6 April 1987, numerous credit institutions have highly concentrated on developing a comprehensive internal audit function. Nonetheless, some credit institutions - mainly, but not only, smaller ones - have yet to take the necessary measures to meet the requirements introduced by this circular.

With this circular, the Banking and Finance Commission aims to issue principles for sound banking practice as regards internal control procedures (Chapter 1) and internal audit procedures (Chapter 2). In the circular, the Commission also recommends setting up a permanent audit committee and lists a number of relevant aspects in this context (Chapter 3). It should also be reminded that the Banking and Finance Commission has already made recommendations in the past about internal control with regard to specific activities (independent agents, transactions on money and foreign exchange markets, risk management, interest rate risk, etc.).

One particularly important aspect of this circular is that it emphasizes the responsibility of the board of directors and executive committee in the field of internal control procedures.

Adequate internal control procedures require an efficient set of integrated measures which must fit into the organization and operational activity of the credit institution and be in compliance with the principles of sound and prudent management. These principles must also be complied with in developing the internal audit function.

The prudential supervisory authorities and the accredited statutory auditors must for their part be able to rely on the control instruments of credit institutions themselves. Their assessment of how appropriate the internal control procedures are constitutes a specific part of their assignment. These internal control procedures must satisfy a number of requirements. Efficient verification of the quality and functioning of the organisation and of the internal control procedures therefore requires clear and precise criteria. Indeed such developments reflect a general tendency in the theory and practice of prudential supervision, which lays particular emphasis on assessment.

Yours sincerely,

The Chairman,
J.-L. Duplat.

Enclosure: 1

ANNEX TO CIRCULAR D1 97/4 OF 30 JUNE 1997 ON INTERNAL CONTROL AND INTERNAL AUDIT

TABLE OF CONTENTS

0. Legal reference and overview of the principles

1. Internal control
1.1. Definition and aspects
1.2. Basic measures
1.3. Specific measures
1.4. Responsibility of the board of directors (principle No 1)
1.5. Responsibility of the executive committee (principle No 2)

2. Internal audit
2.1. Definition
2.2. Continuity (principle No 3)
2.3. Independence of the internal audit department from the activities audited (principle No 4)
2.3.1. General aspects
2.3.2. Audit charter
2.3.3. Impartiality
2.4. Professional competence (principle No 5)
2.5. Scope of internal audit (principle No 6)
2.6. Planning, implementation, reporting and follow up (principle No 7)
2.6.1. Planning
2.6.2. Implementation and types of audit
2.6.3. Audit programme
2.6.4. Working papers
2.6.5. Written reports
2.6.6. Follow up
2.7. Management of the internal audit department (principle No 8)
2.8. Outsourcing of the internal audit activity in small credit institutions

3. The audit committee
3.1. Definition
3.2. Recommendation
3.3. Composition, powers and functioning
3.4. Relevant aspects

* * *

0. Legal reference and overview of the principles

Legal provisions

Article 20 of the banking law of 22 March 1993 provides that all credit institutions must have appropriate administrative and accounting procedures and adequate internal control systems.

Principle No 1: In carrying out its supervisory tasks, the board of directors should regularly verify whether the credit institution can rely on an adequate system of internal controls. The board of directors should also promote a positive attitude in respect of the control function.

Principle No 2: The executive committee should set up an adequate internal control system and ensure that it is assessed at least every year. At least once a year, the executive committee reports to the board of directors on the state of affairs, through the audit committee if one exists.

Principle No 3: In fulfilling its duties and responsibilities, the executive committee should take all necessary measures to ensure that the credit institution can permanently rely on an adequate internal audit function.

Principle No 4: The internal audit department must be independent from the activities audited. This means the internal audit department is given an appropriate standing within the organization and carries out its assignments with impartiality.

Principle No 5: The professional competence of every internal auditor and of the internal audit department as a whole is essential for the proper functioning of the internal audit function.

Principle No 6: Every activity and entity of the credit institution falls within the scope of the internal audit department's investigations.

Principle No 7: Internal audit includes drawing up an audit plan, examining and assessing the available information, communicating the results, and following up.

Principle No 8: The head of the internal audit department leads his department appropriately.
Article 20 of the banking law transposes into Belgian law Article 13 (2) of the EU Second Banking Directive of 15 December 1989, which provides that every credit institution must have adequate internal control mechanisms. A similar obligation is provided for in the Directive of 6 April 1992 on the supervision of credit institutions on a consolidated basis and the Directive of 21 December 1992 on the monitoring and control of large exposures of credit institutions.

1. Internal control

1.1. Definition and aspects

Internal control is generally defined as a set of measures which, under management responsibility, must provide reasonable assurance with regard to:

- a well-ordered and prudent conduct of business, with reference to clearly defined objectives;
- an economical and efficient use of resources;
- the identification and adequate control of the risks incurred, to safeguard the credit institution's assets;
- the integrity and reliability of financial information and management information;
- the compliance with laws and regulations, general policies, plans and internal procedures.

Internal control measures give adequate consideration to the operational and administrative activities of the credit institution. They form a permanent and integral part of the functioning of the credit institution. The credit institution should make the necessary resources available to provide reasonable assurance that the above-mentioned objectives are achieved. The costs entailed are a necessary part of the credit institution's operating costs.

Internal control combines the following aspects:

- an internal environment that promotes a positive attitude in respect of the control function;
- setting objectives, and subsequently identifying and analyzing the risks;
- setting up standards and procedures to monitor the risks, so that the objectives that have been set can be achieved;
- organizing information and communication systems so that the internal control objectives are known to the staff and can be followed up;
- identifying, registering and reporting relevant information, so as to enable the various entities of the credit institution to effectively exercise their assigned responsibilities;
- reporting - both internally and externally - correctly and in time, using adequate information systems;
- supervision and regular assessment of the measures taken.
Final responsibility for establishing an adequate internal control system lies both with the board of directors and the executive committee, as explained in paragraphs 1.4. and 1.5. below.

1.2. Basic measures

Basic internal control measures include organizational measures (such as descriptions of functions and responsibilities, line supervision, segregation of duties), controls (crosschecks, double signatures, periodic verification of inventories), accounting procedures (reconciling accounts, justifying balances, maintaining control ledgers) and measures to safeguard the credit institution's staff and assets.

1.3. Specific measures

In addition to basic internal control measures, the credit institution must pay special attention to identifying and monitoring risk and to guaranteeing the integrity and reliability of financial information and management information, including the external reporting obligations.

There are two categories of risks: quantifiable risks, such as credit risk, liquidity risk, market risk and general interest rate risk, and risks that are difficult or impossible to quantify, such as the risk of errors or fraud, legal risk, risk to reputation and fiduciary risk.

As far as quantifiable risks are concerned, the credit institution takes the appropriate specific measures to ensure the follow-up and control of these risks. Such measures may include developing policies, establishing adequately structured limits, and identifying, measuring, following up and reporting the risks, as well as appropriately documenting the implemented risk control systems and the procedures that apply to the processing of transactions.

For risks that are difficult or impossible to quantify, the credit institution takes adequate safeguarding measures. Such measures may include analyzing the risks in detail, adopting internationally accepted standard clauses in the conventions, and concluding netting conventions and other conventions.

In order to guarantee that financial information and management information is comprehensive and reliable, it is necessary to ensure the continuity and reliability of the electronic information systems.

1.4. Responsibility of the board of directors

Principle No 1: In carrying out its supervisory tasks, the board of directors should regularly verify whether the credit institution can rely on an adequate system of internal controls. The board of directors should also promote a positive attitude in respect of the control function.
In compliance with the agreement on the autonomy of bank management, the board of directors is responsible, inter alia, for supervising the activities of the credit institution and the management by the executive committee. In carrying out this supervisory task, the board of directors therefore verifies on a regular basis whether the credit institution has an adequate internal control system. To this end, the board of directors may rely inter alia on the periodic reporting by the executive committee (see following paragraph). The board of directors should also promote a positive attitude in respect of the control function.

1.5. Responsibility of the executive committee

Principle No 2: The executive committee should set up an adequate internal control system and ensure that it is assessed at least once a year. At least once a year, the executive committee reports to the board of directors on the state of affairs, through the audit committee if one exists.

Pursuant to the agreement on the autonomy of bank management, the management of the credit institution's activities is the executive committee's exclusive responsibility. In carrying out this task, the executive committee takes all necessary measures to ensure that the credit institution can permanently rely on an adequate internal control system. This means that the executive committee ensures that an internal control system is set up and reviewed at least once a year. This review refers to the internal audit department's reporting (see Chapter 2 below), and to other sources such as reports and/or memoranda from the various departments, establishments and/or functions of the credit institution. The review covers all aspects of internal control, such as its objectives, resources, methods, reported deficiencies, as well as its appropriateness and efficiency.*

At least once a year, the executive committee reports to the board of directors, or the audit committee, if one exists (see Chapter 3 below), on the scope and performance of the internal control system. The minutes of the board of directors and executive committee should report the discussions on the scope and performance of the internal control system and its review.

2. Internal audit

2.1. Definition

Internal audit is an independent appraisal function established within the organization to examine and evaluate the smooth functioning, effectiveness and efficiency of internal control. Internal audit assists members of the organization in the effective discharge of their responsibilities. To this end, internal control furnishes them with analyses, appraisals, recommendations, counsel, and information concerning the activities reviewed.

2.2. Continuity

Principle No 3: In fulfilling its duties and responsibilities, the executive committee should take all necessary measures to ensure that the credit institution can permanently rely on an adequate internal audit function.

2.3. Independence of the internal audit department from the activities audited

Principle No 4: The internal audit department must be independent from the organisational activities audited. This means the internal audit department is given an appropriate standing within the organization and carries out its assignments with impartiality.

* In this respect, it should be noted that the technique known as self-assessment can be useful in evaluating the efficiency of internal control. Self-assessment is a formal and documented process whereby management and/or a staff team analyze their activity or function and evaluate the efficiency of the related internal control procedures.

2.3.1. General aspects

The internal audit department must be able to exercise its assignment on its own initiative in all departments, establishments and functions of the credit institution. It must be free to express its findings and appraisals and to disclose them. The principle of independence entails that the internal audit department operates under the direct control of the executive committee, preferably as staff function under the direct responsibility of the chairman of the credit institution's executive committee. It should be possible for the head of the internal audit department to inform directly, and on his own initiative, the chairman of the board of directors, the members of the audit committee or the accredited statutory auditors, according to rules to be defined by each credit institution.

2.3.2. Audit charter

The audit charter guarantees the standing of the internal audit department within the organization. Such document establishes at least:

- the objectives and scope of the internal audit function;
- the internal audit department's position within the organization, its powers and responsibilities.

The charter should be drawn up - and if necessary reviewed - by the internal audit department; it should be approved by the executive committee and subsequently confirmed by the board of directors, as part of its supervisory role, through the audit committee, if one exists.

In this document, the executive committee gives the internal audit department the right of initiative and authorizes it to have direct communication with any member of staff, to examine any activity or entity of the credit institution, as well as to access any records, files or data of the credit institution, including management information and the minutes of the consultative and decision-making bodies, whenever relevant to the performance of its assignment.
It is recommended that the audit charter states the terms and conditions according to which the internal audit department can be called upon to give its opinion or assistance or to carry out other special tasks. The audit charter is communicated to all staff, both in Belgium and abroad, and to any independent agent.

2.3.3. Impartiality

Impartiality means that the internal audit department should be in a position to perform its assignments with complete independence and effectively do so. This entails that the internal audit department itself seeks to avoid any conflict of interest. To this end, staff assignments should be rotated periodically whenever practicable and internally recruited auditors should not audit activities or functions they previously performed, especially if this was in the recent past.

Impartiality requires that the internal audit department is not involved in the operational organization of the credit institution or in developing, introducing or implementing organizational or internal control measures. Otherwise it would have to assume responsibility for this, which would impair its judgmental independence.

However, the need for impartiality does not exclude the possibility that the executive committee may request from the internal audit department an opinion on specific matters related to the internal control principles to be complied with. For instance, management may for the sake of efficiency request an opinion when considering important reorganizations, the start of significant and/or risky new activities, new establishments which are to carry out risky activities, and the setting up or reorganization of risk control systems, management information systems, information technology systems (this list is not exhaustive). However, the eventual development and introduction of the measures should remain the responsibility of management. Indeed, such consultative function constitutes a secondary task which may in no way impede the basic tasks or the responsibility and appraisal independence of the internal audit department.

2.4. Professional competence

Principle No 5: The professional competence of every internal auditor and of the internal audit department as a whole is essential for the proper functioning of the internal audit function.

The professional competence of each internal auditor, their motivation and continuing training, are prerequisites for the efficiency of the internal audit department. Professional competence must be assessed taking into account the nature of the role and the auditor's capacity to collect information, to examine, to evaluate and to communicate. In this respect, account should also be taken of the growing technical complexity and increasing diversity of tasks as a result of developments in the financial sector.
Professional competence, and particularly knowledge and experience, within the internal audit department itself, also deserve special attention. The main implication of this is that the department as a whole must be proficient enough to examine all areas in which the credit institution operates.

The internal audit department needs to be aware of the fact that continuously performing similar tasks may turn them into a routine, at the cost of critical sense. This also applies to the internal auditor's function itself. It is therefore recommended, whenever practicable, to rotate tasks both within the internal audit department itself and between the internal audit department and other departments or functions of the credit institution.

The internal audit department should ensure that its professional competence is maintained, through systematic continuing training of each member of its staff. All staff members of the internal audit department should have sufficient up-to-date knowledge of auditing techniques.

A credit institution's internal audit department should be competent enough to examine the credit institution's key activities and to evaluate the smooth functioning, effectiveness and efficiency of internal control over these activities. However, it may resort to an external expert to carry out certain investigations for which it is not - or not sufficiently - proficient. The relevant aspects listed in paragraph 2.8 below, when outsourcing the internal audit activity in small credit institutions, also apply mutatis mutandis to this case, in particular as regards the expert's independence from the accredited statutory auditor. In addition, the head of the internal audit department should see to it that, whenever practicable, the knowledge brought by the expert is transferred to his department, possibly by having one or more members of his staff participating in the external expert's assignment.

2.5. Scope of internal auditing work

Principle No 6: Every activity and every entity of the credit institution falls within the scope of the internal audit department's investigations.

None of the credit institution's activities or entities - including the activities of branches and subsidiaries - may be excluded from the internal audit department's scope of investigation. To this end, the internal audit department has access to any record, file or data of the credit institution, including management information and the minutes of the consultative and decision-making bodies, whenever relevant to the performance of its assignment.

From a general point of view, the scope of internal audit includes the examination and evaluation of the appropriateness and efficiency of the internal control system and of the manner in which assigned responsibilities are fulfilled.
In particular, the internal audit department verifies compliance with policies, risk control (both quantifiable and non-quantifiable), reliability (including integrity, accuracy and comprehensiveness) as well as timeliness of financial and management information including external reporting, continuity and reliability of the electronic information systems, and the functioning of the staff departments.

The internal audit department also gives adequate consideration to the legal provisions governing the supervision of credit institutions, including principles and/or recommendations formulated by the Commission with regard to the manner in which credit institutions are organized and the way in which they operate. It should also be remembered that the above-mentioned principles and/or recommendations provide for certain tasks to be carried out by the internal audit department.

Certain credit institutions have established separate departments in charge of controlling or monitoring a specific activity or entity of the credit institution. Such departments are part of the internal control system and therefore do not release the internal audit department from examining those specific activities or entities. However, for the sake of efficiency, the internal audit department may, in carrying out its tasks, use the information reported by the various control departments. Nonetheless, the internal audit department remains entirely responsible for the examination and evaluation of the smooth functioning, effectiveness and efficiency of internal control of the credit institution's activity or relevant entity.

For the sake of efficiency, a credit institution's foreign branch of a certain size or one carrying out risky activities shall have its own internal audit department. From a functional point of view, such local department shall be part of the group's internal audit department and shall therefore be subject to the provisions of this circular, without prejudice to local legal and/or regulatory provisions and instructions. Organizationally, the local internal audit department may depend either on local management or on the head office's internal audit department.

As separate legal entities, banking or non-banking subsidiaries are responsible for their own internal control and their own internal audit function in accordance with the provisions of this circular, taking into account the local legal and/or regulatory provisions and instructions. The subsidiaries' internal audit departments report to the parent company's internal audit department. The latter takes all necessary measures to ensure that its own internal audit department has unlimited access to all activities and entities of the subsidiaries, and that it carries out on-site inspections at sufficient intervals.

For branches abroad as well as for subsidiaries, the internal auditing principles are established centrally by the parent company. The latter should draw up audit instructions for the whole group. The parent company's internal audit department participates in recruiting and evaluating local internal auditors.

In the case of more complex group structures than described above, the internal audit function should be organized in such a way as to comply with the principles set out in this circular.

2.6. Planning, performing, reporting and following up

Principle No 7: Internal audit includes drawing up an audit plan, examining and assessing the available information, communicating the results, and following up.

2.6.1. Planning

Each audit is performed according to a plan.
Planning should be sufficiently documented and include the objectives and scope of the work as well as the necessary resources.

2.6.2. Implementation and types of audit

There are different types of audit, such as:
- the financial audit, the aim of which is to verify the reliability of the accounting and of the resulting annual accounts;
- the compliance audit, the aim of which is to verify compliance with laws, regulations, policies and procedures;
- the operational audit, the aim of which is to verify the quality and appropriateness of the systems and procedures, to analyze the organizational structures with a critical mind, and to evaluate the adequacy of the methods and resources used in relation to the stated objectives;
- the management audit, the aim of which is to assess the quality of the management function in the framework of the credit institution's objectives.

The internal audit department examines and evaluates the whole of the credit institution's activities in all its entities. Therefore, it may not focus on one single type of audit, but should use the most appropriate type, depending on the audit objective to be achieved. Neither may the internal audit department limit itself in this respect to auditing the credit institution's various departments; it must also pay special attention to auditing the banking activity through all entities of the credit institution.

2.6.3. Audit programme

Each audit assignment should be prepared. Its objectives as well as an outline of the work that is considered necessary to attain them should be described in an audit programme. The audit programme is a relatively flexible tool that will have to be adapted and completed according to the findings.

2.6.4. Working papers

All audit procedures forming part of the assignment should be documented in working papers. These must reflect the examinations that have been made and emphasize, and wherever necessary support, the evaluations formulated in the report. The working papers must be drawn up according to a well-determined method. Such a method must in particular make it possible to verify whether the assignment was duly performed and to check the manner in which it was performed.

2.6.5. Written reports

A written report of each assignment is to be issued as quickly as possible. It is transmitted to the auditee and the auditee management, and - possibly as an executive summary - to the executive committee. The report includes the internal audit department's findings and recommendations, as well as the auditee's responses. It also discloses the items on which a consensus exists at the end of the assignment. The internal audit department indicates the relative importance of the deficiencies found or the recommendations made. The internal audit department maintains a record of the assignments performed and of the reports issued.

2.6.6. Follow-up

On a proposal from the internal audit department, the executive committee approves a procedure ensuring the implementation of the internal audit department's recommendations. In developing this procedure, adequate consideration is given to the respective responsibilities of the parties involved for rectifying reported deficiencies, the approval of the management involved, the possible role of the executive committee in any pending dispute, and the schedule according to which the situation must be rectified. The internal audit department develops an appropriate method to verify the manner in which its recommendations are implemented. Findings with regard thereto are communicated at least every half-year to the executive committee.

2.7. Management of the internal audit department

Principle No 8: The head of the internal audit department conducts his department appropriately.

The head of the internal audit department leads his department appropriately. He ensures compliance with the internal auditing principles issued by the Commission. In particular, he ensures the establishment of an audit charter, an audit plan, and written policies and procedures for his staff. He must continuously ensure the professional competence and training of his staff and that the necessary resources are available. He also gives particular consideration to his staff's motivation and to its quality consciousness.

The internal audit department regularly reports to the executive committee on the performance of the internal control system and on the achievement of the internal audit department's objectives. In particular, it informs the executive committee about the execution of the audit plan. As part of its supervisory tasks and on the basis of the executive committee's report, the board of directors regularly discusses the organization, audit programme, resources (both in terms of personnel and tools), activity reports, and summary of the recommendations and their implementation.

The management of the internal audit department prepares a plan for all the assignments to be performed. This audit programme is based on a methodical risk analysis, the principles of which are established in writing and regularly reviewed. The risk analysis examines both all of the credit institution's activities and entities, and the complete internal control systems. On the basis of the results of the risk analysis, a plan for several years is established, taking into account the degree of risk inherent in the activities.
Such a plan also takes into account expected developments and innovations, the generally higher degree of risk of new activities, and the intention to review all activities and entities within a reasonable time period (audit cycle principle). All those concerns will determine the extent, nature and frequency of the assignments to be performed.

The audit plan must be realistic, i.e. it must include a time budget for other assignments and activities such as specific examinations, opinions to be given, and training. The plan includes a statement detailing the necessary resources in terms of personnel and tools. As for human resources, not only their number but also the necessary professional competence will be addressed.

The audit plan is established by the internal audit department and approved by the executive committee. This approval implies that the executive committee makes the necessary resources available to the internal audit department. The audit plan is confirmed by the board of directors, as part of its supervisory role, through the audit committee, if one exists.

Whenever the head of the internal audit department is replaced (e.g. if he is given another assignment, resigns or is dismissed, etc.), this is immediately notified to the Banking and Finance Commission, indicating the reason(s) justifying the replacement.

2.8. Outsourcing internal audit in small credit institutions

In certain small credit institutions where the size and extent of the risks do not justify entrusting the internal audit function to at least one full-time staff member, this function can be outsourced to an external expert. All the principles enunciated in Chapter 2 concerning internal audit remain applicable in the case of an outsourced internal audit function (see in particular paragraph 2.4 above).

The fact that the internal audit function is outsourced is formally recorded in a written agreement between the credit institution and the external expert. The executive committee ensures that the credit institution concludes an agreement for a sufficient period, with an expert who has the necessary professional competence, taking into account the characteristics of the credit institution concerned.

The above-mentioned agreement determines the expert's assignments and responsibilities as well as their permanence, referring to the principles set out in this circular. The agreement explicitly provides that the executive committee must give its prior approval on the risk analysis performed by the expert and on the plan that has been established. In addition, the agreement states that the executive committee or its representative(s), the accredited statutory auditor(s) or its representative(s), and the Commission's inspection department have access at any time to the expert's records relating to his assignments, including his audit programme and working papers. The agreement provides that the expert commits to providing effectively the resources required by the audit plan for the performance of his assignment.

The executive committee permanently follows up the expert's audit activity and determines who is in charge of implementing his recommendations.

The appointed expert must in all respects be completely independent of the accredited statutory auditor or of the latter's company and group.

3. The audit committee

3.1. Definition

The audit committee is a committee that is created within the board of directors; it is composed of directors who are not members of the executive committee; its aim is to facilitate the effective supervision by the board of directors.

3.2. Recommendation

The agreement on the autonomy of bank management provides for the possibility for the board of directors to be assisted by an audit committee. The Commission considers the creation of a permanent audit committee as a solution to meet the practical difficulties that may arise in the performance of supervision by the board of directors as a joint body. In addition, the Commission considers that such a committee reinforces both the internal control system and the internal audit function. Therefore, the Commission recommends that credit institutions set up a permanent audit committee, especially if they are faced with numerous complex risks.

Any credit institution that wishes to set up an audit committee first consults the Commission in accordance with the agreement on the autonomy of bank management.

The Commission recommends that credit institutions' non-banking subsidiaries and subsidiaries abroad consider the appropriateness of setting up an audit committee within their board of directors. As far as subsidiaries abroad are concerned, account should naturally be taken of local legal and/or regulatory provisions and instructions.

3.3. Composition, powers and functioning

Upon setting up an audit committee, the board of directors draws up a document that establishes the audit committee's composition, powers and operational activities, as well as a reporting methodology to the entire board of directors.

The Commission is of the opinion that an audit committee should include at least three members of the board of directors who are not members of the executive committee. In order to reinforce the audit committee's efficiency, the following persons also attend the meetings of the audit committee, albeit without being members of that committee: the chairman or a member of the executive committee, the internal auditor and the accredited statutory auditor.
In exceptional circumstances, the audit committee may decide that one or more of these persons shall not attend the meeting.

The audit committee may request access to any necessary data or records and order any investigation to be performed. For this purpose, it calls upon the credit institution's internal audit department, which nonetheless continues to be under the control of the executive committee.

The audit committee regularly reports to the board of directors. Its tasks may in no way duplicate or replace those of the internal audit department.

3.4. Relevant aspects

The audit committee encourages communication between the members of the board of directors, the executive committee, the internal audit department, the accredited statutory auditors and the Banking and Finance Commission.

The audit committee confirms the internal audit department's audit charter (see Chapter 2, paragraph 2.3.2).

The audit committee confirms the audit plan (see Chapter 2, paragraph 2.7) as well as the resources required (both personnel and tools), the activity reports and the summary of the main individual recommendations and their implementation.

The accredited statutory auditor presents his audit programme to the audit committee and informs the audit committee of his audit conclusions and recommendations.

The audit committee regularly discusses:
- the state of affairs of the internal control system;
- the operations of the internal audit department;
- the external financial information, including compliance with the legal and regulatory provisions, the credit institution's articles of association, and the rules established by the board of directors.

The audit committee draws up a recommendation to the board of directors for the appointment of the accredited statutory auditor.