Title: BSP Circular on Bank Internal Control and Audit
Law: BSP Circular No. 871
Decision Date: Mar 5, 2015
BSP Circular No. 871 requires banks to establish a robust internal control and audit framework aligned with international standards, ensuring effective risk management, compliance, and operational integrity through enhanced oversight by the board of directors and senior management.

Questions (BSP Circular No. 871)

It emphasizes promoting strong control environments in BSP-supervised institutions to sustain safe and sound operations, and aligning existing regulations with international standards and best practices in internal control and internal audit (BCBS and COSO).

Management oversight and control culture; risk recognition and assessment; control activities; information and communication; and monitoring activities and correcting deficiencies.

The board of directors.

The board must discuss effectiveness with management, review audit committee evaluations, ensure prompt follow-up on auditor/supervisory recommendations, and review/approve the remuneration of the head and personnel of the internal audit function (with structures that do not compromise independence and objectivity).

They must commission an assessment team outside the organization to conduct an independent quality assurance review at least every five (5) years.

It oversees senior management in establishing/maintaining an internal control framework; monitors and reviews internal audit effectiveness; approves internal audit plan/scope/budget; reviews internal audit reports and recommendations; ensures open communication among stakeholders; reviews fraud/discovery matters; reports annual performance appraisal of the head of internal audit; recommends remuneration and appointment/removal of the head/key auditors; and selects/oversees internal audit service providers (including independence, compliance with standards, and adequacy of resources).

Senior management must maintain, monitor, and evaluate internal control adequacy/effectiveness on an ongoing basis, report on effectiveness periodically, implement risk identification/measurement/monitoring/controls, ensure clear organizational responsibilities, ensure delegated responsibilities are carried out, implement internal control policies, ensure qualified personnel, maintain balance among front office/back office/control functions, and promptly inform internal audit of significant changes in risk management systems/policies/processes.

Among others: credit; country and transfer; market; interest rate; liquidity; operational; compliance; legal; and reputational risks.

The potential for fraud must be considered in assessing risks to the achievement of performance, information, and compliance objectives.

Control activities must be defined at every business level and include: top/functional level reviews; checking compliance with exposure limits and follow-up on noncompliance; systems of approvals/authorizations (including for new products/services); and verification and reconciliation.

Identify and minimize potential conflicts of interest, ensure segregation of functions in areas that may pose conflicts, conduct periodic reviews of responsibilities/functions, and prevent personnel from concealing inappropriate actions.

Information must be reliable, timely, accessible, and in a consistent format.

Evaluations may be done by personnel from the same operational area (self-assessment), but business-unit self-assessment must be subject to independent validation.

Internal audit is an independent, objective assurance and consulting function to examine, evaluate, and improve the effectiveness of internal control, risk management, and governance processes, helping management and the board protect the bank and its reputation.

Yes. Each bank must have a permanent internal audit function. In group structures (parent bank and BSP-supervised subsidiaries/affiliates), internal audit may be established in each institution or centrally by the parent bank. If each subsidiary has its own internal audit, it is accountable to its own board but reports to the parent’s internal audit head within a reasonable time/frequency set by the parent board.

Banks may outsource internal audit activities except deposit-secrecy areas, but only on a limited basis (expertise/resource constraints). Outsourcing cannot be to the bank’s own external auditor/audit firm or to an internal audit service provider previously engaged by the bank in the same area without a one-year “cooling off” period.

He must be a CPA or CIA and must have at least five (5) years’ experience in the regular audit (internal or external) of a UB or KB as auditor-in-charge, senior auditor, or audit manager, with competence to audit all areas and continuing training/education.

It must be independent of the activities audited and of the day-to-day internal control process, with a direct reporting line to the board or audit committee and authority to access records/entities. If independence/objectivity is impaired (in fact or appearance), details of the impairment must be disclosed to the audit committee.

It requires the internal auditor to include an annual audit of the trust department/investment management department, unless the board resolves to adopt a suitable continuous audit system or conduct audits in intervals commensurate with assessed risk. In all cases, the audit must ascertain compliance of trust/fiduciary/investment management activities with laws, BSP rules, and sound trust/fiduciary principles.

