Q&A (BSP Circular No. 871)
The internal control framework is designed to provide reasonable assurance on the achievement of objectives through efficient and effective operations; reliable, complete and timely financial and management information; and compliance with applicable laws, regulations, supervisory requirements, and the organization's policies and procedures.
The board of directors is ultimately responsible for ensuring senior management establishes and maintains an adequate, effective and efficient internal control framework commensurate with the bank's size, risk profile, and complexity of operations.
The audit committee oversees senior management in establishing and maintaining an effective internal control framework, monitors and reviews the effectiveness of the internal audit function, approves the internal audit plan and budget, reviews internal audit reports and recommendations, ensures open communication between the internal audit function and other stakeholders, oversees internal audit service providers, and reports significant matters to the board of directors.
Management oversight and control culture; risk recognition and assessment; control activities; information and communication; and monitoring activities and correcting deficiencies.
Yes, banks may outsource internal audit activities on a limited basis to access areas of expertise not available internally or to address resource constraints, but outsourcing cannot be to the bank's own external auditor or to a provider previously engaged by the bank in the same audit area without a one-year cooling-off period.
The head must be a Certified Public Accountant (CPA) or a Certified Internal Auditor (CIA) with at least five years' experience as auditor-in-charge, senior auditor or audit manager in a universal or commercial bank.
The scope covers evaluation of internal control, risk management, and governance systems; review of management and financial information systems; safeguarding of physical and information assets; compliance with laws and regulations; and review of areas of interest to regulators including capital adequacy, liquidity levels, and regulatory reporting.
At least every five (5) years by an assessment team outside the organization.
Senior management is responsible for maintaining, monitoring, and evaluating the adequacy and effectiveness of the internal control system on an ongoing basis, reporting on its effectiveness periodically, implementing control policies, ensuring qualified personnel undertake these activities, and communicating significant changes in risk management systems to the internal audit function.
Internal audit personnel must act with integrity, respect confidentiality, avoid conflicts of interest, not audit areas where they had prior responsibility within a one-year cooling-off period, and adhere to both the bank's Code of Ethics and established codes for internal auditors such as the Institute of Internal Auditors' code of ethics.