Title
BSP Circular on Bank Internal Control and Audit
Law
BSP Circular No. 871
Decision Date
Mar 5, 2015
BSP Circular No. 871 mandates banks to establish a robust internal control and audit framework aligned with international standards, ensuring effective risk management, compliance, and operational integrity through enhanced oversight by the board of directors and senior management.

Internal Control Framework

  • Defined as a process involving the board, senior management, and personnel
  • Ensures achievement of objectives in operations, financial reporting, compliance
  • Framework components: management oversight and control culture; risk recognition and assessment; control activities; information and communication; monitoring and correcting deficiencies
  • Framework tailored by size, risk, and complexity of the bank

Management Oversight and Control Culture

  • Board responsible for enforcing high ethical standards and designing fraud prevention/detection
  • Board duties: ensure the internal audit function has sufficient authority and resources; discuss internal control effectiveness; evaluate audit assessments; follow up on audit recommendations; approve remuneration of audit personnel; commission an independent review of the internal audit function every five years (universal/commercial banks)
  • Audit committee oversees senior management and internal audit function including approval of audit plans and reports, monitoring fraud discovery, and performance appraisal of internal audit head
  • Senior management maintains and monitors internal controls, assigns responsibilities, ensures qualified personnel, and informs internal audit on significant risk changes
  • All personnel accountable for their role in internal controls and reporting inconsistencies

Risk Recognition and Assessment

  • Banks must identify, evaluate, and continuously assess material risks affecting performance, information, and compliance objectives
  • Risks include credit, market, liquidity, operational, compliance, legal, reputational, among others
  • Both internal (organizational complexity, personnel) and external (economic, technological, industry changes) factors considered
  • Risk assessments at unit and organizational levels, including subsidiaries
  • Controls updated to address new or unidentified risks

Control Activities

  • Control activities embedded in bank daily functions addressing identified risks
  • Include policies, procedures, compliance checks, approvals, reconciliations
  • Must incorporate:
    • Delegation of authority with clear documentation and approval
    • Adequate accounting policies, record-keeping, audit trails, independent reconciliations
    • Secure information systems with contingency planning
    • Physical protections and access controls for assets including joint custody and dual control
    • Information sensitivity classifications and access restrictions
    • Segregation of conflicting functions with independent monitoring

Information and Communication

  • Effective internal controls require reliable, timely, and accessible financial, operational, and compliance data
  • Banks to have management information systems generating quality information for decision-making
  • Communication channels must ensure personnel understand and comply with policies and report deficiencies promptly

Monitoring Activities and Correcting Deficiencies

  • Continuous monitoring integrated into operations
  • Documentation of reviews and timely reporting of control deficiencies
  • Self-assessments supplemented by independent validation
  • Prompt corrective action on identified weaknesses

Internal Audit Function

  • Internal audit defined as independent, objective function to examine and improve controls, risk management, and governance
  • Audit frequency based on assessed risk
  • Permanent internal audit function required for each bank or centrally at parent bank level
  • Group structures: subsidiary internal audits accountable to their boards, coordinated with parent bank audit function
  • Internal audit outsourcing permitted within limits; it cannot be outsourced to the bank's own external auditor, or to a recently engaged audit provider, without a one-year cooling-off period
  • Branches of foreign banks may have internal audit or be covered by group audit with requirements for self-assessment and communication

Qualifications of Head of Internal Audit

  • Requirements vary by bank type:
    • Universal/commercial banks: CPA or CIA with 5 years audit experience
    • Complex thrift, rural banks, cooperative banks, quasi-banks, trust entities: business-related degree with audit proficiency and experience
    • Simple/non-complex banks and similar: business-related degree with audit proficiency and lesser experience
  • Appointment/replacement subject to audit committee approval with timely BSP notification

Duties of Chief Audit Executive

  • Leadership and independence, reporting to board or audit committee
  • Compliance with professional audit standards and ethics
  • Develop and seek approval for risk-based audit plans
  • Ensure adequacy of audit staff qualifications and ongoing training

Professional Competence and Ethics

  • Internal audit staff must have necessary knowledge and tools
  • Integrity, confidentiality, and avoidance of conflicts of interest mandated
  • Cooling-off period for auditors with prior responsibilities
  • Compliance with bank and internal audit ethical standards

Independence and Objectivity

  • Internal audit free from operational management influence
  • Direct reporting to board or audit committee
  • Authority to access all records and personnel
  • Disclosure required if independence is impaired
  • Staff rotation encouraged to preserve objectivity

Internal Audit Charter

  • Must be board-approved, periodically reviewed
  • Specifies authority, responsibilities, standards, outsourcing, consulting, head accountability, compliance, and coordination with external auditors/supervisors

Scope of Internal Audit

  • Covers all processes, units, systems including outsourced services
  • Includes evaluation of internal controls, risk management, governance, information systems, compliance, asset safeguarding, and regulator interests

Trust Operations Audit

  • Annual internal audit of trust department mandatory
  • Continuous or risk-based audits allowed per board resolution
  • Ensures compliance with laws, BSP rules, and fiduciary principles

Applicability to Non-Bank Financial Institutions

  • Provisions apply to non-bank financial institutions with necessary amendments
  • Outsourcing allowed with restrictions and board responsibility
  • Alignment of internal audit functions and regulations consistent with banks

Repealing Clause and Effectivity

  • Supersedes inconsistent circulars and regulations
  • Takes effect 15 days after publication
