Policy intent and alignment standards
- BSP Circular No. 871 states the BSP’s thrust to promote strong control environments in BSP-supervised financial institutions to sustain safe and sound operations.
- The Circular aligns existing internal control and internal audit regulations, to the greatest extent possible, with international standards and best practices embodied in documents issued by the Basel Committee on Banking Supervision (BCBS) and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) (Policy Statement).
- The Circular strengthens internal governance and accountability by requiring internal control and internal audit functions to operate with effectiveness, independence, and adequate resourcing (Sections 1 and 3).
Definitions and internal control framework
- Internal control is a process designed and effected by the board of directors, senior management, and all levels of personnel to provide reasonable assurance on the achievement of objectives through:
  - efficient and effective operations,
  - reliable, complete and timely financial and management information, and
  - compliance with applicable laws, regulations, supervisory requirements, and the organization’s policies and procedures (Section X185).
- Banks must have an adequate and effective internal control framework for the conduct of their business, considering their size, risk profile and complexity of operations (Section X185).
- The internal control framework must embody:
  - management oversight and control culture,
  - risk recognition and assessment,
  - control activities,
  - information and communication, and
  - monitoring activities and correcting deficiencies (Section X185).
Management oversight and control culture
- The board of directors and senior management must be responsible for promoting high ethical and integrity standards and establishing a culture that emphasizes and promotes the importance of internal control (Subsection X185.1).
- The board of directors must ensure that senior management establishes and maintains an adequate, effective, and efficient internal control framework commensurate with the bank’s size, risk profile and complexity (Subsection X185.1).
- The board of directors must ensure the internal audit function has appropriate stature and authority and is provided with adequate resources to perform its assignments with objectivity (Subsection X185.1).
- The board of directors must periodically:
  - conduct discussions with management on the effectiveness of the internal control system,
  - review evaluations made by the audit committee, management, internal auditors, and external auditors,
  - ensure prompt follow-up by management on recommendations and concerns raised by auditors and supervisory authorities, and
  - review and approve the remuneration of the head and personnel of the internal audit function in a structure that avoids conflicts of interest and preserves independence and objectivity (Subsection X185.1).
- Universal/commercial banks must commission an assessment team outside the organization for an independent quality assurance review of the internal audit function at least every five (5) years (Subsection X185.1).
- The audit committee must oversee senior management in establishing and maintaining an adequate, effective, and efficient internal control framework, including systems and processes for assurance in reporting, compliance monitoring, operational efficiency/effectiveness, and asset safeguarding (Subsection X185.1).
- The audit committee must be responsible for internal audit oversight and governance actions including:
  - monitoring internal audit effectiveness,
  - approving the internal audit plan, scope and budget,
  - reviewing internal audit reports and recommendations and reporting significant matters to the board,
  - ensuring open communication with senior management, internal audit, external auditors, and the supervisory authority,
  - reviewing discoveries of fraud and legal/regulatory violations raised by internal audit,
  - receiving the annual performance appraisal of the head of internal audit,
  - recommending annual remuneration for the head and key internal auditors for board approval,
  - appointing/reappointing/removing the head and key internal auditors,
  - selecting and overseeing the internal audit service provider,
  - ensuring independence of the internal audit service provider, and
  - ensuring internal audit service providers comply with sound internal auditing standards and the relevant code of ethics (Subsection X185.1).
- Senior management must:
  - maintain, monitor, and evaluate internal controls on an ongoing basis,
  - report on the effectiveness of internal controls on a periodic basis,
  - identify, measure, monitor, and control inherent risks,
  - maintain an organizational structure with clear assignment of responsibility, authority, and reporting relationships,
  - ensure delegated responsibilities are carried out,
  - implement internal control policies and ensure activities are performed by qualified personnel,
  - ensure continuing professional development, and
  - inform internal audit of significant changes in the bank’s risk management systems, policies, and processes (Subsection X185.1).
- All personnel must understand roles and responsibilities in internal control, be accountable in carrying them out, and promptly communicate to the appropriate level of management any issue inconsistent with documented internal control processes and the code of ethics (Subsection X185.1).
Risk recognition and control activities
- Banks must identify, evaluate, and continually assess all material risks that could affect achievement of the bank’s performance, information, and compliance objectives (Subsection X185.2).
- Banks must consider the potential for fraud in assessing risks to achievement of those objectives (Subsection X185.2).
- Risk assessment must cover risks including credit; country and transfer; market; interest rate; liquidity; operational; compliance; legal; and reputational risks (Subsection X185.2).
- Risk assessment must consider both:
  - internal factors (e.g., complexity of organizational structure, nature of activities, personnel profile), and
  - external factors (e.g., economic conditions, technological developments, industry changes) (Subsection X185.2).
- Risk assessment must be conducted at the level of individual business units and across all bank activities/groups/units, and across subsidiaries in the case of a parent bank (Subsection X185.2).
- Internal controls must be revised to address new or previously uncontrolled or unidentified risks (Subsection X185.2).
- Control activities must be part of the daily activities of the bank and all levels of personnel, designed to address risks identified in the risk assessment process (Subsection X185.3).
- Banks must have control activities defined at every business level including:
  - top and functional level reviews,
  - compliance checking with exposure limits and follow-up on noncompliance,
  - systems of approvals and authorizations including approvals for new products and services, and
  - systems of verification and reconciliation (Subsection X185.3).
- Banks must observe supporting control systems including clearly defined organizational structure and reporting lines, arrangements for delegating authority, adequate accounting policies/records/processes, robust physical and environmental controls for tangible assets, access controls to information assets, and segregation of conflicting functions (Subsection X185.3).
- Delegation of authority must be governed by clear, documented arrangements: each staff member’s functions and scope of authority/responsibility must be defined, documented, and communicated, and the extent of each delegation must be approved at the appropriate level of management or by the board of directors (Subsection X185.3(1)).
- Accounting controls must include:
  - adequate financial policies, records, and processes,
  - records kept up-to-date with sufficient detail for an audit trail,
  - independent balancing and reconciliation,
  - a reliable information system covering significant activities and enabling access to data for decision-making, including financial, operations, risk management, compliance, and market information, and
  - secure and independently monitored systems supported by adequate contingency arrangements (Subsection X185.3(2)).
- Tangible and information assets must be safeguarded through measures including:
  - board-approved signing authorities with a clearly defined extent of authority,
  - joint custody for certain assets, with joint custodians being equally accountable and with persons related within the third degree of consanguinity or affinity prohibited from serving as joint custodians,
  - dual control via verification of one person’s work by a second person for authorization, recording, and settlement,
  - sequence number control in the accounting system for promissory notes, checks, and similar instruments, plus controls to monitor the usage, safekeeping, and recording of accountable forms,
  - access restriction to information assets by classifying information by sensitivity and criticality and defining information owners and authorized access personnel by job responsibility and need, and
  - authentication and access controls (including password rules) with monitoring mechanisms that enable auditing of information asset use (Subsection X185.3(3)).
- Banks must identify and minimize conflicts of interest, ensure segregation of functions in areas that pose conflicts, and conduct periodic reviews to ensure personnel cannot conceal inappropriate actions (Subsection X185.3(4)).
Information, communication, and monitoring
- Banks must maintain adequate and comprehensive internal financial, operational, and compliance data and relevant external information for decision-making; information must be reliable, timely, accessible, and consistently formatted (Subsection X185.4).
- Banks must establish a reliable management information system that covers significant activities and can generate relevant and quality information to support internal control functioning (Subsection X185.4).
- Banks must establish effective communication channels so personnel understand and adhere to policies/procedures and relevant control measures, with management ensuring personnel are aware of the duty to promptly report deficiencies to appropriate management levels or to the board where required (Subsection X185.4).
- Banks must ensure communication enables quick response to changing conditions and avoids unnecessary costs (Subsection X185.4).
- The effectiveness of internal controls must be monitored on an ongoing basis; management must define monitoring activities integrated in operations and ensure regular reports for review (Subsection X185.5).
- Review documentation must be maintained and results must be reported timely to the appropriate management level (Subsection X185.5).
- Evaluations of internal control effectiveness may be performed through self-assessment by the same operational area or by internal audit from other areas, but self-assessment by business units must be subject to independent validation (Subsection X185.5).
- Evaluations must be documented, internal control deficiencies/weaknesses must be reported timely to appropriate management and/or the board where necessary, and deficiencies must be addressed promptly (Subsection X185.5).
Deletions and minimum measures appendix
- Subsections X185.6 to X185.12 of the MORB are deleted (Section 2).
- Appendix A of BSP Circular No. 871, “Minimum Internal Control Measures,” sets out the minimum internal control measures (Section 2).
Internal audit function requirements
- Internal audit is an independent, objective assurance and consulting function established to examine, evaluate, and improve the effectiveness of internal control, risk management, and governance systems and processes, helping management and the board protect the bank and its reputation (Section X186).
- Internal audit must both assess and complement operational management, risk management, compliance, and other control functions, and must be conducted at frequencies commensurate with assessed risk levels in specific banking areas (Section X186).
- Each bank must have a permanent internal audit function; in group structures, internal audit must be established in each BSP-supervised financial institution or centrally by the parent bank (Section X186(1)).
- In group structures where each BSP-supervised institution has its own internal audit function:
  - the internal audit function must be accountable to the institution’s own board, and
  - it must report to the head of the parent bank’s internal audit within a reasonable period and at a frequency prescribed by the parent bank’s board (Section X186(2)).
- If the parent bank’s internal audit covers internal audit activities in a subsidiary or affiliate BSP-supervised financial institution, the parent bank board must ensure the scope is adequate considering the subsidiary/affiliate’s size, risk profile, and complexity (Section X186(2)).
- Centralized internal audit under the parent bank in group structures is not treated as outsourcing under Section X162 of the MORB, and the parent bank head defines internal audit strategies, methodology, scope, and quality assurance measures for the entire group, in consultation and coordination with the respective boards of subsidiaries/affiliates (Section X186(2)).
- The subsidiary/affiliate board remains ultimately responsible for the performance of internal audit activities (Section X186(2)).
- Banks may outsource internal audit activities in accordance with existing BSP outsourcing regulations, except for areas covered by existing statutory deposit secrecy provisions (Section X186(3)).
- Outsourcing of internal audit activities must be limited to cases where the bank needs to:
  - access expertise not available internally, or
  - address resource constraints (Section X186(3)).
- Banks must not outsource internal audit activities, without a one-year “cooling off” period, to:
  - the bank’s own external auditor/audit firm, or
  - an internal audit service provider previously engaged by the bank in the same area to be outsourced (Section X186(3)).
- The head of the internal audit function must ensure that knowledge/inputs from outsourced experts are assimilated into the bank to the greatest extent possible (Section X186(3)).
- Non-complex thrift, rural, and cooperative banks may outsource internal audit activities covering all areas of bank operations, excluding areas covered by deposit secrecy, while their boards through the audit committee remain ultimately responsible for auditing areas covered by deposit secrecy (Section X186(3)).
- Branches of foreign banks may establish their own internal audit function or be covered by the regional/group internal audit function (Section X186(4)).
- If the regional/group internal audit performs internal audits in branches of foreign banks:
  - senior management in the branch must conduct periodic self-assessment of internal control, risk management, and governance processes and report the results to the regional/group internal audit to ensure the audit scope is adequate, and
  - the regional/group internal audit must inform branch senior management of its results (Section X186(4)).
- If the senior management risk assessment for the branch differs from the regional/group internal audit function’s risk assessment, branch senior management or the BSP may require immediate or more frequent internal audit (Section X186(4)).
Qualifications, duties, ethics, independence
- The head of internal audit must have:
  - unassailable integrity,
  - relevant education/experience/training,
  - understanding of the bank’s risk exposures, and
  - competence to audit all areas of operations (Section X186.1).
- For a universal bank (UB) or commercial bank (KB), the head must be a Certified Public Accountant (CPA) or Certified Internal Auditor (CIA) and must have at least five (5) years’ experience in regular audit (internal or external) of a UB or KB as auditor-in-charge, senior auditor or audit manager (Section X186.1(1)).
- For a complex thrift bank (TB), rural bank (RB), cooperative bank (Coop Bank), quasi-bank (QB), or trust entity, the head must be a graduate of accounting, business, finance or economics with technical proficiency in internal audit and must have at least five (5) years’ experience in regular audit (internal or external) of a TB, national Coop Bank, QB or trust entity, or at least three (3) years in regular audit of a UB or KB (Section X186.1(2)).
- For a simple or non-complex TB, RB, or Coop Bank, or a non-stock savings and loan association (NSSLA), the head must be a graduate of accounting, business, finance or economics with technical proficiency in internal audit and must have at least two (2) years’ experience in regular audit (internal or external) of a UB, KB, TB, RB, Coop Bank, QB or NSSLA (Section X186.1(3)).
- A qualified head of internal audit of a UB/KB is qualified to audit TBs, RBs, Coop Banks, QBs, trust entities, NSSLAs, and subsidiaries/affiliates in allied activities and other BSP-supervised financial institutions (Section X186.1).
- A qualified head of internal audit of a complex TB/RB/Coop Bank and QB/trust entity is likewise qualified to audit non-complex TB/RB/Coop Bank and NSSLA (Section X186.1).
- The head of internal audit must be appointed/reappointed or replaced with prior approval of the audit committee (Section X186.1).
- When the head of internal audit is replaced, the bank must report the replacement and the reasons for replacement to the appropriate BSP supervising department within five (5) days from the time it is approved by the board of directors (Section X186.1).
- The head of internal audit must:
  - demonstrate leadership and the skills necessary to fulfill responsibilities while maintaining independence and objectivity,
  - be accountable to the board or audit committee and submit reports to them on the internal audit unit’s accomplishments, including findings and the compliance status of the concerned departments/units,
  - ensure compliance with sound internal auditing standards (including the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing), supplemental standards, and the relevant code of ethics,
  - develop an audit plan based on robust risk assessment with inputs from the board, audit committee, and senior management, ensure it is comprehensive and covers regulatory matters, and ensure its approval by the audit committee, and
  - ensure adequate human resources and an internal development program aligned with increasing technical complexity (Section X186.2).
- Internal audit personnel must act with integrity, respect confidentiality of information acquired, not use information for personal gain or malicious actions, avoid conflicts of interest, and adhere at all times to the bank’s Code of Ethics and an established code of ethics for internal auditors such as that of the Institute of Internal Auditors (Section X186.3).
- Internally recruited internal auditors must not engage in auditing activities for which they previously had responsibility until a one-year “cooling off” period has elapsed (Section X186.3).
- Internal audit must be independent of audited activities and independent of day-to-day internal control processes (Section X186.4).
- Internal audit must report audit results, findings, opinions, appraisals, and information through a clear reporting line to the board of directors or audit committee (Section X186.4).
- Internal audit must have authority to directly access and communicate with any officer or employee, examine any activity or entity of the bank, and access records/files/data whenever relevant to the assignment (Section X186.4).
- If independence or objectivity is impaired, the details of impairment must be disclosed to the audit committee, including personal conflict of interest, scope limitations, restrictions on access to records/personnel/properties, and resource limitations such as funding (Section X186.4).
- Internal audit must inform senior management of results of audits and assessment; senior management may consult internal auditors on risks and internal controls without tainting independence, but the internal auditor must not be involved in development/implementation of policies and procedures, preparation of reports, or execution of activities that fall within the scope of review (Section X186.4).
- Internal audit staff must be periodically rotated, whenever practicable, without jeopardizing competence and expertise to avoid unwarranted effects that could affect judgment and objectivity (Section X186.4).
Internal audit charter and scope
- Banks must have an internal audit charter approved by the board of directors, and the charter must be periodically reviewed by the head of internal audit; changes must be approved by the board (Section X186.5).
- The internal audit charter must establish, among others:
  - purpose, stature, authority, responsibilities, and relations with other control functions, recognizing internal audit’s authority to initiate direct communication, examine any activity/entity, and access records/files/data/physical properties,
  - independence, objectivity, professional competence and due professional care, and professional ethics,
  - criteria/guidelines for outsourcing internal audit activities to external experts,
  - guidelines for consulting/advisory services by internal audit,
  - responsibilities and accountabilities of the head of internal audit,
  - the requirement to comply with sound internal auditing standards and relevant codes of ethics, and
  - coordination guidelines with the external auditor and supervisory authority (Section X186.5).
- The scope of internal audit covers all processes, systems, units, and activities including outsourced services (Section X186.6).
- Internal audit scope must cover at least:
  - evaluation of the adequacy/efficiency/effectiveness of internal control, risk management and governance systems in light of current and potential future risks,
  - review of the reliability, effectiveness, and integrity of management and financial information systems, including electronic information systems and electronic banking services,
  - review of systems and procedures safeguarding physical and information assets,
  - review of compliance of trading activities with relevant laws/rules/regulations,
  - review of the compliance system and implementation of established policies and procedures, and
  - review of areas of interest to regulators, including monitoring compliance with relevant laws/rules/regulations and assessment of the adequacy of capital and provisions, liquidity level, and regulatory and internal reporting (Section X186.6).
Trust operations internal audit
- The internal auditor must include among its functions the conduct of an annual audit of the trust department or investment management department (Subsection X426.1).
- If the board of directors adopts a resolution in its minutes requiring a suitable continuous audit system to supplement and/or replace the annual audit, the audit may be conducted in intervals commensurate with assessed levels of risk in trust and investment management operations (Subsection X426.1).
- Those intervals must be supported and reassessed regularly to ensure appropriateness given current risk and volume of trust and investment management operations (Subsection X426.1).
- The audit must ascertain whether trust and other fiduciary business and investment management activities are administered in accordance with laws, BSP rules and regulations, and sound trust or fiduciary principles (Subsection X426.1).
Extension to non-bank financial institutions
- The Circular’s provisions apply to non-bank financial institutions and amend relevant provisions of the Manual of Regulations for Non-Bank Financial Institutions (MORNBFI) (Section 5).
- Sections 1 and 2 of the Circular amend Section 4185Q of the MORNBFI (Section 5(a) and Section 5(b)).
- Sections 3.a.1 to 3.a.3 and 3.b to 3.g of the Circular, together with related amendments, modify the internal audit outsourcing and related provisions for quasi-banks (QBs) in Section 4186Q and Subsections 4186Q.2 to 4186Q.4 of the MORNBFI, and the corresponding provisions referenced in the Circular (Section 5(b)).
- QBs that are not part of group structures must be allowed to outsource internal audit activities covering all areas of operations under BSP outsourcing regulations, while the QB’s board remains ultimately responsible for effective internal audit (Section 5(b)).
- The internal audit outsourcing restrictions for QBs prohibit outsourcing to the QB’s own external auditor/audit firm or to an internal audit service provider previously engaged by the QB in the same area to be outsourced without a one-year “cooling off” period (Section 5(b)).
- Section 4 of the Circular amends Section 4426Q.1 of the MORNBFI (Section 5(c)).
- Sections 1 and 2 of the Circular are adopted under Section 4163S of the MORNBFI (Section 5(d)) and amend:
  - Section 4164S and Subsections 4164S.1 to 4164S.4 with the QB-like internal audit outsourcing structure for NSSLAs and related entities as stated in the Circular (Section 5(e)).
- NSSLAs may outsource internal audit activities covering all areas of operations under BSP outsourcing regulations, while the board of trustees remains ultimately responsible for effective internal audit (Section 5(e)).
- The internal audit outsourcing restrictions for NSSLAs prohibit outsourcing to the NSSLA’s own external auditor/audit firm or to a previously engaged internal audit service provider in the same area without a one-year “cooling off” period (Section 5(e)).
- Sections 1 and 2 are adopted under Section 4163N of the MORNBFI (Section 5(f)) and amend:
  - Section 4164N and Subsections 4164N.1 to 4164N.4 with internal audit outsourcing rules for NBFIs consistent with the Circular’s specified text (Section 5(g)).
- Non-bank financial institutions (NBFIs) may outsource internal audit activities covering all areas of operations under BSP outsourcing regulations, while the board of directors remains ultimately responsible for effective internal audit (Section 5(g)).
- The internal audit outsourcing restrictions for NBFIs prohibit outsourcing to the NBFI’s own external auditor/audit firm or to a previously engaged internal audit service provider in the same area intended to be covered without a one-year “cooling off” period (Section 5(g)).
Supersession and inconsistency clause
- BSP Circular No. 871 supersedes/amends/modifies existing BSP circulars, memoranda, and/or regulations that are inconsistent with its provisions through its repealing clause (Section 6).