(1) In order to, amongst other things, evaluate and improve the effectiveness of a bank's risk management, control, capital management and governance processes and/or systems, a bank shall establish an independent and objective internal audit function, which internal audit function—
    (a) shall in no case serve as a substitute for the ultimate responsibility of the bank's board of directors to ensure that the senior management of the bank, amongst other things—
        (i) establishes and maintains—
            (A) an adequate and effective system of internal controls, including controls over financial reporting;
            (B) a sufficiently robust measurement system in order to identify and assess the various risks to which the bank may be exposed;
            (C) a sufficiently robust system that relates risk exposure to required capital levels;
            (D) appropriate methods in order to monitor the bank's compliance with laws, regulations, and supervisory and internal policies;
        (ii) implements appropriate corrective actions in respect of internal control weaknesses identified by the bank's internal or external auditor and subsequently brought to the attention of the bank's board of directors or senior management;
        (iii) keeps the internal audit department fully informed of new developments, initiatives, products and operational changes in order to ensure that all associated risks are identified at an early stage;
    (b) shall form an integral part of the ongoing monitoring of the bank's system of internal controls, and of the bank's internal capital assessment procedure;
    (c) shall be a permanent function of the bank, provided that—
        (i) subject to the prior written approval of and such conditions as may be specified in writing by the Registrar, a bank may outsource some of its internal audit services, provided that the bank shall as part of its application to the Registrar, among other things, present its analysis and assessment of the impact that the said outsourcing of internal audit services will have on the bank's overall risk profile and internal control system;
        (ii) notwithstanding approval that might be obtained from the Registrar for a bank to outsource certain internal audit services, the bank's board of directors and senior management shall remain ultimately responsible for ensuring that the bank's system of internal control and internal audit are adequate, and operate effectively;
        (i) the nature and extent of the bank's operations and risk exposure, shall be appropriately structured within the bank's governance structure;
        (ii) the governance structure of the bank, shall report directly to the bank's chief executive officer, board of directors or audit committee;
    (e) shall have sufficient resources and appropriately trained staff, that is—
        (i) the staff of the internal audit department shall be sufficiently competent to examine all areas in which the bank conducts business;
        (ii) the bank shall ensure the continued professional competence of internal auditors by way of systematic and relevant training;
        (iii) all staff members of the internal audit department shall have sufficient up-to-date knowledge of auditing techniques and banking activities;
    (f) shall be functionally independent from the activities audited and the day-to-day internal control processes of the bank, that is, the internal audit function—
        (i) shall be able to conduct an assignment on its own initiative in respect of any relevant department, establishment or functions of the bank, including the activities of branches and subsidiaries, and outsourced activities;
        (ii) shall be free to report its findings and appraisals;
        (iii) shall be free to internally disclose its findings and appraisals;
    (g) shall be able to conduct any assignment with objectivity and impartiality, that is—
        (i) the internal audit department shall be able to conduct an assignment free from any bias or interference;
        (ii) staff shall not audit any activity or function they performed within the twelve-month period preceding their appointment in the internal audit department, and staff assignments shall periodically be rotated;
        (iii) the internal audit department shall not be involved in the operations of the bank or in selecting or implementing internal control measures that may impair the judgmental independence of the internal auditors;
        (iv) staff members of internal audit shall conduct their work free from any potential conflict of interest, which potential conflict of interest, for example, may be influenced by matters such as a compensation scheme, that is, the compensation of internal auditors shall be consistent with the objectives and charter of internal audit;
    (h) shall be headed by a senior executive officer of the bank with the authority to communicate directly and freely in respect of any relevant matter, including, for example, decisions made by the management of the bank that may be in conflict with legal or regulatory requirements, and on his/her own initiative,
        (i) with the members or chairman of the bank's board of directors;
        (ii) with the members or chairman of the bank's audit committee; or
        (iii) with the external auditor of the bank, when appropriate.
        Provided that whenever the head of the bank's internal audit department ceases to act as such or has been relieved of his/her duties, the bank shall in writing inform the Registrar accordingly.
    (i) shall be subject to independent review, which review, for example, may be conducted by an independent person or committee such as external audit or the bank's audit committee;
    (j) shall conduct its work in terms of a duly documented internal audit charter, which charter—
        (i) shall enhance the standing and authority of the internal audit function within the bank;
            (A) the objectives and scope of the internal audit function;
            (B) the position of the internal audit department within the bank, including its powers, responsibilities and relations with other control functions within the bank;
            (C) the accountability of the head of the internal audit department;
            (D) that the senior management of the bank grants the internal audit department the right of initiative and authorises the department—
                (i) to have direct access to and communicate with any member of staff;
                (ii) to examine any activity or entity of the bank;
                (iii) to access any records, files or data of the bank, including management information and the minutes of any consultative or decision-making body, whenever relevant to the performance of the department's assignment;
            (E) the terms and conditions according to which the internal audit department may be requested to provide consulting or advisory services or to conduct special tasks;
            (F) that none of the activities of the bank or entities in which the bank has an interest, including the activities of branches and subsidiaries, and outsourced activities, are excluded from the scope of investigation of the internal audit department;
        (iii) shall periodically be reviewed by the internal audit department, approved by the senior management of the bank and subsequently confirmed by the board of directors of the bank as part of the board's supervisory role;
        (iv) shall be communicated throughout the bank;
    (k) shall adopt and comply with all relevant generally accepted internal audit standards issued from time to time;
        (i) shall provide an independent assessment of the adequacy of and compliance with the bank's established policies, processes and procedures;
        (ii) shall examine and evaluate—
            (A) the adequacy and effectiveness of the bank's internal control systems;
            (B) the application and effectiveness of the bank's risk management procedures and risk assessment methodologies;
            (C) the bank's management and financial information systems, including the electronic information system and electronic banking services;
            (D) the accuracy and reliability of the bank's accounting records and financial reports;
            (E) the manner and means in terms of which the bank safeguards its assets;
            (F) the bank's system in terms of which the bank assesses its capital and reserve funds in relation to the bank's risk exposure;
            (G) the systems and processes established by the bank in order to ensure compliance with any relevant legal and regulatory requirements, codes of conduct and the implementation of policies and procedures;
            (H) the manner in which assigned responsibilities are fulfilled;
            (I) the bank's compliance with policies and controls;
            (J) the reliability, integrity, accuracy, completeness and timeliness of financial and management information;
            (K) the continuity and reliability of the electronic information systems;
            (L) the functioning of the staff departments;
            (A) an appraisal of the economy and efficiency of the bank's operations;
            (B) appropriate testing of—
                (ii) the functioning of specific internal control procedures;
                (iii) the reliability and timeliness of the bank's regulatory reporting;
            (C) relevant special investigations from time to time;
        (iv) shall evaluate whether or not the senior management of the bank—
            (A) developed and maintained sufficiently robust risk management processes and procedures to identify, measure, monitor and control the risks to which the bank is exposed;
            (B) at least once a year, reports to the board of directors the scope and performance of the bank's internal control system and the bank's capital assessment procedure;
            (C) maintains an organisational structure that clearly assigns responsibility, authority and reporting relationships, and ensures that delegated responsibilities are effectively carried out;
            (D) developed and maintains appropriate internal control policies;
            (E) continuously monitors the adequacy and effectiveness of the internal control system;
    (m) shall have in place a complete and duly authorised audit programme in respect of each relevant audit assignment, which audit programme, as a minimum, shall describe the relevant audit objectives and an outline of the required audit work in order to achieve the stated objectives;
    (n) in order to ensure the senior management of the bank makes informed decisions in a cost-effective manner, may provide advisory services to the senior management of the bank regarding the development or improvement of internal controls, provided that—
        (i) the said advisory or consulting services shall be ancillary to the basic function and primary responsibilities of internal audit;
        (ii) subsequently internal audit shall not be precluded from analysing and criticising the internal controls that have been put in place by or at the direction of senior management;
        (iii) the introduction, development or improvement of internal controls shall remain the responsibility of the management of the bank;
    (o) may, in the case when the bank established a separate department to control or monitor a specific activity or entity of the bank, use the information reported by the relevant control department, provided that the internal audit department shall remain responsible for the examination and evaluation of the adequate functioning of the internal control of the said activity or entity;
    (p) may from time to time provide such additional assurance services as reasonably may be expected by the bank from such a function;
    (q) shall encourage departments or business units within the bank, or entities within the banking group, from time to time to conduct control self-assessments regarding the efficiency and effectiveness of all relevant internal control procedures;
    (r) may from time to time meet with the bank's external auditor in order to—
        (i) provide information relating to any significant matter that came to the attention of the internal audit department that may affect the work of the external auditor;
        (ii) obtain information regarding any significant matter that came to the attention of the external auditor that may affect internal audit;
        (iii) provide input regarding the nature, timing and extent of certain external audit procedures,
        provided that the external auditor shall solely be responsible for the audit opinion in respect of the bank's financial statements;
    (s) shall provide the bank's external auditor access to any relevant internal audit reports;
    (t) shall duly document—
        (i) the bank's audit plan;
        (ii) all audit procedures, examinations and evaluations that formed part of a particular audit assignment;
        (iii) the purpose and scope of every audit assignment;
        (iv) all audit findings and recommendations, and the relevant responses received;
    (u) shall have in place a sufficiently robust process in order to follow up—
        (i) responses that relate to audit findings;
        (ii) whether or not recommendations made by the internal audit department have been implemented;
        (iii) whether or not the department's concerns were appropriately addressed.
        (i) report to and advise senior management and the board of directors or audit committee, as the case may be—
            (A) on the performance of the internal control system;
            (B) on the achievement of the objectives of the internal audit department;
        (ii) inform senior management and/or the board of directors or audit committee about the progress made in respect of the audit plan.