c871 Internal Control and Internal Audit
BANGKO SENTRAL NG PILIPINAS
OFFICE OF THE GOVERNOR

CIRCULAR NO. 871
Series of 2015

Subject: Internal Control and Internal Audit

The Monetary Board in its Resolution No. 230 dated 13 February 2015, approved the following amendments to Sections X185 - X185.12 and X186 - X186.4 of the Manual of Regulations for Banks (MORB) on the Internal Control System and Internal Audit Function in banks, respectively.

Policy Statement. It is the thrust of the Bangko Sentral ng Pilipinas to promote strong control environments in its supervised financial institutions to sustain their safe and sound operations. In this regard, the BSP is aligning its existing regulations, to the greatest extent possible, with international standards and best practices in internal control and internal audit as embodied in related documents issued by the Basel Committee on Banking Supervision (BCBS) and the Committee on Sponsoring Organizations of Treadway Commission (COSO).

Section 1. Internal Control Framework. Section X185 and Subsections X185.1 - X185.5 of the MORB shall now read as follows:

(a) Section 185. Internal control framework. Internal control is a process designed and effected by the board of directors, senior management, and all levels of personnel to provide reasonable assurance on the achievement of objectives through efficient and effective operations; reliable, complete and timely financial and management information; and compliance with applicable laws, regulations, supervisory requirements, and the organization's policies and procedures.

Banks shall have in place adequate and effective internal control framework for the conduct of their business taking into account their size, risk profile and complexity of operations. The internal control framework shall embody management oversight and control culture; risk recognition and assessment; control activities; information and communication; and monitoring activities and correcting deficiencies.

A. Mabini St., Malate 1008 Manila, Philippines • (632) 708.7701 • www.bsp.gov.ph • [email protected]
(b) Subsection 185.1. Management oversight and control culture. Consistent with the principles provided under Subsections X141.3 and X142.3 of the MORB, the board of directors and senior management shall be responsible for promoting high ethical and integrity standards; establishing the appropriate culture that emphasizes, demonstrates and promotes the importance of internal control; and designing and implementing processes for the prevention and detection of fraud.

(1) The board of directors shall be ultimately responsible for ensuring that senior management establishes and maintains an adequate, effective and efficient internal control framework commensurate with the size, risk profile and complexity of operations of the bank. The board of directors shall also ensure that the internal audit function has an appropriate stature and authority within the bank and is provided with adequate resources to enable it to effectively carry out its assignments with objectivity. Further, the board of directors shall, on a periodic basis:
(i) conduct discussions with management on the effectiveness of the internal control system;
(ii) review evaluations made by the audit committee on the assessment of effectiveness of internal control made by management, internal auditors and external auditors;
(iii) ensure that management has promptly followed up on recommendations and concerns expressed by auditors and supervisory authorities on internal control weaknesses; and
(iv) review and approve the remuneration of the head and personnel of the internal audit function. Said remuneration shall be in accordance with the bank’s remuneration policies and practices and shall be structured in such a way that these do not create conflicts of interest or compromise independence and objectivity.
The board of directors of universal/commercial banks shall likewise commission an assessment team outside of the organization to conduct an independent quality assurance review of the internal audit function at least every five (5) years.

(2) The audit committee shall be responsible for overseeing senior management in establishing and maintaining an adequate, effective and efficient internal control framework. It shall ensure that systems and processes are designed to provide assurance in areas including reporting, monitoring compliance with laws, regulations and internal policies, efficiency and effectiveness of operations, and safeguarding of assets.

The audit committee shall oversee the internal audit function and shall be responsible for:
(i) monitoring and reviewing the effectiveness of the internal audit function;
(ii) approving the internal audit plan, scope and budget;
(iii) reviewing the internal audit reports and the corresponding recommendations to address the weaknesses noted, discussing the same with the head of the internal audit function and reporting significant matters to the board of directors;
(iv) ensuring that the internal audit function maintains an open communication with senior management, the audit committee, external auditors, and the supervisory authority;
(v) reviewing discoveries of fraud and violations of laws and regulations as raised by the internal audit function;
(vi) reporting to the board of directors the annual performance appraisal of the head of the internal audit function;
(vii) recommending for approval of the board of directors the annual remuneration of the head of the internal audit function and key internal auditors;
(viii) appointing, reappointing or removing the head of the internal audit function and key internal auditors; and
(ix) selecting and overseeing the performance of the internal audit service provider.
In particular, the audit committee shall be responsible for:
(i) ensuring the independence of the internal audit service provider;
(ii) reporting to the board of directors on the status of accomplishments of the outsourced internal audit activities, including significant findings noted during the conduct of the internal audit;
(iii) ensuring that the internal audit service provider comply with sound internal auditing standards such as the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing and other supplemental standards issued by regulatory authorities/government agencies, as well as with relevant code of ethics;
(iv) ensuring that the audit plan is aligned with the overall plan strategy and budget of the bank and is based on robust risk assessment; and
(v) ensuring that the internal audit service provider has adequate human resources with sufficient qualifications and skills necessary to accomplish the internal audit activities.

(3) Senior management shall be responsible for maintaining, monitoring and evaluating the adequacy and effectiveness of the internal control system on an ongoing basis, and for reporting on the effectiveness of internal controls on a periodic basis. Management shall develop a process that identifies, measures, monitors and controls risks that are inherent to the operations of the bank; maintain an organizational structure that clearly assigns responsibility, authority and reporting relationships; ensure that delegated responsibilities are effectively carried out; implement internal control policies and ensure that activities are conducted by qualified personnel with the necessary experience and competence. Management shall ensure that bank personnel undertake continuing professional development and that there is an appropriate balance in the skills and resources of the front office, back office, and control functions.
Moreover, Management shall promptly inform the internal audit function of the significant changes in the bank’s risk management systems, policies and processes.

(4) All personnel need to understand their roles and responsibilities in the internal control process. They should be fully accountable in carrying out their responsibilities effectively and they should communicate to the appropriate level of management any problem in operations, action or behavior that is inconsistent with documented internal control processes and code of ethics.

(c) Subsection X185.2. Risk recognition and assessment. An effective internal control system shall identify, evaluate and continually assess all material risks that could affect the achievement of the bank’s performance, information and compliance objectives. The potential for fraud shall be considered in assessing the risks to the achievement of said objectives. Further, the risk assessment shall cover all risks facing the bank, which include, among others, credit; country and transfer; market; interest rate; liquidity; operational; compliance; legal; and reputational risks.

Effective risk assessment identifies and considers both internal (e.g., complexity of the organization’s structure, nature of the bank’s activities and personnel profile) and external (e.g., economic conditions, technological developments and changes in the industry) factors that could affect the internal control framework. The risk assessment shall be conducted at the level of individual business units and across all bank activities/groups/units and subsidiaries, in the case of a parent bank. Internal controls shall be revised to address any new or previously uncontrolled or unidentified risks.

(d) Subsection X185.3. Control activities. Control activities shall form part of the daily activities of the bank and all levels of personnel in the bank.
Control activities are designed and implemented to address the risks identified in the risk assessment process. These involve the establishment of control policies and procedures, and verification that these are being complied with.

Banks shall have in place control activities defined at every business level, which shall include a system that provides for top and functional level reviews; checking compliance with exposure limits and follow-up on noncompliance; a system of approvals and authorizations, which shall include the approval process for new products and services; and a system of verification and reconciliation.

Control activities complement existing policies, procedures and other control systems in place such as, among others, having clearly defined organizational structure and reporting lines, and arrangements for delegating authority; adequate accounting policies, records and processes; robust physical and environmental controls for tangible assets and access controls to information assets; and appropriate segregation of conflicting functions.

(1) Clear arrangements for delegating authority. The functions and scope of authority and responsibility of each personnel should be adequately defined, documented and clearly communicated. The extent to which authorities may be delegated and the corresponding accountabilities of the personnel involved shall be approved by the appropriate level of management or the board of directors.

(2) Adequate accounting policies, records and processes. Banks shall maintain adequate financial policies, records and processes. These records shall be kept up-to-date and contain sufficient detail to establish an audit trail. Further, banks shall conduct independent balancing and reconciliation of records and reports to ensure the integrity of the reported data and balances.
Banks shall also put in place a reliable information system that covers all of its significant activities which shall allow the board of directors and management access to data and information relevant to decision making such as, among others, financial, operations, risk management, compliance and market information. Moreover, these systems shall be secured, monitored independently and supported by adequate contingency arrangements.

(3) Robust physical and environmental controls to tangible assets and access controls to information assets. Banks shall adopt policies and practices to safeguard their tangible and information assets. These shall include, but shall not be limited to:
(i) identifying officers with authorities to sign for and on behalf of the bank. Signing authorities shall be approved by the board of directors and the extent of authority at each level shall be clearly defined;
(ii) implementing joint custody on certain assets. Joint custody shall mean the processing of transactions in the presence, and under the direct observation, of a second person. Both persons shall be equally accountable for the physical protection of the items and records involved. Provided: That persons who are related to each other within the third degree of consanguinity or affinity shall not be made joint custodians;
(iii) adopting dual control wherein the work of one person is to be verified by a second person to ensure that the transaction is properly authorized, recorded and settled;
(iv) incorporating sequence number control in the accounting system which shall also be used in promissory notes, checks and other similar instruments.
Management shall also put in place appropriate controls to monitor the usage, safekeeping and recording of accountable forms;
(v) restricting access to information assets by classifying information as to degree of sensitivity and criticality and identifying information owners or personnel with authority to access particular classifications based on job responsibilities and the necessity to fulfill one's duties; and
(vi) implementing authentication and access controls prior to granting access to information such as, among others, implementing password rules. This shall be supplemented by appropriate monitoring mechanisms that allow audit of use of information assets.

(4) Segregation of conflicting functions. Banks shall ensure that areas of potential conflicts of interest shall be identified, minimized and subjected to independent monitoring. Further, appropriate segregation of functions shall be observed in identified areas that may pose potential conflict of interest. Moreover, periodic reviews of responsibilities and functions shall be conducted to ensure that personnel are not in a position to conceal inappropriate actions.

(e) Subsection X185.4. Information and communication. An effective internal control system requires that there are adequate and comprehensive internal financial, operational and compliance data, as well as external information about events and conditions that are relevant to decision making. Information shall be reliable, timely, accessible, and provided in a consistent format.

Banks shall have in place a reliable management information system that covers significant activities of the bank and has the capability to generate relevant and quality information to support the functioning of internal control.
Banks shall also establish effective channels of communication to ensure that all personnel fully understand and adhere to policies and procedures and control measures relevant to their duties and responsibilities and that relevant information is reaching the appropriate personnel. Management shall also ensure that all personnel are cognizant of their duty to promptly report any deficiency to appropriate levels of management or to the board of directors, where required. These shall enable them to quickly respond to changing conditions and avoid unnecessary costs.

(f) Subsection X185.5. Monitoring activities and correcting deficiencies. The overall effectiveness of the internal controls shall be monitored on an ongoing basis. Monitoring functions and activities shall be adequately defined by management, integrated in the operating environment and should produce regular reports for review. In this regard, all levels of review shall be adequately documented and results thereof reported on a timely basis to the appropriate level of management.

Evaluations of the effectiveness of the internal control system and the corresponding monitoring activities may be done by personnel from the same operational area in the form of self-assessment or from other areas such as internal audit: Provided, That, self-assessment done by business units shall be subject to independent validation. Evaluations done shall be adequately documented and internal control deficiencies and weaknesses identified shall be reported on a timely basis to the appropriate level of management or the board of directors, where necessary, and addressed promptly.

Section 2. Subsections X185.6 - X185.12 of the MORB are hereby deleted. Examples of internal control measures are provided under Appendix A of this Circular as “Minimum Internal Control Measures”.

Section 3. Internal Audit Function. Section X186 and Subsections X186.1 - X186.4 of the MORB are hereby amended to read as follows:

a) Sec. X186.
Internal Audit Function. Internal audit is an independent, objective assurance and consulting function established to examine, evaluate and improve the effectiveness of internal control, risk management and governance systems and processes of an organization, which helps management and the board of directors in protecting the bank and its reputation. The internal audit function shall both assess and complement operational management, risk management, compliance and other control functions. In this respect, internal audit shall be conducted in frequencies commensurate with the assessed levels of risk in specific banking areas.

(1) Permanency of the internal audit function. Each bank shall have a permanent internal audit function. In the case of group structures involving a parent bank and subsidiary or affiliate BSP-supervised financial institutions, the internal audit function shall either be established in each of the BSP-supervised financial institution or centrally by the parent bank.

(2) Internal audit function in group structures. In case each BSP-supervised financial institution belonging to group structures has its own internal audit function, said internal audit function shall be accountable to the financial institution’s own board of directors and shall likewise report to the head of the internal audit function of the parent bank within a reasonable period and frequency prescribed by the board of directors of the parent bank.

On the other hand, in case the parent bank’s internal audit function shall cover the internal audit activities in the subsidiary or affiliate BSP-supervised financial institution, the board of directors of the parent bank shall ensure that the scope of internal audit activities is adequate considering the size, risk profile and complexity of operations of the subsidiary or affiliate concerned.
The establishment of internal audit function centrally by the parent bank in group structures shall not fall under the outsourcing framework as provided under Section X162 of the MORB. In this respect, the head of the internal audit function of the parent bank shall define the internal audit strategies, methodology, scope and quality assurance measures for the entire group. Provided, That: this shall be done in consultation and coordination with the respective board of directors of the subsidiary or affiliate BSP-supervised financial institution. Provided, further, That: the board of directors of the subsidiary or affiliate BSP-supervised financial institution, shall remain ultimately responsible for the performance of the internal audit activities.

(3) Outsourcing of internal audit activities. Banks may outsource, in accordance with existing BSP regulations on outsourcing, internal audit activities except for areas covered by existing statutes on deposit secrecy. Outsourcing of internal audit activities shall however, be done on a limited basis to have access to certain areas of expertise that are not available to the internal audit function or to address resource constraints. Provided, That: The internal audit activity shall not be outsourced to the bank's own external auditor/audit firm nor to internal audit service provider that was previously engaged by the bank in the same area intended to be covered by the internal audit activity that will be outsourced, without a one-year “cooling off” period. Provided, further, That: The head of the bank's internal audit function shall ensure that the knowledge or inputs from the outsourced experts shall be assimilated into the bank to the greatest extent possible.

Non-complex thrift, rural and cooperative banks on the other hand, shall be allowed to outsource internal audit activities covering all areas of bank operations except for areas covered by existing statutes on deposit secrecy.
Provided, That: The board of directors, through the audit committee, shall be ultimately responsible for the conduct of audit on areas covered by existing statutes on deposit secrecy.

(4) Internal audit function of branches of foreign banks. Branches of foreign banks may establish their own internal audit function or may be covered by the regional/group internal audit function. Provided, That: in case the regional/group internal audit function performs the internal audit activities in branches of foreign banks, the Senior Management team in branches of foreign banks shall conduct a periodic self-assessment of the effectiveness of internal control, risk management and governance systems and processes in the branch and report the results thereof to the regional/group internal audit function to ensure that the scope of internal audit activities is adequate considering the size, risk profile and complexity of operations of the branch. Provided, further, That the regional/group internal audit function shall likewise inform the senior management team in branches of foreign banks of the results of internal audit conducted. Provided, finally, That in cases when the risk assessment of the senior management team in branches of foreign banks or of the BSP differs from the risk assessment of the regional/group internal audit function, the senior management team in branches of foreign banks or the BSP may require the regional/group internal audit function to subject the branch to an immediate or more frequent internal audit.

b) Sec. X186.1. Qualifications of the Head of the Internal Audit Function. The head of the internal audit function must have an unassailable integrity, relevant education/experience/training, and has an understanding of the risk exposures of the bank, as well as competence to audit all areas of its operations.
He must also possess the following qualifications:

(1) The head of the internal audit function of a universal bank (UB) or a commercial bank (KB) must be a Certified Public Accountant (CPA) or a Certified Internal Auditor (CIA) and must have at least five (5) years experience in the regular audit (internal or external) of a UB or KB as auditor-in-charge, senior auditor or audit manager. He must possess the knowledge, skills, and other competencies to examine all areas in which the institution operates. Professional competence as well as continuing training and education shall be required to face up to the increasing complexity and diversity of the institution's operations.

(2) The head of the internal audit function of a complex thrift bank (TB), rural bank (RB) and cooperative bank (Coop Bank); quasi-bank (QB) and; trust entity must be a graduate of any accounting, business, finance or economics course with technical proficiency on the conduct of internal audit and must have at least five (5) years experience in the regular audit (internal or external) of a TB, national Coop Bank, QB or trust entity or, at least three (3) years experience in the regular audit (internal or external) of a UB or KB.

(3) The head of the internal audit function of a simple or non-complex TB, RB and Coop Bank; and non-stock savings and loan association (NSSLA) must be a graduate of any accounting, business, finance or economics course with technical proficiency on the conduct of internal audit and must have at least two (2) years experience in the regular audit (internal or external) of a UB, KB, TB, RB, Coop Bank, QB or NSSLA.

A qualified head of the internal audit function of a UB or a KB shall be qualified to audit TBs, RB, Coop Banks, QBs, trust entities, NSSLAs, subsidiaries and affiliates engaged in allied activities, and other financial institutions under BSP supervision.
A qualified internal auditor of a complex TB, RB and Coop Bank; QB and; trust entity shall likewise be qualified to audit non-complex TB, RB and Coop Bank and NSSLA.

The head of the internal audit function shall be appointed/reappointed or replaced with prior approval of the audit committee. In cases when the head of the internal audit function will be replaced, the bank shall report the same and the corresponding reason for replacement to the appropriate supervising department of the BSP within five (5) days from the time it has been approved by the board of directors.

c) Sec. X186.2. Duties and responsibilities of the head of the internal audit function or the Chief Audit Executive.

(1) To demonstrate appropriate leadership and have the necessary skills to fulfill his responsibilities for maintaining the unit’s independence and objectivity;

(2) To be accountable to the board of directors or audit committee on all matters related to the performance of its mandate as provided in the internal audit charter. The head of the internal audit function shall submit a report to the audit committee or board of directors on the status of accomplishments of the internal audit unit, including findings noted during the conduct of the internal audit as well as status of compliance of concerned departments/units.

(3) To ensure that the internal audit function complies with sound internal auditing standards such as the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing and other supplemental standards issued by regulatory authorities/government agencies, as well as with relevant code of ethics;

(4) To develop an audit plan based on robust risk assessment, including inputs from the board of directors, audit committee and senior management and ensure that such plan is comprehensive and adequately covers regulatory matters.
The head of the internal audit function shall also ensure that the audit plan, including any revisions thereto, shall be approved by the audit committee;

(5) To ensure that the internal audit function has adequate human resources with sufficient qualifications and skills necessary to accomplish its mandate. In this regard, the head of the internal audit function shall periodically assess and monitor the skill-set of the internal audit function and ensure that there is an adequate development program for the internal audit staff that shall enable them to meet the growing technical complexity of banking operations.

d) Subsection X186.3. Professional competence and ethics of the internal audit function. The internal audit function shall be comprised of professional and competent individuals who collectively have the knowledge and experience necessary in the conduct of an effective internal audit on all areas of bank's operations. The skill set of the internal audit staff shall be complemented with appropriate audit methodologies and tools as well as sufficient knowledge of auditing techniques in the conduct of audit activities.

All internal audit personnel shall act with integrity in carrying out their duties and responsibilities. They should respect the confidentiality of information acquired in the course of the performance of their duties and should not use it for personal gain or malicious actions. Moreover, internal audit personnel shall avoid conflicts of interest. Internally-recruited internal auditors shall not engage in auditing activities for which they have had previous responsibility before a one-year “cooling off” period has elapsed.

The internal audit personnel shall adhere at all times to the bank's Code of Ethics as well as to an established code of ethics for internal auditors such as that of the Institute of Internal Auditors.

e) Subsection X186.4.
Independence and objectivity of the internal audit function. The internal audit function must be independent of the activities audited and from day-to-day internal control process. It must be free to report audit results, findings, opinions, appraisals and other information through clear reporting line to the board of directors or audit committee. It shall have authority to directly access and communicate with any officer or employee, to examine any activity or entity of the bank, as well as to access any records, files or data whenever relevant to the exercise of its assignment.

If independence or objectivity of internal audit function is impaired, in fact or appearance, the details of the impairment must be disclosed to the audit committee. Impairment to organizational independence and individual objectivity may include, but is not limited to, personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations, such as funding.

The internal audit function shall inform senior management of the results of its audits and assessment. Senior management may consult the internal auditor on matters related to risks and internal controls without tainting the latter’s independence. Provided, That: the internal auditor shall not be involved in the development or implementation of policies and procedures, preparation of reports or execution of activities that fall within the scope of his review.

e) Staff of the internal audit function shall be periodically rotated, whenever practicable, and without jeopardizing competence and expertise to avoid unwarranted effects of continuously performing similar tasks or routine jobs that may affect the internal auditor's judgment and objectivity.

Subsection X186.5. Internal audit charter. Banks shall have an internal audit charter approved by the board of directors.
The internal audit charter shall be periodically reviewed by the head of the internal audit function and any changes thereto shall be approved by the board of directors. The internal audit charter shall establish, among others, the following:

(1) Purpose, stature and authority, and responsibilities of the internal audit function as well as its relations with other control functions in the bank. The charter shall recognize the authority of the internal audit function, to initiate direct communication with any bank personnel; to examine any activity or entity; and to access any records, files, data and physical properties of the bank, in performing its duties and responsibilities;
(2) Standards of independence, objectivity, professional competence and due professional care, and professional ethics;
(3) Guidelines or criteria for outsourcing internal audit activities to external experts;
(4) Guidelines for consulting or advisory services that may be provided by the internal audit function;
(5) Responsibilities and accountabilities of the head of the internal audit function;
(6) Requirement to comply with sound internal auditing standards such as the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing and other supplemental standards issued by regulatory authorities/government agencies, as well as with relevant code of ethics; and
(7) Guidelines for coordination with the external auditor and supervisory authority.

Subsection X186.6. Scope. All processes, systems, units, and activities, including outsourced services, shall fall within the overall scope of the internal audit function.
The scope of internal audit shall cover, among others, the following:

(1) Evaluation of the adequacy, efficiency and effectiveness of internal control, risk management and governance systems in the context of current and potential future risks;
(2) Review of the reliability, effectiveness and integrity of management and financial information systems, including the electronic information system and electronic banking services;
(3) Review of the systems and procedures of safeguarding the bank's physical and information assets;
(4) Review of compliance of trading activities with relevant laws, rules and regulations;
(5) Review of the compliance system and the implementation of established policies and procedures; and
(6) Review of areas of interest to regulators such as, among others, monitoring of compliance with relevant laws, rules and regulations, including but not limited to the assessment of the adequacy of capital and provisions; liquidity level; regulatory and internal reporting.

Section 4. Trust Operations. The provisions of Subsection X426.1 of the MORB shall now read as follows:

a) 426.1 Internal audit. The bank's internal auditor shall include among his functions, the conduct of annual audit of the trust department or investment management department. However, should the board of directors, in a resolution entered in its minutes, require the internal auditor to adopt a suitable continuous audit system to supplement and/or to replace the performance of the annual audit, the audit may be conducted in intervals commensurate with the assessed levels of risk in trust and investment management operations; Provided, That such intervals shall be supported and reassessed regularly to ensure appropriateness given the current risk and volume of the trust and investment management operations.
In any case, the audit shall ascertain whether the institution's trust and other fiduciary business and investment management activities have been administered in accordance with laws, BSP rules and regulations, and sound trust or fiduciary principles.

Section 5. Applicability to non-bank financial institutions. The provisions of this Circular shall likewise apply to non-bank financial institutions and shall amend the relevant provisions of the Manual of Regulations for Non-Bank Financial Institutions (MORNBFI) as follows:

a) Sections 1 and 2 of this Circular shall likewise amend Section 4185Q of the MORNBFI.

b) Subsections 3.a.1 to 3.a.3 and Subsections 3.b to 3.g of this Circular shall likewise amend Subsection 4185Q.9, Section 4186Q, and Subsections 4186Q.2 to 4186Q.4 of the MORNBFI with the following changes:

“Section 3.2.3. Outsourcing of internal audit activities. QBs that are not part of group structures may outsource, in accordance with existing BSP regulations on outsourcing, internal audit activities covering all areas of its operations. Provided, That: the board of directors of the QB shall remain ultimately responsible for the conduct of effective internal audit. Provided, further, That: The internal audit activities shall not be outsourced to the QB's own external auditor/audit firm nor to internal audit service provider that was previously engaged by the QB in the same area intended to be covered by the internal audit activity that will be outsourced, without a one-year “cooling off” period.

c) Section 4 of this Circular shall likewise amend Section 4426Q.1 of the MORNBFI.

d) Sections 1 and 2 of this Circular shall be adopted under Section 4163S of the MORNBFI.

e) Subsections 3.a.1 to 3.a.3 and Subsections 3.b to 3.g of this Circular shall likewise amend Section 4164S and Subsections 4164S.1 to 4164S.4 of the MORNBFI with the following changes:

“Section 3.2.3. Outsourcing of internal audit activities.
NSSLAs may outsource, in accordance with existing BSP regulations on outsourcing, internal audit activities covering all areas of its operations. Provided, That: the board of trustees of the NSSLA shall remain ultimately responsible for the conduct of effective internal audit. Provided, further, That: The internal audit activity shall not be outsourced to the NSSLA's own external auditor/audit firm nor to internal audit service provider that was previously engaged by the NSSLA in the same area intended to be covered by the internal audit activity that will be outsourced, without a one-year “cooling off” period.

f) Sections 1 and 2 of this Circular shall likewise be adopted under Section 4163N of the MORNBFI.

g) Subsections 3.a.1 to 3.a.3 and Subsections 3.b to 3.g of this Circular shall likewise amend Section 4164N and Subsections 4164N.1 to 4164N.4 of the MORNBFI with the following changes:

“Section 3.2.3. Outsourcing of internal audit activities. NBFIs may outsource, in accordance with existing BSP regulations on outsourcing, internal audit activities covering all areas of its operations. Provided, That: the board of directors of the NBFI shall remain ultimately responsible for the conduct of effective internal audit. Provided, further, That: The internal audit activity shall not be outsourced to the NBFI's own external auditor/audit firm nor to internal audit service provider that was previously engaged by the NBFI in the same area intended to be covered by the internal audit activity that will be outsourced, without a one-year “cooling off” period.

Section 6. Repealing Clause. This Circular supersedes/amends/modifies the provisions of existing circulars, memoranda, and/or regulations that are inconsistent herewith.

Section 7. Effectivity. This Circular shall take effect fifteen (15) calendar days after its publication either in the Official Gazette or in a newspaper of general circulation.
FOR THE MONETARY BOARD:

AQUINO
Officer-In-Charge
05 March 2015

Appendix A

MINIMUM INTERNAL CONTROL MEASURES

1. Independent balancing

a. Monthly reconciliation of general ledger balances against respective subsidiary and supporting records and documentation by someone other than the bookkeeper or the person handling the records, or the person directly connected with processing the transactions;
b. Irregular and unannounced count of teller's/cashier's cash and checks and other cash items and vault cash including Automated Tellering Machine's (ATM) cash dispensers by the auditor/control officer or by an officer not connected with cash department or its equivalent;
c. Monthly reconciliation of due from banks, cash in bank accounts (domestic and foreign) and due from/to head office/branches by someone other than the person handling the records or posting the general ledger entries;
d. Periodic verification of securities and collaterals by someone other than their custodian; and
e. Periodic verification of the accuracy of the interest credits to deposit/deposit substitutes liabilities accounts.

2. Physical handling of transactions

a. A person handling cash shall not be permitted to post the ledger records nor should posting the general ledger be performed by an employee who posts the depositor's/investor's/creditor's subsidiary ledgers;
b. A lending officer shall never be allowed to disburse proceeds of loans, accept payment on loans nor post loan ledgers;
c. The functions of issuing, recording and signing of drafts/checks shall be separated;
d. Checks and other cash items shall be maintained either by an employee not handling cash or by the Rack/Distributing Department provided that adequate control as to custody and disposition of funds are properly maintained;
e. The receipt of statements from depository bank shall be assigned to an employee other than the one connected with the preparation, recording and signing of bank drafts or checks;
f. Custodians of securities shall not be allowed to handle security transactions;
g. Collateral appraisal shall be done by an employee/officer who does not approve loans;
h. Incoming checks and other cash items shall be recorded chronologically in a register by an employee other than the bookkeeper before they are forwarded for posting purposes;
i. Credit reports shall be obtained by someone other than lending officers;
j. Mailing of customers' statements and delinquent notices shall be done by an employee other than the one who granted the loan or the one handling the records; and
k. Dispatching and delivery of current account statements shall be done by someone who is not involved in current account operations.
l. For QBs, paid checks/drafts should be controlled and maintained by an officer/employee other than the authorized signatory or the cashier.

3. Joint custody

The following shall be under joint custody:

a. Cash on hand or in vault and in ATM cash dispensers;
b. All accountable forms;
c. Collaterals;
d. Securities;
e. Documents of title and/or ownership of properties or fixed assets;
f. Dormant or inactive deposit ledgers/EDP print-outs and corresponding signature cards including on-line posting of dormant/inactive accounts;
g. Import documents;
h. Trust receipts;
i. Collection items;
j. Duplicate keys, safe deposit spare locks and keys, and keys to unrented safe deposit boxes;
k. Safekeeping items;
l. Vault door and safe combinations;
m. Unissued specimen signature books;
n. Correspondent's and bank's own telegraphic and/or electronic fund transfer system or cable test keys currently in use;
o. Test key fixed numbers unissued;
p. Unissued and captured ATM cards and similar devices;
q. Access locks and keys to on-line EDP terminals and similar devices; and
r. Access locks and keys to EDP mainframes and peripherals.

4. Dual control

The following accounts/transactions shall be in dual control:

a. Checks, cashier's/manager's checks, telegraphic transfers (TTs) and electronic fund transfer system (EFTS) - The signature of at least two (2) officers should be required in the issuance of cashier's/manager's checks and payment orders (incoming and outgoing) of TTs and EFTS. The board of directors may, however, prescribe a predetermined amount by which one (1) senior officer can sign checks or payment orders, subject to appropriate control measures.
b. Certificates of Time Deposit - The board of directors of a bank is given the discretion to determine the number of signatories for the issuance of certificates of time deposit (CTDs). The internal control measures for the issuance of CTDs include, at a minimum, the following activities:
   * Joint custody of unissued CTD forms;
   * Accounting for all issued/cancelled CTDs;
   * Signature requirement for the issuance of CTDs;
   * Counterchecking of issued CTDs against the tellers' proof sheets/validated slips; and
   * Recording of CTD transactions.
c. Bank Drafts - The signature of two (2) authorized officers should be required in the issuance of bank draft.
d. Borrowings - The signature of at least two (2) authorized officers should be required.
e. All transactions giving rise to Due to or Due from accounts and all instruments of remittances evidencing these transactions particularly those involving substantial amounts should be approved by two (2) authorized officers.

5. Number control

The following are the forms, instruments and accounts that shall be number-controlled:

a. Bank drafts;
b. Checks, manager's and cashier's checks;
c. Promissory notes and other commercial papers;
d. Savings deposit accounts;
e. Demand deposit accounts;
f. CTs;
g. Letters of credit;
h. Collection items;
i. Official and provisional receipts;
j. Certificates of stocks;
k. Loan accounts;
l. Expense vouchers;
m. Payment orders (incoming and outgoing) of TTs and EFTS;
n. Transfer requests through EFT involving bank's accounts abroad;
o. EDP batch transmittal slips of documents; and
p. Due to/from head office/branches tickets.

6. Confirmation of accounts

At least once a year, the internal auditing staff shall confirm by direct verification with bank clients, the following:

a. Balances of loans and credit accommodations of borrowers;
b. Deposit account balances particularly new deposit accounts, inactive or dormant accounts and closed accounts;
c. Outstanding balances of borrowings and other liabilities; and
d. Outstanding balances of receivables/payables.
e. For QBs, collaterals securing said accounts.

7. Internal control measures for dormant/inactive accounts

a. Definition of dormant or inactive accounts
   * Current or checking accounts showing no activity (deposit or withdrawals) for a period of one (1) year.
   * Savings account showing no activity (deposit or withdrawals) for a period of two (2) years.

b. Procedures for classification. Banks shall review and segregate dormant accounts as herein defined at least once in every semester.

c. Internal control measures
   * As a matter of policy, banks shall exert all efforts to prevent checking and savings accounts from becoming dormant. When it becomes apparent that an account is inactive, a short letter should be sent to the depositor encouraging him to use his account. In case of checking accounts, the banks shall ensure that the monthly statement of accounts reach the depositors.
     If the depositors cannot be located, the following steps should be undertaken:
     - Check any significant changes or fluctuations in the depositors' account balances over a period of time with emphasis on accounts with decreasing balances;
     - Verify apparent reactivation entries, represented either by deposit or withdrawal, that appears to have prevented the account from being classified as dormant; and
     - Investigate any obvious alteration of the ledger records.
   * Entries to dormant account ledgers shall be verified and approved by a designated officer. His initials shall be placed next to the entry on the ledger sheet.
   * Dormant accounts shall be segregated from active account ledgers with a separate subsidiary ledger. Segregated dormant accounts shall be placed under joint custody of two (2) responsible officers/employees. Signature cards for dormant accounts shall be removed from active files and held under joint custody.
   * All inquiries on dormant accounts shall be coursed to one officer who should obtain sufficient identification from the inquirer to assure that he is entitled to the information.
   * A trial balance of dormant account ledgers shall be taken periodically and balanced with the general control account by an employee other than the bookkeeper.
   * Dormant or inactive accounts shall be verified directly with depositors.
   * All transactions affecting dormant accounts shall be subject to audit by the internal auditor.
   * A semestral report on deposit accounts transferred to dormant shall be rendered to bank management.

8. Other Internal Control Measures

a. Deposit accounts
   * All new current accounts shall be approved by a designated officer.
   * Signature cards and deposit ledger sheets shall be authenticated by some form of validation. Subsequent changes shall also be validated.
   * Signature cards and deposit ledger sheets shall be accessible only to authorized persons.
   * Deposit tickets shall be occasionally examined at irregular intervals to determine that postings are made on the actual date deposits are received.
   * Checks shall be cancelled as soon as they have been paid and posted.
   * Reports on closed accounts and returned checks shall be prepared daily.
   * All current account statements shall be mailed or sent electronically via electronic mail (e-mail), or such other electronic means direct to depositors: Provided, That banks using the electronic means of sending the current account statements shall have prior BSP-approved internet banking service and shall strictly observe the required retention of electronic data messages or electronic documents under Section 13 of R.A. No. 8792, otherwise known as the “Electronic Commerce Act”. Undelivered statements shall be retained by an organizational unit not responsible for demand deposit account processing.
   * An officer shall be designated to attend to customers who report differences on their statements.
   * Checkbooks shall be issued only against requisition forms signed by an authorized signatory to the account.
   * Banks shall adopt a system to establish the identity of their depositors.

b. For QBs: investments
   * Investment limits and a list of accredited companies as approved by the Board of Directors or by its Credit Committee should be established as a guide for investing in any FI engaged in money market trading.
   * Investments should be secured by assets approved by the Board of Directors or by its Credit Committee.
   * Checks representing placements of investments should be released only upon receipt of either the deposit substitute instrument or the underlying securities or documents of title.

c. Miscellaneous
   * Loan applications and related documents shall be verified to ensure their authenticity particularly the name, residence, employment and current reputation of the borrowers.
   * Tellers paying checks to strangers shall obtain positive identification of the person and the account on which the checks are drawn should be verified.
   * No employee shall be permitted to process transaction affecting his own account.
   * Tellers/cashiers and other employees having contact with customers shall be prohibited from preparing deposit ticket, withdrawal slip or other forms for the customer.
   * All banks/QBs shall have a sound recruitment policy.
   * In the case of TBs, all accountable officers and employees shall be bonded.
   * All QBs shall secure adequate insurance coverages, fidelity and other indemnity protection.