The
Presidents/Chief Executives
All
Banks/DFIs
Dear
Sirs/Madam,
GUIDELINES
ON INTERNAL CONTROLS
Recent developments in financial
sector, both at home and abroad, have proved that adequate
risk management and good corporate governance are crucial
to the strength and success of banking business. An effective
internal control system is an integral part of an ideal
risk management framework. A properly designed and strictly
enforced system of internal controls helps protect the organization’s
assets and profitability from operational losses and frauds
and forgeries, produces reliable financial and management
reports, helps compliance with laws and regulations, and
finally, creates value for the stakeholders.
2
As a part of our ongoing efforts to encourage banks/DFIs
to adopt robust risk management practices, the State Bank
of Pakistan has prepared attached Guidelines on Internal
Controls. These guidelines require all banks/DFIs to ensure
existence of an effective system of internal controls which
is commensurate with the nature, size and complexity of
their business; minimizes the risk inherent in their activities;
and responds to changes in the business and general economic
environment in which the banks/DFIs operate.
3
These guidelines include a brief introduction to the Internal
Controls, followed by Objectives of Internal Control System,
Control Principles, Components of Internal Control System,
Responsibilities of key players, Implementation of Internal
Controls, Evaluation of Internal Controls, and finally,
Reporting of Internal Controls. The salient features of
the guidelines are as under:
a)
Objectives of internal controls can be divided into three
categories – performance, information and compliance
objectives. Internal controls for assets protection, operational
efficiency and risk management tend to achieve performance
objectives; those meant for ensuring accuracy of recording
and adequacy of disclosure are meant to serve information
objective, and those for ensuring adherence to laws, regulations
and internal polices, are meant to serve compliance objective
of internal controls.
b) While developing framework of internal controls, some
universally accepted and well-tested Controls Principles
need to be followed by all organizations, irrespective of
their size, nature and complexity of business. These principles
include: internal controls’ coverage to all business
activities, segregation of duties at various levels, clearly
defined authorization and approval powers, periodic review
and reconciliation, existence of physical controls, continuous
training and supervision of staff, etc.
c)
For establishing an internal control system, it is important
to identify and understand different components of internal
control system. Major components include: Control environment;
Risk assessment; Instituting Control; Accounting, information,
and communication systems; and Self-assessment or monitoring.
d)
Regarding responsibility for putting in place an effective
internal control system, all employees are ultimately responsible
for operating and maintaining an efficient internal control
system at their respective levels. However, the Board of
Directors is responsible for ensuring existence of an efficient
internal control system, management is responsible for appropriate
design and functioning of the system, internal audit for
continuous monitoring and internal evaluation of that system
and for making timely and practical suggestions for improvement,
external auditor is responsible for evaluating the system
with respect to its design, performance and management’s
understanding regarding its adequacy, and finally, the regulator
is responsible for reviewing the internal controls for ensuring
compliance with relevant guidelines, laws and regulations.
e)
Regarding implementation of internal controls, it may be
noted that there is no universal model/design for this purpose.
It depends upon the size, nature, complexity, scope, risk
exposure, etc., of the institution. However, at the minimum,
implementation process should involve all – Board,
Audit Committee, Senior Management, Audit staff and all
other key players who should compare the current best practices
with the control model and identify the gap, if any; assess
the business environment, organization culture and key players;
etc. to ensure that the internal control system is functioning
effectively.
f)
Evaluation, an important part of internal control system,
is meant to detect errors/discrepancies in the internal
control system; to minimize deviations from policies, procedures
and laws; and to recommend improvements for the best. Evaluation
is a multi-party process done by Internal Auditor, External
Auditor and the Supervisor. Different parties use different
techniques keeping in view the objective of their evaluation.
g)
Final part of guidelines is regarding reporting on internal
controls. The reports are evidence of understanding of the
Board of Directors, management and auditors regarding the
robustness and effectiveness of internal controls vis-à-vis
activities of the institution.
4
The attached guidelines are aimed at providing guidance
to banks/DFIs in instituting an effective internal control
system in their institutions. The banks/DFIs are required
to take necessary steps, including training of their staff,
to implement these guidelines.
5
All banks/DFIs are also required to submit a half-yearly
progress report, within 30 days of the end of each calendar
half-year, regarding the status of the development and implementation
of the guidelines. First such progress report shall be for
the half-year ending on 31st December 2004, which shall
be submitted on or before 31st January 2005. In addition,
the internal control systems will be tested/checked by our
inspectors and will factor in the CAMELS-S rating system
under ‘S’ (Systems & Controls).