The Presidents/Chief Executives
All Banks/DFIs

Dear Sirs/Madam,

GUIDELINES ON INTERNAL CONTROLS

Recent developments in financial sector, both at home and abroad, have proved that adequate risk management and good corporate governance are crucial to the strength and success of banking business. An effective internal control system is an integral part of an ideal risk management framework. A properly designed and strictly enforced system of internal controls helps protect the organization’s assets and profitability from operational losses and frauds and forgeries, produces reliable financial and management reports, helps compliance with laws and regulations, and finally, creates value for the stakeholders.

2 As a part of our ongoing efforts to encourage banks/DFIs to adopt robust risk management practices, the State Bank of Pakistan has prepared attached Guidelines on Internal Controls. These guidelines require all banks/DFIs to ensure existence of an effective system of internal controls which is commensurate with the nature, size and complexity of their business; minimizes the risk inherent in their activities; and responds to changes in the business and general economic environment in which the banks/DFIs operate.

3 These guidelines include a brief introduction to the Internal Controls, followed by Objectives of Internal Control System, Control Principles, Components of Internal Control System, Responsibilities of key players, Implementation of Internal Controls, Evaluation of Internal Controls, and finally, Reporting of Internal Controls. The salient features of the guidelines are as under:

a) Objectives of internal controls can be divided into three categories – performance, information and compliance objectives. Internal controls for assets protection, operational efficiency and risk management tend to achieve performance objectives; those meant for ensuring accuracy of recording and adequacy of disclosure are meant to serve information objective, and those for ensuring adherence to laws, regulations and internal polices, are meant to serve compliance objective of internal controls.
b) While developing framework of internal controls, some universally accepted and well-tested Controls Principles need to be followed by all organizations, irrespective of their size, nature and complexity of business. These principles include: internal controls’ coverage to all business activities, segregation of duties at various levels, clearly defined authorization and approval powers, periodic review and reconciliation, existence of physical controls, continuous training and supervision of staff, etc.

c) For establishing an internal control system, it is important to identify and understand different components of internal control system. Major components include: Control environment; Risk assessment; Instituting Control; Accounting, information, and communication systems; and Self-assessment or monitoring.

d) Regarding responsibility for putting in place an effective internal control system, all employees are ultimately responsible for operating and maintaining an efficient internal control system at their respective levels. However, the Board of Directors is responsible for ensuring existence of an efficient internal control system, management is responsible for appropriate design and functioning of the system, internal audit for continuous monitoring and internal evaluation of that system and for making timely and practical suggestions for improvement, external auditor is responsible for evaluating the system with respect to its design, performance and management’s understanding regarding its adequacy, and finally, the regulator is responsible for reviewing the internal controls for ensuring compliance with relevant guidelines, laws and regulations.

e) Regarding implementation of internal controls, it may be noted that there is no universal model/design for this purpose. It depends upon the size, nature, complexity, scope, risk exposure, etc., of the institution. However, at the minimum, implementation process should involve all – Board, Audit Committee, Senior Management, Audit staff and all other key players who should compare the current best practices with the control model and identify the gap, if any; assess the business environment, organization culture and key players; etc. to ensure that the internal control system is functioning effectively.

f) Evaluation, an important part of internal control system, is meant to detect errors/discrepancies in the internal control system; to minimize deviations from policies, procedures and laws; and to recommend improvements for the best. Evaluation is a multi-party process done by Internal Auditor, External Auditor and the Supervisor. Different parties use different techniques keeping in view the objective of their evaluation.

g) Final part of guidelines is regarding reporting on internal controls. The reports are evidence of understanding of the Board of Directors, management and auditors regarding the robustness and effectiveness of internal controls vis-à-vis activities of the institution.

4 The attached guidelines are aimed at providing guidance to banks/DFIs in instituting an effective internal control system in their institutions. The banks/DFIs are required to take necessary steps, including training of their staff, to implement these guidelines.

5 All banks/DFIs are also required to submit a half-yearly progress report, within 30 days of the end of each calendar half-year, regarding the status of the development and implementation of the guidelines. First such progress report shall be for the half-year ending on 31st December 2004, which shall be submitted on or before 31st January 2005. In addition, the internal control systems will be tested/checked by our inspectors and will factor in the CAMELS-S rating system under ‘S’ (Systems & Controls).