
MANAGING CORE RISKS OF FINANCIAL INSTITUTIONS

ON
Internal Control & Compliance Framework

Industry Best Practices

BANGLADESH BANK

FOCUS GROUP MEMBERS

Co-Ordinator:
Mr. Masum Patwary, Joint Director, FID


Members:
Mr. Shantonu Saha
Mr. M. Ataul Hoque
Mr. Md. Nazimuddoula
Mr. Sayed Aminul Islam
Mr. Iqbal Mahmud
Mr. Moin Al Kashem
Mr. Mainul Huda
Mr. Nandan Kumar Paul
Mr. A.K.M. Anwarul Kabir













INDEX OF GUIDELINES OF BANGLADESH BANK FOR FINANCIAL
INSTITUTIONS ON INTERNAL CONTROLS

1 INTRODUCTION
1.1 Overview
1.2 Definition
1.3 Objectives of Internal Controls

2 STANDARDS OF INTERNAL CONTROLS

3 ELEMENTS OF A SOUND SYSTEM OF INTERNAL CONTROLS AND THE
PRINCIPLES FOR ASSESSING THE SYSTEM

(A) Components of Internal Controls
3.1 Management oversight and environment for control
3.2 Risk Assessment & Management
3.3 Instituting Controls
3.4 Accounting, Information & Communication Systems
3.5 Self-Assessment & Monitoring

(B) Principles

4 RESPONSIBILITIES
4.1 Board of Directors
4.2 Management
4.3 Auditor Committee
4.4 External Auditor
4.5 Regulator

5 IMPLEMENTATION OF INTERNAL CONTROLS

5.1 Compare current practices and identify gaps.
5.2 Involve senior management and other key players.
5.3 Assess business environment, organization culture and key players.
5.4 Decide on implementation strategy.
5.5 Provide training to everyone involved
5.6 Rectification & Improvement
5.7 Instituting an appropriate organization structure
5.7.1 Structure of Internal Control Unit
5.8 Preparing various Guidelines / Manuals / Documents on
a. Standard Operating procedures Credit & Operations
b. Finance and Accounting Manual
c. Treasury Manual
d. Human Resource Policy Manual
e. Information Technology Manual

6 EXAMINATION OR EVALUATION OF CONTROL
6.1 Dept Control Function Checklist (Appendix 7.1)
6.2 Loan Documentation Checklist (Appendix 7.2)
6.3 Quarterly Operations Report (Appendix 7.3)
6.4 Risk Analysis of Control Functions
6.5 Audit Procedure & Communication of weakness
6.6 Compliance Process

7 APPENDIXES
7.1 Departmental control function checklist - Quarterly
7.2 Departmental control function checklist - Monthly
7.3 Departmental control function checklist - Weekly
7.4 Departmental control function checklist - Daily
7.5 Periodic operational report
7.6 Loan Documentation checklist



Internal Control
And Compliance Risk


Page 1 of 41
1. INTERNAL CONTROL POLICY
1.1 Overview

Since their inception in the early eighties, NBFIs have shown steady growth in business.
Their role in industrialization and their contribution to the national exchequer cannot be
undermined. In respect of asset management and risk management they have already shown
some glimpse of hope for the regulatory bodies. NBFIs are nowadays focusing more on
business diversification and consolidation of their existing business. These diversified and
complex financial activities involve various risks such as credit risk, market risk, interest rate
risk, liquidity risk, operational risk, legal risk etc. Shaping the future of a financial
organization depends significantly on how these risks are handled and minimised or
protected against through an effective internal control system.

Though the Board is responsible for approving strategies and policies, the top management
has the responsibility for implementing strategies, setting appropriate internal control
policies and monitoring the effectiveness of the internal control system.

In many NBFIs internal control is identified with internal audit, but the scope of internal
control is not limited to audit work. It is an integral part of the daily activity of an NBFI, which
on its own merit identifies the risks associated with the process and adopts measures to
mitigate them.

Internal Audit, on the other hand, is a part of the Internal Control system which reinforces the
control system through regular review.

According to an IMF publication Internal Control refers to the mechanism in place on a
permanent basis to control the activities in an organization, both at a central and at a
departmental divisional level. A key component of effective internal control is the operation
of a solid accounting and information system.

It should be mentioned that an effective internal control system could have contributed
significantly to improving the performance of the NBFIs if the control culture is brought in
through policy guidelines and structural changes in those organizations.


1.2 Definition

In plain English, internal controls are the exercise of good old common-sense practices. Even in
personal life we practice internal control principles when we:

• Store and lock up valuable personal belongings
• Keep copies of our tax return
• Match credit card copies to monthly statements etc.

More formally, internal control is the process, effected by a company's Board of Directors,
management and other personnel, designed to provide reasonable assurance regarding the
achievement of objectives in the following categories:
• effectiveness and efficiency of operations
• reliability of financial reporting and
• compliance with applicable laws, regulations, and internal policies.


Internal controls are tools that help management be effective and efficient while avoiding
serious problems such as overspending, operational failure, and violation of laws.

In other words Internal Controls are the structure, policies and procedures put in place to
provide reasonable assurance that management meets its objectives and fulfils its
responsibilities.

These definitions reflect certain fundamental concepts:

1. Internal control is a process. It is a means to an end, not an end in itself.
2. Internal control is effected by people.
3. Internal control can be expected to provide reasonable assurance, not absolute
assurance, to an entity's management and Board.
4. Internal control is geared to the achievement of objectives.


1.3 Objective of Internal Control

The primary objective of the internal control system in an NBFI is to help the organization
perform better through the use of its resources. Through the internal control system an NBFI
identifies its weaknesses and takes appropriate measures to overcome them. The main
objectives of internal control are as follows:

• Efficiency and effectiveness of activities (performance objectives)
• Reliability, completeness and timeliness of financial and management information
  (information objectives)
• Compliance with applicable laws and regulations (compliance objectives)
• Accountability to the Board























2 STANDARDS OF INTERNAL CONTROL

Internal control policies set forth some standards that departments must establish and
incorporate in an internal control structure:

(I) Cover all activities: All financial institutions should develop internal controls which have
coverage over all their functions, in general, and the key risk areas (KRA) in particular. Key
Risk Areas include those core activities, the breakdown of which may render a financial
institution unable to meet its obligations to its customers, regulators and the sponsors.
Further, the risk originating from such activities is of a type that may cause systemic
failure of other financial institutions. Examples of key risk areas are Liquidity Risk, Interest
Rate Risk, Foreign Exchange Risk, Credit Risk, Operational Risk, etc.

(II) Regular Feature: Control activities should be an integral part of the daily activities of a
financial institution / DFI in such a manner that they become ingrained in its ongoing
processes rather than a year-end fire drill to satisfy documentation requests from auditors
and supervisors.

(III) Separation of Duties: Duties should be divided so that no one person has complete
control over a key function or activity.

(IV) Authorization and Approval: All transactions should be authorized before recording
and execution.

(V) Custodial and Security Arrangements: Responsibility for custody of assets needs to be
separated from the related record keeping.

(VI) Review and Reconciliation: Records should be examined and reconciled regularly to
determine that transactions are properly processed, approved and booked.

(VII) Physical Controls: Equipment, inventories, cash and other assets should be secured
physically, counted periodically and compared with amounts shown on control records.

(VIII) Training and Supervision: Qualified, well-trained and supervised employees always
help ensure that control processes function properly.

(IX) Documentation: Documented policies and procedures promote employee
understanding of duties and help ensure continuity during employee absences or turnover.
Therefore, policies and procedures (in the form of operations manuals and desk instructions)
should exist in all financial institutions / DFIs.

(X) Communication of importance of Internal Controls: Setting standards of professional
integrity and work ethics and ensuring that all levels of personnel in their organization
know the importance of internal controls, understand their role in the internal controls
process and are fully engaged in the process.

(XI) Cost/Benefit: It is for the financial institutions to assess whether the costs associated
with control processes are commensurate with the expected benefits.




3 ELEMENTS OF A SOUND SYSTEM OF INTERNAL CONTROLS AND THE
PRINCIPLES FOR ASSESSING THE SYSTEM


(A) Components of Internal Controls

An effective internal control system consists of the following interrelated components:

3.1. Management oversight & Control environment;
3.2. Risk assessment & management;
3.3. Control activities & segregation of duties;
3.4. Accounting, information & communication and
3.5. Self assessment & monitoring

3.1 Control Environment:
The environment in which internal control operates has an impact on the effectiveness of the
control procedures. In fact, it is the institution's control environment which embodies the
principles of strong internal control. Besides giving structure to the internal control system,
it provides discipline and protocol. The success of the control environment is judged according
to the integrity, ethics, and competence of personnel; the organizational structure of the
institution; oversight by the board of directors and senior management; management's
philosophy and operating style; attention and direction provided by the board of directors
and its committees, especially the audit and risk management committees; personnel
policies and practices; and external influences affecting operations and practices.

In order for internal controls to be effective, an appropriate control environment should
demonstrate the following behaviours:

• Board of directors reviews policies and procedures periodically and ensures their
  compliance
• Board of directors determines whether there is an audit and control system in place
  to periodically test and monitor compliance with internal control
  policies/procedures and to report to the board instances of non-compliance
• Board of directors ensures independence of internal and external auditors such that
  internal audit directly reports to the audit committee of the board which is
  responsible to the board and that external auditor interacts with the said committee
  and presents management letter to the board directly
• Board ensures that appropriate remedial action has been taken when instances of
  non-compliance are reported and that the system has been improved to avoid recurring
  errors/mistakes
• Management information systems provide adequate information to the board and
  the board can have access to the financial institution's records, if need arises
• Board and management ensure communication of conduct or ethics policies and
  compliance thereof down the line within the organization

In short, a strong control environment and an effective internal audit function can
significantly complement specific control procedures. However, the constitution of an internal
control environment at a point in time does not, by itself, ensure the effectiveness of the
overall system of internal control; it is continuous supervision by management that
ensures it is functioning as prescribed and is modified as appropriate. Many internal
control failures that resulted in significant losses for financial institutions could have been
substantially lessened or even avoided if the board and senior management of the
organisations had established strong control cultures.

Weak control cultures often had two common elements:

First, senior management failed to emphasise the importance of a strong system of internal
control through their words and actions, and most importantly, through the criteria used to
determine compensation and promotion.

Second, senior management failed to ensure that the organisational structure and
managerial accountabilities were well-defined. For example, senior management failed to
require adequate supervision of key decision makers and reporting of the nature and
conduct of business activities in a timely manner.

Senior management may weaken the control culture by promoting and rewarding managers
who are successful in generating profits but fail to implement internal control policies or
address problems identified by internal audit. Such actions send a message to others in the
organisation that internal control is considered secondary to other goals in the organisation,
and thus diminish the commitment to and quality of the control culture.


3.2 Risk assessment and management:
Every activity of a financial institution involves some kind of risk, and this compels
financial institutions, as part of an internal control system, to ensure that these risks are
identified, assessed and mitigated. From an internal control perspective, risk assessment
involves identification and evaluation of factors, both internal and external, that could
adversely affect the performance, information and compliance objectives of a financial
institution. Internal factors include: complexity, nature and size of operations; quality of
personnel and employee turnover; objectives and goals, etc. External factors include:
fluctuating economic conditions, changes in the industry and technological advances, degree
of aggressiveness of the market and competition faced by the market participants, etc. It may
be noted that it differs from the risk management process, which typically focuses more on
the review of business strategies and plans developed to maximize the risk/reward trade-off
within the different areas of the financial institution.

This risk identification should be done across the full spectrum of activities, addressing both
measurable and non-measurable aspects of risks. The second part of risk assessment,
evaluation, is done to determine which risks are controllable by the financial institution and
which are not. For those risks that are controllable, the financial institution must assess
whether to accept those risks or the extent to which it wishes to mitigate the risks through
control procedures. For those risks that cannot be controlled, the financial institution must
decide, for the present, whether to accept these risks or to withdraw from or reduce the level
of business activity concerned. But for the future, internal controls may need to be revised to
appropriately address any new or previously uncontrolled risks.

An effective risk assessment system allows the board and the management to plan for and
respond to existing and emerging risks in the financial institution's activities. For that matter,
such a system needs to demonstrate the following:



Board and management involve audit personnel or other internal control experts in the risk
assessment and risk evaluation process. Those experts should be competent, knowledgeable,
and provided with adequate resources.

As the risks mutate with time and with changing circumstances, the board and the
management, with due involvement of audit personnel, should appropriately evaluate the
risks and consider control issues related to existing products and those relevant to new
products and activities.

Risk coverage in the form of insurance (that is risk transfer) or provisioning (contingency
fund) in relation to the financial institution's risk profile is adequate.

In the recent past, inadequate risk assessment has contributed to some organisations'
internal control problems and related losses. In some cases, the potential high yields
associated with certain loans, investments, and derivative instruments distracted
management from the need to thoroughly assess the risks associated with the transactions
and devote sufficient resources to the continual monitoring and review of risk exposures.
Losses have also been caused when management has failed to update the risk assessment
process as the organisation's operating environment changed. For example, as more
complex or sophisticated products within a business line are developed, internal controls
may not be enhanced to address the more complex products. A second example involves
entry into a new business activity without a full, objective assessment of the risks involved.
Without this reassessment of risks, the system of internal control may not appropriately
address the risks in the new business.

3.3 Instituting Controls:
Control activities are designed and implemented to address the risks that the financial
institution identified through the risk assessment process as described above. Control
activities involve: (a) establishment of control policies and procedures, (b) verification that
the control policies and procedures are being complied with.

It is desired that control activities should involve all levels of personnel in the financial
institutions, including senior management as well as front line personnel. Instituting an
appropriate controls structure ensures the efficacy of an internal control system. This
process involves:

Existence and compliance of policies and procedures ensuring that decisions are
made with appropriate approvals and authorizations for transactions and activities
while assuring that exceptions to the policies are minimal and reported to the board
and the top management;

Timely reconciliation of accounts so that outstanding items, both on-and off-balance-
sheet, are resolved and cleared;

Segregation of duties, existence of cross-checks, more-than-one-person authorization,
dual controls, joint custody of keys, safeguards for access to and use of sensitive
assets and records and forced leave policies, employee rotation systems are
functioning in sensitive positions or risk-taking activities so that concerned
employees do not have absolute control over areas;



Building of such reporting lines within a business or functional area that
independence of the control function is ensured;

Accountability mechanism for the actions taken by the personnel as per their
responsibilities and authorities;

Structure and functioning of compliance framework through which the board and
senior management establishes that compliance with applicable laws and regulations
is ensured.

In short, top level reviews; appropriate activity controls for different departments or
divisions; physical controls; checking for compliance with exposure limits and follow-up on
non-compliance; a system of approvals and authorizations; and, a system of verification and
reconciliation are major constituents of the control activities.


3.4 Accounting Information and Communication Systems

An institution's accounting, information, and communication systems ensure that risk-
taking activities are within policy guidelines and that the systems are adequately tested and
reviewed.

For this the following is important to note:

• An effective internal control system requires that there is an effective reporting system
  for information that is relevant to decision making. The information should be
  reliable, timely, accessible and provided in a consistent format.
• Information would have to include external market information about events and
  conditions that are relevant to decision making. Internal information includes
  financial, operational and compliance data.
• There should be appropriate committees within the organization which would
  evaluate data received through various information systems. This will ensure supply
  of correct and accurate information to the management.
• Internal information must cover all significant activities of the financial institutions.
  These systems, including those that hold and use data in electronic form, must be
  secure, monitored independently and supported by contingency arrangements.
• Most importantly, the channels of communication must ensure that all staff fully
  understand and adhere to policies and procedures affecting their duties and
  responsibilities and that other relevant information is reaching the appropriate
  personnel.

An accounting system is adequate if it properly identifies, assembles, analyzes, classifies,
records, and reports the institution's transactions in accordance with prescribed formats and
international best practices.

The adequacy of information systems is determined by the type, number, and depth of
reports they generate for operational, financial, managerial, and compliance-related activities
and the access and authorization to information systems. An ideal information system
covers the full range of its activities in such a manner that information remains
understandable and useful for audit trail.

Adequate information and effective communication are essential to the proper functioning
of a system of internal control. From the financial institution's perspective, in order for
information to be useful, it must be relevant, reliable, timely, accessible, and provided in a
consistent format. Information includes internal financial, operational and compliance data,
as well as external market information about events and conditions that are relevant to
decision making. Internal information is part of a record-keeping process that should
include established procedures for record retention.

On the one hand, the adequacy of communication systems is established by the fact that it
imparts significant information throughout the institution (from the top down and from the
bottom up, and laterally), ensuring that personnel understand whatever has been
communicated and on the other hand, communication system should ensure that significant
information is imparted to external parties such as regulators, shareholders, and customers.

Without effective communication, information is useless. Senior management of financial
institutions need to establish effective paths of communication in order to ensure that the
necessary information is reaching the appropriate people. This information relates both to
the operational policies and procedures of the financial institutions as well as information
regarding the actual operational performance of the organisation.

The organisational structure of the financial institutions should facilitate a complete flow of
information - upward, downward and across the organisation. A structure that facilitates
this flow ensures that information flows upward so that the board of directors and senior
management are aware of the business risks and the operating performance of the financial
institutions.

Information flowing down through an organisation ensures that the financial institution's
objectives, strategies, and expectations, as well as its established policies and procedures, are
communicated to lower level management and operations personnel. This communication is
essential to achieve a unified effort by all of the financial institution's employees to meet the
financial institution's objectives.

Finally, communication across the organisation is necessary to ensure that information that
one division or department knows can be shared with other affected divisions or
departments.


3.5 Self-Assessment and Monitoring:
An integral component of internal control system is self-assessment and monitoring which
includes:
Board and senior management oversight of the internal control, control reviews, and
audit findings. Before starting full scale control review, the board and senior
management should give their approval of the overall scope of the control review
activities (e.g., audit, loan review, etc.).

Frequent and comprehensive reporting of deviations to the board or board
committee and senior management regarding sufficiency of details and timely
presentation to allow for resolution and appropriate action.


Adequate documentation of management responses to audit or other control review
findings so that they can be tracked for adequate follow-up.

Board or board committee or senior management review of the qualifications and
independence of the personnel evaluating controls (e.g., external auditors, internal
auditors, or line managers).

Financial institutions are a dynamic, rapidly evolving industry. Financial institutions must
continually monitor and evaluate their internal control systems in light of changing internal
and external conditions, and must enhance these systems as necessary to maintain their
effectiveness.

Monitoring the effectiveness of internal controls should be part of the daily operations of the
financial institutions but also include separate periodic evaluations of the overall internal
control process. The frequency of monitoring different activities of a financial institution
should be determined by considering the risks involved and the frequency and nature of
changes occurring in the operating environment. Ongoing monitoring activities can offer the
advantage of quickly detecting and correcting deficiencies in the system of internal control.

Such monitoring is most effective when the system of internal control is integrated into the
operating environment and produces regular reports for review. Examples of ongoing
monitoring include the review and approval of journal entries, and management review and
approval of exception reports.



























(B) CONTROL PRINCIPLES

So far we have discussed the elements of a sound internal control system. Now the question is
how to assess the internal controls of a particular organization. The following principles
related to the basic elements of control should be borne in mind while assessing internal
control:


A) Management Oversight and Control Environment

Principle 1:
The board of directors should have responsibility for approving and periodically reviewing
the overall business strategies and significant policies of the financial institutions;
understanding the major risks run by the financial institutions, setting acceptable levels for
these risks and ensuring that senior management takes the steps necessary to identify,
measure, monitor and control these risks; approving the organizational structure; and
ensuring that senior management is monitoring the effectiveness of the internal control
system. The board of directors is ultimately responsible for ensuring that an adequate and
effective system of internal controls is established and maintained.

Principle 2:
Senior management should have responsibility for implementing strategies and policies
approved by the board; developing processes that identify, measure, monitor and control
risks incurred by the financial institutions; maintaining an organizational structure that
clearly assigns responsibility, authority and reporting relationships; ensuring that delegated
responsibilities are effectively carried out; setting appropriate internal control policies; and
monitoring the adequacy and effectiveness of the internal control system.

Principle 3:
The board of directors and senior management are responsible for promoting high ethical
and integrity standards, and for establishing a culture within the organization that
emphasizes and demonstrates to all levels of personnel the importance of internal controls.
All personnel at a financial institution need to understand their role in the internal controls
process and be fully engaged in the process.

B) Risk Recognition and Assessment

Principle 4:
An effective internal control system requires that the material risks that could adversely
affect the achievement of the financial institution's goals are being recognized and
continually assessed. This assessment should cover all risks facing the financial institutions
(that is, credit risk, country and transfer risk, market risk, interest rate risk, liquidity risk,
operational risk, legal risk and reputation risk). Internal controls may need to be revised to
appropriately address any new or previously uncontrolled risks.

C) Control Activities and Segregation of Duties

Principle 5:
Control activities should be an integral part of the daily activities of a financial institution.
An effective internal control system requires that an appropriate control structure be set up,
with control activities defined at every business level. These should include: top level
reviews; appropriate activity controls for different departments or divisions; physical
controls; checking for compliance with exposure limits and follow-up on non-compliance; a
system of approvals and authorizations; and, a system of verification and reconciliation. BIS
Framework for Internal Control Systems in Financial institutions.

Principle 6:
An effective internal control system requires that there is appropriate segregation of duties
and that personnel are not assigned conflicting responsibilities. Areas of potential conflicts
of interest should be identified, minimized, and subject to careful, independent monitoring.

D) Information and communication

Principle 7:
An effective internal control system requires that there are adequate and comprehensive
internal financial, operational and compliance data, as well as external market information
about events and conditions that are relevant to decision making. Information should be
reliable, timely, accessible, and provided in a consistent format.

Principle 8:
An effective internal control system requires that there are reliable information systems in
place that cover all significant activities of the financial institutions. These systems,
including those that hold and use data in an electronic form, must be secure, monitored
independently and supported by adequate contingency arrangements.

Principle 9:
An effective internal control system requires effective channels of communication to ensure
that all staff fully understand and adhere to policies and procedures affecting their duties
and responsibilities and that other relevant information is reaching the appropriate
personnel.

E) Monitoring Activities and Correcting Deficiencies

Principle 10:
The overall effectiveness of the financial institution's internal controls should be monitored
on an ongoing basis. Monitoring of key risks should be part of the daily activities of the
financial institutions as well as periodic evaluations by the business lines and internal audit.

Principle 11:
There should be an effective and comprehensive internal audit of the internal control system
carried out by operationally independent, appropriately trained and competent staff. The
internal audit function, as part of the monitoring of the system of internal controls, should
report directly to the board of directors or its audit committee, and to senior management.

Principle 12:
Internal control deficiencies, whether identified by business line, internal audit, or other
control personnel, should be reported in a timely manner to the appropriate management
level and addressed promptly. Material internal control deficiencies should be reported to
senior management and the board of directors.



4 RESPONSIBILITIES OF THE PARTIES TO INTERNAL CONTROL

The board of directors, senior management and other personnel of financial institutions are
responsible for establishing, maintaining, and operating an appropriate internal control
system on an ongoing basis.

4.1 Board of Directors:
The Board of Directors of all financial institutions is responsible for ensuring that an
adequate and effective internal control system exists in their organization and that the senior
management is maintaining and monitoring the performance of that system. Moreover, the
Board should periodically review the internal control systems and the significant findings.
From the above it can be said that:

- The overall responsibility of setting an acceptable level of risk, ensuring that the senior
  management committee takes necessary steps to identify, measure, monitor and
  control these risks, establishing broad business strategy, significant policies and
  understanding significant risks of the company rests with the Board of Directors.
- Through the establishment of an 'Audit Committee' of the Board and Internal
  Control Department the Board of Directors can monitor the effectiveness of the internal
  control system.
- The internal as well as external audit reports will be sent to the board without any
  intervention of the management and ensure that the management takes timely and
  necessary actions as per the recommendations.
- The Board should have periodic review meetings with the senior management to
  discuss the effectiveness of the internal control system of the company and ensure
  that the management has taken appropriate actions as per the recommendations of
  the auditors and internal control.


4.2 Management:
Senior management of financial institutions have the responsibility for implementing
strategies and policies as approved by the board in the workplace; developing processes that
identify, measure, monitor and control risks incurred by the financial institutions;
maintaining an organizational structure that clearly assigns responsibility, authority and
reporting relationships; ensuring that delegated responsibilities are effectively carried out;
setting appropriate internal control policies; and monitoring the adequacy and effectiveness
of the internal control system.

4.3 Audit Committee of the Board:

This Committee shall be formed by the Board of a company. The members of the Audit
Committee shall be the selected Directors and the Managing Director. The Committee shall
sit at least quarterly in a year. The Committee shall perform its work through an Internal
Control Unit comprising the Audit & Inspection wing and Compliance wing.

The Committee shall monitor the adequacy and effectiveness of the Internal Control System
based on established policies and procedures.

The Committee, through its two wings, shall produce, on a quarterly basis, a report on the
internal control system and significant findings and present it to the Board.


The terms of reference of the Audit Committee, frequency of meetings, and names of the
members of the Committee shall be decided by the Board.

4.4 External Auditor:
The external auditors are not part of a financial institution and, therefore, are not part of its
internal control system, yet they have an important impact on the quality of internal controls
through their audit activities, including discussions with management and
recommendations for improvement of internal controls. The external auditors provide
important feedback on the effectiveness of the internal control system.

The concept of external reporting on internal controls is well established and supported in
the accounting literature. It is expected that external / statutory auditors shall review control
systems for the impact they have on financial reporting and compliance with relevant
policies, procedures, regulations and laws. The extent of attention given to the internal
control system may vary by auditor and by financial institution; however, it is generally
expected that the auditor would identify significant weaknesses that exist at a financial
institution and report material weaknesses to management and the board in the form of an
audit report/management letter.

As regards internal control and the role of external auditors, the following things should be
borne in mind by the auditors:
- External Auditors, by dint of their independence from the management of the
  financial institutions, can provide unbiased recommendations on the strengths and
  weaknesses of the internal control system of the financial institutions.
- They can examine the records and transactions of the financial institutions and evaluate
  their accounting policy, disclosure policy and methods of financial estimation made by
  the financial institutions; this will allow the board and the management to have an
  independent overview of the overall control system of the financial institutions.

It should be made obligatory on the part of the auditor to report to the Bangladesh Bank
immediately if, during the course of audit, the auditor comes across any facts which (1) might
warrant qualification, (2) endanger the entity audited, and (3) indicate that the organization
has severely infringed the regulatory provisions/guidelines.

4.5 Regulator:

The Financial Institutions Department (FID) of Bangladesh Bank is the direct supervisor of
the financial institutions of Bangladesh. FID has many responsibilities to the Financial
Institutions to protect the interest of the public and to maintain financial discipline. The
responsibilities of FID should be regulatory as well as advisory.

In order to achieve the regulatory and supervisory objectives the Bangladesh Bank may
introduce a comprehensive supervisory framework.

Supervision can be of two types:
a. On Site Supervision and
b. Off Site Supervision

Off site supervision would structurally be an in-house review and analysis based on various
statutory returns and other statements.


On site supervision includes physical visits and inspections by Bangladesh Bank officials,
ensuring regulatory compliance, evaluation of financial soundness, appraisal of
management and identification of areas requiring corrections, review of asset quality,
analysis of key financial indicators etc.

As a regulator the Bangladesh Bank may introduce a system whereby the name of the
Financial Institution which had not complied with the regulatory directions could be
published in the newspapers.

The Bank may make it compulsory for the NBFIs to do credit rating periodically.

The Bank may introduce an on-line corporate memory/profile building process based on the
observations generated from the off-site surveillance system, market intelligence, complaints,
supervisory rating, record of compliance with directions and inspection findings.

Bangladesh Bank may think of devising a suitable system for co-ordinating the on-site
inspection in tandem with the other regulatory authorities so that these NBFIs are subject to
a one-shot examination by different regulatory authorities.

The Bank may think of introducing a supervisory rating system for the NBFIs. Such a rating
system should be designed on the basis of different levels of regulatory compliance, capital
adequacy and rating assigned by the credit rating agencies.

Based on the rating, the NBFIs may be placed in three different supervisory watch lists with
low, medium and high risks. The rating assigned may primarily be the tool for triggering
on-site inspection at various intervals.

It shall play its role as a watchdog, review compliance with the regulations and circulars
issued from time to time through periodic inspections and visits, issue new directives for the
betterment of the macro economy, take corrective actions if necessary, and provide necessary
advice and clarifications to the NBFIs.

During the course of regular inspection of financial institutions or when required, the Financial
Institutions Department (FID) of Bangladesh Bank shall review the internal control system of
any financial institution in order to ensure compliance with these guidelines and all other
relevant regulations and laws, and circulars issued and enforced from time to time. In addition
to that, the FID may review the report of the internal auditor of the financial institution, the
assessment report of the management regarding effectiveness of the internal control and the
Board's endorsement thereof, and the external/statutory auditor's evaluation of the
management regarding effectiveness of the internal control.

In addition to the above, the following points shall also apply to the regulators:
- For the financial institutions, Bangladesh Bank is the primary regulator, who governs
  the activities of financial institutions. In addition, the Tax Authority, Registrar of Joint
  Stock Company, Finance Ministry, Securities and Exchange Commission etc. are
  different types of Government bodies whose directives have significant impact on
  financial institutions' business.
- The internal control system should always take into account the financial institution's
  internal processes to meet the regulatory requirement before conducting any
  operation.
- The internal control system of the financial institutions must be designed in a
  manner that the compliance with regulatory requirements is recognized in each
  activity of the financial institutions. The financial institutions must obtain regular
  information on regulatory changes and distribute it among the concerned departments,
  so that they can take necessary action to adapt to such changes.
- The financial institutions must develop an effective communication process which
  will allow smooth distribution of relevant regulations among different departments
  and personnel.

5 IMPLEMENTATION OF INTERNAL CONTROLS:
Various models/methodologies are used for the design and implementation of internal
controls. However, it is for each organization to decide which model/strategy
suits the size, nature, complexity, scope, risk exposure, etc. of its activities. Nevertheless,
the following is a brief summary of the key points that should be kept in mind while
implementing the internal controls:

5.1 Compare current practices to the internal control system and identify gaps.
For an internal control expert, the most important consideration should be to evaluate the
existing system of internal control in comparison to one defined by these guidelines and
other international best practices. In this regard the first step is to identify what is and what
is not covered by existing practices.

5.2 Involve senior management, the audit committee, audit staff, other key players.
The thought process and implementation of change should not be considered as "just other
audit things." Senior management and the audit committee must be perceived as driving the
change and developing the control culture.

5.3 Assess business environment, organization culture and key players.
Before the process of change is set in, it would be necessary to understand: (1) What is
changing in the culture? (2) What is changing in the organization's businesses and systems?
(3) Are there organizational initiatives which internal control system implementation could
link to? (4) What is the perception about the internal auditing function within the organization?

5.4 Decide on implementation strategy.
If the new practices can be designed to align with other organizational initiatives, or if senior
management has taken ownership, this step is relatively easy. In any case, having a realistic
implementation strategy is critical to success. Most implementers introduce the new ideas
slowly and informally, building on personal relationships within the organization, listening
as much as talking, and gradually building a consensus for change.

5.5 Provide training to everyone involved.
The most critical factor to the successful implementation of a control model is that everyone
involved must understand internal control. Effective training depends heavily on how
concepts are phrased and the concrete examples and exercises which make the concepts real
to participants.

5.6 Rectification & Improvement:
The findings of the internal audit department and that of other experts should be reported
back to the relevant staff/office for rectification and improvement of the internal control
system.


5.7 Instituting an appropriate organization structure:
Organization structure plays a vital role in establishing an effective internal control system. It is
sometimes called the pictorial representation of the chain of command and the authority
and supervision chain of an organization. The essence of the ideal organizational structure
that will facilitate effectiveness of the internal control system is the segregation of duties.
The financial institutions should, depending on the nature of business, structure, size,
location of its branches and strength of its manpower, try to establish an organizational
structure which allows segregation of duties among its key functions such as marketing,
operations, credit, financial administration etc.

The level up to which this segregation takes place will depend on the individual financial
institution. For instance, a financial institution which has small branch operations at remote
places of the country may not find it feasible to have such functional segregation of duties at
that branch level. However, at the higher level such segregation should exist and, where
possible, this should be extended to the branch levels. In cases where such segregation is not
possible, there must be a monitoring mechanism which should be independently
reviewed to ensure all policies and procedures are followed at the branch level. A detailed
guideline in this respect is given in the following section.

5.7.1 Structure of the Internal Control Unit
For an effective control system a separate organizational structure is also provided for this
unit.

The audit committee of the board shall be the contact point for the internal control unit. The
unit should be adequately staffed so that it can perform its duty properly. In order to ensure
the availability of efficient people in internal control, the financial institutions will make it
mandatory for all middle to senior management staff to spend at least two years with
internal control on secondment.

The head of internal control will report directly to the Audit Committee of the Board. He
will be responsible for both compliance and control related tasks, which include
compliance with laws and regulations, audits and inspection, monitoring activities and risk
assessment.

The audit team of the internal control unit will perform periodic and special audit and
inspection.

The compliance unit will be responsible for ensuring that a financial institution complies with
all regulatory requirements while conducting its business. They will maintain liaison with
the regulators at all levels and notify the other units regarding regulatory changes.




[Organization chart; boxes shown: Audit Committee of Board; Internal Control Unit;
Audit & Inspection Wing; Compliance Wing; Inspector; Inspector]

Figure: Structure of Internal Control Unit

5.8 Preparing various guidelines/manuals
Each financial institution should have a policy guideline in line with relevant laws and
internal documents in order to ensure effective control over its processes in various fields,
e.g. credit, human resources, finance & accounts, treasury, audit, customer service etc. There
should be a written policy guideline for each Department's function, which may be as
follows.

5.8(a) Standard Operating Procedures -Credit & Operations
The main objective of lending money is to ensure maximum return on lendable funds. This
manual should highlight the process starting from review of credit proposals, obligor risk
rating, approving credit limit, disbursement of loans, monitoring of credit risk etc. Various
types of MIS, which can be generated if the system is in place, should be provided in order
to have better control over the assets of the financial institutions.

This manual should also contain the role of Credit Admin., Trade Finance, Reconciliations,
Cash, Client service, Treasury, Back office etc. It should also reflect a clear guideline
regarding Anti-Money Laundering activity in order to protect the financial institution's interest.
Credit Admin will be responsible for monitoring of limits and outstandings as per credit
approval.

This manual should cover the following areas inter alia:

- Risk classes, lending limits and credit authorities
- Investment policies
- Policies on financial & other product & services
- Lending guidelines
- Approval processes
- Documentations
- Securities and collaterals etc.
- Account Opening and closing
- Payment monitoring procedures
- Loan Administration
- Treasury Operations
- Anti-money Laundering procedures etc.

5.8(b) Finance & Accounting Manual
This manual should provide guidelines on financial activities regarding income and
expenditure of a financial institution. It should provide for checking whether there is any
exaggeration of expenditure that needs to be brought under control. This manual must
incorporate a clause which shall make it mandatory to prepare and present an annual budget
which shall contain target business, revenue, expenses, capital expenditures etc. This budget
should be placed before the Board before the start of a new year, with a periodic review of the
actual achievement. Through this process it can also ensure the profitability of the financial
institutions.

The basic contents of Finance Manuals are:
- Financial & Accounting Policies
- Financial Accounting
- Financial Management & Administration
- Fixed Assets Control
- Procurement of Goods and Services
- Audit and Internal Control
- General Clause
- Capital structure policies
- Treatment of Land, Building & Equipment
- Capital Adequacy and Shareholders' Equity
- Treatment of revenue and expenditures
- Income tax procedures
- Write-off procedures etc.

5.8(c) Treasury Manual
This manual should include activities of fund transfer. Inter-financial-institution fund
management is one of them. The manual should include the guideline so that they may
manage the financial institution's funds properly and profitably. There may be some idle funds
in the financial institution which are to be taken into account so that they are invested in
the optimum profit-seeking area. They should also ensure the security of the funds. If possible,
they may look into the international money market subject to the available opportunity in the
money market arena.

While framing a treasury manual the following things should be considered inter alia:

- Internal Items
  - Liquidity
  - Cost of fund vs. yield from assets
  - Policies & Procedure
  - Skill of staff etc.
- External Items
  - Market Liquidity
  - Risks including changes in Exchange Rates
  - Changes in regulations etc.
- Investments
- Capital management etc.


5.8(d) Human Resource Policy Manual
They will, at first, ensure the proper distribution of available human resources in the
infrastructure of the financial institutions. It should also delineate the authority and
responsibility of each employee. Finding the right person and placing them in the right
position is very crucial. The rewarding method of that department should be impartial. They
will ensure staff welfare, which will ultimately encourage people and create a healthy
working atmosphere.

This manual should contain inter alia the following:

- Recruitment policy
- Background checking policy
- Leave policy
- Compensation policy
- Reward and Recognition policy
- Termination & retirement policy
- Promotion and increment policy
- Training guidelines
- Employees' code of conduct etc.

5.8(e) Information Technology Manual

This manual should contain the following areas:

- MIS to be generated
- Security of Data and programme
- Back up system
- Control mechanism of data and files
- Disaster recovery plan
- Networking
- Hardware maintenance
- Service agreements etc.
- Training
- Manpower backup
- Power backup system
- Data storage




6. EXAMINATION OR EVALUATION OF CONTROL

As soon as the implementation of control is completed the next question is how to evaluate
the effective functioning of this system. Evaluation may be done in the following ways:

a. Verification of departmental function through Check List
b. Reviewing the documentation relating to operational activities through a check list
c. Preparing quarterly report and reviewing the same
d. Risk analysis
e. Audit Process & communication of weakness


6.1 Departmental Control Function Checklist (DCFCL) {Appendix 7.1 to 7.4}
a) The guideline/procedure deals with matters relating to review/verifications of
departmental functions to ensure that prescribed procedures are being followed by
each department.
b) All departments are required to check that prescribed controls are being observed and
laid down procedures are not overlooked & relaxed.
c) Departmental Managers/Branch Managers will review the DCFCL to ensure that
control functions are performed and documented in the control sheets (Appendix 1)
at the prescribed frequencies i.e. Daily, weekly, monthly and quarterly.
d) The DCFCL Checklist should be retained with the branch/departments for future
inspection by Internal Control and Senior Management.

6.2 Loan Documentation Checklist {Appendix 7.6}

The checklist deals with matters relating to security/other documentation for
sanctioning credit facilities to ensure that prescribed documentation is being obtained to
safeguard the financial institution's interest in case of litigation. A copy of the loan
documentation check list shall be sent to the lease/loans department for their use.

6.3 Quarterly Operations Report {Appendix 7.5}

This guideline/procedure relates to reporting of operational functions of each
branch/centre under the following heads on the enclosed format:
i. Policies, Procedures and Controls
ii. Protection of Valuables
iii. Proofs/Verifications and Internal Checks
iv. Personnel and Supervision
v. Premises Management and
vi. Confirmation on Regulatory Compliance

This report will be prepared by the Departmental/Branch Head. It will be prepared in
duplicate: one copy is to be dispatched to the Internal Audit Department and another
copy to the Audit Committee of the Board by the 10th of the following month.

The items which are not applicable for an individual Department should be marked as N/A
and no signature is required against the items marked as N/A.


Any deviation in the quarterly operations report must be reported in a separate exception
report or shall be marked specially in the report.

6.4. Risk Analysis of Control Functions
Individual items in the DCFCL need to be assigned a risk rating in terms of the following
dimensions:
a) Impact: Before taking into account the mitigation (i.e. Insurance), what is the impact of
the lapse/omission.
b) Probability: After taking into account the mitigation, what is the likelihood of the event
occurring.
To assist in this task, the following matrix (Table 1) can be used. However, some financial
institutions may consider customization of this matrix to suit their own risk profile. Where
appropriate, additional details (e.g. financial values) can be added. The key principle is that
all financial institutions should be able to differentiate between different levels of risk in
their own area of activity and then ensure appropriate controls are established.
Scores should be plotted on the following table to determine a category of high, medium
and low risk.

Probability \ Impact |   1    |   2    |   3
          3          | High   | High   | High
          2          | Medium | Medium | High
          1          | Low    | Medium | High

Table: Risk Assessment Matrix

To arrive at the decision of what constitutes a high, medium or low risk the following
template can be used:

Risk Score 3
  Probability (after taking into account of risk mitigation):
  - High probability or almost certainty
  - High/frequently recurring
  - Governed by widely anticipated external factors/frequency of management review not
    established
  - New area of risk with no policy & procedure to deal with the matter
  - Probability uncertain
  - Complex, requires specialized skills to mitigate
  Impact (before taking into account of mitigation):
  - Catastrophic/major impact on the financial institutions
  - Potential loss in excess of BDT 1 Million.
  - Serious regulatory implications (Revocation of license, imprisonment)/sanctions.
  - Potential/actual damage to reputation
  - Major corporate governance failure

Risk Score 2
  Probability (after taking into account of risk mitigation):
  - Evidence of increasing trends
  - Management reviews largely to manage exceptions
  - Policies exist but compliance is complex
  - External factors have medium bearing on ability to follow established standards
  - Process requires moderate degree of supervision
  Impact (before taking into account of mitigation):
  - Significant impact on the financial institutions.
  - Potential loss in excess of BDT 1,00,000
  - Possibility of fines/penalties from regulators
  - Medium financial loss with some potential for recovery
  - Medium level of reputation risk
  - Exposure due to control weakness

Risk Score 1
  Probability (after taking into account of risk mitigation):
  - Unlikely
  - Isolated incident/Not likely to be repeated
  - Frequent management review/well documented
  - Clear policy exists
  - External factors have low impact on ability follow
  Impact (before taking into account of mitigation):
  - Potential or actual loss less than BDT 1,00,000
  - Low impact on business or reputation
  - Exposure on regulatory sanctions low
  - Customer service issues are within expected levels

6.5 Audit Procedure & Communication of weakness
Audit & Inspection and Compliance shall be under the control of the Head of Internal Control.
Major responsibilities entrusted to the Audit & Inspection Department shall be to carry out
Audit & Inspection of the various Departments/branches of the FIs in accordance with the
instructions contained in the internal control policy guidelines and sometimes as per the
direction of the Board or even as per the direction of the Management. The inspection team
may conduct surprise checking/investigation and special inspection.

At the beginning of the year the Audit Team shall prepare a schedule for Audit and
Inspection of Departments or branches with the approval of the CEO. Audit shall be carried
out at periodic intervals whereas inspection may be carried out at any time. The audit shall
basically be conducted based on a check list and the risk involved in the area to be
audited.

On completion of each Audit/Inspection a report must be submitted to the Head of Internal
Control by the Head of Audit & Inspection within a maximum of 14 working days for onward
submission to the Audit Committee of the Board.

The Head of Compliance is responsible for implementation of Inspection Reports and follow
up with the Department/branches for regularization of the irregularities and
implementation of the observations/recommendations made in the Audit Report.

This Department is also responsible for submission of Audit Report and ensuring
compliance to the competent authority including preparation of Board Memos on Audit &
Inspection. Compliance of Bangladesh Bank Inspection Reports and follow up of the same
are the responsibility of this department.




General Guidelines for the Inspectors

1. The inspectors are the representatives of the Audit & Inspection and Compliance
Department. They must possess a high standard of integrity & competence and are
expected to have a thorough knowledge of working procedure of all the
departments/branches of a company. They must also have a good knowledge on law
and practices and should keep themselves abreast with the regulations and
developments in the particular sector. They should be conversant with the prudential
guidelines & circulars issued by Bangladesh Bank and other regulatory bodies. They
should be in a position to interpret the circulars in proper perspective. They are
however expected to provide appropriate guidelines where necessary to solve the
problems.

2. Inspectors will be personally responsible for the accuracy and correctness of the figures
and statements incorporated in the Report.

3. Irregularities shall be consecutively numbered and a photocopy of the proof of
irregularities shall be taken if possible.

4. Minor irregularities shall be rectified during the course of audit. Major lapses and
irregularities shall be listed and reported.

5. The inspector shall go through the progress in the way of compliance of the previous
report and if any previously reported irregularities are repeated the same must be
reported.

6. Where irregularities are due to negligence or inefficiency of any officer, past or present,
the inspector must report the name of the officials responsible.

7. Should any difference of opinion arise between the inspector and the official upon some
areas of irregularities, then the inspector shall incorporate in his report the views of the
official together with his own comments.

8. Before undertaking Audit & Inspection, the inspector will hold consultation with the Head
of the Department with a view to finding out the special areas or problems which need to be
looked into. He shall have a full idea of the check list to be followed.

9. It is important for the inspectors to act as sympathetic advisers to the staff of the
Department/branches they are auditing/inspecting. Faults must of course be brought to
light, but the report should be written with recognition of the difficulties and efforts of
the staff as well as their shortcomings.

10. Inspectors shall discuss with the Head of the Department on the draft report and shall
obtain his/her signature thereon after the audit is completed and note down his/her
comments if any. These replies must be incorporated in the final audit/Inspection
Report. The report must be clearly and concisely written and free from padding.

11. If the inspector feels the need to change any written policies or guidelines, he/she
shall forward recommendations and the reasons thereof to the Head of Audit &
Inspection and Compliance Departments.


12. The Inspection Report shall be prepared in five copies:

    - One copy shall be forwarded to the Audit Committee of the Board
    - One copy shall be forwarded to the Managing Director/CEO
    - One copy shall be forwarded to the Head of Audit & Inspection
    - One copy shall be forwarded to the Head of Compliance
    - One copy shall be forwarded to the respective department/branch in charge

13. The inspection report shall not be a public document. But the Bangladesh Bank and any
regulatory body shall have the authority/right to have a copy of it for their use.


6.6 Compliance Process
Regulatory requirements are to be incorporated into the work process to ensure full
compliance. The financial institutions have to ensure that all guidelines received from the
regulatory authority are properly disseminated among the relevant departments.

A particular unit (if possible Internal Control) should be responsible for receiving regulatory
guidelines, maintaining proper records and distributing them among all relevant units. If
required, this unit would contact regulatory authorities for proper clarifications on a
particular issue and notify the concerned departments accordingly.

When regulatory inspection is conducted on the operation of the financial institutions this
unit should work as point of contact.

Once the audit report is received they must ensure that corrective measures are taken and
the appropriate response is made on a timely fashion. If any major lapse is identified by the
regulatory authority they must ensure that the Audit Committee of the board is also notified
along with the senior management of the branch.

This unit must arrange appropriate training for employees so that employees are aware of
the regulations that are necessary to accomplish their jobs.



APPENDIX 7.1

DEPARTMENTAL CONTROL FUNCTION CHECKLIST QUARTERLY

This is a sample list of control functions. Each financial institution will develop the list according
to its own requirements.

Area | Function | Responsibility | Qtr 1 | Qtr 2 | Qtr 3 | Qtr 4
Quarterly Budget Review | To check whether achievement is OK or not and how to overcome the deficit | CEO & Head of Dept | | | |
Quarterly Performance review of employees | To see whether employees are lagging behind their individual target and to know their problems and how to overcome them | Head of Department | | | |
Stock Taking | To verify stock position | Head of Administration | | | |
Reports | Check the copy of the reports with regulators' deadlines. At present there are 6 such reports for Bangladesh Bank | Head of respective departments | | | |
All security documents including post dated cheques | Take the inventory | By appropriate person other than the custodian | | | |















APPENDIX 7.2

DEPARTMENTAL CONTROL FUNCTION CHECKLIST MONTHLY

This is a sample list of control functions. Each financial institution will develop the list according to its own
requirements.

Area | Function | Responsibility | Date / Initial | Date / Initial | Date / Initial | Date / Initial
Financial Statements | Check whether the monthly statements are prepared as per the deadline of Board/shareholders | Head of Accounts | | | |
Insurance Coverage | See whether renewal is necessary - Gen & Life | Head of Admin | | | |
TDR | Verify TDR held with GL on last day of the month | Manager, Treasury Department | | | |
Holiday File | Check with independent source, i.e. Central Bank, for local Holidays and check with Govt. Calendars | Head of HRD | | | |
Reports | Check the copy of the reports with regulators' deadlines & see deviations | Head of respective departments | | | |
Accruals of Income & Expenses | Check whether all income and expenses have been accrued as per company's policies, regulatory requirement | Head of Accounts | | | |
Physical security of Assets | Check whether movement register and requisition slip are kept against assets movement. Fixed asset Register is marked accordingly. See whether insurance coverage is still effective on the day of verification | Manager Administration together with Manager Accounts | | | |
Bank Reconciliation | See whether all Bank Reconciliations were done properly | Head of Accounts | | | |




APPENDIX 7.3

DEPARTMENTAL CONTROL FUNCTION CHECKLIST WEEKLY

This is a sample list of control functions. Each financial institution will develop the list according to its own
requirements.

Area | Function | Responsibility | W 1 | W 2 | W 3 | W 4
Reports | Check the copy of the reports with regulators' deadlines & see deviations | Head of respective departments | | | |
Premise protection | See whether fire extinguishers are in place. Necessary directions to operate the same are kept beside the extinguishers | Manager Administration | | | |
Documentation | See whether all documentation related to credit is completed by operations dept. as per document check list | Manager Operations | | | |
MIS | Check whether the MIS is updated with inputs from various dept. | Manager, Operations | | | |
CRR & SLR Requirements | Check the amount of CRR & SLR requirement based on the liability | Accounts Department | | | |





















APPENDIX 7.4

DEPARTMENTAL CONTROL FUNCTION CHECKLIST DAILY

This is a sample list of control functions. Each financial institution will develop the list according to its own
requirements.

Area | Function | Responsibility
Vouchers & posting | Check on sample basis whether vouchers are properly raised and authorized as per Accounting manual. Check whether vouchers are posted regularly | Manager Accounts
Receivable/payable account | Have the explanation of the head and see whether they are required at all. | Proper authority
Correction entry | Check the nature of correction entry passed | Proper authority
Reports | Check the copy of the reports as per check list with regulators' deadlines & see deviations | Proper authority
Accruals of Income & Expenses | Check whether all income and expenses have been accrued as per company's policies, regulatory requirement | Head of Accounts
CRR Requirements | Check the amount of CRR requirement based on the liability with current account balance with Bangladesh Bank | Head of Treasury
Computer Back Ups | Check whether Back up of programme files and other important files are taken. | Head of IT
Filing of Correspondences | Check whether copies of all outgoing letters are kept in Master File and Specific Files | Designated Department
Updating money market transaction | Prepare call money correspondences, information on call rate | Manager, Treasury
Updating operations software and information | See whether every day entry has been given in the system |
Updating share price index and other merchant banking information | Manager, Merchant Banking | Proper authority




APPENDIX 7.5
QUARTERLY OPERATIONS REPORT
Date :
From : Audit & Inspection Department
To : Head of Internal Control Unit
Copy : Compliance Department
Quarter Ended on :
POLICIES, PROCEDURES AND CONTROLS
1. FINANCIAL INSTITUTIONS DEPARTMENT (FID) AUDIT & FOLLOW UPS
The Branch/Centre was last audited by the Audit Team of FID on _________.
We confirm that adequate corrective actions have been initiated to remove the
deficiencies other than the following paras of their Audit Report.

Audit Observation Para no. | Target Date of Rectification | Reason for failure to rect.

Enclosure : Bangladesh Bank Audit Report & Findings

2. INTERNAL CONTROL
The Company's internal control situation was last audited by the FID on _________.
We confirm that adequate corrective actions have been initiated to remove the
deficiencies other than the following para of the report.

Observation | Target Date of Rectification | Reason for failure to rect.

3. REGULATORY COMPLIANCE
(a) Financial Institutions Act 1993 and FI Regulations 1994 and FID Circulars

We confirm that requirements of Bangladesh Bank have been complied with except
the following:
Sl. No | Sections and FID Circulars reference | Risk | Remarks




(b) Income Tax Ordinance 1984 and Income Tax Rules

We confirm that requirements of Income Tax Ordinance 1984 and Income Tax
Rules have been complied with except the following:

(c) Companies Act 1994

We confirm that requirements of the Companies Act 1994 have been complied
with except the following:

(d) Securities and Exchange Ordinance

We confirm that requirements of the Securities & Exchange Commission Ordinance
and Rules have been complied with except the following:

(e) Dhaka Stock Exchange Listing Rules

We confirm that requirements of the Dhaka Stock Exchange Listing Rules have been
complied with except the following:

(f) Shops and Establishment Act

We confirm that requirements of the Shops & Establishment Act have been
complied with except the following:

(g) Other Rules & Regulations


4. COMPUTER ACCESS (if available)
a. We confirm that a full review of Access Levels is made to ensure that no conflicts
exist and no official is holding both IDs to input transactions and authorise such
transactions.
b. We also confirm that Administrator Passwords are held in dual custody and both
custodians review the Administrator Journal Report and the Audit Trail Report
(which reports all user access maintenance) and investigate all activities on a daily
basis.


5. CUSTOMER SERVICES STANDARDS

a. The Customer Services Standards of all departments have been checked and
documented as per guidelines from the Company. The shortfalls detected during the
last quarter have been/will be removed within the target set.
b. Customers' queries are met in time as per the time frame fixed by the Company, and
customers' satisfaction notes are received and preserved.



6. DEPARTMENTAL CONTROL FUNCTIONS CHECK LISTS

a. The DCFCLs were completed and documented as per Company's Guidelines by the
concerned departments, which are being/have been verified by the designated independent
officials on _______
b. We confirm that no shortfalls have been identified by the Independent Reviewer
and/or the shortfalls identified by him/her are being rectified and will be completed by
__________________ under advice to Head of Compliance.


7. INTERNAL CHECKS
We confirm that all Internal Checks as per Company's Guidelines applicable to us are being
undertaken by the Independent officials designated in writing. All papers and the
reviewers' certificates are retained under the control of the Head of Department for future
review by the Bangladesh Financial institutions audit team/ Internal Control Team.

8. RECOVERY OF COSTS

We confirm that the costs of telex/swift/telegrams/telephone/fax and other charges have
been recovered from the Customers where applicable and credited to Processing Fee A/C

9. FRAUDS, FORGERIES & OPERATING LOSSES

Following transaction(s) involving Frauds/Forgeries/Other Operating Losses has/have
been detected during the quarter ended on ___________ and reported to Internal
Compliance Department



10. RETURNS

We confirm that returns to all Regulatory Bodies have been submitted within the schedule
dates except the following:

Title of Return | Due Date | Act Date | Reasons for Delay

11. LEGAL

We confirm that legal matters are being monitored by us as per Company Policy. The
following litigations are pending as of the reporting date:


Party | Case Initiated on | Brief Description | Status






12. COMMUNICATIONS

Following meetings of the management were held during this quarter to improve
communication among the members of Officer/Staff. We enclose a copy of the minutes of
the meetings held for information and record.

Name of the Meeting | Date of Meeting



13. FIXED ASSETS

We confirm that:
Quarterly, as on March, June, September and December, all items of Fixed Assets
were physically checked and verified with Fixed Assets Register and General Ledger.
The entries passed through Profit and Loss A/c in respect of sale of Fixed Assets for
the quarter ended have been reviewed to ensure that no entry is outstanding in the
books.
Fixed Assets sold during the quarters have been reviewed for tax purposes.
Fixed Assets of the Company have been physically checked on sample basis by the
independent officers designated by Internal Control team.
Proper tender/quotations were received before disposing of the assets.


PROTECTION OF VALUABLES
1. MAINTENANCE OF KEYS

We confirm that the Key Register is being maintained as per prescribed procedure. Dual
keys have been maintained in sensitive areas.


2. SAFE CUSTODY

We confirm that Safe Custody items are being maintained under dual custody and the last
complete independent physical verification of Safe Custody items as per Internal Control
Dept's instructions was undertaken on __________. We enclose a copy of the certificate
received from the designated reviewer(s).


3. SAFE DEPOSIT LOCKERS
We confirm that keys to lockers are kept under dual control. The Head of Finance shall
supervise the things.





4. STOCK OF STATIONERY

Stocks of Stationery are being kept under dual custody and Bulk/Working Stocks are being
verified each month end by Manager Administration together with Manager Finance.


5. CASH

Cash/Prize Bonds / Sanchaya Patras/ Bonds were kept in a safe fireproof vault under dual
key. Cash is counted on a daily basis and reconciled with GL balance. Bonds and other
instruments are counted for number and value at the end of each month and tallied with
GL balance.

6. SIGNATURE BOOKS

Daily signature book or Attendance Register is maintained at the proper place and every
staff member shall put his signature thereon as per Company's policy. The Head of Administration
shall check at random each month whether the employees are putting their signatures
properly. After verification he shall put his own signature with date.


VERIFICATIONS
1. All accounts in GL/ Subsidiary ledger were proved and verified during the quarter and
the following wrong entries were detected and rectified promptly with the consent of
Head of Finance & Accounts:
GL Head | Voucher no. | Vr. Date | Amount | Appropriate Head

2. We confirm that all outstanding entries in General Suspense (Assets & Liabilities) are
being followed up for early liquidation. We enclose the statements of General Suspense
Accounts as on March, June, September and December for your perusal :

Suspense Account | March qtr: Amt | March qtr: Correct Head & Date of correction | June qtr: Amt | June qtr: Correct Head & Date of correction | Sept qtr: Amt | Sept qtr: Correct Head & Date of correction | Dec qtr: Amt | Dec qtr: Correct Head & Date of correction









PERSONNEL & SUPERVISION
1. Following transfers/movements were effected during the quarter as regards staff of
the Company:
Name | Transferred From | Transferred To | Period with present dept



LEAVE PROGRAMMES
1. Officers/staff are being granted leave as per leave program. Exceptions are given
below:
Name of staff | Department | No. of days accumulated


2. Unionized staff leave was enjoyed by the following staff as per Service
Regulations:
Name of staff | Department | No. of days | Action taken

3. Arrangements have been made to allow all employees including Management Staff to
avail of 10 days uninterrupted leave or half of annual leave entitlement, whichever is the
lesser in terms of service rules.

TRAINING PROGRAMME
Following Officers / staff have undergone training both inside and overseas during the
quarter :

Name of Participant | Department | Duration of Training | Subject of training | Place of Training | Cost of the training | Total number of training availed in this Company






PREMISES MANAGEMENT

1. FIRE/SAFETY STANDARDS
a) Following items have been checked during the quarter ended
March/June/September/December _________.
Fire/Safety Procedure Ref: | Standard Achieved/Shortfalls detected
i)
ii)
iii)
iv)
b) Half-yearly Self Audit of Fire/Safety Standards was undertaken and the return
submitted to you for the period ended 31st January / 31st July _________ by a separate
letter on _________.
c) We confirm that:

i) Closed Circuit Camera was/is functioning properly.
ii) Security Alarm system was functioning properly.
iii) The arrival and departure times of all personnel occupying the
Premises outside working hours and after financial institution's hours are
being documented/reviewed by the Manager, Administration in the
Registers maintained for these purposes.
d) All electric wiring was checked by M/s _________ on
_________ and certificates obtained and kept in file for future audit /
inspection. We enclose a copy of the certificate for our record.
e) The premises were inspected on holidays by the officers on rotation. Immediate
action was taken on shortfalls detected through the checklist maintained which is
retained after taking appropriate action as applicable for future audit/inspection.
f) The premise and the equipment and assets are under fire insurance cover which is
renewed and updated. Besides there is a burglary insurance for the assets.
(Head of Finance & Administration) (Depart. Manager)



APPENDIX 7.6
LOAN DOCUMENTATION CHECKLIST
Borrower :
Registered Address :

STATUS: Individual / Proprietorship / Partnership / Limited Company    A/c No.
First obtain General Documents. Then identify the Collateral and obtain specific documents
listed hereunder. Leave out documents not called for by the terms of the Credit Approval
and Facilities Advice Letter (Sanction Letter).

Sl | Description | Require | Date of Document | Date of Receipt | Expire | Original document location | Amount in Taka

A GENERAL DOCUMENTS
1 Letter of Borrower requesting new facilities / renewal
2 Authority of Borrower to Borrow (Letter of authority from partners in case of partnership concern and resolution in case of limited company) with list of Partners/Directors
3 Form XII (Particulars of Directors) certified by RJSC regarding list of existing Directors for limited company
4 Sanction Letter: accepted unconditionally by Borrower
5 Demand Promissory Note
6 Letter of Continuity
7 Deed of Partnership (for Partnerships; Borrower / third party), By-Laws etc.
8 Memorandum and Articles of Association (for limited company Borrower / third party) with Certificate of Incorporation
9 Letter of Arrangement
10 Letter of Disbursement
11 Revival Letter

B LIEN OF ACCOUNT
1 Resolution to lien account proceeds (for Third Party partnerships and limited cos.)
2 Letter of Lien and Set-Off (Pledge Agreement)

C PLEDGE OF DEPOSITS/S. PATRA
1 Resolution to deposit (for Third Party partnerships and limited company)




2 Fixed Deposit Receipts / Sanchaya Patra / Bonds endorsed by holder(s)
3 Letter of Guarantee by depositor (if the deposit stands in the name of Third Party)
4 Letter of Lien and Set Off (Pledge Agreement)
5 Letter of Authority for encashment of Sanchaya Patra / Fixed Deposits

D PLEDGE OF SHARES
1 Resolution to deposit (for Third Party partnerships and limited company)
2 Share certificates
3 Blank transfer forms for each share certificate (Form 117)
4 Memorandum of Deposit of Shares
5 Letter of Guarantee by the shareholder (if the share stands in the name of person other than borrower)
6 Irrevocable letter of authority for collection of dividends, bonus etc. addressed by the shareholder to the relative company.
7 Notice of pledge by the shareholder to the relative companies.

E PLEDGE OF INVENTORY
1 Letter of Pledge / Pledge Agreement
2 Letter of Disclaimer (if required)
3 RJSC Search Report (for limited company partnerships; Borrower / third party)
4 RJSC Form 18, and receipt of filing with RJSC
5 Certificate of registration from RJSC
6 Modification of Letter of Pledge / Pledge Agreement of Inventory
7 RJSC Form 19, and receipt of filing with RJSC



8 Insurance Policy

F HYPOTHECATION OF INVENTORY
1 Resolution to hypothecate inventory (for Third Party partnerships and limited cos.)
2 Letter of Hypothecation of Inventory / Hypothecation Agreement
3 RJSC Search Report (for limited company. partnerships; borrower/third party)
4 RJSC Form 18, and receipt of filing with RJSC
5 Certificate of registration from RJSC
6 Modification of Letter of Hypothecation of Inventory
7 RJSC Form 19, and receipt of filing with RJSC
8 Insurance Policy - jointly insured

G TRUST RECEIPT
1 Trust Receipt Agreement

H HYPOTHECATION OF RECEIVABLES/BOOK DEBTS
1 Resolution to hypothecate receivables / book debts (for Third Party partnerships and limited company)
2 Letter of Hypothecation of Receivables / Book Debts (Hypothecation Agreement)
3 RJSC Search Report (for limited company/registered partnerships; borrower/third party)
5 RJSC Form 18, and receipt of filing with RJSC
6 Certificate of registration from RJSC
7 Modification of Letter of Hypothecation of Receivables
8 RJSC Form 19, and receipt of filing with RJSC

I HYPOTHECATION OF MACHINERY AND EQUIPMENT
1 Resolution to hypothecate inventory (for Third Party partnerships and limited cos.)





2 Letter of Hypothecation of Machinery and Equipment / Hypothecation Agreement
3 RJSC Search Report (for limited company. partnerships; borrower/third party)
4 RJSC Form 18, and receipt of filing with RJSC
5 Certificate of registration from RJSC
6 Modification of Letter of Hypothecation of Machinery & Equipment
7 RJSC Form 19, and receipt of filing with RJSC
8 Latest list of machinery & equipment
9 Insurance Policy

J ASSIGNMENT OF RECEIVABLES
1 Resolution to assign receivables (for Third Party partnerships and limited cos.)
2 Deed of Assignment of receivables
3 Notification and acknowledgement of assignment and confirmation of receivables from the debtor
4 Letter of arrangement of Escrow Account among three parties, lessor, lessee and the bank.

K MORTGAGE
1 Letter of nomination of third party mortgagor from Borrower with attested specimen signature of mortgagor
2 Resolution to mortgage and guarantee (for Third Party partnerships and limited company)
3 Copy of valid ID (for Third Party individual mortgagor)
4 Personal Guarantee from Third Party mortgagor
5 Original title deeds of mortgagor and previous owners (Bia-Deed)
6 C.S., S.A. and R.S. Parchas




7 Mutation Parchas in mortgagor's name, certified by Assistant Commissioner of Land
8 Duplicate carbon receipt for mutation case
9 Letter of no objection of lessor for mortgagor to mortgage (for leasehold property)
10 Land development tax receipts of the immediately preceding Bengali year
11 Municipal holding tax receipts for property in municipalities
12 Building/factory plan with letter of approval
13 Real Estate Appraisal / Valuation report
14 RJSC Search Report (for limited company/registered partnerships; borrower/third party)
15 Memorandum of deposit of title deeds (for equitable mortgages) with legal counsel's approved draft.
16 Mortgage Deed and registration receipt endorsed by mortgagor (for legal/Registered mortgage) along with Power of Attorney
17 RJSC Form 18, and receipt of filing with RJSC if property in the name of ltd cos.
18 Certificate of registration from RJSC
19 Modification of Memorandum of deposit of title deeds
20 RJSC Form 19, and receipt of filing with RJSC
21 Income Tax Clearance Certificate as required for Registration
22 Non Encumbrance Certificate from Land Registrar

L GUARANTEE
1 List of Directors/Partners with specimen signatures, certified by company secretary or chairman, or managing partner (for limited company and partnerships)



2 Resolution to guarantee (for limited company and partnerships)
3 Net Worth Statements (NWS) for individuals/guarantors
4 Letter of Guarantee
5 Letter of Counter Indemnity

M TERM LOAN AGREEMENT
1 Term loan agreement between Borrower and the Company
2 Draft Term Loan Agreement approved by Head of Credit Risk Management Division and Legal Counsel.

N SECURITY SHARING AGREEMENT
1 Whether Charge is created to RJSC through Form XVIII and Form XIX
2 Security Sharing Agreement
3 Draft Security Sharing Agreement approved by Head of Credit Risk Management Division and Legal Counsel.

O SYNDICATION
1 Accepted Mandate Letter
2 Accepted Term Sheet
3 Information Memorandum
4 Participation letters
5 Facilities Agreement
6 Powers of Attorney of participants
7 Accepted Fee Letter
8 Legal counsel's opinion
9 Head of Credit Risk Management and Legal Counsel approval of documents.

P OTHER DOCUMENTS



DEPARTMENT/UNIT | NAME | DATE | SIGNATURE
MANAGER: | | |
CREDIT ADMINISTRATION: | | |
