Agrani Bank Limited
Agrani Bank Bhaban
9D, Dilkusha Commercial Area, Dhaka-1000, Bangladesh
www.agranibank.org
INTERNAL CONTROL AND COMPLIANCE
POLICY & PROCEDURES-2016
[Risk Based Internal Audit Manual, Audit Compliance Manual, Audit
Monitoring and Controlling Manual and IT Manual]
(Approved in the 481st Board of Directors' Meeting held on 28/11/2016)
[As per 481st Board of Directors' meeting, dated: 28/11/2016
ratification on Audit Committee decision, memo no. , dated:
09/11/2016 regarding amendment in different sections of this
policy is formed and would be treated as ICC Policy and
Procedures-2016.]
ICC Policy and Procedures 2016
Preface
Banking has evolved into a diversified and complex financial activity which is no longer limited
within the geographic boundaries of a country. The issues of effective internal control systems,
corporate governance, ethical banking, transparency and accountability and regulatory compliance
have become a prime need for high-level performance.
Banking operations involve both inherent and acquired risks in the pursuit of value creation. To
avoid the complexities and risk arising out of those activities some sort of internal corrective
measures must be there. Internal control is now being termed as an integral part of the daily activities
of a bank assuring the Bank's management and stakeholders that the Bank's service delivery systems
are efficient, safe and compliant with all their expectations. Further, audit activities are the most
important means of reinforcing control systems through the regular review of operations.
An effective Internal Control System results in better risk management practices in terms of
identification, management, monitoring and mitigation of risks. This ensures reliable financial and
managerial information that promotes better strategic decisions for a bank. Internal Control and
Compliance (ICC) ensures compliance with laws and regulations, policies and procedures issued by
both the bank management and the regulators. ICC enhances confidence in the bank and facilitates
risk based bank examination. Risk management and control are not a burden on business; rather this is
one of the scientific means by which business opportunities are maximized and potential losses
associated with unwanted events are reduced.
In this manual the procedures, rules and guidelines are assembled in such a way that the related
officials can easily use it as a reference manual in discharging their duties and responsibilities
perfectly and efficiently.
This manual will ensure uniformity and consistency in audit compliance procedure and establish a
set of standards in this regard.
This Manual reflects the hopes and aspiration of Bangladesh in the "Internal Control and Compliance"
system of Agrani Bank Limited. Here nothing is new; rather everything is to fulfill the requirement
of Audit.
Considering the changing environment of banking business and requirement of Bangladesh Bank for
reviewing the policy every year, ABL management has taken decision for the amendment in some
paras of ICC Policy as well as Manuals. ABL's Board nominated Audit Committee has approved
those amendments and they are incorporated in ICC Policy and Manuals.
I sincerely believe that this manual will strengthen Internal Control and Compliance system of our
Bank. This will play a vital role towards achieving our goal for a modern and vibrant Agrani Bank
Limited.
Thanks are due to all concerned Executives and Officers who have put their sincere efforts to prepare
this manual.
INDEX
Chapter Subjects
A. Internal Control & Compliance (ICC) Policy
Chapter One Universal Discussion of ICC
1.1 Mission Statement
1.2 Vision Statement
1.3 Executive Declaration
1.4 Preamble
Chapter Two Policy Guideline and Responsibilities
2.1 Internal Control
2.2 Components of Internal Control
2.3 Internal Control Environment
2.4 Objective of Internal Control
2.5 Control Activities and Segregation of Duties
2.6 Corrective measures to be taken by ICC
2.7 Scope of Internal Control and Compliance System
Chapter Three Policy Guideline for Internal Control
3.0 Policy Guideline
3.1 Responsibility of the Board of Directors
3.1.1 Responsibility and power of the Board of Directors
3.2 Structure & Responsibility of the Audit Committee of the Board
3.2.1 Organizational Structure
3.2.2 Qualification of the members of the Audit Committee
3.2.3 Roles & Responsibilities of the Audit Committee
3.3 Responsibility of the Senior Management
3.3.1 Function of the Senior Management Team
3.3.2 Management Reporting System
3.4 Role of External Auditors
3.5 Dispute Settlement
Chapter Four ICC Related Issues
4.0 Introduction
4.1 The Organizational Structure of ICC
4.2 Structure of ICC
4.3 Departmental Charter of ICC
4.4 Standards of the Best Professional Practices
4.5 Head of ICC
4.5 (a) Head of ICC
4.5 (b) Head of Audit
4.6 Roles & Responsibilities of Internal Auditors
4.7 Auditors' Ethics & Qualifications
4.7.1 Auditors' Qualifications
4.7.2 Internal Auditors' Ethics
4.8 Appraisal of ICC Officials
4.9 Training and Development
4.10 4.10.1 Home Training
4.10.2 Out Reach Training
4.10.3 Abroad Training
4.11 Job Rotation
4.12 Mandatory Leave
4.13 Recreational Leave
Chapter Five General Matter of Audit
5.0 Definition of Audit
5.1 Objectives of audit
5.2 Auditors Right
5.3 Responsibilities of the Auditors
5.4 Auditors punishment
5.5 Basic Principles of Auditors
5.6 Types of audit
5.7 Internal Audit
5.7.1 Internal Audit
5.7.2 Principles of internal audit
5.7.3 Reporting
5.7.4 Importance of internal audit
5.8 External audit
5.8.1 Types of External audit
5.9 Concurrent Audit
5.10 TOR of Concurrent Audit
5.11 Reporting of Concurrent Auditors
5.12 Lapses
5.13 Punishment
5.14 Reward/Incentive for Auditors
5.15 System Audit Software
5.16 Wrap-up Meeting
Chapter Six IT Audit
6.1 Definition of IT Audit
6.2 Purposes/Objectives of IT Audit
6.3 Types of IT Audit
Chapter Seven Miscellaneous
7.1 Inspection Concluding meeting (Account finalization)-finalization of quick summary report/annual accounts
7.2 Special Board Meeting on compliance of annual inspection report of Bangladesh Bank
7.3 Liaison meeting
7.4 Self-assessment anti-fraud internal control of the bank
7.5 Sharia Based Audit
B. AUDIT PROCEDURES
[Risk Based Internal Audit Manual, Audit Compliance Manual, Audit
Monitoring and Controlling Manual and IT Audit Manual]
A. Risk Based Internal Audit Manual
Chapter One Audit Procedures
1.0 Introduction
1.1 Audit procedures
1.2 Master Audit Plan
1.3 Preparation of Audit Plan
1.3.1 Prioritization for audit
1.3.2 Formation of Audit Team
Chapter Two Control Risk assessment
2.1 Assessing Business and Control Risk
2.1.1 Internal factors
2.1.2 External factors
2.2 Risk Model Construction
2.3 Risk Recognition & Assessment
2.4 Risk Analysis of Control Functions
2.5 Risks Based Internal Audit (RBIA)
2.5.1 Steps in adopting Risk Based Internal Audit
2.5.2 Development of Formats For Risk Assessment
2.5.3 Risk Assessment of Branch as a whole
2.6 Conduct of on-site Audit and Report findings
2.6.1 Conduct of offsite risk assessment of branch
2.6.2 Risk Rating Frequency Sample Volume
Chapter Three Core Risk Management
3.1 Core Risk
3.1.1 Credit Risk
3.1.2 Asset Liability Risk
3.1.3 Foreign Exchange Risk
3.1.4 Internal Control & Compliance Risk
3.1.5 Money Laundering Risk
3.1.6 Information and Communication Technology (ICT) Risk
3.1.7 Environmental & Social Risk
Chapter Four Concept of Inspection
4.1 Definition of Inspection
4.2 Objectives of Inspection
4.3 Types of Inspection
4.4 Functions of Inspection
4.5 Audit & Inspection Procedures used in Agrani Bank Ltd
4.6 Outline of Inspection function
4.7 Rules to be followed during inspection
4.8 Reporting procedures/ Rules
4.9 Follow up procedures of Inspection Report
B. IT Audit Manual
Chapter One
1.1 IT Audit Process
1.2 IT Audit Role
1.3 Risk Assessment
C. Audit Monitoring and Controlling Manual
Chapter One Introduction And Monitoring System
1.1 Monitoring
1.2 Monitoring Activities and Corrective Measures
1.3 Objectives of Monitoring Department
1.4 Application of monitoring system
1.4.1 Departmental Control Function Checklist (DCFCL)
1.4.2 Loan Documentation Checklist
1.4.3 Quarterly Operations Report
1.5 Annual ICC Report on the health of the Bank
1.5.1 Annual Integrated Health Report
1.5.2 Objectives of Annual Health Report
1.5.3 Methodology of Assessing Health
1.5.4 Frequency of Health Analysis
1.5.5 Reporting Line & Its Approval process
D. Audit Compliance Manual
Chapter One Compliance
1.1 Definition
1.2 Overview
1.3 Compliance Process
1.4 Regulatory Compliance
1.5 Independence of Compliance Functions
1.6 Roles and Responsibilities of different Parties
1.6.1 Responsibilities of the Management for Compliance
1.6.2 Responsibilities of the Board of Directors for Compliance
1.6.3 Responsibilities of the Senior Management for Compliance
1.6.4 Responsibilities of the Head of Compliance
1.6.5 Responsibilities of Audit Committee
1.6.6 Responsibilities of the Risk Management Committee
1.6.7 Responsibilities of the Internal Auditors
1.7 Functions of Compliance
Chapter Two Different System of Compliance
2.1 Establishment of a Compliance culture
2.2 Types of Compliance
2.2.1 Internal Audit Compliance
2.2.2 Instruction regarding audit Compliance
2.2.3 Definition of Nirikha Paripalan Patra-1
2.2.4 Compliance with Nirikha Paripalan Patra-1
2.2.5 Definition of NIPP-2 (ka)
2.2.6 Definition of NIPP-2 (kha)
2.2.7 Compliance with response to Nirikha Paripalan Patra-2
2.3 Internal audit objections settlement and file close
2.3.1 Internal audit objections settlement and file close
2.3.2 Settlement of Minor Irregularities and file close
2.3.3 Settlement of Major Lapse and file close
2.3.4 Settlement of Serious Lapse and file close
2.4 Issuing DO Letter
2.5 Placement of Special Note
2.6 Govt. Commercial Audit Compliance
2.6.1 Monitoring and follow up
2.6.2 Commercial audit objections settlement and file close
2.7 Bangladesh Bank Inspection Compliance
2.7.1 Bangladesh Bank Inspection objections settlement & file close
2.8 Special Inspection on specific issue
2.9 Inspection regarding Foreign Trade Transaction
2.10 External audit Compliance
2.11 Settlement of objections raised by Audit Firm appointed by Board and file close
2.12 Audit Clearance
2.13 Conclusion
Annexure
Chapter-One
Universal Discussion of ICC
1.1. Mission Statement
To ensure corporate governance, accountability, integrity, transparency and regulatory compliance in the operation of the
Bank within the stringent framework to achieve the International Standard of Banking.
1.2. Vision Statement
To keep the Banking operation accurate and efficient in line with the best International practices.
1.3 Executive Declaration
A new (amended) "Guidelines on Internal Control and Compliance-2016" has been circulated by Bangladesh Bank vide BRPD circular no-03 dated 08/03/2016, giving the reference of BRPD circular no-17 dated 07-10-2003,
followed by further amendment vide BRPD circular no-06 dated 04/09/2016. Amendments were made with a view to
minimizing risks more effectively in the day-by-day growing banking business. The task was performed by a team
nominated by Bangladesh Bank. The team comprised Bangladesh Bank executives and three executives of scheduled banks.
Committee for Updating the Guidelines
Mohd. Humayun Kabir, GM, DBI-3-Convener
Md. Rezaul Islam, DGM, BRPD-Member
Md. Obaidul Hoque, DGM, DBI-4-Member
Jiban Krishno Roy, DGM, DBI-4-Member
Dipankar Bhattacharjee, DGM, DBI-1-Member Secretary
Md. Mahbubul Haque, DGM, DBI-3-Member
Mirza Abdul Mannan, Joint Director, DBI-2-Member
Md. Habibur Rahman Bhuiyan, DMD, Islami Bank Bangladesh Ltd-Member
Md. Hafizur Rahman, DGM, Agrani Bank Ltd-Member
Gautam Prosad Das, SEVP, Mutual Trust Bank Ltd-Member
In light of the above Guidelines on Internal Control and Compliance (ICC) and under the guidance of General Manager and
Head of ICC Md. Monowar Hossain, Md. Hafizur Rahman, DGM, Audit Monitoring Division has given effort for the
preparation of this ICC Policy & Procedure-2016 [Internal Audit (Risk Based) Manual, Audit Compliance Manual, Audit
Monitoring and Controlling Manual and IT Manual], which will be effective from September-2016.
1.4. Preamble
1.4.1 The economy of Bangladesh has gained a momentum of transition towards a great uplift for development. The banking
sector is playing a pivotal role in this context. At such a time, stringent banking practice in line with the best
international practices is a crying need.
1.4.2 A major risk inherent in the banking sector is systematic risk that causes the bank regulators to have concerns
with the operations of each individual bank. As such, the regulatory body gives priority to attaining high quality banking
operations in all banks in terms of managing the key banking risks, establishing an adequate compliance culture and
having a satisfactory information disclosure system.
1.4.3 An effective Internal Control System results in better risk management practices in terms of identification,
management, monitoring and mitigation of risks. It ensures reliable financial and managerial information that promotes
better strategic decisions for a bank.
1.4.4 Banking is a diversified and multifarious financial activity which involves different risks. The issues of effective
internal control system, good governance, transparency of all financial activities, accountability towards its stakeholders
and regulators have become momentous to ensure smooth performance of the banking industry. An effective
internal control and compliance system has become essential in order to underpin effective risk management practices and
to ensure smooth performance of the banking industry. In general, internal control is identified with internal audit;
but the scope of internal control is not limited to audit work. Internal control by its own merit identifies the risks
associated with the process and adopts measures to mitigate or eliminate these risks. Internal Audit, on the other
hand, reinforces the Control system through regular review of the effectiveness of the controls.
1.4.5 The single greatest factor contributing to operational failure in banks is the lack of adequate internal control.
Bangladesh has witnessed considerable growth in the banking sector. A persistent moderate economic growth rate, a high
degree of competition in the banking sector and a speedy urbanization rate have gradually transformed our banking sector into a
large and vibrant one. The nature and magnitude of business as well as the degree of competition in the banking industry
have increased manifold in recent years.
1.4.6 The responsibility of implementing internal controls starts with the business lines, which are the "first lines of defense" against breaches that could cause the bank not to fulfill its objectives, not to report properly, or not to comply with laws and regulations. Beyond that, in any bank, the three important "control functions" are risk management, compliance, and internal audit. This triumvirate of key functions is underpinned by, and in turn implements
and reinforces, the system of internal controls. The first two of these control functions constitute the "second lines of defense" against mishaps. The final, or "third line of defense", is the internal audit function.
1.4.7 An effective internal control system requires that there are reliable information systems in place that cover
all significant activities of the bank. A system of strong internal controls can help ensure that the goals and
objectives of a banking organization will be met, that the bank will achieve long-term profitability targets, and
maintain reliable financial and managerial reporting.
1.4.8 Internal controls are particularly crucial elements of a risk management program. An essential part of the
internal control framework is periodic testing to determine how well the framework is operating, so that any required
remedial actions can be taken. The frequency of testing should be risk-based and should involve, as appropriate,
sample transaction testing, the sample size (commonly known as audit plan) being determined by volume and the
degree of risk of the activity.
Chapter-Two
Internal Control
2.1 Definition
Internal control is a process, rather than a structure. It is not a separate activity disconnected from the rest of business
activities, rather it is an integral part of those activities. It is a dynamic, continuing series of activities planned,
implemented and monitored by the board of directors and management at all levels within an organization.
Internal control is the process, effected by the entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives of the management in the effectiveness and
efficiency of operations, the reliability of financial reporting and compliance with applicable laws, regulations and
internal & external policies.
2.2 Components of Internal Control
1. Control environment;
2. Risk assessment;
3. Control activities;
4. Information and communication;
5. Monitoring.
2.3 Internal Control Environment
The control environment reflects the overall attitude, awareness and actions of the board and management concerning the
importance of internal control. It is the framework under which internal controls are developed, implemented and
monitored. It consists of the mechanisms and arrangements that ensure internal and external risks to which the bank
company is exposed to. Control environment factors include integrity, ethical values and competence of the employees,
management's philosophy and operating style, the way management assigns authority and responsibility and how it organizes and develops its human resources.
The appropriate and effective internal controls are developed and implemented to soundly and prudently manage these risks; reliable and comprehensive systems are to be put in place to appropriately monitor the
effectiveness of these controls. The factors which together comprise the control environment are:
A board of directors that is actively concerned with sound corporate governance and that understands and diligently discharges its responsibilities by ensuring that the bank is appropriately and effectively managed and
controlled;
A management that actively manages and operates the bank in a sound and prudent manner;
Organizational and procedural controls supported by an effective management information system to soundly
and prudently manage the bank's exposure to risk; and
An independent audit mechanism to monitor the effectiveness of the organizational and procedural controls.
2.4 Objective of Internal Control
The primary objective of the Internal Control System of Agrani Bank Limited is to help the bank to perform better through
the use of its resources. There are mainly three objectives of Internal Control and Compliance. They are as follows:
1. Performance objectives: Efficiency and effectiveness of activities.
2. Information objectives: Reliability, completeness and timeliness of financial and management
information.
3. Compliance objectives: Compliance with applicable Laws and Regulations.
2.5 Control Activities and Segregation of Duties
Control activities are the most tangible internal controls that the Internal Audit function will concentrate on to a large
degree. The auditor will be concerned with understanding whether a control prevents an error or detects and corrects an
error. Control activities may be manual or, where processes are computerized, they may also include
specific IT control activities.
An effective internal control system requires that an appropriate control structure be set up with control activities defined at every business level, i.e. top level review; appropriate activity controls for different
departments or divisions; physical controls; checks for compliance with exposure limits and follow-up on
non-compliance; a system for approvals and authorizations; and system verification and reconciliation.
Control activities involve two steps:
I. The establishment of control policies and procedures and
II. Verification that the control policies and procedures are being complied with.
Senior management should ensure that adequate control activities are integral parts of the daily functions of all relevant personnel; this enables quick response to changing conditions and avoids unnecessary costs. Control
activities are most effective when they are viewed by management and all other personnel as an integral part of
daily activities rather than an addition to it.
One of the most important aspects of an internal control system is an appropriate segregation of duties and personnel who are not assigned conflicting responsibilities.
Furthermore, employees must also be provided with necessary authority, and they should be held accountable for their actions in compliance with delegated authority. Exceeding their authority or failing to exercise their
rightful authority should both be sanctioned.
For employees to carry out their responsibilities properly, each employee should have an appropriate job description.
Areas of potential conflicts of interest should be identified, minimized, and subject to careful independent monitoring.
2.6 Corrective Measures To Be Taken By Internal Control And Compliance:
i. Effectiveness of the bank's internal control should be monitored on an ongoing basis. Key/High risk items should
be identified and monitored as part of daily activities;
ii. There should be an effective and comprehensive internal audit of the internal control system carried out by
operationally independent, appropriately trained and competent staff specially designated by the management.
The significant deficiencies identified by the audit team should be reported to the board on a periodic basis;
iii. Internal control deficiencies, whether identified by business lines, internal audit or other control personnel,
should be reported in a timely and prompt manner to the appropriate management level and addressed
immediately;
iv. Material internal control deficiencies should be reported to senior management and BoD with recommendations
where necessary. However, it should be noted that consideration should be given to major financial exposure or
loss, significant process lapses, serious employee misconduct etc.;
v. The Head of Audit would have a direct reporting line with the Audit Committee of the board.
2.7 Scope of Internal Control and Compliance System:
Head Office of the Agrani Bank Limited comprises 36 Divisions. As per geographical demarcation, there are 11 Circle
Offices. Under these Circle Offices there are 62 Zonal Offices. These Zonal Offices are controlling 905 branches. Total
number of branches is 932 (as on June/2016). Among these branches there are 40 Authorized Dealer (AD) branches and
within those 27 Corporate Branches. Moreover there are 5 Islamic Windows for shariah based Islamic Banking and also
6 Subsidiaries. Those are:
1. Agrani Exchange House Pvt. Ltd. Singapore
2. Agrani Remittance House Sdn. Bhd. Malaysia
3. Agrani Equity & Investment Limited.
4. Agrani SME Financing Company Limited.
5. Agrani Exchange Australia Company Pvt. Ltd.
6. Agrani Remittance House Canada Inc., Canada
ICC will ensure the effectiveness of the Internal Audit and Inspection, Issue based Audit and Special Audit for each and
every branch, office, window and subsidiary of Agrani Bank Limited. With the help of the administration of the Bank,
the ICC will ensure punishment of the concerned guilty person.
They will also arrange audit compliance of the said internal audit as well as external audit (viz. Bangladesh
Bank Inspection, Commercial audit, functional audit, appointed audit firm) effectively and efficiently.
Chapter-Three
Policy Guidelines for Internal Control
3.0 Policy Guidelines
In addition to any existing relevant legislation, the following statements of policies and procedures relevant to internal
control are to be meticulously implemented by the bank, and adherence to which is reviewed by the Internal Audit and
Compliance functions:
1. Credit Policy Manual
2. Operation Manual
3. Finance and Accounting Manual
4. Treasury Manual
5. HR Policy Manual
6. Internal Control and Compliance Manual
7. IT Audit Manual
8. Payment System Manual
9. Guidelines on Anti Money Laundering and Terrorist Financing.
10. Agent Banking Manual
11. Green Banking Manual
12. Guidelines for Foreign Exchange Transactions
13. ICT- Manual
3.1 Responsibilities of Board of Directors (BoD)
The responsibility of the Board of Directors in respect of implementing a modern, scientific and acceptable Internal Control
and Compliance Process in a Bank has been described in Banking Companies Act, 1991 Rule 15 (Kha) and exclusively in
section 15 (Ga). As per prudential guidelines of Bangladesh Bank, the responsibilities of the Board of Directors of the bank
are enumerated below:
The Board shall be observant on the internal control system of the Bank in order to accomplish a satisfactory standard of its portfolio. The Board will form an Audit Committee with such directors who are not the members
of Executive Committee of BoD and a Risk Management Committee from its members.
The Board will also establish such an Internal Control System so that the whole Internal Audit process can work independently from the management which will directly report to the Audit Committee of the Board.
The BoD shall review the reports submitted by its audit committee on a quarterly basis regarding compliance of recommendations made in internal and external audit reports as well as Bangladesh Bank inspection reports.
In addition to the above the following responsibilities will also be observed by the BoD:
They should set up an organizational structure of Internal Control and Compliance (ICC) Division in such a way that, it should have no conflict of interest with the regular management of the bank and fulfill the requirements
as directed in the Rule 15 (Ga) (1) of BCA 1991 for establishing and maintaining effective internal control and
risk management having regard to the complexity of the activities of the bank, its size, scope of operations and
risk profile;
The Board of directors should, at least annually, conduct a review meeting about the effectiveness of internal control process and report to the shareholders accordingly;
The Responsibilities of Board of Directors (BoD) of the Bank are given in BRPD Circular No.11 dated 27-10-2013 of
Bangladesh Bank, from which Internal Control and Compliance related responsibilities are enumerated below:
3.1.1 Responsibilities and power of BoD:
a) Action plan and strategic management:
i. BoD will set goals and objectives of the bank and prepare an annual action plan;
ii. In the annual report of the bank, BoD will incorporate successes and failures of the goals and objectives elaborately,
which will be the basis of future planning and strategies. This is to be disclosed to the shareholders;
iii. The BoD will review different policies of the bank annually; if any changes are required, the concerned division will take
approval from the BoD.
b) Credit Management:
i. Under the purview of existing laws and regulations, every credit/investment proposal evaluation, sanction and
disbursement, loan recovery, rescheduling and write-off policies etc. will be approved by BoD.
ii. At the implementation level, the above rules and policies regarding risk management will be assessed quarterly. In
the evaluation process BoD will observe whether risk management principles of Bangladesh Bank are followed or
not.
c) Internal Control:
To ensure sustainable quality investment, BoD will keenly oversee the internal control system of the bank. It will
also ensure internal audit activities are performed independently. These will be evaluated on a quarterly basis. BoD
will ensure compliance with all laws and regulations that are circulated by various regulatory authorities like
Bangladesh Bank, Ministry of Finance, Securities and Exchange Commission etc.
d) Human Resource Management (HRM) and Development:
i. All policies regarding HRM will be approved by BoD.
ii. For the development of HRM, BoD will give emphasis to the arrangement of training for bank
personnel. This training will help them to implement IT based MIS and correct assessment for quality
loans and investments.
iii. BoD will prepare a Code of Ethics for employees.
3.2 Structure and Responsibilities of the Audit Committee of the Board (BRPD Circular-11 dated 27/10/2013)
The board will approve the objectives, strategies and overall business plans of the bank and the audit committee will
assist the board in fulfilling its oversight responsibilities. The committee will review the financial reporting process,
the system of internal control and management of financial risks, the audit process, and the bank's process for
monitoring compliance with laws and regulations and its own code of business conduct.
3.2.1 Organizational Structure:
i. Members of the committee will be nominated by the board of directors from the directors;
ii. The audit committee will comprise a maximum of 05 (five) members, with a minimum of 2 (two) independent directors;
iii. The audit committee will comprise directors who are not executive committee members;
iv. Members may be appointed for a 03 (three) year term of office;
v. The company secretary of the bank will be the secretary of the audit committee.
3.2.2 Qualification of the Members of the Audit Committee:
i. Integrity, dedication, and opportunity to spare time in the functions of the committee will have to be considered
while nominating a director to the committee;
ii. Each member should be capable of making valuable and effective contributions in the functioning of the
committee;
iii. To perform his or her role effectively, each committee member should have adequate understanding of the
detailed responsibilities of the committee membership as well as the bank's business, operations and its risks.
iv. Professionally experienced persons in banking/financial institutions, specially those having educational qualification
in Finance, Banking, Management, Economics, Accounting, will get preference in forming the committee.
3.2.3 Roles and Responsibilities of the Audit Committee
i. Internal Control:
1. Evaluate whether management is setting an appropriate compliance culture by communicating the importance
of internal control and the management of risk and ensuring that all employees have clear understanding of their
roles and responsibilities;
2. Review management's actions in computerization of the bank and its applications and Management Information System (MIS) of the bank.
3. Consider whether internal control strategies recommended by internal and external auditors have been
implemented by the management;
4. Consider reports relating to fraud, forgery, deficiencies in internal control or other similar issues detected by
internal and external auditors and inspectors of the regulatory authority and place it before the board after
reviewing whether necessary corrective measures have been taken by the management.
5. As the roles and responsibilities of the Board, Executive Committee, Credit Committee and Management
Committee are of high impact and high frequency, ICC needs to take special care in order to identify lapses,
especially in:
(i) Sanction and rescheduling of loans & advances, interest waiver, write-off of loans,
Director's loans, large loans, etc.,
(ii) Presenting financial and non-financial position of the bank,
(iii) Allowing perks, benefits, incentives, etc.,
(iv) Procurement and disposal of assets/services/materials,
(v) Managing risks and uncertainties in the bank.
So ICC should meticulously examine the minutes and memos of Board/Executive Committee/Credit Committee/
Management Committee meetings to assess the fact that memos were presented with proper and adequate information
and decisions in minutes were carried accordingly.
ii. Financial Reporting:
1. Audit committee will check whether the financial statements reflect the complete and concrete information and
determine whether the statements are prepared according to existing rules & regulations and standards
enforced in the country and as per relevant prescribed accounting standards set by Bangladesh Bank;
2. Discuss with management and the external auditors to review the financial statements before its finalization.
iii. Internal Audit:
1. Audit committee will monitor whether internal audit is working independently from the management.
2. Review the activities and the organizational structure of the internal audit and ensure that no unjustified
restriction or limitation hinders the internal audit process;
3. Examine the efficiency and effectiveness of internal audit function;
4. Examine whether the findings and recommendations made by the internal auditors are duly considered by the
management or not.
iv. External Audit:
1. Review the performance of the external auditors and their audit reports;
2. Examine whether the findings and recommendations made by the external auditors are duly considered by the
management or not.
3. Make recommendations to the board regarding the appointment of the external auditors.
v. Compliance with Existing Laws and Regulations:
Review whether the laws and regulations framed by the regulatory authorities (Central Bank and other
Bodies) and internal regulations approved by the board are being complied with.
vi. Other Responsibilities:
1. Submit compliance report to the board on a quarterly basis on regularization of the omission, fraud and
forgeries and other irregularities detected by the internal and external auditors and inspectors of
regulatory authorities;
2. External and internal auditors will submit their related assessment report, if the committee solicits;
3. Perform other oversight functions as desired by the Board of Directors and evaluate the committee's own
performance on a regular basis.
vii. Meetings:
1. The audit committee should hold at least four meetings in a year and it can sit any time as it may deem fit;
2. The Committee may invite Chief Executive Officer, Head of Internal Audit or any other Officer to its meetings, if it deems necessary;
3. To ensure active participation and contribution by the members, a detailed memorandum should be distributed to committee members well in advance (at least three days) before each meeting;
4. All decisions/observations of the committee should be noted in minutes.
3.3 Responsibilities of Senior Management
In setting out a strong control framework within the organization the role of Managing Director/CEO is very important.
The Board of Directors of the Bank/Organization will define/form Senior Management Team (SMT) that should include
the MD/CEO and the Chief Financial Officer. Any officer that performs a
policy making function or is in charge of a principal business unit/function may be a member of SMT. However, any
executive of ICC audit should not be a member of SMT.
The bank/organization should report the composition of the ECM (and updates thereto) to Banking Regulation and Policy
Department of Bangladesh Bank.
3.3.1 Functions of Senior Management Team (SMT)
Responsibilities of the SMT should include monitoring the adequacy and effectiveness of the Internal Control System
based on the bank's established policy and procedure.
The SMT will review on a yearly basis the overall effectiveness of the control system of the organization and provide a
certification on a yearly basis to the Board of Directors on the effectiveness of Internal Control policy, practice and
procedure. The management will enrich audit teams with adequate skilled manpower and proper IT support as per
requisition of the ACB for purposeful and effective audit. The management will ensure compliance of all laws and
regulations that are circulated by various regulatory authorities such as, Bangladesh Bank, Ministry of Finance,
Bangladesh Securities and Exchange Commission, etc. During the audit period, if the present audit team finds any lapse
or irregularity which was not detected or identified by the previous auditor, then that will be reported to the Audit
Committee.
3.3.2 Management Reporting System
An effective internal control system requires that there is an efficient reporting system of information that is
relevant to decision making. The information should be reliable, timely accessible and provided in a
consistent format.
Information would have to include external market information about events and conditions that are relevant to decision making. Internal information should include financial, operational and compliance data.
There should be appropriate committees within the organization which would evaluate data received through various information systems. This will ensure supply of correct and accurate information to the
management.
Internal information must cover all significant activities of the bank. Electronic data must be secured, monitored independently and supported by contingency arrangements.
Most importantly the channels of communication must ensure that all staff fully understand and adhere to policies and procedures affecting their duties and responsibilities and that other relevant information is
reaching the appropriate personnel.
3.4 Role of External Auditors in Evaluating Internal Control System
The Statutory Auditors, by dint of their independence from the management of the bank, must provide
recommendations on the strength and weakness of the internal control system of the bank and submit their
findings in the management report.
They can examine the records, transactions of the bank and evaluate its accounting policy, disclosure policy and methods of financial estimation made by the Bank; this will allow the board and the
management to have an independent overview on the overall control system of the bank.
3.5 Dispute Settlement
Any unresolved issue between SMT and ICC to be referred to the Board of Directors through ECB and ACB
respectively and then to Bangladesh Bank (if needed).
Chapter-Four
ICC Related Issues
4.0 Introduction
All departments, and all business lines, are responsible for developing, implementing, and making sure that the
controls are observed and not breached. Individual departments or business lines will be vigilant and will participate fully
in the internal control regime where ICC should act as internal watchdog of the organization. The main issue of ICC is to
look after whether bank machineries are acting as vanguards of its assets, reputation and Depositors' interests. ICC will
oversee whether bank is following regulatory guidelines, institutional policies and procedures set by/and approved by the
BoD covering related Laws of land and whether there is any deficiency in internal policy and procedure.
4.1 Organizational Structure/Organogram of ICC:
For smooth functioning of internal control and compliance, the department will be comprised of three major Divisions, which are as follows.
a) Audit and Inspection Division
b) Audit Compliance Division
c) Audit Monitoring and Controlling Division
For convenience of action and effective administration, according to the nature of the bank, volume of work, number
of branches (Rural, Urban, AD, Corporate), assets involvement, concentration of assets, risk involvement, etc., the Audit
Division and Compliance Division may be further divided into the following divisions:
1. Audit & Inspection Division-1: To carry out audit on Branch/offices (Non-AD &
SME/Agri. branches).
2. Audit & Inspection Division-2: This Division will have two units:
(a) Unit-1: To carry out audit on all AD, Corp. Br. Circle, Zonal Office, Subsidiaries & H/O (divisions).
(b) Unit-2: To carry out specialized (IT/IS), Concurrent Audit and vigilance audit.
3. Audit Compliance Division (External): To monitor compliance activities of branch and office under
external audit (Bangladesh Bank Audit/Inspection, Commercial Audit, External Audit /statutory audit and
other regulatory authorities).
4. Audit Compliance Division (Internal): To monitor compliance activities of branch, office and
subsidiaries under internal audit.
5. Audit Monitoring and Controlling Division:
(i) To verify the internal control system & operational activities by implementing DCFCL
(Departmental Control Functional Check List), QOR (Quarterly Operation Report), and LDCL
(Loan Documentation Checklist) at Branch level.
(ii) To ensure timely and effective audit including ICT Audit by Internal Control Team.
(iii) To assist Audit and Inspection Division in Risk Based Internal Audit by assessing
department wise risk (Off-site Analysis) with grading of all branches.
(iv) To prepare and submit Self-Assessment of Anti-Fraud Internal Controls report and Bank's Health report to Bangladesh Bank.
4.2 Structure of ICC
There should be the Head of ICC's secretariat, which will consist of one (1) Deputy General Manager, one (1) Assistant General Manager, three (3) Senior Principal Officers, three (3) Principal Officers, three (3) Senior Officers
and two (2) non-clerical staff. Each of the divisions is headed by a Deputy General Manager (DGM). Under the command of the DGMs of
different divisions of ICC, there will be 350 executives, officers and staff as shown in the Organogram given
below. Transfer or posting of the executives, officers and staff from ICC to another division/branch/office requires the
consent of the Head of ICC.
All the divisional Heads of ICC will report to the Head of ICC. The Head of Audit Division would have a
direct reporting line with the Audit Committee of the Board. Thus the Audit Committee of the Board will be the contact point for
the ICC. On the other hand, for administrative purposes, the Head of ICC also has a direct reporting line to the Managing
Director & Chief Executive Officer (MD & CEO) of the Bank.
4.3 Departmental Charter of ICC
The mission of the ICC is to provide independent objective assurance and advice designed to add value and improve
the bank's operations. It will help the bank to accomplish its objectives by bringing a systematic, disciplined approach
to evaluate and improve the effectiveness of risk management, control and transparent governance processes.
The scope of work of the Department is to determine whether the Bank's network of risk management, control
and governance processes, as designed and represented by management, is adequate and functioning in a manner to
ensure:
• Appropriate identification of risk.
• Need-based interaction with the various governance groups.
• Significant financial, managerial and operational information in accurate, reliable and in timely manner.
• Employees' actions in compliance with policies, standards, procedures, laws and regulations.
• Use of acquired resources economically, efficiently and adequately.
• Achievement of programs, plans and objectives.
• Fostering the quality and continuous improvement in the bank's control process.
• Appropriate recognition and addressing of legislative and regulatory issues impacting the bank.
Officers of ICC are authorized to:
• Have unrestricted access to all functions, records, property and personnel.
• The Head of Audit has full and free access to the Audit Committee.
• Set frequencies, select subjects, determine scopes of work and apply the techniques required to accomplish audit objectives.
• Obtain the necessary assistance of personnel in all departments of the bank where they perform audits/inspection as well as other specialized services from within or outside the bank.
Officers of the ICC are not authorized to:
• Initiate or approve accounting transactions other than the Internal Audit Department.
• Direct the activities of any Bank officer not employed by the Internal Audit Department except to the extent such officers have been appropriately assigned to auditing/inspecting teams or to otherwise assist the officers of the Department.
• Audit their own works performed in their previous Departments/Offices.
4.4 Standards of Best Professional Practices
In line with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the
Bank for International Settlements (BIS), the following, but not limited to, standards should be followed:
• The internal audit function's control risk assessment, audit plans, and audit programs are appropriate for the bank's activities.
• The internal audit activities have been adjusted for significant changes in the bank's environment, structure, activities, risk exposures, or systems.
• The internal audit activities are consistent with the long-range goals and strategic direction of the bank and are responsive to its internal control needs.
• The bank has promptly responded to significant identified internal control weaknesses.
• The internal audit function is adequately managed to ensure that audit plans are met, programs are carried out, and results of audits are promptly communicated to senior management and members of the Audit Committee and full Board.
• Work papers adequately document the internal audit work performed and support the audit reports.
• The Audit Committee periodically assesses the performance of internal audit.
• The internal audit function provides high-quality advice and counsel to management and the Board on current developments in the bank's internal control policies and procedure, and in the performance of the other control functions of the bank (Risk Management and Compliance).
4.5 (a) Head of ICC
As per BRPD circular letter no-03 dated 08/03/16 and circular letter no-06 dated 04/09/2016, the Head of ICC will be responsible for reporting of Internal Control and Compliance (ICC) and Monitoring activities of the bank to Senior
Management/Managing Director and CEO. The rank of the Head of ICC to be lower than two steps immediate below the
CEO. The Head of ICC will report his/her activities and findings to the Senior Management/Managing Director and
CEO. Bangladesh Bank should arrange conference of ICC head of all Banks once a year to share their problems and
experiences in discharging their responsibilities without undue influence of others.
4.5 (b) Head of Audit
The Head of Audit, although being a part of ICC administratively, shall report directly to ACB and will be responsible to
the ACB. The Head of Audit may be at the ranks of GM/DGM who would be a Professional Auditor.
4.6 Role and Responsibilities of Internal Auditors
Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an
organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
The purpose, authority and responsibility of the internal audit activity should be formally defined in a charter consistent
with the Auditing Standards approved by the ACB and the Board. Internal Audit Charter of the bank defines the purpose,
authority and responsibility of the Internal Audit Department. The internal audit activity should be independent and
objective oriented.
4.7 Auditors' Ethics & Qualifications:
4.7.1 Auditors' Qualifications:
General Auditor: Chartered Accountancy Course Completed, MBA/Masters with Commerce background and
preferably partly qualified Chartered Accountant and also have banking knowledge.
IT Auditor: BSc in Computer Science and should have related software, hardware and also preferably have banking knowledge.
Other general requirements:
a) Persons punished for major offence and persons under disciplinary proceedings must not be posted in ICC.
Track record of officers to be checked and maintained before posting them in ICC.
b) ICC people should have thorough professional knowledge and banking experience with good academic
background.
c) Auditors posted in ICC should be worked at least Five (5) Years and every officer of
ABL should be posted at ICC at least once in his service tenure.
4.7.2 Internal Auditors' Ethics:
Internal auditors should have to be bold, honest and truthful. These qualifications will be the basis for trust on the
internal auditor's professional judgment. Internal auditors should keep strict confidentiality of information found during
audit. They should not use such information for personal gain or malicious action and should be responsible for
protection of such information. The Head of the internal audit and all internal auditors should avoid conflicts of interest.
Internal auditors should abide by the bank's code of ethics. A code of ethics should address the principles of objectivity, competence, confidentiality and integrity.
4.8 Appraisal of ICC Officials
The Head of ICC will be appraised by the Senior Management/Managing Director and CEO. The Head of Compliance and Monitoring Division to be appraised by the head of ICC primarily and by the Senior
Management/Managing Director and CEO finally. Head of Audit will be appraised by the Chairman of the Audit
Committee solely.
4.9 Training and Development:
Training is a proven and effective instrument for human resources development. It plays a key role in developing
knowledge and skills to keep pace with the changes taking place all around and ever developing technology and also
works as a catalyst for attitudinal change of human beings. For this purpose all members/staff of the ICC should be
provided with appropriate and advanced training.
4.10.1 Home Training:
HR Training, Research & Development Division of Agrani Bank Limited conducts various training programs for the Executives/Officers/Staff to develop their risk based efficiency so that they can apply their knowledge and experience
in the bank regularly. Being apprised of updates on developments in their areas of responsibility, it is expected that they
have developed the necessary skills to perform their functions effectively. Basically the following trainings are provided
by HR Training, Research & Development Division:
4.10.2 Out Reach Training:
1. Internal Control and Compliance Risk Management
2. Internal Audit Compliance.
3. Internal Control Audit in Bank.
4. Agri Financing & Recovery.
5. Credit Risk Grading.
6. Compliance of Bangladesh Bank Inspection.
7. Compliance of Commercial Audit objections.
8. Any other relevant issues.
4.10.3 Abroad Training:
To keep pace with the changes taking place all around the globe and ever developing technology, Executives and
Officers should be sent abroad to attend various training courses, workshops, seminars, conferences and symposia to
acquire updated knowledge of modern banking.
4.11 Job Rotation:
a) Job Rotation within ICC:
Every auditor is to audit year to year until transferred from the Audit and Inspection Division to other divisions or branches. But if any auditor's auditing continues in the same branch or division three times or more, he may apply force or be biased by financial interest. Moreover, if the same auditor's auditing continues in a branch or division, he may be subject to familiarity threat, financial threat or review threat, and will not be able to audit
independently or fairly. The head of the Audit and Inspection Division will observe the circumstances before formation of
the audit team. He must set an audit team by rotation.
The head of the ICC will effect rotation among every employee among the three divisions (Audit and Inspection
Division, Audit Monitoring and Controlling Division and Audit Compliance Division) each to others. The head of Audit
and Inspection Division will observe the circumstances before formation of the audit team. He must set an audit team by
rotation.
b) Job Rotation within the Bank:
By executing the rotation of jobs in a branch or office or division, the manager/head of the office will be able to
check fraud and forgeries, maintain expertise development and increase accountability of the organization, so that the
daily assignment can be done properly.
The auditors will observe the job rotation in every branch or office or division during the period of audit. If the
branch manager/Zonal head needs to audit his branch based on a special issue, he/she will call upon the Head of ICC to
conduct a special audit.
4.12 Mandatory leave:
Criteria:
01) Mandatory leave will be sanctioned by the management at any time as required; no time limit will be
applicable in this case.
02) This leave cannot be claimed.
03) Leave sanction can only be changed by the management, employee cannot claim for alteration.
04) There will be no monetary sanction like 01 (One) month basic salary.
4.13 Recreational Leave
Criteria:
01) Employees are entitled to enjoy 15 (fifteen) days recreational leave after every 03 (three) years.
02) There will be monetary sanction like 01 (One) month basic salary.
03) It requires the approval of the management and provision of proper replacement.
04) It can be claimed and changed.
Chapter-Five
General Matter of Audit
5.0. Definition of Audit
Audit includes an examination of the books of accounts and other documents relating to the receipts and
expenditure of the government, statutory public authorities and public enterprises with a view to ensuring that rules and
orders framed by the competent authority in regard to financial matters have been followed, that sums due have been
properly assessed, realized and brought to account, that assets have been properly utilized and safeguarded and that the
accounts truly represent facts.
5.1. Objectives/Purpose of Audit:
The broad aim of Agrani Bank Limited audit is to safeguard the interest of the State and to promote transparency and accountability, along with sound economic and financial management practices. Towards that broad aim, the
auditors' objectives are to give an independent assessment of:
i) Whether the statements of accounts show a true and fair view of the financial position of the audited
body and its income and expenditure for the year in question and have been properly prepared in
accordance with appropriate rules and regulations;
ii) The adequacy of the audited body's arrangements to secure economy, efficiency and effectiveness in the use of resources;
iii) The adequacy of the audited body's financial management systems;
iv) The adequacy of the audited body's arrangements for preventing and detecting fraud, corruption and the
internal control framework generally;
v) The adequacy of the audited body's arrangements for ensuring the legality of transactions that might have a financial consequence;
vi) The adequacy of the audited body's arrangements for collecting, collating and recording accounting data and publishing financial statements and reports pursuant to appropriate rules and regulations.
vii)
5.2. Auditors Right:
The auditor should have the following rights:
• The right to access at all times to the bank's books of account, documents and vouchers.
• The right to require from the officers of the bank such information and explanation as the auditor considers necessary for the performance of his duties.
• Inquire into particular issues regarding loans and advance, transaction represented merely as book entries, sale of securities, treatment of personal expenses and share allotment.
• Recording to the members;
• Visiting branches and access to the branch accounts;
• Signing the audit report;
• The right to attend any general meeting of the company and to receive all notices relating to general meetings.
• The right to be heard at any general meeting on any matter which concerns him in his capacity as auditor.
• Receiving the remuneration and allowances.
• Posting of ICC staff should be taken consent from Head of ICC.
5.3 Responsibilities of the Auditors:
Responsibilities of internal auditors are as below:
• evaluates and provides reasonable assurance that risk management, control and governance systems are functioning as intended and will enable the organization's objectives and goals to be met;
• reports risk management issues and internal controls deficiencies identified directly to the audit committee and provides recommendations for improving the organization's operations, in terms of both efficient and effective performance;
• evaluates information security and associated risk exposures;
• evaluates regulatory compliance;
• evaluates the organization's readiness in case of business interruption;
• maintains open communication with management and the audit committee;
• Provides support to the bank's anti-fraud programs.
• Preparation of Branch Audit Rating (using specific format), where rating of the branch will be as Excellent, Very Good, Good, Satisfactory and Poor, according to score obtained by the branch.
5.4 Auditors Punishment
During the audit period, if the present audit team finds any lapses or irregularities which were not detected or identified by the previous auditor, that will be reported to the Head of ICC, and senior management will take punitive action against the
concerned auditor(s).
5.5 Basic principles to be followed by the auditors:
The auditor should comply with the Code of Ethics regarding professionalism. Ethical principles governing the professional responsibilities are:
• Independence;
• Integrity: Honesty, Truthfulness, Straightforwardness, Reliability;
• Objectivity: Impartiality, Independence, Neutrality;
• Confidentiality;
• Professional Competence and Due Care;
• Professional Behavior and Technical Standards.
5.6 Types of Audit:
1. Internal Audit
2. External Audit
i) Chartered Accountancy Firms Audit
ii) Government Commercial Audit
iii) Bangladesh Bank Inspection
iv) Functional Audit
5.7 Internal Audit
5.7.1 Definition of Internal Audit:
Internal control is the process, effected by a company's board of directors, management and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives in the effectiveness and efficiency of
operations, the reliability of financial reporting and compliance with applicable laws, regulations, and internal policies.
5.7.2 Principles of Internal Audit
A. Supervisory expectations relevant to the internal audit function
Principle 1:
An effective internal audit function provides independent assurance to the board of directors and senior management on
the quality and effectiveness of a bank's internal control, risk management and governance systems and processes, thereby helping the board and senior management to protect their organization and its reputation.
Principle 2:
The Bank's internal audit function must be independent of the audited activities, which requires the internal audit function to have sufficient standing and authority within the bank, thereby enabling internal auditors to carry out their
assignments with objectivity.
Principle 3:
Professional competence, including the knowledge and experience of each internal audit and internal auditors
collectively, is essential to the effectiveness of the bank's internal audit function.
Principle 4:
Internal auditors must act with integrity and diligence.
Principle 5:
The bank should have an internal audit charter that articulates the purpose, standing and authority of the internal
audit function within the bank in a manner that promotes an effective internal audit function as described in principle-1.
Principle 6:
Every activity (including outsourced activities) and every entity of the bank should fall within the overall scope of the
internal audit function.
Principle 7:
The scope of the internal audit function's activities should ensure adequate coverage of matter of regulatory interest within the audit plan.
Principle 8:
The bank should have a permanent internal audit function, which should be structured consistent with principle-14 when
the bank is within a banking group or holding company.
Principle 9:
The Bank's board of directors has the ultimate responsibility for ensuring that senior management establishes and maintains adequate, effective and efficient internal control system and, accordingly, the board should support the internal
audit function in discharging its duties effectively.
Principle 10:
The Audit committee, or its equivalent, should oversee the bank's internal audit function.
Principle 11:
The head of the internal audit department should be responsible for ensuring that the department complies with sound
internal auditing standards and with a relevant code of ethics.
Principle 12:
The internal audit function should be accountable to the board, or its audit committee, on all matters related to the
performance of its mandate as described in the internal audit charter.
Principle 13:
The internal audit function should independently assess the effectiveness and efficiency of the internal control, risk
management and governance system and process created by the business units and support functions and provide
assurance on these systems and processes.
Principle 14:
To facilitate a consistent approach to internal audit across the banks within a banking organization, the boards of
directors of banks within a banking group or holding company structure should ensure that either:
i) The bank has its own internal audit function, which should be accountable to the bank's board and should report to the banking group or holding company's head of the internal audit; or
ii) The banking group or holding company's internal audit function performs internal audit activities of sufficient scope at the bank to enable the board to satisfy its fiduciary and
legal responsibilities.
Principle 15:
Regardless of whether internal audit activities are outsourced, the board of directors remains ultimately responsible for
the internal audit function.
A. The relationship of the supervisory authority with the internal audit function
Principle 16:
Supervisors should have regular communication with the bank's internal auditors:
i) Discuss the risk areas identified by both parties,
ii) Understand the risk mitigation measures taken by the bank, and
iii) Monitor the bank's response to weaknesses identified.
B. Supervisory assessment of the internal audit function
Principle 17:
Bank supervisors should regularly assess whether the internal audit function has sufficient standing and authority within
the bank and operates according to sound principles.
Principle 18:
Supervisors should formally report all weaknesses they identify in the internal audit function to the board of directors and
recommend remedial actions.
Principle 19:
The supervisory authority should consider the impact of its assessment of the internal audit function on its evaluation of
the bank's risk profile and its own supervisory work.
Principle 20:
The supervisory authority should be prepared to take informal or formal supervisory actions requiring the board and
senior management to remedy any identified deficiencies related to the internal audit function within a specified time
frame and to provide the supervisor with periodic written progress reports.
5.7.3 Reporting:
The Head of Audit reports directly to the Audit Committee of the Board. Different divisions of the bank have existing
MIS; on the basis of MIS reports, management takes its decisions for the smooth operation of the bank. The reporting structure
for ICC depends upon the size and complexity of the business.
The Audit Division will prepare a report on individual inspection/audit programs within 15 days (except for items that need to be escalated immediately) and submit the same to the branch/business unit for rectification with a
copy to line management.
For low and medium risk items, findings will be reported to the MD/CEO.
For high-risk items, findings will be reported to the MD/CEO and the Audit Committee of the Board.
ICC will prepare an annual report on the health of the Bank to be submitted to the Board of Directors under
supervision of ACB for onward submission to Bangladesh Bank.
At the end of the year there should be a summary report on the audit findings and corrective actions taken, which should be forwarded to the Audit Committee of the Board and the Managing Director simultaneously.
5.7.4 Importance of internal audit:
The Internal Audit, to be effective, should provide three types of services, viz., Preventive, Protective and
Curative (PPC).
In its preventive role, it forewarns the management of an adverse situation in advance;
In its protective role, it protects the management by bringing the deficiencies to its notice in advance, before
the external auditors point them out; and
As a curative function, it suggests remedial measures, thereby acting as a catalyst for change and action.
5.8 External audit:
Role of External Auditors in evaluating internal control system:
a) External auditors by dint of their independence from the management of the bank can provide unbiased
recommendation on the strength and weakness of the internal control system of the bank.
b) They can examine the records, transactions of the bank and evaluate its accounting policy and methods of
financial estimation made by the bank; this will allow the board and the management to have an
independent overview on the overall control system of the bank.
5.8.1 Types of External audit:
1. Chartered Accountancy Firms Audit:
When more than one Chartered Accountancy firm is appointed by the Ministry of Finance (Finance Division)
Banking Wing from the enlisted/qualified list of Bangladesh Bank for a maximum period of three (03) years to
conduct the audit, it is called statutory/external audit.
2. Commercial audit:
Government Commercial Audit is another external audit, which is conducted by government auditors through the
CAG Office.
5.9 Concurrent audit in Agrani Bank Limited:
The role of concurrent audit has become very crucial and important for the bank in discharging duties properly and
efficiently, particularly for timely detection of irregularities and lapses, which helps in minimization of irregularities as
well as prevention of frauds.
In ABL, auditors of ICC will be deputed in Central Accounts Division, Principal Branch and 9 (Nine) big corporate
branches for performing concurrent audit.
One auditor having accounting background at the rank of Assistant General Manager with another two auditors will be
deputed in Central Accounts Division, one Assistant General Manager with two experienced auditors in Principal Branch
and one Assistant General Manager with two experienced auditors in each big Corporate Branch as follows:
Principal Branch: 1 AGM, 2 Auditors
Big Corporate Branch: 1 AGM, 2 Auditors
Central Accounts Division: 1 AGM, 2 Auditors
5.10 TOR of Concurrent audit:
Concurrent Auditors will constantly check and verify daily transactions and activities (i.e. vouchers, documents and
approvals) for errors, fraud, forgery and inefficiencies, and whether they ensure compliance with the rules and
regulations, policies and procedures issued by both the bank and the regulators.
The following are to be audited:
>Every expenditure related financial transaction.
>Pre-sanction activities
- Loan applied for in the prescribed form, duly filled up with sufficient information.
- Loan appraisal is proper.
- Legal opinion is favorable.
- Value of collateral is sufficient.
- Other relevant papers are collected.
>Documentation
- Charge documents are obtained as per sanction advice.
- Mortgage is proper.
>In case of installment basis loan
- Utilization of every installment is duly performed.
>Voucher Checking
- Daily vouchers are checked by the respective/assigned officer(s) against the computer generated print.
>General banking activities.
>Foreign Exchange / Foreign Trade activities:
- Requisite papers are obtained for L/Cs.
- L/C documents are tallied with the SWIFT message.
- Funded and non-funded loan activities.
- L/C approval process.
>The concurrent auditors will act as the back office of the respective Branch/Division.
5.11 Reporting of Concurrent Auditors
Concurrent auditors will report to the branch manager/CFO/Head of the division and the Head of ICC on a monthly basis. In case of major lapses, auditors will immediately report them to the reporting authorities.
5.12 Lapses
Lapses arise out of any kind of irregularities, misstatements, or non-compliance with the existing policies & procedures of the
bank or the law of the land, by which the bank may incur financial losses. Moreover, sometimes non-compliance with existing
policies & procedures may not cause any financial loss with immediate effect but can result in erosion of reputation. At
the same time, any malpractice in banking and any misuse of office and its funds are defined as lapses.
5.12.1 Types of Lapses:
Generally in Agrani Bank Limited the Auditors are instructed to classify the irregularities (Annexure-E) in three groups:
Minor Irregularities (MI);
Major Lapses (ML);
Serious Lapses (SL).
5.12.1.1 Minor Irregularities (MI):
Minor irregularities are ordinary lapses. They do not involve any major potential risk or loss for the bank. MI occur due to
ordinary carelessness of an employee. Auditors should try to rectify these irregularities as far as possible on the spot
and follow up with the Branch Manager till final rectification.
5.12.1.2 Major Lapses (ML):
Major Lapses are those lapses or irregularities which occurred, intentionally or unintentionally, by violating the rules,
regulations and laws set out by the regulatory authority, for which the bank faces potential financial risk at present or in the
immediate future. These lapses require quick action to safeguard the bank's interest.
5.12.1.3 Serious Lapses (SL):
Serious Lapses are those types of lapses which have already occurred and from which the bank has been suffering or is about to suffer
financial loss.
The following are included in SL:
Fraud and forgery occurring in any transaction;
Any kind of irregularities which indicate chances of loss or chances of manifold potential loss in the near future;
Any irregularities or lapses which require instant/immediate administrative action by the higher authorities.
5.13 Punishment:
Punishment is an action to be taken by the management of the bank for lapses/offences committed by employees
of Agrani Bank Limited. Punishable offences are activities for which higher management considers taking
administrative action. Auditors should detect the level or quantum of lapses/offences and report to higher management.
5.14 Reward / Incentive for Auditors:
Auditors will be rewarded for performing extraordinary work during the audit period, such as identifying frauds or forgeries
and thereby reducing huge financial losses of the bank. In those cases auditors will be eligible to get
a reward/incentive from the bank. Both auditors and the bank will benefit financially if this kind of reward/incentive
system is introduced.
5.15 System Audit Software:
The banking sector is today's challenging service sector. The present age is the age of automation, and the banking world is now totally IT oriented. To cope with the international standard, Agrani Bank Limited runs the real-time online
software T-24. Online software is quicker and ensures fair transactions. It also increases risks day by day. So, the bank
needs system audit software.
5.16 Wrap-up Meeting of Audit & Inspection
During an audit some irregularities are to be rectified on the spot. The audit team must give emphasis to rectification of
errors or omissions on the report. In light of that, on the closing day of the audit there must be a meeting with the head of the
Branch/Office. In this meeting a general discussion will be held on the objections raised by the auditors during the audit
period. If the branch office can satisfy the auditor, then on the basis of consensus the objections may be settled, while the
unsettled objections are brought into the audit report. Audit objections raised are also disclosed to the Branch Management
in the wrap-up meeting.
Chapter-Six
IT Audit
6.1 Definition of IT Audit
An information technology audit, or information systems audit, is an examination of the management controls within
an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems
are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or
objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form
of attestation engagement.
IT audits are also known as "automated data processing (ADP) audits" and "computer audits". They were formerly called
"electronic data processing (EDP) audits".
6.2 Purpose/Objectives of IT Audit
The primary function of an IT audit is to evaluate the systems that are in place to guard an organization's information. Specifically, information technology audits are used to evaluate the organization's ability to protect its
information assets and to properly dispense information to authorized parties. The IT audit aims to evaluate the following:
Will the organization's computer systems be available for the business at all times when required? (known as availability)
Will the information in the systems be disclosed only to authorized users? (known as security and confidentiality)
Will the information provided by the system always be accurate, reliable, and timely? (measures the integrity)
In this way, the audit hopes to assess the risk to the company's valuable asset (its information) and establish methods of
minimizing those risks.
6.3 Types of IT Audits
Others describe the spectrum of IT audits with five categories of audits:
a) Systems and Applications.
b) Information Processing Facilities.
c) Systems Development.
d) Management of IT and
e) Enterprise Architecture: Client/Server, Telecommunications, Intranets, and Extranets
And some lump all IT audits as being one of only two types: "general control review" audits or "application control
review" audits.
Chapter- Seven
Miscellaneous
7.1 Inspection Concluding Meeting (Account Finalization)- Finalization Of Quick Summary Report/ Annual Accounts
In line with section 38 of BCA-1991(revised up to 2013) banks have to finalize their annual account statements.
In compliance with the governor's order dated 29/07/2012, the BB inspection team has to finalize its observations that are
required to be reflected in the concurrent financial statements of the bank. To impel the external auditor to
reflect the issue(s) in the same vein as the inspection observations, there should be a meeting between the external auditor
and the management of the bank in the presence of the BB inspection team.
7.2 Special Board Meeting On Compliance Of Annual Inspection Report Of Bangladesh Bank
To bring the BB inspection observations and compliance thereof to the knowledge of the Board of Directors, banks were advised to arrange a board meeting in the presence of BB inspection officials and the management of the bank as per
the instruction contained in DBI-2 circular no-01 dated 12/03/2009. In such a meeting the external auditor should remain
present.
7.3 Liaison Meeting
To ensure the regular compliance, BB inspection departments may ask to participate and explain their position on the
relevant issues such as timely compliance and material changes in operational and portfolio