Agrani Bank Limited
Agrani Bank Bhaban
9D, Dilkusha Commercial Area, Dhaka-1000, Bangladesh
www.agranibank.org

INTERNAL CONTROL AND COMPLIANCE POLICY & PROCEDURES-2016
[Risk Based Internal Audit Manual, Audit Compliance Manual, Audit Monitoring and Controlling Manual and IT Manual]

(Approved in the 481st Board of Directors' Meeting held on 28/11/2016)

[As per 481st Board of Directors' meeting, dated: 28/11/2016 ratification on Audit Committee decision, memo no. , dated: 09/11/2016 regarding amendment in different section of this policy is formed and would be treated as ICC Policy and Procedures-2016.]


  • ICC Policy and Procedures 2016

    Preface

    Banking has evolved into a diversified and complex financial activity which is no longer limited within the geographic boundaries of a country. The issues of effective internal control systems, corporate governance, ethical banking, transparency and accountability and regulatory compliance have become a prime need for high-level performance.

    Banking operations involve both inherent and acquired risks in the pursuit of value creation. To avoid the complexities and risk arising out of those activities, some sort of internal corrective measures must be there. Internal control is now being termed as an integral part of the daily activities of a bank, assuring the Bank's management and stakeholders that the Bank's service delivery systems are efficient, safe and compliant with all their expectations. Further, audit activities are the most important means of reinforcing control systems through the regular review of operations.

    An effective Internal Control System results in better risk management practices in terms of identification, management, monitoring and mitigation of risks. This ensures reliable financial and managerial information that promotes better strategic decisions for a bank. Internal Control and Compliance (ICC) ensures compliance with laws and regulations, policies and procedures issued by both the bank management and the regulators. ICC enhances confidence in the bank and facilitates risk based bank examination. Risk management and control are not a burden on business; rather, this is one of the scientific means by which business opportunities are maximized and potential losses associated with unwanted events are reduced.

    In this manual the procedures, rules and guidelines are assembled in such a way that the related officials can easily use it as a reference manual in discharging their duties and responsibilities perfectly and efficiently.

    This manual will ensure uniformity and consistency in audit compliance procedure and establish a set of standards in this regard.

    This Manual reflects the hopes and aspiration of Bangladesh in "Internal Control and Compliance" system of Agrani Bank Limited. Here nothing is new; rather everything is to fulfill the requirement of Audit.

    Considering the changing environment of banking business and the requirement of Bangladesh Bank for reviewing the policy every year, ABL management has taken the decision to amend some paras of the ICC Policy as well as the Manuals. ABL's Board-nominated Audit Committee has approved those amendments, and they are incorporated in the ICC Policy and Manuals.

    I sincerely believe that this manual will strengthen the Internal Control and Compliance system of our Bank. This will play a vital role towards achieving our goal for a modern and vibrant Agrani Bank Limited.

    Thanks are due to all concerned Executives and Officers who have put their sincere efforts to prepare this manual.

    INDEX

    Chapter Subjects Page

    No.

    A. Internal Control & Compliance (ICC) Policy

    Chapter One Universal Discussion of ICC

    1.1 Mission Statement 07

    1.2 Vision Statement 08

    1.3 Executive Declaration 08

    1.4 Preamble 09

    Chapter Two Policy Guideline and Responsibilities

    2.1 Internal Control 10

    2.2 Components of Internal Control 10

    2.3 Internal Control Environment 10

    2.4 Objective of Internal Control 10

    2.5 Control Activities and Segregation of Duties 10

    2.6 Corrective measures to be taken by ICC 11

    2.7 Scope of Internal Control and Compliance System 11

    Chapter Three Policy Guideline for Internal Control

    3.0 Policy Guideline 12

    3.1 Responsibility of the Board of Directors 12

    3.1.1 Responsibility and power of the Board of Directors 12

    3.2 Structure & Responsibility of the Audit Committee of the Board 13

    3.2.1 Organizational Structure 13

    3.2.2 Qualification of the members of the Audit Committee 13

    3.2.3 Roles & Responsibilities of the Audit Committee 13

    3.3 Responsibility of the Senior Management 15

    3.3.1 Function of the Senior Management Team 15

    3.3.2 Management Reporting System 15

    3.4 Role of External Auditors 15

    3.5 Dispute Settlement 15

    Chapter Four ICC Related Issues

    4.0 Introduction 16

    4.1 The Organizational Structure of ICC 16

    4.2 Structure of ICC 16

    4.3 Departmental Charter of ICC 18

    4.4 Standards of the Best Professional Practices 18

    4.5 Head of ICC 19

    4.5 (a) Head of ICC 19

    4.5 (b) Head of Audit 19

    4.6 Roles & Responsibilities of Internal Auditors 19

    4.7 Auditors' Ethics & Qualifications 19

    4.7.1 Auditors' Qualifications 19

    4.7.2 Internal Auditors' Ethics 19

    4.8 Appraisal of ICC Officials 19

    4.9 Training and Development 19

    4.10 4.10.1 Home Training 20

    4.10.2 Out Reach Training 20

    4.10.3 Abroad Training 20

    4.11 Job Rotation 20

    4.12 Mandatory Leave 20

    4.13 Recreational Leave 20

    Chapter Five General Matter of Audit

    5.0 Definition of Audit 21

    5.1 Objectives of audit 21

    5.2 Auditors Right 21

    5.3 Responsibilities of the Auditors 21

    5.4 Auditors punishment 22

    5.5 Basic Principles of Auditors 22

    5.6 Types of audit 22

    5.7 Internal Audit 22

    5.7.1 Internal Audit 22

    5.7.2 Principles of internal audit 22

    5.7.3 Reporting 24

    5.7.4 Importance of internal audit 24

    5.8 External audit 24

    5.8.1 Types of External audit 24

    5.9 Concurrent Audit 25

    5.10 TOR of Concurrent Audit 25

    5.11 Reporting of Concurrent Auditors 25

    5.12 Lapses 25

    5.13 Punishment 26

    5.14 Reward/Incentive for Auditors 26

    5.15 System Audit Software 26

    5.16 Wrap-up Meeting 26

    Chapter Six IT Audit

    6.1 Definition of IT Audit 27

    6.2 Purposes/Objectives of IT Audit 27

    6.3 Types of IT Audit 27

    Chapter Seven Miscellaneous

    7.1 Inspection Concluding meeting (Account finalization)-finalization of quick summary report/annual accounts 28

    7.2 Special Board Meeting on compliance of annual inspection report of Bangladesh Bank 28

    7.3 Liaison meeting 28

    7.4 Self-assessment anti-fraud internal control of the bank 28

    7.5 Sharia Based Audit 28

    B AUDIT PROCEDURES

    [Risk Based Internal Audit Manual, Audit Compliance Manual Audit

    Monitoring and controlling Manual and IT Audit Manual]

    A. Risk Based Internal Audit Manual

    Chapter One Audit Procedures

    1.0 Introduction 29

    1.1 Audit procedures 29

    1.2 Master Audit Plan 29

    1.3 Preparation of Audit Plan 29

    1.3.1 Prioritization for audit 29

    1.3.2 Formation of Audit Team 30

    Chapter Two Control Risk assessment

    2.1 Assessing Business and Control Risk 31

    2.1.1 Internal factors 31

    2.1.2 External factors 31

    2.2 Risk Model Construction 31

    2.3 Risk Recognition & Assessment 31

    2.4 Risk Analysis of Control Functions 32

    2.5 Risks Based Internal Audit (RBIA) 32

    2.5.1 Steps in adopting Risk Based Internal Audit 32

    2.5.2 Development of Formats For Risk Assessment 32

    2.5.3 Risk Assessment of Branch as a whole 32

    2.6 Conduct of on-site Audit and Report findings 34

    2.6.1 Conduct of offsite risk assessment of branch 34

    2.6.2 Risk Rating Frequency Sample Volume 35

    Chapter Three Core Risk Management

    3.1 Core Risk 36

    3.1.1 Credit Risk 36

    3.1.2 Asset Liability Risk 37

    3.1.3 Foreign Exchange Risk 38

    3.1.4 Internal Control & Compliance Risk 38

    3.1.5 Money Laundering Risk 39

    3.1.6 Information and Communication Technology (ICT) Risk 39

    3.1.7 Environmental & Social Risk 40

    Chapter Four Concept of Inspection

    4.1 Definition of Inspection 41

    4.2 Objectives of Inspection 41

    4.3 Types of Inspection 41

    4.4 Functions of Inspection 41

    4.5 Audit & Inspection Procedures used in Agrani Bank Ltd 41

    4.6 Outline of Inspection function 41

    4.7 Rules to be followed during inspection 42

    4.8 Reporting procedures/ Rules 42

    4.9 Follow up procedures of Inspection Report 42

    B. IT Audit Manual

    Chapter One

    1.1 IT Audit Process 43

    1.2 IT Audit Role 43

    1.3 Risk Assessment 52

    C. Audit Monitoring and Controlling Manual

    Chapter One Introduction And Monitoring System

    1.1 Monitoring 62

    1.2 Monitoring Activities and Corrective Measures 62

    1.3 Objectives of Monitoring Department 62

    1.4 Application of monitoring system 62

    1.4.1 Departmental Control Function Checklist (DCFCL). 63

    1.4.2 Loan Documentation Checklist 63

    1.4.3 Quarterly Operations Report 63

    1.5 Annual ICC Report on the health of the Bank 63

    1.5.1 Annual Integrated Health Report 63

    1.5.2 Objectives of Annual Health Report 63

    1.5.3 Methodology of Assessing Health 63

    1.5.4 Frequency of Health Analysis 64

    1.5.5 Reporting Line & Its Approval process 64

    D. Audit Compliance Manual

    Chapter One Compliance

    1.1 Definition 65

    1.2 Overview 65

    1.3 Compliance Process 65

    1.4 Regulatory Compliance 66

    1.5 Independence of Compliance Functions 67

    1.6 Roles and Responsibilities of different Parties 67

    1.6.1 Responsibilities of the Management for Compliance 67

    1.6.2 Responsibilities of the Board of Directors for Compliance 67

    1.6.3 Responsibilities of the Senior Management for Compliance 68

    1.6.4 Responsibilities of the Head of Compliance 68

    1.6.5 Responsibilities of Audit Committee 68

    1.6.6 Responsibilities of the Risk Management Committee 68

    1.6.7 Responsibilities of the Internal Auditors 68

    1.7 Functions of Compliance 69

    Chapter Two Different System of Compliance

    2.1 Establishment of a Compliance culture 70

    2.2 Types of Compliance 70

    2.2.1 Internal Audit Compliance 70

    2.2.2 Instruction regarding audit Compliance 70

    2.2.3 Definition of Nirikha Paripalan Patra -1 70

    2.2.4 Compliance with Nirikha Paripalan Patra-1 70

    2.2.5 Definition of NIPP-2 (ka) 70

    2.2.6 Definition of NIPP-2 (kha) 71

    2.2.7 Compliance with response to Nirikha Paripalan Patra-2 71

    2.3 Internal audit objections settlement and file close 71

    2.3.1 Internal audit objections settlement and file close 71

    2.3.2 Settlement of Minor Irregularities and file close 72

    2.3.3 Settlement of Major Lapse and file close 72

    2.3.4 Settlement of Serious Lapse and file close 72

    2.4 Issuing DO Letter: 72

    2.5 Placement of Special Note 72

    2.6 Govt. Commercial Audit Compliance 73

    2.6.1 Monitoring and follow up 73

    2.6.2 Commercial audit objections settlement and file close 74

    2.7 Bangladesh Bank Inspection Compliance 74

    2.7.1 Bangladesh Bank Inspection objections settlement & file close 74

    2.8 Special Inspection on specific issue 75

    2.9 Inspection regarding Foreign Trade Transaction 75

    2.10 External audit Compliance 75

    2.11 Settlement of objections raised by Audit Firm appointed by Board and file close 75

    2.12 Audit Clearance 75

    2.13 Conclusion 76

    Annexure 78

    Chapter-One

    Universal Discussion of ICC

    1.1. Mission Statement

    To ensure corporate governance, accountability, integrity, transparency and regulatory compliance in the operation of the Bank within the stringent framework to achieve the International Standard of Banking.

    1.2. Vision Statement

    To keep the Banking operation accurate and efficient in line with the best International practices.

    1.3 Executive Declaration

    A new (amended) "Guidelines on Internal Control and Compliance-2016" has been circulated by Bangladesh Bank vide BRPD circular no-03 dated 08/03/2016, giving the reference of BRPD circular no-17 dated 07-10-2003, followed by further amendment vide BRPD circular no-06 dated 04/09/2016. The amendments were made with a view to minimizing risks more effectively in the day-by-day growing banking business. The task was performed by a team nominated by Bangladesh Bank. The team comprised Bangladesh Bank executives and three executives of scheduled banks.

    Committee for Updating the Guidelines

    Mohd. Humayun Kabir, GM, DBI-3-Convener

    Md. Rezaul Islam, DGM, BRPD-Member

    Md. Obaidul Hoque, DGM, DBI-4-Member

    Jiban Krishno Roy, DGM, DBI-4-Member

    Dipankar Bhattacharjee, DGM, DBI-1-Member Secretary

    Md. Mahbubul Haque, DGM, DBI-3-Member

    Mirza Abdul Mannan, Joint Director, DBI-2-Member

    Md. Habibur Rahman Bhuiyan, DMD, Islami Bank Bangladesh Ltd-Member

    Md. Hafizur Rahman, DGM, Agrani Bank Ltd-Member

    Gautam Prosad Das, SEVP, Mutual Trust Bank Ltd-Member

    In light of the above Guidelines on Internal Control and Compliance (ICC) and under the guidance of General Manager and Head of ICC Md. Monowar Hossain, Md. Hafizur Rahman, DGM, Audit Monitoring Division has given effort for the preparation of this ICC Policy & Procedure-2016 [Internal Audit (Risk Based) Manual, Audit Compliance Manual, Audit Monitoring and Controlling Manual and IT Manual], which will be effective from September 2016.

    1.4. Preamble

    1.4.1 Economy of Bangladesh has got a momentum of transition towards a great uplift for development. The banking

    sector is playing a pivotal role in this context. In such a time stringent banking practice in line with the best

    International practices is a crying need.

    1.4.2 A major risk inherent in the banking sector is systematic risk that causes the bank regulators to have concerns

    with the operations of each individual bank. As such, the regulatory body gives priority to attain a high quality banking

    operations of all banks in terms of managing the key banking risks, establishing an adequate compliance culture and

    having satisfactory information disclosure system.

    1.4.3 Effective Internal Control System results in better risk management practices in terms of identification,

    management, monitoring and mitigation of risks. It ensures reliable financial and managerial information that promote

    better strategic decision for a bank.

    1.4.4 Banking is a diversified and multifarious financial activity which involves different risks. The issues of effective

    internal control system, good governance, transparency of all financial activities, accountability towards its stakeholders

    and regulators have become momentous to ensure smooth performance of the banking industry. An effective

    internal control and compliance system has become essential in order to underpin effective risk management practices and

    to ensure smooth performance of the banking industry. In general, internal control is identified with internal audit;

    but the scope of internal control is not limited to audit work. Internal control by its own merit identifies the risks

    associated with the process and adopts measures to mitigate or eliminate these risks. Internal Audit, on the other

    hand, reinforces the Control system through regular review of the effectiveness of the controls.

    1.4.5 The single greatest factor contributing to operational failure in banks is the lack of adequate internal control.

    Bangladesh has witnessed a considerable growth in banking sector. A persistent moderate economic growth rate, high

    degree of competition in the banking sector, speedy urbanization rate has gradually transformed our banking sector to a

    large and vibrant one. The nature and magnitude of business as well as the degree of competition in the banking industry

    has increased manifold in recent years.

    1.4.6 The responsibility of implementing internal controls starts with the business lines, which are the "first lines of defense" against breaches that could cause the bank not to fulfill its objectives, not to report properly, or not to comply with laws and regulations. Beyond that, in any bank, the three important "control functions" are risk management, compliance, and internal audit. This triumvirate of key functions is underpinned by, and in turn implements and reinforces, the system of internal controls. The first two of these control functions constitute the "second lines of defense" against mishaps. The final, or "third line of defense", is the internal audit function.

    1.4.7 An effective internal control system requires that there are reliable information systems in place that cover

    all significant activities of the bank. A system of strong internal controls can help ensure that the goals and

    objectives of a banking organization will be met, that the bank will achieve long-term profitability targets, and

    maintain reliable financial and managerial reporting.

    1.4.8 Internal controls are particularly crucial elements of a risk management program. An essential part of the internal control framework is periodic testing to determine how well the framework is operating, so that any required remedial actions can be taken. The frequency of testing should be risk-based and should involve, as appropriate, sample transaction testing, the sample size (commonly known as audit plan) being determined by volume and the degree of risk of the activity.

    CHAPTER-TWO

    Internal Control

    2.1 Definition

    Internal control is a process, rather than a structure. It is not a separate activity disconnected from the rest of business activities; rather, it is an integral part of those activities. It is a dynamic, continuing series of activities planned, implemented and monitored by the board of directors and management at all levels within an organization.

    Internal control is the process, effected by the entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives of the management in the effectiveness and efficiency of operations, the reliability of financial reporting and compliance with applicable laws, regulations and internal & external policies.

    2.2 Components of Internal Control

    1. Control environment;

    2. Risk assessment;

    3. Control activities;

    4. Information and communication;

    5. Monitoring.

    2.3 Internal Control Environment

    The control environment reflects the overall attitude, awareness and actions of the board and management concerning the importance of internal control. It is the framework under which internal controls are developed, implemented and monitored. It consists of the mechanisms and arrangements that ensure internal and external risks to which the bank company is exposed to. Control environment factors include integrity, ethical values and competence of the employees, management's philosophy and operating style, the way management assigns authority and responsibility and how it organizes and develops its human resources.

    The appropriate and effective internal controls are developed and implemented to soundly and prudently manage these risks; reliable and comprehensive systems are to be put in place to appropriately monitor the effectiveness of these controls. The factors which together comprise the control environment are:

    A board of directors that is actively concerned with sound corporate governance and that understands and diligently discharges its responsibilities by ensuring that the bank is appropriately and effectively managed and controlled;

    A management that actively manages and operates the bank in a sound and prudent manner;

    Organizational and procedural controls supported by an effective management information system to soundly and prudently manage the bank's exposure to risk; and

    An independent audit mechanism to monitor the effectiveness of the organizational and procedural controls.

    2.4 Objective of Internal Control

    The primary objective of Internal Control System of Agrani Bank Limited is to help the bank to perform better through

    the use of its resources. There are mainly three objectives of Internal Control and Compliance. They are as follows:

    1. Performance objectives : Efficiency and effectiveness of activities.

    2. Information objectives : Reliability, completeness and timeliness of financial and management information.

    3. Compliance objectives : Compliance with applicable Laws and Regulations.

    2.5 Control Activities and Segregation of duties

    Control activities are the most tangible internal controls that the Internal Audit function will concentrate on to a large

    degree. The auditor will be concerned with understanding whether a control prevents an error or detects and corrects an

    error. Control activities may be manual or, if relevant, where processes are computerized then they may also have

    specific IT control activities.

    An effective internal control system requires that an appropriate control structure be set up with control activities defined at every business level, i.e. top level review; appropriate activity controls for different departments or divisions; physical controls; checks for compliance with exposure limits and follow-up on non-compliance; a system for approvals and authorizations; and system verification and reconciliation.

    Control activities involve two steps:

    I. The establishment of control policies and procedures and

    II. Verification that the control policies and procedures are being complied with.

    Senior management should ensure that adequate control activities are integral parts of the daily functions of all relevant personnel; this enables quick response to changing conditions and avoids unnecessary costs. Control

    activities are most effective when they are viewed by management and all other personnel as an integral part of

    daily activities rather than an addition to it.

    One of the most important aspects of an internal control system is an appropriate segregation of duties and personnel who are not assigned conflicting responsibilities.

    Furthermore, employees must also be provided with necessary authority, and they should be held accountable for their actions in compliance with delegated authority. Exceeding their authority or failing to exercise their

    rightful authority should both be sanctioned.

    For employees to carry out their responsibilities properly, each employee should have an appropriate job description.

    Areas of potential conflicts of interest should be identified, minimized, and subject to careful independent monitoring.

    2.6 Corrective Measures To Be Taken By Internal Control And Compliance:

    i. Effectiveness of the bank's internal control should be monitored on an ongoing basis. Key/High risk items should be identified and monitored as part of daily activities;

    ii. There should be an effective and comprehensive internal audit of the internal control system carried out by

    operationally independent, appropriately trained and competent staff specially designated by the management.

    The significant deficiencies identified by the audit team should be reported to the board on a periodic basis;

    iii. Internal control deficiencies, whether identified by business lines, internal audit or other control personnel

    should be reported in a timely and prompt manner to the appropriate management level and addressed

    immediately;

    iv. Material internal control deficiencies should be reported to senior management and BoD with recommendations

    where necessary. However it should be noted that consideration should be given to major financial exposure or

    loss, significant process lapses, serious employee misconduct etc.;

    v. The Head of Audit would have a direct reporting line with Audit Committee of the board.

    2.7 Scope of Internal Control and Compliance System:

    Head Office of the Agrani Bank Limited comprises 36 Divisions. As per geographical demarcation, there are 11 Circle

    Offices. Under these Circle Offices there are 62 Zonal Offices. These Zonal Offices are controlling 905 branches. Total

    number of branches is 932 (as on June/2016). Among these branches there are 40 Authorized Dealer (AD) branches and

    within those 27 Corporate Branches. Moreover there are 5 Islamic Windows for shariah based Islamic Banking and also

    6 Subsidiaries. Those are:

    1. Agrani Exchange House Pvt. Ltd. Singapore

    2. Agrani Remittance House Sdn. Bhd. Malaysia

    3. Agrani Equity & Investment Limited.

    4. Agrani SME Financing Company Limited.

    5. Agrani Exchange Australia Company Pvt. Ltd.

    6. Agrani Remittance House Canada Inc., Canada

    ICC will ensure the effectiveness of the Internal Audit and Inspection, Issue based Audit and Special Audit for each and every branch, office, window and subsidiary of Agrani Bank Limited. With the help of the administration of the Bank, the ICC will ensure punishment of the concerned guilty person.

    They will also arrange audit compliance of the said internal audit as well as External audit (viz. Bangladesh Bank Inspection, Commercial audit, functional audit, appointed audit firm) effectively and efficiently.

    Chapter-Three

    Policy Guidelines for Internal Control

    3.0 Policy Guidelines

    In addition to any existing relevant legislation, the following statements of policies and procedures relevant to internal

    control are to be meticulously implemented by the bank, and adherence to which is reviewed by the Internal Audit and

    Compliance functions:

    1. Credit Policy Manual

    2. Operation Manual

    3. Finance and Accounting Manual

    4. Treasury Manual

    5. HR Policy Manual

    6. Internal Control and Compliance Manual

    7. IT Audit Manual

    8. Payment System Manual

    9. Guidelines on Anti Money Laundering and Terrorist Financing.

    10. Agent Banking Manual

    11. Green Banking Manual

    12. Guidelines for Foreign Exchange Transactions

    13. ICT- Manual

    3.1 Responsibilities of Board of Directors (BoD)

    The responsibility of the Board of Directors in respect of implementing a modern, scientific and acceptable Internal Control and Compliance Process in a Bank has been described in Banking Companies Act, 1991 Rule 15 (Kha) and exclusively in section 15 (Ga). As per prudential guidelines of Bangladesh Bank, the responsibilities of the Board of Directors of the bank are enumerated below:

    The Board shall be observant on the internal control system of the Bank in order to accomplish a satisfactory standard of its portfolio. The Board will form an Audit Committee with such directors who are not the members

    of Executive Committee of BoD and a Risk Management Committee from its members.

    The Board will also establish such an Internal Control System so that the whole Internal Audit process can work independently from the management which will directly report to the Audit Committee of the Board.

    The BoD shall review the reports submitted by its audit committee on quarterly basis regarding compliance of recommendations made in internal and external audit reports and as well as Bangladesh Bank inspection reports.

    In addition to the above the following responsibilities will also be observed by the BoD:

    They should set up an organizational structure of Internal Control and Compliance (ICC) Division in such a way that, it should have no conflict of interest with the regular management of the bank and fulfill the requirements

    as directed in the Rule 15 (Ga) (1) of BCA 1991 for establishing and maintaining effective internal control and

    risk management having regard to the complexity of the activities of the bank, its size, scope of operations and

    risk profile;

    The Board of directors should, at least annually, conduct a review meeting about the effectiveness of internal control process and report to the shareholders accordingly;

    The Responsibilities of Board of Directors (BoD) of the Bank are given in BRPD Circular No.11 dated 27-10-2013 of

    Bangladesh Bank, from which Internal Control and Compliance related responsibilities are enumerated below:

    3.1.1 Responsibilities and power of BoD:

    a) Action plan and strategic management:

    i. BoD will set goals and objectives of the bank and prepare an annual action plan;

    ii. In the annual report of the bank, BoD will incorporate successes and failures of the goals and objectives elaborately, which will be the basis of future planning and strategies. This is to be disclosed to the shareholders;

    iii. The BoD will review different policies of the bank annually; if any changes are required, the concerned division will take approval from the BoD.

    b) Credit Management:

    i. Under the purview of existing laws and regulations, every credit/investment proposal evaluation, sanction and disbursement, loan recovery, rescheduling and write-off policies etc. will be approved by BoD.

    ii. At the implementation level, the above rules and policies regarding risk management will be assessed quarterly. In the evaluation process, BoD will observe whether risk management principles of Bangladesh Bank are followed or not.

    c) Internal Control:

    To ensure sustainable quality investment, BoD will keenly oversee the internal control system of the bank. It will also ensure internal audit activities are performed independently. These will be evaluated on quarterly basis. BoD will ensure compliance of all laws and regulations that are circulated by various regulatory authorities like Bangladesh Bank, Ministry of Finance, Security and Exchange Commission etc.

    d) Human Resource Management (HRM) and Development:

    i. All policies regarding HRM will be approved by BoD.

    ii. For the development of HRM, BoD will give emphasis to the arrangement of training for bank personnel. This training will help them to implement IT based MIS and correct assessment for quality loans and investments.

    iii. BoD will prepare a Code of Ethics for employees.

    3.2 Structure and Responsibilities of the Audit Committee of the Board (BRPD Circular-11 dated 27/10/2013)

    The board will approve the objectives, strategies and overall business plans of the bank and the audit committee will assist the board in fulfilling its oversight responsibilities. The committee will review the financial reporting process, the system of internal control and management of financial risks, the audit process, and the bank's process for monitoring compliance with laws and regulations and its own code of business conduct.

    3.2.1 Organizational Structure:

    i. Members of the committee will be nominated by the board of directors from the directors;

    ii. The audit committee will comprise a maximum of 05 (five) members, with a minimum of 2 (two) independent directors;

    iii. The audit committee will comprise directors who are not executive committee members;

    iv. Members may be appointed for a 03 (three) year term of office;

    v. The company secretary of the bank will be the secretary of the audit committee.

    3.2.2 Qualification of the Members of the Audit Committee:

    i. Integrity, dedication, and opportunity to spare time for the functions of the committee will have to be considered while nominating a director to the committee;

    ii. Each member should be capable of making valuable and effective contributions to the functioning of the committee;

    iii. To perform his or her role effectively, each committee member should have an adequate understanding of the detailed responsibilities of committee membership as well as the bank's business, operations and its risks.

    iv. Professionally experienced persons in banking/financial institutions, especially those having educational qualifications in Finance, Banking, Management, Economics or Accounting, will get preference in forming the committee.

    3.2.3 Roles and Responsibilities of the Audit Committee

    i. Internal Control:

    1. Evaluate whether management is setting an appropriate compliance culture by communicating the importance of internal control and the management of risk and ensuring that all employees have a clear understanding of their roles and responsibilities;

    2. Review management's actions in computerization of the bank and its applications and the Management Information System (MIS) of the bank.

    3. Consider whether internal control strategies recommended by internal and external auditors have been implemented by the management;

    4. Consider reports relating to fraud, forgery, deficiencies in internal control or other similar issues detected by internal and external auditors and inspectors of the regulatory authority and place them before the board after reviewing whether necessary corrective measures have been taken by the management.

    5. As the roles and responsibilities of the Board, Executive Committee, Credit Committee and Management Committee are of high impact and high frequency, ICC needs to take special care in order to identify lapses, especially in:

    (i) Sanction and rescheduling of loans & advances, interest waiver, write-off of loans, Director's loans, large loans, etc.

    (ii) Presenting the financial and non-financial position of the bank,

    (iii) Allowing perks, benefits, incentives etc.

    (iv) Procurement and disposal of assets/services/materials,

    (v) Managing risks and uncertainties in the bank.

    So ICC should meticulously examine the minutes and memos of Board/Executive Committee/Credit Committee/Management Committee meetings to assess whether memos were presented with proper and adequate information and decisions in minutes were carried out accordingly.

    ii. Financial Reporting:

    1. Audit committee will check whether the financial statements reflect complete and concrete information and determine whether the statements are prepared according to existing rules & regulations and standards enforced in the country and as per relevant prescribed accounting standards set by Bangladesh Bank;

    2. Discuss with management and the external auditors to review the financial statements before its finalization.

    iii. Internal Audit:

    1. Audit committee will monitor whether internal audit is working independently from the management.

    2. Review the activities and the organizational structure of the internal audit and ensure that no unjustified restriction or limitation hinders the internal audit process;

    3. Examine the efficiency and effectiveness of the internal audit function;

    4. Examine whether the findings and recommendations made by the internal auditors are duly considered by the management or not.

    iv. External Audit:

    1. Review the performance of the external auditors and their audit reports;

    2. Examine whether the findings and recommendations made by the external auditors are duly considered by the management or not.

    3. Make recommendations to the board regarding the appointment of the external auditors.

    v. Compliance with Existing Laws and Regulations:

    Review whether the laws and regulations framed by the regulatory authorities (Central Bank and other Bodies) and internal regulations approved by the board are being complied with.

    vi. Other Responsibilities:

    1. Submit compliance report to the board on a quarterly basis on regularization of the omissions, fraud and forgeries and other irregularities detected by the internal and external auditors and inspectors of regulatory authorities;

    2. External and internal auditors will submit their related assessment report, if the committee solicits;

    3. Perform other oversight functions as desired by the Board of Directors and evaluate the committee's own performance on a regular basis.

    vii. Meetings:

    1. The audit committee should hold at least four meetings in a year and it can sit any time as it may deem fit;

    2. The Committee may invite the Chief Executive Officer, Head of Internal Audit or any other Officer to its meetings, if it deems necessary;

    3. To ensure active participation and contribution by the members, a detailed memorandum should be distributed to committee members well in advance (at least three days) before each meeting;

    4. All decisions/observations of the committee should be noted in minutes.

    3.3 Responsibilities of Senior Management

    In setting out a strong control framework within the organization, the role of the Managing Director/CEO is very important.

    The Board of Directors of the Bank/Organization will define/form a Senior Management Team (SMT) that should include the MD/CEO and the Chief Financial Officer. Any officer that performs a policy making function or is in charge of a principal business unit/function may be a member of SMT. However, any executive of ICC audit should not be a member of SMT.

    The bank/organization should report the composition of the ECM (and updates thereto) to the Banking Regulation and Policy Department of Bangladesh Bank.

    3.3.1 Functions of Senior Management Team (SMT)

    Responsibilities of the SMT should include monitoring the adequacy and effectiveness of the Internal Control System based on the bank's established policy and procedure.

    The SMT will review on a yearly basis the overall effectiveness of the control system of the organization and provide a certification on a yearly basis to the Board of Directors on the effectiveness of Internal Control policy, practice and procedure. The management will enrich audit teams with adequate skilled manpower and proper IT support as per requisition of the ACB for purposeful and effective audit. The management will ensure compliance with all laws and regulations that are circulated by various regulatory authorities such as Bangladesh Bank, Ministry of Finance, Bangladesh Securities and Exchange Commission, etc. During the audit period, if the present audit team finds any lapse or irregularity which was not detected or identified by the previous auditor, then that will be reported to the Audit Committee.

    3.3.2 Management Reporting System

    - An effective internal control system requires that there is an efficient reporting system of information that is relevant to decision making. The information should be reliable, timely, accessible and provided in a consistent format.

    - Information would have to include external market information about events and conditions that are relevant to decision making. Internal information should include financial, operational and compliance data.

    - There should be appropriate committees within the organization which would evaluate data received through various information systems. This will ensure supply of correct and accurate information to the management.

    - Internal information must cover all significant activities of the bank. Electronic data must be secured, monitored independently and supported by contingency arrangements.

    - Most importantly, the channels of communication must ensure that all staff fully understand and adhere to policies and procedures affecting their duties and responsibilities and that other relevant information is reaching the appropriate personnel.

    3.4 Role of External Auditors in Evaluating Internal Control System

    - The Statutory Auditors, by dint of their independence from the management of the bank, must provide recommendations on the strengths and weaknesses of the internal control system of the bank and submit their findings in a management report.

    - They can examine the records and transactions of the bank and evaluate its accounting policy, disclosure policy and methods of financial estimation made by the Bank; this will allow the board and the management to have an independent overview of the overall control system of the bank.

    3.5 Dispute Settlement

    Any unresolved issue between SMT and ICC is to be referred to the Board of Directors through ECB and ACB respectively and then to Bangladesh Bank (if needed).

    Chapter-Four

    ICC Related Issues

    4.0 Introduction

    All departments, and all business lines, are responsible for developing and implementing controls and making sure that the controls are observed and not breached. Individual departments or business lines will be vigilant and will participate fully in the internal control regime, where ICC should act as the internal watchdog of the organization. The main concern of ICC is to look after whether the bank's machineries are acting as vanguards of its assets, reputation and depositors' interests. ICC will oversee whether the bank is following regulatory guidelines, institutional policies and procedures set and approved by the BoD, covering the related laws of the land, and whether there is any deficiency in internal policy and procedure.

    4.1 Organizational Structure/Organogram of ICC:

    For smooth functioning of internal control and compliance, the department will be comprised of three major Divisions, which are as follows.

    a) Audit and Inspection Division

    b) Audit Compliance Division

    c) Audit Monitoring and Controlling Division

    For convenience of action and effective administration, according to the nature of the bank, volume of work, number of branches (Rural, Urban, AD, Corporate), assets involvement, concentration of assets, risk involvement etc., the Audit Division and Compliance Division may be further divided into the following divisions:

    1. Audit & Inspection Division-1: To carry out audit on Branch/offices (Non-AD & SME/Agri. branches).

    2. Audit & Inspection Division-2: This Division will have two units:

    (a) Unit-1: To carry out audit on all AD, Corp. Br., Circle, Zonal Office, Subsidiaries & H/O (divisions).

    (b) Unit-2: To carry out specialized (IT/IS), Concurrent Audit and vigilance audit.

    3. Audit Compliance Division (External): To monitor compliance activities of branch and office under external audit (Bangladesh Bank Audit/Inspection, Commercial Audit, External Audit/statutory audit and other regulatory authorities).

    4. Audit Compliance Division (Internal): To monitor compliance activities of branch, office and subsidiaries under internal audit.

    5. Audit Monitoring and Controlling Division:

    (i) To verify the internal control system & operational activities by implementing DCFCL (Departmental Control Functional Check List), QOR (Quarterly Operation Report), and LDCL (Loan Documentation Checklist) at Branch level.

    (ii) To ensure timely and effective audit including ICT Audit by Internal Control Team.

    (iii) To assist Audit and Inspection Division in Risk Based Internal Audit by assessing department-wise risk (Off-site Analysis) with grading of all branches.

    (iv) To prepare and submit Self-Assessment of Anti-Fraud Internal Controls report and Bank's Health report to Bangladesh Bank.

    4.2 Structure of ICC

    There should be the Head of ICC's secretariat, which will consist of one (1) Deputy General Manager, one (1) Assistant General Manager, three (3) Senior Principal Officers, three (3) Principal Officers, three (3) Senior Officers and two (2) non-clerical staff. Each of the divisions is headed by a Deputy General Manager (DGM). Under the command of the DGMs of the different divisions of ICC, there will be 350 executives, officers and staff as shown in the Organogram given below. Transfer or posting of the executives, officers and staff from ICC to another division/branch/office must require the consent of the Head of ICC.

    All the divisional Heads of ICC will report to the Head of ICC. The Head of Audit Division would have a direct reporting line with the Audit Committee of the Board. Thus the Audit Committee of the Board will be the contact point for the ICC. On the other hand, for administrative purposes, the Head of ICC also has a direct reporting line to the Managing Director & Chief Executive Officer (MD & CEO) of the Bank.

    4.3 Departmental Charter of ICC

    The mission of the ICC is to provide independent objective assurance and advice designed to add value and improve the bank's operations. It will help the bank to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and transparent governance processes.

    The scope of work of the Department is to determine whether the Bank's network of risk management, control and governance processes, as designed and represented by management, is adequate and functioning in a manner to ensure:

    - Appropriate identification of risk.

    - Need-based interaction with the various governance groups.

    - Significant financial, managerial and operational information in an accurate, reliable and timely manner.

    - Employees' actions in compliance with policies, standards, procedures, laws and regulations.

    - Use of acquired resources economically, efficiently and adequately.

    - Achievement of programs, plans and objectives.

    - Fostering the quality and continuous improvement in the bank's control process.

    - Appropriate recognition and addressing of legislative and regulatory issues impacting the bank.

    Officers of ICC are authorized to:

    - Have unrestricted access to all functions, records, property and personnel.

    - The Head of Audit has full and free access to the Audit Committee.

    - Set frequencies, select subjects, determine scopes of work and apply the techniques required to accomplish audit objectives.

    - Obtain the necessary assistance of personnel in all departments of the bank where they perform audits/inspection as well as other specialized services from within or outside the bank.

    Officers of the ICC are not authorized to:

    - Initiate or approve accounting transactions other than the Internal Audit Department.

    - Direct the activities of any Bank officer not employed by the Internal Audit Department except to the extent such officers have been appropriately assigned to auditing/inspecting teams or to otherwise assist the officers of the Department.

    - Audit their own works performed in their previous Departments/Offices.

    4.4 Standards of Best Professional Practices

    In line with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the Bank for International Settlements (BIS), the following standards, among others, should be followed:

    - The internal audit function's control risk assessment, audit plans, and audit programs are appropriate for the bank's activities.

    - The internal audit activities have been adjusted for significant changes in the bank's environment, structure, activities, risk exposures, or systems.

    - The internal audit activities are consistent with the long-range goals and strategic direction of the bank and are responsive to its internal control needs.

    - The bank has promptly responded to significant identified internal control weaknesses.

    - The internal audit function is adequately managed to ensure that audit plans are met, programs are carried out, and results of audits are promptly communicated to senior management and members of the Audit Committee and full Board.

    - Work papers adequately document the internal audit work performed and support the audit reports.

    - The Audit Committee periodically assesses the performance of internal audit.

    - The internal audit function provides high-quality advice and counsel to management and the Board on current developments in the bank's internal control policies and procedure, and in the performance of the other control functions of the bank (Risk Management and Compliance).

    4.5 (a) Head of ICC

    As per BRPD circular letter no-03 dated 08/03/16 and circular letter no-06 dated 04/09/2016, the Head of ICC will be responsible for reporting of Internal Control and Compliance (ICC) and Monitoring activities of the bank to Senior Management/Managing Director and CEO. The rank of the Head of ICC to be lower than two steps immediate below the CEO. The Head of ICC will report his/her activities and findings to the Senior Management/Managing Director and CEO. Bangladesh Bank should arrange a conference of the ICC heads of all banks once a year to share their problems and experiences in discharging their responsibilities without undue influence of others.

    4.5 (b) Head of Audit

    The Head of Audit, although being a part of ICC administratively, shall report directly to ACB and will be responsible to the ACB. The Head of Audit may be at the rank of GM/DGM and would be a Professional Auditor.

    4.6 Role and Responsibilities of Internal Auditors

    Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

    The purpose, authority and responsibility of the internal audit activity should be formally defined in a charter consistent with the Auditing Standards approved by the ACB and the Board. The Internal Audit Charter of the bank defines the purpose, authority and responsibility of the Internal Audit Department. The internal audit activity should be independent and objective oriented.

    4.7 Auditors' Ethics & Qualifications:

    4.7.1 Auditors' Qualifications:

    General Auditor: Chartered Accountancy Course Completed, MBA/Masters with Commerce background, preferably a partly qualified Chartered Accountant, and also having banking knowledge.

    IT Auditor: BSc in Computer Science, with related software and hardware knowledge and preferably also banking knowledge.

    Other general requirements:

    a) Persons punished for a major offence and persons under disciplinary proceedings must not be posted in ICC. The track record of officers is to be checked and maintained before posting them in ICC.

    b) ICC people should have thorough professional knowledge and banking experience with a good academic background.

    c) Auditors posted in ICC should work at least five (5) years, and every officer of ABL should be posted at ICC at least once in his service tenure.

    4.7.2 Internal Auditors' Ethics:

    Internal auditors should be bold, honest and truthful. These qualities will be the basis for trust in the internal auditor's professional judgment. Internal auditors should keep strict confidentiality of information found during audit. They should not use such information for personal gain or malicious action and should be responsible for protection of such information. The Head of the internal audit and all internal auditors should avoid conflicts of interest. Internal auditors should abide by the bank's code of ethics. A code of ethics should address the principles of objectivity, competence, confidentiality and integrity.

    4.8 Appraisal of ICC Officials

    The Head of ICC will be appraised by the Senior Management/Managing Director and CEO. The Head of Compliance and Monitoring Division is to be appraised by the Head of ICC primarily and by the Senior Management/Managing Director and CEO finally. The Head of Audit will be appraised by the Chairman of the Audit Committee solely.

    4.9 Training and Development:

    Training is a proven and effective instrument for human resources development. It plays a key role in developing knowledge and skills to keep pace with the changes taking place all around and with ever developing technology, and also works as a catalyst for attitudinal change of human beings. For this purpose all members/staff of the ICC should be provided with appropriate and advanced training.

    4.10.1 Home Training:

    The HR Training, Research & Development Division of Agrani Bank Limited conducts various training programs for the Executives/Officers/Staff to develop their risk based efficiency so that they can apply their knowledge and experience in the bank regularly. Being apprised of updates on developments in their areas of responsibility, it is expected that they have developed the necessary skills to perform their functions effectively. Basically the following trainings are provided by the HR Training, Research & Development Division:

    4.10.2 Out Reach Training:

    1. Internal Control and Compliance Risk Management

    2. Internal Audit Compliance.

    3. Internal Control Audit in Bank.

    4. Agri Financing & Recovery.

    5. Credit Risk Grading.

    6. Compliance of Bangladesh Bank Inspection.

    7. Compliance of Commercial Audit objections.

    8. Any other relevant issues.

    4.10.3 Abroad Training:

    To keep pace with the changes taking place all around the globe and ever developing technology, Executives and Officers should be sent abroad to attend various training courses, workshops, seminars, conferences and symposia to acquire updated knowledge of modern banking.

    4.11 Job Rotation:

    a) Job Rotation within ICC:

    Every auditor is to audit year to year until transferred from the Audit and Inspection Division to other divisions or branches. But if any auditor's auditing continues in the same branch or division for three times or more, he may apply force or be biased by financial interest. Moreover, if the same person's or auditor's auditing continues in a branch or division, he may be subject to familiarity threat, financial threat or review threat. He will not be able to audit independently or fairly. The head of Audit and Inspection Division will observe the circumstances before formation of the audit team. He must set an audit team by rotation.

    The head of the ICC will effect rotation of every employee among the three divisions (Audit and Inspection Division, Audit Monitoring and Controlling Division and Audit Compliance Division). The head of Audit and Inspection Division will observe the circumstances before formation of the audit team. He must set an audit team by rotation.

    b) Job Rotation within the Bank:

    By executing the rotation of jobs in a branch or office or division, the manager/head of the office will be able to check fraud and forgeries, maintain expertise development and increase accountability of the organization, so that the daily assignment can be done properly.

    The auditors will observe the job rotation in every branch or office or division during the period of audit. If the branch manager/Zonal head needs his branch audited on a special issue, he/she will call upon the Head of ICC to conduct a special audit.

    4.12 Mandatory leave:

    Criteria:

    01) Mandatory leave will be sanctioned by the management at any time as required; no time bound will be applicable in this case.

    02) This leave cannot be claimed.

    03) Leave sanction can only be changed by the management, employee cannot claim for alteration.

    04) There will be no monetary sanction like 01 (One) month basic salary.

    4.13 Recreational Leave

    Criteria:

    01) Employees are entitled to enjoy 15 (fifteen) days of recreational leave after every 03 (three) years.

    02) There will be monetary sanction like 01 (One) month basic salary.

    03) It requires the approval of the management and provision of proper replacement.

    04) It can be claimed and changed.

    Chapter-Five

    General Matter of Audit

    5.0. Definition of Audit

    Audit includes an examination of the books of accounts and other documents relating to the receipts and expenditure of the government, statutory public authorities and public enterprises with a view to ensuring that rules and orders framed by the competent authority in regard to financial matters have been followed, that sums due have been properly assessed, realized and brought to account, that assets have been properly utilized and safeguarded and that the accounts truly represent facts.

    5.1. Objectives/Purpose of Audit:

    The broad aim of Agrani Bank Limited audit is to safeguard the interest of the State and to promote transparency and accountability, along with sound economic and financial management practices. Towards that broad aim, the auditors' objectives are to give an independent assessment of:

    i) Whether the statements of accounts show a true and fair view of the financial position of the audited body and its income and expenditure for the year in question and have been properly prepared in accordance with appropriate rules and regulations;

    ii) The adequacy of the audited body's arrangements to secure economy, efficiency and effectiveness in the use of resources;

    iii) The adequacy of the audited body's financial management systems;

    iv) The adequacy of the audited body's arrangements for preventing and detecting fraud, corruption and the internal control framework generally;

    v) The adequacy of the audited body's arrangements for ensuring the legality of transactions that might have a financial consequence;

    vi) The adequacy of the audited body's arrangements for collecting, collating and recording accounting data and publishing financial statements and reports pursuant to appropriate rules and regulations.

    vii)

    5.2. Auditors Right:

    The auditor should have the following rights:

    - The right to access at all times to the bank's books of account, documents and vouchers.

    - The right to require from the officers of the bank such information and explanation as the auditor considers necessary for the performance of his duties.

    - Inquire into particular issues regarding loans and advances, transactions represented merely as book entries, sale of securities, treatment of personal expenses and share allotment.

    - Recording to the members;

    - Visiting branches and access to the branch accounts;

    - Signing the audit report;

    - The right to attend any general meeting of the company and to receive all notices relating to general meetings.

    - The right to be heard at any general meeting on any matter which concerns him in his capacity as auditor.

    - Receiving the remuneration and allowances.

    - For posting of ICC staff, consent should be taken from the Head of ICC.

    5.3 Responsibilities of the Auditors:

    Responsibilities of internal auditors are as below:

    - Evaluates and provides reasonable assurance that risk management, control and governance systems are functioning as intended and will enable the organization's objectives and goals to be met;

    - Reports risk management issues and internal control deficiencies identified directly to the audit committee and provides recommendations for improving the organization's operations, in terms of both efficient and effective performance;

    - Evaluates information security and associated risk exposures;

    - Evaluates regulatory compliance;

    - Evaluates the organization's readiness in case of business interruption;

    - Maintains open communication with management and the audit committee;

    - Provides support to the bank's anti-fraud programs.

    - Preparation of Branch Audit Rating (using specific format), where rating of the branch will be Excellent, Very Good, Good, Satisfactory or Poor according to the score obtained by the branch.

    5.4 Auditors' Punishment

    During the audit period, if the present audit team finds any lapses or irregularities which were not detected or identified by the previous auditor, that will be reported to the Head of ICC, and senior management will take punitive action against the concerned auditor(s).

    5.5 Basic principles to be followed by the auditors:

    The auditor should comply with the Code of Ethics regarding professionalism. Ethical principles governing the professional responsibilities are:

    - Independence;

    - Integrity: Honesty, Truthfulness, Straightforwardness, Reliability;

    - Objectivity: Impartiality, Independence, Neutrality;

    - Confidentiality;

    - Professional Competence and Due Care;

    - Professional Behavior and Technical Standards.

    5.6 Types of Audit:

    1. Internal Audit

    2. External Audit

    i) Chartered Accountancy Firms Audit

    ii) Government Commercial Audit

    iii) Bangladesh Bank Inspection

    iv) Functional Audit

    5.7 Internal Audit

    5.7.1 Definition of Internal Audit:

    Internal control is the process, effected by a company's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the effectiveness and efficiency of operations, the reliability of financial reporting and compliance with applicable laws, regulations, and internal policies.

    5.7.2 Principles of Internal Audit

    A. Supervisory expectations relevant to the internal audit function

    Principle 1:

    An effective internal audit function provides independent assurance to the board of directors and senior management on the quality and effectiveness of a bank's internal control, risk management and governance systems and processes, thereby helping the board and senior management to protect their organization and its reputation.

    Principle 2:

    The Bank's internal audit function must be independent of the audited activities, which requires the internal audit function to have sufficient standing and authority within the bank, thereby enabling internal auditors to carry out their assignments with objectivity.

    Principle 3:

    Professional competence, including the knowledge and experience of each internal auditor and of internal auditors collectively, is essential to the effectiveness of the bank's internal audit function.

    Principle 4:

    Internal auditors must act with integrity and diligence.


    Principle 5:

    The bank should have an internal audit charter that articulates the purpose, standing and authority of the internal audit function within the bank in a manner that promotes an effective internal audit function as described in Principle 1.

    Principle 6:

    Every activity (including outsourced activities) and every entity of the bank should fall within the overall scope of the internal audit function.

    Principle 7:

    The scope of the internal audit function's activities should ensure adequate coverage of matters of regulatory interest within the audit plan.

    Principle 8:

    The bank should have a permanent internal audit function, which should be structured consistent with Principle 14 when the bank is within a banking group or holding company.

    Principle 9:

    The Bank's board of directors has the ultimate responsibility for ensuring that senior management establishes and maintains an adequate, effective and efficient internal control system and, accordingly, the board should support the internal audit function in discharging its duties effectively.

    Principle 10:

    The Audit committee, or its equivalent, should oversee the bank's internal audit function.

    Principle 11:

    The head of the internal audit department should be responsible for ensuring that the department complies with sound internal auditing standards and with a relevant code of ethics.

    Principle 12:

    The internal audit function should be accountable to the board, or its audit committee, on all matters related to the performance of its mandate as described in the internal audit charter.

    Principle 13:

    The internal audit function should independently assess the effectiveness and efficiency of the internal control, risk management and governance systems and processes created by the business units and support functions and provide assurance on these systems and processes.

    Principle 14:

    To facilitate a consistent approach to internal audit across the banks within a banking organization, the boards of directors of each bank within a banking group or holding company structure should ensure that either:

    i) The bank has its own internal audit function, which should be accountable to the bank's board and should report to the banking group or holding company's head of internal audit; or

    ii) The banking group or holding company's internal audit function performs internal audit activities of sufficient scope at the bank to enable the board to satisfy its fiduciary and legal responsibilities.

    Principle 15:

    Regardless of whether internal audit activities are outsourced, the board of directors remains ultimately responsible for the internal audit function.

    A. The relationship of the supervisory authority with the internal audit function

    Principle 16:

    Supervisors should have regular communication with the bank's internal auditors to:

    i) Discuss the risk areas identified by both parties,

    ii) Understand the risk mitigation measures taken by the bank, and

    iii) Monitor the bank's response to weaknesses identified.


    B. Supervisory assessment of the internal audit function

    Principle 17:

    Bank supervisors should regularly assess whether the internal audit function has sufficient standing and authority within the bank and operates according to sound principles.

    Principle 18:

    Supervisors should formally report all weaknesses they identify in the internal audit function to the board of directors and recommend remedial actions.

    Principle 19:

    The supervisory authority should consider the impact of its assessment of the internal audit function on its evaluation of the bank's risk profile and its own supervisory work.

    Principle 20:

    The supervisory authority should be prepared to take informal or formal supervisory actions requiring the board and senior management to remedy any identified deficiencies related to the internal audit function within a specified time frame and to provide the supervisor with periodic written progress reports.

    5.7.3 Reporting:

    The Head of Audit reports directly to the Audit Committee of the Board. Different divisions of the bank have existing MIS; on the basis of MIS reports, management takes its decisions for smooth operation of the bank. The reporting structure for ICC depends upon the size and complexity of the business.

    The Audit Division will prepare a report on individual inspection/audit programs within 15 days (except for items that need to be escalated immediately) and submit the same to the branch/business unit for rectification with a copy to line management.

    For low and medium risk items, findings will be reported to the MD/CEO.

    For high-risk items, findings will be reported to the MD/CEO and the Audit Committee of the Board.

    ICC will prepare an annual report on the health of the Bank to be submitted to the Board of Directors under supervision of ACB for onward submission to Bangladesh Bank.

    At the end of the year there should be a summary report on the audit findings and corrective actions taken, which should be forwarded to the Audit Committee of the Board and the Managing Director simultaneously.

    5.7.4 Importance of internal audit:

    To be effective, the Internal Audit should provide three types of services (PPC), viz. Preventive, Protective and Curative.

    In its preventive role, it forewarns the management of an adverse situation in advance;

    In its protective role, it protects the management by bringing the deficiencies to its notice in advance, before the external auditors point them out; and

    As a curative function, it suggests remedial measures, thereby acting as a catalyst for change and action.

    5.8 External audit:

    Role of External Auditors in evaluating internal control system:

    a) External auditors, by dint of their independence from the management of the bank, can provide unbiased recommendations on the strengths and weaknesses of the internal control system of the bank.

    b) They can examine the records and transactions of the bank and evaluate its accounting policy and the methods of financial estimation made by the bank; this will allow the board and the management to have an independent overview of the overall control system of the bank.

    5.8.1 Types of External audit:

    1. Chartered Accountancy Firms Audit:

    When more than one Chartered Accountancy firm is appointed by Ministry of Finance (Finance Division) Banking Wing from the enlisted/qualified list of Bangladesh Bank for a maximum period of three (03) years to conduct the audit, it is called statutory/external audit.

    2. Commercial audit:

    Government Commercial Audit is another external audit, which is conducted by government auditors through the CAG Office.


    5.9 Concurrent audit in Agrani Bank Limited:

    The role of concurrent audit has become very crucial and important for the bank in discharging duties properly and efficiently, particularly for timely detection of irregularities and lapses, which helps in minimization of irregularities as well as prevention of frauds.

    In ABL, auditors of ICC will be deputed in Central Accounts Division, Principal Branch and 9 (Nine) big corporate branches for performing concurrent audit.

    One auditor having an accounting background at the rank of Assistant General Manager with another two auditors will be deputed in Central Accounts Division, one Assistant General Manager with two experienced auditors in Principal Branch and one Assistant General Manager with two experienced auditors in each big Corporate Branch, as follows:

    Principal Branch: 1 AGM, 2 Auditors

    Big Corporate Branch: 1 AGM, 2 Auditors

    Central Accounts Division: 1 AGM, 2 Auditors

    5.10 TOR of Concurrent audit:

    Concurrent Auditors will constantly check and verify errors, fraud, forgery and inefficiencies in the different daily transactions & activities, i.e. vouchers, documents and approvals, and whether they ensure compliance with the set rules and regulations, policies and procedures issued by both the bank and the regulators.

    The following steps are to be followed for auditing of:

    >Every Expenditure related financial transactions.

    >Pre sanction activities

    - Loan applied in prescribed form is duly filled up having sufficient information.

    - Loan appraisal is proper.

    - Legal opinion is favorable.

    - Value of collateral is sufficient.

    - Other relevant papers are collected.

    >Documentation

    - Charge documents are obtained as per sanction advice.

    - Mortgage is proper.

    >In case of installment basis loan

    - Utilization of every installment is duly performed.

    >Voucher Checking

    - Daily Vouchers are checked by respective/assigned officer(s) with computer generated print.

    >General banking activities.

    >Foreign Exchange / Foreign Trade activities:

    - Requisite papers are obtained for L/Cs.

    - L/C Documents are tallied with SWIFT message.

    - Funded and Non-funded loan activities.

    - L/C approval process.

    >The concurrent auditors will act as the back office of the respective Branch/Division.

    5.11 Reporting of Concurrent Auditors

    Concurrent auditors will report to the branch manager/CFO/Head of the division and the Head of ICC on a monthly basis. In case of major lapses, auditors will immediately report to the reporting authorities.

    5.12 Lapses

    Lapses arise out of any kind of irregularities, misstatements or non-compliance with the existing policies & procedures of the bank or the law of the land, by which the bank may incur financial losses. Moreover, sometimes non-compliance with existing policies & procedures may not cause any financial loss with immediate effect but can result in erosion of reputation. At the same time, any malpractice in banking or misuse of office and its funds is defined as a lapse.

    5.12.1 Types of Lapses:

    Generally in Agrani Bank Limited the Auditors are instructed to classify the irregularities (Annexure-E) in three groups, such as:

    Minor Irregularities (MI);

    Major Lapses (ML);

    Serious Lapses (SL).


    5.12.1.1 Minor Irregularities (MI):

    Minor irregularities are ordinary lapses. They do not involve any major potential risk or loss for the bank. MI occur due to ordinary carelessness of an employee. Auditors should try to rectify these irregularities as far as possible on the spot and follow up with the branch Manager till final rectification.

    5.12.1.2 Major Lapses (ML):

    Major Lapses are those lapses or irregularities which occurred intentionally or unintentionally by violating the rules, regulations and laws set out by the regulatory authority, for which the bank faces potential financial risk at present or in the immediate future. These lapses require quick action to safeguard the bank's interest.

    5.12.1.3 Serious Lapses (SL):

    Serious Lapses are those types of lapses which have already occurred and for which the bank has been suffering or is about to suffer financial loss.

    The following transactions are included in SL:

    Fraud and forgery occurring in any transaction;

    Any kind of irregularities which indicate chances of loss or chances of manifold potential loss in the near future;

    Any irregularities or lapses which require instant/immediate administrative action by the higher authorities.

    5.13 Punishment:

    Punishment is an action to be taken by the management of the bank for lapses/offences committed by employees of Agrani Bank Limited. Punishable offences are activities for which higher management considers taking administrative action. The auditor should detect the level or quantum of lapses/offences and report to higher management.

    5.14 Reward / Incentive for Auditors:

    Auditors will be rewarded for performing extraordinary work during the audit period, such as identifying any frauds or forgeries, that reduces huge financial losses of the bank. In those cases auditors will be eligible to get a reward/incentive from the bank. Both auditors and the bank will be financially benefited if this kind of reward/incentive system is introduced.

    5.15 System Audit Software:

    The banking sector is today's challenging service sector. The present age is the age of automation. The banking world is now totally IT oriented. To cope with the international standard, Agrani Bank Limited has run the Real Time Online software T-24. Online software is quicker and ensures fair transaction. This also increases risks day by day. So, the bank needs system audit software.

    5.16 Wrap-up Meeting of Audit & Inspection

    During audit some irregularities are to be rectified on the spot. The Audit team must give emphasis on rectification of errors or omissions on the report. In light of that, on the closing day of the audit there must be a meeting with the head of the Branch/Office. In this meeting a general discussion will be held on the objections raised by the auditors during the audit period. If the branch office can satisfy the auditor, then on the basis of consensus the objections may be settled, while the unsettled objections are brought into the Audit report. Audit objections raised are also disclosed in the wrap-up meeting to the Branch Management.


    Chapter-Six

    IT Audit

    6.1 Definition of IT Audit

    An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement.

    IT audits are also known as "automated data processing (ADP) audits" and "computer audits". They were formerly called "electronic data processing (EDP) audits".

    6.2 Purpose/Objectives of IT Audit

    The primary functions of an IT audit are to evaluate the systems that are in place to guard an organization's information. Specifically, information technology audits are used to evaluate the organization's ability to protect its information assets and to properly dispense information to authorized parties. The IT audit aims to evaluate the following:

    Will the organization's computer systems be available for the business at all times when required? (known as availability)

    Will the information in the systems be disclosed only to authorized users? (known as security and confidentiality)

    Will the information provided by the system always be accurate, reliable, and timely? (measures the integrity)

    In this way, the audit hopes to assess the risk to the company's valuable asset (its information) and establish methods of minimizing those risks.

    6.3 Types of IT Audits

    Others describe the spectrum of IT audits with five categories of audits:

    a) Systems and Applications

    b) Information Processing Facilities

    c) Systems Development

    d) Management of IT and

    e) Enterprise Architecture: Client/Server, Telecommunications, Intranets, and Extranets

    And some lump all IT audits as being one of only two types: "general control review" audits or "application control review" audits.



    Chapter- Seven

    Miscellaneous

    7.1 Inspection Concluding Meeting (Account Finalization) - Finalization Of Quick Summary Report/Annual Accounts

    In line with section 38 of BCA-1991 (revised up to 2013), banks have to finalize their annual account statements.

    In compliance with the governor's order dated 29/07/2012, the BB inspection team has to finalize its observations that are required to be reflected in the concurrent financial statements of the bank. To impel the external auditor to reflect the issue(s) in the same vein as the inspection observations, there should be a meeting between the external auditor and the management of the bank in the presence of the BB inspection team.

    7.2 Special Board Meeting On Compliance Of Annual Inspection Report Of Bangladesh Bank

    To bring the BB inspection observations and compliance thereof to the knowledge of the Board of Directors, banks were advised to arrange a board meeting in the presence of BB inspection officials and management of the bank as per the instruction contained in DBI-2 circular no-01 dated 12/03/2009. In such a meeting the external auditor should remain present.

    7.3 Liaison Meeting

    To ensure the regular compliance, BB inspection departments may ask to participate and explain their position on the

    relevant issues such as timely compliance and material changes in operational and portfolio