In line with the objectives and commitments enshrined in the mid-term Monetary Policy Statement regarding the issuance of certain guidelines to the Banking Sector and the public at large, I hereby issue two guidelines as follows:

1. Bank Licensing, Supervision and Surveillance - Corporate Governance

2. Bank Licensing, Supervision and Surveillance - Minimum Internal Audit Standards in Banking Institutions

Dr. C.L. Dhliwayo
Deputy Governor - Bank Licensing, Supervision & Surveillance, Exchange Control & Anti-Money Laundering

BANK LICENSING, SUPERVISION AND SURVEILLANCE

CORPORATE GOVERNANCE

Guideline No. 01-2004/BSD

PREFACE

1 INTRODUCTION

2 SOUND CORPORATE GOVERNANCE

3 IMPLEMENTATION OF THE GUIDELINE

4 EFFECTIVE DATE

Preface

1. Short title

Corporate Governance

2. Authorisation

The Guideline is issued under the authority of section 45 of the Banking Act [Chapter 24:20].

3. Application

This Guideline applies to all banking and non banking institutions. Wherever the term "bank(s)" or "banking institution(s)" is used in the guideline, it shall also be read to include non-bank financial institutions that are licensed and supervised by the Reserve Bank including Bank Holding Companies.

The Guideline covers a variety of governance related issues. However should there be additional areas arising out of the particular circumstances of the bank that merit coverage, the board will be responsible for ensuring that relevant governance systems and practices are implemented.

4. Definitions

The following terms used in this Guideline shall be taken to have the meaning assigned to them hereunder.

'Compliance Function' means an independent function that identifies, assesses, advises on, monitors and reports on the institution's compliance risk, that is, the risk of legal or regulatory sanctions, financial loss, or loss to reputation an institution may suffer as a result of its failure to comply with all applicable laws, regulations, codes of conduct and standards of good practice.

'Independent Non-Executive Director' means a non-executive director who is not a shareholder or a representative of a shareholder, has not been employed by the banking institution and or bank holding company in any executive capacity for the preceding three financial years, and has no significant contractual relationship with, or interest in, the banking institution and or bank holding company.

'Non-Executive Director' means an individual not involved in the day-to-day management and not a full time salaried employee of a banking institution or of its subsidiaries. An individual in the full time employment of the bank holding company or its subsidiaries, other than the institution concerned, would also be considered to be a non-executive director of the institution concerned, unless such individual, by his conduct or executive authority, could be construed to be directing the day to day management of the institution and its subsidiaries.

'Related Interest' in relation to an individual includes any company, co-operative, private business corporation, syndicate or association of persons in which the individual has a significant interest, or is the largest single shareholder, including any person who has entered into an agreement or arrangement with the first mentioned person, relating to the acquisition, holding or disposal of, or the exercising of voting rights in respect of shares in the banking institution in question.

'Related Interest', in relation to a company, includes any (i) subsidiary or holding company and any other company of which that holding company is a subsidiary, (ii) associate of the company.

Wherever the word "he" appears it shall be taken to include she and vice versa.

1 INTRODUCTION

1.1 Public confidence is the cornerstone of a stable banking system. As the custodian of public funds, the management of a banking institution must exhibit impeccable integrity and professionalism in their conduct so as to engender public confidence in the safety of their deposits. With the broadening and deepening of the country's financial infrastructure, the need for an effective board of directors to assume full responsibility for the overall management of each and every banking institution is more crucial now than ever before.

1.2 Because of a bank's special position of trust in the national economy, corporate governance is a matter of paramount importance. Banks are highly leveraged institutions, with most of their funds coming from depositors and creditors. They provide basic financial services to the public, financing to commercial enterprises, and access to the payments system. Increasing globalisation of financial markets, emergence of conglomerate structures, technological advances and innovations in financial products have added to the complexity of risk management in the banking sector. For these reasons, the quality of corporate governance expected of banking institutions is high.

1.3 Corporate governance refers to the processes and structures used to direct and manage the business and affairs of an institution with the objective of ensuring its safety and soundness and enhancing shareholder value. The process and structure define the division of power and establish mechanisms for achieving accountability between board of directors, management and shareholders, while protecting the interests of depositors and taking into account the effects on other stakeholders, such as creditors, employees, customers and the community.

1.4 From a banking and financial sector perspective, corporate governance involves the manner in which the business and affairs of individual institutions are governed by their boards of directors and senior management, affecting how banking institutions:

1.4.1 set corporate objectives (including generating economic returns to owners);

1.4.2 set risk management policies and procedures;

1.4.3 ensure that the day-to-day operations of the business are carried out efficiently and with integrity;

1.4.4 protect the interests of depositors and other recognized stakeholders;

1.4.5 align corporate activities and behaviour with the expectation that the banking institutions will operate in a safe and sound manner; and in compliance with applicable laws and regulations;

1.4.6 implement corporate values, codes of conduct and other standards of appropriate behaviour and systems used to ensure compliance with the aforementioned;

1.4.7 articulate corporate strategy against which the success of the overall enterprise and the contribution of individuals are measured;

1.4.8 clearly assign responsibilities and decision-making authorities, incorporating a hierarchy of required approvals from individuals to the board of directors;

1.4.9 establish mechanisms for interaction and co-operation amongst the board of directors, senior management and the auditors;

1.4.10 implement strong internal control systems, including internal and external audit functions, risk management and compliance functions and other checks and balances, independent of business lines;

1.4.11 monitor risk exposures where conflicts of interest are likely to be particularly great, including business relationships with borrowers affiliated with the banking institution, large shareholders, senior management, or key decision makers within the institution;

1.4.12 offer financial and managerial incentives in the form of compensation, promotion and recognition to senior management, business line management and employees; and

1.4.13 implement appropriate information flows internally and to the public.

1.5 The following have significant implications on corporate governance: -

1.5.1 Risk Management

Good corporate governance structures promote effective identification, measurement, monitoring and management of all material business risks. Banking institutions differ from most companies in terms of their nature and range of their business risks, and the adverse consequences that would follow if these risks are poorly managed. Banking institutions face a wide range of risks, many of them complex in nature. These risks include credit risk, market risk, compliance risk, reputational risk, settlement risk and business continuity risks. If the risks are poorly identified and managed, they expose the institutions to potential distress.

1.5.2 Regulatory Requirements

Banking institutions are required to comply with a large number of regulatory requirements including prudential requirements and various reporting obligations. There is, therefore, a need for the corporate governance framework to include systems for ensuring that all statutory and regulatory requirements are being adhered to and highlight potential or actual breaches if and when they occur.

1.5.3 High Quality Financial Disclosure

An essential complement to sound corporate governance is the implementation of robust financial disclosure requirements for corporates and banking institutions. Financial disclosure is essential as a means of strengthening the accountability of directors and senior management and enhancing the incentives for risk management. It is also essential for market participants and observers particularly the larger creditors of banks, news media, financial analysts and rating agencies to effectively monitor the performance and soundness of banking institutions and to exercise appropriate discipline on those institutions which do not perform well or fail to meet acceptable prudential standards.

1.5.4 Market Discipline

It is increasingly being recognised that market discipline can play an important role in promoting financial system stability and in encouraging the maintenance of sound corporate governance and risk management practices. Banks and corporates are more likely to be attentive to risk management in an environment where poor risk management and financial performance are penalised by the market, and strong risk management and financial performance are rewarded by the market. In the longer term, effective market discipline is likely to enhance financial stability and efficiency by strengthening the incentives for the efficient management of risks and by weeding out poor performers.

2 SOUND CORPORATE GOVERNANCE REQUIREMENTS

2.1 Authority and Duties of Shareholders

Shareholders of banking institutions shall jointly and severally protect, preserve and actively exercise the supreme authority of the institution in general meetings. They have a duty, jointly and severally, to exercise that supreme authority to:

2.1.1 Ensure that only competent and reliable persons who can add value to the banking institution are elected or appointed to the board of directors;

2.1.2 Ensure that the board of directors is constantly held accountable and responsible for the efficient and effective governance of the banking institution.

2.1.3 Change the composition of a board of directors that does not perform to expectation or in accordance with the mandate of the institution.

2.2 Leadership of the Banking Institution

2.2.1 The board of directors shall exercise leadership, enterprise, integrity and shrewd judgment in directing the banking institution so as to achieve continuing viability for the banking institution and shall always act in the best interest of the institution.

2.2.2 There shall be a clearly accepted division of responsibilities at the head of the banking institution, which will ensure a balance of power and authority such that no one individual has unfettered powers of decision. In terms of section 18(3) of the Banking Act [Chapter 24:20], the chairman of the board of a banking institution shall not be an officer of the institution. Preferably, the chairperson should be an independent non-executive director. The board of directors of the banking subsidiary and its bank holding company shall be distinctly separate, with separate chairpersons.

2.3 Separation of Owners and Managers

2.3.1 No shareholder with a ten per centum (10%) or more shareholding in a banking institution or bank holding company shall form part of management of the banking institution or bank holding company.

2.3.2 No shareholder with a ten per centum (10%) or more shareholding in a banking institution shall be appointed as Chairperson or Deputy Chairperson of the board of directors of a banking institution or bank holding company.

2.3.3 No individual shareholder who had a significant shareholding in a failed institution and/or was involved in the running of a failed institution shall be allowed to acquire a significant shareholding or to hold a position of accountability in any banking institution.

2.4 Role and Functions of the Board

2.4.1 An important aspect of the functions is the identification of key risk areas and key performance indicators. The board must have a Charter, which as a minimum should clearly set out:

• The adoption of strategic plans,

• Monitoring of operational performance and management,

• Determination of policy and processes to ensure effective risk management and internal control, and

• Communication policy and director selection, orientation and evaluation.

2.4.2 The board of directors of a banking institution shall comprise technically competent persons of integrity with a strong sense of professionalism, fostering and practicing the highest standards of banking and finance.

2.4.3 In this regard, it is expected that the board of directors shall fulfill the following:

2.4.3.1 Ensure that through a managed and effective process, board appointments are made that provide a mix of proficient directors, each of whom is able to add value and bring independent judgment to bear on the decision-making process; and

2.4.3.2 Determine the institution's purpose and values, determine the strategy to achieve its purpose and to implement its values in order to ensure it survives and thrives.

2.4.4 Duties and Responsibilities of the Board

The major duties and responsibilities of the board of directors of a banking institution are as follows:

2.4.4.1 To ensure that there are adequate policies in place that are aimed at improving the banking institution's profit performance and ensuring fulfillment of the banking institution's strategic plans;

2.4.4.2 To ensure that the banking institution has adequate systems to identify, measure, monitor and manage key risks facing the banking institution;

2.4.4.3 Select and appoint senior executive officers who are qualified and competent to administer the affairs of the banking institution effectively and soundly;

2.4.4.4 Establish and ensure the effective functioning of Board and Management Committees in key areas;

2.4.4.5 Set up an effective internal audit department, staffed with qualified personnel to perform internal audit functions, covering the traditional function of financial audit as well as the function of management audit;

2.4.4.6 Set up an independent Compliance Function and approve the bank's compliance policy, including a charter or other formal document. It shall be the duty of the board to ensure that the Reserve Bank is informed, should the Head of Compliance leave that position and the reasons thereof. At least once a year, the board or committee of the board shall review the bank's compliance policy and its ongoing implementation to assess the extent to which the bank is managing its compliance risk effectively.

2.4.4.7 Ensure that the banking institution has a beneficial influence on the economic well-being of its community. Directors have a continuing responsibility to the community to provide those banking services and facilities which will be conducive to well-balanced economic growth;

2.4.4.8 Supervise the affairs of the banking institution, and be regularly informed of the banking institution's condition and policies in ensuring that the banking institution is soundly managed. The directors of a banking institution are entrusted with the handling and investment of public funds. Consequently, the supervisory commitment required from them entails a higher degree of wisdom, prudence, good business judgment and competence than that of directors of other types of companies. They should commit sufficient time to be fully informed of the condition of the business, the direction they are steering the institution, and apply immediate remedial measures when the need arises. The board should meet at least once a quarter to deliberate on the performance of the banking institutions and to provide policy direction and guidance for the management. Although directors may delegate certain authority to senior officers, they are ultimately accountable for the banking institution's operations. They should retain a record of the minutes of board meetings and a record of remedial actions by directors. Minutes should accurately capture contributions of every member;

2.4.4.9 Adopt and follow sound policies and objectives which have been fully deliberated. The directors must provide clear objectives and policies within which senior executive officers are to operate. These should cover all aspects of operations, including strategic planning, credit administration and control, asset and liability management encompassing the management of liquidity risk, interest rate risk and market risk, accounting system and control, service quality, automation plan, prevention of money laundering, profit planning and budgeting, adequacy of capital, and human resource development. Clear lines and limits of authority for all levels of staff should be established. The seriousness of infringing the authority limit should be emphasised to staff at all levels;

2.4.4.10 Observe banking laws, rulings and regulations. Directors must be conversant with the relevant laws, related regulations, interpretative rulings and notices, and must exercise due diligence to see that these are not violated. This duty may involve a personal financial responsibility for losses arising out of illegal actions. Directors may be penalised for any non-compliance with the provisions of the banking legislation and be removed from office if found to have acted against the interest of depositors and the banking institution;

2.4.4.11 The duty of care requires a board member, at a minimum, to participate effectively in board and committee meetings, to communicate and work effectively with the chairman of the board and the chief executive officer;

2.4.4.12 The duty of loyalty forbids directors and officers from participating in a competing enterprise unless a majority of the disinterested board members approve. Directors and officers who have an interest in a transaction to which the banking institution is an actual potential party are required to disclose their interest to the Board. This interest can come from:

• being the other party to the contract;

• acting as representative of the other party;

• owning stock or serving as a director or officer of the other party;

• being a financier of the other party; or

• having close relatives who are any of the above.

For such a transaction to be valid, a majority of the disinterested directors must approve the transaction, upon disclosure of all the facts and circumstances surrounding the conflict of interest. If all the facts and circumstances surrounding the conflict are not disclosed, the Board or the shareholders may have the right to void the transaction and/or seek damages in court;

2.4.4.13 The Board shall have in place a code of conduct regulating disclosures of interest in relation to its members;

2.4.4.14 Avoid self-serving practices and conflicts of interest. Once their appointments take effect, directors assume a fiduciary role and must display the utmost good faith towards the banking institution in their dealings with it or on its behalf. The Companies Act [Chapter 24:03] subjects directors to disclosure requirements for outside business interests. Directors shall observe restrictions on insider lending as provided in the Banking Act and Regulations. Further, directors are required to observe the Zimbabwe Stock Exchange rules and/or other applicable laws in dealing in shares. In particular, they must avoid making any personal profit, acquiring personal benefit or retaining any commission, bonus or gifts for performing their official function of granting approval to financing arrangements or the use of particular services.

2.5 Board Composition

2.5.1 Each banking institution shall have a minimum of five directors. The board shall maintain a majority of non-executive directors such that no individual or group of individuals or interests can dominate its decision making.

2.5.2 In this regard, each banking institution must ensure that it appoints executive directors who constitute not more than two-fifths of the total membership of the board, in terms of Section 18 (2) of the Banking Act [Chapter 24:20]. Independent directors must be in the majority of the remaining three-fifths in such composition of the board. This is to ensure that the non-executive directors, who should form the majority, would render the necessary independence to the board from the executive arm of the banking institution, and help mitigate any possible conflict of interest between the policy-making process and the day-to-day management of the banking institution.

2.5.3 In an increasingly complex banking environment, the presence of suitably qualified independent directors can contribute effectively towards achieving the main tasks of the board. Further, independent directors should provide the necessary checks and balances on the board of the banking institution so as to ensure that the interests of minority shareholders and general public are given due consideration in the decision-making process. Independent directors should not be brought in as a mere formality as this would be tantamount to deceiving the minority shareholders and the public.

2.6 Appointment of Directors and Bank Executives

2.6.1 Legal Requirements

2.6.1.1 The appointment of a chief executive officer or chief accounting officer of a banking institution requires the prior written consent of the Reserve Bank as stated under section 20 of the Banking Act. Failure to obtain the prior written consent of the Reserve Bank constitutes an offence under the Act. In processing the applications for appointment of directors and chief executive of a banking institution, rigorous vetting is conducted to ensure that the proposed chief executive officer or chief accounting officer is a fit and proper person.

2.6.1.2 Section 19 of the Banking Act disqualifies a person from being appointed or elected as director if he has been adjudged or otherwise declared insolvent or bankrupt and has not been rehabilitated or discharged, has made assignment to, or arrangement or composition with his creditors, or has been convicted of theft, fraud, forgery, uttering a forged document or perjury or any other offence, by whatever name called, or has been convicted of any offence and sentenced to a term of imprisonment exceeding six months without an option of a fine, and has not received a free pardon.

2.6.2 Roles of Senior Management

Chief Executive

2.6.2.1 The sound operation of a banking institution depends critically on its chief executive. The chief executive officer must be suitably qualified with appropriate experience and possess a proven track record in the banking industry at senior management level. He must be a person of high calibre and impeccable integrity. The Reserve Bank will consider a candidate ineligible for the position of chief executive officer if he has been suspended for any reason while performing his duties in his previous employment or if he has been subject to investigation and compulsorily removed from his position by the Reserve Bank for doubtful transactions or misconduct during his career.

2.6.2.2 The Reserve Bank holds the chief executive officer directly responsible for the day-to-day operations of a banking institution. He must be conversant with the operations of the banking institution, the state of internal controls, requirements of statutes, directions, guidelines, regulations, as well as current issues and policies affecting the industry in general. He must also have the necessary knowledge and professional competence in the conduct of banking business.

2.6.2.3 Given the strategic operational role of the chief executive officer, this function shall be separate from that of the chairperson.

2.6.2.4 A banking institution is required to inform the Reserve Bank of the person who will be directly responsible for the overall running of the institution when the chief executive officer is unavailable, on leave or otherwise absent. The person so nominated should be fully acquainted with the affairs of the banking institution, and should be able to act promptly, with authority, on matters affecting the banking institution. The delegation of responsibilities to several persons, with no single person as the coordinator within the institution, should be avoided.

Chief Financial Officer

2.6.2.5 He is responsible for managing the accounting and financial activities of the company. He supervises the accounting department of the banking institution and is responsible for the receipt and disbursement of all funds, preparation of the financial portion of any business plans or periodic reports, preparation and filing of tax returns, administration of contracts and control of inventory. The Chief Financial Officer, along with the Chief Executive Officer, is generally regarded as an officer materially liable for the banking institution's operations.

Company Secretary

2.6.2.6 The company secretary, through the board, has a pivotal role to play in the corporate governance of a company. The company secretary should be an executive officer.

2.6.2.7 The board should be cognisant of the statutory duties imposed upon the company secretary and should empower the company secretary accordingly to enable him to fulfill those duties.

2.6.2.8

2.6.2.9

2.6.2.10

2.6.2.11

2.7 Bank Holding Companies

2.8 Practising Lawyers andAccountants

2.8.1

2.8.2

In addition to extensive statutory duties,

the company secretary shall provide the

board as a whole and directors

individually with detailed guidance as to

how their responsibilities should be

properly discharged in the best interest of

the company.

The company secretary shall be

responsible for the induction and

continuing training of directors, and for

assisting the chairperson and the chief

executive officer in determining the

annual board plan and the administration

of other issues of a strategic nature at the

board level. Copies of the induction and

continuing training programme shall be

made available to the Reserve Bank on

request by the inspectors.

The company secretary shall provide a

central source of guidance and advice to

the board, and within the company on

matters of ethics and good governance.

The company secretary shall be

subjected to a fit and proper test in the

same manner as is recommended for new

director appointments.

The Reserve Bank also applies the fit and

proper test to the directors and the chief

executive of the bank holding company.

Their appointments shall be subject to

prior written approval of the Reserve

Bank. The boards of directors of the bank

holding company and the banking

institution shall be separate. The

chairperson of the bank holding company

shall not be the chairperson of the

banking institution.

To enable banking institutions to tap the

expertise of lawyers and accountants,

practising lawyers and accountants may

be appointed as directors of a banking

institution provided that they are not

employed by or are not partners in an

accounting firm which is engaged to

conduct audit of or consultancy work for

the particular banking institution.

Practising lawyers and accountants who

are appointed as directors of banking

institutions are expected to exercise the

highest degree of integrity and

professionalism. They must always be

mindful of the need to avoid being

involved or to appear to be involved in

any self-serving practices and conflict of

interest situations in the conduct of their

profession while serving as directors of a

banking institution.

Directors of banking institutions are

discouraged from appointing alternate

directors as they should be committed

personally to the board in directing the

management of the institutions. An

alternate director, in his capacity as a

proxy for a director, may not be able to

contribute effectively to the deliberations

of the board. However, for practical

reasons, directors who are not residents

of Zimbabwe may appoint alternates.

2.9 Alternate Directors

2.10 Directorship in other Corporations

2.10.1 Interlocking directorships in the banking industry are prohibited. The Reserve Bank will only allow common directorships for banking institutions which are related corporations. This is in line with the need to avoid conflict of interest situations in the management of two or more banking institutions. Consistent with this policy, a person with more than 5% interest in the paid-up capital of a banking institution in his personal capacity (directly or indirectly) is also not allowed to be appointed to the board of another banking institution or banking group. In line with section 19(1)(b) of the Banking Act [Chapter 24:20], no person shall be appointed, or hold office, as a director of a banking institution if he is a director of another banking institution which carries on business in Zimbabwe in competition with the other banking institution.

2.10.2 The chief executive officer or executive director of a banking institution shall not hold any executive position in another corporation. However, for companies within the same group, and family-owned companies of the chief executive or executive director, exemption may be granted on a case-by-case basis. This is consistent with the Reserve Bank's requirement for a chief executive officer and executive director to devote his attention and commitment principally to the day-to-day operations of a banking institution. However, he may serve on the boards of other corporations in a non-executive capacity, subject to the limit specified in paragraph 2.11.2 below.

2.11 Maximum Number of Directorships

2.11.1 The director of a banking institution has a moral and professional obligation to devote his/her attention and commitment principally to the operations of the banking institution. Hence, section 19(1) of the Banking Act provides that "No person shall be appointed, or hold office, as a director of a banking institution if (a) he is a director of more than seven other companies registered in Zimbabwe".

2.11.2 However, it is recognised that a director of a banking institution is normally also required to sit on the boards of the banking institution's subsidiaries. Furthermore, he may sit on the boards of his family-owned companies, and be invited to sit on the boards of various organisations within the banking industry, non-profit social organisations or Government-controlled corporations. Hence, for purposes of computing the maximum number of directorships, the following shall apply:-

i. Directorships in other companies within the same banking group and directorship in companies to represent the equity interest of the banking institution concerned, should be aggregated and counted as one directorship; and

ii. Directorships or Council position in the following organisations are excluded from the computation of the limit:-

• Organisations within the banking industry, such as Bankers Association, Zimbabwe Stock Exchange, to whom an individual is nominated by the respective associations of the banking institutions;

• Professional bodies and non-profit social organisations.

2.12 Board Attendance

Every member of the board shall attend at least 75% of the board meetings of a banking institution. This is to ensure that he will discharge his duties and responsibilities effectively. At its Annual General Meeting, each banking institution is required to review the suitability of a non-executive director who has failed to comply with this 75% attendance rule, without valid reason. Attendances shall be disclosed in the annual report.

2.13 Disqualification of Directors

Banking institutions must follow good corporate governance principles, which provide for the disqualification of a director or senior manager who:

(i) has been involved in the directorship or management of a failed banking institution and/or bank holding company, unless that person shows to the satisfaction of the Reserve Bank of Zimbabwe that the person was not responsible for the insolvency, liquidation, composition with creditors, bankruptcy or other arrangement with creditors or other action with similar effect in Zimbabwe or elsewhere.

(ii) was a director of an institution that has been liquidated or is under liquidation or management of the Reserve Bank, or

(iii) has taken part in or been associated with any other business practices as would, or has otherwise conducted himself in such manner as to cause doubt on his competence, integrity and soundness of judgment, or

(iv) if he is under suspension or has been removed from office, or

(v) if he has been a director, chief executive officer, chief financial officer or manager of an institution that has been adjudged insolvent, entered into a composition with its creditors, gone into liquidation, declared bankrupt or has entered into any other arrangement with creditors or taken any other action with similar effect in Zimbabwe or elsewhere unless that person shows to the satisfaction of the Reserve Bank of Zimbabwe that the person was not responsible for the insolvency, liquidation, composition with creditors, bankruptcy or other arrangement with creditors or other reaction with similar effect in Zimbabwe or elsewhere.

2.14 Board Committees

(a) Board committees assist the board and its directors in discharging their duties and responsibilities, however the board remains accountable.

(b) There should be a formal procedure for certain functions of the board to be delegated, describing the extent of such delegation, to enable the board to properly discharge its duties and responsibilities and to effectively execute its decision making process.

(c) Board committees with formally determined terms of reference, life span, role and function constitute an important element of the process and should be established with clearly agreed upon reporting procedures and written scope of authority.

(d) As a general principle there should be transparency and full disclosure from the board committee to the board, except where the committee has been mandated otherwise by the board.

(e) Non-executive directors must play an important role in board committees.

(f) All board committees shall be chaired by an independent non-executive director. The exception should be a board committee fulfilling an executive function.

(g) Board committees should be free to take independent outside professional advice as and when necessary.

2.14.1 Structure and Duties of the Audit Committee

2.14.1.1 The board is required to establish an Audit Committee to review the financial condition of the banking institution, its internal controls, performance and findings of the internal auditors, and to recommend appropriate remedial action regularly, preferably at least once in three months. The Audit Committee should consist of not less than three members, all of whom should be independent non-executive directors of the banking institution. The members should be conversant with financial and accounting matters.

2.14.1.2 The Audit Committee members should elect a Chairman among them who is an independent non-executive director. The Chairman should not be the chairperson of the Board. The Board chairperson shall not be a member of the Audit Committee at all, but could be invited to attend meetings as necessary by the chairperson of that committee. The Chief Executive Officer should not be a member of the Audit Committee, but may attend by invitation. Membership of the Audit Committee should be disclosed in the annual report. Alternate directors are not allowed to be appointed as members of the Audit Committee.

2.14.1.3 The primary responsibilities of the Audit Committee shall include the following:-

(a) Ensure that the accounts are prepared in a timely and accurate manner and ensure the prompt publication of annual accounts;

(b) Review internal controls, including the scope of the internal audit programme, the internal audit findings, and recommend action to be taken by management;

(c) Review with the external auditors, the scope of their audit plan, system of internal audit reports, assistance given by management and its staff to the auditors and any findings and actions to be taken;

(d) The Audit Committee should also select external auditors for appointment by the board each year; and

(e) Review any related party transactions that may arise within the banking institution.

(f) The external and internal auditors of a banking institution should have free access to the Audit Committee. The auditors should be allowed to attend and be heard at any meeting of the Audit Committee. Upon the request of the auditors, the Chairman of the Audit Committee should convene a meeting to consider any matter that auditors believe should be brought to the attention of directors or shareholders.

2.14.2 Board Credit Committee

The primary responsibilities of the Board Credit Committee shall be to:-

(a) Review and oversee the overall lending policy of the banking institution;

(b) Deliberate and consider loan applications beyond the discretionary limits of the Risk Management committee;

(c) Review lendings by the Credit Risk Management Committee;

(d) Direct the formulation of, review and monitor the credit principles and policies of the banking institution;

(e) Ensure that there are effective procedures and resources to identify and manage irregular problem credits, minimise credit loss and maximise recoveries;

(f) Direct, monitor, review and consider all issues that may materially impact on the present and future quality of the banking institution's credit risk management; and

(g) Delegate and review lending limits to the sanctioning arms of the banking institution.

2.14.3 Loans Review Committee

The primary responsibilities of the Loans Review Committee shall be as follows: -

(a) To assist the board with discharging its responsibility to review the quality of the banking institution's loan portfolio,

(b) To review the quality of its loan portfolio with the view to achieving the objectives spelt out in paragraph 20, Part IV of Third Schedule of the Banking Regulations (Statutory Instrument 205 of 2000),

(c) The committee shall conduct loan reviews independent of any person or committee responsible for sanctioning credit.

(d) The responsibility of the board loans review committee falls into the following main areas, namely:

(i) To ensure the conformity of the loan portfolio and lending function to a sound lending policy which is documented, approved and adopted by the board;

(ii) To ensure that the credit policy and risk lending limits are reviewed at least on an annual basis and as and when the environment so dictates; and

(iii) To ensure that the Bank's potential and specific bad debts are adequately provided for.

2.14.4 Asset and Liability Committee (ALCO)

2.14.4.1 ALCO shall derive the most appropriate strategy for the banking institution in terms of the mix of assets and liabilities given its expectations of the future and the potential consequences of interest-rate movements, liquidity constraints, and foreign exchange exposure and capital adequacy.

2.14.4.2 The committee shall ensure that all strategies conform to the banking institution's risk appetite and levels of exposure as determined by the Risk Management Committee.

2.14.5 Risk Management Committee

2.14.5.1 The responsibility to ensure quality, integrity and reliability of the banking institution's risk management shall be delegated to the Risk Management Committee. The committee shall assist the board of directors in the discharge of its duties relating to the corporate accountability and associated risks in terms of management, assurance and reporting.

2.14.5.2 The committee shall review and assess the integrity of the risk control systems and ensure that the risk policies and strategies are effectively managed.

2.14.5.3 The committee shall set out the nature, role, responsibility and authority of the risk management function within the banking institution and outline the scope of risk management work.

2.14.5.4 The committee shall monitor external developments relating to the practice of corporate accountability and the reporting of specifically associated risk, including emerging and prospective impact. The committee shall provide independent and objective oversight and review of the information presented by management on corporate accountability and specifically associated risk, also taking account of risk concerns raised by management in the Audit Committee, Asset and Liability Committee and Executive Committee meetings on financial, business and strategic risk.

2.14.5.5 The committee, in carrying out its tasks under these terms of reference, may obtain such outside or other independent professional advice as it considers necessary to carry out its duties. The Executive Committee will ensure that the committee will have access to professional advice both inside and outside of the banking institution in order for it to perform its duties. The committee shall have access to any information it needs to fulfill its responsibilities.

2.14.6 Executive Committee

2.14.6.1 The committee is the link between the board and management and is responsible for implementation of operational plans, annual budgeting and periodic reviews of group operations, strategic plans, ALCO strategies, credit proposals review, identification and management of key risks and opportunities. The committee shall review and approve guidelines for employees' remuneration.

2.14.6.2 The Executive Committee is constituted to assist the chief executive officer to manage the banking institution. The board of directors takes cognisance of authorities delegated to the chief executive officer by means of resolutions from time to time. The Executive Committee assists the chief executive officer guide and control the overall direction of the business of the banking institution and acts as a medium of communication and co-ordination between business units and the board.

2.14.6.3 The Executive Committee shall also ensure that the Risk Management Committee has access to any information it requires to fulfill its responsibilities.

2.15 Remuneration and Termination Benefits

2.15.1 The remuneration of directors and the chief executive shall not be out of line with the nature and size of operations of a banking institution. The directors and chief executive should not avail themselves of unreasonably bountiful remuneration, with excessive bonuses and fringe benefits relative to the profits and operations of the banking institution. Non-executive directors should not expect executive pay.

2.15.2 As a matter of principle, the chief executive of a group should draw all his salary, including benefits, from one source, usually the parent company. While the chief executive of a banking institution is entitled to receive director's fees from that institution's subsidiaries, such fees should be nominal.

2.16 Board and Director Evaluation

2.16.1 The Board, through its nomination committee or similar board committee, shall regularly review its required mix of skills and experience and other qualities such as demographics and diversity in order to assess the effectiveness of the board. Such review shall be by means of peer and self evaluation of the board as a whole, its committees and the contribution of each and every director, including the Chairman.

2.16.2 The evaluations shall be conducted annually and the fact that they have been done should be disclosed in the annual report. The Chairman of the board shall report to the Reserve Bank annually on the board and directors' evaluations and effectiveness. The report shall be submitted 14 days after the year end.

2.17 Policy on Dealings and Securities

2.17.1 Every listed banking institution shall have a prohibition on dealing in its shares by directors, officers and other selected employees for a designated period preceding the announcement of its financial results or in any other period considered sensitive, and have regard to the listing requirements of the Zimbabwe Stock Exchange rules and/or any other applicable rules and legislation, in respect of dealings of directors.

2.17.2 The abovementioned practice should be determined by way of a formal policy established by the board and implemented by the company secretary or compliance officer.

2.18 Policy on insider loans and Intra-Group Transactions

2.18.1 Every banking institution shall have a policy on insider loans, which complies with the provisions of the Banking Act and Regulations as amended from time to time.

2.18.2 The banking institution shall make disclosures on any lending in connection with any related interest.

2.18.3 The banking institution shall take a cautionary approach and where it is not clear whether or not a lending will be treated as "insider lending", the approach to be taken is that the lending is an insider lending.

2.18.4 Every banking institution shall have a policy on intra-group exposures.

2.19 Integrated Sustainability Reporting

Every banking institution should report at least annually on the nature and extent of its social, transformation, ethical, safety, health and environmental management policies and practices. The board must determine what is relevant for disclosure, having regard to the company's particular circumstances.

2.20 Organisational Integrity/ Code of Ethics

2.20.1 Every banking institution should engage its stakeholders in determining the company's standards of ethical behaviour. It should demonstrate its commitment to organisational integrity by codifying its standards and ethics.

2.20.2 Each banking institution should disclose in its annual report the extent of its adherence to the banking institution's code of ethics. The disclosure should include a statement as to the extent the directors believe the ethical standards and the above criteria are being met. If this is considered inadequate there should be further disclosure of how the desired end-state will be achieved.

2.20.3 Banking institutions should deal with individuals or entities that demonstrate the same level of commitment to organisational integrity.

3 Implementation of the Guideline

All boards and individual directors have a duty and responsibility to ensure that the principles set out in the Guideline are observed.

4 Effective Date

This Guideline is effective from 30 September 2004.

Questions relating to the Guideline should be addressed to the Division Chief, Bank Licensing, Supervision & Surveillance, Reserve Bank of Zimbabwe, Telephone 703 000 extension 11133.

N. Mataruka

Division Chief,

Bank Licensing, Supervision & Surveillance


BANK LICENSING, SUPERVISION AND SURVEILLANCE

MINIMUM INTERNAL AUDIT STANDARDS IN BANKING INSTITUTIONS

Guideline No. 02-2004/BSD

1 Preliminary
2 Introduction
3 Purpose
4 Limitations
5 Organisation of the Internal Audit Function
6 Professional Proficiency
7 Relationship and Communication
8 Audit Governance
9 Duties and Responsibilities
10 Scope of Audit Work
11 Reporting and Documentation
12 Audit of Critical Areas of Operations
13 Effective Date

Mr. N. Mataruka
Division Chief - Bank Licensing, Supervision & Surveillance

1. PRELIMINARY

1.1. Short Title

Minimum Internal Audit Standards in Banking Institutions

1.2. Authorization

This Guideline is issued under the authority of section 45 of the Banking Act [Chapter 24:20].

1.3. Definitions

Terms used within this Guideline are as defined in the Banking Act [Chapter 24:20]

1.4. Application

This Guideline applies to all banking and non-bank financial institutions that are licensed and supervised by the Reserve Bank of Zimbabwe including bank holding companies. The Guideline should be read in conjunction with Guideline No. 01-2004/BSD on Corporate Governance.

2 Introduction

2.1. The internal audit function is an integral component of sound corporate governance and risk management practices in banks. It is part of the ongoing monitoring of controls which provides an independent assessment of the adequacy of, and compliance with the bank's established policies and procedures. As such, the internal audit function assists the board and management of the organization in the effective discharge of their responsibilities.

2.2. Increased competition, pressure to operate profitably or to improve performance, introduction of new financial products and the change in information technologies have heightened operational risk. This is manifested in the numerous frauds reported to the Reserve Bank of Zimbabwe (RBZ). RBZ examinations continue to reveal weaknesses in the records, systems and controls in financial institutions. Therefore, it is incumbent upon the management to enhance and to play a more proactive and meaningful role in achieving sound and stable growth in financial institutions.

2.3. In carrying out the internal audit function, the internal auditor must take cognisance of the following characteristics that generally distinguish banks from other commercial enterprises, and which the auditor must take into account in assessing the level of inherent risk:

2.3.1. Banks have custody of large amounts of monetary items, including cash and negotiable instruments, whose physical security has to be safeguarded during transfer and while being stored. They also have custody and control of negotiable instruments and other assets that are readily transferable in electronic form. The liquidity characteristics of these items make banks vulnerable to misappropriation and fraud. Banks therefore need to establish formal operating procedures, well defined limits for individual discretion and rigorous systems of internal control.

2.3.2. They have assets that can rapidly change in value and whose value is often difficult to determine. Consequently, a relatively small decrease in asset values may have a significant effect on capital solvency.

2.3.3. They generally derive a significant amount of their funding from short-term deposits. Loss of confidence by depositors in a bank's solvency can quickly result in a liquidity crisis.

2.3.4. They have fiduciary duties in respect of the assets they hold that belong to other persons. This may give rise to liability for breach of trust. Banks, therefore, need to establish operating procedures and internal controls designed to ensure that they deal with such assets only in accordance with the terms on which the assets were transferred to the bank.

2.3.5. They engage in large volumes and a variety of transactions whose value may be significant. This necessarily requires complex accounting and internal control systems and widespread use of information technology (IT).

2.3.6. Transactions can often be directly initiated and completed by the customer without any intervention by the bank's employees, for example over the Internet or through automated teller machines.

2.3.7. They often assume significant commitments without any initial transfer of funds other than, in some cases, the payment of fees. These commitments may involve only memorandum accounting entries. Consequently their existence may be difficult to detect.

2.3.8. They are regulated by governmental authorities whose regulatory requirements influence the accounting principles that banks follow. Non-compliance with regulatory requirements, for example, capital adequacy requirements, could have implications for the bank's financial statements or the disclosures therein.

2.3.9. They deal in complex financial instruments, some of which may need to be recorded at fair value in the financial statements. There is therefore need to establish appropriate valuation and risk management procedures. The effectiveness of these procedures depends on the appropriateness of the methodologies and mathematical models selected, access to reliable current and historical market information, and the maintenance of data integrity.

2.4. It is against this background of the centrality of the internal audit function in the risk management process in banking institutions that the Reserve Bank is issuing these Guidelines on Minimum Audit Standards for Internal Auditors of Banking Institutions.

3. PURPOSE

The Guidelines are issued to meet the following objectives:-

3.1. To improve the quality and effectiveness of the internal audit function;

3.2. To outline the role, duties and responsibilities of internal auditors to the board of directors (board), all levels of management and the external auditors; and

3.3. To provide uniform practice on internal auditing which would serve as a benchmark for guidance and measurement of the effectiveness of the internal audit function.

4. LIMITATIONS

4.1. These Guidelines serve as a general guide for the internal auditors of financial institutions. They are not intended to provide comprehensive discussion of all possible matters or situations of audit significance that the internal auditors may encounter in the course of auditing.

4.2. The Guidelines are also not meant to be exhaustive nor intended to provide detailed audit steps required to perform the audit of every operational area of financial institutions. The internal auditors should be guided by the authoritative pronouncements issued by the relevant professional accounting and auditing bodies.

5. ORGANISATION OF THE INTERNAL AUDIT FUNCTION

5.1. Overview

5.1.1. Internal auditors play an important functional role in helping to establish and maintain the best possible internal control environment at their financial institutions. An effective internal audit function is crucial to ensure a sound financial system as a whole. Important consideration has to be given to the organization of the internal audit function in the financial institution to ensure its effectiveness.

5.1.2. Financial conglomerates, by virtue of their nature and size of operations, may find the establishment of an internal audit department too onerous. For reasons of synergy and economies of scale, these may use the services of the group internal auditors.

5.2. Audit Committee

5.2.1. An Audit Committee shall comprise of non-executive directors who shall be appointed by the board of the financial institution. The chairman of the Audit Committee shall be an independent non-executive director and shall not be the chairman of the board.

5.2.2. The role of the Audit Committee in the context of the Guideline is to provide an avenue for the internal audit department to effectively communicate findings and should be in line with the provisions of the Banking Act [Chapter 24:20].

5.3. Independence

5.3.1. The independence of internal auditors is an important prerequisite to the proper conduct of audits so as to render impartial and unbiased judgments.

5.3.2. The organizational and reporting structure of the internal audit function shall ensure that the function is independent of the activities audited and should also be independent from the everyday internal control process. This means that internal audit is given an appropriate standing within the bank and carries out its assignments with objectivity and impartiality.

5.3.3. The internal audit department should be able to exercise its assignment on its own initiative in all departments, establishments and functions of the bank. It must be free to report its findings and appraisals and to disclose them internally.

5.3.4. The principle of independence entails that the head of the internal audit department has the authority to communicate directly on his/her own initiative, to the board, the chairman of the board of directors, board audit committee or the external auditors where appropriate, according to the provisions of the audit charter.

5.3.5. The reporting lines of the internal audit function in all cases must be clearly defined as follows:

INTERNAL AUDIT REPORTING STRUCTURE

[Figure: boxes labelled Audit Committee, Internal Audit Function and Chief Executive Officer, with reporting lines labelled Administrative Reporting and Functional Reporting.]

5.3.6. The status of the internal audit department within a bank's overall organizational structure should be sufficient and distinct to permit the internal auditors to accomplish their audit objectives. Internal auditors should have the support of the management in order to gain the cooperation of the auditees and to perform their work free from interference. The position of the head of internal audit should be equivalent to the status of other key functional heads to enable him to deal effectively with his peers and superiors when discharging his duties and responsibilities. The appointment, remuneration, performance appraisal, transfer and dismissal of the head of internal audit should be decided by the Audit Committee.

5.3.7. Internal auditors shall have unrestricted access to the institution's records, assets, personnel and premises which are necessary for the proper conduct of the audit. Any restriction should be promptly communicated in writing to the Audit Committee for the latter to resolve with the management.

5.4. Objectivity

5.4.1. Objectivity is an independent mental attitude which would enable the internal auditors to exercise judgment, express opinions and present recommendations with impartiality.

5.4.2. The internal auditors should at the least observe the following principles:-

a. Avoid any conflict of interest situation arising either from their professional or personal relationships in an organization or activity which is subject to audit;

b. Have no authority or responsibility over any unit or activity that is being audited;

c. Should not be assigned to audit operational areas in which they were previously involved as non-audit staff until an independent audit has been conducted during the intervening period; and

d. Act only in advisory capacity whenrecommending controls on new systems orreviewing procedures prior to theirimplementation.

The internal audit function must be subjectto an independent review by anindependent party. This function can becarried out by an external auditor or theAudit Committee.

The effectiveness of the internal auditfunction depends substantially on thequality, training and experience of the auditstaff. Professional competence is assessedtaking into account the nature of the roleand the auditors' capacity to collectinformation, to examine, to evaluate and tocommunicate.

In this respect cognisance is taken of theability of the auditor to understand thegrowing technical complexity of a bank'sactivities and the increasing diversity oftasks that need to be undertaken by theinternal audit department as a result ofdevelopments in the financial sector.

The internal audit staff should be suitablyqualified and be provided with thenecessary training and continuingprofessional education for the purpose ofenhancing or enriching their audit andrelevant technical skills.

The head of internal audit, in consultationwith the CEO, shall decide on the rightresources required for the internal auditdepartment taking into consideration thesize and complexity of operations of thefinancial institution. The level of theresources required should be justified andendorsed by theAudit Committee.

The head of internal audit must establishsuitable criteria for the recruitment of theinternal audit staff. The effectiveness of theinternal audit function may be enhanced bythe use of specialist staff or consultants,particularly in highly technical areas e.g.I.T. and new complex synthetic products.

The academic background and expertiserequired of the head of internal audit variesdepending on the size and complexity of thefinancial inst i tut ion's operat ions.Commensurate with his position in theorganizational hierarchy, the head ofinternal audit should possess relevantacademic/professional qualifications andsufficient audit experience. The head ofinternal audit should also have in-depthknowledge of the bus iness andorganizational, technical, communicationand other relevant skills.

Internal auditors should be proficient inapplying approved auditing guidelines andaccounting standards, legal and regulatoryrequirements, directives and guidelinesissued by RBZ and other authorities, andother rules and regulations issued by the

relevant associations of the bankingindustry.

5.4.3.

6.1.

6.2.

6.3.

6.4. Resources

6.4.1.

6.4.2.

6.5. Qualification, Knowledge, Experienceand Skills

6.5.1.

6.5.2.

6.

7.

8.

PROFESSIONAL

PROFICIENCY

RELATIONSHIPAND

AUDIT

GOVERNANCE

COMMUNICATION

6.6. Supervision

6.6.1.

6.6.2.

6.7. Professional Ethics

6.7.1.

6.7.2.

6.8. Training

6.8.1.

6.8.2.

7.1.

7.2.

8.1.

8.2. Audit Charter

8.2.1.

8.2.2.

8.2.3.

8.2.4.

8.3. Audit Plan

8.3.1.

8.3.2.

8.3.3.

8.3.4.

Supervision is a continuing process from planning to the conclusion of the audit assignment. The head of internal audit is responsible for the audit performed by his subordinates. The head of internal audit should ensure that the audit objectives stated in the approved audit programme have been achieved.

The head of internal audit should set milestones for each audit assignment (i.e. from the commencement of the assignment to the issuance of the audit report) after considering its nature and complexity.

Internal auditors should at all times exercise due professional care when discharging their duties and responsibilities. They should carry out their work independently, objectively, professionally and with utmost good faith. Internal auditors should subject themselves to the highest ethical standards and avoid any conflict of interest situation.

Internal auditors are required to maintain strict confidentiality with regard to all information obtained in the course of their work and must not use any privileged information for personal gain. They should comply with RBZ guidelines, relevant laws and regulations and the requirements of relevant professional bodies.

The Audit Committee has a responsibility to ensure that the internal audit staff receives the necessary training to perform the audit work. There should be a programme of continuing education and training to enable internal auditors to keep abreast with the business trends and developments as well as to upgrade and enhance their technical skills.

The head of internal audit should ensure that on-the-job training is provided to new recruits under the supervision of competent and experienced internal auditors. Training should be a planned and continuous process for all levels of internal audit staff. The head of internal audit, in consultation with the Audit Committee and the CEO, should determine the budget requirements for the training needs of the internal audit department.

Internal auditors should have a constructive working relationship and be in constant communication with management, external auditors and the RBZ. Regular meetings should be held with the external auditors on areas of common concerns such as audit planning, audit priorities and scope to avoid duplication of effort.

The head of internal audit should monitor all corrective actions taken by management with regard to RBZ examination findings and report to RBZ any instances where corrective actions have not been taken.

The internal audit department should have an audit charter, audit plan, audit manual, audit programme and internal control questionnaires in place. Although these documents may be called by different names and differ in comprehensiveness, the underlying principle is that they serve the intended purpose.

The internal audit function must be guided by a formal Audit Charter, which identifies:

a. the objectives, scope, purpose and independence of the internal audit function;

b. the internal audit department's position within the organization, its powers, responsibilities and relations with other functions; and

c. the accountability of the head of the internal audit department.

The Charter shall be drawn up, and reviewed periodically, by the internal audit department; it must be approved by senior management and subsequently confirmed by the board of directors as part of its supervisory role.

The Charter shall also state the terms and conditions according to which the internal auditor may provide consulting and other advisory services.

The audit charter must be approved by the Audit Committee and endorsed by the board so that the internal audit function may be effectively discharged.

The head of internal audit should develop an audit plan as a means of directing and controlling the audit work. The audit strategic plan may range from one to five years depending on the size and complexity of operations.

The plan shall set out the audit objectives, auditable areas, scope of coverage, frequency of audit, resources required and duration of each audit assignment. The head of internal audit should assess the risks of the auditable areas before determining the audit frequency and scope of coverage.

The head of internal audit shall establish the principles of the risk assessment methodology in writing and regularly update them to reflect the changes to the system of internal control or work process, and to incorporate new lines of business. As a general guide, the audit cycle for all auditable areas should be at least once a year.

The head of internal audit, however, has the discretion to determine the audit cycle for auditable areas deemed not critical if the financial institution has an effective risk assessment system in place.

The head of internal audit should also include management audit in the audit plan. The audit plan must be endorsed by the Audit Committee, approved by the board and should be flexible to respond to changing priorities or needs.

The audit manual provides the audit department personnel with a set of audit standards for guidance and reference. It also serves as a valuable training aid for new recruits. The audit manual should contain written audit policies, objectives, standard procedures and programmes.

The head of internal audit should ensure that the audit manual is comprehensive enough to cover at least the major operations of the financial institution and is reviewed periodically to reflect corporate, regulatory and industry trends.

The audit programme shall set out detailed step-by-step audit procedures for each auditable area which should be supplemented by the internal control questionnaire. Both the audit programme and internal control questionnaire should be comprehensive and tailored to keep abreast with the current developments relevant to the industry.

A well-designed audit programme and internal control questionnaire should provide a systematic audit approach. In addition, the internal auditors' sound judgment and analytical skills are essential in ensuring a high quality audit.

The core function of an internal audit department is to perform an independent appraisal of the financial institution's activities as a service to management. The internal audit function plays an important role in helping management to establish and maintain the best possible internal control environment within the financial institution.

A sound internal control environment would ensure:

Adequacy and effectiveness of the internal control system,

Compliance with policies, procedures, rules, guidelines, directives, laws and regulations,

Detection of frauds, errors, omissions and any other irregularities,

Management audit,

Information systems audit, and

Participative and consultative role in the development of new products and systems.

The audit scope should entail the examination and evaluation of all functions and activities of the financial institution including control features, operational systems and procedures as well as assessment of the quality of management performance in discharging their duties and responsibilities.

The scope of audit work covered under this part should not be construed to be exhaustive but serves to provide the minimum scope to be covered under audit assignment. The head of internal audit should ensure that sufficient coverage and depth are given to each audit assignment based on the assigned risk factors. The head of internal audit, after having considered the level of risk for each auditable area, should decide whether to expand or limit the audit scope. Such decision should be properly documented.

The internal auditors should also decide on the appropriate level of audit sampling in order to achieve their audit objectives. The internal auditors should be guided by the International Auditing Guideline on Audit Sampling.

The audit scope should cover:

The audit scope should cover the effectiveness of the system of internal control, the reliability and integrity of MIS, the prevention or timely detection of frauds, errors, omissions and other irregularities, and the means for the safeguarding of assets.

All financial institutions should ensure strict compliance with all applicable laws and regulations, guidelines, directives, reporting requirements and internal policies and operating procedures. The audit scope should cover the financial institution's compliance with:-

a. Banking Act, Banking Regulations and other applicable statutes and regulations;

b. Guidelines, directives and circulars issued by RBZ and pronouncements or rules issued by the relevant associations; and

c. Internally approved policies and operational procedures as well as the soundness and effectiveness of the compliance function.

In view of increasing competition, complexities of operations and financial innovations, management should develop a formalized system to ensure that risk exposures are identified and adequately measured, monitored and controlled. The risk management system should be commensurate with the scope, size and complexity of the financial institution's activities and the level of risk a financial institution is prepared to assume. In assessing the overall risk management system, the auditor should review the following to ensure:-

a. Effective management supervision is practiced by the board and its delegated authorities;

b. Procedures that identify and quantify the level of risk on a timely basis are in place;

c. Limits or other controls are in place to manage the risk;

d. Reports to management accurately present the nature and level of risk taken and any non-compliance with approved policies and limits;

e. Responsibilities for managing individual risks are clearly identified; and

f. Procedures relating to the calculation and allocation of capital to risks are in place.

g. A risk matrix adequately capturing the institution's risk profile prepared and updated as necessary.

Internal auditors should play a proactive role in determining the financial institution's optimum utilization of resources in the accomplishment of the organisation's overall objectives and goals.

In evaluating the accomplishment of set goals and objectives, the internal auditors' scope should cover the entire operations or a sub-section thereof to determine whether:-

a. Objectives and goals are clearly set and measurable;

b. Objectives and goals have been articulated and communicated to all staff and are being met;

c. Adequate controls are established for measuring and reporting the accomplishment of objectives and goals;

d. An effective control mechanism is implemented to monitor actual performance against budget. Any significant variances are analyzed, investigated and promptly reported to the management and the board;

e. Management has considered the strengths, weaknesses, opportunities and threats of the respective operation or programme;

f. The achievement of set objectives and goals is in compliance with policies, plans, procedures, laws and regulations; and

g. The underlying assumptions used by management in developing business plans and strategies are appropriate and reasonable.

Internal audit reports provide a formal means of communicating audit results and recommended actions to management and the Audit Committee. Audit reports provide an avenue for the Audit Committee to highlight significant weaknesses and the management's proposed remedial measures to the board. The management's responsiveness to internal auditors' recommendations for reducing risks, strengthening internal controls and correcting errors should be the desired result of the audit reports.

It is of primary importance that in the course of the audit, should the internal auditors uncover major issues or frauds that would significantly affect the financial institution's financial position or operations, they shall immediately inform management to ensure prompt corrective actions are taken.

8.3.5.

8.4. Manual

8.4.1.

8.4.2.

8.5. Audit Programme and Internal Control Questionnaires

8.5.1.

8.5.2.

9.1.

9.2.

9.2.1.

9.2.2.

9.2.3.

9.2.4.

9.2.5.

9.2.6.

10.1.

10.2.

10.3.

10.4.

10.4.1. Evaluation And Appraisal Of The Internal Control System:

10.4.2. Compliance with Policies, Procedures, Rules, Guidelines, Directives, Laws And Regulations:

10.4.3. Adequacy and Effectiveness of Risk Management System:

10.4.4. Effective and Efficient Use of Resources:

10.4.5. Accomplishment Of Set Goals And Objectives:

11.1.

11.2.

9. DUTIES AND RESPONSIBILITIES

10. SCOPE OF AUDIT WORK

11. REPORTING AND DOCUMENTATION

A signed report should be issued after the completion of each audit assignment irrespective of the significance of the issues raised. The internal auditors should discuss the audit results and the recommendations thereof with the auditee before the financial audit report is issued. The discussion should be carried out with those individuals who are knowledgeable of detailed operations and those who can authorize the implementation of corrective actions.

Management comments shall be incorporated in the financial audit report. The head of internal audit should review and approve the final audit report before it is presented to the Audit Committee.

A copy of the final audit report should be forwarded to the Audit Committee, the auditee, the CEO and the bank should forward such report to the RBZ on a timely basis.

Where the completion of an audit is likely to take a longer period, an interim audit report may be issued to communicate any significant issues which require management's immediate attention. The Audit Committee and the CEO should be kept informed of the issues as well as the progress of the audit. Discretion as to whether an interim audit report is warranted rests with the head of internal audit.

The head of internal audit shall ensure that an audit report is of sufficient quality so as to command management's attention. In order to communicate the audit results effectively, the following standards should be adopted:-

a. The audit report shall be objective, clear, concise, constructive and timely; and

b. The structure of the audit report shall include the following:-

• An executive summary;

Management shall treat all audit findings and recommendations seriously. Management's response to the audit findings should be included in the report. The internal auditors should monitor whether appropriate actions have been taken.

Management's plan of corrective actions and implementation time-table for completion should be developed and jointly agreed upon by management and the auditee. The status of the corrective actions should be monitored and reported to the Audit Committee and the CEO so that follow-up action can be taken to inform the appropriate levels of management on outstanding audit issues.

The internal auditors shall immediately report to the Audit Committee and the CEO any significant audit findings uncovered in the course of audit. RBZ should also be promptly informed of such findings. Significant financial findings are those that would have an adverse impact on the financial performance and condition of the financial institution. Significant non-financial findings represent fundamental weaknesses that could lead to the collapse of the financial institution's system of internal control.

The interim audit report shall incorporate preliminary summary findings, the impact or potential impact on the financial position and operations of the financial institution, and the proposed actions to be carried out by the internal auditors to investigate the matters.

The internal audit reports and working papers should be treated confidentially. The internal audit reports should only be disclosed to those persons authorized by the Audit Committee. As the internal audit working papers provide evidence of audit coverage and documentation of audit trails, they should be properly filed and stored.

To ensure systematic filing and control of audit reports and working papers, the following minimum procedures should be observed:-

a. The format for the working papers should be standardized;

b. There should be adequate referencing to identify the audit records, files and working papers created; and

c. There should be a system for filing and retrieving past reports and working papers.

As a minimum requirement, the audit working papers on the routine audit should be retained until the next audit is carried out on the same auditable area. Reports and working papers on investigation matters should be retained for at least seven years or such period until the matter is closed.

All internal audit reports, however, should be retained for at least three years or until the next audit report on the same auditable area is completed.

Internal auditors should focus their attention and direct their available resources to those operations or units which entail significant risks that may have an adverse impact on the operations and financial condition of the financial institution.

The critical operational areas identified are Credit Operations, Treasury Operations, Derivatives, Investment in Debt and Equity Securities, and Information Systems. These critical areas of operations are not meant to be exhaustive and the internal auditors should also identify and review other operational areas deemed to be critical to the specific business undertaken by the financial institution.

In reviewing the critical areas of the operations, it is vital that the audit coverage is comprehensive. The internal auditors should extend their scope if serious unsatisfactory features are uncovered in the course of the audit.

Important features to consider when auditing different critical areas are highlighted below:

When auditing the credit operations internal auditors shall put more emphasis on the:

a. Credit strategy;

b. Risk inherent in the credit operations;

c. Policies and procedures;

d. Security and legal documentation;

e. Credit disbursement, administration, monitoring and effective recovery system;

f. Accounting and financial reporting;

g. Provisioning;

h. Compliance with legal and regulatory requirements.

The control areas to be checked include:

a. Risk inherent in treasury operations;

b. Adequacy of and compliance with established policies and procedures;

c. Assets and liabilities management;

d. Accounting and financial reporting;

e. Compliance with legal and regulatory requirements.

To carry out their audit effectively, internal auditors should be conversant and knowledgeable about the derivative products and transactions, and must be guided by comprehensive audit manuals and programmes. Internal auditors should be conversant with:

a. Risk inherent in derivatives;

b. Policies and procedures;

c. Accounting and financial reporting;

d. Legal and regulatory requirements.

11.3. Audit Report

11.3.1.

11.3.2.

11.3.3.

11.3.4.

11.3.5.

11.4. Action and Follow-Up on Audit Recommendations

11.4.1.

11.4.2.

11.5. Reporting of Significant Findings and Frauds

11.5.1.

11.5.2.

11.6. Control and Filing of Audit Reports and Working Papers

11.6.1.

11.6.2.

11.7. Retention of Audit Reports and Working Papers

11.7.1.

11.7.2.

12.1.

12.2.

12.3.

12.4.

12.4.1. Credit Operations:

12.4.2. Treasury Operations:

12.4.3. Derivatives:

• Date of report and period covered by the audit;

• The scope and objectives of the audit;

• The significance and magnitude of the problems or issues;

• The causes of the problems or issues;

• Recommended solutions or preventive actions;

• Auditee's comments on the issues and recommendations, and remedial measures taken or proposed to be taken to address the audit issues;

• Management's achievements noted during the audit; and

• Overall conclusion.

12. AUDIT OF CRITICAL AREAS OF OPERATIONS


12.4.4. Investment In Debt and Equity Securities

12.4.5. Information Systems

a. A financial institution's investment in debt and equity securities normally involves participation in two main financial markets namely, the capital market and the money and foreign exchange market. A typical investment portfolio usually consists of public debt securities, equity securities (quoted and unquoted), equity-link securities, and private debt securities. Equity securities and private debt securities may also be acquired in the primary market or as a result of underwriting commitment. In banking institutions, equity securities are also acquired in satisfaction of debt and through debt-equity conversion.

b. Investment and trading securities may account for a sizeable proportion of the financial institution's assets and hence, securities of inferior quality may have an adverse impact on the financial institution's financial condition. Hence the internal auditors should be conversant with:

• Investment strategy;

• Risk inherent in investment;

• Policies and procedures;

• Accounting and financial reporting;

• Legal and regulatory requirements.

a. The financial institution shall have an effective information system audit function to evaluate the internal controls of the computerized system.

b. The information system auditors should review the effectiveness of information systems in supporting the business activities of the financial institution and the adequacy of controls over the information system management, systems development and programming, computer operations and security, teleprocessing and data integrity. In reviewing information systems auditors should pay particular attention to issues such as:

• Computer operations procedures and physical controls;

• Computer security e.g. password issuance and maintenance, follow up on access violation;

• System reliability and availability;

• Disaster recovery plan;

• Alternative processing site.


N. Mataruka

Division Chief
Bank Licensing, Supervision & Surveillance

13. Effective Date

These guidelines are effective from 30 September 2004. Questions relating to these guidelines should be addressed to the Division Chief, Bank Licensing, Supervision & Surveillance, Reserve Bank of Zimbabwe, Telephone 703 000 Ext. 11133.
