In line with the objectives and commitments enshrined in the mid-term Monetary Policy Statement regarding the issuance of certain guidelines to the Banking Sector and the public at large, I hereby issue two guidelines as follows:
1. Bank Licensing, Supervision and Surveillance - Corporate Governance
2. Bank Licensing, Supervision and Surveillance - Minimum Internal Audit Standards in Banking Institutions
BANK LICENSING, SUPERVISION AND SURVEILLANCE
CORPORATE GOVERNANCE
Guideline No. 01-2004/BSD
PREFACE
1 INTRODUCTION
2 SOUND CORPORATE GOVERNANCE
3 IMPLEMENTATION OF THE GUIDELINE
4 EFFECTIVE DATE
Dr. C.L. Dhliwayo
Deputy Governor - Bank Licensing, Supervision & Surveillance, Exchange Control & Anti-Money Laundering
Preface

1. Short title
Corporate Governance

2. Authorisation
The Guideline is issued under the authority of section 45 of the Banking Act [Chapter 24:20].

3. Application
This Guideline applies to all banking and non-banking institutions. Wherever the term "bank(s)" or "banking institution(s)" is used in the guideline, it shall also be read to include non-bank financial institutions that are licensed and supervised by the Reserve Bank including Bank Holding Companies.

The Guideline covers a variety of governance related issues. However, should there be additional areas arising out of the particular circumstances of the bank that merit coverage, the board will be responsible for ensuring that relevant governance systems and practices are implemented.

4. Definitions
The following terms used in this Guideline shall be taken to have the meaning assigned to them hereunder.

'Compliance Function' means an independent function that identifies, assesses, advises on, monitors and reports on the institution's compliance risk, that is, the risk of legal or regulatory sanctions, financial loss, or loss to reputation an institution may suffer as a result of its failure to comply with all applicable laws, regulations, codes of conduct and standards of good practice.

'Independent Non-Executive Director' means a non-executive director who is not a shareholder or a representative of a shareholder, has not been employed by the banking institution and or bank holding company in any executive capacity for the preceding three financial years, and has no significant contractual relationship with, or interest in, the banking institution and or bank holding company.

'Non-Executive Director' means an individual not involved in the day-to-day management and not a full time salaried employee of a banking institution or of its subsidiaries. An individual in the full time employment of the bank holding company or its subsidiaries, other than the institution concerned, would also be considered to be a non-executive director of the institution concerned, unless such individual, by his conduct or executive authority, could be construed to be directing the day to day management of the institution and its subsidiaries.

'Related Interest' in relation to an individual includes any company, co-operative, private business corporation, syndicate or association of persons in which the individual has a significant interest, or is the largest single shareholder, including any person who has entered into an agreement or arrangement with the first mentioned person, relating to the acquisition, holding or disposal of, or the exercising of voting rights in respect of shares in the banking institution in question.

'Related Interest', in relation to a company, includes any (i) subsidiary or holding company and any other company of which that holding company is a subsidiary, (ii) associate of the company.

Wherever the word "he" appears it shall be taken to include she and vice versa.
1 Introduction

1.1 Public confidence is the cornerstone of a stable banking system. As the custodian of public funds, the management of a banking institution must exhibit impeccable integrity and professionalism in their conduct so as to engender public confidence in the safety of their deposits. With the broadening and deepening of the country's financial infrastructure, the need for an effective board of directors to assume full responsibility for the overall management of each and every banking institution is more crucial now than ever before.

1.2 Because of a bank's special position of trust in the national economy, corporate governance is a matter of paramount importance. Banks are highly leveraged institutions, with most of their funds coming from depositors and creditors. They provide basic financial services to the public, financing to commercial enterprises, and access to the payments system. Increasing globalisation of financial markets, emergence of conglomerate structures, technological advances and innovations in financial products have added to the complexity of risk management in the banking sector. For these reasons, the quality of corporate governance expected of banking institutions is high.

1.3 Corporate governance refers to the processes and structures used to direct and manage the business and affairs of an institution with the objective of ensuring its safety and soundness and enhancing shareholder value. The process and structure define the division of power and establish mechanisms for achieving accountability between board of directors, management and shareholders, while protecting the interests of depositors and taking into account the effects on other stakeholders, such as creditors, employees, customers and the community.

1.4 From a banking and financial sector perspective, corporate governance involves the manner in which the business and affairs of individual institutions are governed by their boards of directors and senior management, affecting how banking institutions:

1.4.1 set corporate objectives (including generating economic returns to owners);
1.4.2 set risk management policies and procedures;
1.4.3 ensure that the day-to-day operations of the business are carried out efficiently and with integrity;
1.4.4 protect the interests of depositors and other recognized stakeholders;
1.4.5 align corporate activities and behaviour with the expectation that the banking institutions will operate in a safe and sound manner; and in compliance with applicable laws and regulations;
1.4.6 implement corporate values, codes of conduct and other standards of appropriate behaviour and systems used to ensure compliance with the aforementioned;
1.4.7 articulate corporate strategy against which the success of the overall enterprise and the contribution of individuals are measured;
1.4.8 clearly assign responsibilities and decision-making authorities, incorporating a hierarchy of required approvals from individuals to the board of directors;
1.4.9 establish mechanisms for interaction and co-operation amongst the board of directors, senior management and the auditors;
1.4.10 implement strong internal control systems, including internal and external audit functions, risk management and compliance functions and other checks and balances, independent of business lines;
1.4.11 monitor risk exposures where conflicts of interest are likely to be particularly great, including business relationships with borrowers affiliated with the banking institution, large shareholders, senior management, or key decision makers within the institution;
1.4.12 offer financial and managerial incentives in the form of compensation, promotion and recognition to senior management, business line management and employees; and
1.4.13 implement appropriate information flows internally and to the public.

1.5 The following have significant implications on corporate governance: -

1.5.1 Risk Management
Good corporate governance structures promote effective identification, measurement, monitoring and management of all material business risks. Banking institutions differ from most companies in terms of their nature and range of their business risks, and the adverse consequences that would follow if these risks are poorly managed. Banking institutions face a wide range of risks, many of them complex in nature. These risks include credit risk, market risk, compliance risk, reputational risk, settlement risk and business continuity risks. If the risks are poorly identified and managed, they expose the institutions to potential distress.

1.5.2 Regulatory Requirements
Banking institutions are required to comply with a large number of regulatory requirements including prudential requirements and various reporting obligations. There is, therefore, a need for the corporate governance framework to include systems for ensuring that all statutory and regulatory requirements are being adhered to and highlight potential or actual breaches if and when they occur.

1.5.3 High Quality Financial Disclosure
An essential complement to sound corporate governance is the implementation of robust financial disclosure requirements for corporates and banking institutions. Financial disclosure is essential as a means of strengthening the accountability of directors and senior management and enhancing the incentives for risk management. It is also essential for market participants and observers particularly the larger creditors of banks, news media, financial analysts and rating agencies to effectively monitor the performance and soundness of banking institutions and to exercise appropriate discipline on those institutions which do not perform well or fail to meet acceptable prudential standards.

1.5.4 Market Discipline
It is increasingly being recognised that market discipline can play an important role in promoting financial system stability and in encouraging the maintenance of sound corporate governance and risk management practices. Banks and corporates are more likely to be attentive to risk management in an environment where poor risk management and financial performance are penalised by the market, and strong risk management and financial performance are rewarded by the market. In the longer term, effective market discipline is likely to enhance financial stability and efficiency by strengthening the incentives for the efficient management of risks and by weeding out poor performers.
2 SOUND CORPORATE GOVERNANCE REQUIREMENTS

2.1 Authority and Duties of Shareholders
Shareholders of banking institutions shall jointly and severally protect, preserve and actively exercise the supreme authority of the institution in general meetings. They have a duty, jointly and severally, to exercise that supreme authority to:

2.1.1 Ensure that only competent and reliable persons who can add value to the banking institution are elected or appointed to the board of directors;

2.1.2 Ensure that the board of directors is constantly held accountable and responsible for the efficient and effective governance of the banking institution.

2.1.3 Change the composition of a board of directors that does not perform to expectation or in accordance with the mandate of the institution.

2.2 Leadership of the Banking Institution

2.2.1 The board of directors shall exercise leadership, enterprise, integrity and shrewd judgment in directing the banking institution so as to achieve continuing viability for the banking institution and shall always act in the best interest of the institution.

2.2.2 There shall be a clearly accepted division of responsibilities at the head of the banking institution, which will ensure a balance of power and authority such that no one individual has unfettered powers of decision.

2.3 Separation of Owners and Managers

2.3.1 In terms of section 18(3) of the Banking Act [Chapter 24:20], the chairman of the board of a banking institution shall not be an officer of the institution. Preferably, the chairperson should be an independent non-executive director. The board of directors of the banking subsidiary and its bank holding company shall be distinctly separate, with separate chairpersons.

2.3.2 No shareholder with a ten per centum (10%) or more shareholding in a banking institution or bank holding company shall form part of management of the banking institution or bank holding company.

2.3.3 No shareholder with a ten per centum (10%) or more shareholding in a banking institution shall be appointed as Chairperson or Deputy Chairperson of the board of directors of a banking institution or bank holding company.

No individual shareholder who had a significant shareholding in a failed institution and/or was involved in the running of a failed institution shall be allowed to acquire a significant shareholding or to hold a position of accountability in any banking institution.

2.4 Role and Functions of the Board

2.4.1 An important aspect of the functions is the identification of key risk areas and key performance indicators. The board must have a Charter, which as a minimum should clearly set out:
• The adoption of strategic plans,
• Monitoring of operational performance and management,
• Determination of policy and processes to ensure effective risk management and internal control, and
• Communication policy and director selection, orientation and evaluation.

2.4.2 The board of directors of a banking institution shall comprise technically competent persons of integrity with a strong sense of professionalism, fostering and practicing the highest standards of banking and finance.

2.4.3 In this regard, it is expected that the board of directors shall fulfill the following:

2.4.3.1 Ensure that through a managed and effective process, board appointments are made that provide a mix of proficient directors, each of whom is able to add value and bring independent judgment to bear on the decision-making process; and

2.4.3.2 Determine the institution's purpose and values, determine the strategy to achieve its purpose and to implement its values in order to ensure it survives and thrives.

2.4.4 Duties and Responsibilities of the Board
The major duties and responsibilities of the board of directors of a banking institution are as follows:

2.4.4.1 To ensure that there are adequate policies in place that are aimed at improving the banking institution's profit performance and ensuring fulfillment of the banking institution's strategic plans;

2.4.4.2 To ensure that the banking institution has adequate systems to identify, measure, monitor and manage key risks facing the banking institution;

2.4.4.3 Select and appoint senior executive officers who are qualified and competent to administer the affairs of the banking institution effectively and soundly;

2.4.4.4 Establish and ensure the effective functioning of Board and Management Committees in key areas;

2.4.4.5 Set up an effective internal audit department, staffed with qualified personnel to perform internal audit functions, covering the traditional function of financial audit as well as the function of management audit;

2.4.4.6 Set up an independent Compliance Function and approve the bank's compliance policy, including a charter or other formal document. It shall be the duty of the board to ensure that the Reserve Bank is informed, should the Head of Compliance leave that position and the reasons thereof. At least once a year, the board or committee of the board shall review the bank's compliance policy and its ongoing implementation to assess the extent to which the bank is managing its compliance risk effectively.

2.4.4.7 Ensure that the banking institution has a beneficial influence on the economic well-being of its community. Directors have a continuing responsibility to the community to provide those banking services and facilities which will be conducive to well-balanced economic growth;

2.4.4.8 Supervise the affairs of the banking institution, and be regularly informed of the banking institution's condition and policies in ensuring that the banking institution is soundly managed. The directors of a banking institution are entrusted with the handling and investment of public funds. Consequently, the supervisory commitment required from them entails a higher degree of wisdom, prudence, good business judgment and competence than that of directors of other types of companies. They should commit sufficient time to be fully informed of the condition of the business, the direction they are steering the institution, and apply immediate remedial measures when the need arises. The board should meet at least once a quarter to deliberate on the performance of the banking institutions and to provide policy direction and guidance for the management. Although directors may delegate certain authority to senior officers, they are ultimately accountable for the banking institution's operations. They should retain a record of the minutes of board meetings and a record of remedial actions by directors. Minutes should accurately capture contributions of every member;

2.4.4.9 Adopt and follow sound policies and objectives which have been fully deliberated. The directors must provide clear objectives and policies within which senior executive officers are to operate. These should cover all aspects of operations, including strategic planning, credit administration and control, asset and liability management encompassing the management of liquidity risk, interest rate risk and market risk, accounting system and control, service quality, automation plan, prevention of money laundering, profit planning and budgeting, adequacy of capital, and human resource development. Clear lines and limits of authority for all levels of staff should be established. The seriousness of infringing the authority limit should be emphasised to staff at all levels;
2.4.4.10 Observe banking laws, rulings and regulations. Directors must be conversant with the relevant laws, related regulations, interpretative rulings and notices, and must exercise due diligence to see that these are not violated. This duty may involve a personal financial responsibility for losses arising out of illegal actions. Directors may be penalised for any non-compliance with the provisions of the banking legislation and be removed from office if found to have acted against the interest of depositors and the banking institution;

2.4.4.11 The duty of care requires a board member, at a minimum, to participate effectively in board and committee meetings, to communicate and work effectively with the chairman of the board and the chief executive officer;

2.4.4.12 The duty of loyalty forbids directors and officers from participating in a competing enterprise unless a majority of the disinterested board members approve. Directors and officers who have an interest in a transaction to which the banking institution is an actual or potential party are required to disclose their interest to the Board. This interest can come from:
• being the other party to the contract;
• acting as representative of the other party;
• owning stock or serving as a director or officer of the other party;
• being a financier of the other party; or
• having close relatives who are any of the above.
For such a transaction to be valid, a majority of the disinterested directors must approve the transaction, upon disclosure of all the facts and circumstances surrounding the conflict of interest. If all the facts and circumstances surrounding the conflict are not disclosed, the Board or the shareholders may have the right to void the transaction and/or seek damages in court;

2.4.4.13 The Board shall have in place a code of conduct regulating disclosures of interest in relation to its members;

2.4.4.14 Avoid self-serving practices and conflicts of interest. Once their appointments take effect, directors assume a fiduciary role and must display the utmost good faith towards the banking institution in their dealings with it or on its behalf. The Companies Act [Chapter 24:03] subjects directors to disclosure requirements for outside business interests. Directors shall observe restrictions on insider lending as provided in the Banking Act and Regulations. Further, directors are required to observe the Zimbabwe Stock Exchange rules and/or other applicable laws in dealing in shares. In particular, they must avoid making any personal profit, acquiring personal benefit or retaining any commission, bonus or gifts for performing their official function of granting approval to financing arrangements or the use of particular services.

2.5 Board Composition

2.5.1 Each banking institution shall have a minimum of five directors. The board shall maintain a majority of non-executive directors such that no individual or group of individuals or interests can dominate its decision making.

2.5.2 In this regard, each banking institution must ensure that it appoints executive directors who constitute not more than two-fifths of the total membership of the board, in terms of Section 18 (2) of the Banking Act [Chapter 24:20]. Independent directors must be in the majority of the remaining three-fifths in such composition of the board. This is to ensure that the non-executive directors, who should form the majority, would render the necessary independence to the board from the executive arm of the banking institution, and help mitigate any possible conflict of interest between the policy-making process and the day-to-day management of the banking institution.

2.5.3 In an increasingly complex banking environment, the presence of suitably qualified independent directors can contribute effectively towards achieving the main tasks of the board. Further, independent directors should provide the necessary checks and balances on the board of the banking institution so as to ensure that the interests of minority shareholders and general public are given due consideration in the decision-making process. Independent directors should not be brought in as a mere formality as this would be tantamount to deceiving the minority shareholders and the public.

2.6 Appointment of Directors and Bank Executives

2.6.1 Legal Requirements

2.6.1.1 The appointment of a chief executive officer or chief accounting officer of a banking institution requires the prior written consent of the Reserve Bank as stated under section 20 of the Banking Act. Failure to obtain the prior written consent of the Reserve Bank constitutes an offence under the Act. In processing the applications for appointment of directors and chief executive of a banking institution, rigorous vetting is conducted to ensure that the proposed chief executive officer or chief accounting officer is a fit and proper person.

2.6.1.2 Section 19 of the Banking Act disqualifies a person from being appointed or elected as director if he has been adjudged or otherwise declared insolvent or bankrupt and has not been rehabilitated or discharged, has made assignment to, or arrangement or composition with his creditors, or has been convicted of theft, fraud, forgery, uttering a forged document or perjury or any other offence, by whatever name called, or has been convicted of any offence and sentenced to a term of imprisonment exceeding six months without an option of a fine, and has not received a free pardon.

2.6.2 Roles of Senior Management

Chief Executive

2.6.2.1 The sound operation of a banking institution depends critically on its chief executive. The chief executive officer must be suitably qualified with appropriate experience and possess a proven track record in the banking industry at senior management level. He must be a person of high calibre and impeccable integrity. The Reserve Bank will consider a candidate ineligible for the position of chief executive officer if he has been suspended for any reason while performing his duties in his previous employment or if he has been subject to investigation and compulsorily removed from his position by the Reserve Bank for doubtful transactions or misconduct during his career.

2.6.2.2 The Reserve Bank holds the chief executive officer directly responsible for the day-to-day operations of a banking institution. He must be conversant with the operations of the banking institution, the state of internal controls, requirements of statutes, directions, guidelines, regulations, as well as current issues and policies affecting the industry in general. He must also have the necessary knowledge and professional competence in the conduct of banking business.

2.6.2.3 Given the strategic operational role of the chief executive officer, this function shall be separate from that of the chairperson.

2.6.2.4 A banking institution is required to inform the Reserve Bank of the person who will be directly responsible for the overall running of the institution when the chief executive officer is unavailable, on leave or otherwise absent. The person so nominated should be fully acquainted with the affairs of the banking institution, and should be able to act promptly, with authority, on matters affecting the banking institution. The delegation of responsibilities to several persons, with no single person as the coordinator within the institution, should be avoided.

Chief Financial Officer

2.6.2.5 He is responsible for managing the accounting and financial activities of the company. He supervises the accounting department of the banking institution and is responsible for the receipt and disbursement of all funds, preparation of the financial portion of any business plans or periodic reports, preparation and filing of tax returns, administration of contracts and control of inventory. The Chief Financial Officer, along with the Chief Executive Officer, is generally regarded as an officer materially liable for the banking institution's operations.

Company Secretary

2.6.2.6 The company secretary, through the board, has a pivotal role to play in the corporate governance of a company. The company secretary should be an executive officer.

2.6.2.7 The board should be cognisant of the statutory duties imposed upon the company secretary and should empower the company secretary accordingly to enable him to fulfill those duties.
2.6.2.8 In addition to extensive statutory duties, the company secretary shall provide the board as a whole and directors individually with detailed guidance as to how their responsibilities should be properly discharged in the best interest of the company.

2.6.2.9 The company secretary shall be responsible for the induction and continuing training of directors, and for assisting the chairperson and the chief executive officer in determining the annual board plan and the administration of other issues of a strategic nature at the board level. Copies of the induction and continuing training programme shall be made available to the Reserve Bank on request by the inspectors.

2.6.2.10 The company secretary shall provide a central source of guidance and advice to the board, and within the company on matters of ethics and good governance.

2.6.2.11 The company secretary shall be subjected to a fit and proper test in the same manner as is recommended for new director appointments.

2.7 Bank Holding Companies
The Reserve Bank also applies the fit and proper test to the directors and the chief executive of the bank holding company. Their appointments shall be subject to prior written approval of the Reserve Bank. The boards of directors of the bank holding company and the banking institution shall be separate. The chairperson of the bank holding company shall not be the chairperson of the banking institution.

2.8 Practising Lawyers and Accountants

2.8.1 To enable banking institutions to tap the expertise of lawyers and accountants, practising lawyers and accountants may be appointed as directors of a banking institution provided that they are not employed by or are not partners in an accounting firm which is engaged to conduct audit of or consultancy work for the particular banking institution.

2.8.2 Practising lawyers and accountants who are appointed as directors of banking institutions are expected to exercise the highest degree of integrity and professionalism. They must always be mindful of the need to avoid being involved or to appear to be involved in any self-serving practices and conflict of interest situations in the conduct of their profession while serving as directors of a banking institution.

2.9 Alternate Directors
Directors of banking institutions are discouraged from appointing alternate directors as they should be committed personally to the board in directing the management of the institutions. An alternate director, in his capacity as a proxy for a director, may not be able to contribute effectively to the deliberations of the board. However, for practical reasons, directors who are not residents of Zimbabwe may appoint alternates.

2.10 Directorship in other Corporations

2.10.1 Interlocking directorships in the banking industry are prohibited. The Reserve Bank will only allow common directorships for banking institutions which are related corporations. This is in line with the need to avoid conflict of interest situations in the management of two or more banking institutions. Consistent with this policy, a person with more than 5% interest in the paid-up capital of a banking institution in his personal capacity (directly or indirectly) is also not allowed to be appointed to the board of another banking institution or banking group. In line with section 19(1)(b) of the Banking Act [Chapter 24:20], no person shall be appointed, or hold office, as a director of a banking institution if he is a director of another banking institution which carries on business in Zimbabwe in competition with the other banking institution.

2.10.2 The chief executive officer or executive director of a banking institution shall not hold any executive position in another corporation. However, for companies within the same group, and family-owned companies of the chief executive or executive director, exemption may be granted on a case-by-case basis. This is consistent with the Reserve Bank's requirement for a chief executive officer and executive director to devote his attention and commitment principally to the day-to-day operations of a banking institution. However, he may serve on the boards of other corporations in a non-executive capacity, subject to the limit specified in paragraph 2.11.2 below.

2.11 Maximum Number of Directorships

2.11.1 The director of a banking institution has a moral and professional obligation to devote his/her attention and commitment principally to the operations of the banking institution. Hence, section 19(1) of the Banking Act provides that "No person shall be appointed, or hold office, as a director of a banking institution if (a) he is a director of more than seven other companies registered in Zimbabwe".

2.11.2 However, it is recognised that a director of a banking institution is normally also required to sit on the boards of the banking institution's subsidiaries. Furthermore, he may sit on the boards of his family-owned companies, and be invited to sit on the boards of various organisations within the banking industry, non-profit social organisations or Government-controlled corporations. Hence, for purposes of computing the maximum number of directorships, the following shall apply:-
i. Directorships in other companies within the same banking group and directorship in companies to represent the equity interest of the banking institution concerned, should be aggregated and counted as one directorship; and
ii. Directorships or Council position in the following organisations are excluded from the computation of the limit:-
• Organisations within the banking industry, such as Bankers Association, Zimbabwe Stock Exchange, to whom an individual is nominated by the respective associations of the banking institutions;
• Professional bodies and non-profit social organisations.

2.12 Board Attendance
Every member of the board shall attend at least 75% of the board meetings of a banking institution. This is to ensure that he will discharge his duties and responsibilities effectively. At its Annual General Meeting, each banking institution is required to review the suitability of a non-executive director who has failed to comply with this 75% attendance rule, without valid reason. Attendances shall be disclosed in the annual report.

2.13 Disqualification of Directors
Banking institutions must follow good corporate governance principles, which provide for the disqualification of a director or senior manager who:
(i) has been involved in the directorship or management of a failed banking institution and or bank holding company, unless that person shows to the satisfaction of the Reserve Bank of Zimbabwe that the person was not responsible for the insolvency, liquidation, composition with creditors, bankruptcy or other arrangement with creditors or other action with similar effect in Zimbabwe or elsewhere.
(ii) was a director of an institution that has been liquidated or is under liquidation or management of the Reserve Bank, or
(iii) has taken part in or been associated with any other business practices as would, or has otherwise conducted himself in such manner as to cause doubt on his competence, integrity and soundness of judgment, or
(iv) if he is under suspension or has been removed from office, or
(v) if he has been a director, chief executive officer, chief financial officer or manager of an institution that has been adjudged insolvent, entered into a composition with its creditors, gone into liquidation, declared bankrupt or has entered into any other arrangement with creditors or taken any other action with similar effect in Zimbabwe or elsewhere unless that person shows to the satisfaction of the Reserve Bank of Zimbabwe that the person was not responsible for the insolvency, liquidation, composition with creditors, bankruptcy or other arrangement with creditors or other reaction with similar effect in Zimbabwe or elsewhere.

2.14 Board Committees
(a) Board committees assist the board and its directors in discharging their duties and responsibilities, however the board remains accountable.
(b)
(c)
(d)
(e)
(f)
(g)
2.14.1 Structure and Duties of the Audit
Committee
2.14.1.1
2.14.1.2
2.14.1.3
(a)
(b)
(c)
(d)
(e)
(f)
2.14.2 Board Credit Committee
(a)
(b)
(c)
(d)
(e)
There should be a formal procedure for
certain functions of the board to be
delegated, describing the extent of such
delegation, to enable the board to
properly discharge its duties and
responsibilities and to effectively
execute its decision making process.
Board committees with formally
determined terms of reference, life span,
role and function constitute an important
element of the process and should be
established with clearly agreed upon
reporting procedures and written scope
of authority.
As a general principle there should be
transparency and full disclosure from the
board committee to the board, except
where the committee has been mandated
otherwise by the board.
Non-executive directors must play an
important role in board committees.
All board committees shall be chaired by
an independent non-executive director.
The exception should be a board
committee fulfilling an executive
function.
Board committees should be free to take
independent outside professional advice
as and when necessary.
The board is required to establish an
Audit Committee to review the financial
condition of the banking institution, its
internal controls, performance and
findings of the internal auditors, and to
recommend appropriate remedial action
regularly, preferably at least once in three
months. The Audit Committee should
consist of not less than three members, all
of whom should be independent non-
executive directors of the banking
institution. The members should be
conversant with financial and accounting
matters.
The Audit Committee members should
elect a Chairman among them who is an
independent non-executive director. The
Chairman should not be the chairperson
of the Board. The Board chairperson
shall not be a member of the Audit
Committee at all, but could be invited to
attend meetings as necessary by the
chairperson of that committee. The Chief
Executive Officer should not be a
member of the Audit Committee, but
may attend by invitation. Membership of
the Audit Committee should be disclosed
in the annual report. Alternate directors
are not allowed to be appointed as
members of theAudit Committee.
The primary responsibilities of the Audit
Committee shall include the following:-
Ensure that the accounts are prepared in a
timely and accurate manner and ensure
the prompt publication of annual
accounts;
Review internal controls, including the
scope of the internal audit programme,
the internal audit findings, and
recommend action to be taken by
management;
Review with the external auditors, the
scope of their audit plan, system of
internal audit reports, assistance given by
management and its staff to the auditors
and any findings and actions to be taken;
The Audit Committee should also select
external auditors for appointment by the
board each year; and
Review any related party transactions
that may arise within the banking
institution.
The external and internal auditors of a
banking institution should have free
access to the Audit Committee. The
auditors should be allowed to attend and
be heard at any meeting of the Audit
Committee. Upon the request of the
auditors, the Chairman of the Audit
Committee should convene a meeting to
consider any matter that auditors believe
should be brought to the attention of
directors or shareholders.
The primary responsibilities of the Board Credit
Committee shall be to:-
Review and oversee the overall lending
policy of the banking institution;
D e l i b e r a t e a n d c o n s i d e r l o a n
applications beyond the discretionary
limits of the Risk Management
committee;
Review lendings by the Credit Risk
Management Committee;
Direct the formulation of, review and
monitor the credit principles and policies
of the banking institution;
Ensure that there are effective procedures
and resources to identify and manage
irregular problem credits, minimise
credit loss and maximise recoveries;
Direct, monitor, review and consider all
issues that may materially impact on the
present and future quality of the banking
institution's credit risk management; and
Delegate and review lending limits to the
sanctioning arms of the banking
institution.
The primary responsibilities of the Loans Review
Committee shall be as follows: -
To assist the board with discharging its
responsibility to review the quality of the
banking institution's loan portfolio,
To review the quality of its loan portfolio
with the view to achieving the objectives
spelt out in paragraph 20, Part IV of Third
Schedule of the Banking Regulations
(Statutory Instrument 205 of 2000),
The committee shall conduct loan
reviews independent of any person or
committee responsible for sanctioning
credit.
The responsibility of the board loans
review committee falls into the following
main areas, namely:
(i) To ensure the conformity of the loan
portfolio and lending function to a sound
lending policy which is documented,
approved and adopted by the board;
(ii) To ensure that the credit policy and risk
lending limits are reviewed at least on an
annual basis and as and when the
environment so dictates; and
(iii) To ensure that the Bank's potential and
specific bad debts are adequately
provided for.
ALCO shall derive the most appropriate
strategy for the banking institution in
terms of the mix of assets and liabilities
given its expectations of the future and
the potential consequences of interest-
rate movements, liquidity constraints,
and foreign exchange exposure and
capital adequacy.
The committee shall ensure that all
strategies conform to the banking
institution's risk appetite and levels of
exposure as determined by the Risk
Management Committee.
The responsibility to ensure quality,
integrity and reliability of the banking
institution's risk management shall be
delegated to the Risk Management
Committee. The committee shall assist
the board of directors in the discharge of
its duties relating to the corporate
accountability and associated risks in
terms of management, assurance and
reporting.
The committee shall review and assess
the integrity of the risk control systems
and ensure that the risk policies and
strategies are effectively managed.
The committee shall set out the nature,
role, responsibility and authority of the
risk management function within the
banking institution and outline the scope
of risk management work.
The committee shall monitor external
developments relating to the practice of
corporate accountability and the
reporting of specifically associated risk,
including emerging and prospective
impact. The committee shall provide
independent and objective oversight and
review of the information presented by
management on corporate accountability
and specifically associated risk, also
taking account of risk concerns raised by
management in the Audit Committee,
Asset and Liability Committee and
Executive Committee meetings on
financial, business and strategic risk.
The committee, in carrying out its tasksunder these terms of reference, may
(f)
(g)
2.14.3 Loans Review Committee
(a)
(b)
(c)
(d)
2.14.4 Asset and Liability Committee
(ALCO)
2.14.4.1
2.14.4.2
2.14.5 Risk Management Committee
2.14.5.1
2.14.5.2
2.14.5.3
2.14.5.4
2.14.5.5
7
obtain such outside or other independentprofessional advice as it considersnecessary to carry out its duties. TheExecutive Committee will ensure that thecommittee will have access toprofessional advice both inside andoutside of the banking institution in orderfor it to perform its duties. The committeeshall have access to any information itneeds to fulfill its responsibilities.
The committee is the link between theboard and management and isresponsible for implementation ofoperational plans, annual budgeting andperiodic reviews of group operations,strategic plans, ALCO strategies, creditproposals review, identification andmanagement of key r i sks andopportunities. The committee shallreview and approve guidelines foremployees' remuneration.
The Executive Committee is constitutedto assist the chief executive officer tomanage the banking institution. Theboard of directors takes cognisance ofauthorities delegated to the chiefexecutive officer by means of resolutionsfrom time to time. The ExecutiveCommittee assists the chief executiveofficer guide and control the overalldirection of the business of the bankinginstitution and acts as a medium ofcommunication and co-ordinationbetween business units and the board.
The Executive Committee shall alsoensure that the Risk ManagementCommittee has access to any informationit requires to fulfill its responsibilities.
The remuneration of directors and thechief executive shall not be out of linewith the nature and size of operations of abanking institution. The directors andchief executive should not availthemselves of unreasonably bountifulremuneration, with excessive bonusesand fringe benefits relative to the profitsand operations of the banking institution.Non-executive directors should notexpect executive pay.
As a matter of principle, the chiefexecutive of a group should draw all hissalary, including benefits, from onesource, usually the parent company.While the chief executive of a bankinginstitution is entitled to receive director'sfees from that institution's subsidiaries,such fees should be nominal.
The Board, through its nominationcommittee or similar board committee,shall regularly review its required mix ofskills and experience and other qualitiessuch as demographics and diversity inorder to assess the effectiveness of theboard. Such review shall be by means ofpeer and self evaluation of the board as awhole, i ts committees and thecontribution of each and every director,including the Chairman.
The evaluations shall be conductedannually and the fact that they have beendone should be disclosed in the annualreport. The Chairman of the board shallreport to the Reserve Bank annually onthe board and directors' evaluations andeffectiveness. The report shall besubmitted 14 days after the year end.
Every listed banking institution shallhave a prohibition on dealing in its sharesby directors, officers and other selectedemployees for a designated periodpreceding the announcement of itsfinancial results or in any other periodconsidered sensitive, and have regard tothe listing requirements of the ZimbabweStock Exchange rules and/or any otherapplicable rules and legislation, inrespect of dealings of directors.
The abovementioned practice should bedetermined by way of a formal policyes t ab l i shed by the boa rd andimplemented by the company secretaryor compliance officer.
Every banking institution shall have apolicy on insider loans, which complieswith the provisions of the Banking Act
and Regulations as amended from time totime.
The banking institution shall makedisclosures on any lending in connectionwith any related interest.
The banking institution shall take acautionary approach and where it is notclear whether or not a lending will betreated as "insider lending", the approachto be taken is that the lending is an insiderlending.
Every banking institution shall have apolicy on intra-group exposures.
Every banking institution should reportat least annually on the nature and extentof its social, transformation, ethical,safety, health and environmentalmanagement policies and practices. Theboard must determine what is relevant fordisclosure, having regard to thecompany's particular circumstances.
Every banking institution should engageits stakeholders in determining thecompany's standards of ethicalbehaviour. It should demonstrate itscommitment to organisational integrityby codifying its standards and ethics.
The disclosure shouldinclude a statement as to the extent thedirectors believe the ethical standardsand the above criteria are being met. Ifthis is considered inadequate thereshould be further disclosure of how thedesired end-state will be achieved.
Banking institutions should deal withindividuals or entities that demonstratethe same level of commitment toorganisational integrity.
2.14.6 Executive Committee
2.14.6.1
2.14.6.2
2.14.6.3
2.15 Remuneration And TerminationBenefits
2.15.1
2.15.2
2.16 Board and Director Evaluation
2.16.1
2.16.2
2.17 Policy on Dealings and Securities
2.17.1
2.17.2
2.18 Policy on insider loans and Intra-Group Transactions
2.18.1
2.18.2
2.18.3
2.18.4
2.19 Integrated Sustainability Reporting
2.20 Organisational Integrity/ Code ofEthics
2.20.1
2.20.2
2.20.3
Each banking institution should disclosein its annual report the extent of itsadherence to the banking institution'scode of ethics.

3 Implementation of the Guideline
All boards and individual directors have a duty and responsibility to ensure that the principles set out in the Guideline are observed.

4 Effective Date
This Guideline is effective from 30 September 2004.
Questions relating to the Guideline should be addressed to the Division
Chief, Bank Licensing, Supervision & Surveillance, Reserve Bank of
Zimbabwe, Telephone 703 000 extension 11133.
N. Mataruka
Division Chief,
Bank Licensing, Supervision & Surveillance
BANK LICENSING, SUPERVISION AND SURVEILLANCE
MINIMUM INTERNAL AUDIT STANDARDS IN
BANKING INSTITUTIONS
Guideline No. 02-2004/BSD
1 Preliminary
2 Introduction
3 Purpose
4 Limitations
5 Organisation of the Internal Audit Function
6 Professional Proficiency
7 Relationship and Communication
8 Audit Governance
9 Duties and Responsibilities
10 Scope of Audit Work
11 Reporting and Documentation
12 Audit of Critical Areas of Operations
13 Effective Date
Mr. N. Mataruka, Division Chief - Bank Licensing, Supervision & Surveillance

1. PRELIMINARY
1.1. Short Title
Minimum Internal Audit Standards in Banking Institutions
1.2. Authorization
This Guideline is issued under the authority of section 45 of the Banking Act [Chapter 24:20].
1.3. Definitions
Terms used within this Guideline are as defined in the Banking Act [Chapter 24:20].
1.4. Application
This Guideline applies to all banking and non-bank financial institutions that are licensed and supervised by the Reserve Bank of Zimbabwe including bank holding companies. The Guideline should be read in conjunction with Guideline No. 01-2004/BSD on Corporate Governance.

2. INTRODUCTION
2.1. The internal audit function is an integral component of sound corporate governance and risk management practices in banks. It is part of the ongoing monitoring of controls which provides an independent assessment of the adequacy of, and compliance with the bank's established policies and procedures. As such, the internal audit function assists the board and management of the organization in the effective discharge of their responsibilities.
2.2. Increased competition, pressure to operate profitably or to improve performance, introduction of new financial products and the change in information technologies have heightened operational risk. This is manifested in the numerous frauds reported to the Reserve Bank of Zimbabwe (RBZ). RBZ examinations continue to reveal weaknesses in the records, systems and controls in financial institutions. Therefore, it is incumbent upon the management to enhance and to play a more proactive and meaningful role in achieving sound and stable growth in financial institutions.
2.3. In carrying out the internal audit function, the internal auditor must take cognisance of the following characteristics that generally distinguish banks from other commercial enterprises, and which the auditor must take into account in assessing the level of inherent risk:
2.3.1. Banks have custody of large amounts of monetary items, including cash and negotiable instruments, whose physical security has to be safeguarded during transfer and while being stored. They also have custody and control of negotiable instruments and other assets that are readily transferable in electronic form. The liquidity characteristics of these items make banks vulnerable to misappropriation and fraud. Banks therefore need to establish formal operating procedures, well defined limits for individual discretion and rigorous systems of internal control.
2.3.2. They have assets that can rapidly change in value and whose value is often difficult to determine. Consequently, a relatively small decrease in asset values may have a significant effect on capital solvency.
2.3.3. They generally derive a significant amount of their funding from short-term deposits. Loss of confidence by depositors in a bank's solvency can quickly result in a liquidity crisis.
2.3.4. They have fiduciary duties in respect of the assets they hold that belong to other persons. This may give rise to liability for breach of trust. Banks, therefore, need to establish operating procedures and internal controls designed to ensure that they deal with such assets only in accordance with the terms on which the assets were transferred to the bank.
2.3.5. They engage in large volumes and a variety of transactions whose value may be significant. This necessarily requires complex accounting and internal control systems and widespread use of information technology (IT).
2.3.6. Transactions can often be directly initiated and completed by the customer without any intervention by the bank's employees, for example over the Internet or through automated teller machines.
2.3.7. They often assume significant commitments without any initial transfer of funds other than, in some cases, the payment of fees. These commitments may involve only memorandum accounting entries. Consequently their existence may be difficult to detect.
2.3.8. They are regulated by governmental authorities whose regulatory requirements influence the accounting principles that banks follow. Non-compliance with regulatory requirements, for example, capital adequacy requirements, could have implications for the bank's financial statements or the disclosures therein.
2.3.9. They deal in complex financial instruments, some of which may need to be recorded at fair value in the financial statements. There is therefore need to establish appropriate valuation and risk management procedures. The effectiveness of these procedures depends on the appropriateness of the methodologies and mathematical models selected, access to reliable current and historical market information, and the maintenance of data integrity.
2.4. It is against this background of the centrality of the internal audit function in the risk management process in banking institutions that the Reserve Bank is issuing these Guidelines on Minimum Audit Standards for Internal Auditors of Banking Institutions.
3.
4.
5.
PURPOSE
LIMITATIONS
ORGANISATION
OF THEINTERNALAUDITFUNCTION
The Guidelines are issued to meet the followingobjectives:-
To improve the quality and effectivenessof the internal audit function;
To outline the role, duties andresponsibilities of internal auditors to theboard of directors (board), all levels ofmanagement and the external auditors;and
To provide uniform practice on internalauditing which would serve as ab e n c h m a r k f o r g u i d a n c e a n dmeasurement of the effectiveness of theinternal audit function.
These Guidelines serve as a generalguide for the internal auditors of financialinstitutions. They are not intended toprovide comprehensive discussion of allpossible matters or situations of auditsignificance that the internal auditorsmay encounter in the course of auditing.
The Guidelines are also not meant to beexhaustive nor intended to providedetailed audit steps required to performthe audit of every operational area offinancial institutions. The internalauditors should be guided by theauthoritative pronouncements issued bythe relevant professional accounting andauditing bodies.
Internal auditors play an importantfunctional role in helping to establish andmaintain the best possible internalcontrol environment at their financialinstitutions. An effective internal auditfunction is crucial to ensure a soundfinancial system as a whole. Importantconsideration has to be given to theorganization of the internal auditfunction in the financial institution toensure its effectiveness.
Financial conglomerates, by virtue oftheir nature and size of operations, mayfind the establishment of an internal auditdepartment too onerous. For reasons ofsynergy and economies of scale, thesemay use the services of the group internalauditors.
An Audit Committee shall comprise ofnon-executive directors who shall beappointed by the board of the financialinstitution. The chairman of the AuditCommittee shall be an independent non-executive director and shall not be thechairman of the board.
The role of the Audit Committee in thecontext of the Guideline is to provide anavenue for the internal audit departmentto effectively communicate findings andshould be in line with the provisions of
the BankingAct Chapter 24:20].
The independence of internal auditors isan important prerequisite to the properconduct of audits so as to render impartialand unbiased judgments.
The organizational and reportingstructure of the internal audit functionshall ensure that the function isindependent of the activities audited andshould also be independent from theeveryday internal control process. Thismeans that internal audit is given anappropriate standing within the bank andcarries out its assignments withobjectivity and impartiality.
The internal audit department should beable to exercise its assignment on its owni n i t i a t i v e i n a l l d e p a r t m e n t s ,establishments and functions of the bank.It must be free to report its findings andappraisals and to disclose theminternally.
The principle of independence entailsthat the head of the internal auditdepartment has the authority tocommunicate directly on his/her owninitiative, to the board, the chairman ofthe board of directors, board auditcommittee or the external auditors whereappropriate, according to the provisionsof the audit charter.
The reporting lines of the internal auditfunction in all cases must be clearlydefined as follows:
The status of the internal audit
department within a bank's overall
organizational structure should be
sufficient and distinct to permit the
internal auditors to accomplish their
audit objectives. Internal auditors
should have the support of the
management in order to gain the
cooperation of the auditees and to
per form the i r work f ree f rom
interference. The position of the head of
internal audit should be equivalent to the
status of other key functional heads to
enable him to deal effectively with his
peers and superiors when discharging his
duties and responsibilities. The
a p p o i n t m e n t , r e m u n e r a t i o n ,
performance appraisal, transfer and
dismissal of the head of internal audit
should be decided by the Audit
Committee.
Internal auditors shall have unrestricted
access to the institution's records, assets,
personnel and premises which are
necessary for the proper conduct of the
audit. Any restriction should be
promptly communicated in writing to the
Audit Committee for the latter to resolve
with the management.
Objectivity is an independent mental
attitude which would enable the internal
auditors to exercise judgment, express
opinions and present recommendations
with impartiality.
The internal auditors should at the least
observe the following principles:-
a. Avoid any conflict of interest situation
arising either from their professional or
personal relationships in an organization
or activity which is subject to audit;
b. Have no authority or responsibility over
any unit or activity that is being audited;
c. Should not be assigned to audit
operational areas which they were
previously involved as non-audit staff
until an independent audit has been
conducted during the intervening period;
and
3.1.
3.2.
3.3.
4.1.
4.2.
5.1. Overview
5.1.1.
5.1.2.
5.2. Audit Committee
5.2.1.
5.2.2.
5.3. Independence
5.3.1.
5.3.2.
5.3.3.
5.3.4.
5.3.5. INTERNAL AUDIT REPORTINGSTRUCTURE
5.3.6.
5.3.7.
5.4. Objectivity
5.4.1.
5.4.2.
[
Audit Committee
Internal Audit
Function
Chief Executive
Officer
Administrative Reporting Functional
Reporting
12
d. Act only in advisory capacity whenrecommending controls on new systems orreviewing procedures prior to theirimplementation.
The internal audit function must be subjectto an independent review by anindependent party. This function can becarried out by an external auditor or theAudit Committee.
The effectiveness of the internal auditfunction depends substantially on thequality, training and experience of the auditstaff. Professional competence is assessedtaking into account the nature of the roleand the auditors' capacity to collectinformation, to examine, to evaluate and tocommunicate.
In this respect cognisance is taken of theability of the auditor to understand thegrowing technical complexity of a bank'sactivities and the increasing diversity oftasks that need to be undertaken by theinternal audit department as a result ofdevelopments in the financial sector.
The internal audit staff should be suitablyqualified and be provided with thenecessary training and continuingprofessional education for the purpose ofenhancing or enriching their audit andrelevant technical skills.
The head of internal audit, in consultationwith the CEO, shall decide on the rightresources required for the internal auditdepartment taking into consideration thesize and complexity of operations of thefinancial institution. The level of theresources required should be justified andendorsed by theAudit Committee.
The head of internal audit must establishsuitable criteria for the recruitment of theinternal audit staff. The effectiveness of theinternal audit function may be enhanced bythe use of specialist staff or consultants,particularly in highly technical areas e.g.I.T. and new complex synthetic products.
The academic background and expertiserequired of the head of internal audit variesdepending on the size and complexity of thefinancial inst i tut ion's operat ions.Commensurate with his position in theorganizational hierarchy, the head ofinternal audit should possess relevantacademic/professional qualifications andsufficient audit experience. The head ofinternal audit should also have in-depthknowledge of the bus iness andorganizational, technical, communicationand other relevant skills.
Internal auditors should be proficient inapplying approved auditing guidelines andaccounting standards, legal and regulatoryrequirements, directives and guidelinesissued by RBZ and other authorities, andother rules and regulations issued by the
relevant associations of the bankingindustry.
5.4.3.
6.1.
6.2.
6.3.
6.4. Resources
6.4.1.
6.4.2.
6.5. Qualification, Knowledge, Experienceand Skills
6.5.1.
6.5.2.
6.
7.
8.
PROFESSIONAL
PROFICIENCY
RELATIONSHIPAND
AUDIT
GOVERNANCE
COMMUNICATION
6.6. Supervision
6.6.1.
6.6.2.
6.7. Professional Ethics
6.7.1.
6.7.2.
6.8. Training
6.8.1.
6.8.2.
7.1.
7.2.
8.1.
8.2. Audit Charter
8.2.1.
8.2.2.
8.2.3.
8.2.4.
8.3. Audit Plan
8.3.1.
8.3.2.
8.3.3.
8.3.4.
Supervision is a continuing process fromplanning to the conclusion of the auditassignment. The head of internal audit isresponsible for the audit performed by hissubordinates. The head of internal auditshould ensure that the audit objectivesstated in the approved audit programmehave been achieved.
The head of internal audit should setmilestones for each audit assignment (i.e.from the commencement of the assignmentto the issuance of the audit report) afterconsidering its nature and complexity.
Internal auditors should at all timesexercise due professional care whend i s c h a r g i n g t h e i r d u t i e s a n dresponsibilities. They should carry out theirwork independent ly, object ively,professionally and with utmost good faith.Internal auditors should subject themselvesto the highest ethical standards and avoidany conflict of interest situation.
Internal auditors are required to maintainstrict confidentiality with regard to allinformation obtained in the course of theirwork and must not use any privilegedinformation for personal gain. They shouldcomply with RBZ guidelines, relevant lawsand regulations and the requirements ofrelevant professional bodies.
The Audit Committee has a responsibilityto ensure that the internal audit staffreceives the necessary training to performthe audit work. There should be aprogramme of continuing education andtraining to enable internal auditors to keepabreast with the business trends anddevelopments as well as to upgrade andenhance their technical skills.
The head of internal audit should ensurethat on-the-job training is provided to newrecruits under the supervision ofcompetent and experienced internalauditors. Training should be a planned andcontinuous process for all levels of internalaudit staff. The head of internal audit, inconsultation with the Audit Committee andthe CEO, should determine the budgetrequirements for the training needs of theinternal audit department.
Internal auditors should have a constructiveworking relationship and be in constantcommunication with management, externalauditors and the RBZ. Regular meetingsshould be held with the external auditors onareas of common concerns such as auditplanning, audit priorities and scope to avoidduplication of effort.
The head of internal audit should monitorall corrective actions taken by management
with regard to RBZ examination findingsand report to RBZ any instances wherecorrective actions have not been taken.
The internal audit department should havean audit charter, audit plan, audit manual,audit programme and internal controlquestionnaires in place. Although thesedocuments may be called by differentnames and differ in comprehensiveness, theunderlying principle is that they serve theintended purpose.
The internal audit function must be guided by a formal Audit Charter, which identifies:
a. the objectives, scope, purpose and independence of the internal audit function;
b. the internal audit department's position within the organization, its powers, responsibilities and relations with other functions; and
c. the accountability of the head of the internal audit department.
The Charter shall be drawn up, and reviewed periodically, by the internal audit department; it must be approved by senior management and subsequently confirmed by the board of directors as part of its supervisory role.
The Charter shall also state the terms and conditions according to which the internal auditor may provide consulting and other advisory services.
The audit charter must be approved by the Audit Committee and endorsed by the board so that the internal audit function may be effectively discharged.
The head of internal audit should develop an audit plan as a means of directing and controlling the audit work. The audit strategic plan may range from one to five years depending on the size and complexity of operations.
The plan shall set out the audit objectives, auditable areas, scope of coverage, frequency of audit, resources required and duration of each audit assignment. The head of internal audit should assess the risks of the auditable areas before determining the audit frequency and scope of coverage.
The head of internal audit shall establish the principles of the risk assessment methodology in writing and regularly update them to reflect the changes to the system of internal control or work process, and to incorporate new lines of business. As a general guide, the audit cycle for all auditable areas should be at least once a year.
The head of internal audit, however, has the discretion to determine the audit cycle for auditable areas deemed not critical if the financial institution has an effective risk assessment system in place.
8.3.5. The head of internal audit should also include management audit in the audit plan. The audit plan must be endorsed by the Audit Committee, approved by the board and should be flexible to respond to changing priorities or needs.
8.4. Manual
8.4.1. The audit manual provides the audit department personnel with a set of audit standards for guidance and reference. It also serves as a valuable training aid for new recruits. The audit manual should contain written audit policies, objectives, standard procedures and programmes.
8.4.2. The head of internal audit should ensure that the audit manual is comprehensive enough to cover at least the major operations of the financial institution and is reviewed periodically to reflect corporate, regulatory and industry trends.
8.5. Audit Programme and Internal Control Questionnaires
8.5.1. The audit programme shall set out detailed step-by-step audit procedures for each auditable area which should be supplemented by the internal control questionnaire. Both the audit programme and internal control questionnaire should be comprehensive and tailored to keep abreast with the current developments relevant to the industry.
8.5.2. A well-designed audit programme and internal control questionnaire should provide a systematic audit approach. In addition, the internal auditors' sound judgment and analytical skills are essential in ensuring a high quality audit.
9. DUTIES AND RESPONSIBILITIES
9.1. The core function of an internal audit department is to perform an independent appraisal of the financial institution's activities as a service to management. The internal audit function plays an important role in helping management to establish and maintain the best possible internal control environment within the financial institution.
9.2. A sound internal control environment would ensure:
9.2.1. Adequacy and effectiveness of the internal control system,
9.2.2. Compliance with policies, procedures, rules, guidelines, directives, laws and regulations,
9.2.3. Detection of frauds, errors, omissions and any other irregularities,
9.2.4. Management audit,
9.2.5. Information systems audit, and
9.2.6. Participative and consultative role in the development of new products and systems.
10. SCOPE OF AUDIT WORK
10.1. The audit scope should entail the examination and evaluation of all functions and activities of the financial institution including control features, operational systems and procedures as well as assessment of the quality of management performance in discharging their duties and responsibilities.
10.2. The scope of audit work covered under this part should not be construed to be exhaustive but serves to provide the minimum scope to be covered under audit assignment. The head of internal audit should ensure that sufficient coverage and depth are given to each audit assignment based on the assigned risk factors. The head of internal audit, after having considered the level of risk for each auditable area, should decide whether to expand or limit the audit scope. Such decision should be properly documented.
10.3. The internal auditors should also decide on the appropriate level of audit sampling in order to achieve their audit objectives. The internal auditors should be guided by the International Auditing Guideline on Audit Sampling.
10.4. The audit scope should cover:
10.4.1. Evaluation And Appraisal Of The Internal Control System: The audit scope should cover the effectiveness of the system of internal control, the reliability and integrity of MIS, the prevention or timely detection of frauds, errors, omissions and other irregularities, and the means for the safeguarding of assets.
10.4.2. Compliance with Policies, Procedures, Rules, Guidelines, Directives, Laws And Regulations: All financial institutions should ensure strict compliance with all applicable laws and regulations, guidelines, directives, reporting requirements and internal policies and operating procedures. The audit scope should cover the financial institution's compliance with:-
a. Banking Act, Banking Regulations and other applicable statutes and regulations;
b. Guidelines, directives and circulars issued by RBZ and pronouncements or rules issued by the relevant associations; and
c. Internally approved policies and operational procedures as well as the soundness and effectiveness of the compliance function.
10.4.3. Adequacy and Effectiveness of Risk Management System: In view of increasing competition, complexities of operations and financial innovations, management should develop a formalized system to ensure that risk exposures are identified and adequately measured, monitored and controlled. The risk management system should be commensurate with the scope, size and complexity of the financial institution's activities and the level of risk a financial institution is prepared to assume. In assessing the overall risk management system, the auditor should review the following to ensure:-
a. Effective management supervision is practiced by the board and its delegated authorities;
b. Procedures that identify and quantify the level of risk on a timely basis are in place;
c. Limits or other controls are in place to manage the risk;
d. Reports to management accurately present the nature and level of risk taken and any non-compliance with approved policies and limits;
e. Responsibilities for managing individual risks are clearly identified;
f. Procedures relating to the calculation and allocation of capital to risks are in place; and
g. A risk matrix adequately capturing the institution's risk profile is prepared and updated as necessary.
10.4.4. Effective and Efficient Use of Resources: Internal auditors should play a proactive role in determining the financial institution's optimum utilization of resources in the accomplishment of the organisation's overall objectives and goals.
10.4.5. Accomplishment Of Set Goals And Objectives: In evaluating the accomplishment of set goals and objectives, the internal auditors' scope should cover the entire operations or a sub-section thereof to determine whether:-
a. Objectives and goals are clearly set and measurable;
b. Objectives and goals have been articulated and communicated to all staff and are being met;
c. Adequate controls are established for measuring and reporting the accomplishment of objectives and goals;
d. An effective control mechanism is implemented to monitor actual performance against budget. Any significant variances are analyzed, investigated and promptly reported to the management and the board;
e. Management has considered the strengths, weaknesses, opportunities and threats of the respective operation or programme;
f. The achievement of set objectives and goals is in compliance with policies, plans, procedures, laws and regulations; and
g. The underlying assumptions used by management in developing business plans and strategies are appropriate and reasonable.
11. REPORTING AND DOCUMENTATION
11.1. Internal audit reports provide a formal means of communicating audit results and recommended actions to management and the Audit Committee. Audit reports provide an avenue for the Audit Committee to highlight significant weaknesses and the management's proposed remedial measures to the board. The management's responsiveness to internal auditors' recommendations for reducing risks, strengthening internal controls and correcting errors should be the desired result of the audit reports.
11.2. It is of primary importance that in the course of the audit, should the internal auditors uncover major issues or frauds that would significantly affect the financial institution's financial position or operations, they shall immediately inform management to ensure prompt corrective actions are taken.
11.3. Audit Report
11.3.1. A signed report should be issued after the completion of each audit assignment irrespective of the significance of the issues raised. The internal auditors should discuss the audit results and the recommendations thereof with the auditee before the financial audit report is issued. The discussion should be carried out with those individuals who are knowledgeable of detailed operations and those who can authorize the implementation of corrective actions.
11.3.2. Management comments shall be incorporated in the financial audit report. The head of internal audit should review and approve the final audit report before it is presented to the Audit Committee.
11.3.3. A copy of the final audit report should be forwarded to the Audit Committee, the auditee and the CEO, and the bank should forward such report to the RBZ on a timely basis.
11.3.4. Where the completion of an audit is likely to take a longer period, an interim audit report may be issued to communicate any significant issues which require management's immediate attention. The Audit Committee and the CEO should be kept informed of the issues as well as the progress of the audit. Discretion as to whether an interim audit report is warranted rests with the head of internal audit.
11.3.5. The head of internal audit shall ensure that an audit report is of sufficient quality so as to command management's attention. In order to communicate the audit results effectively, the following standards should be adopted:-
a. The audit report shall be objective, clear, concise, constructive and timely; and
b. The structure of the audit report shall include the following:-
• An executive summary;
• Date of report and period covered by the audit;
• The scope and objectives of the audit;
• The significance and magnitude of the problems or issues;
• The causes of the problems or issues;
• Recommended solutions or preventive actions;
• Auditee's comments on the issues and recommendations, and remedial measures taken or proposed to be taken to address the audit issues;
• Management's achievements noted during the audit; and
• Overall conclusion.
11.4. Action and Follow-Up on Audit Recommendations
11.4.1. Management shall treat all audit findings and recommendations seriously. Management's response to the audit findings should be included in the report. The internal auditors should monitor whether appropriate actions have been taken.
11.4.2. Management's plan of corrective actions and implementation time-table for completion should be developed and jointly agreed upon by management and the auditee. The status of the corrective actions should be monitored and reported to the Audit Committee and the CEO so that follow-up action can be taken to inform the appropriate levels of management on outstanding audit issues.
11.5. Reporting of Significant Findings and Frauds
11.5.1. The internal auditors shall immediately report to the Audit Committee and the CEO any significant audit findings uncovered in the course of audit. RBZ should also be promptly informed of such findings. Significant financial findings are those that would have an adverse impact on the financial performance and condition of the financial institution. Significant non-financial findings represent fundamental weaknesses that could lead to the collapse of the financial institution's system of internal control.
11.5.2. The interim audit report shall incorporate preliminary summary findings, the impact or potential impact on the financial position and operations of the financial institution, and the proposed actions to be carried out by the internal auditors to investigate the matters.
11.6. Control and Filing of Audit Reports and Working Papers
11.6.1. The internal audit reports and working papers should be treated confidentially. The internal audit reports should only be disclosed to those persons authorized by the Audit Committee. As the internal audit working papers provide evidence of audit coverage and documentation of audit trails, they should be properly filed and stored.
11.6.2. To ensure systematic filing and control of audit reports and working papers, the following minimum procedures should be observed:-
a. The format for the working papers should be standardized;
b. There should be adequate referencing to identify the audit records, files and working papers created; and
c. There should be a system for filing and retrieving past reports and working papers.
11.7. Retention of Audit Reports and Working Papers
11.7.1. As a minimum requirement, the audit working papers on the routine audit should be retained until the next audit is carried out on the same auditable area. Reports and working papers on investigation matters should be retained for at least seven years or such period until the matter is closed.
11.7.2. All internal audit reports, however, should be retained for at least three years or until the next audit report on the same auditable area is completed.
12. AUDIT OF CRITICAL AREAS OF OPERATIONS
12.1. Internal auditors should focus their attention and direct their available resources to those operations or units which entail significant risks that may have an adverse impact on the operations and financial condition of the financial institution.
12.2. The critical operational areas identified are Credit Operations, Treasury Operations, Derivatives, Investment in Debt and Equity Securities and Information Systems. These critical areas of operations are not meant to be exhaustive and the internal auditors should also identify and review other operational areas deemed to be critical to the specific business undertaken by the financial institution.
12.3. In reviewing the critical areas of the operations, it is vital that the audit coverage is comprehensive. The internal auditors should extend their scope if serious unsatisfactory features are uncovered in the course of the audit.
12.4. Important features to consider when auditing different critical areas are highlighted below:
12.4.1. Credit Operations: When auditing the credit operations internal auditors shall put more emphasis on the:
a. Credit strategy;
b. Risk inherent in the credit operations;
c. Policies and procedures;
d. Security and legal documentation;
e. Credit disbursement, administration, monitoring and effective recovery system;
f. Accounting and financial reporting;
g. Provisioning;
h. Compliance with legal and regulatory requirements.
12.4.2. Treasury Operations: The control areas to be checked include:
a. Risk inherent in treasury operations;
b. Adequacy of and compliance with established policies and procedures;
c. Assets and liabilities management;
d. Accounting and financial reporting;
e. Compliance with legal and regulatory requirements.
12.4.3. Derivatives: To carry out their audit effectively, internal auditors should be conversant and knowledgeable about the derivative products and transactions, and must be guided by comprehensive audit manuals and programmes. Internal auditors should be conversant with:
a. Risk inherent in derivatives;
b. Policies and procedures;
c. Accounting and financial reporting;
d. Legal and regulatory requirements.
12.4.4. Investment In Debt and Equity Securities
a. A financial institution's investment in debt and equity securities normally involves participation in two main financial markets namely, the capital market and the money and foreign exchange market. A typical investment portfolio usually consists of public debt securities, equity securities (quoted and unquoted), equity-linked securities, and private debt securities. Equity securities and private debt securities may also be acquired in the primary market or as a result of underwriting commitment. In banking institutions, equity securities are also acquired in satisfaction of debt and through debt-equity conversion.
b. Investment and trading securities may account for a sizeable proportion of the financial institution's assets and hence, securities of inferior quality may have an adverse impact on the financial institution's financial condition. Hence the internal auditors should be conversant with:
• Investment strategy;
• Risk inherent in investment;
• Policies and procedures;
• Accounting and financial reporting;
• Legal and regulatory requirements.
12.4.5. Information Systems
a. The financial institution shall have an effective information system audit function to evaluate the internal controls of the computerized system.
b. The information system auditors should review the effectiveness of information systems in supporting the business activities of the financial institution and the adequacy of controls over the information system management, systems development and programming, computer operations and security, teleprocessing and data integrity. In reviewing information systems auditors should pay particular attention to issues such as:
• Computer operations procedures and physical controls;
• Computer security e.g. password issuance and maintenance, follow up on access violation;
• System reliability and availability;
• Disaster recovery plan;
• Alternative processing site.
N. Mataruka
Division Chief, Bank Licensing, Supervision & Surveillance
13. Effective Date
These guidelines are effective from 30 September 2004. Questions relating to these guidelines should be addressed to the Division Chief, Bank Licensing, Supervision & Surveillance, Reserve Bank of Zimbabwe,
Telephone 703 000 Ext. 11133.