162 INTERNAL CONTROL FRAMEWORK
a. The board of directors shall be ultimately responsible for ensuring that senior management establishes and maintains an adequate, effective and efficient internal control framework commensurate with the size, risk profile and complexity of operations of the bank. The board of directors shall also ensure that the internal audit function has an appropriate stature and authority within the bank and is provided with adequate resources to enable it to effectively carry out its assignments with objectivity.
(1) conduct discussions with management on the effectiveness of the internal control system;
(2) review evaluations made by the audit committee on the assessment of effectiveness of internal control made by management, internal auditors and external auditors;
(3) ensure that management has promptly followed up on recommendations and concerns expressed by auditors and supervisory authorities on internal control weaknesses; and
(4) review and approve the remuneration of the head and personnel of the internal audit function. Said remuneration shall be in accordance with the bank’s remuneration policies and practices and shall be structured in such a way that these do not create conflicts of interest or compromise independence and objectivity.
b. The audit committee shall be responsible for overseeing senior management in establishing and maintaining an adequate, effective and efficient internal control framework. It shall ensure that systems and processes are designed to provide assurance in areas including reporting, monitoring compliance with laws, regulations and internal policies, efficiency and effectiveness of operations, and safeguarding of assets.
(1) monitoring and reviewing the effectiveness of the internal audit function;
(2) approving the internal audit plan, scope and budget;
(3) reviewing the internal audit reports and the corresponding recommendations to address the weaknesses noted, discussing the same with the head of the internal audit function and reporting significant matters to the board of directors;
(4) ensuring that the internal audit function maintains an open communication with senior management, the audit committee, external auditors, and the supervisory authority;
(5) reviewing discoveries of fraud and violations of laws and regulations as raised by the internal audit function;
(6) reporting to the board of directors the annual performance appraisal of the head of the internal audit function;
(7) recommending for approval of the board of directors the annual remuneration of the head of the internal audit function and key internal auditors;
(8) appointing, reappointing or removing the head of the internal audit function and key internal auditors; and
(9) selecting and overseeing the performance of the internal audit service provider.
(1) ensuring independence of the internal audit service provider;
(2) reporting to the board of directors on the status of accomplishments of the outsourced internal audit activities, including significant findings noted during the conduct of the internal audit;
(3) ensuring that the internal audit service provider comply with sound internal auditing standards such as the Institute of Internal Auditors’ International Standard for the Professional Practice of Internal Auditing and other supplemental standards issued by regulatory authorities/government agencies, as well as with relevant code of ethics;
(4) ensuring that the audit plan is aligned with the overall plan strategy and budget of the bank and is based on robust risk assessment; and
(5) ensuring that the internal audit service provider has adequate human resources with sufficient qualifications and skills necessary to accomplish the internal audit activities.
c. Senior management shall be responsible for maintaining, monitoring and evaluating the adequacy and effectiveness of the internal control system on an ongoing basis, and for reporting on the effectiveness of internal controls on a periodic basis. Management shall develop a process that identifies, measures, monitors and controls risks that are inherent to the operations of the bank; maintain an organizational structure that clearly assigns responsibility, authority and reporting relationships; ensure that delegated responsibilities are effectively carried out; implement internal control policies and ensure that activities are conducted by qualified personnel with the necessary experience and competence. Management shall ensure that bank personnel undertake continuing professional development and that there is an appropriate balance in the skills and resources of the front office, back office, and control functions. Moreover, management shall promptly inform the internal audit function of the significant changes in the bank’s risk management systems, policies and processes.
d. All personnel need to understand their roles and responsibilities in the internal control process. They should be fully accountable in carrying out their responsibilities effectively and they should communicate to the appropriate level of management any problem in operations, action or behavior that is inconsistent with documented internal control processes and code of ethics.
a. Clear arrangements for delegating authority. The functions and scope of authority and responsibility of each personnel should be adequately defined, documented and clearly communicated. The extent to which authorities may be delegated and the corresponding accountabilities of the personnel involved shall be approved by the appropriate level of management or the board of directors.
b. Adequate accounting policies, records and processes. Banks shall maintain adequate financial policies, records and processes. These records shall be kept up-to-date and contain sufficient detail to establish an audit trail. Further, banks shall conduct independent balancing and reconciliation of records and reports to ensure the integrity of the reported data and balances. Banks shall also put in place a reliable information system that covers all of its significant activities which shall allow the board of directors and management access to data and information relevant to decision making such as, among others, financial, operations, risk management, compliance and market information. Moreover, these systems shall be secured, monitored independently and supported by adequate contingency arrangements.
c. Robust physical and environmental controls to tangible assets and access controls to information assets. Banks shall adopt policies and practices to safeguard its tangible and information assets. These shall include, but shall not be limited to:
(1) identifying officers with authorities to sign for and on behalf of the bank. Signing authorities shall be approved by the board of directors and the extent of authority at each level shall be clearly defined;
(2) implementing joint custody on certain assets. Joint custody shall mean the processing of transactions in the presence, and under the direct observation, of a second person. Both persons shall be equally accountable for the physical protection of the items and records involved: Provided, That persons who are related to each other within the third degree of consanguinity or affinity shall not be made joint custodians;
(3) adopting dual control wherein the work of one (1) person is to be verified by a second person to ensure that the transaction is properly authorized, recorded and settled;
(4) incorporating sequence number control in the accounting system which shall also be used in promissory notes, checks and other similar instruments. Management shall also put in place appropriate controls to monitor the usage, safekeeping and recording of accountable forms;
(5) restricting access to information assets by classifying information as to degree of sensitivity and criticality and identifying information owners or personnel with authority to access particular classifications based on job responsibilities and the necessity to fulfill one’s duties; and
(6) implementing authentication and access controls prior to granting access to information such as, among others, implementing password rules. This shall be supplemented by appropriate monitoring mechanisms that will allow audit of use of information assets.
d. Segregation of conflicting functions. Banks shall ensure that areas of potential conflicts of interest shall be identified, minimized and subjected to independent monitoring. Further, appropriate segregation of functions shall be observed in identified areas that may pose potential conflict of interest. Moreover, periodic reviews of responsibilities and functions shall be conducted to ensure that personnel are not in a position to conceal inappropriate actions.