163 INTERNAL AUDIT FUNCTION

An effective and efficient internal audit function constitutes the third line of defense in the system of internal control.

Internal audit is an independent, objective assurance and consulting function established to examine, evaluate and improve the effectiveness of internal control, risk management and governance systems and processes of an organization, which helps management and the board of directors in protecting the bank and its reputation. The internal audit function shall both assess and complement operational management, risk management, compliance and other control functions. In this respect, internal audit shall be conducted in frequencies commensurate with the assessed levels of risk in specific banking areas.

a. Permanency of the internal audit function. Each bank shall have a permanent internal audit function. In the case of group structures involving a parent bank and subsidiary or affiliate Bangko Sentral-supervised financial institutions (BSFIs), the internal audit function shall either be established in each of the BSFIs or centrally by the parent bank.

b. Internal audit function in group structures. In case each BSFI belonging to group structures has its own internal audit function, said internal audit function shall be accountable to the financial institution’s own board of directors and shall likewise report to the head of the internal audit function of the parent bank within a reasonable period and frequency prescribed by the board of directors of the parent bank.

On the other hand, in case the parent bank’s internal audit function shall cover the internal audit activities in the subsidiary or affiliate BSFI, the board of directors of the parent bank shall ensure that the scope of internal audit activities is adequate considering the size, risk profile and complexity of operations of the subsidiary or affiliate concerned.

The establishment of internal audit function centrally by the parent bank in group structures shall not fall under the outsourcing framework as provided under Sec. 112. In this respect, the head of the internal audit function of the parent bank shall define the internal audit strategies, methodology, scope and quality assurance measures for the entire group: Provided, That this shall be done in consultation and coordination with the respective board of directors and of the subsidiary or affiliate BSFI: Provided, further, That, the board of directors of the subsidiary or affiliate BSFI, shall remain ultimately responsible for the performance of the internal audit activities.

c. Outsourcing of internal audit activities. Banks may outsource, in accordance with existing Bangko Sentral regulations on outsourcing, internal audit activities except for areas covered under existing statutes on deposit secrecy. Outsourcing of internal audit activities shall, however, be done on a limited basis to have access to certain areas of expertise that are not available to the internal audit function or to address resource constraints: Provided, That the internal audit activity shall not be outsourced to the bank’s own external auditor/audit firm nor to an internal audit service provider that was previously engaged by the bank in the same area intended to be covered by the internal audit activity that will be outsourced, without a one-year “cooling off” period: Provided, further, That the head of the bank’s internal audit function shall ensure that the knowledge or inputs from the outsourced experts shall be assimilated into the bank to the greatest extent possible.

Non-complex TB, RB and Coop banks on the other hand, shall be allowed to outsource internal audit activities covering all areas of bank operations except for areas covered by existing statutes on deposit secrecy: Provided, That the board of directors, through the audit committee, shall be ultimately responsible for the conduct of audit on areas covered by existing statutes on deposit secrecy.

d. Internal audit function of branches of foreign banks. Branches of foreign banks may establish their own internal audit function or may be covered by the regional/group internal audit function: Provided, That in case the regional/group internal audit function performs the internal audit activities in branches of foreign banks, the senior management team in branches of foreign banks shall conduct a periodic self-assessment of the effectiveness of internal control, risk management and governance systems and processes in the branch and report the results thereof to the regional/group internal audit function to ensure that the scope of internal audit activities is adequate considering the size, risk profile and complexity of operations of the branch: Provided, further, That the regional/group internal audit function shall likewise inform the senior management team in branches of foreign banks of the results of internal audit conducted: Provided, finally, That in cases when the risk assessment of the senior management team in branches of foreign banks or of the Bangko Sentral differs from the risk assessment of the regional/group internal audit function, the senior management team in branches of foreign banks or the Bangko Sentral may require the regional/group internal audit function to subject the branch to an immediate or more frequent internal audit.

Qualifications of the head of the internal audit function. The head of the internal audit function must have unassailable integrity, relevant education/experience/training, and an understanding of the risk exposures of the bank, as well as competence to audit all areas of its operations. He must also possess the following qualifications:

a. The head of the internal audit function of a UB or a KB must be a Certified Public Accountant (CPA) or a Certified Internal Auditor (CIA) and must have at least five (5) years’ experience in the regular audit (internal or external) of a UB or KB as auditor-in-charge, senior auditor or audit manager. He must possess the knowledge, skills, and other competencies to examine all areas in which the institution operates. Professional competence as well as continuing training and education shall be required to face up to the increasing complexity and diversity of the institution’s operations.

b. The head of the internal audit function of a complex TB, RB and Coop Bank; QB; and trust entity must be a graduate of any accounting, business, finance or economics course with technical proficiency on the conduct of internal audit and must have at least five (5) years’ experience in the regular audit (internal or external) of a TB, national Coop Bank or, at least three (3) years’ experience in the regular audit (internal or external) of a UB or KB.

c. The head of the internal audit function of a simple or non-complex TB, RB and Coop Bank; and NSSLA must be a graduate of any accounting, business, finance or economics course with technical proficiency on the conduct of internal audit and must have at least two (2) years’ experience in the regular audit (internal or external) of a UB, KB, TB, RB, Coop Bank, QB or NSSLA.

A qualified head of the internal audit function of a UB or a KB shall be qualified to audit TBs, RBs, Coop Banks, QBs, trust entities, NSSLAs, subsidiaries and affiliates engaged in allied activities, and other financial institutions under Bangko Sentral supervision. A qualified internal auditor of a complex TB, RB, and Coop Bank; QB and trust entity shall likewise be qualified to audit non-complex TB, RB and Coop Bank and NSSLA.

The head of the internal audit function shall be appointed/reappointed or replaced with prior approval of the audit committee. In cases when the head of the internal audit function will be replaced, the bank shall report the same and the corresponding reason for replacement to the appropriate supervising department of the Bangko Sentral within five (5) days from the time it has been approved by the board of directors.

Duties and responsibilities of the head of the internal audit function or the chief audit executive.

a. To demonstrate appropriate leadership and have the necessary skills to fulfill his responsibilities for maintaining the unit’s independence and objectivity;

b. To be accountable to the board of directors or audit committee on all matters related to the performance of its mandate as provided in the internal audit charter. The head of the internal audit function shall submit a report to the audit committee or board of directors on the status of accomplishments of the internal audit unit, including findings noted during the conduct of the internal audit as well as status of compliance of concerned departments/units;

c. To ensure that the internal audit function complies with sound internal auditing standards such as the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing and other supplemental standards issued by regulatory authorities/government agencies, as well as with relevant code of ethics;

d. To develop an audit plan based on robust risk assessment, including inputs from the board of directors, audit committee and senior management and ensure that such plan is comprehensive and adequately covers regulatory matters. The head of the internal audit function shall also ensure that the audit plan, including any revisions thereto, shall be approved by the audit committee; and

e. To ensure that the internal audit function has adequate human resources with sufficient qualifications and skills necessary to accomplish its mandate. In this regard, the head of the internal audit function shall periodically assess and monitor the skill-set of the internal audit function and ensure that there is an adequate development program for the internal audit staff that shall enable them to meet the growing technical complexity of banking operations.

Professional competence and ethics of the internal audit function. The internal audit function shall be comprised of professional and competent individuals who collectively have the knowledge and experience necessary in the conduct of an effective internal audit on all areas of the bank’s operations. The skill set of the internal audit staff shall be complemented with appropriate audit methodologies and tools as well as sufficient knowledge of auditing techniques in the conduct of audit activities.

All internal audit personnel shall act with integrity in carrying out their duties and responsibilities. They should respect the confidentiality of information acquired in the course of the performance of their duties and should not use it for personal gain or malicious actions. Moreover, internal audit personnel shall avoid conflicts of interest. Internally-recruited internal auditors shall not engage in auditing activities for which they have had previous responsibility before a one-year “cooling off” period has elapsed. The internal audit personnel shall adhere at all times to the bank’s Code of Ethics as well as to an established code of ethics for internal auditors such as that of the Institute of Internal Auditors.

Independence and objectivity of the internal audit function. The internal audit function must be independent of the activities audited and from the day-to-day internal control process. It must be free to report audit results, findings, opinions, appraisals and other information through a clear reporting line to the board of directors or audit committee. It shall have authority to directly access and communicate with any officer or employee, to examine any activity or entity of the bank, as well as to access any records, files or data whenever relevant to the exercise of its assignment.

If the independence or objectivity of the internal audit function is impaired, in fact or appearance, the details of the impairment must be disclosed to the audit committee. Impairment to organizational independence and individual objectivity may include, but is not limited to, personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations, such as funding.

The internal audit function shall inform senior management of the results of its audits and assessment. Senior management may consult the internal auditor on matters related to risks and internal controls without tainting the latter’s independence: Provided, That, the internal auditor shall not be involved in the development or implementation of policies and procedures, preparation of reports or execution of activities that fall within the scope of his review.

Staff of the internal audit function shall be periodically rotated, whenever practicable, and without jeopardizing competence and expertise to avoid unwarranted effects of continuously performing similar tasks or routine jobs that may affect the internal auditor’s judgment and objectivity.

Internal audit charter. Banks shall have an internal audit charter approved by the board of directors. The internal audit charter shall be periodically reviewed by the head of the internal audit function and any changes thereto shall be approved by the board of directors.

The internal audit charter shall establish, among others, the following:

a. Purpose, stature and authority, and responsibilities of the internal audit function as well as its relations with other control functions in the bank. The charter shall recognize the authority of the internal audit function, to initiate direct communication with any bank personnel; to examine any activity or entity; and to access any records, files, data and physical properties of the bank, in performing its duties and responsibilities;

b. Standards of independence, objectivity, professional competence and due professional care, and professional ethics;

c. Guidelines or criteria for outsourcing internal audit activities to external experts;

d. Guidelines for consulting or advisory services that may be provided by the internal audit function;

e. Responsibilities and accountabilities of the head of the internal audit function;

f. Requirement to comply with sound internal auditing standards such as the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing and other supplemental standards issued by regulatory authorities/government agencies, as well as with relevant code of ethics; and

g. Guidelines for coordination with the external auditor and supervisory authority.

Scope. All processes, systems, units, and activities, including outsourced services, shall fall within the overall scope of the internal audit function. The scope of internal audit shall cover, among others, the following:

a. Evaluation of the adequacy, efficiency and effectiveness of internal control, risk management and governance systems in the context of current and potential future risks;

b. Review of the reliability, effectiveness and integrity of management and financial information systems, including the electronic information system and electronic banking services;

c. Review of the systems and procedures of safeguarding the bank’s physical and information assets;

d. Review of compliance of trading activities with relevant laws, rules and regulations;

e. Review of the compliance system and the implementation of established policies and procedures; and

f. Review of areas of interest to regulators such as, among others, monitoring of compliance with relevant laws, rules and regulations, including but not limited to the assessment of the adequacy of capital and provisions; liquidity level; regulatory and internal reporting.

(Circular Nos. 969 dated 22 August 2017 and 871 dated 05 March 2015)