163 INTERNAL AUDIT FUNCTION
a. Permanency of the internal audit function. Each bank shall have a permanent internal audit function. In the case of group structures involving a parent bank and subsidiary or affiliate Bangko Sentral-supervised financial institutions (BSFIs), the internal audit function shall either be established in each of the BSFI or centrally by the parent bank.
b. Internal audit function in group structures. In case each BSFI belonging to group structures has its own internal audit function, said internal audit function shall be accountable to the financial institution’s own board of directors and shall likewise report to the head of the internal audit function of the parent bank within a reasonable period and frequency prescribed by the board of directors of the parent bank.
c. Outsourcing of internal audit activities. Banks may outsource, in accordance with existing Bangko Sentral regulations on outsourcing, internal audit activities except for areas covered under existing statutes on deposit secrecy. Outsourcing of internal audit activities shall however, be done on a limited basis to have access to certain areas of expertise that are not available to the internal audit function or to address resource constraints: Provided, That the internal audit activity shall not be outsourced to the bank’s own external auditor/audit firm nor to internal audit service provider that was previously engaged by the bank in the same area intended to be covered by the internal audit activity that will be outsourced, without a one-year “cooling off” period: Provided, further, That the head of the bank’s internal audit function shall ensure that the knowledge or inputs from the outsourced experts shall be assimilated into the bank to the greatest extent possible.
d. Internal audit function of branches of foreign banks. Branches of foreign banks may establish their own internal audit function or may be covered by the regional/group internal audit function: Provided, That in case the regional/group internal audit function performs the internal audit activities in branches of foreign banks, the senior management team in branches of foreign banks shall conduct a periodic self-assessment of the effectiveness of internal control, risk management and governance systems and processes in the branch and report the results thereof to the regional/group internal audit function to ensure that the scope of internal audit activities is adequate considering the size, risk profile and complexity of operations of the branch: Provided, further, That the regional/group internal audit function shall likewise inform the senior management team in branches of foreign banks of the results of internal audit conducted: Provided, finally, That in cases when the risk assessment of the senior management team in branches of foreign banks or of the Bangko Sentral differs from the risk assessment of the regional/group internal audit function, the senior management team in branches of foreign banks or the Bangko Sentral may require the regional/group internal audit function to subject the branch to an immediate or more frequent internal audit.
a. The head of the internal audit function of a UB or a KB must be a Certified Public Accountant (CPA) or a Certified Internal Auditor (CIA) and must have at least five (5) years experience in the regular audit (internal or external) of a UB or KB as auditor-in-charge, senior auditor or audit manager. He must possess the knowledge, skills, and other competencies to examine all areas in which the institution operates. Professional competence as well as continuing training and education shall be required to face up to the increasing complexity and diversity of the institution’s operations.
b. The head of the internal audit function of a complex TB, RB and Coop Bank; QB and; trust entity must be a graduate of any accounting, business, finance or economics course with technical proficiency on the conduct of internal audit and must have at least five (5) years experience in the regular audit (internal or external) of a TB, national Coop Bank or, at least three (3) years experience in the regular audit (internal or external) of a UB or KB.
c. The head of the internal audit function of a simple or non-complex TB, RB and Coop Bank; and NSSLA must be a graduate of any accounting, business, finance or economics course with technical proficiency on the conduct of internal audit and must have at least two (2) years experience in the regular audit (internal or external) of a UB, KB, TB, RB, Coop Bank, QB or NSSLA.
a. To demonstrate appropriate leadership and have the necessary skills to fulfill his responsibilities for maintaining the unit’s independence and objectivity;
b. To be accountable to the board of directors or audit committee on all matters related to the performance of its mandate as provided in the internal audit charter. The head of the internal audit function shall submit a report to the audit committee or board of directors on the status of accomplishments of the internal audit unit, including findings noted during the conduct of the internal audit as well as status of compliance of concerned departments/units;
c. To ensure that the internal audit function complies with sound internal auditing standards such as the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing and other supplemental standards issued by regulatory authorities/government agencies, as well as with relevant code of ethics;
d. To develop an audit plan based on robust risk assessment, including inputs from the board of directors, audit committee and senior management and ensure that such plan is comprehensive and adequately covers regulatory matters. The head of the internal audit function shall also ensure that the audit plan, including any revisions thereto, shall be approved by the audit committee; and
e. To ensure that the internal audit function has adequate human resources with sufficient qualifications and skills necessary to accomplish its mandate. In this regard, the head of the internal audit function shall periodically assess and monitor the skill-set of the internal audit function and ensure that there is an adequate development program for the internal audit staff that shall enable them to meet the growing technical complexity of banking operations.
a. Purpose, stature and authority, and responsibilities of the internal audit function as well as its relations with other control functions in the bank. The charter shall recognize the authority of the internal audit function, to initiate direct communication with any bank personnel; to examine any activity or entity; and to access any records, files, data and physical properties of the bank, in performing its duties and responsibilities;
b. Standards of independence, objectivity, professional competence and due professional care, and professional ethics;
c. Guidelines or criteria for outsourcing internal audit activities to external experts;
d. Guidelines for consulting or advisory services that may be provided by the internal audit function;
e. Responsibilities and accountabilities of the head of the internal audit function;
f. Requirement to comply with sound internal auditing standards such as the Institute of Internal Auditor’s International Standards for the Professional Practice of Internal Auditing and other supplemental standards issued by regulatory authorities/government agencies, as well as with relevant code of ethics; and
g. Guidelines for coordination with the external auditor and supervisory authority.
a. Evaluation of the adequacy, efficiency and effectiveness of internal control, risk management and governance systems in the context of current and potential future risks;
b. Review of the reliability, effectiveness and integrity of management and financial information systems, including the electronic information system and electronic banking services;
c. Review of the systems and procedures of safeguarding the bank’s physical and information assets;
d. Review of compliance of trading activities with relevant laws, rules and regulations;
e. Review of the compliance system and the implementation of established policies and procedures; and
f. Review of areas of interest to regulators such as, among others monitoring of compliance with relevant laws, rules and regulations, including but not limited to the assessment of the adequacy of capital and provisions; liquidity level; regulatory and internal reporting.