MANAGING CORE RISKS OF FINANCIAL INSTITUTIONS

INTERNAL CONTROL AND COMPLIANCE FRAMEWORK

Industry Best Practices

2211 JJuullyy 22000055

BANGLADESH BANK

Focus Group MembersInternal Control and Compliance Framework

Name Designation Organization

TeamCo-ordinator Md. Masum Patwary Joint Director, FID Bangladesh Bank

A.K.M. Anwarul Kabir SVP & Company Secretary LankaBangla Finance Limited

Iqbal Mahmud Senior Manager IDLC of Bangladesh Ltd. M. Ataul Hoque GM United Leasing Company Ltd.

Md. Nazimuddoula Head of Finance & ASVP Bangladesh Industrial Finance Company Ltd.

Moin Al Kashem AVP, Merchant Banking Prime Finance & Investment Ltd.

Nandan Kumar Paul VPIndustrial & Infrastructure Development Finance Company Ltd.

Sayed Aminul Islam Manager, Internal Compliance

Delta Brac Housing Finance Corporation Ltd.

Team Members

Shantonu Saha DMD Fareast Finance & Investment Limited

INDEX OF GUIDELINES OF BANGLADESH BANK FOR FINANCIAL INSTITUTIONS ON INTERNAL CONTROLS

Page 1 INTRODUCTION 1.1 Overview 1 1.2 Definition 1 1.3Objectives of Internal Controls 2

2 STANDARDS OF INTERNAL CONTROLS 3

3 ELEMENTS OF A SOUND SYSTEM OF INTERNAL CONTROLS AND THE PRINCIPLES FOR ASSESSING THE SYSTEM 4

(A) Components of Internal Controls 3.1 Management oversight and environment for control 4 3.2 Risk Assessment & Management 5 3.3 Instituting Controls 6 3.4 Accounting, Information & Communication Systems 7 3.5 Self-Assessment & Monitoring 8

(B) Principles 10

4 RESPONSIBILITIES4.1 Board of Directors 12 4.2 Management 12 4.3 Auditor Committee 12 4.4 External Auditor 13 4.5 Regulator 13

5 IMPLEMENTATION OF INTERNAL CONTROLS

5.1 Compare current practices and identify gaps. 15 5.2 Involve senior management and other key players. 15 5.3 Assess business environment, organization culture and key players. 15 5.4 Decide on implementation strategy. 15 5.5 Provide training to everyone involved 16 5.6 Rectification & Improvement: 16 5.7 Instituting an appropriate organization structure 16 5.7.1 Structure of Internal Control Unit 16 5.8 Preparing various Guidelines /Manuals/Documents on 17

a. Standard Operating procedures –Credit & Operations 17

b. Finance and Accounting Manual 18 c. Treasury Manual 18 d. Human Resource Policy Manual 19 e. Information Technology Manual 19

6. EXAMINATION OR EVALUATION OF CONTROL 20 6.1. Dept Control Function Checklist (Appendix 7.1) 20 6.2. Loan Documentation Checklist (Appendix 7.2) 20 6.3. Quarterly Operations Report (Appendix 7.3) 20 6.4. Risk Analysis of Control Functions 21 6.5. Audit Procedure & Communication of weakness 22 6.6. Compliance Process 24

7 APPENDIXES 7.1 Departmental control function checklist- Quarterly 25 7.2 Departmental control function checklist- Monthly 26 7.3 Departmental control function checklist- Weekly 27 7.4 Departmental control function checklist- Daily 28 7.5 Periodic operational report 29-35 7.6 Loan Documentation checklist 36-43

1

1. INTERNAL CONTROL POLICY

1.1 Overview

Since its inception in early eighties NBFls have already shown its steady growth in business. Its role in industrialization and its contribution in national exchequer can not be undermined. In respect of asset management and risk management it has already shown some glimpse of hope for the regulatory bodies. NBFls are now a days focusing more on business diversification and consolidation of their existing business. These diversified and complex financial activity involves various risk like credit risk, market risk, interest rate risk, liquidity risk, operational risk, legal risk etc. Shaping up the Future of a financial organization depends significantly on how these risks are handled and minimised or protected through an effective internal control system.

Though the Board is responsible for approving strategies and policies the top management have the responsibility for implementing strategies, setting appropriate internal control policies and monitoring the effectiveness of internal control system.

In many NBFls internal control is identified with internal audit; the scope of internal control is not limited to audit work. It is an integral part of the daily activity of an NBFls which on its own merit identifies the risks associated with the process and adopts a measure to mitigate the same.

Internal Audit on the other hand is a part of Internal Control system which reinforces the control system through regular review.

According to an IMF publication Internal Control refers to the mechanism in place on a permanent basis to control the activities in an organization, both at a central and at a departmental divisional level. A key component of effective internal control is the operation of a solid accounting and information system.

It should be mentioned that an effective internal control system could have contributed significantly in improving the performance of the NBFls if the control culture is brought in through policy guidelines and structural changes in those organizations.

1.2 Definition

In plain English internal controls are exercises of good old common sense practices. Even in personal life we practice internal control principles when we:

Store and lockup valuable personal belongings Keep copies of our tax returnMatch credit card copies to monthly statements etc.

More formally internal control is the process, effected by a company's Board of Directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

2

effectiveness and efficiency of operations reliability of financial reporting andcompliance with applicable laws, regulations, and internal policies.

Internal controls are tools that help management be effective and efficient while avoiding serious problems such as overspending, operational failure, and violation of laws.

In other words Internal Controls are the structure, policies and procedures put in place to provide reasonable assurance that management meets its objectives and fulfils its responsibilities.

These definitions reflects certain fundamental concepts :

1. Internal control is a process. It is a means to an end , not an end in itself 2. Internal control is effected by people. 3. Internal control can be expected to provide reasonable assurance , not

absolute assurance, to an entity’s management and Board 4. Internal control is geared to the achievement of objectives.

1.3 Objective of Internal Control

The primary objective of internal control system in an NBFls is to help the organization perform better through the use of its resources. Through internal control system NBFls identifies its weaknesses and takes appropriate measures to overcome the same. The main objectives of internal control are as follows:

Efficiency and effectiveness of activities (performance objectives).Reliability, completeness and timelines of financial and management information (information objectives)Compliance with applicable laws and regulations (compliance objectives)Accountability to the Board

3

2 STANDARDS OF INTERNAL CONTROL

Internal control policies set forth some standards that departments must establish and incorporate in an internal control structure:

(I) Cover all activities: All financial institutions should develop internal controls which have coverage over all their functions, in general, and the key risk areas (KRA) in particular. Key Risk Areas include those core activities, the break down of which may render a financial institutions unable to meet its obligations; to its customers, regulators and the sponsors. Further, the risk originating from such activities is of the type that it may cause in systemic failure of other financial institutions. Examples of key risk areas are Liquidity Risk, Interest Rate Risk, Foreign Exchange Risk, Credit Risk, Operational Risk, etc.

(II) Regular Feature: Control activities should be an integral part of the daily activities of a financial institutions / DFI in such a manner that it becomes ingrained in their ongoing processes rather than a year-end “fire drill” to satisfy documentation requests from auditors and supervisors.

(III) Separation of Duties: Duties should be divided so that no one person has complete control over a key function or activity.

(IV) Authorization and Approval: All transactions should be authorized before recording and execution.

(V) Custodial and Security Arrangements: Responsibility for custody of assets needs to be separated from the related record keeping.

(VI) Review and Reconciliation: Records should be examined and reconciled to regularly determine that transactions are properly processed, approved and booked.

(VII) Physical Controls: Equipment, inventories, cash and other assets should be secured physically, counted periodically and compared with amounts shown on control records.

(VIII) Training and Supervision: Qualified, well-trained and supervised employees always help ensure that control processes function properly.

(IX) Documentation: Documented policies and procedures promote employee understanding of duties and help ensure continuity during employee absences or turnover. Therefore, policies and procedures (in the form of operations manuals and desk instructions) should exist in all financial institutionss / DFIs.

(X) Communication of importance of Internal Controls: Setting standards of professional integrity and work ethics and ensuring that all levels of personnel in their organization know the importance of internal controls and understand their role in the internal controls process and be fully engaged in the process.

(XI) Cost/Benefit: It is for the financial institutions to assess the costs associated with control processes commensurate with the expected benefits.

4

3 ELEMENTS OF A SOUND SYSTEM OF INTERNAL CONTROLS AND THE PRINCIPLES FOR ASSESSING THE SYSTEM

(A) Elements of Internal Controls

An effective internal control system consists of following interrelated components:

3.1. Management oversight & Control environment; 3.2. Risk assessment & management ; 3.3. Control activities & segregation of duties; 3.4. Accounting, information & communication; and 3.5. Self assessment & monitoring

3.1 Control Environment: The environment in which internal control operates has an impact on the effectiveness of the control procedures. In fact it is institution’s control environment which embodies the principles of strong internal control. Besides giving structure to the internal control system, it provides discipline and protocol. The success of control environment is judged according to the integrity, ethics, and competence of personnel; the organizational structure of the institution; oversight by the board of directors and senior management; management’s philosophy and operating style; attention and direction provided by the board of directors and its committees, especially the audit and risk management committees; personnel policies and practices and; external influences affecting operations and practices.

In order for internal controls to be effective, an appropriate control environment should demonstrate following behaviors:

Board of directors reviews policies and procedures periodically and ensures their compliance;Board of directors determines whether there is an audit and control system in place to periodically test and monitor compliance with internal control policies/procedures and to report to the board instances of noncompliance; Board of directors ensure independence of internal and external auditors such that internal audit directly reports to the audit committee of the board which is responsible to the board and that external auditor interacts with the said committee and presents management letter to the board directly; Board ensures that appropriate remedial action has been taken when instance of noncompliance are reported and that system has been improved to avoid recurring errors/mistakes;Management information systems provides adequate information to the board and that the board can have access to financial institutions records, if need arises; Board and management ensure communication of conduct or ethics policies and compliance thereof down the line within the organization;

In short, a strong control environment and an effective internal audit function, can significantly complement specific control procedures. However, constitution of internal control environment at a point-of-time does not, by itself, ensure the effectiveness of the overall system of internal control but it is the continuous supervision by management to ensure if it is functioning as prescribed and is

5

modified as appropriate.

Many internal control failures that resulted in significant losses for financial institutions could have been substantially lessened or even avoided if the board and senior management of the organisations had established strong control cultures.

Weak control cultures often had two common elements:

First, senior management failed to emphasise the importance of a strong system of internal control through their words and actions, and most importantly, through the criteria used to determine compensation and promotion.

Second, senior management failed to ensure that the organisational structure and managerial accountabilities were well-defined. For example, senior management failed to require adequate supervision of key decision makers and reporting of the nature and conduct of business activities in a timely manner.

Senior management may weaken the control culture by promoting and rewarding managers who are successful in generating profits but fail to implement internal control policies or address problems identified by internal audit. Such actions send a message to others in the organisation that internal control is considered secondary to other goals in the organisation, and thus diminish the commitment to and quality of the control culture.

3.2 Risk assessment and management: Every financial institutions activity involves some kind of risk and this creates a compulsion for the financial institutions that, as part of an internal control system, these risks are being identified, assessed and mitigated. From an internal control perspective, risk assessment involves; identification and evaluation of factors, both internal and external, that could adversely affect performance, information and compliance objectives of a financial institutions. Internal factors include: complexity, nature and size of operations; quality of personnel and employee turnover; objectives and goals, etc. External factors include: fluctuating economic conditions, changes in the industry and technological advances, degree of aggressiveness of the market and competition faced by the market participants, etc.It may be noted that it differs from the risk management process, which typically focuses more on the review of business strategies and plans developed to maximize the risk/reward trade-off within the different areas of the financial institutions.

This risk identification should be done across the full spectrum of activities addressing both measurable and non-measurable aspects of risks. Second part of risk assessment – evaluation is done to determine which risks are controllable by the financial institutions and which are not. For those risks that are controllable, the financial institutions must assess whether to accept those risks or the extent to which it wishes to mitigate the risks through control procedures. For those risks that cannot be controlled, the financial institutions must decide, for the present, whether to accept these risks or to withdraw from or reduce the level of business activity concerned. But for the future, internal controls may need to be revised to appropriately address any new or previously uncontrolled risks.

An effective risk assessment system allows the board and the management to plan

6

for and respond to existing and emerging risks in the financial institutions activities. For that matter, such a system needs to demonstrate following:

Board and management involve audit personnel or other internal control experts in the risk assessment and risk evaluation process. Those experts should be competent, knowledgeable, and provided with adequate resources.

As the risks mutate with time and with changing circumstances, the board and the management, with due involvement of audit personnel, should appropriately evaluate the risks and consider control issues related to existing products and those relevant to new products and activities.

Risk coverage in the form of insurance (that is risk transfer) or provisioning (contingency fund) in relation to the financial institutions risk profile is adequate.

In the recent past, inadequate risk assessment has contributed to some organisations’ internal control problems and related losses. In some cases, the potential high yields associated with certain loans, investments, and derivative instruments distracted management from the need to thoroughly assess the risks associated with the transactions and devote sufficient resources to the continual monitoring and review of risk exposures. Losses have also been caused when management has failed to update the risk assessment process as the organisation’s operating environment changed. For example, as more complex or sophisticated products within a business line are developed, internal controls may not be enhanced to address the more complex products. A second example involves entry into a new business activity without a full, objective assessment of the risks involved. Without this reassessment of risks, the system of internal control may not appropriately address the risks in the new business.

3.3 Instituting Controls: Control activities are designed and implemented to address the risk that the financial institutions identified through the risk assessment process as described above. Control activities involve: (a) establishment of control policies and procedures, (b) verification that the control policies and procedures are being complied with. It is desired that control activities should involve all levels of personnel in the financial institutions, including senior management as well as front line personnel. Instituting an appropriate controls structure ensures the efficacy of an internal control system. This process involves :

Existence and compliance of policies and procedures ensuring that decisions are made with appropriate approvals and authorizations for transactions and activities while assuring that exceptions to the policies are minimal and reported to the board and the top management;

Timely reconciliation of accounts so that outstanding items, both on-and off-balance-sheet, are resolved and cleared;

Segregation of duties, existence of cross-checks, more-than-one-person authorization, dual controls, joint custody of keys, safeguards for access to and use of sensitive assets and records and forced leave policies, employees rotation systems are functioning in sensitive positions or risk-taking activities so that concerned employees do not have absolute control over areas;

7

Building of such reporting lines within a business or functional area that independence of the control function is ensured;

Accountability mechanism for the actions taken by the personnel as per their responsibilities and authorities;

Structure and functioning of compliance framework through which the board and senior management establishes that compliance with applicable laws and regulations is ensured.

In short, top level reviews; appropriate activity controls for different departments or divisions; physical controls; checking for compliance with exposure limits and follow-up on noncompliance; a system of approvals and authorizations; and, a system of verification and reconciliation are major constituents of the control activities.

3.4 Accounting Information and Communication Systems

An institution’s accounting, information, and communication systems ensure that risk-taking activities are within policy guidelines and that the systems are adequately tested and reviewed.

For this the following is important to note;

Effective internal control system requires that there is an effective reporting system of information that is relevant to decision making. The information should be reliable, timely accessible and provided in a consistent format.Information would have to include external market information about events and conditions that are relevant to decision making. Internal information include financial, operational and compliance data.There, should be appropriate committees within the organization which would evaluate data received through various information systems. This will ensure supply of correct and accurate information to the management.Internal information must cover all significant activities of the financial institutions. These systems including those that hold and use data in electronic form must be secure, monitored independently and supported by contingency arrangements.Most importantly the channels of communication must ensure that all s fully understand and adhere to policies and procedures effecting their duties and responsibilities and that other relevant information is reaching the appropriate personnel.

An accounting system is adequate if it properly identifies, assembles, analyzes, classifies, records, and reports the institution’s transactions in accordance with prescribed formats and international best practices.

The adequacy of information systems is determined by the type, number, and depth of reports it generates for operational, financial, managerial, and compliance-related activities and the access and authorization to information systems. An ideal information systems covers the full range of its activities in such a manner that information remains understandable and useful for audit trail.

8

Adequate information and effective communication are essential to the proper functioning of a system of internal control. From the financial institutions perspective, in order for information to be useful, it must be relevant, reliable, timely, accessible, and provided in a consistent format. Information includes internal financial, operational and compliance data, as well as external market information about events and conditions that are relevant to decision making. Internal information is part of a record-keeping process that should include established procedures for record retention.

On the one hand, the adequacy of communication systems is established by the fact that it imparts significant information throughout the institution (from the top down and from the bottom up, and laterally), ensuring that personnel understand whatever has been communicated and on the other hand, communication system should ensure that significant information is imparted to external parties such as regulators, shareholders, and customers.

Without effective communication, information is useless. Senior management of financial institutions need to establish effective paths of communication in order to ensure that the necessary information is reaching the appropriate people. This information relates both to the operational policies and procedures of the financial institutions as well as information regarding the actual operational performance of the organisation.

The organisational structure of the financial institutions should facilitate a complete flow of information - upward, downward and across the organisation. A structure that facilitates this flow ensures that information flows upward so that the board of directors and senior management are aware of the business risks and the operating performance of the financial institutions.

Information flowing down through an organisation ensures that the financial institutions objectives, strategies, and expectations, as well as its established policies and procedures, are communicated to lower level management and operations personnel. This communication is essential to achieve a unified effort by all financial institutions employees to meet the financial institutions objectives.

Finally, communication across the organisation is necessary to ensure that information that one division or department knows can be shared with other affected divisions or departments.

3.5 Self-Assessment and Monitoring: An integral component of internal control system is self-assessment and monitoring which includes:

Board and senior management oversight of the internal control, control reviews, and audit findings. Before starting full scale control review, the board and senior management should give their approval of the overall scope of the control review activities (e.g., audit, loan review, etc.).

Frequent and comprehensive reporting of deviations to the board or board

9

committee and senior management regarding sufficiency of details and timely presentation to allow for resolution and appropriate action.

Adequate documentation of management responses to audit or other control review findings so that it can be tracked for adequate follow-up.

Board or board committee or senior management review of the qualifications and independence of the personnel evaluating controls (e.g., external auditors, internal auditors, or line managers).

Financial institutions is a dynamic, rapidly evolving industry. Financial institutions must continually monitor and evaluate their internal control systems in light of changing internal and external conditions, and must enhance these systems as necessary to maintain their effectiveness.

Monitoring the effectiveness of internal controls should be part of the daily operations of the financial institutions but also include separate periodic evaluations of the overall internal control process. The frequency of monitoring different activities of a financial institutions should be determined by considering the risks involved and the frequency and nature of changes occurring in the operating environment. Ongoing monitoring activities can offer the advantage of quickly detecting and correcting deficiencies in the system of internal control.

Such monitoring is most effective when the system of internal control is integrated into the operating environment and produces regular reports for review. Examples of ongoing monitoring include the review and approval of journal entries, and management review and approval of exception reports.

10

(B) CONTROL PRINCIPLES

So far we have discussed about the elements of a sound internal control. Now the question is how to assess the internal controls of a particular organization The following principles related to the basic elements of control should be borne in mind while assessing internal control:

A. Management Oversight and Control Environment

Principle 1: The board of directors should have responsibility for approving and periodically reviewing the overall business strategies and significant policies of the financial institutions; understanding the major risks run by the financial institutions, setting acceptable levels for these risks and ensuring that senior management takes the steps necessary to identify, measure, monitor and control these risks; approving the organizational structure; and ensuring that senior management is monitoring the effectiveness of the internal control system. The board of directors is ultimately responsible for ensuring that an adequate and effective system of internal controls is established and maintained.

Principle 2: Senior management should have responsibility for implementing strategies and policies approved by the board;developing processes that identify, measure, monitor and control risks incurred by the financial institutions; maintaining an organizational structure that clearly assigns responsibility, authority and reporting relationships; ensuring that delegated responsibilities are effectively carried out; setting appropriate internal control policies; and monitoring the adequacy and effectiveness of the internal control system.

Principle 3: The board of directors and senior management are responsible for promoting high ethical and integrity standards,and for establishing a culture within the organization that emphasizes and demonstrates to all levels of personnel the importance of internal controls. All personnel at a financial institutionsing organization need to understand their role in the internal controls process and be fully engaged in the process.

B) Risk Recognition and Assessment

Principle 4: An effective internal control system requires that the material risks that could adversely affect the achievement of the financial institutions goals are being recognized and continually assessed. This assessment should cover all risks facing the financial institutions (that is, credit risk, country and transfer risk, market risk, interest rate risk, liquidity risk, operational risk, legal risk and reputational risk). Internal controls may need to be revised to appropriately address any new or previously uncontrolled risks.

C) Control Activities and Segregation of Duties

Principle 5: Control activities should be an integral part of the daily activities of a financial institutions. An effective internal control system requires that an appropriate control

11

structure be set up, with control activities defined at every business level. These should include: top level reviews; appropriate activity controls for different departments or divisions; physical controls; checking for compliance with exposure limits and follow-up on non-compliance; a system of approvals and authorizations; and, a system of verification and reconciliation. BIS Framework for Internal Control Systems in Financial institutions.

Principle 6: An effective internal control system requires that there is appropriate segregation of duties and that personnel are not assigned conflicting responsibilities. Areas of potential conflicts of interest should be identified, minimized, and subject to careful, independent monitoring.

D) Information and communication

Principle 7: An effective internal control system requires that there are adequate and comprehensive internal financial, operational and compliance data, as well as external market information about events and conditions that are relevant to decision making. Information should be reliable, timely, accessible, and provided in a consistent format.

Principle 8: An effective internal control system requires that there are reliable information systems in place that cover all significant activities of the financial institutions. These systems, including those that hold and use data in an electronic form, must be secure, monitored independently and supported by adequate contingency arrangements.

Principle 9: An effective internal control system requires effective channels of communication to ensure that all staff fully understand and adhere to policies and procedures affecting their duties and responsibilities and that other relevant information is reaching the appropriate personnel.

E) Monitoring Activities and Correcting Deficiencies

Principle 10: The overall effectiveness of the financial institutions internal controls should be monitored on an ongoing basis. Monitoring of key risks should be part of the daily activities of the financial institutions as well as periodic evaluations by the business lines and internal audit.

Principle 11: There should be an effective and comprehensive internal audit of the internal control system carried out by operationally independent, appropriately trained and competent staff. The internal audit function, as part of the monitoring of the system of internal controls, should report directly to the board of directors or its audit committee, and to senior management.

Principle 12: Internal control deficiencies, whether identified by business line, internal audit, or other control personnel, should be reported in a timely manner to the appropriate management level and addressed promptly. Material internal control deficiencies should be reported to senior management and the board of directors.

12

4 RESPONSIBILITIES OF THE PARTIES TO INTERNAL CONTROL

The board of directors, senior management and other personnel of financial institutions are responsible for establishing, maintaining, and operating an appropriate internal control system on an ongoing basis.

4.1 Board of Directors: The Board of Directors of all financial institutions is responsible for ensuring that an adequate and effective internal control system exists in their organization and that the senior management is maintaining and monitoring the performance of that system. Moreover, Board should periodically review the internal control systems and the significant findings. From the above it can be said that:

The overall responsibility of setting acceptable level of risk, ensuring that the senior management committee take necessary steps to identify , measure , monitor and control these risks, establishing broad business strategy, significant policies and understanding significant risks of the company rests with the Board of Directors.Through the establishment of an 'Audit Committee' of the Board and ‘Internal Control Department’ the Board of Directors can monitor the effectiveness of internal control system.The internal as well as external audit reports will be sent to the board without any intervention of the management and ensure that the management takes timely and necessary actions as per the recommendations.The Board should have periodic review meetings with the senior management to discuss the effectiveness of the internal control system of the company and ensure that the management has taken appropriate actions as per the recommendations of the auditors and internal control.

4.2 Management : Senior management of financial institutions have the responsibility for implementing strategies and policies as approved by the board in work place ; developing processes that identify, measure, monitor and control risks incurred by the financial institutions; maintaining an organizational structure that clearly assigns responsibility, authority and reporting relationships; ensuring that delegated responsibilities are effectively carried out; setting appropriate internal control policies; and monitoring the adequacy and effectiveness of the internal control system.

4.3 Audit Committee of the Board:

This Committee shall be formed by the Board of a company. The members of the Audit Committee shall be the selected Directors and the Managing Director. The Committee shall seat at least quarterly in a year. The Committee shall perform its work through an Internal Control Unit comprising of the Audit & Inspection wing and Compliance wing.

The Committee shall monitor the adequacy and effectiveness of the Internal Control System based on established policies and procedure.

13

The Committee vide its two wing shall produce, on quarterly basis, a report on internal control system and significant findings and present it to the Board.

The terms of reference of the Audit Committee, frequency of meeting , name of the members of the Committee shall be decided by the Board.

4.4 External Auditor: The external auditors are not part of a financial institution and, therefore, are not part of its internal control system, yet they have an important impact on the quality of internal controls through their audit activities, including discussions with management and recommendations for improvement of internal controls. The external auditors provide important feedback on the effectiveness of the internal control system.

The concept of external reporting on internal controls is well established and supported in the accounting literature. It is expected that external / statutory auditors shall review control systems for the impact they have on financial reporting and compliance with relevant policies, procedures, regulations and laws. The extent of attention given to the internal control system may vary by auditor and by financial institutions; however, it is generally expected that the auditor would identify significant weaknesses that exist at a financial institutions and report material weaknesses to management and the board in the form of an audit report/ management letter.

As regards internal control and the role of external auditors the following things should be borne in mind by the auditors:

External Auditors by dint of their independence from the management of the financial institutions can provide unbiased recommendation on the strength and weakness of the internal control system of the financial institutions.They can examine the records, transactions of the financial institutions and evaluate its accounting policy, disclosure policy and methods of financial estimation made by the Financial institutions; this will allow the board and the management to have an independent overview on the overall control system of the financial institutions.

It should be made obligatory on the part of the auditor to report to the Bangladesh Bank immediately if during the course of audit the auditor come across any facts which (1) might warrant qualification (2) endanger the entity audited and (3) indicate that the organization has severely infringed the regulatory provisions/guidelines.

4.5 Regulator:

The Financial Institutions Department(FID) of Bangladesh Bank is the direct supervisor of the financial institutions of Bangladesh. FID has many responsibilities to the Financial Institutions to protect interest of the public and to maintain financial discipline. The responsibilities of FID should be regulatory as well as advisory.

In order to achieve the regulatory and supervisory objectives the Bangladesh Bank may introduce a comprehensive supervisory framework.

Supervision can be of two types:

14

a. On Site Supervision and b. Off Site Supervision

Off site supervision would structurally be an in-house review and analysis based on various statutory returns and other statements.

On site supervision includes physical visit and inspection by Bangladesh Bank Official ensuring regulatory compliance, evaluation of financial soundness, appraisal of management and identification of areas requiring corrections, review of asset quality , analysis of key financial indicators etc.

As a regulator the Bangladesh Bank may introduce a system whereby the name of the Financial Institute which had not complied with the regulatory directions could be published in the newspapers.

The Bank may make it compulsory for the NBFIs to do credit rating periodically.

The Bank may introduce an on-line corporate memory/profile building process based on the observations generated from off-site surveillance system, , market intelligence, complaints, supervisory rating, record of compliance with directions and inspection findings.

Bangladesh Bank may think of devising a suitable system for co-ordinating the On-site inspection in tandem with the other regulatory authorities so that these NBFIs are subject to one shot examination by different regulatory authorities.

The Bank may think of introducing a supervisory rating system for the NBFIs. Such a rating system should be designed on the basis of different levels of regulatory compliance, capital adequacy and rating assigned by the credit rating agencies.

Based on the rating the NBFIs may be placed in three different supervisory “watch list” with low, medium and high risks. The rating assigned may primarily be the tool for triggering on-site inspection at various intervals.

It shall play its role as a watch dog, review the compliances of the regulations and Circulars issued from time to time through periodic inspections and visits, issue new directives for the betterment of macro economy, take corrective actions, if necessary, provide necessary advises and clarifications to the NBFIS.

During the course of regular inspection of financial institutions or when required, Financial institutions Department (FID)of Bangladesh Bank shall review the internal control system of any financial institutions in order to ensure compliance with these guidelines and all other relevant regulations and laws, circulars issued and enforced from time to time. In addition to that, the FID may review the report of the internal auditor of the financial institutions, assessment report of the management regarding effectiveness of the internal control and Boards’ endorsement thereof and the external/statutory auditors’ evaluation of the management regarding effectiveness of the internal control.

In addition to the above the following points shall also apply to the regulators:

15

For the financial institutions Bangladesh Bank is the primary regulator, who governs the activities of financial institutions. In addition Tax Authority, Registrar of Joint Stock Company Finance Ministry, Securities and Exchange Commission etc. are different types of Govt.bodies whose directives have significant impact of financial institutions business.The internal control system should always take into account the financial institutions internal processes to meet the regulatory requirement before conducting any operation.The internal control system of the financial institutions must be designed in a manner that the compliance with regulatory requirements is recognized in each activity of the financial institutions. The financial institutions must obtain regular information on regulatory changes and distribute among the concerned department, so that they can take necessary, action to adapt to such changes.The financial institutions must develop an effective communication process which will allow smooth distribution of relevant regulations among different departments and, personnel.

5 IMPLEMENTATION OF INTERNAL CONTROLS:

Various models/methodologies are used for the design and implementation of internal controls. However, it is the decision of the organizations to decide what model / strategy suit the size, nature, complexity, scope, risk exposure, etc. of their activities. Nevertheless, following is a brief summary of the key points that should be kept in mind while implementing the internal controls:

5.1 Compare current practices to the internal control system and identify gaps. For an internal control expert, the most important consideration should be to

evaluate the existing system of internal control in comparison to one defined by these guidelines and other international best practices. In this regard the first step is to identify what is and what is not covered by existing practices.

5.2 Involve senior management, the audit committee, audit staff, other key players. The thought process and implementation of change should not be considered as “just other audit things." Senior management and the audit committee must be perceived as driving the change and developing the control culture.

5.3 Assess business environment, organization culture and key players.Before the process of change is set in, it would be necessary to understand: (1) what is changing in the culture (2) What is changing in the organization’s businesses and systems (3) Are there organizational initiatives which internal control system implementation could link to (4) What is the perception about the internal auditing function within the organization .

5.4 Decide on implementation strategy.If the new practices can be designed to align with other organizational initiatives, or if senior management has taken ownership, this step is relatively easy. In any case, having a realistic implementation strategy is critical to success. Most implementers introduce the new ideas slowly and informally, building on personal relationships within the organization, listening as much as talking, and gradually building a consensus for change.

16

5.5 Provide training to everyone involved.The most critical factor to the successful implementation of a control model is that everyone involved must understand internal control. Effective training depends heavily on how concepts are phrased and the concrete examples and exercises which make the concepts real to participants.

5.6 Rectification & Improvement:The findings of the internal audit department and that of other experts should be reported back to the relevant staff/office for rectification and improvement of the internal control system. 5.7 Instituting an appropriate organization structure: Organization structure plays a vital role in establishing effective internal control system. It is the sometimes called the pictorial representation of the chain of command and the authority and supervision chain of an organization. The essence of the ideal organizational structure that will facilitate effectiveness of the internal control system is the segregation of duties. The financial institutions should, depending on the nature of business, structure, size,location of its branches and strength of its manpower try to establish an organizational structure which allow segregation of duties among its key functions such as marketing, operations, credit, financial administration etc.

Up to which level this segregation will take place will depend on an individual financial institutions. For instance a financial institutions which has small branch operations at remote places of the country may not find it feasible to have such functional segregation of duties at that branch level. However at the higher level such segregation should exist and where possible this should be extended to the branch levels. In cases where such segregation is not possible, there must be certain monitoring mechanism which should be independently reviewed to ensure all policies and procedures are followed at the branch level. A detail guideline in this respect is given in the following section.

5.7.1 Structure of the Internal Control Unit For an effective control system a separate organizational structure is also provided for this unit.

The audit committee of the board shall be the contact point for the internal control unit. The unit should be adequately staffed so that it can perform its duty properly. In order to ensure that availability of efficient people with internal control the financial institutions will make it mandatory for all middle to senior management staff to spend at least two years with internal control on secondment.

The head of internal control will report directly to the Audit Committee of the Board He will be responsible for the both compliance and control related tasks which include compliance with laws and regulation, audits and inspection, monitoring activities and risk assessment.

The audit team of the internal control unit will perform periodic and special audit and inspection.

The compliance unit will be responsible to ensure that financial institutions complies with all regulatory requirement while conducting its business. They will maintain liaison with the regulators at all level and notify the other units regarding regulatory changes.

Audit Committee of Board

Audit & InspectionWing

InspectorInspector

Compliance Wing

Internal Control Unit

Figure : Structure of Internal Control Unit

5.8 Preparing various guidelines/manuals Each Financial institutions should have a policy guideline in line with relevany laws and internal documents in order to ensure an effective control over its process invarious fields e.g. credit, human resources, finance & accounts, treasury, audit, customer service etc. There should be a written policy guideline for each Department’s function which may be as follows.

5.8(a) Standard Operating Procedures -Credit & Operations The main objective of lending money is to ensure maximum return of lend able fund. This manual should highlight the process starting from review of credit proposals, obligor risk rating, approving credit limit, disbursement of loans, monitoring of credit risk etc. Various types of MIS should be provided in order to have bettercontrol over assets of the financial institutions which can be generated if the system is in place.

This manual should also contain role of Credit Admin., Trade Finance, Reconciliations, Cash, Client’s service, Treasury, Back office etc. It should also reflecta clear guideline regarding Anti-Money Laundering activity in order to protect Financial institution’s interest. Credit Admin will be responsible for monitoring of limits and outstanding as per credit approval.

This manual should cover the following areas inter alia:

Risk classes, lending limits and credit authorities Investment policies Policies on financial & other product & services

17

18

Lending guidelines Approval processes DocumentationsSecurities and collaterals etc. Account Opening and closing Payment monitoring procedures Loan Administration Treasury Operations Anti-money Laundering procedures etc.

5.8(b) Finance & Accounting Manual This manual should provide guidelines on financial activities regarding income and expenditure of a financial institutions. They will look after if there is any exaggeration of expenditure where it is necessary to get control. This manual must incorporate a clause which shall make it mandatory to prepare and present an annual budget which shall contain target business, revenue, expenses, capital expenditures etc. This budget should be placed to the Board before starting of a new year and a periodic review of the actual achievement. Through this process it can also ensure the profitability of the financial institutions.

The basic content of Finance Manuals are:

Financial & Accounting Policies Financial Accounting Financial Management & Administration Fixed Assets Control Procurement of Goods and Services Audit and Internal Control General Clause Capital structure policies Treatment of Land, Building & Equipment Capital Adequacy and Shareholders Equity Treatment of revenue and expenditures Income tax procedures Write-off procedures etc.

5.8(c) Treasury Manual This manual should include activities of fund transfer. Inter financial institutions fund management is one by them. The manual should include the guideline so that they may manage the financial institutions fund properly and profitably. There may be some idle fund in the financial institutions which is to be taken into account so as to make them invested in optimum profit seeking area. They should also ensure the security of the fund. If possible, they may look into international money market subject to the available opportunity in the money market arena.

While framing a treasury manual the following things should be considered inter alia :

Internal Items Liquidity

19

Cost of fund Vs. yield from assets Policies & Procedure Skill of staff etc.

External Items

Market LiquidityRisks including changes in Exchange Rates Changes in regulations etc. InvestmentsCapital management etc.

5.8(d)Human Resource Policy Manual They will, at first, ensure the proper distribution of available human resources in the infrastructure of the financial institutions. It should also delineate the authority and responsibility of each employees .To find out the right person for setting up them at the right position is very crucial. The rewarding method of that department should be impartial. They will ensure staff welfare which will ultimately encourage people and create a healthy working atmosphere.

This manual should contain inter alia the following:

Recruitment policy Background checking policy Leave policy Compensation policy Reward and Recognition policy Termination & retirement policy Promotion and increment policy Training guidelines Employees code of conduct etc.

5.8(e)Information Technology Manual

This manual should contain the following areas:

MIS to be generated Security of Data and programme Back up system Control mechanism of data and files Disaster recovery plan NetworkingHardware maintenance Service agreements etc. TrainingManpower backup Power backup system Data storage

20

6. EXAMINATION OR EVALUATION OF CONTROL

As soon as the implementation of control is completed the next question is how to evaluate the effective functioning of this system. Evaluation may be done in the following ways:

a. Verification of departmental function through Check List b. Reviewing the documentation relating to operational activities through a

check list c. Preparing quarterly report and reviewing the same d. Risk analysis e. Audit Process & communication of weakness

6.1Deprtmental Control Function Checklist (DCFCL) {Appendix 7.1 to 7.4}

a) The guideline/procedure deals with matters relating to review/verifications of departmental functions to ensure that prescribed procedures are being followed by each department.

b) All departments are required to check that prescribed controls are being observed and laid down procedures are not overlooked & relaxed.

c) Departmental Managers/Branch Managers will review the DCFCL to ensure that control functions are performed and documented in the control sheets (Appendix 1) at the prescribed frequencies i.e. Daily, weekly, monthly and quarterly.

d) The DCFCL Checklist should be retained with the branch/departments for future inspection by Internal Control and Senior Management.

6.2 Loan Documentation Checklist {Appendix 7.6}

The checklist deals with matters relating to security/other documentation for sanctioning credit facilities to ensure that prescribed documentation is being obtained to safe guard financial institutions interest in case of litigation. Copy of the loan documentation check list shall be sent to the lease/loans department for their use.

6.3 Quarterly Operations Report {Appendix 7.5}

This guideline/procedure relates to reporting of operational functions of each branch/centre under the following heads on the enclosed format:

i. Policies, Procedures and Controls ii. Protection of Valuables iii. Proofs/Verifications and Internal Checks

iv. Personal and Supervision and v. Premises Management

vi. Confirmation on Regulatory Compliance

This report will be prepared by the Departmental/Branch Head . This will be prepared in duplicate copies one copy is to be dispatched to Internal Audit Department and another copy to the Audit Committee of the Board by 10th of the

21

following month.

The items which are not applicable for individual Department should be marked as N/A and no signature is required against the items marked as N/A.

Any deviation in the quarterly operations report must be reported in a separate exception report or shall be marked specially in the report.

6.4. Risk Analysis of Control Functions

Individual items in the DCFCL need to be assigned a risk rating in terms of the following dimensions:

a) Impact: Before taking into account the mitigation (i.e. Insurance) what is the impact of the lapse/omission.

b) Probability: After taking into account of the mitigation what is the likelihood of the event occurring.

To assist in this task, the following matrix (Table 1) can be used. However some financial institutions may consider customization of this matrix to suit their own risk profile. Where appropriate, additional details (e.g. financial values can be added). The key principle is that all financial institutions should be able to differentiate between different levels of risk in their own area of activity and then ensure appropriate controls are established.

Scores should be plotted on the following table to determine a category of high, medium and low risk.

P3 High High High

rob

2 Medium Medium High

abi

1 Low Medium High

1 2 3lity

Impact

Table: Risk Assessment Matrix

22

To arrive at the decision of what constitutes a high, medium or low risk the following template can be used

RiskScore

Probability (after taking into account of risk mitigation)

Impact (before taking into account of mitigation)

3 �High probability or almost certainty�High/frequently recurring �Governed by widely anticipated external factors/frequency of management review not established�New area of risk with no policy & procedure to deal with the matter�Probability uncertain�Complex, requires specialized skills to mitigate

�Catastrophic/major impact on the financial institutions�Potential loss in excess of BDT 1Million.�Serious regulatory implications (Revocation of license, imprisonment)/sanctions.�Potential/actual damage to reputation�Major corporate governance failure

2 �Evidence of increasing trends �Management reviews largely to manage exceptions �Policies exists but compliance is complex�External factors have medium bearing on ability to follow established standards�Process requires moderate degree of supervision

�Significant impact on the financial institutions.�Potential loss in excess of BDT 1,00,000�Possibility of fines/penalties from regulators�Medium financial loss with some potential for recovery�Medium level of reputation risk �Exposure due to control weakness

1 �Unlikely�Isolated incident/Not likely to be repeated�Frequent management review/ well documented�Clear policy exists�External factors have low impact on ability follow

�Potential or actual loss less than BDT 1,00,000�Low impact on business or reputation�Exposure on regulatory sanctions low�Customer service issues are within expected levels

6.5 Audit Procedure & Communication of weakness

Audit & Inspection and Compliance shall be under the control of Head of Internal control. Major responsibilities entrusted to the Audit & Inspection Department shall be to carry out Audit & Inspection of the various Departments/branches of the FIS in accordance with the instruction contained in the internal control policy guidelines and sometimes as per the direction of the Board or even as per the direction of the Management. The inspection team may conduct surprise checking/investigation and special inspection.

At the beginning of the year the Audit Team shall prepare a schedule for Audit and Inspection of Departments or branches with the approval of the CEO. Audit shall be

23

carried out at periodic intervals whereas inspection may be carried out any time. The audit shall basically be conducted based on some check list and the risk involved on the area to be audited.

On completion of each audit /Inspection a report must be submitted to the Head of Internal Control by the Head of Audit & Inspection within maximum 14 working days for onward submission to the Audit Committee of the Board.

The Head of Compliance is responsible for implementation of Inspection Repots and follow up with the Department/branches for regularization of the irregularities and implementation of the observations/recommendations made in the Audit Report.

This Department is also responsible for submission of Audit Report and ensuring compliance to the competent authority including preparation of Board Memos on Audit & Inspection. Compliance of Bangladesh Bank Inspection Reports and follow up of the same are the responsibility of this department.

General Guidelines for the Inspectors

1. The inspectors are the representatives of the Audit & Inspection and Compliance Department. They must posses a high standard of integrity & competence and are expected to have a thorough knowledge of working procedure of all the departments/branches of a company. They must also have a good knowledge on law and practices and should keep themselves abreast with the regulations and developments in the particular sector. They should be conversant with the prudential guidelines & circulars issued by Bangladesh Bank and other regulatory bodies. They should be in a position to interpret the circulars in proper perspective. They are however expected to provide appropriate guidelines where necessary to solve the problems.

2. Inspectors will be personally responsible for the accuracy and correctness of the figures and statements incorporated in the Report.

3. Irregularities shall be consecutively numbered and photocopy of the proof of irregularities to be taken if possible.

4. Minor irregularities shall be rectified during the course of audit. Major lapses and irregularities shall be listed and reported.

5. The inspector shall go through the progress in the way of compliance of the previous report and if any previously reported irregularities is repeated the same must be reported.

6. Where irregularities are due to negligence or inefficiency of any officer, past or present, the inspector must report the name of the officials responsible.

7. Should any difference of opinion arises between the inspector and the official upon some areas of irregularities then the inspectors shall incorporate in his report the views of the officials together with his own comments.

8. Before undertaking audit & Inspection , the inspectors will hold consultation with Head of the Department with a view to find out the special areas or

24

problems which need to be looked into. He shall have a full idea on the check list to be followed.

9. It is important for the inspectors to act as a sympathetic adviser to the staff of the Department/branches they are auditing/inspecting. Faults must of course be brought to light but report should be written with the recognition of the difficulties and efforts of the staff as well as their shortcomings.

10. Inspectors shall discuss with the Head of the Department on the draft report and shall obtain his/her signature thereon after the audit is completed and note down his/her comments if any. These replies must be incorporated in the final audit/Inspection Report. The report must be clearly and concisely written and free from padding.

11. If the inspector feels the requirement to change any written policies or guidelines he/she shall forward recommendations and the reason thereof to the Head of Audit & Inspection and compliance Departments.

12. The Inspection Report shall be prepared in five copies:

One copy shall be forwarded to the Audit Committee of the Board One copy shall be forwarded to the Managing Director/CEO One copy shall be forwarded to the Head of Audit & Inspection One copy shall be forwarded to the Head of Compliance One copy shall be forwarded to the respective department/branch in charge

13. The inspection report shall not be a public documents. But the Bangladesh Bank and any regulatory body shall have the authority/right to have a copy of it for their use.

6.6 Compliance Process

Regulatory requirements are to be incorporated into the work process to ensure full compliance. The financial institutions has to ensure that all guidelines received from the regulatory authority are properly disseminated among the relevant departments.

A particular unit (if possible Internal Control) should be responsible of receiving regulatory guidelines, maintaining proper record and distribution among all relevant units. If required this unit would contact regulatory authorities for proper clarifications on a particular issue and notify the concerned departments accordingly.

When regulatory inspection is conducted on the operation of the financial institutions this unit should work as point of contact.

Once the audit report is received they must ensure that corrective measures are taken and the appropriate response is made on a timely fashion. If any major lapse is identified by the regulatory authority they must ensure that the Audit Committee of the board is also notified along with the senior management of the branch.

This unit must arrange appropriate training for employees so that employees are aware of the regulations that are necessary to accomplish their jobs.

25

APPENDIX 7.1

DEPARTMENTAL CONTROL FUNCTION CHECKLIST – QUARTERLY

This is sample list of control functions. Each financial institutions will develop the list according to their own requirements

Area Function Responsibility Qtr 1 Qtr 2 Qtr 3 Qtr 4

QuarterlyBudget Review

To check whetherachievement is OK or not and how to overcome the deficit

CEO & Head of Dept

QuarterlyPerformancereview of employees

To see whether employees are lagging behind theirindividualtarget and to know their problems and how to overcome

Head of Department

Stock Taking To verify stock position

Head of Administration

Reports Check the copy of the reports with regulators deadlines

At present there are 6 such reports for Bangladesh Bank

Head of respectivedepartments

All security documentsincluding post dated cheques

Take the inventory

By appropriate person other than the custodian

26

APPENDIX 7.2

DEPARTMENTAL CONTROL FUNCTION CHECKLIST – MONTHLY

This is sample list of control functions. Each financial institutions will develop the list according to their own requirements

Area Function ResponsibilityFinancialStatements

Check whether the monthly statements are prepared as per the deadline of Board/shareholders

Head of Accounts

InsuranceCoverage

See whether renewal is necessary- Gen & Life

Head of Admin

TDR Verify TDR held with GL on last day of the month

Manager , TreasuryDepartment

Date

Initial

Date

Initial

Date

Initial

Date

InitialHoliday File Check with independent

source ie, Central Bank for local Holidays and check with Govt. Calendars

Head of HRD

Reports Check the copy of the reports with regulators deadlines & see deviations

Head of respectivedepartments

Accruals of Income & Expenses

Check whether all income and expenses have been accrued as per companies policies, regulatory requirement

Head of Accounts

Physicalsecurity of Assets

Check whether movement register and requisition slip are kept against assets movement. Fixed asset Register is marked accordinglySee whether insurance coverage is still effective on the day of verification

ManagerAdministrationtogether with ManagerAccounts

BankReconciliation

See whether all Bank Reconciliations were done properly

Head of Accounts

27

APPENDIX 7.3

DEPARTMENTAL CONTROL FUNCTION CHECKLIST – WEEKLY

This is sample list of control functions. Each financial institutions will develop the list according to their own requirements

Area Function Responsibility W 1 W 2 W 3 W 4

Reports Check the copy of the reports with regulators deadlines & see deviations

Head of respectivedepartments

Premiseprotection

See whether fire extinguishers are in place. Necessary direction to operate the same are kept beside the extinguishers

ManagerAdministration

Documentation See whether all documentation related to credit is completed by operations dept. as per document check list

ManagerOperations

MIS Check whether the MIS is updated with inputs from various dept.

Manager,Operations

CRR & SLR Requirements

Check the amount of CRR & SLR requirement based on the liability

AccountsDepartment

28

APPENDIX 7.4

DEPARTMENTAL CONTROL FUNCTION CHECKLIST – DAILY

This is sample list of control functions. Each financial institutions will develop the list according to their own requirements

Area Function Responsibility

Vouchers & posting Check on sample basis whether vouchers are properly raised and authorized as per Accounting manual

Check whether vouchers are posted regularly

ManagerAccounts

Receivable/payableaccount

Have the explanation of the head and see whether they are required at all.

Properauthority

Correction entry Check the nature of correction entry passed

Properauthority

Reports Check the copy of the reports as per check list with regulators deadlines & see deviations

Properauthority

Accruals of Income & Expenses

Check whether all income and expenses have been accrued as per companies policies, regulatory requirement

Head of Accounts

CRR Requirements Check the amount of CRR requirement based on the liability with current account balance with Bangladesh Bank

Head ofTreasury

Computer Back Ups

Check whether Back up of programme files and other important files are taken.

Head of IT

Filing of Correspondences

Check whether copies all outgoing letters are kept in Master File and Specific Files

DesignatedDepartment

Updating money market transaction

Prepare call money correspondences, information on call rate

Manager , Treasury

Updatingoperations software and information

See whether every day entry has been given in the system

Updating share price index and other merchant bankinginformation

Manager, Merchant Banking Properauthority

29

APPENDIX 7.5

QUARTERLY OPERATIONS REPORT

Date :

From : Audit & Inspection Department

To : Head of Internal Control Unit

Copy : Compliance Department

Quarter Ended on :

POLICIES, PROCEDURES AND CONTROLS

1. FINANCIAL INSTITUTIONS DEPARTMENT (FID) AUDIT & FOLLOW UPS

The Branch/Centre was last audited by the Audit Team of FID on …………………..We confirm that adequate corrective actions have been initiated to remove the deficiencies other than the following papers of their Audit Report.

Audit Observation Target Date of Rectification Reason for failure to rect.

Para no.

Enclosure : Bangladesh Bank Audit Report & Findings

2. INTERNAL CONTROL

The Company’s internal control situation was last audited by the FID on ,,,,,,,,,,,,,,,,,,,,, We confirm that adequate corrective actions have been initiated to remove the deficiencies other than the following para of the report.

Observation Target Date of Rectification Reason for failure to rect.

3. REGULATORY COMPLIANCE

(a) Financial Institutions Act 1993 and FI Regulations 1994 and FID Circulars

We confirm that requirements of Bangladesh Bank have been complied with except the following:

Sl. No Sections and FID Circulars reference Risk Remarks

30

(b) Income Tax Ordinance 19984 and Income Tax Rules

We confirm that requirements of Income Tax Ordinance 19984 and Income Tax Rules have been complied with except the following:

(C) Companies Act 1994

We confirm that requirements of the Companies Act 1994 have been complied with except the following:

(d ) Securities and Exchange Ordinance

We confirm that requirements of the Securities & Exchange Commission Ordinance and Rules complied with except the following:

(e) Dhaka Stock Exchange Listing Rules

We confirm that requirements of the Dhaka Stock Exchange Listing Rules have been complied with except the following:

(f) Shops and Establishment Act

We confirm that requirements of the Shops & Establishment Act have been complied with except the following:

(g) Other Rules & Regulations

4. Computer ACCESS ( if available)

a. We confirm that a full review of “Access Levels” is made to ensure that no conflicts exist and no official is holding both IDs to input transactions and Authorise such transactions.

b. We also confirm that Administrator Passwords are held in dual custody and the both custodians review the Administrator Journal Report and the Audit Trail Report (which reports all user access maintenance) and investigate all activities on a daily basis.

5. CUSTOMER SERVICES STANDARDS

a. The Customer Services Standards of all departments have been checked and documented as per guidelines from the Company . The shortfalls detected during the last quarter have been/will be removed within the target set.

b. Customers queries are meet in time as per the time frame fixed by the company and customers satisfaction note is received and preserved

31

6. DEPARTMENTAL CONTROL FUNCTIONS CHECK LISTS

a. The DCFCLs were completed and documented as per Company’s Guidelines by the concerned departments which are being/have been verified by the designated independent officials on _______

b. We confirm that no shortfalls have been identified by the Independent Reviewer and/or the shortfalls identified by him/her are being rectified and will be completed by __________________ under advice to Head of Compliance.

8. INTERNAL CHECKS

We confirm that all Internal Checks as per Company’s Guidelines applicable to us are being undertaken by the Independent officials designated in writing. All papers and the reviewer’s certificates are retained under the control of the Head of Department for future review by the Bangladesh Financial institutions audit team/ Internal Control Team.

10. RECOVERY OF COSTS

We confirm that the costs of telex/swift/telegrams/telephone/fax and other charges have been recovered from the Customers where applicable and credited to “Processing Fee A/C”

11. FRAUDS, FORGERIES & OPERATING LOSSES

Following transaction(s) involving Frauds/Forgeries/Other Operating Losses has/have been detected during the quarter ended on ___________ and reported to Internal Compliance Department

12. RETURNS

We confirm that returns to all Regulatory Bodies have been submitted within the schedule dates except the following:

Title of Return Due Date Act Date Reasons for Delay

13. LEGAL

We confirm that legal matters are being monitored by us as per Company Policy The following litigations are pending as of the reporting date:

Party Case Initiated on Brief Description Status

32

14. COMMUNICATIONS

Following meetings of the management were held during this quarter to improve communication among the members of Officer/Staff. We enclose a copy of the minutes of the meetings held for information and record.

Name of the Meeting Date of Meeting

15. FIXED ASSETS

We confirm that:

Quarterly as on March, June and September and December all items of Fixed Assets were physical check and verified with Fixed Assets Register and General Ledger.The entries passed through Profit and Loss A/c in respect of sale of Fixed Assets for the quarter ended have been reviewed to ensure that no entry is outstanding in the books.Fixed Assets sold during the quarters have been reviewed for tax purposesFixed Assets of the Company have been physically checked on sample basis by the independent officers designated by Internal Control team.Proper tender/quotations were received before disposing off the assets.

PROTECTION OF VALUABLES

1. MAINTENANCE OF KEYS

We confirm that the Key Register is being maintained as per prescribed procedure. Dual keys have been maintained in sensitive areas.

2. SAFE CUSTODY

We confirm that Safe Custody items are being maintained under dual custody and the Last complete independent physical verification of Safe Custody items as per Internal Control Dept’s instructions was undertaken on __________. We enclose a copy of the certificate received from the designated reviewer(s).

3. SAFE DEPOSIT LOCKERS

We confirm that keys to lockers are kept under dual control. The Head of Finance shall supervise the things.

4. STOCK OF STATIONERY

Stock of Stationery are being kept under dual custody and Bulk/Working Stocks are being verified each month end by Manager Administration together with Manager Finance.

33

5. CASH.

Cash/Prize Bonds / Sanchaya Patras/ Bonds were kept in safe fire proof vault under dual key. Cash is counted on a daily basis and reconciled with GL balance. Bond and other instruments are counted for number and value at the end of each month and tallied with GL balance.

6. SIGNATURE BOOKS

Daily signature book or Attendance Register is maintained at the proper place and every staff shall put his signature thereon as per Company’s policy. The Head of Administration shall supervise at random each month whether the employees are putting their signature properly. After verification he shall put his own signature with date.

VERIFICATIONS

1. All accounts in GL/ Subsidiary ledger were proved and verified during the quarter and the following wrong entries were detected and rectified promptly with the consent of Head of Finance & Accounts:

GL Head Voucher no. Vr. Date Amount Appropriate Head

2. We confirm that all outstanding entries in General Suspense (Assets & Liabilities) are being followed up for early liquidation. We enclose the statements of General Suspense Accounts as on March, June, September and December for your perusal :

March qtr June qtr Sept qtr Dec qtr SuspenseAccount Amt Correct

Head & Date of correction

Amt CorrectHead & Date of correction

Amt CorrectHead & Date of correction

Amt CorrectHead & Date of correction

PERSONNEL & SUPERVISION

1. Following transfers/movements were affected during the quarter as regards staff of the Company:

34

Name Transferred Transferred Period with From To present dept

LEAVE PROGRAMMES

1. Officers/staff are being granted leave as per leave program. Exception are given below:

Name of staff Department No. of days accumulated

2. Unionized staff has leave were enjoyed by the following staff as per Service Regulations:

Name of staff Department No. of days Action taken

3. Arrangements have been made to allow all employees including Management Staff to avail of 10 days uninterrupted leave or half of annual leave entitlement, whichever is the lesser in terms of service rules.

TRAINING PROGRAMME

Following Officers / staffs have undergone training both inside and overseas during the quarter :

Name ofParticipant

Department DurationofTraining

Subject of training

Place of Training

Cost of thetraining

Totalnumber of trainingavailed in thisCompany

PREMISES MANAGEMENT

1. FIRE/SAFETY STANDARDS

a) Following items have been checked during the quarter ended March/June/September/December _________.

35

Fire/Safety Procedure Ref: Standard Achieved/Shortfalls detected

i)

ii)

iii)

iv)

b) Half-yearly Self Audit of Fire/Safety Standards was undertaken and the return

submitted to you for the period ended 31 st January / 31

st July ……. by a

separate letter on ……….

c) We confirm that:

i) Close Circuit Camera was/is functioning properly.

ii) Security Alarm system was functioning properly.

iii) Recording of the arrival and departure time of all personnel occupying the Premises outside working hours and after financial institutions’ hours are being documented/reviewed by the Manager ,Administration on the Registers maintained for these purposes.

d) All electric wiring were checked by M/s ………………………………….. on …………………… and certificates obtained and kept in file for future audit / inspection. We enclose a copy of the certificate for our record.

e). The premises were inspected on holidays by the officers on rotation. Immediate action was taken on shortfalls detected through the checklist maintained which is retained after taking appropriate action as applicable for future audit/inspection.

f) The premise and the equipment and assets are under fire insurance cover which is renewed and updated. Besides there is a burglary insurance for the assets.

(Head of Finance & Administration) (Depart. Manager)

36

APPENDIX 7.6

LOAN DOCUMENTATION CHECKLIST

Borrower :

Registered Address :

STATUS: Individual / Proprietorship / Partnership / Limited Company A/c No.

First obtain General Documents. Then identify the Collateral and obtain specific documents listed hereunder. Leave out documents not called for by the terms of the Credit Approval and Facilities Advice Letter (Sanction Letter).

Sl.No

DESCRIPTION REQD. ( )

DATEOFDOC.

DATERECEIVED

EXPIRY ORIGINALDOCLOCATEDIN

TAKAAMOUNT

A. GENERALDOCUMENTS

1. Letter of Borrower requesting for new facilities / renewal

2. Authority of Borrow to Borrow (Letter of authority from partners in case of partnership concern and resolution in case of limited company) – with list of Partners/Directors

3. Form XII (Particulars of Directors) certified by RJSC regarding list of existing Directors for limited company

4. Sanction Letter: accepted unconditionally by Borrower

5. Demand Promissory Note

6. Letter of Continuity7. Deed of Partnership (for

Partnerships; Borrower / third party), By-Laws etc.

37

8. Memorandum and Articles of Association (for limited company Borrower / third party) with Certificate of Incorporation

9. Letter of Arrangement10. Letter of Disbursement11 Revival Letter

B. LIEN OF ACCOUNT 1. Resolution to lien account

proceeds (for Third Party partnerships and limited cos.)

2. Letter of Lien and Set- Off (Pledge Agreement)

C. PLEDGE OF DEPOSITS/S. PATRA

1. Resolution to deposit (for Third Party partnerships and limited company)

2. Fixed Deposit Receipts / Sanchaya Patra / Bonds endorsed by holder(s)

3. Letter of Guarantee by depositor (if the deposit stands in the name of Third Party)

Sl.No

DESCRIPTION REQD. ( )

DATEOFDOC.

DATERECEIVED

EXPIRY ORIGINALDOCLOCATEDIN

TAKAAMOUNT

4. Letter of Lien and Set Off (Pledge Agreement)

5. Letter of Authority for encashment of Sanchaya Patra/ Fixed Deposits

D. PLEDGE OF SHARES 1. Resolution to deposit (for

Third Party partnerships and limited company)

2. Share certificates3. Blank transfer forms for

each share certificate (Form 117)

4. Memorandum of Deposit of Shares

38

5. Letter of Guarantee by the shareholder (if the share stands in the name of person other than borrower)

6. Irrevocable letter of authority for collection of dividends, bonus etc. addressed by the shareholder to the relative company.

7. Notice of pledge by the shareholder to the relative companies.

E. PLEDGE OF INVENTORY

1. Letter of Pledge / Pledge Agreement

2. Letter of Disclaimer (if required)

3. RJSC Search Report (for limited company partnerships; Borrower / third party)

4. RJSC Form 18, and receipt of filing with RJSC

5. Certificate of registration from RJSC

6. Modification of Letter of Pledge / Pledge Agreement of Inventory

7. RJSC Form 19, and receipt of filing with RJSC

8. Insurance Policy

F. HYPOTHECATION OF INVENTORY

1. Resolution to hypothecate inventory (for Third Party partnerships and limited cos.)

2. Letter of Hypothecation of Inventory / HypothecationAgreement

3. RJSC Search Report (for limited company. partnerships;borrower/third party)

39

4. RJSC Form 18, and receipt of filing with RJSC

5. Certificate of registration from RJSC

6.Modification of Letter of Hypothecation of Inventory

Sl.No

DESCRIPTION REQD. ( )

DATEOFDOC.

DATERECEIVED

EXPIRY ORIGINALDOCLOCATEDIN

TAKAAMOUNT

of Inventory7. RJSC Form 19, and receipt

of filing with RJSC

8. Insurance Policy - jointly insured

G. TRUST RECEIPT 1. Trust Receipt Agreement

H. HYPOTHECATION OF RECEIVABLES/BOOKDEBTS

1. Resolution to hypothecate receivables / book debts (for Third Party partnerships and limited company)

2. Letter of Hypothecation of Receivables / Book Debts (Hypothecation Agreement)

3. RJSC Search Report (for limitedcompany/registeredpartnerships;borrower/third party)

4. RJSC Form 18, and receipt of filing with RJSC

5. Certificate of registration from RJSC

6. Modification of Letter of Hypothecation of Receivables

7. RJSC Form 19, and receipt of filing with RJSC

I. HYPOTHECATION OF MACHINERY AND EQUIPMENT

40

1. Resolution to hypothecate inventory (for Third Party partnerships and limited cos.)

2. Letter of Hypothecation of Machinery and Equipment / HypothecationAgreement

3. RJSC Search Report (for limited company. partnerships;borrower/third party)

4. RJSC Form 18, and receipt of filing with RJSC

5. Certificate of registration from RJSC

6. Modification of Letter of Hypothecation of Machinery & Equipment

7. RJSC Form 19, and receipt of filing with RJSC

8. Latest list of machinery & equipment

9. Insurance Policy

J. ASSIGNMENT OF RECEIVABLES

1. Resolution to assign receivables (for Third Party partnerships and limited cos.)

Sl.No

DESCRIPTION REQD. ( )

DATEOFDOC.

DATERECEIVED

EXPIRY ORIGINALDOCLOCATEDIN

TAKAAMOUNT

2. Deed of Assignment of receivables

3. Notification and acknowledgement of assignment and confirmation of receivables from the debtor

4. Letter of arrangement of Escrow Account among three parties, lessor, lessee and the bank.

K. MORTGAGE

41

1. Letter of nomination of third party mortgagor from Borrower with attested specimen signature of mortgagor

2. Resolution to mortgage and guarantee (for Third Party partnerships and limited company)

3. Copy of valid ID (for Third Party individual mortgagor)

4. Personal Guarantee from Third Party mortgagor

5. Original title deeds of mortgagor and previous owners (Bia- Deed)

6. C.S., S.A. and R.S. Parchas

7. Mutation Parchas in mortgagor’s name, certified by Assistant Commissioner of Land

8. Duplicate carbon receipt for mutation case

9. Letter of no objection of lessor for mortgagor to mortgage (for leasehold property)

10. Land development tax receipts of the immediately preceding Bengali year

11. Municipal holding tax receipts for property in municipalities

12. Building/factory plan with letter of approval

13. Real Estate Appraisal / Valuation report

14. RJSC Search Report (for limitedcompany/registeredpartnerships;borrower/third party)

15. Memorandum of deposit of title deeds (for equitable mortgages) with legal counsel’s approved draft.

42

16. Mortgage Deed and registration receipt endorsed by mortgagor (for legal/Registered mortgage) along with Power of Attorney

17. RJSC Form 18, and receipt of filing with RJSC if property in the name of ltd cos.

18. Certificate of registration from RJSC

19. Modification of Memorandum of deposit of title deeds

20. RJSC Form 19, and receipt of filing with RJSC

21. Income Tax Clearance Certificate as required for Registration

22.Non Encumbrance Certificate from Land Registrar

Sl.No

DESCRIPTION REQD. ( )

DATEOFDOC.

DATERECEIVED

EXPIRY ORIGINALDOCLOCATEDIN

TAKAAMOUNT

Registrar L. GUARANTEE1. List of

Directors/Partners with specimen signatures, certified by company secretary or chairman, or managing partner (for limited company and partnerships)

2. Resolution to guarantee (for limited company and partnerships)

3. Net Worth Statements (NWS) for individuals/guarantors

4. Letter of Guarantee

5. Letter of Counter Indemnity

M. TERM LOAN AGREEMENT

43

1. Term loan agreement between Borrower and the Company

2. Draft Term Loan Agreement approved by Head of Credit Risk Management Division and Legal Counsel.

N. SECURITY SHARING AGREEMENT

1

Whether Charge is created to RJSC Through Form XVIII and Form XIX

2. Security Sharing Agreement

3. Draft Security Sharing Agreement approved by Head of Credit Risk Management Division and Legal Counsel.

4.

O. SYNDICATION1. Accepted Mandate Letter2. Accepted Term Sheet

3. InformationMemorandum

4. Participation letters5. Facilities Agreement

6. Powers of Attorney of participants

7. Accepted Fee Letter8. Legal counsel’s opinion9. Head of Credit Risk

Management and Legal Counsel approval of documents.

P. OTHER DOCUMENTS

DEPARTMENT/UNIT NAME DATE SIGNATURE

MANAGER:

CREDITADMINISTRATION: