966
AZ
E-CBAR
Regulations on organization of internal control and internal audit in banks

Approved
by the Resolution of the Management Board of the
Central Bank of the Republic of Azerbaijan
dated 29 December 1999 (Minutes No.12)
Register No.138

 

Regulations on organization of internal control and internal audit in banks

(as amended on 15 April 2010)



These Regulations have been developed in accordance with the requirements of the Laws of the Republic of Azerbaijan "On Banks and Banking Activity in the Republic of Azerbaijan" and "On the Central Bank of the Republic of Azerbaijan" and determine the mechanisms of organization of internal control and internal audit for all commercial (joint-stock commercial) banks in the Republic of Azerbaijan.

 

1. General provisions


The Supervisory Board and the Management Board of the bank shall be responsible for the establishment and implementation of general strategic directions of the banking activity and policy, including the internal control system, as well as the correct and efficient conduct of banking operations. The Bank's Financial Audit Commission shall be responsible for conducting regular audits of the bank's operations in order to analyze the bank's compliance with laws, regulations, as well as the bank's own policies and regulations.
The internal audit shall also confirm the adequacy or availability of appropriate control mechanisms to ensure the security of the bank's assets, and the accuracy, completeness and integrity of the bank's periodic reports submitted to shareholders, regulatory bodies and the public.
Internal control mechanisms are an important tool for timely detection and prevention of potential errors, deficiencies and losses in banking, and minimizing banking risks. The establishment of internal control mechanisms is necessary to ensure the reliability, security, efficiency and compliance of banking operations with the law.
Each bank shall be guided by the following basic principles and rules in order to ensure the adequacy of internal control mechanisms in its activity:

a) Perfect organizational structure;
b) Necessary policy and accounting procedures;
c) Asset protection measures;
d) Effective internal audit program.

 

2. Organizational structure


2.1 The Supervisory Board, the Financial Audit Commission and the Management Board shall be responsible for developing the policy of the Bank's relevant internal control mechanisms, as well as for the compliance of the management and employees with this policy. These policy and control mechanisms shall cover the entire structure of credit institutions, including branches and divisions.

2.2. The organizational structure shall have a clear and unambiguous division of powers and responsibilities. The powers of employees to conduct operations, such as lending, investment or trade (currency, securities trading), etc., shall be clearly and precisely defined in the relevant policy approved by the Supervisory Board.

The volume of lending, investment, trade (sale and purchase of currency and securities) and other transactions and deals carried out by each employee, regardless of his/her position, shall be limited by limits;

  • monitoring and reporting systems shall be established on limits;
  • policy compliance reports shall be submitted to the management, the Supervisory Board and the Financial Audit Commission on a regular basis.

2.3. Appropriate policies and internal procedures shall be developed for each type of the Bank's activities, as well as adequate control systems shall be established to monitor compliance with those policies and procedures:

  • each policy shall be approved by the Supervisory Board;
  • each policy shall be reviewed at least once in a year;
  • all employees shall be familiar with the bank's policies and regulations in their field;
  • ongoing training courses shall be conducted to ensure unconditional adherence to policies and regulations;
  • reports on the situation for each type of activity shall be submitted to the Supervisory Board and the Financial Audit Commission, indicating the effectiveness of such type of activities.

It is necessary for credit institutions to develop at least the following internal policies, procedures and rules:

  • bank management structure and decision-making procedures;
  • documents regulating the rights and responsibilities between individual structural units and employees of the bank;
  • procedures regulating the activity of the bank’s internal audit service;
  • rules regulating the bank's credit policy, attraction and placement of funds;
  • bank's liquidity, assets and liabilities management policy;
  • securities issuance and investment policy;
  • rules for opening customer accounts and maintaining accounts;
  • computer systems, rules for their use and safety;
  • employee policy;
  • other policy, procedure and rules.

These policies, procedures and rules shall meet the requirements of applicable law, instructions, rules and regulations of the Central Bank.

2.4. Duties shall be distributed in such a way that from the beginning to the end of each operation not the same person is engaged in it, i.e. the execution and control over each operation is not carried out by the same person.
For ex.:

  • persons engaged in documenting of loans shall not have the authority to issue the actual loan;
  • persons authorized to conduct transactions with correspondent accounts shall not process these transactions on balance and personal accounts;
  • documents shall be reconciled with the balance sheet, turnover balance sheet and personal accounts by another person, not by the person who performed the transfer;
  • persons sending or receiving telex shall not have the right to execute the operations specified in the telex, to record them on the balance and personal accounts, or to reconcile related accounts.

2.5. The employee policy shall include the following:

  • positions shall be replaced alternately and the duration of this replacement shall be long enough for it to be effective;
  • all employees, including executives, shall leave their workplaces for at least two weeks a year without interruption so that other employees can perform their work during this period (vacation period).

2.6. When introducing a new type of banking service, an appropriate control mechanism for the risk level and monitoring of such operations shall be developed in advance.

It is necessary to have internal control rules, but it is extremely important to follow these rules for the effectiveness of internal control.

 

3. Accounting principles and rules

 

The accounting systems of each bank shall comply with the international accounting standards set by the CBAR and the principles of modern banking. The bank's accounting information shall reflect its true financial position and the exact results of its operations.


Below are some of the characteristics of each bank's accounting system:

  • each bank shall have internal guidelines on accounting of daily operations and data analysis;
  • documents shall be processed on a daily basis reflecting the daily operations and activities of the bank, as well as the bank’s financial status on a certain date;
  • supporting documents, such as deposits, loans, securities and foreign exchange transactions documents, shall be in accordance with the balance sheet, turnover balance sheet and personal accounts;
  • documents confirming all accounting correspondence shall have original copies;
  • reconciliation shall be conducted on a regular basis by employees who are not involved in the execution of operations and approval of documents;
  • documentation and systems shall be designed so that any transaction can be tracked from beginning to end as it passes through the bank's balance sheet.

 

4. Physical security of assets


Effective procedures shall be established and implemented in each bank to ensure that assets are protected and allowed to be handled only by authorized employees.

4.1. Employees working with cash shall be provided with cash funds directly assigned to them at the bank so that investigation can be conducted and liability can be determined. Rules for immediate notification of shortages shall be applied. Once the information is provided, all causes shall be investigated.

4.2. In certain cases, joint security shall be applied. During joint security, two or more persons are equally responsible for the physical security of certain items or documents (for example, different persons have the keys to safes containing confidential information, money and valuables). These positions shall be assigned to employees appointed for this purpose, and the remaining employees shall be informed about the existence of these positions.

4.3. Double control shall be established when conducting transactions that require verification or approval of the work of one employee by another (for example, payment of cashier's checks).

4.4. All banks shall develop and implement an appropriate plan to protect their most important assets and documents in the event of an emergency, such as a natural disaster or other internal or external damage to the bank's assets.


5. Internal audit

 

5.1. Internal audit is the most effective means of internal control available to the Supervisory Board, the Financial Audit Commission and the Management Board. An internal audit program can be considered perfect if the established control mechanisms, operational procedures ensure to minimize the damage that may result from inefficiencies, inconsistencies, or fraud or deliberate manipulation. The auditor's role is to assist in protecting the bank's assets by conducting audits and analyzes to determine the completeness, effectiveness and reliability of operating systems, procedural control mechanisms and documentation. An effective audit creates the necessary control atmosphere, serves the accuracy and reliability of banking operations.

The goals and objectives of the internal audit defined by these Regulations do not preclude the implementation of the powers of the Financial Audit Commission of the bank assigned to it by law. The Financial Audit Commission may rely on internal and external audits in the performance of its duties and powers.

5.2. The goals and objectives of the audit shall be primarily:

  • ensure regular checks to determine the compliance of operations performed by individual employees and structural units of the bank with the legislation, regulations and internal documents;
  • investigate the facts of violation by the bank’s employees of the requirements of legislation, normative acts, instructions, internal documents, standards of professional ethics, reveal inconsistencies or signs of fraud;
  • develop recommendations to eliminate and monitor identified deficiencies;
  • ensure proper documentation of the results of inspections and each fact found;
  • timely inform the bank's management about the results of inspections, new risks, shortcomings and deficiencies and their elimination;
  • control the organization of work on studying the requirements of legislation, normative acts, internal documents by the bank's employees;
  • analyze the adequacy of the accounting and reporting system;
  • assess the effectiveness of administrative control mechanisms and rules, as well as operations;
  • ensure that control mechanisms are in place when formulating new policies and revising old policies, or when planning new activities and at various stages of their implementation.

5.3. Employees of the internal audit service shall have the following rights:

  • access to accounting, cash and other documents for examination purposes;
  • determine whether the actions of the bank's employees and the operations carried out by them comply with the requirements of the legislation, normative acts and internal documents;
  • check the activities of all structural units of the bank;
  • make recommendations on the suspension of certain operations;
  • involve employees of other structural units of the bank in resolving a number of issues related to internal audit, if necessary.

5.4. In relations with the internal audit service, all bank employees are required:

  • to help the internal audit service to fulfill its responsibilities;
  • to inform the internal audit service about the facts of violation of the requirements of the legislation, instructions and rules, as well as damages to the bank;
  • to consult with the employees of the internal audit service in case of doubt as to the compliance of certain transactions with the requirements of legislation, normative acts, internal documents and standards of professional ethics;
  • bank employees cannot participate in the relevant transactions without prior notice to the internal audit service when they can be considered a “stakeholder”.

5.5. It is necessary to establish an internal audit service in all commercial (joint-stock) banks. The number of staff of the internal audit service shall be determined by the Supervisory Board based on the proposals of the Financial Audit Commission and the Management Board, depending on the size of the bank's assets, the scale of the bank's branch network, the scope and nature of the bank's internal control policy.

The head, members or internal auditor of the internal audit service shall be approved by the Management Board upon nomination by the bank's Supervisory Board and the Financial Audit Commission.

If the branches of foreign banks operating in the territory of the Republic are regularly audited by their parent bank, these branches may not have a full-time auditor, but it is necessary to establish an internal control system in these branches that meets the requirements of these Regulations.

Each bank shall have a corresponding internal audit program.

5.6. The audit function of banks shall meet the following minimum standards.
1) The auditor shall be independent:

  • shall report directly to the Supervisory Board and the Financial Audit Commission of the bank;
  • shall have the necessary authority to perform duties (free access to documents and departments);
  • shall have high business ethics and professional skills;
  • shall not be related to the function of the audited unit;
  • there shall be no restrictions on the schedule or scope of audit programs.

2) The auditor shall be competent:

  • shall have higher economic education, relevant professional experience, as well as a desire to constantly increase his professional knowledge;
  • shall be familiar with banking operations and international auditing rules;
  • shall be aware of internationally accepted accounting standards.

3) The audit program:

  • shall be approved by the bank's Financial Audit Commission and Supervisory Board and reviewed regularly;
  • shall be in writing and reflect the objectives of the audit;
  • shall be large enough to be consistent with the audit objectives;
  • shall provide detailed work programs for each area audited;
  • each program shall have a clear and concise description of the required audit work, and, depending on the scope of the audit work, shall include procedures for auditing specific transactions in various departments of the bank. Alongside with other factors, the procedures envisaged in the program may be changed depending on the volume and complexity of banking operations;
  • if necessary, the program shall provide for the approval of balance accounts, especially credit, deposit and correspondent accounts;
  • The timing of audits shall depend on the risk associated with each area. When analyzing bank risks, the auditor shall pay special attention to factors such as the nature of a specific transaction, related assets and liabilities, the availability of appropriate policies and internal controls, and the effectiveness of internal control mechanisms;
  • The work done shall be documented. Internal audit working papers shall contain the program of audit works, analytical materials describing the scope of the audit and the operations performed, and the basis for the opinions submitted.

The internal audit program shall focus on the following issues:
a. Adherence to the policies and rules established by the Supervisory Board and the management, as well as confirmation of obtaining appropriate permits to conduct operations;
b. Compliance with current legislation and regulations;
c. Detailed bank documents, including correct and timely recording of all transactions on the relevant accounts;
d. Security of bank assets, their correct accounting in financial statements;
e. Detailed analysis of income and expenses to determine their accuracy, legality and compliance with the bank's policy. In order to ensure the accuracy of calculations and documents, such analysis includes selective auditing of computer calculations and documents such as interest on deposits and loans, penalties for overdue payments, service fees, etc.;
f. Maintaining relevant documentation and collateral control, as well as accounting of off-balance sheet items such as letters of credit and guarantees;
g. Analysis of documents on losses from loans written off the balance sheet;
h. Availability of accurate and duly certified documents for each transaction from beginning to the end;
i. Security and reliability of computer equipment, software, as well as emergency planning (data security, storage and recovery).

4) The auditor’s opinion:

  • shall be prepared immediately after the audit;
  • shall include a report on the objectives, scope and results of the audit and detailed recommendations for each area where problems are identified;
  • recommendations shall include a brief description of the results of the audit, the required corrective measures, the names of those responsible for implementing these measures and the timing of their implementation;
  • opinions shall be submitted directly to the Supervisory Board and the Financial Audit Commission, and copies of the opinions shall be submitted to the Bank's Management Board and heads of departments (only relevant sections of the opinion);
  • the effectiveness of the internal audit depends on continuous monitoring to ensure that more recommendations are followed. The Supervisory Board shall develop a follow-up policy. Management and the internal auditor shall establish rules for follow-up control.

5) Audit frequency:

The frequency of audits usually depends on the degree of risk associated with each area being audited. The audit shall be conducted at least once a year.

The state of the internal control system in credit institutions, including the process of the internal audit, its organization and compliance with the requirements of these Regulations shall be checked by the Central Bank of the Republic of Azerbaijan. In addition, the Central Bank may periodically require credit institutions to report on the state of the internal control system and the results of audits.

These Regulations shall be effective from the date of signing.


Chairman of the Management Board of the Central Bank
E.S. Rustamov


10 January 2000