MANAGING CORE RISKS

OF FINANCIAL INSTITUTIONS

INTERNAL CONTROL AND

COMPLIANCE FRAMEWORK

Industry Best Practices

21 July 2005

BANGLADESH BANK
 Focus Group Members
Internal Control and Compliance Framework

Name Designation Organization

Team
Md. Masum Patwary Joint Director, FID Bangladesh Bank
Co-ordinator
SVP & Company
A.K.M. Anwarul Kabir LankaBangla Finance Limited
Secretary
Iqbal Mahmud Senior Manager IDLC of Bangladesh Ltd.
M. Ataul Hoque GM United Leasing Company Ltd.
Bangladesh Industrial Finance
Md. Nazimuddoula Head of Finance & ASVP
Company Ltd.
Team Members Moin Al Kashem AVP, Merchant Banking Prime Finance & Investment Ltd.
Industrial & Infrastructure
Nandan Kumar Paul VP Development Finance Company
Ltd.
Manager, Internal Delta Brac Housing Finance
Sayed Aminul Islam
Compliance Corporation Ltd.
Fareast Finance & Investment
Shantonu Saha DMD
Limited
 INDEX OF GUIDELINES OF BANGLADESH BANK FOR FINANCIAL
INSTITUTIONS ON INTERNAL CONTROLS

Page
1 INTRODUCTION
1.1 Overview 1
1.2 Definition 1
1.3Objectives of Internal Controls 2

2 STANDARDS OF INTERNAL CONTROLS 3

3 ELEMENTS OF A SOUND SYSTEM OF INTERNAL CONTROLS AND THE

PRINCIPLES FOR ASSESSING THE SYSTEM 4

(A) Components of Internal Controls

3.1 Management oversight and environment for control 4
3.2 Risk Assessment & Management 5
3.3 Instituting Controls 6
3.4 Accounting, Information & Communication Systems 7
3.5 Self-Assessment & Monitoring 8

(B) Principles 10

4 RESPONSIBILITIES
4.1 Board of Directors 12
4.2 Management 12
4.3 Auditor Committee 12
4.4 External Auditor 13
4.5 Regulator 13

5 IMPLEMENTATION OF INTERNAL CONTROLS

5.1 Compare current practices and identify gaps. 15

5.2 Involve senior management and other key players. 15
5.3 Assess business environment, organization culture and key players. 15
5.4 Decide on implementation strategy. 15
5.5 Provide training to everyone involved 16
5.6 Rectification & Improvement: 16
5.7 Instituting an appropriate organization structure 16
5.7.1 Structure of Internal Control Unit 16
5.8 Preparing various Guidelines /Manuals/Documents on 17
a. Standard Operating procedures Credit & Operations 17
 b. Finance and Accounting Manual 18
c. Treasury Manual 18
d. Human Resource Policy Manual 19
e. Information Technology Manual 19

6. EXAMINATION OR EVALUATION OF CONTROL 20

6.1. Dept Control Function Checklist (Appendix 7.1) 20
6.2. Loan Documentation Checklist (Appendix 7.2) 20
6.3. Quarterly Operations Report (Appendix 7.3) 20
6.4. Risk Analysis of Control Functions 21
6.5. Audit Procedure & Communication of weakness 22
6.6. Compliance Process 24

7 APPENDIXES
7.1 Departmental control function checklist- Quarterly 25
7.2 Departmental control function checklist- Monthly 26
7.3 Departmental control function checklist- Weekly 27
7.4 Departmental control function checklist- Daily 28
7.5 Periodic operational report 29-35
7.6 Loan Documentation checklist 36-43
1. INTERNAL CONTROL POLICY

1.1 Overview

Since its inception in early eighties NBFls have already shown its steady growth in
business. Its role in industrialization and its contribution in national exchequer can
not be undermined. In respect of asset management and risk management it has
already shown some glimpse of hope for the regulatory bodies. NBFls are now a
days focusing more on business diversification and consolidation of their existing
business. These diversified and complex financial activity involves various risk like
credit risk, market risk, interest rate risk, liquidity risk, operational risk, legal risk etc.
Shaping up the Future of a financial organization depends significantly on how these
risks are handled and minimised or protected through an effective internal control
system.

Though the Board is responsible for approving strategies and policies the top
management have the responsibility for implementing strategies, setting appropriate
internal control policies and monitoring the effectiveness of internal control system.

In many NBFls internal control is identified with internal audit; the scope of internal
control is not limited to audit work. It is an integral part of the daily activity of an
NBFls which on its own merit identifies the risks associated with the process and
adopts a measure to mitigate the same.

Internal Audit on the other hand is a part of Internal Control system which reinforces
the control system through regular review.

According to an IMF publication Internal Control refers to the mechanism in place on

a permanent basis to control the activities in an organization, both at a central and at
a departmental divisional level. A key component of effective internal control is the
operation of a solid accounting and information system.

It should be mentioned that an effective internal control system could have

contributed significantly in improving the performance of the NBFls if the control
culture is brought in through policy guidelines and structural changes in those
organizations.

1.2 Definition

In plain English internal controls are exercises of good old common sense practices.
Even in personal life we practice internal control principles when we:

x Store and lockup valuable personal belongings

x Keep copies of our tax return
x Match credit card copies to monthly statements etc.

More formally internal control is the process, effected by a company's Board of

Directors, management and other personnel, designed to provide reasonable
assurance regarding the achievement of objectives in the following categories:

1
 x effectiveness and efficiency of operations
x reliability of financial reporting and
x compliance with applicable laws, regulations, and internal policies.

Internal controls are tools that help management be effective and efficient while
avoiding serious problems such as overspending, operational failure, and violation
of laws.

In other words Internal Controls are the structure, policies and procedures put in
place to provide reasonable assurance that management meets its objectives and
fulfils its responsibilities.

These definitions reflects certain fundamental concepts :

1. Internal control is a process. It is a means to an end , not an end in itself

2. Internal control is effected by people.
3. Internal control can be expected to provide reasonable assurance , not
absolute assurance, to an entitys management and Board
4. Internal control is geared to the achievement of objectives.

1.3 Objective of Internal Control

The primary objective of internal control system in an NBFls is to help the

organization perform better through the use of its resources. Through internal
control system NBFls identifies its weaknesses and takes appropriate measures to
overcome the same. The main objectives of internal control are as follows:

x Efficiency and effectiveness of activities (performance objectives).

x Reliability, completeness and timelines of financial and management
information (information objectives)
x Compliance with applicable laws and regulations (compliance objectives)
x Accountability to the Board

2
 2 STANDARDS OF INTERNAL CONTROL

Internal control policies set forth some standards that departments must establish
and incorporate in an internal control structure:

(I) Cover all activities: All financial institutions should develop internal controls
which have coverage over all their functions, in general, and the key risk areas (KRA)
in particular. Key Risk Areas include those core activities, the break down of which
may render a financial institutions unable to meet its obligations; to its customers,
regulators and the sponsors. Further, the risk originating from such activities is of the
type that it may cause in systemic failure of other financial institutions. Examples of
key risk areas are Liquidity Risk, Interest Rate Risk, Foreign Exchange Risk, Credit
Risk, Operational Risk, etc.

(II) Regular Feature: Control activities should be an integral part of the daily
activities of a financial institutions / DFI in such a manner that it becomes ingrained
in their ongoing processes rather than a year-end fire drill to satisfy documentation
requests from auditors and supervisors.

(III) Separation of Duties: Duties should be divided so that no one person has
complete control over a key function or activity.

(IV) Authorization and Approval: All transactions should be authorized before

recording and execution.

(V) Custodial and Security Arrangements: Responsibility for custody of assets

needs to be separated from the related record keeping.

(VI) Review and Reconciliation: Records should be examined and reconciled to

regularly determine that transactions are properly processed, approved and booked.

(VII) Physical Controls: Equipment, inventories, cash and other assets should be
secured physically, counted periodically and compared with amounts shown on
control records.

(VIII) Training and Supervision: Qualified, well-trained and supervised employees

always help ensure that control processes function properly.

(IX) Documentation: Documented policies and procedures promote employee

understanding of duties and help ensure continuity during employee absences or
turnover. Therefore, policies and procedures (in the form of operations manuals and
desk instructions) should exist in all financial institutionss / DFIs.

(X) Communication of importance of Internal Controls: Setting standards of

professional integrity and work ethics and ensuring that all levels of personnel in
their organization know the importance of internal controls and understand their
role in the internal controls process and be fully engaged in the process.

(XI) Cost/Benefit: It is for the financial institutions to assess the costs associated with
control processes commensurate with the expected benefits.

3
3 ELEMENTS OF A SOUND SYSTEM OF INTERNAL CONTROLS AND THE
PRINCIPLES FOR ASSESSING THE SYSTEM

(A) Elements of Internal Controls

An effective internal control system consists of following interrelated components:

3.1. Management oversight & Control environment;

3.2. Risk assessment & management ;
3.3. Control activities & segregation of duties;
3.4. Accounting, information & communication; and
3.5. Self assessment & monitoring

3.1 Control Environment:

The environment in which internal control operates has an impact on the
effectiveness of the control procedures. In fact it is institutions control environment
which embodies the principles of strong internal control. Besides giving structure to
the internal control system, it provides discipline and protocol. The success of control
environment is judged according to the integrity, ethics, and competence of
personnel; the organizational structure of the institution; oversight by the board of
directors and senior management; managements philosophy and operating style;
attention and direction provided by the board of directors and its committees,
especially the audit and risk management committees; personnel policies and
practices and; external influences affecting operations and practices.

In order for internal controls to be effective, an appropriate control environment

should demonstrate following behaviors:

Board of directors reviews policies and procedures periodically and ensures their
compliance;
Board of directors determines whether there is an audit and control system in place
to periodically test and monitor compliance with internal control
policies/procedures and to report to the board instances of noncompliance;
Board of directors ensure independence of internal and external auditors such that
internal audit directly reports to the audit committee of the board which is
responsible to the board and that external auditor interacts with the said committee
and presents management letter to the board directly;
Board ensures that appropriate remedial action has been taken when instance of
noncompliance are reported and that system has been improved to avoid recurring
errors/mistakes;
Management information systems provides adequate information to the board and
that the board can have access to financial institutions records, if need arises;
Board and management ensure communication of conduct or ethics policies and
compliance thereof down the line within the organization;

In short, a strong control environment and an effective internal audit function, can
significantly complement specific control procedures. However, constitution of
internal control environment at a point-of-time does not, by itself, ensure the
effectiveness of the overall system of internal control but it is the continuous
supervision by management to ensure if it is functioning as prescribed and is

4
modified as appropriate.

Many internal control failures that resulted in significant losses for financial
institutions could have been substantially lessened or even avoided if the board and
senior management of the organisations had established strong control cultures.

Weak control cultures often had two common elements:

First, senior management failed to emphasise the importance of a strong system of

internal control through their words and actions, and most importantly, through the
criteria used to determine compensation and promotion.

Second, senior management failed to ensure that the organisational structure and
managerial accountabilities were well-defined. For example, senior management
failed to require adequate supervision of key decision makers and reporting of the
nature and conduct of business activities in a timely manner.

Senior management may weaken the control culture by promoting and rewarding
managers who are successful in generating profits but fail to implement internal
control policies or address problems identified by internal audit. Such actions send a
message to others in the organisation that internal control is considered secondary to
other goals in the organisation, and thus diminish the commitment to and quality of
the control culture.

3.2 Risk assessment and management:

Every financial institutions activity involves some kind of risk and this creates a
compulsion for the financial institutions that, as part of an internal control system,
these risks are being identified, assessed and mitigated. From an internal control
perspective, risk assessment involves; identification and evaluation of factors, both
internal and external, that could adversely affect performance, information and
compliance objectives of a financial institutions. Internal factors include: complexity,
nature and size of operations; quality of personnel and employee turnover; objectives
and goals, etc. External factors include: fluctuating economic conditions, changes in
the industry and technological advances, degree of aggressiveness of the market and
competition faced by the market participants, etc.It may be noted that it differs from
the risk management process, which typically focuses more on the review of business
strategies and plans developed to maximize the risk/reward trade-off within the
different areas of the financial institutions.

This risk identification should be done across the full spectrum of activities
addressing both measurable and non-measurable aspects of risks. Second part of risk
assessment evaluation is done to determine which risks are controllable by the
financial institutions and which are not. For those risks that are controllable, the
financial institutions must assess whether to accept those risks or the extent to which
it wishes to mitigate the risks through control procedures. For those risks that cannot
be controlled, the financial institutions must decide, for the present, whether to
accept these risks or to withdraw from or reduce the level of business activity
concerned. But for the future, internal controls may need to be revised to
appropriately address any new or previously uncontrolled risks.

An effective risk assessment system allows the board and the management to plan

5
for and respond to existing and emerging risks in the financial institutions activities.
For that matter, such a system needs to demonstrate following:

Board and management involve audit personnel or other internal control experts in
the risk assessment and risk evaluation process. Those experts should be competent,
knowledgeable, and provided with adequate resources.

As the risks mutate with time and with changing circumstances, the board and the
management, with due involvement of audit personnel, should appropriately
evaluate the risks and consider control issues related to existing products and those
relevant to new products and activities.

Risk coverage in the form of insurance (that is risk transfer) or provisioning

(contingency fund) in relation to the financial institutions risk profile is adequate.

In the recent past, inadequate risk assessment has contributed to some organisations
internal control problems and related losses. In some cases, the potential high yields
associated with certain loans, investments, and derivative instruments distracted
management from the need to thoroughly assess the risks associated with the
transactions and devote sufficient resources to the continual monitoring and review
of risk exposures. Losses have also been caused when management has failed to
update the risk assessment process as the organisations operating environment
changed. For example, as more complex or sophisticated products within a business
line are developed, internal controls may not be enhanced to address the more
complex products. A second example involves entry into a new business activity
without a full, objective assessment of the risks involved. Without this reassessment
of risks, the system of internal control may not appropriately address the risks in the
new business.

3.3 Instituting Controls:

Control activities are designed and implemented to address the risk that the financial
institutions identified through the risk assessment process as described above.
Control activities involve: (a) establishment of control policies and procedures, (b)
verification that the control policies and procedures are being complied with.
It is desired that control activities should involve all levels of personnel in the
financial institutions, including senior management as well as front line personnel.
Instituting an appropriate controls structure ensures the efficacy of an internal
control system. This process involves :

x Existence and compliance of policies and procedures ensuring that decisions

are made with appropriate approvals and authorizations for transactions and
activities while assuring that exceptions to the policies are minimal and
reported to the board and the top management;

x Timely reconciliation of accounts so that outstanding items, both on-and off-

balance-sheet, are resolved and cleared;

x Segregation of duties, existence of cross-checks, more-than-one-person

authorization, dual controls, joint custody of keys, safeguards for access to
and use of sensitive assets and records and forced leave policies, employees
rotation systems are functioning in sensitive positions or risk-taking activities
so that concerned employees do not have absolute control over areas;

6
 x Building of such reporting lines within a business or functional area that
independence of the control function is ensured;

x Accountability mechanism for the actions taken by the personnel as per their
responsibilities and authorities;

x Structure and functioning of compliance framework through which the board

and senior management establishes that compliance with applicable laws and
regulations is ensured.

In short, top level reviews; appropriate activity controls for different departments or
divisions; physical controls; checking for compliance with exposure limits and
follow-up on noncompliance; a system of approvals and authorizations; and, a
system of verification and reconciliation are major constituents of the control
activities.

3.4 Accounting Information and Communication Systems

An institutions accounting, information, and communication systems ensure that

risk-taking activities are within policy guidelines and that the systems are adequately
tested and reviewed.

For this the following is important to note;

x Effective internal control system requires that there is an effective reporting

system of information that is relevant to decision making. The information
should be reliable, timely accessible and provided in a consistent format.
x Information would have to include external market information about events
and conditions that are relevant to decision making. Internal information
include financial, operational and compliance data.
x There, should be appropriate committees within the organization which
would evaluate data received through various information systems. This will
ensure supply of correct and accurate information to the management.
x Internal information must cover all significant activities of the financial
institutions. These systems including those that hold and use data in
electronic form must be secure, monitored independently and supported by
contingency arrangements.
x Most importantly the channels of communication must ensure that all s fully
understand and adhere to policies and procedures effecting their duties and
responsibilities and that other relevant information is reaching the
appropriate personnel.

An accounting system is adequate if it properly identifies, assembles, analyzes,

classifies, records, and reports the institutions transactions in accordance with
prescribed formats and international best practices.

The adequacy of information systems is determined by the type, number, and depth
of reports it generates for operational, financial, managerial, and compliance-related
activities and the access and authorization to information systems. An ideal
information systems covers the full range of its activities in such a manner that
information remains understandable and useful for audit trail.
7
Adequate information and effective communication are essential to the proper
functioning of a system of internal control. From the financial institutions
perspective, in order for information to be useful, it must be relevant, reliable, timely,
accessible, and provided in a consistent format. Information includes internal
financial, operational and compliance data, as well as external market information
about events and conditions that are relevant to decision making. Internal
information is part of a record-keeping process that should include established
procedures for record retention.

On the one hand, the adequacy of communication systems is established by the fact
that it imparts significant information throughout the institution (from the top down
and from the bottom up, and laterally), ensuring that personnel understand
whatever has been communicated and on the other hand, communication system
should ensure that significant information is imparted to external parties such as
regulators, shareholders, and customers.

Without effective communication, information is useless. Senior management of

financial institutions need to establish effective paths of communication in order to
ensure that the necessary information is reaching the appropriate people. This
information relates both to the operational policies and procedures of the financial
institutions as well as information regarding the actual operational performance of
the organisation.

The organisational structure of the financial institutions should facilitate a complete

flow of information - upward, downward and across the organisation. A structure
that facilitates this flow ensures that information flows upward so that the board of
directors and senior management are aware of the business risks and the operating
performance of the financial institutions.

Information flowing down through an organisation ensures that the financial

institutions objectives, strategies, and expectations, as well as its established policies
and procedures, are communicated to lower level management and operations
personnel. This communication is essential to achieve a unified effort by all financial
institutions employees to meet the financial institutions objectives.

Finally, communication across the organisation is necessary to ensure that

information that one division or department knows can be shared with other affected
divisions or departments.

3.5 Self-Assessment and Monitoring:

An integral component of internal control system is self-assessment and monitoring
which includes:

x Board and senior management oversight of the internal control, control

reviews, and audit findings. Before starting full scale control review, the
board and senior management should give their approval of the overall scope
of the control review activities (e.g., audit, loan review, etc.).

x Frequent and comprehensive reporting of deviations to the board or board

8
 committee and senior management regarding sufficiency of details and
timely presentation to allow for resolution and appropriate action.

x Adequate documentation of management responses to audit or other control

review findings so that it can be tracked for adequate follow-up.

x Board or board committee or senior management review of the qualifications

and independence of the personnel evaluating controls (e.g., external
auditors, internal auditors, or line managers).

Financial institutions is a dynamic, rapidly evolving industry. Financial institutions

must continually monitor and evaluate their internal control systems in light of
changing internal and external conditions, and must enhance these systems as
necessary to maintain their effectiveness.

Monitoring the effectiveness of internal controls should be part of the daily

operations of the financial institutions but also include separate periodic evaluations
of the overall internal control process. The frequency of monitoring different
activities of a financial institutions should be determined by considering the risks
involved and the frequency and nature of changes occurring in the operating
environment. Ongoing monitoring activities can offer the advantage of quickly
detecting and correcting deficiencies in the system of internal control.

Such monitoring is most effective when the system of internal control is integrated
into the operating environment and produces regular reports for review. Examples
of ongoing monitoring include the review and approval of journal entries, and
management review and approval of exception reports.

9
(B) CONTROL PRINCIPLES

So far we have discussed about the elements of a sound internal control. Now the
question is how to assess the internal controls of a particular organization The
following principles related to the basic elements of control should be borne in mind
while assessing internal control:

A. Management Oversight and Control Environment

Principle 1:
The board of directors should have responsibility for approving and periodically
reviewing the overall business strategies and significant policies of the financial
institutions; understanding the major risks run by the financial institutions, setting
acceptable levels for these risks and ensuring that senior management takes the steps
necessary to identify, measure, monitor and control these risks; approving the
organizational structure; and ensuring that senior management is monitoring the
effectiveness of the internal control system. The board of directors is ultimately
responsible for ensuring that an
adequate and effective system of internal controls is established and maintained.

Principle 2:
Senior management should have responsibility for implementing strategies and
policies approved by the board;developing processes that identify, measure, monitor
and control risks incurred by the financial institutions; maintaining an organizational
structure that clearly assigns responsibility, authority and reporting relationships;
ensuring that delegated responsibilities are effectively carried out; setting
appropriate internal control policies; and monitoring the adequacy and effectiveness
of the internal control system.

Principle 3:
The board of directors and senior management are responsible for promoting high
ethical and integrity standards,and for establishing a culture within the organization
that emphasizes and demonstrates to all levels of personnel the importance of
internal controls. All personnel at a financial institutionsing organization need to
understand their role in the internal controls process and be fully engaged in the
process.

B) Risk Recognition and Assessment

Principle 4:
An effective internal control system requires that the material risks that could
adversely affect the achievement of the financial institutions goals are being
recognized and continually assessed. This assessment should cover all risks facing
the financial institutions (that is, credit risk, country and transfer risk, market risk,
interest rate risk, liquidity risk, operational risk, legal risk and reputational risk).
Internal controls may need to be revised to
appropriately address any new or previously uncontrolled risks.

C) Control Activities and Segregation of Duties

Principle 5:
Control activities should be an integral part of the daily activities of a financial
institutions. An effective internal control system requires that an appropriate control
10
structure be set up, with control activities defined at every business level. These
should include: top level reviews; appropriate activity controls for different
departments or divisions; physical controls; checking for compliance with exposure
limits and follow-up on non-compliance; a system of approvals and authorizations;
and, a system of verification and reconciliation. BIS Framework for Internal Control
Systems in Financial institutions.

Principle 6:
An effective internal control system requires that there is appropriate segregation of
duties and that personnel are not assigned conflicting responsibilities. Areas of
potential conflicts of interest should be identified, minimized, and subject to careful,
independent monitoring.

D) Information and communication

Principle 7:
An effective internal control system requires that there are adequate and
comprehensive internal financial, operational and compliance data, as well as
external market information about events and conditions that are relevant to decision
making. Information should be reliable, timely, accessible, and provided in a
consistent format.

Principle 8:
An effective internal control system requires that there are reliable information
systems in place that cover all significant activities of the financial institutions. These
systems, including those that hold and use data in an electronic form, must be secure,
monitored independently and supported by adequate contingency arrangements.

Principle 9:
An effective internal control system requires effective channels of communication to
ensure that all staff fully understand and adhere to policies and procedures affecting
their duties and responsibilities and that other relevant information is reaching the
appropriate personnel.

E) Monitoring Activities and Correcting Deficiencies

Principle 10:
The overall effectiveness of the financial institutions internal controls should be
monitored on an ongoing basis. Monitoring of key risks should be part of the daily
activities of the financial institutions as well as periodic evaluations by the business
lines and internal audit.

Principle 11:
There should be an effective and comprehensive internal audit of the internal control
system carried out by operationally independent, appropriately trained and
competent staff. The internal audit function, as part of the monitoring of the system
of internal controls, should report directly to the board of directors or its audit
committee, and to senior management.

Principle 12:
Internal control deficiencies, whether identified by business line, internal audit, or
other control personnel, should be reported in a timely manner to the appropriate
management level and addressed promptly. Material internal control deficiencies
should be reported to senior management and the board of directors.
11
4 RESPONSIBILITIES OF THE PARTIES TO INTERNAL CONTROL

The board of directors, senior management and other personnel of financial

institutions are responsible for establishing, maintaining, and operating an
appropriate internal control system on an ongoing basis.

4.1 Board of Directors:

The Board of Directors of all financial institutions is responsible for ensuring that an
adequate and effective internal control system exists in their organization and that
the senior management is maintaining and monitoring the performance of that
system. Moreover, Board should periodically review the internal control systems and
the significant findings. From the above it can be said that:

x The overall responsibility of setting acceptable level of risk, ensuring that the
senior management committee take necessary steps to identify , measure ,
monitor and control these risks, establishing broad business strategy,
significant policies and understanding significant risks of the company rests
with the Board of Directors.
x Through the establishment of an 'Audit Committee' of the Board and Internal
Control Department the Board of Directors can monitor the effectiveness of
internal control system.
x The internal as well as external audit reports will be sent to the board without
any intervention of the management and ensure that the management takes
timely and necessary actions as per the recommendations.
x The Board should have periodic review meetings with the senior
management to discuss the effectiveness of the internal control system of the
company and ensure that the management has taken appropriate actions as
per the recommendations of the auditors and internal control.

4.2 Management :
Senior management of financial institutions have the responsibility for implementing
strategies and policies as approved by the board in work place ; developing
processes that identify, measure, monitor and control risks incurred by the financial
institutions; maintaining an organizational structure that clearly assigns
responsibility, authority and reporting relationships; ensuring that delegated
responsibilities are effectively carried out; setting appropriate internal control
policies; and monitoring the adequacy and effectiveness of the internal control
system.

4.3 Audit Committee of the Board:

This Committee shall be formed by the Board of a company. The members of the
Audit Committee shall be the selected Directors and the Managing Director. The
Committee shall seat at least quarterly in a year. The Committee shall perform its
work through an Internal Control Unit comprising of the Audit & Inspection wing
and Compliance wing.

The Committee shall monitor the adequacy and effectiveness of the Internal Control
System based on established policies and procedure.
12
The Committee vide its two wing shall produce, on quarterly basis, a report on
internal control system and significant findings and present it to the Board.

The terms of reference of the Audit Committee, frequency of meeting , name of the
members of the Committee shall be decided by the Board.

4.4 External Auditor:

The external auditors are not part of a financial institution and, therefore, are not part
of its internal control system, yet they have an important impact on the quality of
internal controls through their audit activities, including discussions with
management and recommendations for improvement of internal controls. The
external auditors provide important feedback on the effectiveness of the internal
control system.

The concept of external reporting on internal controls is well established and

supported in the accounting literature. It is expected that external / statutory
auditors shall review control systems for the impact they have on financial reporting
and compliance with relevant policies, procedures, regulations and laws. The extent
of attention given to the internal control system may vary by auditor and by financial
institutions; however, it is generally expected that the auditor would identify
significant weaknesses that exist at a financial institutions and report material
weaknesses to management and the board in the form of an audit report/
management letter.

As regards internal control and the role of external auditors the following things
should be borne in mind by the auditors:
x External Auditors by dint of their independence from the management of the
financial institutions can provide unbiased recommendation on the strength
and weakness of the internal control system of the financial institutions.
x They can examine the records, transactions of the financial institutions and
evaluate its accounting policy, disclosure policy and methods of financial
estimation made by the Financial institutions; this will allow the board and
the management to have an independent overview on the overall control
system of the financial institutions.

It should be made obligatory on the part of the auditor to report to the Bangladesh
Bank immediately if during the course of audit the auditor come across any facts
which (1) might warrant qualification (2) endanger the entity audited and (3) indicate
that the organization has severely infringed the regulatory provisions/guidelines.

4.5 Regulator:

The Financial Institutions Department(FID) of Bangladesh Bank is the direct

supervisor of the financial institutions of Bangladesh. FID has many responsibilities
to the Financial Institutions to protect interest of the public and to maintain financial
discipline. The responsibilities of FID should be regulatory as well as advisory.

In order to achieve the regulatory and supervisory objectives the Bangladesh Bank
may introduce a comprehensive supervisory framework.

Supervision can be of two types:

13
 a. On Site Supervision and
b. Off Site Supervision

Off site supervision would structurally be an in-house review and analysis based on
various statutory returns and other statements.

On site supervision includes physical visit and inspection by Bangladesh Bank

Official ensuring regulatory compliance, evaluation of financial soundness, appraisal
of management and identification of areas requiring corrections, review of asset
quality , analysis of key financial indicators etc.

As a regulator the Bangladesh Bank may introduce a system whereby the name of
the Financial Institute which had not complied with the regulatory directions could
be published in the newspapers.

The Bank may make it compulsory for the NBFIs to do credit rating periodically.

The Bank may introduce an on-line corporate memory/profile building process

based on the observations generated from off-site surveillance system, , market
intelligence, complaints, supervisory rating, record of compliance with directions
and inspection findings.

Bangladesh Bank may think of devising a suitable system for co-ordinating the On-
site inspection in tandem with the other regulatory authorities so that these NBFIs
are subject to one shot examination by different regulatory authorities.

The Bank may think of introducing a supervisory rating system for the NBFIs. Such a
rating system should be designed on the basis of different levels of regulatory
compliance, capital adequacy and rating assigned by the credit rating agencies.

Based on the rating the NBFIs may be placed in three different supervisory watch
list with low, medium and high risks. The rating assigned may primarily be the tool
for triggering on-site inspection at various intervals.

It shall play its role as a watch dog, review the compliances of the regulations and
Circulars issued from time to time through periodic inspections and visits, issue new
directives for the betterment of macro economy, take corrective actions, if necessary,
provide necessary advises and clarifications to the NBFIS.

During the course of regular inspection of financial institutions or when required,

Financial institutions Department (FID)of Bangladesh Bank shall review the internal
control system of any financial institutions in order to ensure compliance with these
guidelines and all other relevant regulations and laws, circulars issued and enforced
from time to time. In addition to that, the FID may review the report of the internal
auditor of the financial institutions, assessment report of the management regarding
effectiveness of the internal control and Boards endorsement thereof and the
external/statutory auditors evaluation of the management regarding effectiveness of
the internal control.

In addition to the above the following points shall also apply to the regulators:

14
 x For the financial institutions Bangladesh Bank is the primary regulator, who
governs the activities of financial institutions. In addition Tax Authority,
Registrar of Joint Stock Company Finance Ministry, Securities and Exchange
Commission etc. are different types of Govt.bodies whose directives have
significant impact of financial institutions business.
x The internal control system should always take into account the financial
institutions internal processes to meet the regulatory requirement before
conducting any operation.
x The internal control system of the financial institutions must be designed in a
manner that the compliance with regulatory requirements is recognized in
each activity of the financial institutions. The financial institutions must
obtain regular information on regulatory changes and distribute among the
concerned department, so that they can take necessary, action to adapt to
such changes.
x The financial institutions must develop an effective communication process
which will allow smooth distribution of relevant regulations among different
departments and, personnel.

5 IMPLEMENTATION OF INTERNAL CONTROLS:

Various models/methodologies are used for the design and implementation of

internal controls. However, it is the decision of the organizations to decide what
model / strategy suit the size, nature, complexity, scope, risk exposure, etc. of their
activities. Nevertheless, following is a brief summary of the key points that should be
kept in mind while implementing the internal controls:

5.1 Compare current practices to the internal control system and identify gaps.
For an internal control expert, the most important consideration should be to
evaluate the existing system of internal control in comparison to one defined by these
guidelines and other international best practices. In this regard the first step is to
identify what is and what is not covered by existing practices.

5.2 Involve senior management, the audit committee, audit staff, other key players.
The thought process and implementation of change should not be considered as just
other audit things." Senior management and the audit committee must be perceived
as driving the change and developing the control culture.

5.3 Assess business environment, organization culture and key players.

Before the process of change is set in, it would be necessary to understand: (1) what
is changing in the culture (2) What is changing in the organizations businesses and
systems (3) Are there organizational initiatives which internal control system
implementation could link to (4) What is the perception about the internal auditing
function within the organization .

5.4 Decide on implementation strategy.

If the new practices can be designed to align with other organizational initiatives, or
if senior management has taken ownership, this step is relatively easy. In any case,
having a realistic implementation strategy is critical to success. Most implementers
introduce the new ideas slowly and informally, building on personal relationships
within the organization, listening as much as talking, and gradually building a
consensus for change.

15
5.5 Provide training to everyone involved.
The most critical factor to the successful implementation of a control model is that
everyone involved must understand internal control. Effective training depends
heavily on how concepts are phrased and the concrete examples and exercises which
make the concepts real to participants.

5.6 Rectification & Improvement:

The findings of the internal audit department and that of other experts should be
reported back to the relevant staff/office for rectification and improvement of the
internal control system.
5.7 Instituting an appropriate organization structure:
Organization structure plays a vital role in establishing effective internal control
system. It is the sometimes called the pictorial representation of the chain of
command and the authority and supervision chain of an organization. The essence
of the ideal organizational structure that will facilitate effectiveness of the internal
control system is the segregation of duties. The financial institutions should,
depending on the nature of business, structure, size,location of its branches and
strength of its manpower try to establish an organizational structure which allow
segregation of duties among its key functions such as marketing, operations, credit,
financial administration etc.

Up to which level this segregation will take place will depend on an individual
financial institutions. For instance a financial institutions which has small branch
operations at remote places of the country may not find it feasible to have such
functional segregation of duties at that branch level. However at the higher level
such segregation should exist and where possible this should be extended to the
branch levels. In cases where such segregation is not possible, there must be certain
monitoring mechanism which should be independently reviewed to ensure all
policies and procedures are followed at the branch level. A detail guideline in this
respect is given in the following section.

5.7.1 Structure of the Internal Control Unit

For an effective control system a separate organizational structure is also provided
for this unit.

The audit committee of the board shall be the contact point for the internal control
unit. The unit should be adequately staffed so that it can perform its duty properly.
In order to ensure that availability of efficient people with internal control the
financial institutions will make it mandatory for all middle to senior management
staff to spend at least two years with internal control on secondment.

The head of internal control will report directly to the Audit Committee of the Board
He will be responsible for the both compliance and control related tasks which
include compliance with laws and regulation, audits and inspection, monitoring
activities and risk assessment.

The audit team of the internal control unit will perform periodic and special audit
and inspection.

The compliance unit will be responsible to ensure that financial institutions complies
with all regulatory requirement while conducting its business. They will maintain
liaison with the regulators at all level and notify the other units regarding regulatory
changes.

16
 Audit Committee of Board

Internal Control Unit

Audit & Inspection Compliance Wing

Wing

Inspector Inspector

Figure : Structure of Internal Control Unit

5.8 Preparing various guidelines/manuals

Each Financial institutions should have a policy guideline in line with relevany laws
and internal documents in order to ensure an effective control over its process in
various fields e.g. credit, human resources, finance & accounts, treasury, audit,
customer service etc. There should be a written policy guideline for each
Departments function which may be as follows.

5.8(a) Standard Operating Procedures -Credit & Operations

The main objective of lending money is to ensure maximum return of lend able fund.
This manual should highlight the process starting from review of credit proposals,
obligor risk rating, approving credit limit, disbursement of loans, monitoring of
credit risk etc. Various types of MIS should be provided in order to have better
control over assets of the financial institutions which can be generated if the system
is in place.

This manual should also contain role of Credit Admin., Trade Finance,
Reconciliations, Cash, Clients service, Treasury, Back office etc. It should also reflect
a clear guideline regarding Anti-Money Laundering activity in order to protect
Financial institutions interest. Credit Admin will be responsible for monitoring of
limits and outstanding as per credit approval.

This manual should cover the following areas inter alia:

Risk classes, lending limits and credit authorities

Investment policies
Policies on financial & other product & services
17
Lending guidelines
Approval processes
Documentations
Securities and collaterals etc.
Account Opening and closing
Payment monitoring procedures
Loan Administration
Treasury Operations
Anti-money Laundering procedures etc.

5.8(b) Finance & Accounting Manual

This manual should provide guidelines on financial activities regarding income and
expenditure of a financial institutions. They will look after if there is any
exaggeration of expenditure where it is necessary to get control. This manual must
incorporate a clause which shall make it mandatory to prepare and present an
annual budget which shall contain target business, revenue, expenses, capital
expenditures etc. This budget should be placed to the Board before starting of a new
year and a periodic review of the actual achievement. Through this process it can
also ensure the profitability of the financial institutions.

The basic content of Finance Manuals are:

Financial & Accounting Policies

Financial Accounting
Financial Management & Administration
Fixed Assets Control
Procurement of Goods and Services
Audit and Internal Control
General Clause
Capital structure policies
Treatment of Land, Building & Equipment
Capital Adequacy and Shareholders Equity
Treatment of revenue and expenditures
Income tax procedures
Write-off procedures etc.

5.8(c) Treasury Manual

This manual should include activities of fund transfer. Inter financial institutions
fund management is one by them. The manual should include the guideline so that
they may manage the financial institutions fund properly and profitably. There may
be some idle fund in the financial institutions which is to be taken into account so as
to make them invested in optimum profit seeking area. They should also ensure the
security of the fund. If possible, they may look into international money market
subject to the available opportunity in the money market arena.

While framing a treasury manual the following things should be considered inter alia
:

Internal Items
Liquidity
18
Cost of fund Vs. yield from assets
Policies & Procedure
Skill of staff etc.

External Items

Market Liquidity
Risks including changes in Exchange Rates
Changes in regulations etc.
Investments
Capital management etc.

5.8(d)Human Resource Policy Manual

They will, at first, ensure the proper distribution of available human resources in the
infrastructure of the financial institutions. It should also delineate the authority and
responsibility of each employees .To find out the right person for setting up them at
the right position is very crucial. The rewarding method of that department should
be impartial. They will ensure staff welfare which will ultimately encourage people
and create a healthy working atmosphere.

This manual should contain inter alia the following:

Recruitment policy
Background checking policy
Leave policy
Compensation policy
Reward and Recognition policy
Termination & retirement policy
Promotion and increment policy
Training guidelines
Employees code of conduct etc.

5.8(e)Information Technology Manual

This manual should contain the following areas:

MIS to be generated
Security of Data and programme
Back up system
Control mechanism of data and files
Disaster recovery plan
Networking
Hardware maintenance
Service agreements etc.
Training
Manpower backup
Power backup system
Data storage

19
6. EXAMINATION OR EVALUATION OF CONTROL

As soon as the implementation of control is completed the next question is how to

evaluate the effective functioning of this system. Evaluation may be done in the
following ways:

a. Verification of departmental function through Check List

b. Reviewing the documentation relating to operational activities through a
check list
c. Preparing quarterly report and reviewing the same
d. Risk analysis
e. Audit Process & communication of weakness

6.1Deprtmental Control Function Checklist (DCFCL) {Appendix 7.1 to 7.4}

a) The guideline/procedure deals with matters relating to review/verifications

of departmental functions to ensure that prescribed procedures are being
followed by each department.
b) All departments are required to check that prescribed controls are being
observed and laid down procedures are not overlooked & relaxed.
c) Departmental Managers/Branch Managers will review the DCFCL to ensure
that control functions are performed and documented in the control sheets
(Appendix 1) at the prescribed frequencies i.e. Daily, weekly, monthly and
quarterly.
d) The DCFCL Checklist should be retained with the branch/departments for
future inspection by Internal Control and Senior Management.

6.2 Loan Documentation Checklist {Appendix 7.6}

The checklist deals with matters relating to security/other documentation for

sanctioning credit facilities to ensure that prescribed documentation is being
obtained to safe guard financial institutions interest in case of litigation. Copy of
the loan documentation check list shall be sent to the lease/loans department for
their use.

6.3 Quarterly Operations Report {Appendix 7.5}

This guideline/procedure relates to reporting of operational functions of each

branch/centre under the following heads on the enclosed format:
i. Policies, Procedures and Controls
ii. Protection of Valuables
iii. Proofs/Verifications and Internal Checks
iv. Personal and Supervision and
v. Premises Management
vi. Confirmation on Regulatory Compliance

This report will be prepared by the Departmental/Branch Head . This will be

prepared in duplicate copies one copy is to be dispatched to Internal Audit
Department and another copy to the Audit Committee of the Board by 10th of the
20
following month.

The items which are not applicable for individual Department should be marked as
N/A and no signature is required against the items marked as N/A.

Any deviation in the quarterly operations report must be reported in a separate

exception report or shall be marked specially in the report.

6.4. Risk Analysis of Control Functions

Individual items in the DCFCL need to be assigned a risk rating in terms of the
following dimensions:

a) Impact: Before taking into account the mitigation (i.e. Insurance) what is the
impact of the lapse/omission.

b) Probability: After taking into account of the mitigation what is the likelihood of
the event occurring.

To assist in this task, the following matrix (Table 1) can be used. However some
financial institutions may consider customization of this matrix to suit their own risk
profile. Where appropriate, additional details (e.g. financial values can be added).
The key principle is that all financial institutions should be able to differentiate
between different levels of risk in their own area of activity and then ensure
appropriate controls are established.

Scores should be plotted on the following table to determine a category of high,

medium and low risk.

3 High High High

P
r
o 2 Medium Medium High
b
a
b 1 Low Medium High
i
li
t 1 2 3
y
Impact

Table: Risk Assessment Matrix

21
To arrive at the decision of what constitutes a high, medium or low risk the following
template can be used

Risk Probability (after taking into
Score account of risk mitigation)
3 High probability or almost
certainty
High/frequently recurring
Governed by widely anticipated
external factors/frequency of
management review not
established
New area of risk with no policy
& procedure to deal with the
matter
Probability uncertain
Complex, requires specialized
skills to mitigate
2 Evidence of increasing trends
Management reviews largely to
manage exceptions
Policies exists but compliance is
complex
External factors have medium
bearing on ability to follow
established standards
Process requires moderate
degree of supervision
1 Unlikely
Isolated incident/Not likely to
be repeated
Frequent management review/
well documented
Clear policy exists
External factors have low
impact on ability follow
Impact (before taking into account of
mitigation)
Catastrophic/major impact on the
financial institutions
Potential loss in excess of BDT
1Million.
Serious regulatory implications
(Revocation of license,
imprisonment)/sanctions.
Potential/actual damage to
reputation
Major corporate governance failure
Significant impact on the financial
institutions.
Potential loss in excess of BDT
1,00,000
Possibility of fines/penalties from
regulators
Medium financial loss with some
potential for recovery
Medium level of reputation risk
Exposure due to control weakness
Potential or actual loss less than
BDT 1,00,000
Low impact on business or
reputation
Exposure on regulatory sanctions
low
Customer service issues are within
expected levels

6.5 Audit Procedure & Communication of weakness

Audit & Inspection and Compliance shall be under the control of Head of Internal
control. Major responsibilities entrusted to the Audit & Inspection Department shall
be to carry out Audit & Inspection of the various Departments/branches of the FIS in
accordance with the instruction contained in the internal control policy guidelines
and sometimes as per the direction of the Board or even as per the direction of the
Management. The inspection team may conduct surprise checking/investigation and
special inspection.

At the beginning of the year the Audit Team shall prepare a schedule for Audit and
Inspection of Departments or branches with the approval of the CEO. Audit shall be

22
carried out at periodic intervals whereas inspection may be carried out any time. The
audit shall basically be conducted based on some check list and the risk involved on
the area to be audited.

On completion of each audit /Inspection a report must be submitted to the Head of

Internal Control by the Head of Audit & Inspection within maximum 14 working
days for onward submission to the Audit Committee of the Board.

The Head of Compliance is responsible for implementation of Inspection Repots and

follow up with the Department/branches for regularization of the irregularities and
implementation of the observations/recommendations made in the Audit Report.

This Department is also responsible for submission of Audit Report and ensuring
compliance to the competent authority including preparation of Board Memos on
Audit & Inspection. Compliance of Bangladesh Bank Inspection Reports and follow
up of the same are the responsibility of this department.

General Guidelines for the Inspectors

1. The inspectors are the representatives of the Audit & Inspection and Compliance
Department. They must posses a high standard of integrity & competence and
are expected to have a thorough knowledge of working procedure of all the
departments/branches of a company. They must also have a good knowledge on
law and practices and should keep themselves abreast with the regulations and
developments in the particular sector. They should be conversant with the
prudential guidelines & circulars issued by Bangladesh Bank and other
regulatory bodies. They should be in a position to interpret the circulars in
proper perspective. They are however expected to provide appropriate
guidelines where necessary to solve the problems.

2. Inspectors will be personally responsible for the accuracy and correctness of the
figures and statements incorporated in the Report.

3. Irregularities shall be consecutively numbered and photocopy of the proof of

irregularities to be taken if possible.

4. Minor irregularities shall be rectified during the course of audit. Major lapses and
irregularities shall be listed and reported.

5. The inspector shall go through the progress in the way of compliance of the
previous report and if any previously reported irregularities is repeated the same
must be reported.

6. Where irregularities are due to negligence or inefficiency of any officer, past or

present, the inspector must report the name of the officials responsible.

7. Should any difference of opinion arises between the inspector and the official
upon some areas of irregularities then the inspectors shall incorporate in his
report the views of the officials together with his own comments.

8. Before undertaking audit & Inspection , the inspectors will hold consultation
with Head of the Department with a view to find out the special areas or

23
 problems which need to be looked into. He shall have a full idea on the check list
to be followed.

9. It is important for the inspectors to act as a sympathetic adviser to the staff of the
Department/branches they are auditing/inspecting. Faults must of course be
brought to light but report should be written with the recognition of the
difficulties and efforts of the staff as well as their shortcomings.

10. Inspectors shall discuss with the Head of the Department on the draft report and
shall obtain his/her signature thereon after the audit is completed and note down
his/her comments if any. These replies must be incorporated in the final
audit/Inspection Report. The report must be clearly and concisely written and
free from padding.

11. If the inspector feels the requirement to change any written policies or guidelines
he/she shall forward recommendations and the reason thereof to the Head of
Audit & Inspection and compliance Departments.

12. The Inspection Report shall be prepared in five copies:

One copy shall be forwarded to the Audit Committee of the Board

One copy shall be forwarded to the Managing Director/CEO
One copy shall be forwarded to the Head of Audit & Inspection
One copy shall be forwarded to the Head of Compliance
One copy shall be forwarded to the respective department/branch in charge

13. The inspection report shall not be a public documents. But the Bangladesh Bank
and any regulatory body shall have the authority/right to have a copy of it for their
use.

6.6 Compliance Process

Regulatory requirements are to be incorporated into the work process to ensure full
compliance. The financial institutions has to ensure that all guidelines received from
the regulatory authority are properly disseminated among the relevant departments.

A particular unit (if possible Internal Control) should be responsible of receiving

regulatory guidelines, maintaining proper record and distribution among all relevant
units. If required this unit would contact regulatory authorities for proper
clarifications on a particular issue and notify the concerned departments accordingly.

When regulatory inspection is conducted on the operation of the financial

institutions this unit should work as point of contact.

Once the audit report is received they must ensure that corrective measures are taken
and the appropriate response is made on a timely fashion. If any major lapse is
identified by the regulatory authority they must ensure that the Audit Committee of
the board is also notified along with the senior management of the branch.

This unit must arrange appropriate training for employees so that employees are
aware of the regulations that are necessary to accomplish their jobs.

24
 APPENDIX 7.1

DEPARTMENTAL CONTROL FUNCTION CHECKLIST QUARTERLY

This is sample list of control functions. Each financial institutions will develop the list according
to their own requirements

Area Function Responsibility Qtr 1 Qtr 2 Qtr 3 Qtr 4

Quarterly To check CEO & Head

Budget Review whether of Dept
achievement is
OK or not and
how to
overcome the
deficit

Quarterly To see whether Head of

Performance employees are Department
review of lagging behind
employees their
individual
target and to
know their
problems and
how to
overcome
Stock Taking To verify stock Head of
position Administration
Reports Check the copy Head of
of the reports respective
with regulators departments
deadlines

At present
there are 6
such reports
for Bangladesh
Bank
All security Take the By appropriate
documents inventory person other
including post than the
dated cheques custodian

25
 APPENDIX 7.2

DEPARTMENTAL CONTROL FUNCTION CHECKLIST MONTHLY

This is sample list of control functions. Each financial institutions will develop the list according to their own
requirements
Area Function Responsibility
Financial Check whether the Head of
Statements monthly statements are Accounts
prepared as per the
deadline of
Board/shareholders
Insurance See whether renewal is Head of Admin
Coverage necessary- Gen & Life
TDR Verify TDR held with GL Manager , Date Date Date Date
on last day of the month Treasury
Department Initial Initial Initial Initial
Holiday File Check with independent Head of HRD
source ie, Central Bank
for local Holidays and
check with Govt.
Calendars
Reports Check the copy of the Head of
reports with regulators respective
deadlines & see departments
deviations

Accruals of Check whether all income Head of

Income & and expenses have been Accounts
Expenses accrued as per companies
policies, regulatory
requirement

Physical Check whether movement Manager

security of register and requisition Administration
Assets slip are kept against assets together with
movement. Fixed asset Manager
Register is marked Accounts
accordingly
See whether insurance
coverage is still effective
on the day of verification
Bank See whether all Bank Head of
Reconciliation Reconciliations were done Accounts
properly

26
 APPENDIX 7.3

DEPARTMENTAL CONTROL FUNCTION CHECKLIST WEEKLY

This is sample list of control functions. Each financial institutions will develop the list according to their own
requirements

Area Function Responsibility W1 W2 W3 W4

Reports Check the copy of the Head of

reports with regulators respective
deadlines & see departments
deviations

Premise See whether fire Manager

protection extinguishers are in Administration
place. Necessary
direction to operate the
same are kept beside the
extinguishers
Documentation See whether all Manager
documentation related to Operations
credit is completed by
operations dept. as per
document check list
MIS Check whether the MIS is Manager,
updated with inputs from Operations
various dept.
CRR & SLR Check the amount of Accounts
Requirements CRR & SLR requirement Department
based on the liability

27
 APPENDIX 7.4

DEPARTMENTAL CONTROL FUNCTION CHECKLIST DAILY

This is sample list of control functions. Each financial institutions will develop the list according to their own
requirements

Area Function Responsibility

Vouchers & posting Check on sample basis whether Manager

vouchers are properly raised and Accounts
authorized as per Accounting
manual

Check whether vouchers are

posted regularly
Receivable/payable Have the explanation of the head Proper
account and see whether they are required authority
at all.
Correction entry Check the nature of correction Proper
entry passed authority
Reports Check the copy of the reports as Proper
per check list with regulators authority
deadlines & see deviations

Accruals of Income Check whether all income and Head of

& Expenses expenses have been accrued as Accounts
per companies policies, regulatory
requirement
CRR Requirements Check the amount of CRR Head of
requirement based on the liability Treasury
with current account balance with
Bangladesh Bank
Computer Back Check whether Back up of Head of IT
Ups programme files and other
important files are taken.
Filing of Check whether copies all Designated
Correspondences outgoing letters are kept in Master Department
File and Specific Files
Updating money Prepare call money Manager ,
market transaction correspondences, information on Treasury
call rate
Updating See whether every day entry has
operations software been given in the system
and information
Updating share Manager, Merchant Banking Proper
price index and authority
other merchant
banking
information

28
 APPENDIX 7.5

QUARTERLY OPERATIONS REPORT

Date :

From : Audit & Inspection Department

To : Head of Internal Control Unit

Copy : Compliance Department

Quarter Ended on :

POLICIES, PROCEDURES AND CONTROLS

1. FINANCIAL INSTITUTIONS DEPARTMENT (FID) AUDIT & FOLLOW UPS

The Branch/Centre was last audited by the Audit Team of FID on

..
We confirm that adequate corrective actions have been initiated to remove the
deficiencies other than the following papers of their Audit Report.

Audit Observation Target Date of Rectification Reason for failure to rect.

Para no.

Enclosure : Bangladesh Bank Audit Report & Findings

2. INTERNAL CONTROL

The Companys internal control situation was last audited by the FID on
,,,,,,,,,,,,,,,,,,,,, We confirm that adequate corrective actions have been initiated
to remove the deficiencies other than the following para of the report.
Observation Target Date of Rectification Reason for failure to rect.

3. REGULATORY COMPLIANCE
(a) Financial Institutions Act 1993 and FI Regulations 1994 and FID Circulars

We confirm that requirements of Bangladesh Bank have been complied with

except the following:

Sl. No Sections and FID Circulars reference Risk Remarks

29
 (b) Income Tax Ordinance 19984 and Income Tax Rules

We confirm that requirements of Income Tax Ordinance 19984 and Income

Tax Rules have been complied with except the following:

(C) Companies Act 1994

We confirm that requirements of the Companies Act 1994 have been

complied with except the following:

(d ) Securities and Exchange Ordinance

We confirm that requirements of the Securities & Exchange Commission

Ordinance and Rules complied with except the following:

(e) Dhaka Stock Exchange Listing Rules

We confirm that requirements of the Dhaka Stock Exchange Listing Rules have
been complied with except the following:

(f) Shops and Establishment Act

We confirm that requirements of the Shops & Establishment Act have been
complied with except the following:

(g) Other Rules & Regulations

4. Computer ACCESS ( if available)

a. We confirm that a full review of Access Levels is made to ensure that no

conflicts exist and no official is holding both IDs to input transactions and Authorise
such transactions.
b. We also confirm that Administrator Passwords are held in dual custody and
the both custodians review the Administrator Journal Report and the Audit Trail
Report (which reports all user access maintenance) and investigate all activities on a
daily basis.

5. CUSTOMER SERVICES STANDARDS

a. The Customer Services Standards of all departments have been checked and
documented as per guidelines from the Company . The shortfalls detected
during the last quarter have been/will be removed within the target set.
b. Customers queries are meet in time as per the time frame fixed by the
company and customers satisfaction note is received and preserved

30
6. DEPARTMENTAL CONTROL FUNCTIONS CHECK LISTS

a. The DCFCLs were completed and documented as per Companys Guidelines

by the concerned departments which are being/have been verified by the designated
independent officials on _______
b. We confirm that no shortfalls have been identified by the Independent
Reviewer and/or the shortfalls identified by him/her are being rectified and will be
completed by __________________ under advice to Head of Compliance.

8. INTERNAL CHECKS

We confirm that all Internal Checks as per Companys Guidelines applicable to us

are being undertaken by the Independent officials designated in writing. All papers
and the reviewers certificates are retained under the control of the Head of
Department for future review by the Bangladesh Financial institutions audit team/
Internal Control Team.

10. RECOVERY OF COSTS

We confirm that the costs of telex/swift/telegrams/telephone/fax and other charges

have been recovered from the Customers where applicable and credited to
Processing Fee A/C

11. FRAUDS, FORGERIES & OPERATING LOSSES

Following transaction(s) involving Frauds/Forgeries/Other Operating Losses

has/have been detected during the quarter ended on ___________ and reported to
Internal Compliance Department

12. RETURNS

We confirm that returns to all Regulatory Bodies have been submitted within the
schedule dates except the following:

Title of Return Due Date Act Date Reasons for Delay

13. LEGAL

We confirm that legal matters are being monitored by us as per Company Policy The
following litigations are pending as of the reporting date:

Party Case Initiated on Brief Description Status

31
14. COMMUNICATIONS

Following meetings of the management were held during this quarter to improve
communication among the members of Officer/Staff. We enclose a copy of the
minutes of the meetings held for information and record.

Name of the Meeting Date of Meeting

15. FIXED ASSETS

We confirm that:

x Quarterly as on March, June and September and December all items of Fixed
Assets were physical check and verified with Fixed Assets Register and
General Ledger.
x The entries passed through Profit and Loss A/c in respect of sale of Fixed
Assets for the quarter ended have been reviewed to ensure that no entry is
outstanding in the books.
x Fixed Assets sold during the quarters have been reviewed for tax purposes
x Fixed Assets of the Company have been physically checked on sample basis
by the independent officers designated by Internal Control team.
x Proper tender/quotations were received before disposing off the assets.

PROTECTION OF VALUABLES

1. MAINTENANCE OF KEYS

We confirm that the Key Register is being maintained as per prescribed procedure.
Dual keys have been maintained in sensitive areas.

2. SAFE CUSTODY

We confirm that Safe Custody items are being maintained under dual custody and
the Last complete independent physical verification of Safe Custody items as per
Internal Control Depts instructions was undertaken on __________. We enclose a
copy of the certificate received from the designated reviewer(s).

3. SAFE DEPOSIT LOCKERS

We confirm that keys to lockers are kept under dual control. The Head of Finance
shall supervise the things.

4. STOCK OF STATIONERY

Stock of Stationery are being kept under dual custody and Bulk/Working Stocks
are being verified each month end by Manager Administration together with
Manager Finance.

32
 5. CASH.

Cash/Prize Bonds / Sanchaya Patras/ Bonds were kept in safe fire proof vault under
dual key. Cash is counted on a daily basis and reconciled with GL balance. Bond
and other instruments are counted for number and value at the end of each month
and tallied with GL balance.

6. SIGNATURE BOOKS

Daily signature book or Attendance Register is maintained at the proper place and
every staff shall put his signature thereon as per Companys policy. The Head of
Administration shall supervise at random each month whether the employees are
putting their signature properly. After verification he shall put his own signature
with date.

VERIFICATIONS

1. All accounts in GL/ Subsidiary ledger were proved and verified during the
quarter and the following wrong entries were detected and rectified promptly
with the consent of Head of Finance & Accounts:

GL Head Voucher no. Vr. Date Amount Appropriate Head

2. We confirm that all outstanding entries in General Suspense (Assets & Liabilities)
are being followed up for early liquidation. We enclose the statements of General
Suspense Accounts as on March, June, September and December for your perusal :

Suspense March qtr June qtr Sept qtr Dec qtr

Account Amt Correct Amt Correct Amt Correct Amt Correct
Head & Head & Head & Head &
Date of Date of Date of Date of
correcti correction correctio correction
on n

PERSONNEL & SUPERVISION

1. Following transfers/movements were affected during the quarter as regards

staff of the Company:

33
Name Transferred Transferred Period with
From To present dept

LEAVE PROGRAMMES

1. Officers/staff are being granted leave as per leave program. Exception are
given below:

Name of staff Department No. of days accumulated

2. Unionized staff has leave were enjoyed by the following staff as per
Service Regulations:

Name of staff Department No. of days Action taken

3. Arrangements have been made to allow all employees including Management

Staff to avail of 10 days uninterrupted leave or half of annual leave entitlement,
whichever is the lesser in terms of service rules.

TRAINING PROGRAMME

Following Officers / staffs have undergone training both inside and overseas
during the quarter :

Name of Department Duration Subject of Place of Cost of Total

Participant of training Training the number of
Training training training
availed in
this
Company

PREMISES MANAGEMENT

1. FIRE/SAFETY STANDARDS

a) Following items have been checked during the quarter ended

March/June/September/December _________.
34
 Fire/Safety Procedure Ref: Standard Achieved/Shortfalls detected

i)

ii)

iii)

iv)

b) Half-yearly Self Audit of Fire/Safety Standards was undertaken and the return
st st
submitted to you for the period ended 31 January / 31 July . by a

separate letter on .

c) We confirm that:

i) Close Circuit Camera was/is functioning properly.

ii) Security Alarm system was functioning properly.

iii) Recording of the arrival and departure time of all personnel

occupying the Premises outside working hours and after financial
institutions hours are being documented/reviewed by the Manager
,Administration on the Registers maintained for these purposes.

d) All electric wiring were checked by M/s .. on

and certificates obtained and kept in file for future audit /
inspection. We enclose a copy of the certificate for our record.

e). The premises were inspected on holidays by the officers on rotation.

Immediate action was taken on shortfalls detected through the checklist
maintained which is retained after taking appropriate action as applicable
for future audit/inspection.
f) The premise and the equipment and assets are under fire insurance cover
which is renewed and updated. Besides there is a burglary insurance for the
assets.

(Head of Finance & Administration) (Depart. Manager)

35
 APPENDIX 7.6

LOAN DOCUMENTATION CHECKLIST

Borrower :

Registered Address :

STATUS: Individual / Proprietorship / Partnership / Limited Company A/c No.

First obtain General Documents. Then identify the Collateral and obtain specific
documents listed hereunder. Leave out documents not called for by the terms of the
Credit Approval and Facilities Advice Letter (Sanction Letter).

Sl. DESCRIPTION REQD DATE DATE EXPIRY ORIGINAL TAKA

No . () OF RECEIVED DOC AMOUNT
DOC. LOCATED
IN
GENERAL
A.
DOCUMENTS
1. Letter of Borrower
requesting for new
facilities / renewal
2. Authority of Borrow to
Borrow (Letter of
authority from partners
in case of partnership
concern and resolution in
case of limited company)
with list of
Partners/Directors
3. Form XII (Particulars of
Directors) certified by
RJSC regarding list of
existing Directors for
limited company
4. Sanction Letter: accepted
unconditionally by
Borrower
Demand Promissory
5.
Note
6. Letter of Continuity
7. Deed of Partnership (for
Partnerships; Borrower /
third party), By-Laws etc.
36
8. Memorandum and
Articles of Association
(for limited company
Borrower / third party)
with Certificate of
Incorporation
9. Letter of Arrangement
10. Letter of Disbursement
11 Revival Letter

B. LIEN OF ACCOUNT
1. Resolution to lien account
proceeds (for Third Party
partnerships and limited
cos.)
2. Letter of Lien and Set- Off
(Pledge Agreement)

PLEDGE OF
C.
DEPOSITS/S. PATRA
1. Resolution to deposit (for
Third Party partnerships
and limited company)
2. Fixed Deposit Receipts /
Sanchaya Patra / Bonds
endorsed by holder(s)
3. Letter of Guarantee by
depositor (if the deposit
stands in the name of
Third Party)
Sl. DESCRIPTION REQD DATE DATE EXPIRY ORIGINAL TAKA
No . () OF RECEIVED DOC AMOUNT
DOC. LOCATED
IN
4. Letter of Lien and Set Off
(Pledge Agreement)
5. Letter of Authority for
encashment of Sanchaya
Patra/ Fixed Deposits

D. PLEDGE OF SHARES
1. Resolution to deposit (for
Third Party partnerships
and limited company)
2. Share certificates
3. Blank transfer forms for
each share certificate
(Form 117)
Memorandum of Deposit
4.
of Shares
37
5. Letter of Guarantee by
the shareholder (if the
share stands in the name
of person other than
borrower)
6. Irrevocable letter of
authority for collection of
dividends, bonus etc.
addressed by the
shareholder to the
relative company.
7. Notice of pledge by the
shareholder to the
relative companies.

PLEDGE OF
E.
INVENTORY
Letter of Pledge / Pledge
1.
Agreement
Letter of Disclaimer (if
2.
required)
3. RJSC Search Report (for
limited company
partnerships; Borrower /
third party)
4. RJSC Form 18, and receipt
of filing with RJSC
Certificate of registration
5.
from RJSC
6. Modification of Letter of
Pledge / Pledge
Agreement of Inventory
7. RJSC Form 19, and receipt
of filing with RJSC
8.
Insurance Policy

HYPOTHECATION OF
F.
INVENTORY
1. Resolution to hypothecate
inventory (for Third Party
partnerships and limited
cos.)
2. Letter of Hypothecation
of Inventory /
Hypothecation
Agreement
3. RJSC Search Report (for
limited company.
partnerships;
borrower/third party)

38
4. RJSC Form 18, and receipt
of filing with RJSC
Certificate of registration
5.
from RJSC
Modification of Letter of
6. Hypothecation of
Inventory
Sl. DESCRIPTION REQD DATE DATE EXPIRY ORIGINAL TAKA
No . () OF RECEIVED DOC AMOUNT
DOC. LOCATED
IN
of Inventory
7. RJSC Form 19, and receipt
of filing with RJSC
Insurance Policy - jointly
8.
insured

G. TRUST RECEIPT
1. Trust Receipt Agreement

H. HYPOTHECATION OF
RECEIVABLES/BOOK
DEBTS
1. Resolution to hypothecate
receivables / book debts
(for Third Party
partnerships and limited
company)
2. Letter of Hypothecation
of Receivables / Book
Debts (Hypothecation
Agreement)
3. RJSC Search Report (for
limited
company/registered
partnerships;
borrower/third party)
4. RJSC Form 18, and receipt
of filing with RJSC
Certificate of registration
5.
from RJSC
6. Modification of Letter of
Hypothecation of
Receivables
7. RJSC Form 19, and receipt
of filing with RJSC

I. HYPOTHECATION OF
MACHINERY AND
EQUIPMENT

39
1. Resolution to hypothecate
inventory (for Third Party
partnerships and limited
cos.)
2. Letter of Hypothecation
of Machinery and
Equipment /
Hypothecation
Agreement
3. RJSC Search Report (for
limited company.
partnerships;
borrower/third party)
4. RJSC Form 18, and receipt
of filing with RJSC
Certificate of registration
5.
from RJSC
6. Modification of Letter of
Hypothecation of
Machinery & Equipment
7. RJSC Form 19, and receipt
of filing with RJSC
Latest list of machinery &
8.
equipment
9.
Insurance Policy

ASSIGNMENT OF
J.
RECEIVABLES
1. Resolution to assign
receivables (for Third
Party partnerships and
limited cos.)

Sl. DESCRIPTION REQD DATE DATE EXPIRY ORIGINAL TAKA

No . () OF RECEIVED DOC AMOUNT
DOC. LOCATED
IN
Deed of Assignment of
2.
receivables
3. Notification and
acknowledgement of
assignment and
confirmation of
receivables from the
debtor
4. Letter of arrangement of
Escrow Account among
three parties, lessor,
lessee and the bank.
K. MORTGAGE

40
1. Letter of nomination of
third party mortgagor
from Borrower with
attested specimen
signature of mortgagor
2. Resolution to mortgage
and guarantee (for Third
Party partnerships and
limited company)
3. Copy of valid ID (for
Third Party individual
mortgagor)
4. Personal Guarantee from
Third Party mortgagor
5. Original title deeds of
mortgagor and previous
owners (Bia- Deed)
C.S., S.A. and R.S.
6.
Parchas
7. Mutation Parchas in
mortgagors name,
certified by Assistant
Commissioner of Land
8. Duplicate carbon receipt
for mutation case
9. Letter of no objection of
lessor for mortgagor to
mortgage (for leasehold
property)
10. Land development tax
receipts of the
immediately preceding
Bengali year
11. Municipal holding tax
receipts for property in
municipalities
12. Building/factory plan
with letter of approval
Real Estate Appraisal /
13.
Valuation report
14. RJSC Search Report (for
limited
company/registered
partnerships;
borrower/third party)
15. Memorandum of deposit
of title deeds (for
equitable mortgages)
with legal counsels
approved draft.

41
16. Mortgage Deed and
registration receipt
endorsed by mortgagor
(for legal/Registered
mortgage) along with
Power of Attorney
17. RJSC Form 18, and
receipt of filing with
RJSC if property in the
name of ltd cos.
Certificate of registration
18.
from RJSC
19. Modification of
Memorandum of deposit
of title deeds
20. RJSC Form 19, and
receipt of filing with
RJSC
21. Income Tax Clearance
Certificate as required
for Registration
Non Encumbrance
22. Certificate from Land
Registrar

Sl. DESCRIPTION REQD DATE DATE EXPIRY ORIGINAL TAKA

No . () OF RECEIVED DOC AMOUNT
DOC. LOCATED
IN
Registrar
L. GUARANTEE
1. List of
Directors/Partners with
specimen signatures,
certified by company
secretary or chairman, or
managing partner (for
limited company and
partnerships)
2. Resolution to guarantee
(for limited company and
partnerships)
3. Net Worth Statements
(NWS) for
individuals/guarantors
4. Letter of Guarantee
Letter of Counter
5.
Indemnity

TERM LOAN
M.
AGREEMENT

42
1. Term loan agreement
between Borrower and
the Company
2. Draft Term Loan
Agreement approved by
Head of Credit Risk
Management Division
and Legal Counsel.

SECURITY SHARING
N.
AGREEMENT
Whether Charge is
created to RJSC
1
Through Form XVIII
and Form XIX
Security Sharing
2.
Agreement
3. Draft Security Sharing
Agreement approved by
Head of Credit Risk
Management Division
and Legal Counsel.
4.
O. SYNDICATION
1. Accepted Mandate Letter
2. Accepted Term Sheet
Information
3.
Memorandum
4. Participation letters
5. Facilities Agreement
Powers of Attorney of
6.
participants
7. Accepted Fee Letter
8. Legal counsels opinion
9. Head of Credit Risk
Management and Legal
Counsel approval of
documents.
P. OTHER DOCUMENTS

DEPARTMENT/UNIT NAME DATE SIGNATURE

MANAGER:
CREDIT
ADMINISTRATION:

43