Appendix to Resolution No. 2017-P-12/25-3-(RLA) 

of the National Bank of the Kyrgyz Republic Board as of June 15, 2017  

 

RULES 

for Formation of the Internal Control System and the Internal Audit in Banks and Non-banking Financial and Credit Institutions Licensed and Regulated by the National Bank of the Kyrgyz Republic  

 

1. General Provisions 

1. These Rules for formation of the internal control system and the internal audit in banks and non-banking financial and credit institutions licensed and regulated by the National Bank of the Kyrgyz Republic (hereinafter the Rules) set the requirements to organization of the internal control system and the internal audit in the banks and the micro-finance companies authorized to mobilize deposits, including the banks and the micro-finance companies that carry out the operations under the Principles of Islamic Banking and Finance or have an “Islamic window”, in “Financial Company of the Credit Unions” OJSC, licensed and regulated by the National Bank of the Kyrgyz Republic (hereinafter the National Bank) as well as in the State Development Bank of the Kyrgyz Republic (hereinafter the bank). 

2. The aim of the Rules is to determine the requirements to formation of the internal control system in the bank ensuring the effective control from the side of the Board of Directors, the Management Board of the bank over the activity of the bank and its financial position by ensuring: 

- the proper practice of corporate management and the due level of the business ethics and culture; 

- compliance of the bank and its employees with the requirements of the legislation and the regulatory legal acts of the Kyrgyz Republic; 

- compliance of the bank and its employees with the requirements of policies and other internal documents of the bank; 

- effective risk management in the bank through their timely detection, measurement, control and monitoring in order to ensure the adequacy of the bank's capital to the level of the risks taken by it; 

- timely detection and elimination of the shortcomings in the activity of the bank and its employees; 

- creation of the adequate mechanisms in the bank in order to solve contingent and emergency situations. 

3. The following terms are used in the Rules: 

Internal audit is an activity (an independent expert function) to audit and to assess adequacy and effectiveness of the bank's internal control system carried out by an independent internal audit service that is created to carry out the internal audit and to assist the management bodies of the bank to ensure effective and safe operation of the bank based on the objective assessment and the recommendations to improve the internal control system of the bank. 

Internal control is a continuous process carried out by the bank in order to ensure a well-ordered and effective activity in accordance with the requirements of the legislation of the Kyrgyz Republic and the internal documents of the bank. 

The internal control system of the bank is a set (system) of interconnected control measures at all levels of management and areas of the bank's activity in order to ensure achievement of aims and organization of the bank's safe activity. 

The conflict of interests is a situation, under which the contradiction occurs between the personal interest of the bank's officers and/or its employees and proper execution of their job duties or the property and other interests of the bank and (or) its employees and (or) clients that can entail the risks of unfavorable consequences for the bank and (or) its clients. 

2. Organizing the Internal Control System 

4. Organization of the risk management system is formed in accordance with the requirements of the Regulation “On Minimum Requirements to Risk Management in the Banks of the Kyrgyz Republic”. 

5. The internal control system of the bank shall enable the bank on a constant basis to identify and to assess the risks that can have an unfavorable influence on achievement of the aims in the bank's activity. 

6. The internal control system of the bank shall include the following components: 

- a relevant organizational structure of the bank that envisages competence, separation of authorities and responsibility of the management bodies, the structural subdivisions and the officers of the bank, the remuneration system in the bank; 

- a relevant internal information system and a management reporting system enabling to take decisions in time and to ensure the information security; 

- constant monitoring of the risk management and risk assessment system; 

- relevant internal control procedures; 

- periodical self-assessment of the internal control system in order to detect its shortcomings and to improve it. 

7. The internal control is directed at achievement of the following aims by the bank: 

- effectiveness and efficiency of the activity, effectiveness of assets and liabilities management, ensuring safety of assets, effective risk management; 

- ensuring reliability, completeness, objectiveness and timeliness of preparation and submission of financial, regulatory and other reporting for internal and external users; 

- compliance with the legislation of the Kyrgyz Republic and the internal documents of the bank. 

8. A mother/banking holding company of the banking group is obliged to organize the internal control system in the banking group on a consolidated basis so as to ensure timely receipt of the information on the activity of the banking group's members in order to assess the effectiveness of the activity of such members and their compliance with the requirements of the legislation and the internal documents. 

9. The Board of Directors in the bank is obliged to ensure proper organization and operation of the bank's internal control system and for purposes of effective fulfillment of the imposed duties shall monitor and control the issues of risk management, the activity of the internal audit and compliance-control services, compliance with the requirements of the legislation of the Kyrgyz Republic and the internal documents of the bank, including through the Committees authorized in these issues. 

10. The Board of Directors in the bank monitors, controls and assesses the activity of the bank's Management Board. The Board of Directors in the bank shall carry out the following activities: 

1) in order to monitor, to control and to assess the activity of the Management Board in the bank, approve the assessment criteria of the Management Board of the bank that include, but are not limited to the following: 

- correspondence of the bank's activity to the internal documents (the policies) of the bank; 

- sustainability of the bank's financial position; 

- effectiveness of the banking operations; 

- quality of the bank's operation on consideration of the clients' addresses that occurred in the process of the banking services provision; 

- compliance with the requirements of the legislation of the Kyrgyz Republic; 

2) monitor and control correspondence of the professional level of the bank's Management Board to the types, the level of complexity of the bank's activity and its risk appetite; 

3) receive the managerial information and listen to the report of the bank's Management Board on the results of the activity that shall contain sufficient/exhaustive information on the following issues (but not limited to them): 

- regarding achievement of the aims by the Management Board of the bank set in the strategy of the bank specifying the reasons, if any, preventing from their achieving; 

- regarding assessment of internal and external operating conditions of the bank and organizations reporting to it and their changes; 

- regarding compliance of the bank's activity with the strategy and the policies approved by the Board of Directors of the bank; 

- regarding the level of stability/volatility of the bank's profitability; 

- regarding the bank's profitability by determining the fact that the bank's profitability is a result of the bank's strategy implementation or a result of the bank's operations that increase the short-term profitability but cause the risk in the long term; 

- regarding the state of the internal control in terms of its ability to enable the Management Board of the bank to detect in time incorrect, incomplete or unauthorized operations, shortcomings in the activity ensuring the safety of the assets, errors in compilation of the financial and regulatory reporting, violations of the bank's internal documents, the legislation of the Kyrgyz Republic, to avoid the conflict of interests, internal abuses and fraud with regard to the related structures; 

- regarding effectiveness of the risk management system in the bank; 

- regarding the state and the adequacy of the internal models and the information systems for management of the bank and its risks, their ability to identify, to measure, to assess and to manage effectively the risks common to the bank specifying, if required, the needs in their optimization; 

- regarding assessment of the bank's capital adequacy to maintain its risk appetite and strategy; 

- regarding the state of the financial statements in terms of reflecting full, accurate and reliable assessment of the bank's financial position in it; 

- regarding control and monitoring over submission of the regulatory reporting to the National Bank in terms of timeliness, reliability and completeness; 

- regarding conformity of the activity results and the current risk appetite with the acceptable risk level determined in the strategy of the bank; 

- regarding timeliness, completeness and quality of violations and shortcomings elimination by the Management Board of the bank that have been detected by the compliance-control service, an internal, external auditor and banking supervisory authorities; 

- regarding fulfillment of the recommendations by the Management Board of the bank made by the compliance-control, the risk management, the internal audit services and the banking supervisory authorities. 

Depending on the results of the special-purpose discussion and the assessment, the Board of Directors of the bank passes relevant decisions on each issue aimed to improve the activity of the bank and to ensure the financial sustainability of the bank specifying the necessity to elaborate and (or) to implement specific measures, responsible persons and their implementation periods, and entrusts a relevant authorized person (persons) with the monitoring and the control over fulfillment of the bank's Board decisions. 

11. The relevant control environment is established for all structural subdivisions of the bank, the branches and the daughter companies of the bank. 

12. The effective internal control system shall ensure constant identification (detection), assessment of the risks accompanying the activity of the bank and taking adequate and timely measures to mitigate the risks. The internal control system shall be adjusted as far as any new or previously uncontrolled risks are detected (for example, due to introduction of new financial services and products, etc.). 

13. The control measures include a set of control actions and responsibility of all management levels and fulfillment of the bank's operations and shall ensure the relevant control over distribution of authorities and duties when carrying out the operations and the transactions of the bank. 

The control actions shall be an integral part of the daily actions of all employees in the bank and shall be reflected in all operations of the bank. 

3. Requirements to the Internal Control Procedures 

14. The internal documents shall be developed and approved in the bank that contain a policy, methods and procedures of the internal control that shall be consistent, have a proper degree of detail according to the scale and the complexity of the bank's activity and shall be applied uniformly in all its subdivisions. 

The specified internal documents shall be assessed at least once a year according to the significant changes for the bank in its activity and the state and according to the results of the assessment, if required, relevant alterations shall be introduced. 

15. To ensure the effectiveness of the control measures, the Management Board of the bank shall: 

- timely bring relevant internal documents (policies, procedures) to notice of those employees in the bank who shall use them in the course of their work; 

- organize the training of the bank's employees in relevant internal control procedures of the bank. The training includes clarification of the interrelation between fulfillment of the individual duties of each employee and the general objectives envisaged by the bank's policy. 

16. The bank is obliged to exercise the preliminary control prior to actual conduct of banking and other operations (transactions) and uses the following types of the internal control: 

- in the area of selection of the bank's officers subject to agreement with the National Bank, by a careful analysis of the qualification and the professional experience in the financial and economic and/or legal area required for fulfillment of definite work (job duties) and selection out of the candidates that are more skilled and qualified specialists having the impeccable reputation; 

- in the area of the funds mobilization and placement through a preliminary analysis of the effectiveness of the operations carried out by the bank by determining the optimal means and methods for their conduct in order to prevent or to restrict the potential losses; 

- in the area of the physical resources by providing the bank with required technical facilities, equipment, modern automated information systems and technologies based on the financial means of the bank and in accordance with the internal documents of the bank; 

- in the area of separation of duties and authorities by developing and approving uniform internal documents determining methods, procedures, the manner for conduct of banking and other operations (transactions), objectives, functions and authorities of the subdivisions (the business lines, the business processes) and their heads, job descriptions of the employees as well as by setting and regular revising the limits and other restrictions; 

- in other areas determined in the internal documents of the bank. 

17. The current control over conducted banking and other operations (transactions) and another activity, compliance with the set procedures of a decision taking on conduct of banking and other operations (transactions), the established document flow shall be exercised within an operation day of the bank in the course of the entrusted duties fulfillment by the employee. The current control is exercised to prevent the facts of deviations from the requirements of the legislation, the internal documents of the bank, timely and reliable reflection of banking and other operations (transactions) in the accounting, ensuring the target use and the safety of the bank's property. 

18. The follow-up control is exercised after conduct of banking and other operations (transactions). In the process of the follow-up control relevance and correctness of the operations (the transactions), correspondence of the documents to the established forms and the requirements to their execution, compliance of the duties fulfilled by the employees with their job descriptions, observance of the established procedures of documents verification, agreement and endorsement are checked, effectiveness of the information security is assessed, distribution of the duties between the employees is analyzed, cause-and-effect relations of the violations and the shortcomings are revealed and the measures for their elimination are determined, planned and forecasted indicators are adjusted. 

The procedure for exercise of the preliminary, current and follow-up control shall be set by the bank in the internal documents in accordance with the specific nature of the solved objectives. 

19. The control actions include at least the following: 

- the control exercised by the Board of Directors/the Management Board of the bank by requesting the reports and the information on the results of the structural subdivisions' activity, clarifications of the heads of the structural subdivisions in order to detect the shortcomings in the internal control, the violations and the errors; 

- the control actions implemented by the heads of the structural subdivisions in the bank by checking the reports of the subordinate employees on a constant and periodical (daily, weekly and/or monthly) basis; 

- the control over physical presence exercised by checking the access restrictions to the tangible assets (cash, securities, etc.), recount of the tangible assets, separation of the responsibility for storage and use of the tangible assets, ensuring security of the premises for storage of the tangible assets; 

- the legal control exercised by the expert review of the contractual relations on carried out banking and other operations (transactions) and another activity; 

- the check against the set limits; 

- the system of operations and transactions agreement and authorization, the check of their proper reflection in the accounting and the reporting; 

- the technological control exercised in the process of preparation and conduct of banking and other operations (transactions) and another activity in the automated mode by checking compliance of relevant technical codes and standards in the area of the information systems and the information technologies; 

- the control over the activity of a service provider's organization under an outsourcing agreement; 

- the check of compliance with the policies and the procedures of the bank when carrying out operations and transactions of the bank. 

20. The control actions within separation of the duties shall contribute to exclusion of the conflict of interests and the conditions for its occurrence, commitment of illegal actions as well as prevention from providing the same structural subdivision or the same employee with the opportunity: 

- to carry out banking operations and other transactions and to reflect them simultaneously in the accounting; 

- to authorize payment of the funds and to make their actual payment; 

- to assess reliability and completeness of the documents submitted upon loan disbursement and to carry out the monitoring of the loan repayment; 

- to carry out actions in any other areas of the activity, where the conflict of interests can occur. 

21. The areas of the potential conflicts of interests shall be determined, minimized and subject to independent monitoring. 

22. In order to ensure separation of the responsibility when taking any decisions and when carrying out the operations and, thereby, to ensure protection against the fraudulent actions, no employee shall carry out the operations from the start and until the end (for example, an employee responsible for approval of the loan shall not be involved into conduct of settlement and cash operations on loan disbursement or an employee authorizing conduct of the operation shall not verify the balances on this operation with the ledger). 

23. The internal control system shall be provided with the qualified specialists, the required information systems and the software and hardware facilities enabling to collect, to process, to analyze, to transmit and to protect the information used for the internal control. 

The bank shall carry out a constant analysis of the existing information systems against their ability to ensure functioning of the internal control system in accordance with the requirements set by these Rules and to improve (to actualize) timely these systems or to introduce new ones. 

24. The procedure for control over management and ensuring of the safe information flows, including the procedure for protection from the unauthorized access and disclosure of the confidential information as well as from use of the confidential information for personal purposes shall be set in the internal documents of the bank taking into account these Rules and cover all areas of the bank's activity and operations. For this purpose, the bank shall: 

1) possess adequate and exhaustive financial and other required data in the online mode and have the information on events and conditions at the market that can influence the decision-taking process of the bank's management; 

2) ensure the internal control over the automated information systems and the hardware, including: 

- the general control over the automated systems that envisages the control over the computer systems (the control over the host computer, the client-server system and the working places of the end users, etc.) exercised in order to ensure uninterrupted and continuous operation. The general control consists of the data back-up (copying) procedures and the functions recovery procedures of the automated information systems performed by the bank, provision of the support within the period of the automated information systems use including determination of the rules for purchase, development and maintenance of the software, the procedure for control over the physical access security; 

- the software control that is exercised by the automated procedures integrated into the application programs as well as by the procedures carried out manually that control processing of the banking operations and other transactions (edit check, logical access control, internal back-up and data restoration procedures, etc.). 

25. The control over ensuring timeliness, reliability and adequacy of the bank's financial information requires checking at least the following: 

- the accounting system in the bank against compliance with the International Financial Reporting Standards and the requirements of the legislation of the Kyrgyz Republic; 

- in the bank carrying out the operations under the Principles of Islamic Banking and Finance the accounting system in the bank against compliance with the standards of the Accounting and Auditing Organization for Islamic Financial Institutions (the AAOIFI) (if there are no definite standards against compliance with the IFRS standards provided they do not contradict with the Sharia standards approved by the AAOIFI) and the safe standards of the banking practice adopted in the Kyrgyz Republic; 

- presence of the internal document (the regulation) in the bank for making accounting records and entries; 

- making the accounting records on a daily basis and reflecting each operation of the bank; 

- presence of the reporting reflecting the financial position of the bank for each day; 

- coincidence of the personal accounts data, especially ones related to deposits, loans, FX operations and other operations with the data of the bank's ledger; 

- making regular reconciliations by the employees that are not involved into the authorization process or reflection of the operations in the financial statements; 

- presence of documentation formed in a way that any operation of the bank can be monitored from the beginning and until the end or the current state; 

- presence of confirmation by the primary documents of all the bank's operations and confirmation of any changes in conduct of the operation by relevant records. 

26. The monitoring of the internal control system in the bank is carried out on a constant basis that at least includes the following: 

- monitoring of the bank's internal control system that is based on conduct of the measures to prevent, to detect and to eliminate timely the violations and the errors in the actions of the employees and the operation of the systems (processing and storage of the information, safeguarding security systems and so on) of the bank. The procedure for conduct of the specified measures (methodology, rules, periodicity, the procedure for consideration of the monitoring results, etc.) shall be determined in the bank's internal documents; 

- assessment of the internal control risk (i.e. the risk that the envisaged control measures will not enable to prevent, to detect and to eliminate possible violations and errors). It is important to consider such qualities as competence and honesty of a specific employee, which shall be inherent in all employees of the bank required at this position and functional duties relevant for this position; 

- fulfillment of the business recovery plan in the event of contingencies using back-up automated systems and/or devices including recovery of the systems critical for the bank activity supported by an external service provider. The internal documents shall determine the procedure to check fulfillment of these plans and to check the plans in terms of their practicability in the event of contingencies as well as the list of possible contingencies with regard to which the action plans are developed; 

- elimination of the shortcomings in the activity of the employees, operation of the systems and the bank. The priority shall be detection of conditions and reasons that have led to deliberate or undeliberate actions that have entailed the negative consequences; 

- presence of the internal control procedures that are a required but not residual condition. The Management Board of the bank shall ensure timely and qualified fulfillment of these procedures. 

According to the results of the monitoring by the relevant services of the bank, a report shall be prepared specifying the detected shortcomings and the proposed measures to improve the effectiveness of some control procedures and/or the internal control system of the bank within the frameworks of the scheduled audits. 

27. The internal audit, the risk management and the compliance-control services reporting to the Board of Directors must function on a regular basis in the bank. 

4. Organizing the Compliance-control System  

28. For purposes of the effective compliance-control in the bank, the Board of Directors of the bank is obliged to create the Compliance-control service. The Board of Directors of the bank taking into account the recommendations of the Appointment and Remuneration Committee shall appoint the head of the Compliance-control service and its employees, determine the amount of the labor remuneration and determine the number and the staff of this service. 

A candidate for the position of the head of the Compliance-control service in the bank shall be approved by the National Bank in the manner set by the regulatory legal acts of the National Bank. 

29. To avoid the conflict of interests, the functions of the head of the Compliance-control service shall not include management of the activity in the subdivisions (the business lines, the business processes) and the employees of the bank, generating the risks (except for operation, reputation, strategic risks) involved into risk management, responsible for the accounting and the financial reporting in the bank, including management of the Internal audit service. 

30. The Management Board of the bank receives the information on the shortcomings and the violations detected in the process of the compliance risk management specifying the reasons for their occurrence and the recommendations for their elimination from the Compliance-control service. 

The Management Board of the bank according to the results of the received information analysis ensures taking remedial or disciplinary measures aimed at ensuring the effectiveness of the compliance risk management system functioning. 

According to the results of the carried out work, the head of the Compliance-control service submits a report to the Board of Directors of the bank on an as-needed basis, but at least once a year. In addition, the head of the Compliance-control service shall prepare a report on the issues of anti-money legalization (laundering) and counter financing of terrorism or extremism as well as conduct of operations having the signs of the suspicious operations (AML/CFTE) in accordance with the requirements of the Regulation “On Minimum Requirements to Organization of the Internal Control in the Commercial Banks for Purposes of Anti-money Legalization (Laundering) and Counter Financing of Terrorism or Extremism”. 

31. The Compliance control service develops a draft compliance program (plan) and submits the draft compliance program (plan) to the Board of Directors of the bank for approval. 

32. The Compliance-control service efficiently reports to the Board of Directors of the bank on any significant shortcomings (events, transactions) that can lead to occurrence of the compliance risk. 

33. The Compliance-control service operates based on the regulation on this service approved by the Board of Directors. The employees of the Compliance-control service cannot fulfill other work that is not related to the compliance-control. 

34. The Compliance-control service shall perform, but not be limited to the following functions: 

1) developing the manner, the methods and the procedures for detection, measurement, monitoring and control over the compliance risk of the bank, including on a consolidated basis; 

2) preparing the compliance program (plan) determining the planned activity of the compliance-control subdivision including: 

- on introduction and (or) check of relevant policies and procedures of the bank; 

- on conduct of periodical checks (at least once a quarter) of the bank's compliance with the legislation of the Kyrgyz Republic regulating the issues of banking services provision and banking operations conduct as well as the legislation of the foreign states significantly influencing the activity of the bank in order to determine the degree of the bank's exposure to the compliance risk; 

- on training of the staff in the issues of the compliance risk management; 

3) assisting the Management Board of the bank in the bank's compliance risk management; 

4) controlling conduct of the monitoring over correspondence of the bank's activity and its employees to the policies and the procedures of the compliance risk management according to the legislation of the Kyrgyz Republic; 

5) controlling the organization of the bank's operation on consideration of complaints (applications) of the bank's clients; 

6) advising the management and the employees of the bank on laws, rules and standards applied to the bank and relating to the compliance risk management, including the last changes in them; 

7) controlling the organization of the bank's operation on familiarization of all employees in the bank with the requirements of the bank's internal documents regulating the procedure for provision of the banking services and conduct of the banking operations; 

8) organizing the training of the bank's employees in the issues of the compliance control; 

9) coordinating the activity of the bank's daughter organizations in the issues of the compliance risk management; 

10) organizing in the bank the internal control on AML/CFTE according to the requirements of the regulatory legal acts on AML/CFTE of the National Bank; 

11) providing the conclusion in the process of introduction of new banking products and services; 

12) developing and carrying out the activities to control use of the insider and confidential information; 

13) developing and carrying out the activities to detect, to assess and to control the conflict of interests; 

14) monitoring compliance of the bank and its employees with the recommendations to eliminate the detected violations and shortcomings in the bank's operation related to the compliance risk management and submitting the relevant information to the Board of Directors of the bank (an authorized Committee); 

15) developing and maintaining the reporting system on the compliance risks and submitting the information on a periodical basis in the issues of the compliance risk management in the bank to the Board of Directors of the bank (an authorized Committee, the management board of the bank); 

16) developing the procedure for interaction and coordination of work on the compliance risk management with the structural subdivisions of the bank, including with the Internal audit service. 

35. The following requirements are set to the bank to determine the rights and the duties of the employees on interaction with the Compliance-control service: 

- the employees of the bank's subdivisions shall provide assistance to the Compliance-control service in fulfillment of its functions. The Management Board of the bank upon the recommendation of the head of the Compliance-control service sets the procedure for interaction of the bank's structural subdivisions with the Compliance-control service; 

- the employees of the bank, who have become aware of the banking legislation violations in carrying out the banking activity made by the employees of the bank when carrying out the banking operations (transactions) are obliged to bring these facts to notice of their immediate supervisor and the Compliance-control service; 

- if in carrying out the banking operations (transactions), the employees have doubts about correspondence of a specific operation (transaction) or its part to the requirements of the current banking legislation and the standards of the professional activity when providing the banking services, they can apply for an advice to the Compliance-control service; 

- the employees of the bank cannot without a preliminary notice to the Compliance-control service take part in the operations (the transactions) of the bank at the financial markets of other countries, if they are interested persons in their conduct, carry out the banking operations (transactions) in their own interests and at their own expense. 

5. Organizing the Internal Audit in the Bank 

36. The internal audit system represents the system of organization, the policy, the procedures and the methods adopted by the bank to check and to assess objectively the effective functioning of the internal control and the risk management systems in all aspects of the bank's activity in order to ensure the effective activity of the bank and to provide the effective recommendations for its improvement. 

37. The Internal audit service is obliged to check the activity of the bank, including the internal control system and assessment of the effectiveness of the bank's business processes. 

The Internal audit service shall not be involved in the conduct of banking and other operations (transactions) and another activity of the bank subject to the internal audit, in the development (preparation) of the bank's internal documents (except for ones regulating the activity of the Internal audit service) or in the daily internal control procedures. The head and the employees of the Internal audit service have no right to sign payment instructions and (or) cash, accounting and other documents on behalf of the bank in accordance with which the bank assumes the banking risks or to endorse such documents, except for the documents that relate to fulfillment of immediate functions of the Internal audit service. 

The Board of Directors of the bank taking into account the recommendations of the Appointment and Remuneration Committee appoints the head and the employees of the Internal audit service, determines the amount of the labor remuneration and determines the number and the staff of this service. 

A candidate for the position of the head of the Internal audit service in the bank shall be approved by the National Bank in the manner set by the regulatory legal acts of the National Bank. 

38. The activity of the Internal audit service shall be regulated by the internal document of the bank, at that, the following shall be determined in it: 

- the aim and the area of the activity of the Internal audit service; 

- principles (standards) and methods of the activity of the Internal audit service; 

- objectives, functions, rights and duties of the Internal audit service; 

- rights and duties of the head of the Internal audit service; 

- conditions and the procedure for reporting of the Internal audit service to the Board of Directors (a supervisory board), the Audit Committee, the Management Board of the bank as well as the head of the bank's subdivision, where the internal audit has been carried out on the results of the audits of the Internal audit service; 

- conditions and the procedure for reporting of the Internal audit service to the Board of Directors (a supervisory board), the Audit Committee and the Management Board of the bank on the events that prevent the Internal audit service from fulfillment of its functions; 

- conditions and the procedure for involvement of the Internal audit service into provision of the consultations when carrying out the current activity of the bank; 

- responsibility of the head of the Internal audit service for non-fulfillment (undue fulfillment) of the imposed duties; 

- the procedure for interaction of the Internal audit service with the subdivisions and the employees of the bank, the authorities of the Internal audit service regarding the access to the bank's premises, to the bank's documents as well as regarding receipt of the information and the clarifications from the employees of the bank that can be required to carry out its functions by the Internal audit service; 

- the procedure for reporting of the Internal audit service on carried out and planned banking and other operations (transactions) and another activity of the bank, taken decisions and internal documents of the bank as well as other issues in the activity of the bank required for fulfillment of its functions by the Internal audit service; 

- conditions and the procedure for taking decisions on involvement of a third-party organization into fulfillment of works to carry out the internal audit in the bank (outsourcing the internal audit) of some operations or areas of the activity (the business lines, the business processes), if the Board of Directors in the bank takes such a decision. 

39. The activity of the Internal audit service in the bank shall be carried out in accordance with the following principles: 

- independence and objectiveness. 

The internal audit of the bank is independent of the current activity of the bank. 

The internal auditors are independent, impartial, non-biased in their work and avoid the conflict of interests. 

To ensure impartiality, the internal auditors shall not be involved in selection and fulfillment of the internal control measures and the risk management. 

The internal auditors do not participate in the audit of the activity or the functions fulfilled by them within the last twelve months in this bank and its daughter companies. An auditor involved in the activity of the bank subject to the audit is not entitled to consider separate documents or operations that have been previously adopted or carried out with his involvement. 

The remuneration of the internal audit employees shall not be related to the financial performance of the bank. The remuneration for work of the head or the employees of the Internal audit subdivision shall not create the conflict of interests and the damage to the independent assessment of the audit items. If the conflict of interests occurs, the employees of the internal audit shall notify the Audit Committee; 

- professionalism and competence. 

The professional competence of the employees of the bank's Internal audit subdivision is a ground for effective internal audit in the bank. 

The employees of the Internal audit subdivision shall have sufficient knowledge of the banking activity and the internal audit methods, have the skills to collect the required and adequate information, to analyze and to assess it for fulfillment of their job duties. 

The employees of the Internal audit service shall know the International Auditing Standards and the International Financial Reporting Standards. In the bank carrying out the operations in accordance with the Principles of Islamic Banking and Finance, the employees of the Internal audit service shall know the International Auditing Standards, the International Financial Reporting Standards and the standards of the Accounting and Auditing Organization for Islamic Financial Institutions (the AAOIFI); 

- professional ethics. 

The internal auditors in their activity comply with the code of ethics and the requirements of the Kyrgyz legislation and follow the international internal audit standards. 

40. The Internal audit service is obliged to: 

- develop an internal document of the bank regulating the activity of the Internal audit service; 

- develop a plan of work for the Internal audit service, submit it for approval to the Board of Directors (a supervisory board) as well as inform the Board of Directors (a supervisory board) and the Audit Committee about its fulfillment; 

- determine the riskiest operations and areas of the activity (the business lines, the business processes) to prepare the plan of work for the Internal audit service; 

- assess in the course of the audits the effectiveness of the internal control system on a consolidated basis including the check of the internal control procedures in the areas of the activity (the business lines, the business processes); 

- assess in the course of the audits the effectiveness of the risk management system on a consolidated basis, including the check against completeness of application and correctness of the assessment methodology of the banking risks, the banking risks management procedures, as well in the organizations included into the banking group and (or) the banking holding, the head organization of which is this bank; 

- assess reliability and completeness of the information provided to the bank on the activity of the organizations included into the banking group and (or) the banking holding, the head organization of which is this bank so that the bank can assess the risk level of such participants as well as assess the effectiveness of their activity and their compliance with the requirements of the legislation and the internal documents; 

- check organization of the activity of information systems, information flow management (information receipt and transmission) and information security, including control over the integrity of the databases and their protection against the unauthorized access and (or) use, presence of the action plans in the event of contingencies; 

- check organization of the work on anti-money legalization (laundering) and counter financing of terrorism or extremism; 

- check compliance with the banking legislation and the internal documents of the bank when carrying out the activity of the bank; 

- check reliability, completeness, objectiveness and timeliness for submission of the reporting and other information in accordance with the banking legislation to the National Bank and other government authorities; 

- check reliability, completeness, objectiveness and timeliness for submission of the management reporting and other information to the management bodies of the bank in accordance with the internal documents of the bank; 

- check safety of the assets and the investments, including actual presence and reflection in the accounting; 

- check organization of the work with addresses of the citizens and the legal entities; 

- check compliance with the banking legislation on bank, commercial and other secrecy protected by the legislation; 

- check compliance with the requirements of the National Bank to disclosure of the information; 

- detect the conflict of interests in the bank, the areas and the conditions of its occurrence and assess the effectiveness of the measures taken by the bank for its exclusion; 

- check the effectiveness of the taken measures to remedy the detected violations and shortcomings in the activity of the bank according to the results of the previous audits as well as the audits of the National Bank and the external auditors, including in organization of the business processes, the internal control and the risk management and fulfillment of the recommendations for their improvement; 

- check other issues envisaged by the internal documents of the bank; 

- report to the Audit Committee and the Management Board of the bank on the results of the audits carried out by the Internal audit service; 

- report to the Audit Committee and the Management Board of the bank on the state of the internal control system, on ensuring compliance with legitimacy and effectiveness of the bank's activity; 

- submit its proposals on improvement of the bank's activity, including the internal control, the risk management, organization of the business processes. 

41. In the bank carrying out the operations under the Principles of Islamic Banking and Finance, in absence of the department responsible for the monitoring of compliance with the Sharia standards, an authorized internal auditor checking compliance with the Sharia standards, shall audit the bank's compliance with the Sharia standards and submit the reports to the Board of Directors, the Sharia Council, the Audit Committee and a copy to the Management Board of the bank. 

42. The quality assurance program of the Internal audit service represents a set of the activities aimed to ensure effectiveness of the aim and the objectives of the Internal audit service and further improvement of its activity based on the detected problems. 

43. The internal audit program shall: 

- be prepared prior to conduct of the audit in writing with clearly determined aims of the audit; 

- be approved by the Audit Committee; 

- provide for the scope of works sufficient to achieve the aims of the audit; 

- include detailed subprograms and relevant procedures for each audited operation; 

- include description of the required actions that depend on the actual volume and the complexity of the audited operation; 

- provide for direct reconciliation of the bank's financial reporting, especially of loan and deposit accounts; 

- include other required measures for qualitative and exhaustive fulfillment of the objectives of the Internal audit service. 

44. The minimum scope of the internal audit program includes, but is not limited to the following: 

- compliance of the carried out operation with the set policies and procedures; 

- presence of relevant instructions and approvals (sanctions) of the Management Board of the bank regarding conduct of the operation; 

- correct reflection of the bank's assets and liabilities on the book-keeping accounts; 

- correct reflection of the bank's income and expenses; 

- correct reflection of the bank's other property (collateral) on the book-keeping accounts and assessment of the effective control over the physical presence of the collateral; 

- correct reflection of the bank's off-balance sheet liabilities as well as complete off-system accounting (for example, accounting of written off loans, etc.); 

- presence of the clear and properly authorized documentation for each operation from the beginning until the end; 

- safety and adequacy of the information systems, including the computer equipment, the software, the incoming and outgoing information, the action plans in the event of contingencies; 

- compliance with the legislation of the Kyrgyz Republic, the regulatory legal acts of the National Bank and the internal documents of the bank. 

45. The periodicity of the internal audits depends on the risk related to the audited operation, at that, the type of the operation, its complexity, the assets and the liabilities related to the audited operation from the viewpoint of their match, relevance and effectiveness, presence and adequacy of the policies and the procedures for conduct of the operation and the internal control measures shall be taken into consideration. 

46. The working documents of the internal audit results shall include the audit program of the operation, the analytical part, what procedures have been carried out, the degree of testing (continuous, random), the conclusions and the information confirming the conclusions made by the internal auditor. 

47. The audit report shall: 

- be prepared as soon as possible after completion of the internal audit; 

- contain aims, the audit scale, the conclusion and detailed recommendations to solve each detected problem. The recommendations shall include a brief description of detected problems specifying the reasons for their occurrence as well as risks influencing the activity of the bank, required remedial actions, including revision of relevant policies and procedures of the bank, periods for fulfillment of the remedial actions and responsible persons; 

- be directly submitted to the Board of Directors and the Audit Committee. After consideration by the Audit Committee, this report shall be submitted to the Management Board of the bank. 

48. The effectiveness of the internal audit depends on the subsequent measures taken by the Management Board and the Board of Directors to make sure that all adopted recommendations are considered in time and properly. The Board of Directors is responsible for creation of the relevant policy with regard to the subsequent measures on fulfillment of the recommendations aimed to strengthen the internal control system. 

49. Based on the audit report, the Audit Committee approves the plan of the activities to introduce the remedial actions into the internal control system of the bank and provides for the measures to monitor effectiveness and timeliness of their introduction that are approved by the Board of Directors. 

50. The internal audit of the high-risk operations (for example, the operations with cash, remittances) and areas of the bank's activity shall be carried out at least once a year. The internal audit of the activity and the operations of the bank with the low risks shall be carried out at least once in three years. 

51. In the end of each year the Internal audit service submits a review report on fulfillment of the planned activities on the internal audit of the bank for a reporting year to the Board of Directors. Taking into account the results for a reporting year, the Internal audit service submits the internal audit plan for the next year to the Board of Directors within 1 month after the end of a financial year. 

52. Annually the Internal audit service shall submit the internal audit plan for the next year approved by the Board of Directors that is based on the detected current risks of the bank to the National Bank. 

6. Final Provisions 

53. The Board of Directors of the bank ensures that the strategies, the policies and other internal documents of the bank are brought to the notice of the senior employees of the bank and the employees of the bank. The heads of the bank's structural subdivisions shall take personal responsibility for bringing to the notice of their employees the importance of the internal control function and the necessity to adhere to the internal documents of the bank. 

54. The Board of Directors assesses correspondence of the heads of the Compliance-control, the Internal audit, the Risk management services to the set qualification requirements and the requirements to the business reputation with the periodicity enough to ensure maintenance of their qualification and business reputation at the proper level. 

55. The National Bank can carry out planned and unplanned discussions with the heads of the Compliance-control, the Risk management and the Internal audit services in the issues related to the activity of the bank. 

56. If the heads of the Internal audit, the Compliance-control, the Risk management services are dismissed, the bank is obliged to notify the National Bank within three business days about their dismissal describing the reasons for their dismissal.