The Monetary Board approved the revised guidelines on internal control and internal audit raising the bar of control standards for BSP supervised financial institutions (FIs). The guidelines complement other BSP initiatives to further strengthen the quality of governance in the industry and align existing regulations with international standards and best practices.
The guidelines feature the fundamental elements of internal control namely, management oversight and control culture; risk recognition and assessment; control activities; information and communications; and monitoring activities and correcting deficiencies. These effectively broaden the regulatory expectations on internal control from previously being limited only to the implementation of basic internal control activities to promoting shared accountability of the board and personnel at all levels in the control process. The Monetary Board recognizes though, that there is no “one size fits all” internal control framework. As such, consistent with the principle of proportionality, FIs are expected to adopt internal control frameworks that are suited to their size, risk profile and complexity of operations.
The guidelines also cover the BSP’s expectations on the internal audit function highlighting that its role is to both assess and complement operational management, risk management, compliance and other control functions. FIs are generally allowed to outsource the internal audit function to have access to certain areas of expertise or address resource constraints provided that the scope of audit will not include areas that are covered by existing statutes on deposit secrecy. The guidelines however, clarified that arrangements where FIs that are part of group structures will opt to establish an internal audit function centrally in the parent bank will not fall under the outsourcing framework provided under existing regulations.
Finally, the qualifications of the head of the internal audit function were expanded so as to consider professionals from disciplines outside of the accountancy profession. Certified Public Accountants (CPAs) or Certified Internal Auditors (CIAs) are required for the head of the internal audit function of a universal/commercial bank. On the other hand, the head of the internal audit function of thrift, rural, and cooperative banks may be a graduate of any accounting, business, finance, or economics course but should have the technical proficiency on the conduct of internal audit. Regardless of academic background, heads of the internal audit function of all supervised FIs should meet the prescribed number of years of experience.