First Bank of Nigeria plc

Strength & Stability in Uncertain Times

Annual Report & Accounts 2009

Business Review

Internal Control

Internal Control Concept in FirstBank

"Internal Control" in FirstBank refers to the overall operating framework of practices, systems, organisational structures, management philosophy, code of conduct, policies, procedures and actions which exist in the Group and are designed to ensure:

  1. Essential business objectives are met, including the effectiveness and efficiency of operations and the safeguarding of assets against loss;
  2. The reliability of financial reporting and compliance with general accounting principles;
  3. Compliance with applicable laws and regulations including internal policies;
  4. Systematic and orderly recording of transactions;
  5. Provision of reasonable assurance that undesired events will be prevented or detected and corrected.

FirstBank is committed to creating and maintaining a world-class internal control environment that is capable of sustaining its current leadership position in the financial services industry.

FirstBank operates in an environment that is continuously exposed to uncertainties and change. Such risks may prevent the institution from achieving its strategic business objectives. To effectively manage these risks, FirstBank Group has put in place internal control measures that cover the Bank and its subsidiaries.

The Bank has also instituted an effective and efficient internal control environment that ensures minimal operational losses arising from fraud, errors, operational lapses, armed robberies, customer dissatisfaction, customer complaints and other risk exposures.

Components of FirstBank Internal Control Environment

  1. A Board of Directors that is actively concerned with sound corporate governance coupled with effective management and control of the Bank;
  2. An independent Audit Committee with strong oversight and constant monitoring of the Bank's controls;
  3. Executive Management that actively manages and operates the Bank in a sound and prudent manner;
  4. Strong organisational and procedural controls supported by an effective management information system aimed at prudent management of the Bank's exposure to risk;
  5. A robust independent control and audit mechanism that monitors the effectiveness and safety of all activities in the Bank;
  6. A functional risk management framework and structure;
  7. Risk recognition, assessment and management by Risk Management Directorate covering all categories of risks – credit, operational, information security, market and liquidity;
  8. Appropriate and standardised control activities covering all branches, departments, businesses and subsidiaries;
  9. Segregation of duties;
  10. Effective financial and management reporting system;
  11. Continuous and ongoing monitoring of control activities by an independent Internal Control Division;
  12. Independent evaluation of control activities on a periodic basis by Internal Audit Division;
  13. Strong regulatory and policy compliance culture driven from the top to the lowest level;
  14. Tiered ownership of internal controls – Board of Directors, Executive Management, Divisional Heads and Staff.

Responsibilities for Internal Control in the Bank

  1. Board of Directors, Board Audit Committee, Board Audit and Risk Assessment Committee – monitor effectiveness of internal control system;
  2. GMD/CEO and EXCO – design and maintain an adequate system of internal controls;
  3. Top and middle management – implement and enforce internal controls;
  4. Internal Control and Internal Audit Divisions – review, monitor, evaluate and enforce internal controls in the Bank;
  5. All Staff – own internal control measures inherent in their various job functions.

FirstBank Internal Control Objectives

  1. Achievement of business objectives;
  2. Safeguarding of assets;
  3. Reliability of financial records;
  4. Business/customer oriented control practices;
  5. Automation of internal control and reconciliation activities;
  6. Zero tolerance for prudential provision on other assets;
  7. Minimise financial losses attributable to control infractions and reconciliation problems;
  8. Transaction safety;
  9. Risk-based departmental and independent control activities;
  10. Operational control efficiency and effectiveness;
  11. Strict compliance with regulations and internal policies;
  12. Zero tolerance for fraud and errors as well as control/regulatory infractions;
  13. Strict personal and Business Units responsibility for operational and control activities;
  14. Confidentiality and integrity of information resources;
  15. Business continuity and disaster recovery.

FirstBank Internal Control Philosophy and Principles

Major internal control philosophy and principles of the Bank are reflected in seven documents as detailed below:

  1. FirstBank Internal Control Framework. This document, which is predicated on the COSO (Committee of Sponsoring Organisations) standard, provides policies aimed at achieving the following objectives in the Bank:
    • Proactive identification of key business risks with appropriate internal controls;
    • Ensure quality of internal and external financial reporting;
    • Ensure compliance with applicable laws, internal policies and regulations;
    • Identify and exploit opportunities for improving efficiency of processes and controls; and
    • Effective management of business operations and achievement of strategic objectives.
    It also covers line of defence and control responsibilities of the Board of Directors, GMD/CE, Executive Management, Head Office Departments, branches and subsidiaries.
  2. FirstBank Internal Control Policy. This document outlines best practice control standards, roles and responsibilities of Directors, senior management, departments, subsidiaries and staff of the Bank.
  3. FirstBank Internal Control Guidelines. FirstBank has adopted the COSO framework (customised to the Bank's local environment) for its internal control procedures and guidelines. The guidelines outline procedures for identification, management and documentation of relevant processes/sub-processes including mapping of specific risks and control mitigants.
  4. FirstBank Operational Procedure. Detailed Control, Accounting and Administrative Procedures (CAAP) manuals have been developed for all processes, activities, products and services of the Bank, including business continuity and disaster recovery.
  5. FirstBank Operational Desk Manual/Job Card for operational activities.
  6. FirstBank Departmental and Independent Control Function Checklist. Used for managing supervisory and independent control risks.
  7. FirstBank Independent Control Function Proof Chart. Standardised procedure for executing various independent control activities in the Bank.

Organisational Structure of the Internal Control and Reconciliation Division

Diagram showing the Organisational Structure of the Internal Control and Reconciliation Division

Structure of FirstBank Internal Control Division

Internal Control and Reconciliation Division is dynamically structured to identify emerging/incremental areas of risk exposure, with the aim of instituting immediate preventive control measures.

Major features of the internal control structure include:

  1. Group-wide independent control oversight with Resident Internal Control Officers (RICO) in all branches, Head Office departments and subsidiaries;
  2. Proper branch profiling, risk rating and control vulnerability are considered in order to determine optimum RICO requirements and placements;
  3. Institution of efficient staff deployment strategies that align staff quality with the risk rating of the branches;
  4. Alignment of RICO specialist skills with the core competences required for specialised functions in the Bank, especially Head Office and subsidiaries;
  5. Training, orientation and development of RICOs are predicated on ensuring superior knowledge of product features, policies, regulations, processes and systems inherent in processing activities under their purview.

Major Internal Control/Audit Reports to Board and Senior Management

  1. Major Audit Issues and Countermeasures/Mitigants;
  2. Fraud Recovery Status Report (N10 million and above);
  3. Fraud Statistics: type and frequency with year-on-year comparison including general remedial actions;
  4. Major Operational/Control lapses in Audit reports;
  5. Control Situation Report;
  6. Cash Tracking Report;
  7. Prudential Provision on Other Assets;
  8. Control Risk Rating of Business Units.

Fraud Management Strategies in FirstBank

Fraud Management Objectives

  1. Prevention of fraud occurrence or losses. Where prevention is not possible, they should be promptly detected and mitigated;
  2. Efficient Fraud Loss Mitigation Measures i.e. rapid escalation of fraud occurrence, insurance recovery, effective management of law enforcement agencies;
  3. Prevent repeat of operational lapses and system defects that facilitate fraud incidence;
  4. Minimise other operational losses associated with fraud losses.

Fraud Management Strategies

  1. Implementation of world-class enterprise fraud management software with strong emphasis on automated fraud prevention and detection;
  2. Implementation of world-class automated internal control and continuous monitoring solution;
  3. Build fraud prevention and detection controls in processes and systems;
  4. Strict compliance with internal policy, regulatory and statutory requirements;
  5. Implementation of anti-fraud operational, supervisory and independent controls;
  6. Proactive management of financial and non-financial risks;
  7. Holding operators and supervisors personally responsible for fraud occurrence;
  8. Conducting root cause analysis of fraud occurrence;
  9. Automation of reconciliation activities;
  10. Risk-based departmental and independent control checklist for supervisors and RICOs;
  11. Enforcement of GL account ownership policy;
  12. Strong handshake/partnership amongst various stakeholders responsible for fraud escalation, management and loss recovery;
  13. Continuous awareness campaign on fraud learning points;
  14. Dynamic/continuous control improvement measures;
  15. Improve RICO manning and skill capacity;
  16. Improve anti-fraud operational control capacities amongst operations staff;
  17. Process optimisation and automation;
  18. Frequent rotation of RICOs and operations staff;
  19. Effective fraud escalation mechanism to all levels of management;
  20. Effective implementation of whistle-blowing policy.

Adoption of Integrated Governance, Risks and Compliance (iGRC) Framework

To gain control over diverse risks through a consistent, coordinated and sustainable strategy, FirstBank has begun implementation of a leading practice – "integrated governance, risk and compliance", or iGRC.

The iGRC framework is a principles-guided, step-by-step, logical and scalable method that integrates governance, risk and compliance activities into a manageable and sustainable process.

The implementation of the iGRC has helped the Bank to achieve the following:

  1. Avoid duplication of efforts;
  2. Make better use of staff and resources;
  3. Identify unmanaged/unknown risks through a practical but comprehensive evaluation process;
  4. Improve the content, quality and timing of governance, risk and compliance analysis and reporting;
  5. Implement a proactive approach to risk management;
  6. Control the growth of governance, risk and compliance-related expenses;
  7. Enable effective revenue generation and assurance function;
  8. Establish a timely and consistent approach for assessing audit/compliance programmes across all business units in the organisation including the subsidiaries.

The implementation of iGRC is manifested in the following risk and governance structure of the Bank:

  1. Risk Management Governance Framework, which encompasses Board of Directors, Board Credit Committee, Board Audit and Risk Assessment Committee, GMD/EXCO/ALCO, Risk Management Directorate, Internal Control and Audit;
  2. Strong and well-defined relationship between the Risk Management Directorate and other key stakeholders and Divisions in the Bank;
  3. Institution of Management Risk and Assessment Committee (MRAC) made up of the following officers of the Bank:
    • Chief Compliance Officer – Chairman
    • Chief Internal Auditor – Member
    • Head, Internal Control – Member
    • Head, Information Security – Member
    • Head, Operational Risk Management – Member

The committee has provided a veritable platform for resolving common control, risk and audit issues in the Bank.
