Annual Report & Accounts December 2009 – Charting new frontiers

Internal Control

1 Internal Control concept in FirstBank

Internal Control in FirstBank refers to the overall operating framework of practices, systems, organisational structures, management philosophy, code of conduct, policies, procedures and actions, which exists in the Group and is designed to ensure:

  1. that essential business objectives are met, including the effectiveness and efficiency of operations and the safeguarding of assets against losses;
  2. the reliability of financial reporting and compliance with general accounting principles;
  3. compliance with applicable laws and regulations including internal policies;
  4. systematic and orderly recording of transactions; and
  5. provision of reasonable assurance that undesired events will be prevented or detected and corrected.

FirstBank is committed to creating and maintaining a world-class internal control environment that is capable of sustaining its current leadership position in the financial services industry.

FirstBank operates in an environment that is continuously exposed to uncertainties and change. Such risks may prevent the institution from achieving its strategic business objectives. To manage these risks effectively, the FirstBank Group has put in place internal control measures that cover the Bank and its subsidiaries.

The Bank has also instituted an effective and efficient internal control environment that ensures minimal operational losses arising from fraud, errors, operational lapses, armed robberies, customer dissatisfaction, customer complaints and other risk exposures.


2 Components of FirstBank internal control environment

  • A board of directors that is actively concerned with sound corporate governance coupled with effective management and control of the bank.
  • An independent audit committee with strong oversight and constant monitoring of the Bank's controls.
  • Executive Management that actively manages and operates the Bank in a sound and prudent manner.
  • Strong organisational and procedural controls supported by an effective management information system aimed at prudent management of the Bank's exposure to risk.
  • A robust independent control and audit mechanism that monitors the effectiveness and safety of all activities in the Bank.
  • A functional risk management framework and structure.
  • Risk recognition, assessment and management by Risk Management Directorate covering all categories of risks – credit, operational, information security, market and liquidity.
  • Appropriate and standardised control activities covering all branches, departments, businesses and subsidiaries.
  • Segregation of duties.
  • Effective financial and management reporting system.
  • Continuous and ongoing monitoring of control activities by an independent Internal Control Division.
  • Independent evaluation of control activities on a periodic basis by the Internal Audit Division.
  • Strong regulatory and policy compliance culture driven from the top to the lowest level.
  • Tiered ownership of internal controls – Board of Directors, Executive Management, Divisional heads and staff.


3 Responsibilities for internal control in the Bank

  • Board of Directors, Audit Committee, Board Audit and Risk Assessment Committee – approve and monitor effectiveness of internal control system.
  • GMD/CE and EXCO – design and maintain adequate system of internal controls.
  • Top and middle management – implement and enforce internal controls.
  • Internal Control and Internal Audit Divisions – review, monitor, evaluate and enforce internal controls in the Bank.
  • All staff – own internal control measures inherent in their various job functions.


4 FirstBank internal control objectives

  • Achievement of business objectives.
  • Safeguarding of assets.
  • Reliability of financial records.
  • Business/customer-oriented control practices.
  • Automation of internal control and reconciliation activities.
  • Zero tolerance for prudential provision on other assets.
  • Minimise financial losses attributable to control infractions and reconciliation problems.
  • Transaction safety.
  • Risk-based departmental and independent control activities.
  • Operational control efficiency and effectiveness.
  • Strict compliance with regulations and internal policies.
  • Zero tolerance for fraud, errors as well as control/regulatory infractions.
  • Strict personal and business-unit responsibility for operational and control activities.
  • Confidentiality, integrity and availability of assets.
  • Business continuity and disaster recovery.


5 FirstBank internal control philosophy and principles

Major internal control philosophy and principles of the Bank are reflected in seven documents as detailed below:

i. FirstBank Internal Control Framework – This document, which is predicated on COSO (Committee of Sponsoring Organisation) standard, provides policies aimed at achieving the following objectives in the Bank:

  • proactive identification of key business risks with appropriate internal controls;
  • ensuring quality of internal and external financial reporting;
  • ensuring compliance with applicable laws, internal policies and regulations;
  • identifying and exploiting opportunities for improving efficiency of processes and controls; and
  • effective management of business operations and achievement of strategic objectives.

It also covers the lines of defence and the control responsibilities of the Board of Directors, GMD/CE, executive management, Head Office departments, branches and subsidiaries.

ii. FirstBank Internal Control Policy – This document outlines best-practice control standards, roles and responsibilities of Directors, senior management, departments, subsidiaries and staff of the Bank.

iii. FirstBank Internal Control Guidelines – FirstBank has adopted the COSO framework (customised to the Bank's local environment) for its internal control procedures and guidelines. The guidelines outline procedures for the identification, management and documentation of relevant processes/sub-processes, including the mapping of specific risks and their control mitigants.

iv. FirstBank Operational Procedure – Detailed Control, Accounting and Administrative Procedures (CAAP) manuals have been developed for all processes, activities, products and services of the Bank including business continuity and disaster recovery.

v. FirstBank Operational Desk Manual/Job card for operational activities.

vi. FirstBank Departmental and Independent Control Function Checklist used for managing supervisory and independent control risks.

vii. FirstBank Independent Control Function Proof Chart – standardised procedure for executing various independent control activities in the Bank.


6 Structure of FirstBank Internal Control Division

The Internal Control and Reconciliation Division is structured dynamically to identify emerging or incremental areas of risk exposure so that immediate preventive control measures can be instituted.

Major features of the Internal Control Structure include:

  1. Group-wide independent control oversight with Resident Internal Control Officers in all branches, Head Office departments and subsidiaries.
  2. Branch profiling, risk rating and control vulnerability are considered in determining the optimum Resident Internal Control Officer (RICO) requirements and placements.
  3. Institution of efficient staff deployment strategies that align staff quality with the risk rating of the branches.
  4. Alignment of Resident Internal Control Officers (RICO) specialist skills with the core competencies required for specialised functions in the Bank especially Head Office and subsidiaries.
  5. Training, orientation and development of RICOs are predicated on ensuring superior knowledge of product features, policies, regulations, processes and systems inherent in processing activities under their purview.


7 Major internal control/audit reports to Board and senior management

  1. Major audit issues and countermeasures/mitigants.
  2. Fraud recovery status report (N10m and above).
  3. Fraud statistics type and frequency with year-on-year comparison including general remedial actions.
  4. Major operational/control lapses in audit reports.
  5. Control situation report.
  6. Cash tracking report.
  7. Prudential provision on other assets.
  8. Account opening documentation deficiency report.
  9. Unusual incidence report.
  10. Control risk rating of business units.


8 Fraud management strategies in FirstBank

8.1 Fraud management objectives

  • Prevention of fraud occurrence or losses. Where prevention is not possible, frauds should be promptly detected and mitigated.
  • Efficient fraud loss mitigation measures, i.e., rapid escalation of fraud occurrence, insurance recovery and effective management of law enforcement agencies.
  • Prevent the repeat of operational lapses and system defects that facilitate fraud incidents.
  • Minimise other operational losses associated with fraud losses.
  • Automation of fraud preventive and detective measures.

8.2 Fraud management strategies

  • Implementation of world-class enterprise fraud management software with a strong emphasis on automated fraud prevention and detection.
  • Implementation of a world-class automated internal control and continuous monitoring solution.
  • Building fraud prevention and detection controls in processes and systems.
  • Strict compliance with internal policy, regulatory and statutory requirements.
  • Implementation of anti-fraud operational, supervisory and independent controls.
  • Proactive management of financial and non-financial risks.
  • Holding operators and supervisors personally responsible for fraud occurrence.
  • Conducting root cause analysis of fraud occurrence.
  • Automation of reconciliation activities.
  • Risk-based departmental and independent control checklist for supervisors and RICOs.
  • Enforcement of GL account ownership policy.
  • Strong handshake/partnership among various stakeholders responsible for fraud escalation, management and loss recovery.
  • Continuous awareness campaign on fraud learning points.
  • Dynamic/continuous control improvement measures.
  • Improve Resident Internal Control Officers' (RICO) manning and skill capacity.
  • Improve anti-fraud operational control capacities among operations staff.
  • Process optimisation and automation.
  • Frequent rotation of RICOs and operations staff.
  • Effective fraud escalation mechanism to all levels of management.
  • Effective implementation of whistle-blowing policy.


9 Adoption of Integrated Governance, Risks and Compliance (IGRC) framework

To gain control over diverse risks through a consistent, coordinated and sustainable strategy, FirstBank has commenced implementation of a leading-practice 'integrated governance, risk and compliance' ('IGRC') strategy. The IGRC framework is a principles-guided, step-by-step, logical and scalable method that integrates governance, risk and compliance activities into a manageable and sustainable process.

The implementation of the IGRC has helped the Bank to achieve the following:

  • avoid duplication of efforts;
  • make better use of staff and resources;
  • identify unmanaged/unknown risks through a practical but comprehensive evaluation process;
  • improve the content, quality and timing of governance, risk and compliance analysis and reporting;
  • implement a proactive approach to risk management;
  • control the growth of governance, risk and compliance-related expenses;
  • enable effective revenue generation and assurance function; and
  • establish a timely and consistent approach for assessing audit/compliance programmes across all business units in the organisation including the subsidiaries.

The implementation of IGRC is manifested in the following risk and governance structure of the Bank:

  1. Risk Management Governance Framework, which encompasses the Board of Directors, Board Credit Committee, Board Audit and Risk Assessment Committee, MD/EXCO/ALCO, Risk Management Directorate, Internal Control and Audit;
  2. a strong and well-defined relationship between the Risk Management Directorate and other key stakeholders and Divisions in the Bank; and
  3. Institution of Management Risk and Assessment Committee (MRAC) as a veritable platform for resolving common control, risk and audit issues in the Group.
