Skip to main content

Article (4): Effective System of Internal Controls

C 25/2022 Effective from 30/12/2022
1.The Internal Controls system must ensure effective operations, adequate control of risks, prudent conduct of business, reliability of financial and non-financial information reported, compliance with Central Bank Laws and other relevant laws, Regulations and supervisory requirements and the Company's internal rules and decisions. It must cover all units and activities and must be regularly assessed, reviewed by the Board or the Board audit committee and updated as necessary. It must include appropriate control structure with control activities defined at every business unit level, as they must own, manage and report risks and must be accountable for establishing and maintaining effective Internal Controls policies and procedures. Control Functions must assess the adequacy of the controls used by the business units. The Internal Controls system must contain, at a minimum, the following components:
 
a.Segregation of duties and measures to prevent Conflicts of Interest, as follows:
 
1.Adequate independence and clear separation of duties and reporting lines between the persons who are responsible for certain processes or policies, and those who verify that the processes or policies are being applied.
 
2.Adequate independence, and clear separation of duties and reporting lines between those who design or operate certain controls and those who check if the controls are effective.
 
b.Policies and processes:
 
1.Incorporate adequate controls for all key business processes and policies, including processes for taking major business decisions and approving transactions, critical information technology functionalities, cyber security, access to critical information technology infrastructure by employees and related third parties and important legal and regulatory obligations.
 
2.Incorporate policies on training on controls, especially for Staff undertaking roles requiring elevated trust or responsibility, or Staff involved in the oversight of high-risk activities.
 
3.Centralised documented key processes and policies and their corresponding controls.
 
c.Information and communication:
 
1.All Staff must be fully aware of the requirements to comply with the Company's Internal Controls system.
 
2.The necessary information for decision making must be made available to decision makers in a timely manner, including, but not limited to, financial, operational, compliance and market information.
 
d.Monitoring and review:
 
1.Processes must be checked on a regular basis by the internal audit function to ensure that controls are effective.
 
2.The Internal Controls system must be assessed on a regular basis by the internal audit function, to determine its efficiency and effectiveness.
 
e.Reporting on the Internal Controls system must reference the policy for Internal Controls (such as responsibilities, compliance levels, validation and implementation of remediation plans), the stage of development, the performance of the business units, and deficiencies in application.
 
2.The Board must understand the control environment and direct Senior Management to ensure that for each business process and policy, there is an appropriate control. The Board must ensure the allocation of responsibilities for the design, documentation and operation of Internal Controls.
 
3.
a.For branches of foreign Companies, a senior management committee or equivalent must be in place that consists of local functionaries. These internal Control Functions should report directly to their entity-level counterpart and/or to the board and/or relevant committees.
 
b.Local functionaries stated in the aforementioned paragraph (a) may not undertake more than one Control Function.