[ BSP Circular No. 871, March 05, 2015 ]

INTERNAL CONTROL AND INTERNAL AUDIT



Adopted: 05 March 2015
Date Filed: 16 March 2015

The Monetary Board in its Resolution No. 230 dated 13 February 2015, approved the following amendments to Sections X185 - X185.12 and X186 - X186.4 of the Manual of Regulations for Banks (MORB) on the Internal Control System and Internal Audit Function in banks, respectively.

Policy Statement. It is the thrust of the Bangko Sentral ng Pilipinas to promote strong control environments in its supervised financial institutions to sustain their safe and sound operations. In this regard, the BSP is aligning its existing regulations, to the greatest extent possible, with international standards and best practices in internal control and internal audit as embodied in related documents issued by the Basel Committee on Banking Supervision (BCBS) and the Committee on Sponsoring Organizations of Treadway Commission (COSO).

Section 1. Internal Control Framework. Section X185 and Subsections X185.1 - X185.5 the MORB shall now read as follows:

(a)
Section X185. Internal control framework. Internal control is a process designed and effected by the board of directors, senior management, and all levels of personnel to provide reasonable assurance on the achievement of objectives through efficient and effective operations; reliable, complete and timely financial and management information; and compliance with applicable laws, regulations, supervisory requirements, and the organization ™s policies and procedures.




Banks shall have in place adequate and effective internal control framework for the conduct of their business taking into account their size, risk profile and complexity of operations. The internal control framework shall embody management oversight and control culture; risk recognition and assessment; control activities; information and communication; and monitoring activities and correcting deficiencies.




(b)
Subsection X185.1. Management oversight and control culture. Consistent with the principles provided under Subsections X141.3 and X142.3 of the MORB, the board of directors and senior management shall be responsible for promoting high ethical and integrity standards; establishing the appropriate culture that emphasizes, demonstrates and promotes the importance of internal control; and designing and implementing processes for the prevention and detection of fraud.




(1)
The board of directors shall be ultimately responsible for ensuring that senior management establishes and maintains an adequate, effective and efficient internal control framework commensurate with the size, risk profile and complexity of operations of the bank. The board of directors shall also ensure that the internal audit function has an appropriate stature and authority within the bank and is provided with adequate resources to enable it to effectively carry out its assignments with objectivity.




Further, the board of directors shall, on a periodic basis:




(i)
conduct discussions with management on the effectiveness of the internal control system;
(ii)
review evaluations made by the audit committee on the assessment of effectiveness of internal control made by management, internal auditors and external auditors;
(iii)
ensure that management has promptly followed up on recommendations and concerns expressed by auditors and supervisory authorities on internal control weaknesses; and
(iv)
review and approve the remuneration of the head and personnel of the internal audit function. Said remuneration shall be in accordance with the bank's remuneration policies and practices and shall be structured in such a way that these do not create conflicts of interest or compromise independence and objectivity.




The board of directors of universal/commercial banks shall likewise commission an assessment team outside of the organization to conduct an independent quality assurance review of the internal audit function at least every five (5) years.




(2)
The audit committee shall be responsible for overseeing senior management in establishing and maintaining an adequate, effective and efficient internal control framework. It shall ensure that systems and processes are designed to provide assurance in areas including reporting, monitoring compliance with laws, regulations and internal policies, efficiency and effectiveness of operations, and safeguarding of assets.




The audit committee shall oversee the internal audit function and shall be responsible for:




(i)
monitoring and reviewing the effectiveness of the internal audit function;
(ii)
approving the internal audit plan, scope and budget;
(iii)
reviewing the internal audit reports and the corresponding recommendations to address the weaknesses noted, discussing the same with the head of the internal audit function and reporting significant matters to the board of directors;
(iv)
ensuring that the internal audit function maintains an open communication with senior management, the audit committee, external auditors, and the supervisory authority;
(v)
reviewing discoveries of fraud and violations of laws and regulations as raised by the internal audit function;
(vi)
reporting to the board of directors the annual performance appraisal of the head of the internal audit function;
(vii)
recommending for approval of the board of directors the annual remuneration of the head of the internal audit function and key internal auditors;
(viii)
appointing, reappointing or removing the head of the internal audit function and key internal auditors; and
(ix)
selecting and overseeing the performance of the internal audit service provider.




In particular, the audit committee shall be responsible for:




(i)
ensuring the independence of the internal audit service provider;
(ii)
reporting to the board of directors on the status of accomplishments of the outsourced internal audit activities, including significant findings noted during the conduct of the internal audit;
(iii)
ensuring that the internal audit service provider comply with sound internal auditing standards such as the Institute of Internal Auditors ™ International Standards for the Professional Practice of Internal Auditing and other supplemental standards issued by regulatory authorities/government agencies, as well as with relevant code of ethics;
(iv)
ensuring that the audit plan is aligned with the overall plan strategy and budget of the bank and is based on robust risk assessment; and
(v)
ensuring that the internal audit service provider has adequate human resources with sufficient qualifications and skills necessary to accomplish the internal audit activities.




(3)
Senior management shall be responsible for maintaining, monitoring and evaluating the adequacy and effectiveness of the internal control system on an ongoing basis, and for reporting on the effectiveness of internal controls on a periodic basis. Management shall develop a process that identifies, measures, monitors and controls risks that are inherent to the operations of the bank; maintain an organizational structure that clearly assigns responsibility, authority and reporting relationships; ensure that delegated responsibilities are effectively carried out; implement internal control policies and ensure that activities are conducted by qualified personnel with the necessary experience and competence. Management shall ensure that bank personnel undertake continuing professional development and that there is an appropriate balance in the skills and resources of the front office, back office, and control functions. Moreover, Management shall promptly inform the internal audit function of the significant changes in the bank ™s risk management systems, policies and processes.




(4)
All personnel need to understand their roles and responsibilities in the internal control process. They should be fully accountable in carrying out their responsibilities effectively and they should communicate to the appropriate level of management any problem in operations, action or behavior that is inconsistent with documented internal control processes and code of ethics.




(c)
Subsection X185.2. Risk recognition and assessment. An effective internal control system shall identify, evaluate and continually assess all material risks that could affect the achievement of the bank ™s performance, information and compliance objectives. The potential for fraud shall be considered in assessing the risks to the achievement of said objectives. Further, the risk assessment shall cover all risks facing the bank, which include, among others, credit; country and transfer; market; interest rate; liquidity; operational; compliance; legal; and reputational risks.




Effective risk assessment identifies and considers both internal (e.g., complexity of the organization's structure, nature of the bank ™s activities and personnel profile) and external (e.g., economic conditions, technological developments and changes in the industry) factors that could affect the internal control framework. The risk assessment shall be conducted at the level of individual business units and across all bank activities/groups/units and subsidiaries, in the case of a parent bank. Internal controls shall be revised to address any new or previously uncontrolled or unidentified risks.




(d)
Subsection X185.3 Control activities. Control activities shall form part of the daily activities of the bank and all levels of personnel in the bank. Control activities are designed and implemented to address the risks identified in the risk assessment process. These involve the establishment of control policies and procedures, and verification that these are being complied with.




Banks shall have in place control activities defined at every business level, which shall include a system that provides for top and functional level reviews; checking compliance with exposure limits and follow-up on noncompliance; a system of approvals and authorizations, which shall include the approval process for new products and services; and a system of verification and reconciliation.




Control activities complement existing policies, procedures and other control systems in place such as, among others, having clearly defined organizational structure and reporting lines, and arrangements for delegating authority; adequate accounting policies, records and processes; robust physical and environmental controls for tangible assets and access controls to information assets; and appropriate segregation of conflicting functions.




(1)
Clear arrangements for delegating authority. The functions and scope of authority and responsibility of each personnel should be adequately defined, documented and clearly communicated. The extent to which authorities may be delegated and the corresponding accountabilities of the personnel involved shall be approved by the appropriate level of management or the board of directors.




(2)
Adequate accounting policies, records and processes. Banks shall maintain adequate financial policies, records and processes. These records shall be kept up-to-date and contain sufficient detail to establish an audit trail. Further, banks shall conduct independent balancing and reconciliation of records and reports to ensure the integrity of the reported data and balances. Banks shall also put in place a reliable information system that covers all of its significant activities which shall allow the board of directors and management access to data and information relevant to decision making such as, among others, financial, operations, risk management, compliance and market information. Moreover, these systems shall be secured, monitored independently and supported by adequate contingency arrangements.




(3)
Robust physical and environmental controls to tangible assets and access controls to information assets. Banks shall adopt policies and practices to safeguard their tangible and information assets. These shall include, but shall not be limited to:




(i)
identifying officers with authorities to sign for and on behalf of the bank. Signing authorities shall be approved by the board of directors and the extent of authority at each level shall be clearly defined;
(ii)
implementing joint custody on certain assets. Joint custody shall mean the processing of transactions in the presence, and under the direct observation, of a second person. Both persons shall be equally accountable for the physical protection of the items and records involved. Provided: That persons who are related to each other within the third degree of consanguinity or affinity shall not be made joint custodians;
(iii)
adopting dual control wherein the work of one person is to be verified by a second person to ensure that the transaction is properly authorized, recorded and settled;
(iv)
incorporating sequence number control in the accounting system which shall also be used in promissory notes, checks and other similar instruments. Management shall also put in place appropriate controls to monitor the usage, safekeeping and recording of accountable forms;
(v)
restricting access to information assets by classifying information as to degree of sensitivity and criticality and identifying information owners or personnel with authority to access particular classifications based on job responsibilities and the necessity to fulfill one ™s duties; and
(vi)
implementing authentication and access controls prior to granting access to information such as, among others, implementing password rules. This shall be supplemented by appropriate monitoring mechanisms that will allow audit of use of information assets.
(4)
Segregation of conflicting functions. Banks shall ensure that areas of potential conflicts of interest shall be identified, minimized and subjected to independent monitoring. Further, appropriate segregation of functions shall be observed in identified areas that may pose potential conflict of interest. Moreover, periodic reviews of responsibilities and functions shall be conducted to ensure that personnel are not in a position to conceal inappropriate actions.




(e)
Subsection X185.4. Information and communication. An effective internal control system requires that there are adequate and comprehensive internal financial, operational and compliance data, as well as external information about events and conditions that are relevant to decision making. Information shall be reliable, timely, accessible, and provided in a consistent format. Banks shall have in place a reliable management information system that covers significant activities of the bank and has the capability to generate relevant and quality information to support the functioning of internal control.




Banks shall also establish effective channels of communication to ensure that all personnel fully understand and adhere to policies and procedures and control measures relevant to their duties and responsibilities and that relevant information is reaching the appropriate personnel. Management shall also ensure that all personnel are cognizant 'of their duty to promptly report any deficiency to appropriate levels of management or to the board of directors, where required. These shall enable them to quickly respond to changing conditions and avoid unnecessary costs.




(f)
Subsections X185.5. Monitoring activities and correcting deficiencies. The overall effectiveness of the internal controls shall be monitored on an ongoing basis. Monitoring functions and activities shall be adequately defined by management, integrated in the operating environment and should produce regular reports for review. In this regard, all levels of review shall be adequately documented and results thereof reported on a timely basis to the appropriate level of management.




Evaluations of the effectiveness of the internal control system and the corresponding monitoring activities may be done by personnel from the same operational area in the form of self-assessment or from other areas such as internal audit: Provided, That, self-assessment done by business units shall be subject to independent validation.
Evaluations done shall be adequately documented and internal control deficiencies and weaknesses identified shall be reported on a timely basis to the appropriate level of management or the board of directors, where necessary, and addressed promptly.

Section 2. Subsections X185.6 - X185.12 of the MORB are hereby deleted. Examples of internal control measures are provided under Appendix A of this Circular as "Minimum Internal Control Measures".

Section 3. Internal Audit Function. Section X186 and Subsections X186.1- X186.4 of the MORB are hereby amended to read as follows:

a)
Sec. X186. Internal Audit Function. Internal audit is an independent, objective assurance and consulting function established to examine, evaluate and improve the effectiveness of internal control, risk management and governance systems and processes of an organization, which helps management and the board of directors in protecting the bank and its reputation. The internal audit function shall both assess and complement operational management, risk management, compliance and other control functions. In this respect, internal audit shall be conducted in frequencies commensurate with the assessed levels of risk in specific banking areas.



(1)
Permanency of the internal audit function. Each bank shall have a permanent internal audit function. In the case of group structures involving a parent bank and subsidiary or affiliate BSP-supervised financial institutions, the internal audit function shall either be established in each of the BSP-supervised financial institution or centrally by the parent bank.



(2)
Internal audit function in group structures. In case each BSP-supervised financial institution belonging to group structures has its own internal audit function, said internal audit function shall be accountable to the financial institution's own board of directors and shall likewise report to the head of the internal audit function of the parent bank within a reasonable period and frequency prescribed by the board of directors of the parent bank.



On the other hand, in case the parent bank ™s internal audit function shall cover the internal audit activities in the subsidiary or affiliate BSP- supervised financial institution, the board of directors of the parent bank shall ensure that the scope of internal audit activities is adequate considering the size, risk profile and complexity of operations of the subsidiary or affiliate concerned.



The establishment of internal audit function centrally by the parent bank in group structures shall not fall under the outsourcing framework as provided under Section X162 of the MORB. In this respect, the head of the internal audit function of the parent bank shall define the internal audit strategies, methodology, scope and quality assurance measures for the entire group. Provided, That: this shall be done in consultation and coordination with the respective board of directors of the subsidiary or affiliate BSP-supervised financial institution. Provided, further, That: the board of directors of the subsidiary or affiliate BSP-supervised financial institution, shall remain ultimately responsible for the performance of the internal audit activities.



(3)
Outsourcing of internal audit activities. Banks may outsource, in accordance with existing BSP regulations on outsourcing, internal audit activities except for areas covered by existing statutes on deposit secrecy. Outsourcing of internal audit activities shall however, be done on a limited basis to have access to certain areas of expertise that are not available to the internal audit function or to address resource constraints. Provided, That: The internal audit activity shall not be outsourced to the bank ™s own external auditor/audit firm nor to internal audit service provider that was previously engaged by the bank in the same area intended to be covered by the internal audit activity that will be outsourced, without a one-year œcooling of  period. Provided, further, That: The head of the bank's internal audit function shall ensure that the knowledge or inputs from the outsourced experts shall be assimilated into the bank to the greatest extent possible.



Non-complex thrift, rural and cooperative banks on the other hand, shall be allowed to outsource internal audit activities covering all areas of bank operations except for areas covered by existing statutes on deposit secrecy. Provided, That: The board of directors, through the audit committee, shall be ultimately responsible for the conduct of audit on areas covered by existing statutes on deposit secrecy.



(4)
Internal audit function of branches of foreign banks. Branches of foreign banks may establish their own internal audit function or may be covered by the regional/group internal audit function. Provided, That: in case the regional/group internal audit function performs the internal audit activities in branches of foreign banks, the Senior Management team in branches of foreign banks shall conduct a periodic self-assessment of the effectiveness of internal control, risk management and governance systems and processes in the branch and report the results thereof to the regional/group internal audit function to ensure that the scope of internal audit activities is adequate considering the size, risk profile and complexity of operations of the branch. Provided, further, That the regional/group internal audit function shall likewise inform the senior management team in branches of foreign banks of the results of internal audit conducted. Provided, finally, That in cases when the risk assessment of the senior management team in branches of foreign banks or of the BSP differs from the risk assessment of the regional/group internal audit function, the senior management team in branches of foreign banks or the BSP may require the regional/group internal audit function to subject the branch to an immediate or more frequent internal audit.



b)
Sec. X186.1. Qualifications of the Head of the Internal Audit Function. The head of the internal audit function must have an unassailable integrity, relevant education/experience/training, and has an understanding of the risk exposures of the bank, as well as competence to audit all areas of its operations. He must also possess the following qualifications:



(1)
The head of the internal audit function of a universal bank (UB) or a commercial bank (KB) must be a Certified Public Accountant (CPA) or a Certified Internal Auditor (CIA) and must have at least five (5) years experience in the regular audit (internal or external) of a UB or KB as auditor-in-charge, senior auditor or audit manager. He must possess the knowledge, skills, and other competencies to examine all areas in which the institution operates. Professional competence as well as continuing training and education shall be required to face up to the increasing complexity and diversity of the institution ™s operations.
(2)
The head of the internal audit function of a complex thrift bank (TB), rural bank (RB) and cooperative bank (Coop Bank); quasi-bank (QB) and; trust entity must be a graduate of any accounting, business, finance or economics course with technical proficiency on the conduct of internal audit and must have at least five (5) years experience in the regular audit (internal or external) of a TB, national Coop Bank, QB or trust entity or, at least three (3) years experience in the regular audit (internal or external) of a UB or KB.
(3)
The head of the internal audit function of a simple or non-complex TB, RB and Coop Bank; and non-stock savings and loan association (NSSLA) must be a graduate of any accounting, business, finance or economics course with technical proficiency on the conduct of internal audit and must have at least two (2) years experience in the regular audit (internal or external) of a UB, KB, TB, RB, Coop Bank, QB or NSSLA.



A qualified head of the internal audit function of a UB or a KB shall be qualified to audit TBs, RB, Coop Banks, QBs, trust entities, NSSLAs, subsidiaries and affiliates engaged in allied activities, and other financial institutions under BSP supervision. A qualified internal auditor of a complex TB, RB and Coop Bank; QB and; trust entity shall likewise be qualified to audit non-complex TB, RB and Coop Bank and NSSLA.



The head of the internal audit function shall be appointed/reappointed or replaced with prior approval of the audit committee. In cases when the head of the internal audit function will be replaced, the bank shall report the same and the corresponding reason for replacement to the appropriate supervising department of the BSP within five (5) days from the time it has been approved by the board of directors.



c)
Sec. X186.2 Duties and responsibilities of the head of the internal audit function or the Chief Audit Executive.



(1)
To demonstrate appropriate leadership and have the necessary skills to fulfill his responsibilities for maintaining the unit's independence and objectivity;
(2)
To be accountable to the board of directors or audit committee on all matters related to the performance of its mandate as provided in the internal audit charter. The head of the internal audit function shall submit a report to the audit committee or board of directors on the status of accomplishments of the internal audit unit, including findings noted during the conduct of the internal audit as well as status of compliance of concerned departments/units.
(3)
To ensure that the internal audit function complies with sound internal auditing standards such as the Institute of Internal Auditors ™ International Standards for the Professional Practice of Internal Auditing and other supplemental standards issued by regulatory authorities/government agencies, as well as with relevant code of ethics;
(4)
To develop an audit plan based on robust risk assessment, including inputs from the board of directors, audit committee and senior management and ensure that such plan is comprehensive and adequately covers regulatory matters. The head of the internal audit function shall also ensure that the audit plan, including any revisions thereto, shall be approved by the audit committee;
(5)
To ensure that the internal audit function has adequate human resources with sufficient qualifications and skills necessary to accomplish its mandate. In this regard, the head of the internal audit function shall periodically assess and monitor the skill-set of the internal audit function and ensure that there is an adequate development program for the internal audit staff that shall enable them to meet the growing technical complexity of banking operations.



d)
Subsection X186.3 Professional competence and ethics of the internal audit function. The internal audit function shall be comprised of professional and competent individuals who collectively have the knowledge and experience necessary in the conduct of an effective internal audit on all areas of bank ™s operations. The skill set of the internal audit staff shall be complemented with appropriate audit methodologies and tools as well as sufficient knowledge of auditing techniques in the conduct of audit activities.



All internal audit personnel shall act with integrity in carrying out their duties and responsibilities. They should respect the confidentiality of information acquired in the course of the performance of their duties and should not use it for personal gain or malicious actions. Moreover, internal audit personnel shall avoid conflicts of interest. Internally-recruited internal auditors shall not engage in auditing activities for which they have had previous responsibility before a one-year œcooling off  period has elapsed. The internal audit personnel shall adhere at all times to the bank ™s Code of Ethics as well as to an established code of ethics for internal auditors such as that of the Institute of Internal Auditors.



e)
Subsection X186.4. Independence and objectivity of the internal audit function. The internal audit function must be independent of the activities audited and from day-to-day internal control process. It must be free to report audit results, findings, opinions, appraisals and other information through clear reporting line to the board of directors or audit committee. It shall have authority to directly access and communicate with any officer or employee, to examine any activity or entity of the bank, as well as to access any records, files or data whenever relevant to the exercise of its assignment.



If independence or objectivity of internal audit function is impaired, in fact or appearance, the details of the impairment must be disclosed to the audit committee. Impairment to organizational independence and individual objectivity may include, but is not limited to, personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations, such as funding.



The internal audit function shall inform senior management of the results of its audits and assessment. Senior management may consult the internal auditor on matters related to risks and internal controls without tainting the latter ™s independence. Provided, That: the internal auditor shall not be involved in the development or implementation of policies and procedures, preparation of reports or execution of activities that fall within the scope of his review.



Staff of the internal audit function shall be periodically rotated, whenever practicable, and without jeopardizing competence and expertise to avoid unwarranted effects of continuously performing similar tasks or routine jobs that may affect the internal auditor's judgment and objectivity.



f)
Subsection X186.5 Internal audit charter. Banks shall have an internal audit charter approved by the board of directors. The internal audit charter shall be periodically reviewed by the head of the internal audit function and any changes thereto shall be approved by the board of directors.



The internal audit charter shall establish, among others, the following:



(1)
Purpose, stature and authority, and responsibilities of the internal audit function as well as its relations with other control functions in the bank. The charter shall recognize the authority of the internal audit function, to initiate direct communication with any bank personnel; to examine any activity or entity; and to access any records, files, data and physical properties of the bank, in performing its duties and responsibilities;
(2)
Standards of independence, objectivity, professional competence and due professional care, and professional ethics;
(3)
Guidelines or criteria for outsourcing internal audit activities to external experts;
(4)
Guidelines for consulting or advisory services that may be provided by the internal audit function;
(5)
Responsibilities and accountabilities of the head of the internal audit function;
(6)
Requirement to comply with sound internal auditing standards such as the Institute of Internal Auditors ™ International Standards for the Professional Practice of Internal Auditing and other supplemental standards issued by regulatory authorities/government agencies, as well as with relevant code of ethics; and
(7)
Guidelines for coordination with the external auditor and supervisory authority.



g)
Subsection X186.6. Scope. All processes, systems, units, and activities, including outsourced services, shall fall within the overall scope of the internal audit function. The scope of internal audit shall cover, among others, the following:



(1)
Evaluation of the adequacy, efficiency and effectiveness of internal control, risk management and governance systems in the context of current and potential future risks;
(2)
Review of the reliability, effectiveness and integrity of management and financial information systems, including the electronic information system and electronic banking services;
(3)
Review of the systems and procedures of safeguarding the bank ™s physical and information assets;
(4)
Review of compliance of trading activities with relevant laws, rules and regulations;
(5)
Review of the compliance system and the implementation of established policies and procedures; and
(6)
Review of areas of interest to regulators such as, among others monitoring of compliance with relevant laws, rules and regulations, including but not limited to the assessment of the adequacy of capital and provisions; liquidity level; regulatory and internal reporting.

Section 4. Trust Operations. The provisions of Subsection X426.1 of the MORB shall now read as follows:

a)
X426.1 Internal audit. The bank ™s internal auditor shall include among his functions, the conduct of annual audit of the trust department or investment management department. However, should the board of directors, in a resolution entered in its minutes, require the internal auditor to adopt a suitable continuous audit system to supplement and/or to replace the performance of the annual audit, the audit may be conducted in intervals commensurate with the assessed levels of risk in trust and investment management operations; Provided, That such intervals shall be supported and reassessed regularly to ensure appropriateness given the current risk and volume of the trust and investment management operations. In any case, the audit shall ascertain whether the institution's trust and other fiduciary business and investment management activities have been administered in accordance with laws, BSP rules and regulations, and sound trust or fiduciary principles.

Section 5. Applicability to non-bank financial institutions. The provisions of this Circular shall likewise apply to non-bank financial institutions and shall amend the relevant provisions of the Manual of Regulations for Non-Bank Financial Institutions (MORNBFI) as follows:

a)
Sections 1 and 2 of this Circular shall likewise amend Section 4185Q of the MORNBFI.
b)
Subsections 3.a.1 to 3.a.3 and Subsections 3.b to 3.g of this Circular shall likewise amend Subsection 4185Q.9, Section 4186Q, and Subsections 4186Q.2 to 41860.4 of the MORNBFI with the following changes:


"Section 3.a.3. Outsourcing of internal audit activities. QBs that are not part of group structures may outsource, in accordance with existing BSP regulations on outsourcing, internal audit activities covering all areas of its operations. Provided, That: the board of directors of the QB shall remain ultimately responsible for the conduct of effective internal audit. Provided, further, That: The internal audit activities shall not be outsourced to the QB ™s own external auditor/audit firm nor to internal audit service provider that was previously engaged by the QB in the same area intended to be covered by the internal audit activity that will be outsourced, without a one-year "cooling off" period.
c)
Section 4 of this Circular shall likewise amend Section 4426Q.1 of the MORNBFI.
d)
Sections 1 and 2 of this Circular shall be adopted under Section 4163S of the MORNBFI.
e)
Subsections 3.a.1 to 3.a.3 and Subsections 3.b to 3.g of this Circular shall likewise amend Section 4164S and Subsections 4164S.1 to 4164S.4 of the MORNBFI with the following changes:


"Section 3.a.3. Outsourcing of internal audit activities. NSSLAs may outsource, in accordance with existing BSP regulations on outsourcing, internal audit activities covering all areas of its operations. Provided, That: the board of trustees of the NSSLA shall remain ultimately responsible for the conduct of effective internal audit. Provided, further, That: The internal audit activity shall not be outsourced to the NSSLA ™s own external auditor/audit firm nor to internal audit service provider that was previously engaged by the NSSLA in the same area intended to be covered by the internal audit activity that will be outsourced, without a one-year "cooling off" period.


f)
Sections 1 and 2 of this Circular shall likewise be adopted under Section 4163N of the MORNBFI.
g)
Subsections 3.a.1 to 3.a.3 and Subsections 3.b to 3.g of this Circular shall likewise amend Section 4164N and Subsections 4164N.1 to 4164N.4 of the MORNBFI with the following changes:


"Section 3.a.3. Outsourcing of internal audit activities. NBFls may outsource, in accordance with existing BSP regulations on outsourcing, internal audit activities covering all areas of its operations. Provided, That: the board of directors of the NBFI shall remain ultimately responsible for the conduct of effective internal audit. Provided, further, That: The internal audit activity shall not be outsourced to the NBFl ™s own external auditor/audit firm nor to internal audit service provider that was previously engaged by the NBFI in the same area intended to be covered by the internal audit activity that will be outsourced, without a one-year "cooling of" period.

Section 6. Repealing Clause. This Circular supersedes/amends/modifies the provisions of existing circulars, memoranda, and/or regulations that are inconsistent herewith.

Section 7. Effectivity. This Circular shall take effect fifteen (15) calendar days after its publication either in the Official Gazette or in a newspaper of general circulation.


FOR THE MONETARY BOARD:

(SGD) VICENTE S. AQUINO
Officer-in-Charge