Internal Control is the process designed and effected by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of the DFCC Bank PLC’s (Bank) objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations.
Internal control consists of the following components:
- The control environment;
- The entity’s risk assessment process;
- The information system, including the related business processes, relevant to financial reporting and communication;
- Control activities; and
- Monitoring of controls.
The subset of this wider internal control system is the internal controls designed and implemented to provide reasonable assurance regarding the reliability of the financial reporting, and that the preparation of financial statements for external purposes has been done in accordance with relevant accounting principles and regulatory requirements.
The Board of Directors acknowledge their responsibility for the adequacy and effectiveness of the Bank’s system of internal controls which is designed to provide assurance on the maintenance of proper accounting records and the reliability of financial information generated, and safeguarding of the assets of the Bank.
However, such systems are designed to manage the Bank’s key exposures to risk within acceptable risk parameters, rather than to eliminate the risk of failure to achieve the business goals and objectives of the Bank. Therefore, the system of internal controls can only provide reasonable and not absolute assurance against errors or material misstatement of management and financial information and records or against financial losses or fraud.
Framework for Managing Material Risks of the Bank
The Board has set up an ongoing process for identifying, monitoring and managing the material risks faced by the Bank. This includes establishment of a dedicated Risk Management Department that provides regular reports on various risks, subject to an oversight by the Internal Audit Department through Internal Audit Reports that enables the Audit Committee to review the adequacy and effectiveness of the system of internal controls continuously to match the changes in the business environment or regulatory guidelines. In making this assessment, all key processes relating to material or significant transactions capture and recording in the books of accounts are identified and covered on an ongoing basis that is compatible with the guidance for Directors of Banks on the Directors’ Statement of Internal Control issued by The Institute of Chartered Accountants of Sri Lanka.
Key Internal Control Processes
- The Board has established Committees to assist the Board in exercising an oversight on the effectiveness of the Bank’s daily operations and ensuring that they are in accordance with the corporate objectives, strategies and the budgetary targets as well as the policies and business directions that have been approved.
- The Internal Audit Department of the Bank verifies compliance of operations with policies and procedures and the effectiveness of the internal control systems and highlights significant findings in respect of any non-compliance. Audits are carried out on all units and branches, the frequency of which are determined by the level of risk assessed, to provide an independent and objective report on operational and management activities of these units and branches. The annual audit plan is reviewed and approved by the Audit Committee and the findings of the audits are submitted to the Audit Committee for review at their periodic meetings.
- The Audit Committee of the Bank reviews internal control issues identified by the internal audit, the External Auditors, regulatory authorities and management and evaluates the adequacy and effectiveness of the risk management and internal control systems. They also review the internal audit function focusing on the scope of audits and the quality of reporting. The minutes of the Audit Committee meetings are tabled for the information of the Board on a periodic basis. Further details of the activities undertaken by the Audit Committee of the Bank are set out in the Audit Committee Report.
- The Board Integrated Risk Management Committee (BIRMC) is established by the Board to assist the Board to oversee the overall management of principal areas of risk of the Bank. The BIRMC includes representation from all key business and operations areas of the Bank and assists the Board in the implementation of policies, procedures and controls identified by the BIRMC.
- Operational Committees have also been established with appropriate mandates to ensure effective management and supervision of the Bank’s core areas of business operations. These committees include the Management Committee, the Credit Committee, the Asset/Liability Committee, the Impairment Assessment Committee and the Information Technology Steering Committee.
The key processes that have been established in reviewing the adequacy and integrity of the system of internal controls include the following:
Assessment of the Adequacy and Effectiveness of Internal Control
Although this process is carried out every year on a continuing basis, the Direction on Corporate Governance issued by the Central Bank of Sri Lanka requires the Board of Directors to provide a separate report on the Bank’s Internal Control mechanism that confirms that the financial reporting system has been designed to provide reasonable assurance regarding the reliability of financial reporting and that the preparation of financial statements for external purposes has been done in accordance with relevant accounting principles and regulatory requirements, supplemented with independent certification by the Auditor. The Auditors provide the independent Assurance Report in accordance with Sri Lanka Standard on Assurance Engagements (SLSAE) – 3050 issued by The Institute of Chartered Accountants of Sri Lanka.
In order to facilitate the tasks of the Auditors to issue the Independent Assurance Report, the SLSAE – 3050 requires documentation of all procedures and controls that are related to significant accounts and disclosures of the financial statements of the Bank with audit evidence of checks performed by the Bank on an ongoing basis.
The risk-based Internal Audit Plan implemented by the Internal Audit Department in consultation with the Board Committee on Audit specifically included on a sample basis, independent verification that the internal control process documented by the Bank and supported with audit evidence was in fact carried out on an ongoing basis.
Transition to New Sri Lanka Accounting Standards
Consequent to full convergence of Sri Lanka Accounting Standards with International Financial Reporting Standards and International Accounting Standards that became effective from the financial year to 31 March 2013, the bank implemented a process to make required adjustments to the financial statements prepared under the previous accounting standards. The process for making necessary adjustments continue to be made based on Excel software application. The process followed by the Bank for quantification of adjustments is continually reviewed and improved based on feedback received from the External Auditors and Internal Auditors. The testing of such process by the internal audit was carried out during the Period. These processes will be further improved on an ongoing basis.
The comments made by the External Auditors in connection with internal control system in the financial year to
31 March 2015 were reviewed during the current period and appropriate steps have been taken to rectify them. The recommendations made by the External Auditor, KPMG for the 9 months ended 31 December 2015 in connection with the internal control system will be addressed in the future.
The Directors are of the opinion that these recommendations are intended to further improve the internal control system and they do not any way detract from the conclusion that the financial reporting system is reliable to provide reasonable assurance that the financial statements for external use are true and fair and complies with Sri Lanka Accounting Standards and the regulatory requirements of the Central Bank of Sri Lanka.
This assessment of internal control process is confined to the Bank including DFCC Vardhana Bank PLC up to September 2015 on a standalone basis and for the combined entity from October 2015 to 31 December 2015, and did not include its other subsidiaries.
Based on the above processes, the Board confirms that the financial reporting system of the Bank has been designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes is in accordance with
Sri Lanka Accounting Standards and regulatory requirements of the Central Bank of Sri Lanka.
Review of the Statement by External Auditors
The External Auditors have reviewed the above Directors’ Statement on Internal Control for the 9 months ended 31 December 2015 and their Independent Assurance Report is on this report.
By Order of the Board,
P M B Fernando
Chairman - Audit Committee
C R Jansz
Chairman - Board of Directors
A R Fernando
24 February 2016