Page 1 of 18

Internal Control and Compliance risk management has been a

significant and indispensable part of the banking organization to
flourish efficiency and effectiveness of management and to uplift
corporate governance. And Private Commercial banks in
Bangladesh are no exception of that.
Internal Control and Compliance risk management is a separate
department, full of diversified and structural mechanism which
doesnt let just cover internal audit or audit works, it
encompasses plenty of other significant core issues like internal
control body, establishing policy guidelines, internal rules and
regulations, complying with persistent laws and central banks
legal procedures.
This report is aimed for extracting something out which are:
To outline the standardized measurement criteria for the
Private commercial banks as per Bangladesh Banks
regulatory manuals.
To grow a practical experience in our mind about internal
control and compliance risk management in two private
commercial banks namely AB Bank and BRAC Bank ltd.
To bring the real picture out of the internal control
department and compliance culture in AB Bank and BRAC
Bank.
We have identified that both of the assigned banks AB Bank and BRAC Bank follow the
framework for internal control system and compliance regulations provided by Bangladesh
Bank with a reasonable and expected extent. They have a structured plan to improve their
internal control and compliance risk management more in successive periods.
The overall scenario of the internal control department and compliance risk management is
seemingly satisfactory. But there are scopes to improve in some areas.
It is really a bit tougher to recommend or suggest something to spot out any shortfall or any
major inconsistency in these two banks. Nevertheless, we think that the compliance culture
should be in a more regulated and structured way and Bangladesh Bank can update its
framework for internal control systems to keep pace our banking industry with the competitive
globalized banking community.


Executive
Summary
Page 2 of 18

Introductory Discussion on of the Topic:

Effective internal controls are the foundation of safe and sound banking. A properly designed
and consistently enforced system of operational and financial internal control helps a banks
board of directors and management safeguard the banks resources, produce reliable financial
reports, and comply with laws and regulations. Effective internal control also reduces the
possibility of significant errors and irregularities and assists in their timely detection when they
do occur.

Internal Control and Compliance risk management is not a new discovery as it effects
the whole of any organization. Effective internal control mechanism, sound corporate
governance, transparency, accountability have become significant issues to pave the way for
the banking industry to smooth performance. Banking has a diversified and complex financial
activity which is no longer limited within the geographic boundary of a country. Since its activity
involves high risk, the issue of effective internal control system, corporate governance,
transparency, accountability has become significant issues to ensure smooth performance of
the banking industry throughout the world. In many banks internal control is identified with
internal audit; the scope of internal control is not limited to audit work. It is an integral part of
the daily activity of a bank, which on its own merit identifies the risks associated with the
process and adopts a measure to mitigate the same. Internal Audit on the other hand is a part
of Internal Control system which reinforces the control system through regular review.

In Bangladesh, analysis on the performances of the banks has pointed out that an effective
internal control system could have contributed significantly in improving the performance of
the commercial banks if the control culture is brought in through policy guidelines and
structural changes at these banks.






Page 3 of 18


Literature Review
According to an IMF publication Internal Control refers to the mechanism in place on a
permanent basis to control the activities in an organization, both at a central and at a
departmental/divisional level. A key component of effective internal control is the operation of
a solid accounting and information system.
Internal Control is a process, effected by an organizations board of directors,
management and other personnel, to provide reasonable assurance regarding
achievement of objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
- COSO

Definition

Internal control is the process, effected by a company's board of directors, management and
other personnel, designed to provide reasonable assurance regarding the achievement of
objectives in the effectiveness and efficiency of operations, the reliability of financial reporting
and compliance with applicable laws, regulations, and internal policies.
Internal controls are the policies and procedures established and implemented alone, or in
concert with other policies or procedures, to manage and control a particular risk or business
activity, or combination of risks or business activities, to which the company is exposed or in
which it is engaged.





Page 4 of 18



Objective of Internal Control

The primary objective of internal control system in a bank is to help the bank perform better
through the use of its resources. Through internal control system bank identifies its weaknesses
and takes appropriate measures to overcome the same. The main objectives of internal control
are as follows:
Efficiency and effectiveness of activities (performance objectives).
Reliability, completeness and timelines of financial and management information
(information objectives)
Compliance with applicable laws and regulations (compliance objectives)













Page 5 of 18



RESEARCH METHODOLOGY

The study contains both primary & secondary data. Primary data have been collected through
personal interview from respondents using the structured questionnaire. We were assigned
two banks first, BRAC Bank & Dhaka Bank respectively as sample. Later for data collection
problem with Dhaka Bank we have changed Dhaka Bank and select AB Bank with required
permission of our course instructor. So the target sample of the study was BRAC Bank & AB
Bank which have Internal control and compliance risk management for their business
operation. On the other hand secondary data were accumulated from related Annual reports of
the banks, published text books, related journals and web sites of the banks and Bangladesh
Banks. Participants were asked to help us to complete a questionnaire which consisted of
questions relating to Bangladesh Banks guidelines. Questionnaires have distributed to those
people who have a clear idea about Internal Control & Compliance Risk Management. The
questionnaires were all hand delivered with face to face talking.

ASSUMPTION OF THE STUDY

There is no research work which is free from assumptions. For every research, few assumptions
will have to be made. The assumptions are made with respect to the respondents, organization
& its conditions hoping that the results will be that of the presented objectives.
Collection of data through personal interview with structured questionnaire is easy and
correct.
The research methodology for the study is appropriate.
The sample size of two banks to analyze Internal Control & Compliance Risk
management is adequate and it represents the population of the study.



Page 6 of 18



ANALYSIS & FINDINGS

INTERNAL CONTROL UNIT:
Analysis:
Every banking organization must have a department or unit for internal control. The total
internal control system will work as per the directions delivered from this department. This
department features the process, policy guidelines or any other regulatory issues and
implement it properly as it thinks fit for its organization.
This department should have a structured organogram including banks managing director and
Board of Directors with their departmental officials and staffs headed by the head of the
department.
This department is to set out the internal control policies and other necessary guidelines to
ensure a transparent governance system.


Findings:

AB Bank

AB Bank ltd. has an internal control unit named as Internal Control & Compliance Division (ICCD)
in its organizational structure.
This department is basically designed as follows:


Page 7 of 18


BRAC Bank

BRAC Bank has also a structured internal control unit named as Regulatory & Internal Control
Department (R&ID) in its organizational structure.
This department is basically designed as follows:










MD & CEO
Company secretary and Head of Legal, Regulatory & Internal Control
Sr. manager (Legal) Head of Regulatory & Internal Control (TBA) Manager, Company Secretariat
Sr. Manager,
Compliance &
Monitoring (1)
Sr. Manager, IT
Audit & system
security (1)
Sr. Manager,
Internal audit &
Inspection, HO &
ROC (1)
Sr. Manager,
Internal Audit
& Inspection,
Br, SME, ROC,
RBO, SBO (1)
Company
Secretariat
Officer (1)
Associate
Manager,
Compliance
(1)
Page 8 of 18

INTERNAL CONTROL MANUAL:
Analysis:
This manual should contain three parts internal control over the operating activities of bank
(here, audit means the internal audit). They will monitor the functions of various departments
of the bank periodically on regular basis. Depending on the requirement they should carry out
inspection, surprise inspection in order to help avoiding any fraudulent activities which in turn
would strengthen the bank to set up sound structural base.
o Know Your Customer Policy (KYC)
o Code of Conduct / Ethics
o Gift giving & acceptance
o Monitoring Procedures
o Audit Guidelines

Findings:
AB Bank has a KYC policy where BRAC Bank has a form-based KYC policy. Both of the banks
informed us that they have a Code of Conduct or Ethics, monitoring procedures and separate
Audit Guidelines. AB Bank strictly prohibits any sort of gift giving to the auditors.
AUDIT MECHANISM:
Audit Mechanism refers to the type of audit design used to perform auditing activities in banks.
Here Both AB Bank and BRAC Bank apply RISK BASED AUDIT program where AB Bank uses
internal control questionnaire for only its Principal Office and they perform a Risk Weighted
Score Measurement to measure the risk management.

AUDIT COMMITTEE:

Analysis:
Every bank must have a separate internal audit committee as per Bangladesh banks internal
Control regulation. Through the establishment of Audit Committee the Board of Directors can
monitor the effectiveness if internal control system. Bangladesh Bank has already instructed
the banks to establish Audit Committee.
Page 9 of 18

Findings:
AB Bank

AB Bank has an internal Audit Committee comprising of a chairman and members.
The Audit Committee Personnel are:
Mr. Faisal M Khan Chairman
Mr. Sajedur Seraj Member
Mr. Golam Sarwar Member
Mr. Muhammad Tipu Sultan Member
Mr. D. S. Faisal Hyder Member

BRAC Bank

BRAC Bank also has an Audit Committee comprised of three members from the Board of
Directors including one independent director. The Audit Committee Personnel are:
Mr. Shib Narayan Kairy Chairman
Mr. Muhammad A. (Rummee) Ali Member
Ms. Nihad Kabir Member
Mr. Rais Uddin Ahmad Secretary

INTERNAL AUDIT SYSTEM
Analysis:
The internal control department requires a well-set internal audit system for the measurement
of the effectiveness of the organization. It covers an internal audit committee which we have
covered in the very earlier topic of our analysis and regulatory formulation.
Page 10 of 18

Findings:
Both of the banks AB bank and BRAC bank do have a structured internal audit system in their
respective organization. But BRAC bank adopts AUDIT UNIVERSE type of audit system which is
enabled to check Non-compliance and work as Key Risk Indicator (KRI) simultaneously.
MANCOM (Management Committee)
Analysis:
In setting out a strong internal control framework within the organization the role of Managing
Director is very important. The senior management will establish a Management Committee
(MANCOM), which will be responsible for the overall management of the bank.
The statutory functions of MANCOM are:
o MANCOM will put in place policies & procedures, identify measure, monitor and control
these risks with governance & guidance from the Board of Directors.
o MANCOM will put in place an internal control structure in the banking organization to
assign clear responsibility, authority and reporting relationship.
o MANCOM will monitor the adequacy and effectiveness of the internal control system
based on the banks established policy and procedures.
o MANCOM will review on a yearly basis the overall effectiveness of the internal control
system of the organization and provide a certification yearly to the Board of Directors.

Findings:
AB Bank
Obviously. AB Bank has a well-constituted 13 man MANCOM headed by their President & MD.
MANCOM of AB bank holds meeting in a year and the last meeting held in 2008. There is yet to
come out for 2009 but they are thinking that to do this year.
MANCOM review the internal control system on a yearly basis & provides certification to the
Board of Directors over the effectiveness of internal control policy.
BRAC Bank
As usual, BRAC Bank also has a 15-member well-placed MANCOM headed by their Managing
Director & CEO including Deputy MDs, Heads of departments, Company secretary and Chief
Information System.
Page 11 of 18

They exceptionally (MANCOM) holds meeting every month and talks about segregation of
duties, process policy spelled out, strategic alignment, peoples policy and human resource and
other domains. They (MANCOM) review a yearly basis the overall effectiveness of the internal
control system of the organization and provide a certification yearly to the Board of Directors.
DEPARTMENTAL CONTROL FUNCTIONS CHECKLIST (DCFCL):
Analysis:
The functions of DCFCL are as follows:
o The guideline/procedure deals with matters relating to review/verifications of
Departmental functions to ensure that prescribed procedures are being followed by
each department.
o All departments are required to check that prescribed controls are being observed and
laid down procedures are not overlooked & relaxed.
o Departmental Managers, Line Managers, Branch Managers will review the DCFCL to
ensure that control functions are performed and documented in the control sheets at
the prescribed frequencies i.e. Daily, weekly, monthly and quarterly.
o The DCFCL Checklist should be retained with the branch/departments for future
inspection by Internal Control and Senior Management.


Findings:
AB Bank
There is a Departmental Control Function Checklist (DCFCL) to verify the departmental
functions and prescribe controls and procedures.

BRAC Bank
BRAC bank also has a Departmental Control Function Checklist (DCFCL) to verify the
departmental functions and prescribe controls and procedures.
BRAC bank updates its DCFCL yearly and this department sends its forms to the banks officials.
All the branches including remote branches are audited annually to check compliance on
DCFCL, AML (Anti-money laundering), ICC (internal control & compliance), internal policies and
procedures.
Page 12 of 18

LOAN DOCUMENTATION CHECKLIST
Analysis:
The checklist deals with matters relating to security documentation for sanctioning and
drawdown credit facilities to ensure that prescribed documentation is being obtained to
safe guard banks legal charge.

Findings:
AB Bank
AB Bank follows a Loan Documentation Checklist system to care about their loan sanctioning
and drawdown of credit facilities.

BRAC Bank
BRAC Bank also adopts Loan Documentation Checklist system to care about their loan
sanctioning and drawdown of credit facilities as they described about their diversified loan as
for instance, 57% mortgage free loan for the poorer section of the society. Management check
with T forms including loan application forms, guarantors copy but they dont get the copy of
the lease agreement if held.

CREDIT POLICY MANUAL
Analysis:
The main objective of lending money is to ensure maximum return of lendable fund. This
manual should highlight the process starting from review of credit proposals, obligor risk rating,
approving credit limit, disbursement of loans, monitoring of credit risk etc.
Various types of MIS should be provided in order to have better control over assets of the bank.
Risk classes, lending limits and credit authorities
Lending guidelines
Approval processes
Documentations
Secured loans and collaterals

Page 13 of 18

Findings:

AB Bank
They follow the regulations as per the Credit Policy Manual of Bangladesh Bank formulated.
They adopt Credit Policy & Risk Management Guide (CPRMG) as credit risk is one of the
important element of their risk based audit and operational manuals Board Operational manual
(BOM).


BRAC Bank
BRAC Bank also has a separate credit policy manual to comply with the Bangladesh bank
regulations. Besides, they also conform to the VISA standards of Audit Guide, MasterCard
standards, IT standards and SWIFT standards.
Most interestingly, BRAC bank conducts CAMELS rating internally 4 (four) times a year apart
from Bangladesh Banks regulatory CAMELS rating.











Page 14 of 18

Compliance of the Framework of Internal Control Systems
At a Glance:

Subject AB Bank BRAC Bank
Internal Control Unit / Department
Internal Control Manual
Regulatory inspection on the operation
Yearly Audit Plan
Periodic Meeting with Senior Mgt. X
Audit Committee (Internal)
Summary report to the MD & Audit
Committee

Surprise Check
Segregation of Duties
Code of Ethics
Internal Audit System
Participation of employees in the
improvement of internal control system

Access to the external auditors to evaluate &
comment on internal control

MANCOM
Yearly review & Certification by MANCOM
Credit policy manual
Operation manual
Treasury manual X
HR policy manual
Know Your Customer (KYC) policy
Anti-Money Laundering policy
Asset- Liability Committee (ALCO)
DCFCL
Loan Documentation Checklist
Quarterly Operation Report
CAMELS rating
Manpower of the department 96 53



Page 15 of 18



C O N C L U S I O N

To complete our assigned task we collected information from two renowned banks in
Bangladesh namely AB Bank and BRAC bank. We got our level of satisfaction in working and
interacting with these two banks. It was really a comfortable visit to both of the banks as they
approximately maintain full compliance with the framework for the internal control systems of
Bangladesh Bank. They are successful enough to cope with the internal control policy and
compliance with laws and regulations and here we find the difficulty as we hardly can get any
major deficiency or any sort of inconsistency in them.
We think they are not yet in full complacence with their belongings in their respective internal
control and Compliance department; they still hunt for more of better models.












Page 16 of 18



Recommendation of the Study

It is really tough to go for spotting out any major shortfall or any deficiencies in both of the
banks as they fulfilled our level of expectation in that study. Nevertheless, there are some short
areas where they can still go for improving and redefining the job with a plan for instance,
holding regular yearly meeting of MANCOM to increase the professional relationship with the
Board of Directors and building a Treasury Manual for better Treasury management in AB Bank.
And BRAC Banks internal control department can collect the lease agreement papers in case of
more secured Loan Documentation Checklist System.











Page 17 of 18




BIBLIOGRAPHY

1. www.bangladeshbank.org (Bangladesh Banks official website)
2. www.bracbank.com (BRAC Banks website)
3. www.abbank.com.bd (AB Banks website)
4. Framework for the Internal Control System & Compliance of Bangladesh Bank
5. Comptrollers handbook of Internal Control, JAN 2001 (USA)
6. A General Textbook of Banking by L.R Chowdhury














Page 18 of 18



ATTACHMENT

1. Questionnaire on INTERNAL CONTROL & COMPLINCE RISK MANAGEMENT filled by each
bank.
2. Organogram of BRAC Bank
3. Framework of Summary of Risk Based Audit of AB Bank