The central bank is proposing to implement an internal audit function for trust corporations owned by group structures, either by a banking or a non-banking group setup.
The Bangko Sentral ng Pilipinas (BSP) is currently circulating the draft circular amending regulations on the internal audit function of a trust corporation “belonging to a banking group or a group of NBFIs (non-bank financial institutions) to be covered by the group internal audit unit.”
An internal audit function is considered the third line of defense in a system of internal controls. “Internal audit is an independent, objective assurance and consulting function established to examine, evaluate and improve the effectiveness of risk management, internal control, and governance processes of an
organization,” explained the draft circular. As such, it said the internal audit function will “assess and complement the operational management, risk management, compliance and other control functions of a trust corporation.”
The BSP is giving banks and non-banks until August 10 to submit feedback or recommendations on the proposed circular.
The circular basically adopted the same rules on banks’ internal audit function to trust corporations, as stated in the provisions for the permanency of the internal audit function, and the internal audit function for group structures.
Similar with the rules for banks, the BSP said trust corporations that are in group structures will have a permanent internal audit function established either in the trust corporation or centrally by the parent bank or non-bank financial institution.
The BSP is also proposing that trust corporations in group structures will have its own internal audit function or have the group internal audit function perform the internal audit activities of the trust corporation. “In case of the latter, the board of directors of the trust corporation shall conduct a periodic self-assessment of the effectiveness of internal control, risk management and governance systems and processes in the trust corporation and report the results thereof to the group internal audit function to ensure that the scope of internal audit activities
is adequate considering the size, risk profile and complexity of operations of the trust corporation,” said the BSP.
The group internal audit function will be reported directly to the trust corporation’s board of directors. But, in cases when the risk assessment of the trust
corporation’s board of directors or of the BSP differs from the risk assessment of the group internal audit function, the BSP said such cases “may require the group internal audit function to subject the trust corporation to an immediate or more frequent internal audit.”
The proposed circular does not provide or include the outsourcing of internal audit activities of trust corporations, that the “engagement of the services of the group
internal audit function by a trust corporation belonging to a banking group or a group of non-bank financial institutions shall not fall under the
outsourcing framework …”
The outsourcing of internal audit activities are allowed – but limited – for banks except for areas covered by the deposit secrecy law.
But generally, banks are allowed to outsource the internal audit function for certain areas of expertise and where there are “resource constraints”. However financial institutions that are part of group structures can only establish an internal audit function centrally in the parent bank.