Responsibility

In line with the Section 3 (8) (ii) (b) of the Banking Act Direction No. 11 of 2007, and principle D.1.5 of the Code of Best Practice on Corporate Governance 2017 (Code) issued by CA Sri Lanka, the Board of Directors presents this Report on Internal Control.

The Board of Directors (the Board) is responsible for the adequacy and effectiveness of the system of internal controls in place at Commercial Bank of Ceylon PLC (the Bank). However, such a system is designed to manage the Bank’s key areas of risk within an acceptable risk profile, rather than to eliminate the risk of failure to achieve the policies and business objectives of the Bank. Accordingly, the system of internal controls can only provide reasonable but not absolute assurance against material misstatements of management and financial information and records or against financial losses or fraud.

The Board has established an ongoing process for identifying, evaluating, and managing the significant risks faced by the Bank and this process has been in place for the year under review which includes enhancing the system of internal controls as and when there are changes to the business environment or regulatory guidelines. The process is regularly reviewed by the Board and accords with the “Guidance for Directors of Banks on the Directors’ Statement on Internal Control” issued by CA Sri Lanka. The Board has assessed the internal controls taking into account all main principles for the assessment of internal control system as given in that guidance.

The Board is of the view that the system of internal controls in place over financial reporting is sound and adequate to provide reasonable assurance regarding the reliability of financial reporting, and that the preparation of Financial Statements for external purposes is in accordance with relevant accounting principles and regulatory requirements.

The Management assists the Board in the implementation of the Board’s policies and procedures on risks and controls by identifying and assessing the risks faced, and in the design, operation, and monitoring of suitable internal controls to mitigate and control these risks.

Key features of the process adopted in applying and reviewing the design and effectiveness of the internal control system on financial reporting

The key processes that have been established in reviewing the adequacy and integrity of the system of internal controls with respect to financial reporting include the following:

• Various appointed committees are established by the Board to assist the Board in ensuring the effectiveness of the Bank’s daily operations and that the Bank’s operations are conducted in line with the corporate objectives, strategies and the annual budget as well as the policies and business directions that have been approved.
• Policies/Charters are developed covering all functional areas of the Bank and these are recommended by Board appointed committees and are approved by the Board. Such policies and charters are reviewed and approved periodically.
• The Inspection/Internal Audit Department/ IS Audit Unit of the Bank checks for compliance with policies and procedures and the effectiveness of the internal control systems/information system controls on an ongoing basis using samples and rotational procedures and highlights significant findings in respect of any non-compliance. On-site, Online and Off-site audits are carried out covering all departments, branches, subsidiaries and overseas operations in accordance with the annual audit plan reviewed and approved by the BAC. The type/frequency of audits of business units are determined by the level of risk assessed, to provide an independent and objective report. Findings of the internal audits are submitted to the BAC for review at their periodic meetings. Initiatives taken by Inspection/Internal Audit Department to audit certain selected areas of the business “online” during the year 2016 on a limited scope, were expanded to cover all branches in Sri Lanka and Bangladesh, Corporate Banking Unit, Digital Banking Unit, Card Centre, Treasury, Finance, and Subsidiaries – CBC Finance Limited, Commercial Bank of Maldives Private Limited and CBC Myanmar Microfinance Company Limited during 2020 as well. Scope of online, near time and real time audits was further enhanced to cover high risk transactions of the Bank during COVID-19 pandemic. In addition, monitoring over cybersecurity controls, modifications to core banking systems/databases was further strengthened utilising appropriate tools/techniques and resources. Through this initiative, the controls are being tested on a near or real time basis. A significant improvement in methodology was made by testing the entire population of the data rather than on a sample selected on a random basis. Also Off-site/Online audit were introduced during 2020 to test and verify internal controls relating to credit area of branches. The findings were tabled at the meetings of the BAC for review. The “Online Auditing” initiative has further strengthened the review of the design and effectiveness of the internal control system of the Bank.
• The BAC reviews internal control issues identified by the Internal Audit Department, regulatory authorities, External Auditors and the Management, and evaluates the adequacy and effectiveness of the risk management and internal control systems. The BAC also carries out an annual evaluation to review the effectiveness of the internal audit function with particular emphasis on the scope, quality, independence of internal audit, and the resources. The minutes of the BAC meetings are tabled at the meetings of the Board of Directors of the Bank on a periodic basis. Details of the activities undertaken by the BAC are set out in the “Report of the Board Audit Committee” which appears in the section on Board Committee Reports.
• In assessing the internal control system over financial reporting, identified officers of the Bank continued to review and update all procedures and controls that are connected with significant accounts and disclosures of the Financial Statements of the Bank. The Internal Audit Department continued to verify the suitability of design and effectiveness of these procedures and controls on an ongoing basis. The assessment included both local and foreign subsidiaries and the Bangladesh operations of the Bank as well.

Effective from January 01, 2018, the Bank adopted the Sri Lanka Accounting Standard - SLFRS 9 on “Financial Instruments”, which replaced the “incurred loss” model used under LKAS 39 with the forward looking “expected credit loss” model to calculate impairment provisions. This new methodology of computing impairment provisions had a significant impact on the Bank’s methodology adopted on calculating the impairment losses for loans and advances. The processes that are required to comply with new requirements of recognition, measurement, presentation, and disclosures were introduced and implemented and were continuously strengthened based on the feedback received from the External Auditor, Internal Audit Department, regulators, and the BAC. Continuous monitoring is in progress and steps are being taken to make further improvements to the processes where required, to enhance effectiveness and efficiency. The Bank has documented procedures relating to these new requirements and updates the procedure manuals as and when necessary and also obtained approval of the BAC and the Board for changes made to the documented procedures. The Bank’s Internal Audit Department commenced testing these processes since first quarter of 2013 and continued to do so in 2020 as well. The outcome of such exercise was tabled regularly for review by the BAC during the year 2020. Having recognised the need to introduce an automated platform for various computations required under SLFRSs and LKASs including loan impairments, the Bank signed up with a renowned software solutions provider to automate impairment calculations and this project is expected to be completed during 2021. With the implementation of the above software system, it is expected to eliminate manual intervention in calculating impairment provisions to a great extent.

The comments made by the External Auditor in connection with the internal control system over financial reporting in previous years were reviewed during the year and necessary steps have been taken to address them where appropriate. The recommendations made by the External Auditor in 2020 in connection with the internal control system over financial system will be dealt with in the future.

The Assurance Report of the External Auditors in connection with internal control over financial reporting appears in the section on Independent Assurance Report.

Confirmation

Based on the above processes, the Board of Directors confirms that the financial reporting system of the Bank has been designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of Financial Statements for external purposes has been done in accordance with the Sri Lanka Accounting Standards and regulatory requirements of the Central Bank of Sri Lanka.

Review of the statement by external auditors

The External Auditor, Messrs Ernst & Young, has reviewed the above Directors’ Statement on Internal Control included in this Annual Report of the Bank for the year ended December 31, 2020 and reported to the Board that nothing has come to their attention that causes them to believe that the statement is inconsistent with their understanding of the process adopted by the Board in the review of the design and effectiveness of the internal control system over financial reporting of the Bank. Their independent assurance report on the “Directors’ Statement on Internal Control over Financial Reporting” is given in the section on Governance and Risk Management of this Annual Report.

By Order of the Board,