Section 3 (8) (ii) (b) of the Banking Act Direction No. 11 of 2007 requires the Board of Directors (“the Board”) to report on the internal control mechanism that confirms that the financial reporting system has been designed to provide reasonable assurance regarding the reliability of financial reporting, and that the preparation of Financial Statements for external purposes has been done in accordance with relevant accounting principles and regulatory requirements. This Report is prepared in line with the said regulatory requirements and Principle D.1.5 of the Code of Best Practices on Corporate Governance issued by the Institute of Chartered Accountants of Sri Lanka (CA Sri Lanka).
The Board acknowledges the responsibility for the adequacy and effectiveness of the DFCC Bank’s (“the Bank”) system of internal controls, which is designed to provide assurance on the maintenance of proper accounting records and the reliability of financial information generated and safeguarding of the assets of the Bank.
However, such systems are designed to manage the Bank’s key exposures to risk within acceptable risk parameters rather than to eliminate the risk of failure to achieve the business goals and objectives of the Bank. Therefore, the system of internal controls can only provide reasonable and not absolute assurance against errors or material misstatement of management and financial information and records or against financial losses and frauds.
Framework of managing material risks of the bank
The Board has set up an ongoing process for identifying, evaluating and managing the material risks faced by the Bank. This process has been in place for the year under review and includes enhancing the system of internal controls as and when there are changes to the business environment and regulatory guidelines.
The Management assists the Board in the implementation of the Board’s policies and procedures on risk and control by identifying and assessing the risks faced in the design, operation and monitoring of suitable internal controls to mitigate and control these risks.
The process is regularly reviewed by the Board and is in accordance with the “Guidance for Directors of Banks on the Directors’ Statement on Internal Control” issued by CA Sri Lanka. The Board has assessed the internal control over financial reporting taking into account relevant principles for the assessment of internal control over financial reporting system as given in the guidance.
The Board is of the view that the framework and the system of internal controls in place are sound and robust to provide reasonable assurance regarding the reliability of financial reporting, and that the preparation of financial statements for external purposes is in accordance with relevant accounting principles and regulatory requirements.
Key Features of the process adopted in applying and reviewing the design and effectiveness of the internal control system over financial reporting
The key processes that have been established in reviewing the adequacy and integrity of the system of internal controls with respect to financial reporting include the following:
- The Board has established Committees to assist them in exercising oversight on the effectiveness of the Bank’s daily operations and ensuring that they are in accordance with the corporate objectives, strategies and the budgetary targets as well as the policies and business directions that have been approved.
- Policies/Charters are developed covering all functional areas of the bank and these are recommended by Board appointed committees and are approved by the Board. Such Policies and Charters are reviewed and approved periodically.
- The Internal Audit Department of the Bank verifies compliance of operations with policies and procedures and the adequacy and effectiveness of the internal control systems, including information system controls, on an ongoing basis using samples and rotational procedures, and highlights significant findings in respect of any non-compliance. On-site and off-site audits are carried out on all units and branches, the frequency of which is determined by the level of risk assessed, to provide an independent and objective report on operational and management activities of these units and branches. The annual audit plan is reviewed and approved by the Audit Committee and the findings of the audits are submitted to the Audit Committee for review at their periodic meetings.
The initiatives taken by the Internal Audit Department to conduct off-site/remote audits and centralized monitoring audits during the COVID-19 pandemic were expanded, covering the branch network and departments as well as selected processes and significant risk areas, in 2021. The off-site auditing initiatives were further strengthened to review the design and the effectiveness of the internal control system utilizing appropriate tools/techniques and resources. In addition, monitoring of the implementation of the new core banking system and reviews of database security and cyber security updates were performed during the year and submitted to the Board Audit Committee on a periodic basis.
- The Bank adopted a robust process in implementing the new core banking system, which was led by a “Core Banking Project steering committee” for the system migration. A well-planned approach was deployed by the Bank, taking all necessary steps relating to data migration. Some of these steps included performing comprehensive reconciliations and matching data horizontally and vertically with legacy systems, with the involvement of branch banking and all business units. Progress of the core banking system implementation was discussed at the Audit Committee on a periodic basis. A post-migration verification was carried out and all critical exceptions are being addressed progressively.
- The Audit Committee of the Bank reviews internal control issues identified by the internal audit, the External Auditors, regulatory authorities, and management and evaluates the adequacy and effectiveness of the risk management and internal control systems. They also review the internal audit function focusing on the scope of audits and the quality of reporting. The minutes of the Audit Committee meetings are tabled for the information of the Board on a periodic basis. Further details of the activities undertaken by the Audit Committee of the Bank are set out in the Report of the Audit Committee on page 148.
- The Board Integrated Risk Management Committee (BIRMC) was established by the Board to assist the Board to oversee the overall management of principal areas of risk of the Bank. The BIRMC includes representation from all key business and operations areas of the Bank and assists the Board in the implementation of policies, procedures and controls identified by the BIRMC.
- Operational Committees have also been established with appropriate mandates to ensure effective management and supervision of the Bank’s core areas of business operations. These committees include the Management Committee, Credit Committees, the Asset/Liability Committee, the Impairment Assessment Committee, and the Information Technology Steering Committee.
- In assessing the internal controls over financial reporting, identified officers of the Bank continued to review and update all procedures and controls that are connected with significant accounts and disclosures of the financial statements of the Bank. The Internal Audit Department continued to verify the suitability of design and effectiveness of these procedures and controls on an ongoing basis. Further, special focus areas were identified and assessed for strengthening the control setup, including information system controls adopted in the core banking system and the MIS reporting. The Bank continuously evaluates the evolving internal control environment with the implementation of the new core banking system and the effects of the ongoing digitalisation drive.
The Bank adopted SLFRS 9 from 1 January 2018 and made an assessment of the objective of the business model and classification of financial assets as it best reflects the way the business is managed and information is provided to management.
With the introduction of “expected credit loss” under SLFRS 9, the Bank developed models to calculate Expected Credit Losses (ECLs). A number of key assumptions were made by the Bank in applying the requirements of SLFRS 9 to the models, including the selection and input of forward-looking information. These models are inherently complex and judgment is applied in determining the correct construction of the same. These models were developed over the past years and reviewed by the management, and amendments were made to the initial assumptions where necessary to reflect the recent and updated data; such amendments were independently reviewed by External Auditors. The Committee reviewed the related Policies on principles, methodologies and assumptions during the year 2021 with consideration of elevated risks due to implications from the Pandemic Situation and applied the moratorium scheme while aligning with the governing requirements. Further related changes were reviewed and approved by the Board Audit Committee and the Board.
The Bank continues to focus on strengthening the review and testing process of the models developed and the Bank’s Internal Audit Department also will continue to review the same with more focus and robust approach in the future.
The computation of impairment losses from loans and receivables has not been automated yet. Considering the complexity and level of estimation involved in this process, the Bank is in the process of evaluating the options available for automation. This evaluation process will also address the new parameter requirements, level of integration with the Core systems and minimizing the manual intervention.
The comments made by the External Auditors in connection with internal control system for the financial year ended 31 December 2020 were reviewed during the year and appropriate steps have been taken to rectify the same.
The recommendations made by the External Auditors in the financial year ended 31 December 2021 in connection with the internal control system will be addressed in future.
The Bank has implemented a new core banking system during the year and an independent post-implementation review is in progress. Findings and recommendations, if any, will be addressed by the Bank during the next financial year.
The Directors are of the opinion that these recommendations are intended to further improve the internal control system and they do not in any way detract from the conclusion that the financial reporting system is reliable to provide reasonable assurance that the Financial Statements for external use are true and fair and comply with Sri Lanka Accounting Standards and the regulatory requirements of the Central Bank of Sri Lanka.
Based on the above detailed internal control mechanism and related processes of the Bank, the Board confirms that the financial reporting system of the Bank has been designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes is in accordance with Sri Lanka Accounting Standards and regulatory requirements of the Central Bank of Sri Lanka.
Review of the Statement by External Auditors
The External Auditors, Messrs KPMG, have reviewed the above Directors’ Statement on Internal Control over financial reporting for the year ended 31 December 2021 and reported that nothing has come to their attention that causes them to believe that the statement is inconsistent with their understanding of the process adopted by the Board in the review of the design and effectiveness of the internal control system over financial reporting of the Bank. Their independent assurance report on the “Directors’ Statement of Internal Control Over Financial Reporting” is given on page 160 of this Annual Report.
By Order of the Board,
P M B Fernando
Chairman – Audit Committee
Chairman – Board of Directors
N H T I Perera
17 February 2022