Introduction

Section 3 (8) (ii) (b) of the Banking Act Direction No. 11 of 2007 requires the Board of Directors (“the Board”) to report on internal control mechanism that confirms that the financial reporting system has been designed to provide reasonable assurance regarding the reliability of financial reporting, and that the preparation of Financial Statements for external purposes has been done in accordance with relevant accounting principles and regulatory requirements. This Report is prepared in line with the said regulatory requirements and Principle D.1.5 of the Code of Best Practices on Corporate Governance issued by the Institute of Chartered Accountants of Sri Lanka (CA Sri Lanka).

Responsibility

The Board acknowledges the responsibility for the adequacy and effectiveness of the DFCC Bank’s (“the Bank”) system of internal controls, which is designed to provide assurance on the maintenance of proper accounting records and the reliability of financial information generated and safeguarding of the assets of the Bank.

However, such systems are designed to manage the Bank’s key exposures to risk within acceptable risk parameters rather than to eliminate the risk of failure to achieve the business goals and objectives of the Bank. Therefore, the system of internal controls can only provide reasonable and not absolute assurance against errors or material misstatement of management and financial information and records or against financial losses and frauds.

Framework of Managing Material Risks of the Bank

The Board has set up an ongoing process for identifying, evaluating and managing the material risks faced by the Bank. This process has been in place for the year under review which includes enhancing the system of Internal controls as and when there are changes to the business environment and regulatory guidelines.

The Management assists the Board in the implementation of the Board’s policies and procedures on risk and control by identifying and assessing the risks faced in the design, operation and monitoring of suitable internal controls to mitigate and control these risks.

The process is regularly reviewed by the Board and is in accordance with the “Guidance for Directors of Banks on the Directors’ Statement on Internal Control” issued by CA Sri Lanka. The Board has assessed the internal controls over financial reporting taking into account relevant principles for the assessment of internal controls over the financial reporting system as given in the guidance.

The Board is of the view that the framework and the system of internal controls in place is sound and robust to provide reasonable assurance regarding the reliability of financial reporting, and that the preparation of Financial Statements for external purposes is in accordance with relevant accounting principles and regulatory requirements.

Key Features of the Process Adopted in Applying and Reviewing the Design and Effectiveness of the Internal Control System over Financial Reporting

The key processes that have been established in reviewing the adequacy and integrity of the system of internal controls with respect to financial reporting include the following:

• The Board has established Committees to assist them in exercising oversight on the effectiveness of the Bank’s daily operations and ensuring that they are in accordance with the corporate objectives, strategies and the budgetary targets as well as the policies and business directions that have been approved.
• Policies/Charters are developed covering all functional areas of the Bank and these are recommended by Board appointed Committees and are approved by the Board. Such Policies and Charters are reviewed and approved periodically.
• The Internal Audit Department of the Bank verifies compliance of operations with policies and procedures and the adequacy and effectiveness of the internal control systems including information system controls on an ongoing basis using samples and rotational procedures and highlights significant findings in respect of any non-compliance. On-site and Off-site audits are carried out on all units and branches, the frequency of which are determined by the level of risk assessed to provide an independent and objective report on operational and management activities of these units and branches. The annual audit plan is reviewed and approved by the Audit Committee and the findings of the audits are submitted to the Audit Committee for review at their periodic meetings.
• The offsite auditing initiatives were further strengthened to review the design and the effectiveness of the internal control system utilising appropriate tools/techniques and resources. In addition, monitoring over implementation of the new core banking system and related post implementation audits, reviews on data base security and cyber security reviews and potential fraud monitoring testing were performed during the year and submitted to the Board Audit Committee on a periodic basis.
• The Audit Committee of the Bank reviews internal control issues identified by the Internal Audit, the External Auditors, regulatory authorities, and management and evaluates the adequacy and effectiveness of the risk management and internal control systems. They also review the internal audit function focusing on the scope of audits and the quality of reporting. The minutes of the Audit Committee meetings are tabled for the information of the Board on a periodic basis. Further details of the activities undertaken by the Audit Committee of the Bank are set out in the Report of the Audit Committee on page 208.
• By obtaining services from a consultant, the Internal Audit Department conducted a special training on the importance of internal controls, risk and ownership culture among the management staff, Heads of Departments and Branch Managers during the year considering the emerging risks and regulatory risk landscape changes and further to strengthen the first and second lines of defence in the internal controls and governance structure of the Bank.
• Further in alignment with DFCC Bank’s unwavering dedication to combat fraud, the Internal Audit Department conducted knowledge sharing programmes throughout the International Fraud Awareness Week held from the 12th to the 18th of November 2023 to actively disseminate anti-fraud awareness among the DFCC group.
• The Board Integrated Risk Management Committee (BIRMC) was established by the Board to assist the Board to oversee the overall management of principal areas of risk of the Bank. The BIRMC includes representation from all key business and operations areas of the Bank and assists the Board in the implementation of policies, procedures and controls identified by the BIRMC.
• Operational Committees have also been established with appropriate mandates to ensure effective management and supervision of the Bank’s core areas of business operations. These committees include the Management Committee, Credit Committees, the Asset/Liability Committee, the Impairment Assessment Committee, Information Security Committee and the Information Technology Steering Committee.
• In assessing the internal controls over financial reporting identified officers of the Bank continued to review and update all procedures and controls that are connected with significant accounts and disclosures of the Financial Statements of the Bank. The Internal Audit Department continued to verify the suitability of design and effectiveness of these procedures and controls on an ongoing basis.
• As a result, additional Risk and Control Matrices for 10 significant processes were identified and added to further strengthen the internal control system of the Bank by the respective business and process owners after the intimation of the Internal Audit.
• Further special focus areas were identified and assessed for strengthening the control setup including information system controls adopted in the core banking system and the MIS reporting. The Bank continuously evaluates the evolving internal control environment with the implementation of the new core banking system and the effects of the ongoing digitalisation drive.
• The Bank had adopted SLFRS 9 and made an assessment of the objective of the business model and classification of financial assets as it best reflects the way the business is managed and information is provided to the Management. With the introduction of “Expected Credit Loss” under SLFRS 9, the Bank developed models to calculate Expected Credit Losses (ECLs). A number of key assumptions were made by the Bank in applying the requirements of SLFRS 9 to the models including selection and input of forward looking information. These models are inherently complex and judgment is applied in determining the correct construction of the same. These models were developed over the past years and reviewed by the management and amendments were made to the initial assumptions where necessary to reflect the recent and updated data and such amendments made were independently reviewed by External Auditors. The Committee reviewed the related Policies on principles, methodologies and assumptions during the year 2023 with consideration of elevated risks due to implications from the pandemic and the economic crisis, and application of the moratorium scheme while aligning with the governing requirements. Further related changes were reviewed and approved by the Board Audit Committee and the Board.

The Bank continues to focus on strengthening the review and testing process of the models developed and the Bank’s Internal Audit Department also will continue to review the same with more focus and a robust approach in the future.

The computation of impairment losses from loans and receivables have not been automated yet. Considering the complexity and level of estimation involved in this process, the Bank is in the process of evaluating the options available for automation. This evaluation process will also address the new parameter requirements, level of integration with the Core Systems and minimising the manual intervention.

Management Information

The comments made by the External Auditors in connection with internal control system for the financial year ended 31 December 2022 were reviewed during the year and appropriate steps have been taken to rectify the same.

The recommendations made by the External Auditors in the financial year ended to 31 December 2023 in connection with the internal control system will be addressed in future.

The Directors are of the opinion that these recommendations are intended to further improve the internal control system and they do not in any way detract from the conclusion that the financial reporting system is reliable to provide reasonable assurance that the Financial Statements for external use are true and fair and complies with Sri Lanka Accounting Standards and the regulatory requirements of the Central Bank of Sri Lanka.

Confirmation

Based on the above detailed internal control mechanism and related processes of the Bank, the Board confirms that the financial reporting system of the Bank has been designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of Financial Statements for external purposes is in accordance with Sri Lanka Accounting Standards and regulatory requirements of the Central Bank of Sri Lanka.

Review of the Statement by External Auditors

The External Auditors, Messrs KPMG, have reviewed the above Directors’ Statement of Internal Controls over Financial Reporting for the year ended 31 December 2023 and reported that nothing has come to their attention that causes them to believe that the statement is inconsistent with their understanding of the process adopted by the Board in the review of the design and effectiveness of the internal control system over financial reporting of the Bank. Their independent assurance report on the “Directors’ Statement of Internal Controls over Financial Reporting” is given on page 222 of this Annual Report.

By Order of the Board,

H A J de Silva Wijeyeratne
Chairman – Audit Committee

J Durairatnam
Chairman – Board of Directors

N H T I Perera
Director/Chief Executive Officer

19 February 2024