Circular 38/2025/TT-NHNN regulation on internal control and internal audit of the State Bank of Vietnam

REGULATION

on internal control and internal audit of the State Bank of Vietnam

(Promulgated together with Circular No. 38/2025/TT-NHNN)

Chapter I

GENERAL PROVISIONS

Article 1. Scope of regulation

This Regulations prescribes the internal control and internal audit of the State Bank of Vietnam (below referred to as the State Bank).

Article 2. Subjects of application

1. Units within the State Bank system, including: Departments and equivalent units; regional branches of the State Bank; and public service units affiliated with the State Bank.

2. Bank controllers and persons performing internal control and internal audit functions of the State Bank.

3. Other organizations and individuals related to the internal control and internal audit activities of the State Bank.

Article 3. Interpretation of terms

In this Regulation, the terms below are construed as follows:

1. The State Bank’s internal control system means the entire set of regulations, procedures, and control measures that are compliant with the provisions of laws and established and organized to implement within units of the State Bank system with a view to achieving the objectives prescribed in Article 4 of this Regulation.

2. Internal control activities mean the supervisory activities of the subjects specified in Clause 6 and Clause 7 of this Article over the performance of tasks and exercise of powers by divisions, departments, and individuals within their respective units with a view to achieving the objectives prescribed in Article 4 of this Regulation.

3. Internal audit activities mean the inspection and assessment activities of the subjects specified in Clause 8 of this Article regarding the effectiveness and efficiency of the internal control system at the audited unit, and the provision of recommendations or advisory opinions with a view to achieving the objectives prescribed in Article 13 of this Regulation.

4. Risk-based internal control and internal audit means a method of supervision, inspection, and assessment based on the identification and assessment of materiality and risk levels in relation to each activity and operational process, prioritizing the allocation of resources to supervise, inspect, and assess operational activities and processes considered as material or presenting a high level of risk.

5. The dual control principle means the assignment of tasks, particularly high-risk operations requiring at least two persons for purposes of mutual supervision and cross-control.

6. The internal control unit means the unit assigned to perform internal control tasks at units within the State Bank system.

7. Internal control personnel means civil servants or public employees assigned and tasked with performing internal control at units within the State Bank system.  

8. Internal audit personnel means civil servants of the State Bank Inspectorate assigned and tasked with performing internal audit at units within the State Bank system.

9. A related person means a biological father, biological mother, adoptive father, adoptive mother, father-in-law, mother-in-law, wife, husband, biological child, adopted child, biological elder brother, biological elder sister, biological younger siblings, brother-in-law, younger brother-in-law, sister-in-law, younger sister-in-law.

Chapter II

INTERNAL CONTROL

Article 4. Objectives of internal control activities

1. To ensure that the operations of the unit comply with laws and regulations of the State Bank, and the unit’s internal regulations (if any).

2. To ensure the safe, efficient, and economical management and use of assets and other resources; and to prevent and limit risks.

3. To enhance the effectiveness and efficiency of the unit’s management, administration, and operational activities.

Article 5. Principles of internal control activities

1. To comply with laws and the State Bank’s regulations, and the unit’s internal regulations (if any).

2. To be appropriate to the unit’s scale, nature, and operational characteristics.

3. To implement in accordance with the internal control program approved by the head of the unit.

Article 6. Requirements for internal control activities

1. Internal control activities shall be conducted regularly and continuously and integrated with the unit’s day-to-day operations.

2. To ensure clear delineation of responsibilities and authorities between the unit’s leadership and each division, department, and individual, particularly with respect to high-risk operations, in order to prevent manipulation of activities by civil servants, public employees, and employees within the unit, and to implement the dual control principle.

3. Personnel assigned to perform internal control tasks shall satisfy the standards regarding qualifications, skills, experience, and ethical integrity applicable to civil servants and public employees in accordance with laws and the State Bank’s regulations; ensure relative independence in performing internal control tasks within their respective units.

Article 7. Scope and methods of internal control

1. Internal control activities shall be conducted with respect to all activities carried out by units within the State Bank system.

2. Internal control methods shall include: compliance monitoring and risk-based monitoring.

Article 8. Contents of internal control activities

1. Units, divisions, departments, and individuals shall regularly conduct self-reviews of their compliance with the provisions of laws, the State Bank’s regulations, and internal regulations (if any), in order to promptly identify deficiencies and inadequacies and propose appropriate additions and amendments.

2. To conduct self-monitoring of compliance with the accounting and financial regime, asset management, treasury/cash-vault safety and security, information technology, and the compliance, effectiveness, and efficiency of the operations of divisions, departments, and individuals within the unit; to promptly detect errors and risks and recommend remedial and corrective measures.

3. To establish mechanisms for the monitoring, management, and utilization of information systems, reporting systems, and internal information exchange, for risk prevention and incident handling in support of management and administration.

Article 9. Responsibilities and powers of the State Bank Inspectorate

1. To advise the Governor of the State Bank (below referred to as the Governor) in maintaining the State Bank’s internal control system in an effective and efficient manner.

2. To submit to the Governor for the promulgation of: internal control operating procedures of the State Bank; and written guidance on internal control operations applicable to units within the State Bank system.

3. To consolidate assessments and advise the Governor on the handling of issues arising in connection with internal control activities.

4. To monitor the implementation of recommendations by units within the State Bank system through the consolidation of reports on internal control performance results.

Article 10. Responsibilities and powers of the Head of the unit

1. Responsibilities:

a) To establish and organize internal control activities within the unit in accordance with this Regulation;

b) The head of the unit shall directly direct, or assign one deputy head to be in charge of internal control activities within the unit; arrange for the establishment of the internal control unit and internal control personnel within the unit;

c) To approve the unit’s internal control program;

d) To facilitate the internal control unit and internal control personnel in effectively performing their assigned tasks;

dd) For units that do not have an internal control unit, the head of the unit shall, based on the unit’s scale, nature of operations, and requirements of management, establish an internal control system within the unit in order to achieve the objectives prescribed in Article 4 of this Regulation;

e) To be answerable to the Governor for internal control within the unit.

2. Powers:

a) To proactively allocate resources and decide on specific measures and modalities for implementing internal control within the unit, in accordance with this Regulation;

b) To handle within his/her own competence, or propose to the competent authority the handling of organizations and individuals violating laws or the State Bank’s regulations as detected through internal control activities.

Article 11. Tasks and powers of the internal control unit and internal control personnel at units

1. Tasks:

a) To develop the annual internal control program and submit it to the head of the unit for approval no later than December 31 of each year;

b) To develop internal control programs other than the case prescribed in Point a, Clause 1 of this Article (if any) and submit them to the head of the unit for approval;

c) To organize the implementation of the internal control program after its approval;

d) To advise the head of the unit on the implementation of internal control activities in accordance with this Regulation;

dd) To recommend and propose to the head of the unit the handling within their own competence, or propose to the competent authority for the handling of organizations and individuals violating laws or the State Bank’s regulations as detected through internal control activities;

e) To be answerable to the head of the unit for the results of performance of assigned tasks.

2. Powers:

a) To get access to, and be provided, in a fully and timely manner, with all information and documents related to the unit’s operations for the performance of internal control tasks;

b) To propose that the head of the unit implement necessary measures to enhance the effectiveness and efficiency of internal control tasks within the unit; if the head of the unit fails to take action or takes action not in accordance with regulations, submit a written recommendation to the Governor (through the State Bank Inspectorate).

Article 12. Reporting on internal control

1. The internal control unit and internal control personnel shall make periodic or extraordinary reports on internal control results to the head of the unit; the contents and reporting deadlines shall be determined by the head of the unit.

2. Annually, the units specified in Clause 1, Article 2 of this Regulation shall report to the Governor (through the State Bank Inspectorate) on the results of implementation of internal control within their units no later than January 15 of the immediately following year, in accordance with the Appendix attached to this Regulation; make extraordinary reports at the proposal of the State Bank Inspectorate (if any).

3. If any arising risks result in the loss of money, assets, or an information security breach under the unit’s management, the unit shall promptly report in writing to the Governor (through the State Bank Inspectorate) within 24 hours from the time the incident is detected.

Chapter III

INTERNAL AUDIT

Article 13. Objectives of internal audit activities

1. To assess the effectiveness and efficiency of the State Bank’s internal control system and the effectiveness of internal control activities of the audited unit.

2. To assess the reliability of financial statements, the effectiveness of operations, and compliance with laws and the State Bank’s regulations and operating procedures, and ensuring the safety of assets.

Article 14. Principles of internal audit activities

1. To comply with laws and the regulations, procedures, and plans approved by the Governor.

2. To assure the independence, integrity, and objectivity, and preservation of state secrets and the confidentiality of the audited unit.

3. Not to impede the normal operations of the audited unit.

4. To get access to documents, records, transactions, and other necessary materials of the audit subject for purposes of achieving the audit objectives.

Article 15. Requirements for internal audit activities

1. Internal audit activities shall be independently conducted, without interference in determining the scope, contents, and results of audit.

2. Internal audit personnel shall, in conducting audits, aim for, and ensure the compliance with the standards of internal audit in Vietnam and the professional ethical principles of internal audit promulgated by the competent state authority.

3. Internal audit personnel shall not be assigned to conduct internal audits of:

a) Activities or units that they shall implement or manage within three (03) years from the date of the decision discontinuing the implementation of such activities or the management of such department;

b) A unit that a related person of such internal audit personnel serves as a unit leader, chief accountant (or Head of the Accounting Division), head of the division/department in charge of internal control, or internal control personnel of that unit.

Article 16. Prohibited acts in internal audit activities

1. The following acts are strictly prohibited with respect to the State Bank Inspectorate, the Heads and members of the audit delegations:

a) Embezzlement, corruption, misconduct, waste, profiteering, harassment, and other unlawful acts against the audited unit in the course of implementing assigned tasks;

b) Taking advantage of or abusing assigned tasks and powers, and using related information for personal gain;

c) Colluding or conspiring with the audited unit to distort the contents of audited files and documents and the audit report;

d) Disclosing state secrets or the confidentiality of the audited unit; or disclosing information, circumstances, and audit results prior to official issuance or announcement;

dd) Committing other acts contrary to the provisions of laws and the State Bank’s regulations.

2. The following acts are strictly prohibited with respect to the audited unit and relevant organizations and individuals:

a) Refusing to provide information and documents (including information and documents containing state secrets) related to the audit plan and audit contents at the request of the State Bank Inspectorate or the internal audit delegations;

b) Obstructing or causing difficulties to internal audit activities;

c) Providing information and data related to the internal audit contents that are distorted, untruthful, incomplete, untimely, or lacking objectivity;

d) Bribing, offering bribes, or colluding with the audit delegations to distort the contents of audited files and documents and the audit report;

dd) Other prohibited acts as prescribed by laws and the State Bank’s regulations.

3. Organizations and individuals are strictly prohibited from unlawfully interfering with internal audit activities.

Article 17. Management and direction of internal audit activities

The Governor shall directly direct, or assign one Deputy Governor to be in charge of directing the State Bank’s internal audit activities, including:

1. To approve the State Bank’s annual internal audit plan and extraordinary internal audit plans at the request of the Governor (if any).

2. To promulgate regulations on the organization and operation of the Internal Audit Delegations; and the State Bank’s internal audit procedures (below referred to as the State Bank’s internal audit regulations and procedures).

3. To direct the State Bank Inspectorate to take necessary measures to ensure the effectiveness and efficiency of the State Bank’s internal audit activities.

Article 18. Scope, subjects, and method of internal audit

1. The scope of internal audit shall cover all activities of the State Bank.

2. The audit subjects of internal audit shall be all units prescribed in Clause 1, Article 2 of this Regulation.

3. The method of conducting internal audit shall be the risk-based audit method.

Article 19. Contents of internal audit activities

1. The State Bank’s internal audit activities include:

a) Financial audit: Assessing the reliability of the audited unit’s financial statements;

b) Compliance audit: Assessing and confirming the compliance with laws and the regulations and procedures that the audited unit is required to implement;

c) Operation audit: Assessing the effectiveness of operations and the safety of assets.

2. To recommend and advise the audited unit on corrective measures for any deficiencies, errors, or limitations, and to improve and enhance the effectiveness of internal control activities, ensuring the safety, efficiency, legal compliance, and the achievement of set objectives.

Article 20. Annual internal audit plan

1. The State Bank Inspectorate shall develop the State Bank’s annual internal audit plan, submit to the Governor for approval no later than December 31, and notify the units within the State Bank system of the approved internal audit plan for the implementation.

2. The annual internal audit plan shall clearly determine the content, scope, and subjects of the audit, and satisfy the following requirements:

a) All activities and units shall be reviewed and assessed; To prioritize auditing activities and units with high risk levels, and schedule audits at appropriate intervals and frequencies;

b) To provide for sufficient time reserves to conduct extraordinary audits upon the Governor’s request or when there are indications of violations or high risks;

c) The plan shall be adjusted when there are fundamental changes in content, risk scope, available resources, or at the request of the Governor.

Article 21. Implementation of the annual internal audit plan and audit decision

1. Based on the approved annual internal audit plan, the Chief Inspector of the State Bank shall organize the implementation of audits in accordance with the State Bank’s internal audit regulations and procedures; issue a detailed audit plan that is appropriate to the resources and actual conditions of each audit, including: estimated time for conducting the audit, the composition of the audit delegation, content, scope, and subjects of the audit, and other related requirements.

2. The Chief Inspector of the State Bank, under the Governor’s authorization, shall sign the audit decision in accordance with the approved annual internal audit plan. The audit decision shall include these following contents:

a) Legal basis for conducting the audit;

b) Audited units;

c) Objectives, content, and scope of the audit;

d) Time and location of the audit;

dd) Head and members of the audit delegation;

e) Other contents (if any).

3. The audit decision shall be notified to the audited unit no later than three (03) working days prior to the implementation of the audit, except in the case of an extraordinary audit conducted at the request of the Governor.

Any decision amending or supplementing the audit decision (if any) shall be promptly notified to the audited unit and the audit delegation.

Article 22. Internal audit report

1. An audit report shall be prepared for each audit and issued in accordance with the State Bank’s internal audit procedures.

2. The State Bank Inspectorate shall consolidate and assess the results of implementation of the annual audit plan and report to the Governor no later than January 31 of the immediately following year.

3. Extraordinary report: When serious violations are detected, or there is a risk of loss of asset safety, information security, or the reputation of the State Bank, or at the request of the Governor, the State Bank Inspectorate shall report in writing to the Governor within 48 hours from the time such violation is detected or from the time receiving the Governor’s request.

Article 23. Forms of disposition in the internal audit report and implementation of recommendations in internal audit activities

1. Forms of disposition in the internal audit report include:

a) Recommendation: an advisory opinion provided for purposes of risk prevention and improving the quality and efficiency of operations;

b) Proposal: a requirement to rectify operations and remedy deficiencies, errors, and limitations; to conduct accountability review; or to submit to the Governor for consideration of disposition in accordance with regulations.

2. Responsibilities for implementation

a) The audited unit and other relevant units shall fully and timely implement the recommendations set out in the audit report;

b) The audited unit is encouraged to study and apply recommendations in order to revise, supplement, and improve operating procedures, prevent risks, and enhance operational effectiveness.

Article 24. Tasks and powers of the State Bank Inspectorate

1. Tasks:

a) To organize the assessment of risks in the State Bank’s operations; to prepare the annual internal audit plan and extraordinary internal audit plans at the Governor’s request and submit them to the Governor for approval; and to implement internal audit activities in accordance with the approved annual internal audit plan;

b) To monitor, supervise, and inspect the implementation of the recommendations in the audit report;

c) To submit to the Governor for the promulgation of the State Bank’s internal audit regulations and procedures;

d) To issue written guidance on the State Bank’s internal audit regulations and procedures;

dd) To coordinate with relevant units in developing professional and technical standards for bank controllers as a basis for recruitment, utilization, and the organization of training and professional development for internal control personnel and internal audit personnel.

2. Powers:

a) To be ensured of the necessary resources and conditions to meet the requirements of internal audit activities;

b) To get access to, exchange with, and interview civil servants, public employees, and workers of the audited unit regarding issues related to the contents and scope of the audit;

c) To propose to the Governor the consideration and resolution of difficulties and issues arising in internal audit activities;

d) To propose to the Governor the consideration of accountability and the disposition of organizations and individuals that fail to comply with the audit decision or internal audit proposals;

dd) To exercise other powers assigned by the Governor and as prescribed by laws.

Article 25. Responsibilities and powers of the Chief Inspector of the State Bank

1. Responsibilities:

a) To be answerable to the Governor for the results of internal audit activities;

b) To consider and resolve, within his/her own competence, complaints and petitions of the audited unit;

c) To perform other tasks, as requested by the Governor, relating to internal audit activities.

2. Powers:

a) To sign the audit decision under the Governor’s authorization in accordance with regulations;

b) To decide on the access to and use of internal audit records for work purposes or to provide for relevant organizations or individuals, in compliance with law provisions and the State Bank’s regulations;

c) To exercise other powers assigned by the Governor and as prescribed by laws.

Article 26. Internal audit delegation

1. The internal audit delegation shall be established to perform audit tasks in accordance with the approved plan.

2. The composition of the audit delegation includes the Head of Delegation, Deputy Head of Delegation (if any), and members. The internal audit delegation shall be established by the Chief Inspector of the State Bank, based on the requirements of the audit.

3. Standards for the Head of the audit delegation and the Deputy Head of the audit delegation

a) To possess professional qualifications, leadership capacity, and work experience appropriate to the assigned duties;

b) To hold the rank of Principal Specialist (or equivalent), or to hold a position of Deputy Head of Division (or equivalent) or higher.

4. The operation of the internal audit delegation, and the tasks, powers, and responsibilities of the Head of the audit delegation and members of the audit delegation, shall be implemented in accordance with the State Bank’s internal audit regulations and procedures.

Article 27. Responsibilities and powers of the audited unit

1. Responsibilities:

a) To comply with the internal audit decision of the State Bank;

b) To fully and timely provide all information, documents, records, and reports (including information, documents, records, and reports containing state secrets) related to the audit contents; and to be answerable to the Governor for the accuracy, truthfulness, and objectivity of the information and documents provided;

c) To provide full and timely explanations and information on matters attached to the audit contents upon request, and to assume responsibility for the contents of such explanations;

d) To facilitate the audit delegation in the course of performing its duties;

dd) To implement audit proposals (including recommendations for extraordinary inspections by the audit delegation) and report in writing on the implementation status of such proposals to the State Bank (through the State Bank Inspectorate).

2. Powers:

a) To refuse to provide information and documents not related to the audit contents;

b) To provide written explanations and reserve its viewpoints and explanatory opinions (if any) regarding matters stated in the draft audit report;

c) To file complaints regarding audit assessments, conclusions, and proposals;

d) To file complaints or request the replacement of the Head of the audit delegation or members of the audit delegation when there is evidence of violations of laws or violating the provisions of this Regulation (including failure to satisfy the requirements prescribed in Article 15 of this Regulation) that affect the integrity and objectivity of the audit results;

dd) To exercise other powers as prescribed by laws and the State Bank’s regulations.

Article 28. Quality control of internal audit activities

1. Internal audit activities, and each internal audit of the State Bank, shall be subject to internal supervision and assessment in order to ensure the compliance with laws and to enhance audit effectiveness and quality.

2. The Chief Inspector of the State Bank shall prescribe, guide, and organize the assessment and quality control of the State Bank’s internal audit activities in accordance with assigned requirements and tasks.

Article 29. Internal audit dossiers

1. Documents of each audit shall be compiled into an audit dossier.

2. Responsibilities for and methods of compilation and the components and index of audit dossiers shall be implemented in accordance with the State Bank’s internal audit procedures.

3. The custody and retention of internal audit dossiers shall be implemented in accordance with the provisions of laws and the State Bank’s retention regulations.

Chapter IV

BANK CONTROLLER

Article 30. Bank controller

1. Civil servants performing internal control and internal audit functions at the State Bank shall be considered for appointment to the rank of bank controller upon fully satisfying the conditions and standards as prescribed by the State Bank.

2. The rank of bank controller includes: bank controller, principal bank controller, and senior bank controller.

3. Bank controllers shall perform their functions, tasks, and powers in accordance with regulations promulgated by the Governor and other relevant documents; and shall be entitled to regimes and policies in accordance with the provisions of laws and the State Bank’s regulations.

Article 31. Appointment and removal of bank controllers

1. Based on the conditions and standards prescribed by the Governor, units shall prepare dossiers proposing the appointment or removal of bank controllers and submit them to the Department of Personnel and Organization.

2. The Department of Personnel and Organization shall assume the prime  responsibility for, and coordinate with the State Bank Inspectorate in submitting to the Governor for the decision on the appointment or removal of bank controllers in accordance with regulations./.

* All Appendices are not translated herein.