Circular No. 44/2011/TT-NHNN dated December 29, 2011 of the State Bank of Vietnam providing for internal control system and internal auditing of credit institutions and foreign bank branches

THE STATE BANK OF VIETNAM

Circular No. 44/2011/TT-NHNN of December 29, 2011, providing for internal control system and internal auditing of credit institutions and foreign bank branches

Pursuant to June 16, 2010 Law No. 46/2010/QH12 on the State Bank of Vietnam;

Pursuant to June 16, 2010 Law No. 47/2010/QH12 on Credit Institutions;

Pursuant to the Government’s Decree No. 96/2008/ND-CP of August 26, 2008, defining the functions, tasks, powers and organizational structure of the State Bank of Vietnam;

The State Bank of Vietnam stipulates the internal control system and internal auditing of credit institutions and foreign bank branches as follows:

Chapter I

GENERAL PROVISIONS

Article 1. Scope of regulation

This Circular provides for the internal control system and internal auditing of credit institutions and foreign bank branches.

Article 2. Subjects of application   

1. Credit institutions;

2. Foreign bank branches;

3. Institutions and individuals related to the internal control system and internal auditing of credit institutions and foreign bank branches.

Article 3. Interpretation of terms

In this Circular, the terms below are construed as follows:

1. Internal control system means a combination of mechanisms, policies, processes, internal regulations and organizational structure of a credit institution or foreign bank branch which are developed in compliance with this Circular and implemented to prevent, detect or promptly handle risks and meet set requirements.

2. Internal auditing means independent and objective review and evaluation of the internal control system; independent assessment of the appropriateness and observance of internal regulations and policies, procedures and processes established within a credit institution or foreign bank branch; making of recommendations for improving the effectiveness of systems, processes and regulations, contributing to assuring the safe, effective and lawful operation of the credit institution.

3. Internal auditor means a person performing internal auditing work of a credit institution or foreign bank branch under this Circular.

4. State Bank branch means a branch of the State Bank in a province or centrally run city in which the head office of a credit institution or foreign bank branch is based.

Chapter II

INTERNAL CONTROL SYSTEM

Article 4. Requirements and principles of operation of the internal control system

1. Risks that are likely to adversely impact the operation effectiveness and objectives of a credit institution or foreign bank branch must be regularly and constantly identified, measured and assessed in order to promptly detect and prevent risks and take appropriate measures for risk management. When making a change in its business objectives or providing a new product or service or conducting a new business activity, a credit institution or foreign bank branch shall review and identify any related risks in order to establish, amend or supplement its internal control processes and regulations as appropriate.

2. Operation of the internal control system must be an integral part of day-to-day activities of a credit institution or foreign bank branch. Internal control shall be designed, installed and performed in all professional processes at all units and sections of a credit institution or foreign bank branch in the following forms:

a/ Clear and transparent decentralization and authorization of powers; assurance of clear separation of the tasks and powers of individuals and sections in the credit institution or foreign bank branch;

b/ Regulations on the specific risk limit for each individual or section in the performance of transactions;

c/ Process of appraisal, approval and permission of transactions; assurance of the principle that an individual professional process must involve at least 2 persons, one conducting and the other controlling the transaction. Neither can perform and decide on a certain professional process or transaction by himself/herself, except transactions within the limit permitted by the credit institution or foreign bank branch in compliance with law.

3. Decentralization or authorization of powers must be established and implemented in a reasonable, specific and clear manner to avoid a conflict of interests, adhering to the principle that a person may not hold different positions or perform different tasks with conflicting or overlapping purposes and interests; ensuring that all employees of a credit institution or foreign bank branch do not have conditions for manipulating operation, suppressing information for self-seeking purposes or covering acts of violation of laws and internal regulations of the credit institution or foreign bank branch.

4. The prescribed accounting and cost-accounting regime must be observed and there must be an internal system providing reasonable, reliable and timely information on finance, operation and compliance in the credit institution or foreign bank branch and the outside economic and market situation to serve effective governance and administration.

5. The information and information technology system of a credit institution or foreign bank branch must be reasonably and safely supervised and safeguarded. There must be an independent backup management mechanism to promptly respond to contingencies, including natural disaster, fire, explosion and hacking, and assure compliance with regulations on safety and confidentiality of the banking sector’s information technology system and regular and uninterrupted business operation of the credit institution or foreign bank branch.

6. All officers and employees of a credit institution or foreign bank branch must be aware of the importance of internal control and the role of each individual in the internal control process related to his/her assigned functions and tasks, and shall fully and effectively implement all relevant internal control regulations and processes.

7. Executive officers of operational sections and units and related persons shall regularly examine and evaluate the effectiveness and efficiency of the internal control system; any problems and shortcomings of the internal control system must be promptly reported to the management in charge; major problems and shortcomings which might cause damage and likelihood of risks must be promptly reported to the director general (director), Board of Directors, Members’ Council and Control Board.

8. Individuals and sections at all levels of a credit institution or foreign bank branch shall regularly and constantly examine and self-examine the observance of relevant internal regulations and processes and be answerable for results of their operational performance to the credit institution or foreign bank branch and law.

9. Heads of units and sections of a credit institution or foreign bank branch shall report on results of their assessment of the internal control system in their units and sections; and propose measures to address problems and shortcomings (if any) to the management in charge on a regular or case-by-case basis or at the request of the management in charge.

Article 5. Building and maintenance of operation of the internal control system

1. A credit institution or foreign bank branch shall build its internal control system to assist its director general (director) in managing all of its professional operations in an uninterrupted, safe and lawful manner.

2. A credit institution or foreign bank branch shall regularly control the observance of laws and internal regulations; directly control operations in all areas at its head office, transaction bureaus, branches, representative offices, non-business units and subsidiary companies. The credit institution shall regularly control the observance of laws and internal regulations by its associated companies under law.

3. Upon detecting errors, violations or problems in its business operation, a credit institution or foreign bank branch shall promptly devise and apply remedies.

Article 6. Self-examination and assessment of the internal control system

1. Annually, the director general (director) of a credit institution or foreign bank branch shall review, examine and assess the internal control system of each executive, business or operational unit or section and each operation.

2. The self-examination and assessment cover the review and assessment of the completeness, effectiveness and efficiency of the internal control system based on the identification and assessment of risks in order to identify existing problems of the internal control system as well as changes to the internal control system for addressing and remedying these problems.

3. The director general (director) of a credit institution or foreign bank branch shall make reports on results of self-examination and assessment of the internal control system. Such reports must update risks and summarize main operations of the credit institution or foreign bank branch, related risks and examination and control activities conducted in the entire credit institution or foreign bank branch or in each unit, section or operation.

4. A report on self-examination and assessment of the internal control system shall be sent to the Board of Directors or Members’ Council, Control Board and State Bank (the Banking Inspection and Supervision Agency or State Bank branch) within 30 days after the end of a fiscal year. Particularly, reports of people’s credit funds shall be sent to State Bank branches.

Article 7. Independent evaluation of the internal control system

1. Operation of the internal control system of a credit institution or foreign bank branch must be independently evaluated under Clause 3, Article 40 of the Law on Credit Institutions.

2. An independent evaluation by the internal audit of the internal control system covers the review, evaluation and reporting of the completeness, effectiveness and efficiency of the internal control system related to audited operations and areas by identifying and weighing risks and identifying existing problems of the internal control system to be addressed and remedied, and recommending changes to the internal control system.

3. Annually, the internal audit of a credit institution or foreign bank branch shall review and assess the appropriateness, effectiveness and efficiency of the internal control system. An independent evaluation report is a part of an annual internal auditing report.

Internal auditing results shall be promptly reported to the Board of Directors or Members’ Council and Control Board and sent to the director general (director) of the credit institution or foreign bank branch and concurrently to the State Bank (the Banking Inspection and Supervision Agency or State Bank branch). People’s credit funds shall send reports only to State Bank branches.

4. An independent evaluation by an independent audit of the internal control system shall be conducted under the State Bank’s regulations on independent auditing of credit institutions and foreign bank branches.

Chapter III

INTERNAL AUDIT

Section 1

GENERAL PROVISIONS

Article 8. Objectives and basic functions of internal audit

1. To operate for the safety and effectiveness of the credit institution or foreign bank branch.

2. To independently and objectively review and evaluate the completeness, appropriateness, effectiveness and efficiency of the internal control system in order to improve and perfect this system. To accomplish this objective, the unit performing internal auditing is encouraged to provide counseling, participate in building, improving and perfecting the internal control system on the condition that it does not breach the principle of independence and objectivity provided in this Circular.

3. To detect and prevent violations of law; to raise the effectiveness of the governance, administration and operation of the credit institution or foreign bank branch.

4. To assure the safety and confidentiality of information and uninterrupted operation of the operational information system.

5. To make recommendations to raise the effectiveness of the systems, processes and regulations, helping assure safe, effective and lawful operation of the credit institution or foreign bank branch.

Article 9. Basic principles of internal audit

1. Independence: The organization and operation of internal audit are independent from executive or operational units and sections of a credit institution or foreign bank branch, and internal auditors may not concurrently perform jobs subject to internal auditing. A credit institution or foreign bank branch shall assure that the internal audit is free from any intervention when making reports and evaluation.

2. Objectivity: The internal audit and internal auditors shall guarantee their objectivity, integrity, fairness and impartiality.

3. Professionalism: Internal auditors must be persons having essential knowledge, qualifications and skills in internal auditing and concurrently holding no positions and performing no other jobs of a credit institution or foreign bank branch; and adequate knowledge for identifying signs of fraud and risks in banking activities and measures of controlling information technology to perform their assigned tasks. The internal audit must have at least one auditor with adequate knowledge, qualification and skills for controlling key information technology and hi-tech auditing techniques.

Article 10. Requirements to assure compliance with basic principles of internal audit

1. Internal auditors shall exhibit a fair and impartial attitude and avoid any conflict of interests. They have the right and obligation to report on matters which might affect their independence and objectivity in the internal auditing jobs assigned by the head of the internal audit apparatus (below referred to as the chief internal auditor).

2. The chief internal auditor shall firmly uphold, monitor and guarantee the independence and objectivity of internal auditors. In case the independence or objectivity is affected or might be affected, the chief internal auditor shall report such to the Control Board.

3. In internal auditing, a credit institution or foreign bank branch shall comply with the following provisions to assure independence and objectivity and prevent unfairness, prejudice and conflict of interests:

a/ Internal auditors may not audit internal regulations and policies, procedures and processes for which they are mainly responsible in the elaboration thereof;

b/ Internal auditors have no conflict of interests with audited units and sections; may not audit a unit or section of which the manager is an affiliated person of these internal auditors;

c/ Internal auditors may not participate in auditing an operation or section for which they are responsible within 3 years after they are decided no longer to conduct this operation or manage this section;

d/ Inspection measures must be taken to assure the independence and objectivity of the internal auditing right in the course of auditing at audited units and sections and at the stage of making and sending auditing reports;

e/ Audit recordings in internal auditing reports must be prudently analyzed and based on collected data and information to assure objectivity;

f/ Results of task performance of the chief internal auditor must be regularly inspected, reviewed and assessed by the Control Board;

g/ The internal audit shall remain independent and objective when auditing operations, processes and sections for which the internal audit has previously provided consultancy. In this case, the internal audit has the right and obligation to fully analyze and evaluate procedures, processes and internal control system. Responsibility for the operations, processes and sections for which the internal audit has previously provided consultancy still rests with heads of audited units or sections.

4. Credit institutions and foreign bank branches shall comply with Clause 3, Article 9, and Article 13 of this Circular to assure the professionalism of internal audit.

Article 11. Assurance of internal auditing quality

1. A credit institution or foreign bank branch shall adopt a process of monitoring and evaluating the quality of internal auditing. It shall conduct internal assessment of activities of its internal audit in order to assure the quality of internal auditing.

Internal assessment of internal auditing means the self-assessment of internal auditing at the end of an audit and annual general self-assessment of all internal auditing activities conducted by the internal audit itself in order to assure the quality of internal auditing.

2. Annual internal assessment results must be reported to the Control Board and recorded in annual internal audit reports.

Section 2

ORGANIZATION AND OPERATION OF INTERNAL AUDIT

Article 12. Organization of the internal audit

1. The internal audit of a credit institution (except the case specified in Clause 2 of this Article) shall be organized in a professionally uniform system or as an internal audit section at the head office of the credit institution, depending on the operation scale, level, scope and characteristics of the credit institution. The internal audit is attached to the Control Board and submits to the direction by the Control Board.

2. For a people’s credit fund that has only one full-time controller instead of a Control Board, its internal auditing shall be conducted by this full-time controller.

3. Depending on the operation scale, level, scope and characteristics of a credit institution and at the request of the Control Board, the Board of Directors or Members’ Council shall decide on the organizational apparatus of the internal audit, salaries, bonuses and responsibility allowances for internal auditors, chief internal auditor and deputy chief internal auditor(s).

4. Internal auditing of a foreign bank branch may be conducted by the internal audit of its head office or regional office in compliance with Clause 1, Article 89 of the Law on Credit Institutions.

Article 13. Criteria for internal auditors, chief internal auditors and deputy chief internal auditors

1. An internal auditor must fully satisfy the following criteria:

a/ Having integrity and a good sense of law observance;

b/ Having general knowledge about law, business administration and banking operations;

c/ Possessing a university or higher degree in an appropriate discipline and having adequate and updated knowledge about fields he/she is assigned to audit; an internal auditor of a people’s credit fund must possess a professional secondary or higher degree in an appropriate discipline;

d/ Being capable of collecting, analyzing, assessing and synthesizing information;

e/ Having knowledge and skills of internal auditing;

f/ Having experience of working in the finance or banking sector or having worked in auditing for at least 3 years. An internal auditor of a people’s credit fund must have experience of working in the finance or banking sector or have worked in auditing for at least one year;

g/ Upholding the rules of professional ethics provided in Article 22 of this Circular;

h/ Other criteria set by the credit institution.

2. In addition to the criteria specified in Clause 1 of this Article, an information technology auditor must have at least 3 years’ experience of working in information technology.

3. In addition to the criteria specified at Points a, b, d, e, g and h, Clause 1 of this Article, a chief internal auditor or deputy chief internal auditor must have a university or higher degree in banking, finance, accounting or auditing and at least 5 years’ experience of working in the finance or banking sector. A chief internal auditor of a people’s credit fund must have a professional secondary or higher degree in banking, finance, accounting or auditing and at least 2 years’ experience of working in the finance or banking sector.

Article 14. Appointment and dismissal of internal audit post holders

1. The chief internal auditor of a credit institution shall be appointed or dismissed by the Board of Directors or Members’ Council of this credit institution at the request of the head of the Control Board. The chief internal auditor of a foreign bank branch shall be appointed or dismissed by the competent person of the parent bank.

2. A deputy chief internal auditor and holders of other internal audit posts shall be appointed or dismissed by the Board of Directors or Members’ Council of the credit institution at the proposal of the chief internal auditor or by the director general (director) of the foreign bank branch at the request of the chief internal auditor.

Article 15. Scope of internal auditing

Internal auditing covers:

1. Auditing of all operations and professional processes and units and sections of the credit institution or foreign bank branch;

2. Unexpected auditing and provision of consultancy at the request of the Board of Directors or Members’ Council, Control Board and director general (director).

Article 16. Internal auditing activities

1. Principal internal auditing activities are to evaluate the completeness, effectiveness and efficiency of the internal control system.

2. Depending on the scale, level of risks as well as specific requirements of each credit institution or foreign bank branch, internal auditors may review and assess the following contents:

a/ The level of completeness, effectiveness and efficiency of the internal control system;

b/ The application, effectiveness and efficiency of the realization of risk management policies and processes of the credit institution or foreign bank branch, including processes performed via the information technology system;

c/ The adequacy, accuracy and safety of the management and financial information systems, including the e-information system and e-banking services;

d/ The adequacy, timeliness, truthfulness, reasonability and accuracy of the accounting system and financial statements as prescribed by law;

e/ Compliance with laws and regulations on prudential ratios in the operation of the credit institution or foreign bank branch, internal regulations, operation processes and rules, and rules of professional ethics;

f/ Internal mechanisms, policies, processes and regulations and organizational structure of the credit institution or foreign bank branch;

g/ Asset safeguards. Making proposals to improve the effectiveness of systems, processes and regulations to assure the safe, effective and lawful operation of the credit institution or foreign bank branch;

h/ The economicality and efficiency of activities and the use of resources, thereby comparing achieved results of these activities against set objectives;

i/ To perform other activities related to the internal auditors’ functions and tasks at the request of the Control Board and the Board of Directors or Members’ Council;

j/ In addition to Points a, b, c, d, e, f, g, h and i, Clause 2 of this Article, foreign bank branches shall conduct auditing under regulations of their parent banks and in compliance with this Circular.

Article 17. Internal auditing method

1. Internal auditing method is a “risk-oriented” auditing method which concentrates resources on auditing units, sections and processes considered highly risky.

2. Internal auditors shall identify, analyze and assess risks and compile a risk dossier for each operation of the credit institution or foreign bank branch. A risk dossier covers all possible risks and possible impacts of these risks on the operation of the credit institution or foreign bank branch and likelihood of these risks. Based on the assessment of the impacts and likelihood of risks, each risk may be rated high, medium or low. The assessment and classification of risks shall be conducted at least once a year.

3. Risk assessment results serve as a basis for the chief internal auditor to work with the Control Board, director general (director) and Board of Directors or Members’ Council in the elaboration of annual internal auditing plans. Risky operations shall be rated from high to low and highly risky operations shall be audited first with more resources and in a longer duration and more regularly than lowly risky ones.

4. Internal auditing plans must be elaborated on the basis of risk assessment results and updated, changed or adjusted according to developments or changes in the operation of credit institutions and foreign bank branches and changes in accompanied risks.

Section 3

TASKS, POWERS AND RESPONSIBILITIES OF THE INTERNAL AUDIT

Article 18. Tasks of the internal audit

1. To establish operational processes of internal auditing at the credit institution, submit them to the Control Board for consideration and approval after reporting to the Board of Directors or Members’ Council.

2. To elaborate annual or unexpected internal auditing plans and conduct internal auditing under these plans or conduct unexpected auditing at the request of the Board of Directors or Members’ Council and Control Board; to effectively implement approved internal auditing policies, processes and procedures.

3. To independently and objectively examine, review and evaluate all units, sections and operations of the credit institution or foreign bank branch (policies, procedures, processes or problems occurring in the operation) based on the risk level (high, medium or low) and their impacts on the operation of the credit institution or foreign bank branch. To promptly notify the nature and impacts of any problems which might adversely impact the operation of the credit institution or foreign bank branch and make practical recommendations to prevent and address these problems.

4. To propose measures to correct and address errors and mistakes; to propose remedies to violations; to recommend measures to improve and raise the effectiveness and efficiency of the internal control system.

5. To evaluate the appropriateness of activities to prevent and address already reported weaknesses and activities to improve the internal control system; and to monitor these activities until these problems are satisfactorily addressed.

6. To make auditing reports; to promptly notify and submit internal auditing results under Articles 26, 27 and 28 of this Circular.

7. To develop, adjust, supplement and perfect internal auditing methods and scope of operation of the internal audit in order to update and catch up with the development of banking activities.

8. To implement the process of assuring the quality of internal auditing work.

9. To make dossiers of qualifications and capacity and set necessary requirements for internal auditors to serve as a basis for recruitment, promotion, rotation and professional training and retraining; to work out plans to recruit and arrange sufficient personnel for uninterrupted off-site monitoring; to organize constant training for internal auditors to maintain and improve their professional capacity.

10. To maintain regular consultancy and exchange of opinions with independent audit firms and the State Bank (the Banking Inspection and Supervision Agency and State Bank branches) for their effective cooperation; to coordinate with outside agencies in performing work related to the functions and tasks of internal auditors.

11. To advise executive officers, the Board of Directors or Members’ Council of the credit institution or foreign bank branch and operational sections on the implementation of projects to develop and apply new or amend existing important operational processes; governance and administration mechanisms; process of risk identification, measurement, assessment and management, method of capital valuation; information, accounting and cost-accounting system; performance of new operations or provision of new products on the condition that the independence of the internal audit is not affected.

12. To perform other tasks assigned by the Board of Directors or Members’ Council and the Control Board.

Article 19. Powers of the internal audit

1. To be fully furnished with necessary resources (human resources, finance and other facilities).

2. To take the initiative in performing its tasks under approved auditing plans.

3. To be fully and timely provided with all information, documents and dossiers necessary for internal auditing.

4. To have access to and examine all operational processes and assets in the course of internal auditing.

5. To contact and interview all officers and employees of the credit institution or foreign bank branch on matters related to audited contents.

6. To receive materials, documents and minutes of meetings of the Board of Directors or Members’ Council, Control Board, managers and executive officers concerning internal auditing work.

7. To attend internal meetings under law or the charter or internal regulations of the credit institution or foreign bank branch.

8. To supervise, evaluate and monitor the correction, remedy and improvement by heads of units and sections regarding problems which are recorded and recommended by internal auditors.

9. To be protected from uncooperative acts of auditees.

10. To provide regular professional training for internal auditors so that they can be professionally qualified and capable for performing their assigned tasks.

11. To exercise other powers provided by law.

Article 20. Responsibilities of the internal audit

1. To keep confidential documents and information under current laws, this Circular, the charter and internal regulations on internal auditing of the credit institution or foreign bank branch.

2. To be answerable to the Control Board for internal auditing results, assessments, conclusions, recommendations and proposals in internal auditing reports.

3. To monitor results of post-internal auditing realization of recommendations by units and sections of the credit institution or foreign bank branch.

Section 4

INTERNAL AUDITING POLICIES AND PLANS

Article 21. Internal auditing policies

1. Internal auditing policies serve as official grounds, bases and guidance for internal auditing work and each internal auditor. Internal auditing policies include internal regulations on internal auditing, code of professional conduct, internal regulations on the organization and operation of the internal audit, internal auditing process and relevant regulations.

2. Internal regulations on internal auditing must briefly indicate general principles, purposes, operation scope, position, powers, functions and tasks of internal audit in a credit institution or foreign bank branch and its relationships with other units and sections, and include requirements on the independence, objectivity, fundamental principles and quality of internal auditing and professional qualifications of internal auditors. Internal regulations on internal auditing of a credit institution or foreign bank branch shall be elaborated in compliance with this Circular and other relevant laws.

3. The internal auditing process must provide processes and detailed guidance on the method of risk assessment, elaboration of annual internal auditing plans and plan for each audit, method of auditing, elaboration and sending of auditing reports, and preservation of internal auditing dossiers and documents. The internal auditing process may be provided in internal regulations on internal auditing.

4. Pursuant to this Circular, a credit institution or foreign bank branch shall elaborate its internal auditing policies and processes suitable to its operation characteristics. Credit institutions and foreign bank branches are encouraged to apply international practices in internal auditing which are not contrary to this Circular.

Article 22. Rules of professional ethics

1. A credit institution or foreign bank branch shall establish its code of professional ethics and maintain rules of professional ethics in order to promote an ethical culture among its employees in general and in the performance of internal auditing in particular. Internal auditors shall strictly observe the rules of professional ethics in the course of performing internal auditing and consultancy work.

2. An internal auditor shall observe and uphold at least the following rules of professional ethics:

a/ Integrity: He/she shall perform his/her assigned jobs with honesty, diligence and responsibility; observe the law and make disclosures expected by the law and the profession; not knowingly be a party to any illegal activity or engaged in acts that are discreditable to the profession of internal auditing or to the credit institution or foreign bank branch; always respect and contribute to the legitimate and lawful objectives of the credit institution or foreign bank branch;

b/ Objectivity: He/she shall exhibit the highest level of professional objectivity in gathering, evaluating and communicating information about activities or processes that have been already or are being audited. He/she shall make a balanced assessment of all the relevant circumstances and are not unduly influenced by his/her own interests or by others in making comments or judgments;

c/ Confidentiality: He/she shall respect the value and ownership of information he/she receives and does not disclose information without appropriate authoriration unless there is a legal or professional obligation to do so;

d/ Responsibility: He/she shall always exhibit a high sense of responsibility, continually improve his/her proficiency and apply knowledge, skills and experience needed in the effective performance of internal auditing;

e/ Prudence: He/she shall exercise due professional care and possess needed skills of a prudent auditor for the following factors:

- Working time needed for accomplishing a set objective;

- Complexity, necessity or importance of matters so as to apply appropriate processes;

- Conformity and effectiveness of management, control and governance processes;

- Likelihood of material errors and misconducts;

- Operation expenses against potential benefits.

3. In addition to observing the rules of professional ethics specified in Clause 2 of this Article, a chief internal auditor shall also take monitoring, evaluation and management measures to assure that internal auditors observe the rules of professional ethics.

Article 23. Annual internal auditing plans

1. Based on the scale, growth rate and risk level of operations and available resources, a chief internal auditor shall work out annual internal auditing plans, stating the scope of audit, to be-audited entities, auditing objectives and duration, and allocation of resources.

2. An annual internal auditing plan of a credit institution or foreign bank branch must satisfy the following requirements:

a/ Risk-based orientation: Operations and executive and operational units and sections with high risk levels must be audited at least once a year;

b/ Assuring comprehensiveness: All operations and executive and operational units and sections of the credit institution or foreign bank branch must be audited; processes, units and sections which have been assessed as having the lowest risk level must also be audited at least once every three years;

c/ Reserving an adequate time volume for performing unexpected audits at the request of the Control Board or upon availability of information about signs of a violation or high risk level of an audited entity;

d/ Being adjustable upon occurrence of a fundamental change in the operation scale, risk evolution or available resources.

3. Before November 30 every year, an internal auditing plan for the subsequent year must be sent to the Board of Director or Members’ Council, Control Board and director general (director) of a credit institution. Before December 31 every year, a foreign bank branch or the Control Board of a credit institution shall send such auditing plan to the State Bank (the Banking Inspection and Supervision Agency or State Bank branch). People’s credit funds shall send their internal auditing plans only to State Bank branches.

Article 24. Approval of internal auditing policies and plans

1. Internal auditing policies (except internal regulations on the organization and operation of the internal audit) shall be discussed by the Control Board and director general (director) and approved and signed by the head of the Control Board for issuance after reaching agreement with the chairman of the Board of Directors or Members’ Council.

2. Internal regulations on the organization and operation of the internal audit shall be approved and signed by the chairman of the Board of Directors or Members’ Council for issuance at the request of the Control Board.

3. Internal auditing plans shall be discussed by the Control Board and director general (director) and approved by the head of the Control Board after reaching agreement with the chairman of the Board of Directors or Members’ Council.

4. Within 10 working days after being approved, an internal auditing policy or plan of a credit institution or foreign bank branch (except internal auditing plans specified in Clause 3, Article 23 of this Circular) must be sent to the State Bank (the Banking Inspection and Supervision Agency or State Bank branch) for information and monitoring. People’s credit funds shall send their internal auditing policies and plans only to State Bank branches. The State Bank may give its opinions or request amendments to internal auditing policies if finding them unsatisfactory under this Circular.

Article 25. Implementation of internal auditing plans

1. A chief internal auditor shall organize the implementation of annual internal auditing plans and unexpected audits at the request of the Board of Directors or Members’ Council, Control Board and director general (director).

2. The scope, frequency, methods and processes of audit must assure that auditing results truly reflect the actual situation of audited contents.

Section 5

REPORTING AND PRESERVATION OF INTERNAL AUDITING DOSSIERS AND DOCUMENTS

Article 26. Auditing reports

1. The internal audit of a credit institution shall promptly make, complete and send an auditing report to the Board of Directors or Members’ Council, Control Board, director general (director) and the audited unit or section within one month after the completion of each audit.

2. An auditing report must clearly state the audited contents, scope of the audit, assessments and conclusions on the audited contents and grounds for making these opinions; weaknesses, problems, errors, violations and explanations of the audited entity; proposed measures to correct or remedy errors and handle violations; proposed measures to rationalize and improve operational processes, improve risk management policies and organizational structure of the credit institution or foreign bank branch (if any).

3. An auditing report must contain opinions of the leadership of the audited unit or section. In case the audited unit disagrees with results of the audit, the internal auditing report must clearly show disagreement of the audited unit and the reason.

Article 27. Irregular reports

1. A chief internal auditor shall make an irregular report as follows:

a/ Promptly reporting to the Control Board, Board of Directors or Members’ Council, director general (director) and the State Bank (the Banking Inspection and Supervision Agency or State Bank branch) upon detecting any material error or violation or identifying a high risk that might badly affect the operation of the credit institution.

b/ Promptly notifying the executive officer of the audited unit when the problems stated in the auditing report have not yet been addressed and remedied after a given period.

c/ After notifying the executive officer of the audited unit under Point b of this Clause, if the problems remain unaddressed, promptly reporting such in writing to the Control Board, Board of Directors, Members’ Council and director general (director) of the credit institution.

2. In case the internal auditing of a foreign bank branch is conducted by the internal audit of its head office or regional office, the parent bank of the foreign bank branch shall promptly report to the State Bank (the Banking Inspection and Supervision Agency or State Bank branch) upon detecting any material error or violation or identifying a high risk that might adversely affect the operation of the foreign bank branch.

Article 28. Annual auditing reports

1. Within 45 days after the end of a fiscal year, a chief internal auditor shall send a summarization report on the results of implementation of the internal auditing plan of this year to the Control Board, Board of Directors or Members’ Council and director general (director). Such report must clearly indicate the set auditing plan, already performed auditing jobs, major problems, mistakes or violations which have been detected; measures proposed by the internal auditors, assessment or the internal control system related to audited operations and recommendations for improving the internal control system; and the realization of measures, proposals and recommendations of the internal auditors.

2. Within 60 days after the end of a fiscal year, a credit institution or foreign bank branch shall send a summarization report on the results of implementation of the internal auditing plan of this year with contents specified in Clause 1 of this Article to the State Bank (the Banking Inspection and Supervision Agency or State Bank branch). People’s credit funds shall send such reports only to State Bank branches.

Article 29. Preservation of internal auditing dossiers and documents

1. Auditing reports, dossiers and documents must be preserved at the internal audit in accordance with law.

2. Dossiers and documents of each audit must be documented and filed in a temporal order so that individuals and institutions competent to exploit (having banking expertise and knowledge) may understand the performed audits and results of the audits.

Chapter IV

RESPONSIBILITIES OF RELEVANT UNITS

Section 1

RESPONSIBILITIES OF CREDIT INSTITUTIONS AND FOREIGN BANK BRANCHES

Article 30. Responsibilities of Board of Directors or Members’ Council

1. For the internal control system

a/ To annually examine and re-assess the internal control system, paying attention to the system of risk identification, measurement, assessment and management, capital valuation method, financial statement and management information systems;

b/ To issue and periodically review and re-assess the business strategy and major objectives and policies of the credit institution or foreign bank branch;

c/ To assure that the director general (director) establishes and maintains a rational and effective internal control system containing a system of risk identification, measurement, assessment and management; a capital valuation system; and truthful, rational, adequate and timely financial statement and management information systems;

d/ To monitor and urge the realization of instructions and requests of the State Bank on the internal control system in at the credit institution or foreign bank branch.

2. For internal auditing

a/ To issue internal regulations on the organization and operation of the internal audit, specifying its objectives, tasks, position, powers, responsibilities, reporting regime and relationship with other sections of the credit institution; responsibilities and powers of the chief internal auditor, and basic principles and requirements of internal auditing under this Circular;

b/ To decide on the organizational apparatus of the internal audit; appointment and dismissal of the chief internal auditor and other posts of the internal audit at the request of the Control Board;

c/ To furnish sufficient resources (human resources, finance and other facilities) and create favorable conditions for the internal audit to fulfill its tasks specified in this Circular;

d/ To decide on the realization of recommendations of internal auditors; to urge and monitor operational units in realizing these recommendations, and take measures for timely handling upon receiving reports specified in Articles 26, 27 and 28 of this Circular and proposals or recommendations of the head of the Control Board or the chief internal auditor;

e/ To decide on the financial regime and salary, bonus and allowance mechanism applicable to the internal audit and its staff according to its competence.

Article 31. Responsibilities of the director general (director)

1. For the internal control system

a/ To be answerable to the Board of Director or Members’ Council or the parent bank of the foreign bank branch for the implementation of the business strategy and major objectives and policies approved by the Board of Director or Members’ Council or the parent bank of the foreign bank branch;

b/ To be the first to take responsibility for conducting examination and assessment of the internal control system and the last to bear responsibility for the rationality, effectiveness and efficiency of the internal control system;

c/ To establish, maintain and develop a rational and effective internal control system to meet the requirements of risk identification, measurement, assessment and management, and a rational capital valuation method, assuring the safe, effective and lawful operation of the credit institution or foreign bank branch;

d/ To elaborate and issue specific operational processes for every operation of the credit institution or foreign bank branch; to assure the adoption of control and risk management policies associated with specific operational processes;

e/ To maintain and implement the organizational structure, power decentralization and authorization and business administration mechanisms in a transparent and effective manner;

f/ To maintain truthful, rational, adequate and timely financial and management information systems;

g/ To assure the observance of the law and internal regulations, processes and rules;

h/ To annually report to the Board of Directors or Members’ Council and Control Board of the credit institution or the parent bank of the foreign bank branch on results of the self-assessment of the internal control system, and make recommendations and proposals to adjust, supplement or perfect the internal control system;

2. For internal auditing

a/ To create favorable conditions for the internal audit to perform its assigned tasks and direct executive and operational units and sections to coordinate with the internal audit under internal regulations on internal auditing or as directed by the Board of Directors or Members’ Council;

b/ To urge executive and operational units and sections in realizing recommendations that have been agreed with the internal audit or as directed by the Board of Directors or Members’ Council; to notify the internal audit of the realization of recommendations as already agreed with the internal audit;

c/ To invite the internal audit to attend internal meetings;

d/ To promptly notify the internal audit of all cases of material loss or fraud and possible cases of risk, loss or fraud;

e/ To assure that the internal audit be adequately notified of changes and problems  arising in the operation of the credit institution, initiatives and new products in order to early identify related risks.

Article 32. Responsibilities of the Control Board

1. For the internal control system

a/ To direct and operate the internal audit in independently and objectively reviewing and evaluating the internal control system, including the risk identification and management system; the capital valuation method; financial statement and management information systems; and internal processes and regulations of the credit institution or foreign bank branch;

b/ To periodically notify the Board of Directors or Members’ Council and director general (director) of the internal control system; to make recommendations and proposals to adjust and perfect the internal control system.

2. For internal auditing

a/ To directly instruct, govern and supervise the operation of the internal audit;

b/ To review and evaluate internal auditing work to assure its effectiveness; to assume the prime responsibility for assuring the quality of internal auditing;

c/ To assure that internal auditing has an appropriate position in the credit institution and there is no irrational impediment to internal auditing;

d/ To elaborate, amend, supplement and constantly improve internal regulations on the organization and operation of the internal audit, then submit them to the Board of Directors or Members’ Council for decision;

e/ To approve internal auditing policies (except the case specified at Point d of this Clause); to approve and adjust annual internal auditing plans at the request of the chief internal auditor, assuring that these plans are risk-oriented;

f/ To assure effective coordination with independent audit firms, the State Audit and the State Bank (the Banking Inspection and Supervision Agency or State Bank branch);

g/ To consider and propose the Board of Directors or Members’ Council to appoint or dismiss the chief internal auditor and other posts of the internal audit and approve the organizational structure of the internal audit;

h/ To report directly to all bodies and levels inside and outside the credit institution under law and regulations of the credit institution; to send reports to the State Bank under this Circular.

Article 33. Responsibilities of the chief internal auditor

1. For the internal control system

To assure the performance and exercise of all internal auditing-related functions, tasks and powers of the internal control system under this Circular and relevant internal regulations of the credit institution.

2. For internal auditing

a/ To elaborate annual internal auditing plans and submit them to the Control Board for approval;

b/ To organize the implementation of internal auditing plans approved by the Control Board and unexpected audits as assigned by the Board of Directors or Members’ Council, Control Board and director general (director);

c/ To elaborate, amend, supplement and constantly improve internal auditing methods, policies and processes, and submit them to the Control Board;

d/ To assure that internal auditors are regularly trained and professionally qualified and skilled for the performance of internal auditing tasks;

e/ To adjust internal auditing plans before submitting them to the Control Board for approval;

f/ To request the participation of personnel of other sections of the credit institution in the internal audit when necessary, on the condition that the independence of the internal audit is ensured;

g/ To attend meetings under internal regulations of the credit institution and this Circular;

h/ To report to the Control Board, Board of Directors or Members’ Council and director general (director) when detecting weaknesses, problems, errors or violations of the control system and executive officers;

i/ To monitor the post-auditing realization of recommendations; to make and send reports specified in this Circular.

j/ To consider and propose the Control Board to request the Board of Directors or Members’ Council to appoint or dismiss deputy chief internal auditor(s) and holders of other internal audit posts or to approve the organizational structure of the internal audit;

k/ To be answerable to the Board of Directors or Members’ Council or Control Board for the results of audits performed by the internal audit.

Article 34. Responsibilities of internal auditors

1. To verify that information is sufficient, reliable, suitable and useful for the accomplishment of audit objectives.

2. To independently and objectively make audit conclusions and results based on appropriate analyses and assessments.

3. To keep relevant information to support audit conclusions and issue audit results.

4. To take responsibility before law and the chief internal auditor for the results of audits they perform.

Article 35. Responsibilities of executive and operational units and sections for internal auditing

1. To honestly and accurately provide adequate information, documents and dossiers necessary for internal auditing at the request of the internal audit and refrain from suppressing any information.

2. To promptly notify the internal audit upon detecting major weaknesses, problems, errors, violations, risks and asset losses (or danger of asset loss), or upon occurrence of a change in the internal control system at their units or sections.

3. To realize recommendations as already agreed with the internal audit and/or as directed by the Board of Directors or Members’ Council.

4. To create all favorable conditions for the internal audit to work in the most effective manner.

Section 2

RESPONSIBILITIES OF THE STATE BANK

Article 36. Responsibilities of the Banking Inspection and Supervision Agency

1. To inspect and supervise the observance of regulations on internal control system and internal auditing of credit institutions and foreign bank branches under this Circular.

2. To annually assess the quality and effectiveness of the internal auditing of credit institutions and foreign bank branches, and intensify consultancy and coordination with the internal audit units of credit institutions in order to improve the effectiveness of internal auditing and the inspection and supervision of credit institutions and foreign bank branches.

3. To handle according to its competence or propose the State Bank Governor to handle violations of this Circular and relevant laws.

4. To guide credit institutions, foreign bank branches and State Bank branches in implementing this Circular.

Article 37. Responsibilities of State Bank branches

1. To inspect and supervise or coordinate with the Banking Inspection and Supervision Agency in inspecting and supervising the observance of regulations on internal control system and internal auditing of credit institutions and foreign bank branches based in their localities under this Circular.

2. To handle according to their competence or propose the State Bank Governor to handle violations of this Circular and relevant laws.

3. To inspect and supervise the observance of regulations on internal control system and internal auditing of people’s credit funds under this Circular; and to annually evaluate the quality and effectiveness of internal auditing of people’s credit funds.

4. To receive internal auditing reports and plans of people’s credit funds.

Chapter V

IMPLEMENTATION PROVISIONS

Article 38. Transitional provisions

1. Within 6 months after the effective date of this Circular, credit institutions and foreign bank branches shall conduct review and self-adjustment so as to comply with the principles, requirements and regulations on internal control system and internal auditing provided in this Circular and send their internal regulations on internal auditing to the State Bank (the Banking Inspection and Supervision Agency or State Bank branches). People’s credit funds shall send their internal regulations on internal auditing only to State Bank branches.

2. By December 31, 2012, at the latest, credit institutions and foreign bank branches shall complete the adjustment of the organizational structure of their internal audit under the Law on Credit Institutions and this Circular.

Article 39. Effect

1. This Circular takes effect on February 12, 2012.

2. The State Bank Governor’s Decision No. 36/2006/QD-NHNN of August 1, 2006, promulgating the Regulation on internal inspection and control of credit institutions, and Decision No. 37/2006/QD-NHNN of August 1, 2006, promulgating the Regulation on internal auditing of credit institutions, cease to be effective on the effective date of this Circular.

Article 40. Organization of implementation

The chief of the Office, the Chief Banking Inspector-Supervisor, heads of units of the State Bank of Vietnam, directors of State Bank branches, chairpersons and members of Boards of Directors or Members’ Councils, heads and members of Control Boards, directors general (directors) of credit institutions and foreign bank branches and related organizations and individuals shall implement this Circular.-

For the State Bank Governor
Deputy Governor
TRAN MINH TUAN