| 1. | The Internal Controls system must ensure effective operations, adequate control of risks, prudent conduct of business, reliability of financial and non-financial information reported, compliance with Central Bank Laws and other relevant laws, Regulations and supervisory requirements and the Company's internal rules and decisions. It must cover all units and activities and must be regularly assessed, reviewed by the Board or the Board audit committee and updated as necessary. It must include appropriate control structure with control activities defined at every business unit level, as they must own, manage and report risks and must be accountable for establishing and maintaining effective Internal Controls policies and procedures. Control Functions must assess the adequacy of the controls used by the business units. The Internal Controls system must contain, at a minimum, the following components:
| a. | Segregation of duties and measures to prevent Conflicts of Interest, as follows:
| 1. | Adequate independence and clear separation of duties and reporting lines between the persons who are responsible for certain processes or policies, and those who verify that the processes or policies are being applied.
| | 2. | Adequate independence, and clear separation of duties and reporting lines between those who design or operate certain controls and those who check if the controls are effective.
|
| | b. | Policies and processes:
| 1. | Incorporate adequate controls for all key business processes and policies, including processes for taking major business decisions and approving transactions, critical information technology functionalities, cyber security, access to critical information technology infrastructure by employees and related third parties and important legal and regulatory obligations.
| | 2. | Incorporate policies on training on controls, especially for Staff undertaking roles requiring elevated trust or responsibility, or Staff involved in the oversight of high-risk activities.
| | 3. | Centralised documented key processes and policies and their corresponding controls.
|
| | c. | Information and communication:
| 1. | All Staff must be fully aware of the requirements to comply with the Company's Internal Controls system.
| | 2. | The necessary information for decision making must be made available to decision makers in a timely manner, including, but not limited to, financial, operational, compliance and market information.
|
| | d. | Monitoring and review:
| 1. | Processes must be checked on a regular basis by the internal audit function to ensure that controls are effective.
| | 2. | The Internal Controls system must be assessed on a regular basis by the internal audit function, to determine its efficiency and effectiveness.
|
| | e. | Reporting on the Internal Controls system must reference the policy for Internal Controls (such as responsibilities, compliance levels, validation and implementation of remediation plans), the stage of development, the performance of the business units, and deficiencies in application.
|
|