129. The bank’s internal control structure is essential to the capital assessment process. Effective control of the internal capital adequacy assessment process should include an independent review and the involvement of both internal audit and external audit (refer to Appendix 3.1). Senior Management has a responsibility to ensure that the bank establishes a system for assessing the full scope of its risks, develops a system to relate risk to the bank’s capital level, and establishes a method for monitoring compliance with internal policies.
130. Internal Audit should perform an audit on the bank’s ICAAP report annually. The report has to be submitted no later than three (3) months after the submission of the ICAAP report to the bank’s reviewer and in copy to bsed.basel@cbuae.gov.ae.
131. Internal control functions should perform regular reviews of the risk management process to make sure its coherence, validity, and rationality. The review of the ICAAP should cover the following:
| | | (i) | Ensuring that the ICAAP is complete and suitable as of the bank’s context , operational conditions, the reliability of controls behind it;
| | (ii) | The process of identifying all material risks;
| | (iii) | Efficiency of the information systems that support the ICAAP;
| | (iv) | Ensuring that the measurement methodologies in use are suitable to support the ICAAP valuation,
| | (v) | Ensuring the accuracy, and comprehensive of the data input to the ICAAP;
| | (vi) | Rational behind the ICAAP output and assumptions in use;
| | (vii) | Rational and suitability of stress tests and analysis of assumptions;
| | (viii) | Consolidation of the ICAAP outcomes with the risk management (e.g., limit setting and monitoring); and
| | (ix) | Rational of the capital plan and internal capital targets.
|
|
132. In addition, the review should cover the integrity and validity of regulatory data submitted to the Central Bank during the course of the year relating to Pillar 1 capital requirements, which should address, but not be limited to the following:
| | | (i) | Appropriate classification of risk-weighted assets (RWA);
| | (ii) | Appropriate inclusion of the off-balance sheet values and the application of credit conversion factors (CCF); and
| | (iii) | Appropriate credit risk mitigation (CRM) methodology application and values.
|
|
133. The role and validity of internal control functions are also important and should be verified with regard to other topics. For example:
| | | (i) | All risk quantification methodologies and models must be subject to independent validation (internal/ external); and
| | (ii) | Internal Audit should perform an independent review of the bank’s capital framework implementation every year in accordance with the Capital Standards. If the Central Bank is not satisfied with the quality of work performed by the bank’s Internal Audit function, the Central Bank may require an external review.
|
|