Internal Control System
The Bank’s internal control system is structured in accordance with the requirements of the laws of the Republic of Kazakhstan, the Basel Committee on Banking Supervision, and best international practices. The Bank applies the COSO Integrated Framework (2013) in the construction of its internal control system. The Bank’s Internal Control System (hereinafter, the ICS) is a process embedded in the day-to-day activities performed by the Board of Directors, collegiate bodies, structural units and all employees of the Bank in the performance of their duties.
The Board of Directors oversees the activities of the Management Board by ensuring the implementation of the ICS and monitoring its condition. The Risk and Internal Control Committee of the Board of Directors monitors the functioning of the ICS and reviews the results of evaluations of its quality and effectiveness.
The Management Board is responsible for ensuring the existence and proper functioning of all components and principles of the ICS.
On a quarterly basis, the Bank’s authorized collegiate bodies review reports on operational risks, IT and information security risks, and internal control, based on which appropriate decisions are made. In addition, the Board of Directors reviews and approves the main internal documents regulating the Bank’s ICS.
Risk management procedures are designed to ensure a rapid response to emerging risks, along with their clear identification and assignment of risk owners. To gain a holistic and clear understanding of inherent risks, the Bank conducts annual risk identification and assessment exercises, which are reflected in the risk register, risk map, list of material risks, and the Risk Appetite Statement for the upcoming year, all of which are approved by the Board of Directors.
Approaches to risk identification, the procedures for risk identification and assessment, determination of response methods, and monitoring mechanisms are defined in internal documents under the Bank’s risk management framework.
The ICS of the Bank operates on a multi-level structure and encompasses all Bank departments. Internal control participants are designated based on the three lines of defense model:
The first line of defense is ensured by all structural units of the Bank and consists of controls developed to ensure the proper execution of day-to-day operations. These controls are designed by business units and are integrated into business processes to minimize risk and ensure compliance with both internal documents and external regulatory requirements. The business units themselves manage and monitor these controls, which entails their ability to identify risks, weaknesses in business processes, and potential unforeseen events, and to respond in a timely manner.
The second line of defense is provided by the internal control unit, which conducts monitoring, coordination, and documentation of the ICS, as well as by departments responsible for risk identification and assessment in specific areas of the Bank’s activities.
The third line of defense is ensured by the internal audit unit, which provides an independent assessment of the ICS effectiveness, based on audit results or separate evaluations of ICS efficiency.
The internal control unit also provides consulting support to Bank employees on internal control matters, in accordance with the Bank’s internal regulatory documents, the regulatory documents of Baiterek NMH JSC, the regulatory documents of the National Bank of the Republic of Kazakhstan, and the applicable laws, with the goal of ensuring the effective operation of the ICS. The internal control unit conducts annual internal training on the ICS for all Bank employees, followed by testing.
As part of ICS monitoring and documentation activities, the internal control unit carries out selective audits of Bank business processes in accordance with the work plan or upon management’s request. These audits include diagnostics of the adequacy of control design to prevent or detect identified risks within processes, as well as testing the operational effectiveness of controls.
In 2024, the internal control unit audited five business processes, including:
- Disbursement to recipients of lump‑sum pension withdrawals;
- Servicing of savings deposits, current, and special accounts of individuals (a selective audit of seven subprocesses);
- Lending (a selective audit of five subprocesses);
- Handling of requests from individuals and legal entities;
- Provision and servicing of budget loans under the With a Diploma to the Village program.
The diagnostics and control testing revealed findings such as the need for process/control optimization, lack of regulation in control procedures, presence of controls with partially effective design, and a significant proportion of manual controls necessitating automation. In response, recommendations were developed for process owners to improve partially effective controls, eliminate deficiencies, and improve regulation/automation/optimization of processes. The Bank’s Risk Committee reviewed the audit reports and approved corrective action plans to address identified deficiencies. The responsible structural units are carrying out activities to eliminate the violations and implement the corrective action plans.
Business process owners across all lines of defense annually identify risks within their respective processes and conduct self-assessments of the adequacy of internal control design to mitigate identified risks. The results are reflected in the Bank’s Matrix of Business Processes, Risks, and Controls (hereinafter, the Matrix). The Matrix for the upcoming reporting year, which includes business owner self-assessments, is updated with coordination and methodological support from the internal control unit and approved by the Board of Directors. Where necessary, business process owners develop and approve action plans to address internal control deficiencies, with subsequent monitoring of implementation.
Monitoring of the Bank’s ICS is carried out by departments across all three lines of defense, as well as by the Bank’s authorized collegiate bodies.