RESPONSIBILITY

The Board of Directors (the Board) of Commercial Bank of Ceylon PLC (the Bank) wishes to present this Report on Internal Control over Financial Reporting and Risk Management, in line with the Section 3 (8) (ii) (b) of the Banking Act Direction No. 11 of 2007 on Corporate Governance for Licensed Commercial Banks in Sri Lanka issued by the Central Bank of Sri Lanka (CBSL) (which was revoked with effect from January 01, 2025, with the issuance of the Banking Act Direction No. 05 of 2024 on Corporate Governance for Licensed Banks) and Principle D.1.5 of the Code of Best Practice on Corporate Governance 2023 (Code) issued by CA Sri Lanka.

The Board is responsible for the adequacy and effectiveness of the system of risk management and internal controls in place at the Bank. However, such a system is designed to manage the Bank’s key areas of risk within an acceptable risk profile, rather than to eliminate the risk of failure to achieve business objectives of the Bank. Accordingly, the system of internal controls can only provide reasonable but not absolute assurance against material misstatements of management and financial information and records or against financial losses or fraud.

The Board has established an ongoing process for identifying, evaluating and managing the principal risks faced by the Bank and this risk management framework has been well established for many years with continuous enhancements on a need basis, which includes enhancing the system of internal controls as and when there are changes to the business environment or regulatory guidelines. The process is regularly reviewed by the Board and accords with the “Guidance for Directors of Banks on the Directors’ Statement on Internal Control” issued by CA Sri Lanka. The Board has assessed the internal controls taking into account all main principles for the assessment of an internal control system as given in the above-mentioned guidance.

The Board is of the view that the system of internal controls in place over financial reporting at the Bank is sound and adequate to provide reasonable assurance regarding the reliability of financial reporting, and that the preparation of Financial Statements for external purposes is in accordance with relevant accounting principles and regulatory requirements.

The Management assists the Board in the implementation of the Board’s policies and procedures on risk management and internal controls by identifying and assessing the risks faced, and in designing, implementing, operating and monitoring of suitable system of risk management and internal controls to mitigate and control these risks.

KEY FEATURES OF THE PROCESS ADOPTED IN APPLYING AND REVIEWING THE DESIGN AND EFFECTIVENESS OF THE INTERNAL CONTROL SYSTEM ON FINANCIAL REPORTING AND RISK MANAGEMENT

The key processes that have been established for reviewing the adequacy and integrity of the system of internal controls with respect to financial reporting and risk management include the following:

• Ten (10) Sub-committees have been established by the Board, including those mandatory committees as required by the Banking Act Direction No. 11 of 2007 aforesaid, the Listing Rules of the Colombo Stock Exchange, and the Banking Act Direction No. 01 of 2023, to assist the Board in ensuring the effectiveness of the Bank’s daily operations and that the Bank’s operations are conducted in line with the corporate objectives, strategies and the annual budget as well as the policies and business directions that have been approved by the Board. Details of the activities undertaken by each Sub-committee are set out on pages 214 to 237.
• Policies/Charters have been developed covering all functional areas of the Bank and these have been recommended by the Board appointed Committees and approved by the Board. These policies and Charters are reviewed and approved by the Board at least annually.
• The Board Audit Committee (BAC) approves the audit plan and reviews internal control issues identified by the Inspection/Internal Audit Department/Information Systems Audit Unit of the Bank (collectively referred to as “Internal Audit Department”), co-sourced internal auditors, regulatory authorities, external auditors and the Management, and evaluates the adequacy and effectiveness of the risk management and internal control systems. The BAC also carries out an annual evaluation to review the effectiveness of the internal audit function with particular emphasis on the scope, quality, independence of internal audit and the adequacy of resources. The Minutes of the BAC meetings are tabled at the meetings of the Board of Directors of the Bank on a periodic basis. Further details of the activities carried out by the BAC during the year under review are set out in the BAC Report on pages 214 to 217.
• The Internal Audit Department checks for compliance with policies and procedures and the effectiveness of the internal control systems/information system controls on an ongoing basis using samples and scheduled audit procedures. Further, Onsite, Online, Offsite and integrated audits are carried out covering all departments, branches, subsidiaries and overseas operations in accordance with the annual audit plan reviewed and approved by the BAC. The type and frequency of audits of these Business units are dynamically determined based on the assessed level of risk and changes in the control environment, ensuring the delivery of an independent and objective reports. Scope of online, real time and near real time audits was further enhanced to cover high-risk transactions of the Bank. In addition, monitoring over cyber security controls and modifications to core banking systems/databases was further strengthened utilising appropriate tools/techniques and resources. These audit procedures and techniques enable continuous testing of all controls, either on a near-real time or real time basis. Significant findings identified during internal audits are submitted to the BAC for review at its periodic meetings.
• In assessing the internal control system over financial reporting, identified officers of the Bank continued to review and update all procedures and controls that are connected with significant accounts and disclosures in the Financial Statements of the Bank. The Internal Audit Department continued to verify the suitability of design and effectiveness of these procedures and controls on an ongoing basis. The assessment included both local and overseas subsidiaries and the Bangladesh operations of the Bank as well.
• The Board Integrated Risk Management Committee (BIRMC) reviews the major risk exposures of the Bank and the steps taken to control those exposures. This includes assessing key risks such as credit, market, liquidity, data security and Information Technology. BIRMC works closely with the Board and the BAC in fulfilling responsibility for risk management and communicates the risk profile of the Bank to the Board periodically. Further details of the activities carried out by the BIRMC during the year under review are set out in the BIRMC Report on pages 218 to 220.

Since the adoption of the Sri Lanka Accounting Standard – SLFRS 9 on ‘Financial Instruments’, which became effective from January 01, 2018, the Bank introduced and implemented the processes that are required to comply with the requirements of recognition, measurement, presentation and disclosures under the above Accounting Standard. These processes are continuously strengthened based on the feedback received from the External Auditor, Internal Audit Department, regulators and the BAC. Continuous monitoring is in progress and steps are being taken to further improve the processes where required, and to enhance effectiveness and efficiency. The Bank has documented the procedures relating to these requirements and updates the procedure manuals as and when necessary and also obtains approval of the Board with the recommendation of the BAC for changes made to the documented procedures. The Bank’s Internal Audit Department conducts tests on these processes and the observations from these exercises are regularly tabled for review by the BAC during the year 2024 as well.

Having recognised the need to introduce an automated platform for various computations required under SLFRSs and LKASs including loan impairment, the Bank automated impairment calculations through a renowned software solution and commenced computation of impairment for loans and advances based on this automated impairment solution when preparing its Financial Statements from the second quarter of 2023. However, the Bank continued with the manual calculation of impairment as a parallel exercise till December 2023, despite the successful live deployment of the software solution. This was due to the continuous refinements required in the computation of impairment given the macro-economic challenges faced by the country, the consequent impact on the Bank’s customers in most of the industries and the evolving regulatory requirements which are in addition to the requirements of the Sri Lanka Accounting Standards. After a comprehensive evaluation of the results of the two methodologies, namely impairment results under manual calculation and the automated impairment solution, the Bank decided to use the impairment results from automated impairment solution for the preparation of financial statements for the financial year 2023 onwards with the approval of the Board of Directors and discontinued the manual calculation of impairment from the beginning of January 2024. The Bank has a documented Financial Statements Closure Process in place which was developed with the support of an external consultant and validated by an independent consultant. These proactive measures helped the Bank to ensure that the Bank is in compliance with the requirements of the Banking Act Direction Nos. 13 and 14 on “Classification, Recognition and Measurement of Credit Facilities and other Financial Assets in Licensed Banks” issued by the CBSL which became effective from January 01, 2022. The Bank also documented the risks and controls underlying the automated impairment calculations referred to above. Further, despite the improvements in the economic factors during the year ended December 31, 2024, the Bank has reviewed the requirement for impairment and has made adequate provisions to address any expected credit losses.

The comments made by the External Auditor in the Management Letter in connection with the internal control system over financial reporting in previous years and the recommendations made in the Statutory Examination Reports of the CBSL were continuously reviewed and necessary steps were taken to address them with regular reports from the Management and updates to the BAC and the Board, where appropriate. The recommendations made by the External Auditor in 2024 in connection with the internal control system over financial reporting will be dealt with in the future.

CONFIRMATION

Based on the above processes, the Board of Directors confirms that the financial reporting system of the Bank has been designed to provide a reasonable assurance regarding the reliability of financial reporting and the preparation of Financial Statements for external purposes has been done in accordance with the Sri Lanka Accounting Standards and regulatory requirements of the CBSL.

REVIEW OF THE STATEMENT BY EXTERNAL AUDITORS

The External Auditor, Messrs KPMG, has reviewed the Directors’ Statement on Internal Control over Financial Reporting and Risk Management included in this Annual Report for the year ended December 31, 2024 and reported to the Board that nothing has come to their attention that causes them to believe that the statement is inconsistent with their understanding of the process adopted by the Board in the review of the design and effectiveness of the internal control system over financial reporting and risk management of the Bank. Their independent assurance report on the Directors’ Statement on Internal Control over Financial Reporting is given on page 250 of this Annual Report.

By Order of the Board,

* Chairman of the Board Audit Committee up to December 31, 2024. Appointed as the Chairman of the Board Integrated Risk Management Committee with effect from January 01, 2025

**Appointed as the Chairman of the Board Audit Committee with effect from January 01, 2025

*** Chairperson of the Board Integrated Risk Management Committee up to December 31, 2024