STAGE I: PROCESS AND CONTROL DOCUMENTATION

Overview of work performed by the management

Management is required to base its assessment of the Banks internal controls over financial reporting (ICFR) on a
suitable recognized control framework. The Committee of Sponsoring Organization (COSO) framework is regarded
as one of the most widely applied model and accordingly the Bank has adopted a COSO framework to benchmark
its process and control documentation with respect to ICFR.
For the purpose of ICFR, significant accounts in the financial statements were identified using combination of
qualitative and quantitative factors (including factors such as subjectivity and estimation, volume of transaction,
complexity of transaction, extent of IT dependency and susceptibility of loss due to fraud or error, etc.) Processes
affecting such accounts were identified from the process listing and mapped thereto. All relevant financial statement
assertions were also mapped to the significant accounts.
The following processes were documented based on the above mentioned scoping exercise carried out by the
management.
Entity Level Controls (ELCs)
Finance and Accounts
Treasury Function
Banking Operations
Credit Management
Credit Operations (Branch)
Credit Administration
Risk Management
Recovery and Special Assets Management
Human Resource Management
General Services
Information System
Legal Matters
For each of these processes (other than entity level controls) the management has documented process flow charts,
risk and control matrix, process descriptions and a manual for accounting and financial reporting. With respect to
entity level controls the management has documented aspects relating to the entitys control environment,
compliance division, internal audit function and risk assessment.
Procedures performed by us with respect to this stage
Reviewed the scoping study performed by the management for identification of significant accounts and
disclosures. This included review of whether the scoping was conducted on the Banks statement of financial
position and profit and loss account supported by the relevant detailed notes to the financial statements and
breakdown of the information, as available in the supporting records.
Assessed whether the relevant quantitative and qualitative factors and materiality at the financial statements level
have been considered by the management while identifying the significant accounts and disclosures.
Reviewed managements process for identification of cycles / sub cycles and processes / sub-processes (e.g.
Deposits and Markup-interest payable, Cash, Treasury, Fixed Assets with sub processes such as Markup accrual and
payment, Disposal of furniture, fixture and office equipment etc.) that are covered in the Banks process flow
documentation and assessed their adequacy in terms of coverage of all significant areas of the Banks operations.
Reviewed managements documentation of the control environment i.e. processes and controls relating to overall
governance, organizational structure, delegation of authority, monitoring of controls etc.

 Reviewed the managements process for identification of the relevant financial statement assertions for each of
the significant accounts and disclosures.
Evaluated the design of the risk control matrices with respect to the following aspects:
1. Risk control matrices are developed for all the relevant cycles / sub-cycles and processes / sub-processes;
2. All significant financial reporting risks are clearly defined;
3. Risk control matrices incorporate all relevant financial statement assertions;
4. All significant financial reporting controls are duly incorporated with clear description and appropriately mapped
to the relevant financial reporting risks and financial statement assertions relating to significant accounts and
disclosures;

5. Frequency of control performance and authorities responsible for control activities are duly identified in the
matrices; and
6. Analysis of the control (i.e. whether the control is preventive or detective in nature, manual or automated) is
provided in the matrices.
Our procedures comprised of walkthrough tests on a sample of the significant processes and inquiries of
respective business units personnel to assess whether the documentation reasonably covers, end to end, activities and
controls in all the relevant cycles / sub cycles and processes / sub processes.

STAGE II: IDENTIFICATION OF GAPS AND RECOMMENDATIONS

Overview of work performed by the management
In assessing the design of controls, management determined whether the controls (procedures, processes and
systems) would, if operating as intended, provide reasonable assurance that managements control objectives are
being met vis--vis the relevant financial statement assertions for all significant accounts and disclosures (referred to
as design effectiveness). The gap analysis with respect to the design of controls of the Bank was carried out as part
of the risk and control assessment process which was conducted and completed initially at the time of compliance of
SBPs ICFR requirements. Based on the gap analysis exercise, Risk Control Matrix (RCM) was formulated keeping
in view all policies and procedures of the Bank. A risk and control matrix was prepared for each significant process.
Procedures carried out by us with respect to this stage
Our procedures included inquiries of management to understand the methodology of identification of gaps and
review of the gap analysis reports, if any, to assess the reasonableness of the gaps identified. We tested the design
effectiveness of key controls by determining whether the Banks controls, if they are operating as prescribed by
persons possessing the necessary authority and competence to perform the control effectively satisfy the Banks
control objectives and can effectively prevent or detect material misstatements in the financial statements. The
procedures that we performed to test the design effectiveness included a mix of inquiry of appropriate personnel,
observation of the Banks operations and inspection of relevant documentation. In performing our walkthrough tests
we followed a transaction from origination through the Banks processes until it is reflected in the Banks financial
records using the same documents and information that the Bank personnel use.

STAGE III: DEVELOPMENT OF DETAILED REMEDIATION / IMPLEMENTATION PLANS

Identification of gaps, review of controls and upgradation of business processes is an iterative process. Subsequent
identification of gaps and remediation thereof is taken as a continuous process by the Bank, whereby the gaps are
identified by the user departments on happening of contingencies that arise the need for revision / upgradation of
controls. The risk and controls so identified are considered and approved by Internal Control on Financial Reporting
Department (ICFRD), and relevant process owners possessing the relevant expertise before implementation and
subsequent upgradation of documentation.

STAGE IV: DEVELOPMENT OF MANAGEMENT TESTING PLANS

Overview of work performed by the management
The Bank has developed a Test Plan Document (TPD) which addresses the aspect relating to management testing for
evaluation of operating effectiveness of controls. The testing plans for each risk entity are included as part of the
TPD which are reviewed and updated by Internal Control on Financial Reporting Department (ICFRD). For the
purpose of testing, all key controls are considered by the management.
For the purpose of testing, an Internal Control on Financial Reporting Department (ICFRD) has been established. In
case of branches, the testing is performed by process owners. Results of the testing conducted at branches are
forwarded to Compliance Department established at each zonal office which are then forwarded to Internal Control
on Financial Reporting Department. ICFRD checks the results of testing conducted at the branches on sample basis.
Re-testing is done on a sample depending upon the risks identified in the processes.
Procedures carried out by us with respect to this stage
Reviewed the testing plans with respect to the following key elements:
Key controls to be tested (including entity level controls)
Extent of testing
Timing of procedures
Description of the test
Test performing authorities
Reviewed whether testing responsibilities have been appropriately and clearly assigned to the relevant testing
authorities considering the test performing function, frequency of control performance, independence from control
operations, testing being integrated into operations etc.
Assessed whether adequate testing structure has been designed considering independence / practicality
perspectives.
Reviewed whether an adequate reporting framework has been developed by the management for reporting /
documentation of the results of evaluation of operating effectiveness of key financial reporting controls.

STAGE V: IMPLEMENTATION OF PROJECT INITIATIVES, AS PLANNED Identification of new business

needs and implementation of new projects is a regular feature of businesses. Needs for identification and
implementation of new projects may arise, among other things, due to any of the following:
Change in processes
Automation
New product and process development
Development or implementation of new IT solution
Changes in internal control structure
Once needs for new projects are identified, they should go through a formal documented process for approval prior
to implementation. The documented procedures for approval and implementation of projects should clearly describe
the following:
Roles and responsibilities of project identifiers
Approving authority
Procedures and protocols for implementation
Procedures for taking sign-off from user departments
Post implementation reviews
Quality assurance

STAGE VI: QUALITY ASSURANCE / VALIDATION ON THE INITIATIVES COMPLETED

Initiatives regarding upgradation of processes and controls are taken after the change requests raised by the user
departments have been reviewed and approved by ICFRD and process owners possessing the relevant expertise.
Overview of work performed by the management
ICFRD visits different departments and discusses the process related controls and gaps with process owners. ICFRD
collects and evaluates evidences regarding implementation of new processes and upgradation of processes and
controls. After implementation of new controls and / or processes, ICFRD and Internal Audit function update their
testing criteria and validate the newly implemented controls. In case of subsequent identification, if any, of design
gaps by Internal Audit function, recommendations are submitted to ICFRD for review and upgradation, if necessary.
RIAZ AHMAD AND COMPANY Chartered Accountants ILYAS SAEED & COMPANY Chartered Accountants
Internal Control Over Financial Reporting (ICFR) For the year ended 31 December 2014 20

STAGE VII: CONDUCT OF MANAGEMENT TESTING OF KEY CONTROLS AND REPORTING OF

RESULTS
Overview of work performed by the management
Management has established the Internal Control on Financial Reporting Department to conduct testing of key
controls. User departments, after testing of key controls, send information to Internal Control on Financial Reporting
Department. ICFRD reviews the information on random basis. Each control issue raised via self-assessment is
tracked and monitored for remediation and closure by branch compliance officers (BCO). BCOs have been
appointed in 37 selected branches to ensure compliance; they forward their reports on the prescribed formats to
Head Office compliance department for review. Branch compliance officers review branch operations on prescribed
sheets and point out exceptions to branch managers (BM) on daily basis for immediate rectification. Outstanding
exceptions are consolidated and reported by BCOs at the end of every month.
Procedures carried out by us with respect to this stage
Reviewed that the testing of key controls has been performed by the management in accordance with the
management testing plans. Reviewed whether the extent of testing carried out by the management adequately
supports the managements conclusion on the operating effectiveness of key controls and that it is in line with the
extent identified in the testing plan. Reviewed the appropriateness of the timing of tests of key controls e.g., whether
a key control required to be tested at quarter end has been tested at the quarter end. Reviewed that the control has
been exercised for a reasonable period so that sufficient evidence is available with respect to the performance of the
control and to support conclusions regarding the effectiveness of key control. Independently reviewed the results
obtained from management testing, considering the risk the control was intended to mitigate, nature of exceptions
identified during testing, resolution of exceptions and the process for correcting recurring exceptions. RIAZ
AHMAD AND COMPANY Chartered Accountants ILYAS SAEED & COMPANY Chartered Accountants
Internal Control Over Financial Reporting (ICFR) For the year ended 31 December 2014 21

Reviewed whether the results of tests performed and the related conclusions have been reported to the relevant
authorities in accordance with the testing / reporting framework and appropriate actions taken by such authorities.