Citibank N.A.

- Pakistan Branches

IMPORTS

Risk & Control Evaluation (RCE)

Citibank N.A. - Pakistan Branches Risk and Control Evaluation (RCE) Matrix Trade Finance - Imports TABLE OF CONTENTS S. No. 1 2 Section Objective Definitions 2.1 COSO category 2.2 COSO Component 2.3 Financial Statement Assertions a b c Assertions about classes of transactions and events Assertions about account balances Assertions about presentation and disclosure 2 2 3 3 4 4 Page 1

2.4 Information Processing Objectives 2.5 Key Controls 2.6 Financial Reporting Risk Assessment Criteria 3 Risk and control evaluation matrix 4 5

Citibank N.A. - Pakistan Branches Risk and Control Evaluation (RCE) Matrix - Introduction Trade Finance - Imports 1. Objective

The objective of risk and control evaluation is to identify the design deficiencies within the internal controls established by the management over the business processes. A design deficiency exists when either a necessary control is missing or an existing control is not properly designed so that even when the control is operating as designed the control objective is not always met. This document is prepared based on the understanding of the process (as documented in process flow charts) and risk and control workshop conducted with the process owners. Management will update its evaluation of internal controls by identifying significant risks and changes in internal controls both at entity level and process / activity level.

Page 1 of 8

Citibank N.A. - Pakistan Branches Risk and Control Evaluation (RCE) Matrix - Introduction Trade Finance - Imports

2.

Definitions 2.1 COSO Category Operational Financial reporting Compliance To ensure effectiveness and efficiency of operations. To ensure reliability, completeness and timeliness of financial and management information. To ensure compliance with policies, procedures, regulations and laws.

2.2 COSO Component Control Environment The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entitys people; managements philosophy and operating style; the way the management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the Board of Directors. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are needed to identify and deal with the special risks associated with change. Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entitys objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Risk Assessment

Control Activities

Page 2 of 8

Citibank N.A. - Pakistan Branches Risk and Control Evaluation (RCE) Matrix - Introduction Trade Finance - Imports Information and Communication Pertinent information must be identified, captured and communicated in a form and timeframe that enables people to carry out their responsibilities. Information systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business. They deal not only with internally generated data, but also information about external events, activities and conditions necessary to informed business decision-making and external reporting. Effective communication also must occur in a broader sense, flowing down, across and up the organization. Internal control systems need to be monitored a process that assesses the quality of the systems performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties.

Monitoring

2.3 Financial statement assertions i) Assertions about classes of transactions and events Occurrence Completeness Accuracy Cut off Classification Transactions and events that have been recorded have occurred and pertain to the entity. Transactions and events that should have been recorded have been recorded. Amounts and other data relating to recorded transactions and events have been recorded appropriately. Transactions and events have been recorded in the correct accounting period. Transactions and events have been recorded in the proper accounts.

Page 3 of 8

Citibank N.A. - Pakistan Branches Risk and Control Evaluation (RCE) Matrix - Introduction Trade Finance - Imports

ii)

Assertions about account balances Existence Rights and Obligations Completeness Valuation and Allocation Assets, liabilities, and equity interests exist. The entity holds or controls the rights to assets, and liabilities are the obligations of the entity. All assets, liabilities and equity interests that should have been recorded have been recorded. Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts and any

iii) Assertions about presentation and disclosure Occurrence and Rights and Obligations Completeness Classification and Understandability Accuracy and Valuation Disclosed events, transactions, and other matters have occurred and pertain to the entity.

All disclosures that should have been included in the financial statements have been included. Financial information is appropriately presented and described, and disclosures are clearly expressed.

Financial and other information are disclosed fairly and at appropriate amounts.

2.4 Information Processing Objectives Completeness Accuracy Validity Restricted Access All transactions that occur are entered and accepted for processing once and only once. Transactions are recorded at the correct amount in the appropriate account and proper period. Only authorized transactions that actually occurred and are related to the organization are recorded. Data is protected against unauthorized amendments and access to confidential data and physical assets is appropriately restricted to authorized personnel.

Page 4 of 8

Citibank N.A. - Pakistan Branches Risk and Control Evaluation (RCE) Matrix - Introduction Trade Finance - Imports 2.5 Key Controls Key controls are the ones on which management intends to base its assertion. The choice of the controls to test depends on the evaluation of:

i) ii)

Whether the controls to be relied on are likely to be effective in supporting the related financial statement assertion, and Whether the controls can be tested more effectively and efficiently than the other controls.

Page 5 of 8

Citibank N.A. - Pakistan Branches Financial Reporting Risk Assessment Criteria Trade Finance - Imports
2 - Probability of the event occuring Highly Likely / Chances of occurance are high High Moderate High High

Occasional / Chances of occurance are less than Moderate high

Low

Moderate

High

Unlikely / Chances of occurance are very low Low Low Low Moderate

Impact of the event occuring

Financial Single Event

Low Moderate Adverse impact on actual revenues or actual Adverse impact on actual revenues or actual costs of < PKR 2.9 million costs of PKR 2.9 million - PKR 29 million External audit raises some isolated findings External audit management letter contains significant issues

High Adverse impact on actual revenues or actual costs PKR 29 million. External audit qualification on the report and accounts

N/A = Not Applicaple as not a Financial Reporting Risk

CITIBANK N.A. - PAKISTAN BRANCH RISK AND CONTROL EVALUATION (RCE) MATRIX TRADE FINANCE - IMPORTS RISK REF# RISK CONTROL REFERENCE CONTROL DESCRIPTION COSO CATEGORY
CONTROL ENVIRONMENT OPERATIONAL COMPLIANCE FINANCIAL REPORTING

COSO COMPONENT
INFORMATION AND COMMUNICATION RISK ASSESSMENT MONITORING

CONTROL CLASSIFICATION
DETECTION AND CORRECTION PREVENTIVE

CONTROL TYPE
AUTOMATED

CONTROL EVIDENCE

PERFORMED BY
MULTIPLE TIMES A DAY AS AND WHEN REQUIRED

FREQUENCY
FORTNIGHTLY QUARTERLY

FINANCIAL STATEMENT ASSERTIONS

VALUATION AND ALLOCATION COMPLETENESS CLASSIFICATION COMPLETENESS EXISTENCE / OCCURRENCE RIGHTS AND OBLIGATION

INFORMATION PROCESSING
RESTRICTED ACCESS ACCURACY VALIDITY

IMPACT

LIKELIHOOD

RISK ASSESSMENT

KEY CONTROL

ACCURACY

CONTROL ACTIVITIES

ANNUALLY

MONTHLY

CUT-OFF

MANUAL

WEEKLY

DAILY

YES / NO

A.1 LC OPENING / AMENDMENT / CANCELLATION 1 Client may submit an incorrect, incomplete or unauthorised LC application. A.1.1 A.1.2 TSU Processor checks the LC application with supporting documents for completeness and accuracy and runs a standard checklist. TSU Processor refers to Citiservices/RM for rectification in case of discrepency. TSU Supervisor verifies the customer signature on the LC application and after matching, places his initials on the LC application. Once the transaction details have been entered in the system by the TSU Processor, the TSU Supervisor approves the entries in the system after matching the details with the transaction documents. TSU Processor checks for available credit lines in the system and on availability books a Contingent liability. If no credit line is available, the processor will not be allowed to enter the deal in the system. Incase of offering, the offering sheet is referred to RM/SM/CRM through Citiservice. TSU Processor scrutinizes the documents (HS Code is matched for every item) once received from Citiservices for the items mentioned in the LC against banned item list as per Import Policy Order. Bank's system is integrated with the CITIBANK US, which have placed controls for ensuring that transactions are not entered for blacklisted / banned beneficiary. System will restrict such transactions. Compliance Department updates the system on timely basis as required by the current regulatory bodies. Further, TSU Staff are provided trainings and updates by the Bank, as and when required.

Checklist, "SV" initials on Application

TSU Processor TSU Supervisor

N/A

N/A

N/A

Yes

Fictitious LCs may be opened and entered into the records of the bank.

A.1.4

System Log

TSU Processor TSU Supervisor

High

Low

Moderate

Yes

The customer may not have an approved LC line or his LC line may be exhausted. OR LC may be issued / enhanced in excess of customer's available limit. Goods to be imported under L/C may be on the banned item list as per Import Policy Order.

A.1.3

Availment Ticket

TSU Processor

High

Low

Moderate

Yes

A.1.2

R R R

R R

R R

R R

Checklist signed off by processor

TSU Processor

R R

N/A

N/A

N/A

No

Beneficiary may be blacklisted from doing export business as per ICC requirements.

GENERAL

System Based

N/A

N/A

N/A

Yes

Existing import policy and customs tariff may not be complied with. OR Notification issued by SBP from time to time with respect to LCs are overlooked or not disseminated to all concerned persons / departments. Different LCs may be opened with the same number. Transaction details entered in the system may be incomplete or incorrect or may not be entered at all.

GENERAL

System Based

N/A

N/A

N/A

Yes

A.1.4

A.1.4

A unique LC number is generated by the system after it has been authorised by the TSU Supervisor. The same number then cannot be allocated to another L/C. Supervisor reviews and approves the entries on the system and swift is relayed to the exports bank through the system and sends the relayed copy to CitiServices department. Supervisor then signs the checklist prepared by Processor. Supervisor reviews and approves the entries on the system and swift is relayed to the exports bank through the system and sends the relayed copy to CitiServices department. Supervisor then signs the checklist prepared by Processor. Supervisor reviews and approves the entries on the system and swift is relayed to the exports bank through the system and sends the relayed copy to CitiServices department. Supervisor then signs the checklist prepared by Processor. System automatically computes the income / charges related to issuance or amendment of LC. On a monthly basis, the Outstanding LC report is generated from the system to monitor LC that have expired. System automatically reverse the contingent liability under LC after 30 buffer days. Where client requests to cancel LC, processor intimates to beneficiarys bank for the same and obtains beneficiarys consent. Where beneficiary declines to give his consent, LC shall not be cancelled. TSU Processor deducts the LC cancellation charges from the clients account and supervisor approves it, and the same is intimated to the client. System automatically computes the cancellation charges. TSU Supervisor receives the request letter and verifies the signatures of client. TSU Processor files and / or scans relevant documents before storing in fire-proof cabinet. TSU Head / TSU Supervisor ensures that trade transaction shall be completed within defined and approved Turn Around Time (TAT). TSU Processor scrutinizes the documents and runs a standard checklist and matches with the LC Terms for any discrepancy. The checklist is then signed off by the Processor and the Supervisor as evidence of review. Foreign Bill stamp (amounting 0.2% of BE amount) is affixed on BE as per the Stamp Act. TSU Supervisor ensures that foreign Bill Stamp is affixed on BE. Processor obtains bill of exchange (BOE)from client for acceptance of LC Usance / Contract on DA basis. Signature on BOE is verified by the processor. TSU Supervisor approves and signs the acceptance memo in which maturity details have been calculated by the TSU Processor. TSU Supervisor matches the transaction details entered in the system with the transaction documents and approves the entries in the system after the details have been entered in the system by TSU Processor. CitiService receives acknowledged acceptance memo from client and forwards it to TSU Supervisor who then verifies the signature of the client. Acknowledgement is obtained from the customer on the LC file at the time of handing over of the endorsed bill of lading / airway bill by Citiservice. Log is maintained at TSU for handing over to Citiservice for document delivery. Fees and other charges calculated by the system are authorized by TSU Supervisor in the system, after details are entered by the TSU Processor. On the basis of acceptance memo, TSU Processor booked CLFA entry in the system (i.e. contingent liability changed to an absolute liability) and TSU Supervisor reviews and authorizes the transaction. TSU Processor files and / or scans relevant documents before storing in fire-proof cabinet. TSU Processor checks maturity report on daily basis for upcoming maturities and intimates the same to client for payment. TSU Processor runs a standard checklist for scrutinizing the documents received under LC Sight and signs it off. In case of any discrepancy found in shipping documents under LC Usance, the same is intimated to the beneficiarys bank within five working days from the receipt of shipping documents Acknowledgement is obtained from the customer on the LC file at the time of handing over of the endorsed bill of lading / airway bill by Citiservices. Log is maintained at TSU for handing over to Citiservices for document delivery. TSU Supervisor reviews and approves the entries in the system after details have been entered by TSU Processor.

R R R

R R

R R R

System generated LC Number

System Based

R R R R R R R

R R R

R R R

N/A

N/A

N/A

No

System Log

TSU Supervisor

High

Low

Moderate

Yes

The terms and conditions of LC opened / amended may be different from the LC application / amendment request.

A.1.4

System Log

TSU Supervisor

N/A

N/A

N/A

Yes

10

LC commission and other charges may be incorrectly calculated and recorded on the LC file and LC application. OR charges may not be deducted on timely basis.

A.1.4

System Log, Schedule of Charges

System Based TSU Supervisor

High

Low

Moderate

Yes

11

LC may not be monitored for expiry.

A.1A.3 A.1A.4

R R

R R

R R

R R

Outstanding LC Report, System Log

System Based

R R

High

Low

Moderate

Yes

12

Due diligence may not be placed while cancelling LC. System may not be updated on timely basis for the cancellation transaction. OR System may be updated with the incorrect details / amount for cancellation. LC cancellation may not be authorized by the customer. Documents may not be filed / maintained appropriately. Customer application may not be processed in a timely manner which may result in loss of business.

A.1A.2

LC cancellation Request, Beneficiary's consent

TSU Processor

N/A

N/A

N/A

No

13

A.1A.4

R R R R

R R R R

R R R R

R R R R

System Log, Schedule of Charges

System Based TSU Supervisor

R R R R

Moderate

Low

Low

Yes

14 15 16

A.1A.1 A.1.5 A.1A.5 GENERAL

"SV" initials on Application LC File Documented Turn Around Time (TAT)

TSU Supervisor TSU Processor TSU Head / TSU Supervisor

N/A N/A N/A

N/A N/A N/A

N/A N/A N/A

Yes No No

A.2 LC USANCE / CONTRACT ON D.A. BASIS - ACCEPTANCE LC documents received from the negotiating bank may not agree with the terms of the LC. Foreign bill stamp may not be affixed on the bills of exchange at all or an incorrect foreign bill stamp may be affixed. Fictious / Fraudulent acceptance may be provided by the client. Maturity details may be incorrectly determined and documented Fictitious acceptances may be entered into the System. Acceptance may be intimated to the negotiating bank without customer acceptance. Dispute with the customer may arise regarding the receipt of shipping documents. Acceptance fee and other charges may be incorrectly calculated or may not be posted into the system at all or on a timely basis. Contingent liability under LC may not be reversed after acceptance or acceptance may not be posted into system or posted incorrectly.

A.2.1

R R R R R R R R R R R R R

R R R R R R R R R R R R

R R R R R R R R R R R

R R R R R R R R R R R R R

Checklist signed off

TSU Processor

R R R R R R R R R R R R R R R R R R R R R R R R R R R R R R R R R R R

N/A

N/A

N/A

Yes

A.2.5

FB Stamp Affixed on BE

TSU Supervisor

N/A

N/A

N/A

Yes

A.2.1 A.2.2 A.2.3

"SV" initials on BE Acceptance Memo approved by Supervisor

TSU Processor

N/A

N/A

N/A

No

TSU Supervisor

N/A

N/A

N/A

Yes

A.2.5

System Log

TSU Supervisor

High

Moderate

High

Yes

A.2.4

"SV" initials on Acceptance Memo Customer acknowledgement in L/C file. System Log, Schedule of charges

CitiServices TSU Supervisor CitiServices TSU Processor System Based TSU Supervisor

N/A

N/A

N/A

No

A.2.6

N/A

N/A

N/A

No

A.2.5

Moderate

Moderate

Moderate

Yes

A.2.5

System Log

TSU Supervisor

High

Low

Moderate

Yes

Documents may not be filed / maintained A.2.7 appropriately. A.3 IMPORT LC / CONTRACT / ADVANCE - PAYMENT AND RETIREMENT 10 1 Payment may not be made upon maturity for LC Usance. A.3.2

Import Files

TSU Processor

N/A

N/A

N/A

No

System Maturity Report

TSU Processor

High

Low

Moderate

Yes

LC documents received from the negotiating bank may not agree with the terms of the LC Sight.

A.3.1

Checklist signed off by TSU Processor

TSU Processor

N/A

N/A

N/A

Yes

Dispute with the customer may arise regarding the receipt of shipping documents. Contingent liability under LC may not be reversed upon payment to beneficiary's bank.

A.3.6

R R R

R R

R R

R R R

Acknowledgement of Customer, Log maintained at Citiservices System Log

CitiServices TSU Processor

R R R R R R R R R

N/A

N/A

N/A

No

A.3.5

TSU Supervisor

High

Low

Moderate

Yes

Page 5 of 10

CITIBANK N.A. - PAKISTAN BRANCH RISK AND CONTROL EVALUATION (RCE) MATRIX TRADE FINANCE - IMPORTS RISK REF# RISK CONTROL REFERENCE CONTROL DESCRIPTION COSO CATEGORY
CONTROL ENVIRONMENT OPERATIONAL COMPLIANCE FINANCIAL REPORTING

COSO COMPONENT
INFORMATION AND COMMUNICATION RISK ASSESSMENT MONITORING

CONTROL CLASSIFICATION
DETECTION AND CORRECTION PREVENTIVE

CONTROL TYPE
AUTOMATED

CONTROL EVIDENCE

PERFORMED BY
MULTIPLE TIMES A DAY AS AND WHEN REQUIRED

FREQUENCY
FORTNIGHTLY QUARTERLY

FINANCIAL STATEMENT ASSERTIONS

VALUATION AND ALLOCATION COMPLETENESS CLASSIFICATION COMPLETENESS EXISTENCE / OCCURRENCE RIGHTS AND OBLIGATION

INFORMATION PROCESSING
RESTRICTED ACCESS ACCURACY VALIDITY

IMPACT

LIKELIHOOD

RISK ASSESSMENT

KEY CONTROL

ACCURACY

CONTROL ACTIVITIES

ANNUALLY

MONTHLY

CUT-OFF

MANUAL

WEEKLY

DAILY

YES / NO

Payment amount, relevant income and charges may not be deducted, or may be deducted incorrectly.

A.3.5 A.3A.2

Fees and other charges are calculated by the system upon entering of transaction details and are then authorized by TSU Supervisor in the system. On the basis of Deal Slip as received from treasury, TSU Processor enters the FX rate and debits the payment amount from the customer's account, and TSU Supervisor reviews and authorizes the transaction. System generates the bill once the documents are scanned and saved on the system, therefore the bill cannot be raised twice. TSU Processor prepares an acceptance memo highlighting the discrepancy which is then reviewed by the TSU Supervisor. CitiServices receives acknowledged acceptance memo from client and forwards it to TSU Supervisor who then verifies the signature of the client. TSU Processor files and / or scans relevant documents before storing in fire-proof cabinet. TSU Supervisor receives the request letter and verifies the signatures of client. TSU Supervisor receives the request letter and verifies the signatures of client. TSU Processor checks in the system for available credit lines. Where limit lines are not available, the system will not allow the transaction to be entered. In this case the TSU Processor contacts the RM for further processing. TSU Supervisor reviews the shipping guarantee after it is prepared by the the TSU Processor and it is then signed by two authorized signatories.

System Log, Schedule of Charges

TSU Processor TSU Supervisor

High

Low

Moderate

Yes

The negotiating bank may be remitted twice.

A.3.5

System Restriction

System Based

High

Low

Moderate

Yes

Discrepant document may be processed for payment without client's consent.

A.3.3 A.3.4

R R R R R R

R R R R R R

R R R R R R

R R R R R R

Acceptance Memo signed by customer and "SV" initials on it

CitiServices TSU Processor TSU Supervisor

R R R R R R

N/A

N/A

N/A

No

Documents may not be 8 appropriately. A.4 SHIPPING GUARANTEE 1 2

filed

/ maintained

A.3.7 A.3A.3

Import Files

TSU Processor

N/A

N/A

N/A

No

Unauthorized application / request may be provided for issuance of shipping guarantee. Fictious or Fraudulent documents may be provided for issuance of shipping guarantee. Shipping guarantee is processed for a customer whose approved credit line does not include this facility. OR Shipping guarantee may be issued beyond limit exposure. Unauthorized shipping guarantee may be issued. Incorrect or unathorized entries may be posted in the system. OR Fictitious Shipping Guarantees may be opened and entered into the records of the bank Shipping Guarantee may be issued without obtaining appropriate margin from the customer as required by applicable import related regulations/notifications from time to time. Different Shipping Guarantees may be opened with the same number or Shipping Guarantee does not have a unique sequential serial number. Shipping Guarantee may be issued but not recorded in the system at all or on a timely basis. Shipping Guarantee may be endorsed in the name of an unauthorized shipping company

A.4.1 A.4.1

"SV" initials on request Letter "SV" initials on request Letter

TSU Supervisor TSU Supervisor

N/A N/A

N/A N/A

N/A N/A

No No

A.4.2

System Limit

System Based TSU Processor

N/A

N/A

N/A

Yes

A.4.3

Authorized Signatories and stamp

TSU Supervisor Authorized Signatories

N/A

N/A

N/A

Yes

A.4.3 A.4.4

TSU Supervisor reviews and approves the entries in the system for issuance of shipping guarantee.

System Log

TSU Supervisor

High

Low

Moderate

Yes

A.4.3

TSU Processor recovers 100% cash margin (in case of LC Sight) or obtains Trust Receipt (in case of Usance LC) from client and records the entry in the system. TSU Supervisor reviews and approves the transaction in the system. System automatically generates the transaction number, once details entered by TSU Processor. TSU Supervisor reviews and approves the entries in the system for issuance of shipping guarantee. TSU Supervisor reviews the shipping guarantee after it is prepared by the the TSU Processor and it is then signed by two authorized signatories. TSU Processor cancels the shipping guarantee document by marking cancelled on the original guarantee text and passes the entries in the system for reversal. TSU Supervisor reviews and approves the entries in the system. TSU Processor files and / or scans relevant documents before storing in fire-proof cabinet.

Transaction Sheet, System Log

TSU Supervisor

Moderate

Low

Low

Yes

A.4.2A

R R R R R

R R R R R

R R R R R R R R R

Transaction Sheet

System Based

R R R R R R R R R R R R R R R

R R

R R R

N/A

N/A

N/A

Yes

A.4.3

Transaction Sheet, System Log Authorized Signatories and stamp

TSU Supervisor TSU Supervisor Authorized Signatories

Moderate

Low

Low

Yes

A.4.3

N/A

N/A

N/A

Yes

10

Shipping guarantee may be retired reversing margin and contingent liability. Documents may not be appropriately. filed

without

A.4.5

Transaction Sheet, System Log

TSU Processor TSU Supervisor

Moderate

Low

Low

Yes

11

/ maintained

A.4.5

Import Files

TSU Processor

N/A

N/A

N/A

No

N/A = Not Applicaple as not a Financial Reporting Risk

Page 6 of 10