Praveen Capstone


CAPSTONE PROJECT REPORT

ON

A STUDY ON INTERNAL CONTROL SYSTEM IN INDIAN BANKING SECTOR

SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENT
FOR THE AWARD OF THE POST GRADUATE DIPLOMA IN MANAGEMENT

BY

S.PRAVEENKUMAR

REGISTRATION NO : PGDM16187009

SPECIALIZATION : FINANCE

UNDER THE GUIDANCE OF

PROF.DR.V.RAMASUBRAMANIAN

INSTITUTE FOR TECHNOLOGY AND MANAGEMENT


SIPCOT IT PARK, SIRUSERI, CHENNAI – 603 103

Submission Date: 16/04/2018


CERTIFICATE FROM THE GUIDE:

This is to certify that the Project Work titled ‘A Study on internal control system in Indian
banking sector’ is a bonafide work carried out by S. Praveen Kumar, a student of PGDM
program 2016 – 2018 of the ITM Business School, SIPCOT IT Park, Siruseri, Chennai, under
my guidance and direction.

Signature of Guide:

Name: Prof.Dr.V.Ramasubramanian Date: 16.04.2018

Designation: Professor Place: Chennai

ACKNOWLEDGEMENTS

First and foremost I would like to take this opportunity to record my sincere thanks to our
Director, Dr.Prasanna Sivanandam, who has always been a source of inspiration in all my
endeavours.

I would like to offer my sincere gratitude to my project guide,
Prof.Dr.V.Ramasubramanian, whose guidance, inspiration and encouragement have enabled
me to pursue and complete my project.

Last but not least, I thank all my family members for their support and God for showering
his blessings in completing the project successfully.

Date: 16/04/2018 Name of the student: PRAVEENKUMAR S

Place: Chennai

TABLE OF CONTENTS

1. Introduction about Indian Banking Sector

Market size of the Indian Banking sector

2. Introduction on Basel Committee

3. Principles for the Assessment of Internal Control Systems

A. Management oversight and the control culture

1. Board of directors
2. Senior management
3. Control culture

B. Risk Recognition and Assessment

C. Control Activities and Segregation of Duties

D. Information and communication

E. Monitoring Activities and Correcting Deficiencies

4. Evaluation of internal control systems by supervisory authorities

5. Roles and Responsibilities of External Auditors

Literature Review

Many studies emphasize the necessity and importance of an internal control
system in banking. An insufficient internal control system often causes an inability
to detect fraudulent activities and a decrease in the performance of the bank (Adeyemi et al.
2011).

Credit risk management in Banks in India, Risk management, Banks, Management -
Department of Management Studies - Dr. Ramasubramanian, V - 2014

The Basel Committee, (Basel 1998) along with banking supervisors throughout the world, has
focused increasingly on the importance of sound internal controls. Internal control is a process
effected by the board of directors, senior management and all levels of employees. It is not
solely a procedure or policy that is performed at a certain point in time, but rather it is
continually operating at all levels within the bank. The board of directors and senior
management are responsible for establishing the appropriate culture to facilitate an effective
internal control process and for monitoring its effectiveness on an ongoing basis; however,
each individual within a corporation must participate in the process.

Socol (Socol 2011) mentioned that the administration board and executive management
promote high standards of ethics and integrity and establish an institutional culture highlighting
and demonstrating the importance of internal control on all organizational levels. All
employees of the bank must be aware of the role they have in the internal control system and
must be actively involved in this process. The internal control system should
always be kept under control and supervision, since people tend to think about their own interests
more than the interests of the corporation. If there is a failure in the financial accounting
system of a corporation, a decrease in assets and an increase in abuses will inevitably take
place in the absence of an effective internal control system (Yayla 2006, p. 112).

Karagiorgos, Drogalas and Dimou (Karagiorgos et al. 2011) find a number of interactions
between components of internal control system and effectiveness of internal auditing within
Greek Banks.

Olatunji (Olatunji, 2009) examined the impact of internal control system in banking sector and
according to the findings the lack of an effective internal control system is the major cause of
bank frauds in Nigeria. It is then concluded that the management of every bank should create
and establish a standard internal control system, strong enough to stand against the wiles of
fraud in order to promote continuity of operations and to ensure the liquidity, solvency and
going concern concept of the bank. Amudo and Inanga (Amudo et al. 2009) identify the
following six essential components of an effective internal control system in their study: control
environment, risk assessment, control activities, information and communications, monitoring,
and information technology. The study finds that measuring the effectiveness of
internal control is concerned with the existence and
functioning of the six major control components identified by the model.

In both developed and developing countries, the internal control system is one of the vital
components, perhaps the most prominent one, of a bank’s structure in the modern banking
system, because effective and efficient performance of the system indicates that the bank operates as desired.
Consequently, investors and other customers in the market will prefer to use the services of
that bank since they will have confidence and peace of mind about the bank’s financial stability
(Yavuz, 2002).

Synopsis of the Project

Internal control is a system structured within the corporation whose goal is to raise
efficiency and effectiveness of activities. The system assures the conformity of
activities with laws and regulations and improves the reliability of financial
reporting. An internal control system is of vital importance for the institution to attain
its ultimate objectives. It allows banks to foresee potential
problems which may cause financial losses and thereby prevent or minimize any
future losses. Research on the causes of bank failures has mainly concluded that an
efficient and effective internal control system might prevent financial cost.

An internal control system can be generally defined as a system which has the features of
maintaining the assets of a company, ensuring accuracy and reliability of information
and reports related to accounting and other operations, and increasing the effectiveness
of the operations.

Additionally, the system also covers all assessments and methods that are adopted in
order to detect the suitability of operations in accordance with policies determined by
management, implementing a chart of accounts and reporting system, specifying the
duties, authority and responsibilities, and organization plan of the corporation (Cook et
al. 1980, p.198). In other words, an internal control system, which is created by
management and implemented by management and employees, is a process
designed to provide reasonable assurance of achieving pre-specified objectives
(Doyrangöl, 2002). According to the definition by COSO in 1992, an internal control
system is defined as a set of methods, designed and controlled by senior management
and the board of directors to provide a limited assurance regarding reliability of financial
reporting, effectiveness and efficiency of operations and their compliance with laws and
regulations (Aksoy, 2007). The COSO definition and the model covering all
components of the internal control system serve as guidance for other regulations throughout
the world.

Introduction about Indian banking Sector

The banking sector is the lifeline of any modern economy. It is one of the important
financial pillars of the financial sector, which plays a vital role in the functioning of an
economy. It is very important for economic development of a country that its financing
requirements of trade, industry and agriculture are met with higher degree of
commitment and responsibility. Thus, the development of a country is integrally linked
with the development of banking. In a modern economy, banks are to be considered not
as dealers in money but as the leaders of development. They play an important role in
the mobilization of deposits and disbursement of credit to various sectors of the
economy. The banking system reflects the economic health of the country. The strength
of an economy depends on the strength and efficiency of the financial system, which in
turn depends on a sound and solvent banking system. A sound banking system
efficiently mobilizes savings in productive sectors and a solvent banking system
ensures that the bank is capable of meeting its obligation to the depositors. In India,
banks are playing a crucial role in socio-economic progress of the country after
independence. The banking sector is dominant in India as it accounts for more than half
the assets of the financial sector. Indian banks have been going through a fascinating
phase through rapid changes brought about by financial sector reforms, which are being
implemented in a phased manner. The current process of transformation should be
viewed as an opportunity to convert Indian banking into a sound, strong and vibrant
system capable of playing its role efficiently and effectively on their own without
imposing any burden on government. After the liberalization of the Indian economy,
the Government announced a number of reform measures on the basis of the
recommendations of the Narasimham Committee to make the banking sector
economically viable and competitively strong. The current global crisis that hit every
country raised various issues regarding the efficiency and solvency of the banking system
for policy makers. Now that the crisis is almost over, the Government of India (GOI)
and the Reserve Bank of India (RBI) are trying to draw some lessons. RBI is making
necessary changes in its policy to ensure price stability in the economy. The main
objective of these changes is to increase the efficiency of the banking system as a whole as
well as of individual institutions. So, it is necessary to measure the efficiency of Indian
Banks so that corrective steps can be taken to improve the health of the banking system.

Market Size

• The Indian banking system consists of 19 public sector banks, 26 private sector
banks, 46 foreign banks, 56 regional rural banks, 1,574 urban cooperative banks
and 93,913 rural cooperative banks, in addition to cooperative credit institutions.
Public-sector banks control more than 70 per cent of the banking system assets,
thereby leaving a comparatively smaller share for its private peers. Banks are also
encouraging their customers to manage their finances using mobile phones.
• As the Reserve Bank of India (RBI) allows more features such as unlimited fund
transfers between wallets and bank accounts, mobile wallets are expected to
become strong players in the financial ecosystem.
• The unorganised retail sector in India has huge untapped potential for adopting
digital mode of payments, as 63 per cent of the retailers are interested in using
digital payments like mobile and card payments, as per a report by Centre for
Digital Financial Inclusion (CDFI).

ICRA estimates that credit growth in India’s banking sector would be at 7-8 per cent
in FY 2017-18.

Introduction on Basel Committee

As part of its on-going efforts to address bank supervisory issues and enhance
supervision through guidance that encourages sound risk management practices, the
Basle Committee on Banking Supervision is issuing this framework for the evaluation
of internal control systems. A system of effective internal controls is a critical
component of bank management and a foundation for the safe and sound operation of
banking organisations. A system of strong internal controls can help to ensure that the
goals and objectives of a banking organisation will be met, that the bank will achieve
long-term profitability targets, and maintain reliable financial and managerial reporting.
Such a system can also help to ensure that the bank will comply with laws and
regulations as well as policies, plans, internal rules and procedures, and decrease the
risk of unexpected losses or damage to the bank’s reputation. The paper describes the
essential elements of a sound internal control system, drawing upon experience in
member countries and principles established in earlier publications by the Committee.
The objective of the paper is to outline a number of principles for use by supervisory
authorities when evaluating banks’ internal control systems.

Basel Committee Auditing Process

The Basle Committee, along with banking supervisors throughout the world, has
focused increasingly on the importance of sound internal controls. This heightened
interest in internal controls is, in part, a result of significant losses incurred by several
banking organisations. An analysis of the problems related to these losses indicates that
they could probably have been avoided had the banks maintained effective internal
control systems. Such systems would have prevented or enabled earlier detection of the
problems that led to the losses, thereby limiting damage to the banking organisation. In
developing these principles, the Committee has drawn on lessons learned from problem
bank situations in individual member countries.

These principles are intended to be of general application and supervisory authorities
should use them in assessing their own supervisory methods and procedures for
monitoring how banks structure their internal control systems. While the exact approach
chosen by individual supervisors will depend upon a host of factors, including their
on-site and off-site supervisory techniques and the degree to which external auditors are
also used in the supervisory function, all members of the Basle Committee agree that
the principles set out in this paper should be used in evaluating a bank’s internal control
system.

The Basle Committee is distributing this paper to supervisory authorities worldwide in
the belief that the principles presented will provide a useful framework for the effective
supervision of internal control systems. More generally, the Committee wishes to
emphasise that sound internal controls are essential to the prudent operation of banks
and to promoting stability in the financial system as a whole. While the Committee
recognises that not all institutions may have implemented all aspects of this framework,
banks are working towards adoption.

The guidance previously issued by the Basle Committee typically included discussions
of internal controls affecting specific areas of bank activities, such as interest rate risk,
and trading and derivatives activities. In contrast, this guidance presents a framework
that the Basle Committee encourages supervisors to use in evaluating the internal
controls over all on- and off-balance sheet activities of banks and consolidated banking
organisations. The guidance does not focus on specific areas or activities within a
banking organisation. The exact application depends on the nature, complexity and risks
of the bank’s activities.

The Committee provides background information in Section I, sets out the objectives
and role of an internal control framework in Section II, and stipulates in Sections III and
IV of the paper thirteen principles for banking supervisory authorities to apply in
assessing banks’ internal control systems. In addition, Appendix I lists reference
materials and Appendix II provides supervisory lessons learned from past internal
control failures.

Principles for the Assessment of Internal Control Systems

[Figure: Principles for the Assessment of Internal Control Systems. Internal Control of Banks, surrounded by Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring]

1. Management oversight and the control culture

Principle 1: The board of directors should have responsibility for approving and
periodically reviewing the overall business strategies and significant policies of the
bank; understanding the major risks run by the bank, setting acceptable levels for these
risks and ensuring that senior management takes the steps necessary to identify,
measure, monitor and control these risks; approving the organisational structure; and
ensuring that senior management is monitoring the effectiveness of the internal control
system. The board of directors is ultimately responsible for ensuring that an adequate
and effective system of internal controls is established and maintained.

Principle 2: Senior management should have responsibility for implementing strategies
and policies approved by the board; developing processes that identify, measure,
monitor and control risks incurred by the bank; maintaining an organisational structure
that clearly assigns responsibility, authority and reporting relationships; ensuring that
delegated responsibilities are effectively carried out; setting appropriate internal control
policies; and monitoring the adequacy and effectiveness of the internal control system.

Principle 3: The board of directors and senior management are responsible for
promoting high ethical and integrity standards, and for establishing a culture within the
organisation that emphasises and demonstrates to all levels of personnel the importance
of internal controls. All personnel at a banking organisation need to understand their
role in the internal controls process and be fully engaged in the process.

2. Risk Recognition and Assessment

Principle 4: An effective internal control system requires that the material risks that
could adversely affect the achievement of the bank’s goals are being recognised and
continually assessed. This assessment should cover all risks facing the bank and the
consolidated banking organisation (that is, credit risk, country and transfer risk, market
risk, interest rate risk, liquidity risk, operational risk, legal risk and reputational risk).
Internal controls may need to be revised to appropriately address any new or previously
uncontrolled risks.

3. Control Activities and Segregation of Duties

Principle 5: Control activities should be an integral part of the daily activities of a bank.
An effective internal control system requires that an appropriate control structure is set
up, with control activities defined at every business level. These should include: top
level reviews; appropriate activity controls for different departments or divisions;
physical controls; checking for compliance with exposure limits and follow-up on non-
compliance; a system of approvals and authorisations; and, a system of verification and
reconciliation.

Principle 6: An effective internal control system requires that there is appropriate
segregation of duties and that personnel are not assigned conflicting responsibilities.
Areas of potential conflicts of interest should be identified, minimised, and subject to
careful, independent monitoring.

4. Information and communication

Principle 7: An effective internal control system requires that there are adequate and
comprehensive internal financial, operational and compliance data, as well as external
market information about events and conditions that are relevant to decision making.
Information should be reliable, timely, accessible, and provided in a consistent format.

Principle 8: An effective internal control system requires that there are reliable
information systems in place that cover all significant activities of the bank. These
systems, including those that hold and use data in an electronic form, must be secure,
monitored independently and supported by adequate contingency arrangements.

Principle 9: An effective internal control system requires effective channels of
communication to ensure that all staff fully understand and adhere to policies and
procedures affecting their duties and responsibilities and that other relevant information
is reaching the appropriate personnel.

5. Monitoring Activities and Correcting Deficiencies

Principle 10: The overall effectiveness of the bank’s internal controls should be
monitored on an ongoing basis. Monitoring of key risks should be part of the daily
activities of the bank as well as periodic evaluations by the business lines and internal
audit.

Principle 11: There should be an effective and comprehensive internal audit of the
internal control system carried out by operationally independent, appropriately trained
and competent staff. The internal audit function, as part of the monitoring of the system
of internal controls, should report directly to the board of directors or its audit
committee, and to senior management.

Principle 12: Internal control deficiencies, whether identified by business line, internal
audit, or other control personnel, should be reported in a timely manner to the
appropriate management level and addressed promptly. Material internal control
deficiencies should be reported to senior management and the board of directors.

Evaluation of Internal Control Systems by Supervisory Authorities

Principle 13: Supervisors should require that all banks, regardless of size, have an
effective system of internal controls that is consistent with the nature, complexity, and
risk inherent in their on- and off-balance-sheet activities and that responds to changes
in the bank’s environment and conditions. In those instances where supervisors
determine that a bank's internal control system is not adequate or effective for that
bank’s specific risk profile (for example, does not cover all of the principles contained
in this document), they should take appropriate action.

Background

The Basle Committee has studied recent banking problems in order to identify the major
sources of internal control deficiencies. The problems identified reinforce the
importance of having bank directors and management, internal and external auditors,
and bank supervisors focus more attention on strengthening internal control systems
and continually evaluating their effectiveness. Several recent cases demonstrate that
inadequate internal controls can lead to significant losses for banks.

The types of control breakdowns typically seen in problem bank cases can be
grouped into five categories:

• Lack of adequate management oversight and accountability, and failure to develop
a strong control culture within the bank. Without exception, cases of major loss
reflect management inattention to, and laxity in, the control culture of the bank,
insufficient guidance and oversight by boards of directors and senior management,
and a lack of clear management accountability through the assignment of roles and
responsibilities. These cases also reflect a lack of appropriate incentives for
management to carry out strong line supervision and maintain a high level of control
consciousness within business areas.

• Inadequate recognition and assessment of the risk of certain banking activities,
whether on- or off-balance sheet. Many banking organisations that have suffered
major losses neglected to recognise and assess the risks of new products and
activities or update their risk assessments when significant changes occurred in the
environment or business conditions. Many recent cases highlight the fact that
control systems that function well for traditional or simple products are unable to
handle more sophisticated or complex products.

• The absence or failure of key control structures and activities, such as segregation
of duties, approvals, verifications, reconciliations, and reviews of operating
performance. Lack of segregation of duties in particular has played a major role in
the significant losses that have occurred at banks.
• Inadequate communication of information between levels of management within
the bank, especially in the upward communication of problems. To be effective,
policies and procedures need to be effectively communicated to all personnel
involved in an activity. Some losses in banks occurred because relevant personnel
were not aware of or did not understand the bank’s policies. In several instances,
information about inappropriate activities that should have been reported upward
through organisational levels was not communicated to the board of directors or
senior management until the problems became severe. In other instances,
information in management reports was not complete or accurate, creating a falsely
favourable impression of a business situation.

• Inadequate or ineffective audit programs and monitoring activities. In many cases,
audits were not sufficiently rigorous to identify and report the control weaknesses
associated with problem banks. In other cases, even though auditors reported
problems, no mechanism was in place to ensure that management corrected the
deficiencies.

The internal control framework underlying this guidance is based on practices currently
in place at many major banks, securities firms, and non-financial companies, and their
auditors. Moreover, this evaluation framework is consistent with the increased emphasis
of banking supervisors on the review of a banking organisation’s risk management and
internal control processes. It is important to emphasise that it is the responsibility of a
bank’s board of directors and senior management to ensure that adequate internal
controls are in place at the bank and to foster an environment where individuals
understand and meet their responsibilities in this area. In turn, it is the responsibility of
banking supervisors to assess the commitment of a bank’s board of directors and
management to the internal control process.

The Objectives and Role of the Internal Control Framework

Internal control is a process effected by the board of directors, senior management
and all levels of personnel. It is not solely a procedure or policy that is performed at a
certain point in time, but rather it is continually operating at all levels within the bank.
The board of directors and senior management are responsible for establishing the
appropriate culture to facilitate an effective internal control process and for monitoring
its effectiveness on an ongoing basis; however, each individual within an organisation
must participate in the process. The main objectives of the internal control process can
be categorised as follows.

1. Efficiency and effectiveness of activities (performance objectives)

Performance objectives for internal controls pertain to the effectiveness and efficiency
of the bank in using its assets and other resources and protecting the bank from
loss. The internal control process seeks to ensure that personnel throughout the
organisation are working to achieve its goals with efficiency and integrity, without
unintended or excessive cost or placing other interests (such as an employee’s, vendor’s
or customer’s interest) before those of the bank.

2. Reliability, completeness and timeliness of financial and management information (information objectives)

Information objectives address the preparation of timely, reliable, relevant reports
needed for decision-making within the banking organisation. They also address the need
for reliable annual accounts, other financial statements and other financial-related
disclosures and reports to shareholders, supervisors, and other external parties. The
information received by management, the board of directors, shareholders and
supervisors should be of sufficient quality and integrity that recipients can rely on the
information in making decisions. The term reliable, as it relates to financial statements,
refers to the preparation of statements that are presented fairly and based on
comprehensive and well-defined accounting principles and rules.

3. Compliance with applicable laws and regulations (compliance objectives)

Compliance objectives ensure that all banking business complies with applicable laws
and regulations, supervisory requirements, and the organisation’s policies and
procedures. This objective must be met in order to protect the bank’s franchise and
reputation.

The Major Elements of an Internal Control Process

The internal control process, which historically has been a mechanism for reducing
instances of fraud, misappropriation and errors, has become more extensive, addressing
all the various risks faced by banking organisations. It is now recognised that a sound
internal control process is critical to a bank’s ability to meet its established goals, and
to maintain its financial viability.

Control Environment

• Integrity and Ethical Values
• Commitment to Competence
• Board of Directors and Audit Committee
• Management’s Philosophy and Operating Style
• Organizational Structure
• Assignment of Authority and Responsibility
• Human Resource Policies and Procedures

Risk Assessment

• Company-wide Objectives
• Process-level Objectives
• Risk Identification and Analysis
• Managing Change

Information and Communication

• Quality of Information
• Effectiveness of Communication

Control Activities

• Policies and Procedures
• Security (Application and Network)
• Application Change Management
• Business Continuity/Backups
• Outsourcing

Monitoring

• Ongoing Monitoring
• Separate Evaluations
• Reporting Deficiencies

Major Elements of an Internal Control Process

Internal control consists of five interrelated elements:

1. Management oversight and the control culture

2. Risk recognition and assessment

3. Control activities and segregation of duties

4. Information and communication

5. Monitoring activities and correcting deficiencies.

The problems observed in recent large losses at banks can be aligned with these five
elements. The effective functioning of these elements is essential to achieving a bank’s
performance, information, and compliance objectives.

A. Management Oversight and the Control Culture

1. Board of directors

Principle 1: The board of directors should have responsibility for approving and
periodically reviewing the overall business strategies and significant policies of the
bank; understanding the major risks run by the bank, setting acceptable levels for
these risks and ensuring that senior management takes the steps necessary to
identify, measure, monitor and control these risks; approving the organisational
structure; and ensuring that senior management is monitoring the effectiveness of
the internal control system. The board of directors is ultimately responsible for
ensuring that an adequate and effective system of internal controls is established and
maintained.

The board of directors provides governance, guidance and oversight to senior
management. It is responsible for approving and reviewing the overall business
strategies and significant policies of the organisation as well as the organisational
structure. The board of directors has the ultimate responsibility for ensuring that an
adequate and effective system of internal controls is established and maintained.
Board members should be objective, capable, and inquisitive, with a knowledge or
expertise of the activities of and risks run by the bank. In those countries where it is
an option, the board should consist of some members who are independent from the
daily management of the bank. A strong, active board, particularly when coupled
with effective upward communication channels and capable financial, legal, and
internal audit functions, provides an important mechanism to ensure the correction
of problems that may diminish the effectiveness of the internal control system.

The board of directors should include in its activities (1) periodic discussions with
management concerning the effectiveness of the internal control system, (2) a timely
review of evaluations of internal controls made by management, internal auditors,
and external auditors, (3) periodic efforts to ensure that management has promptly
followed up on recommendations and concerns expressed by auditors and
supervisory authorities on internal control weaknesses, and (4) a periodic review of
the appropriateness of the bank’s strategy and risk limits.

One option used by banks in many countries is the establishment of an independent
audit committee to assist the board in carrying out its responsibilities. The
establishment of an audit committee allows for detailed examination of information
and reports without the need to take up the time of all directors. The audit committee
is typically responsible for overseeing the financial reporting process and the
internal control system. As part of this responsibility, the audit committee typically
oversees the activities of, and serves as a direct contact for, the bank’s internal audit
department and engages and serves as the primary contact for the external auditors.
In those countries where it is an option, the committee should be composed mainly
or entirely of outside directors (i.e., members of the board that are not employed by
the bank or any of its affiliates) who have knowledge of financial reporting and
internal controls. It should be noted that in no case should the creation of an audit
committee amount to a transfer of duties away from the full board, which alone is
legally empowered to take decisions.

2. Senior management

Principle 2: Senior management should have responsibility for implementing
strategies and policies approved by the board; developing processes that identify,
measure, monitor and control risks incurred by the bank; maintaining an
organisational structure that clearly assigns responsibility, authority and reporting
relationships; ensuring that delegated responsibilities are effectively carried out;
setting appropriate internal control policies; and monitoring the adequacy and
effectiveness of the internal control system.

Senior management is responsible for carrying out the directives of the board of
directors, including the implementation of strategies and policies and the
establishment of an effective system of internal control. Members of senior
management typically delegate responsibility for establishing more specific internal
control policies and procedures to those responsible for a particular business unit.
Delegation is an essential part of management; however, it is important for senior
management to oversee the managers to whom they have delegated these
responsibilities to ensure that they develop and enforce appropriate policies and
procedures.

Compliance with an established internal control system is heavily dependent on a
well-documented and communicated organisational structure that clearly shows
lines of reporting responsibility and authority and provides for effective
communication throughout the organisation. The allocation of duties and
responsibilities should ensure that there are no gaps in reporting lines and that an
effective level of management control is extended to all levels of the bank and its
various activities.

It is important that senior management takes steps to ensure that activities are
conducted by qualified staff with the necessary experience and technical
capabilities. Staff in control functions must be properly remunerated. Staff training
and skills should be regularly updated. Senior management should institute
compensation and promotion policies that reward appropriate behaviours and
minimise incentives for staff to ignore or override internal control mechanisms.

3. Control culture

Principle 3: The board of directors and senior management are responsible for
promoting high ethical and integrity standards, and for establishing a culture within
the organisation that emphasises and demonstrates to all levels of personnel the
importance of internal controls. All personnel at a banking organisation need to
understand their role in the internal controls process and be fully engaged in the
process.

An essential element of an effective system of internal control is a strong control
culture. It is the responsibility of the board of directors and senior management to
emphasise the importance of internal control through their actions and words. This
includes the ethical values that management displays in their business dealings, both
inside and outside the organisation. The words, attitudes and actions of the board of
directors and senior management affect the integrity, ethics and other aspects of the
bank’s control culture.

In varying degrees, internal control is the responsibility of everyone in a bank.
Almost all employees produce information used in the internal control system or
take other actions needed to effect control. An essential element of a strong internal
control system is the recognition by all employees of the need to carry out their
responsibilities effectively and to communicate to the appropriate level of
management any problems in operations, instances of non-compliance with the code
of conduct, or other policy violations or illegal actions that are noticed. This can best
be achieved when operational procedures are contained in clearly written
documentation that is made available to all relevant personnel. It is essential that all
personnel within the bank understand the importance of internal control and are
actively engaged in the process.

In reinforcing ethical values, banking organisations should avoid policies and
practices that may inadvertently provide incentives or temptations for inappropriate
activities. Examples of such policies and practices include undue emphasis on
performance targets or other operational results, particularly short-term ones that
ignore longer-term risks; compensation schemes that overly depend on short-term
performance; ineffective segregation of duties or other controls that could allow the
misuse of resources or concealment of poor performance; and insignificant or overly
onerous penalties for improper behaviours.

While having a strong internal control culture does not guarantee that an
organisation will reach its goals, the lack of such a culture provides greater
opportunities for errors to go undetected or for improprieties to occur.

B. Risk Recognition and Assessment

Principle 4: An effective internal control system requires that the material risks that
could adversely affect the achievement of the bank’s goals are being recognised and
continually assessed. This assessment should cover all risks facing the bank and the
consolidated banking organisation (that is, credit risk, country and transfer risk,
market risk, interest rate risk, liquidity risk, operational risk, legal risk and
reputational risk). Internal controls may need to be revised to appropriately address
any new or previously uncontrolled risks.

Banks are in the business of risk-taking. Consequently it is imperative that, as part
of an internal control system, these risks are being recognised and continually
assessed. From an internal control perspective, a risk assessment should identify and
evaluate the internal and external factors that could adversely affect the achievement
of the banking organisation’s performance, information and compliance objectives.
This process should cover all risks faced by the bank and operate at all levels within
the bank. It differs from the risk management process which typically focuses more
on the review of business strategies developed to maximise the risk/reward trade-
off within the different areas of the bank.

Effective risk assessment identifies and considers internal factors (such as the
complexity of the organisation’s structure, the nature of the bank’s activities, the
quality of personnel, organisational changes and employee turnover) as well as
external factors (such as fluctuating economic conditions, changes in the industry
and technological advances) that could adversely affect the achievement of the
bank’s goals. This risk assessment should be conducted at the level of individual
businesses and across the wide spectrum of activities and subsidiaries of the
consolidated banking organisation. This can be accomplished through various
methods. Effective risk assessment addresses both measurable and non-measurable
aspects of risks and weighs costs of controls against the benefits they provide.

The risk assessment process also includes evaluating the risks to determine which
are controllable by the bank and which are not. For those risks that are controllable,
the bank must assess whether to accept those risks or the extent to which it wishes
to mitigate the risks through control procedures. For those risks that cannot be
controlled, the bank must decide whether to accept these risks or to withdraw from
or reduce the level of business activity concerned.

In order for risk assessment,
and therefore the system of internal control, to remain effective, senior management
needs to continually evaluate the risks affecting the achievement of its goals and
react to changing circumstances and conditions. Internal controls may need to be
revised to appropriately address any new or previously uncontrolled risks. For
example, as financial innovation occurs, a bank needs to evaluate new financial
instruments and market transactions and consider the risks associated with these
activities. Often these risks can be best understood when considering how various
scenarios (economic and otherwise) affect the cash flows and earnings of financial
instruments and transactions. Thoughtful consideration of the full range of possible
problems, from customer misunderstanding to operational failure, will point to
important control considerations.

C. Control Activities and Segregation of Duties

Principle 5: Control activities should be an integral part of the daily activities of a
bank. An effective internal control system requires that an appropriate control
structure is set up, with control activities defined at every business level. These
should include: top level reviews; appropriate activity controls for different
departments or divisions; physical controls; checking for compliance with exposure
limits and follow-up on noncompliance; a system of approvals and authorisations;
and, a system of verification and reconciliation.

Control activities are designed and implemented to address the risks that the bank
identified through the risk assessment process described above. Control activities
involve two steps: (1) the establishment of control policies and procedures; and (2)
verification that the control policies and procedures are being complied with.
Control activities involve all levels of personnel in the bank, including senior
management as well as front line personnel. Examples of control activities include:

• Top level reviews - Boards of directors and senior management often request
presentations and performance reports that enable them to review the bank’s
progress toward its goals. For example, senior management may review reports
showing actual financial results to date versus the budget. Questions that senior
management generates as a result of this review and the ensuing responses of lower
levels of management represent a control activity which may detect problems such
as control weaknesses, errors in financial reporting or fraudulent activities.

• Activity controls - Department or division level management receives and reviews
standard performance and exception reports on a daily, weekly or monthly basis.
Functional reviews occur more frequently than top-level reviews and usually are
more detailed. For instance, a manager of commercial lending may review weekly
reports on delinquencies, payments received, and interest income earned on the
portfolio, while the senior credit officer may review similar reports on a monthly
basis and in a more summarised form that includes all lending areas. As with the
top-level review, the questions that are generated as a result of reviewing the reports
and the responses to those questions represent the control activity.

• Physical controls - Physical controls generally focus on restricting access to
tangible assets, including cash and securities. Control activities include physical
limitations, dual custody, and periodic inventories.

• Compliance with exposure limits - The establishment of prudent limits on risk
exposures is an important aspect of risk management. For example, compliance with
limits for borrowers and other counterparties reduces the bank’s concentration of
credit risk and helps to diversify its risk profile. Consequently, an important aspect
of internal controls is a process for reviewing compliance with such limits and
follow-up on instances of non-compliance.

• Approvals and authorisations - Requiring approval and authorisation for
transactions over certain limits ensures that an appropriate level of management is
aware of the transaction or situation, and helps to establish accountability.

• Verifications and reconciliations - Verifications of transaction details and activities
and the output of risk management models used by the bank are important control
activities. Periodic reconciliations, such as those comparing cash flows to account
records and statements, may identify activities and records that need correction.
Consequently, the results of these verifications should be reported to the appropriate
levels of management whenever problems or potential problems are detected.

Control activities are most effective when they are viewed by management and all
other personnel as an integral part of, rather than an addition to, the daily activities
of the bank. When controls are viewed as an addition to the day-to-day activities,
they are often seen as less important and may not be performed in situations where
individuals feel pressured to complete activities in a limited amount of time. In
addition, controls that are an integral part of the daily activities enable quick
responses to changing conditions and avoid unnecessary costs. As part of fostering
the appropriate control culture within the bank, senior management should ensure
that adequate control activities are an integral part of the daily functions of all
relevant personnel.

It is not sufficient for senior management to simply establish appropriate policies
and procedures for the various activities and divisions of the bank. They must
regularly ensure that all areas of the bank are in compliance with such policies and
procedures and also determine that existing policies and procedures remain
adequate. This is usually a major role of the internal audit function.

Principle 6: An effective internal control system requires that there is appropriate
segregation of duties and that personnel are not assigned conflicting responsibilities.
Areas of potential conflicts of interest should be identified, minimised, and subject
to careful, independent monitoring.

In reviewing major banking losses caused by poor internal controls, supervisors
typically find that one of the major causes of such losses is the lack of adequate
segregation of duties. Assigning conflicting duties to one individual (for example,
responsibility for both the front and back offices of a trading function) gives that
person access to assets of value and the ability to manipulate financial data for
personal gain or to conceal losses. Consequently, certain duties within a bank should
be split, to the extent possible, among various individuals in order to reduce the risk
of manipulation of financial data or misappropriation of assets.

Segregation of duties is not limited to situations involving simultaneous front and
back office control by one individual. It can also result in serious problems when
there are not appropriate controls in those instances where an individual has
responsibility for:

• approval of the disbursement of funds and the actual disbursement;

• customer and proprietary accounts;

• transactions in both the "banking" and "trading" books;

• informally providing information to customers about their positions while
marketing to the same customers;

• assessing the adequacy of loan documentation and monitoring the borrower after
loan origination; and,

• any other areas where significant conflicts of interest emerge and are not mitigated
by other factors.
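
The conflicting responsibilities listed above can be checked mechanically against role assignments and a transaction log. The following Python sketch is an added example, not part of the original report or of the Basel text; the duty names, roles, users and disbursement records are constructed for illustration.

```python
# Conflicting duty pairs, taken from the list above. The duty labels
# themselves are names chosen for this example.
CONFLICTING_DUTIES = [
    ("trading.front_office", "trading.back_office"),
    ("disbursement.approve", "disbursement.execute"),
    ("accounts.customer", "accounts.proprietary"),
    ("book.banking", "book.trading"),
    ("loan.assess_documentation", "loan.monitor_borrower"),
]

# Constructed sample data: which duties each role carries.
ROLE_DUTIES = {
    "trader": {"trading.front_office", "book.trading"},
    "settlements_clerk": {"trading.back_office"},
    "payments_approver": {"disbursement.approve"},
    "payments_operator": {"disbursement.execute"},
    "credit_analyst": {"loan.assess_documentation"},
}

# Constructed sample data: which roles each person holds.
USER_ROLES = {
    "asha": {"trader"},
    # Each role is clean on its own; the conflict comes from holding both.
    "ravi": {"trader", "settlements_clerk"},
    "meena": {"payments_approver"},
    "kiran": {"payments_operator", "credit_analyst"},
}

# Constructed sample disbursement log.
DISBURSEMENTS = [
    {"id": "D-001", "approved_by": "meena", "executed_by": "kiran"},
    {"id": "D-002", "approved_by": "kiran", "executed_by": "kiran"},
    {"id": "D-003", "approved_by": None, "executed_by": "kiran"},
]


def effective_duties(user, user_roles, role_duties):
    """Union of the duties granted by every role the user holds."""
    duties = set()
    for role in user_roles.get(user, set()):
        if role not in role_duties:
            raise ValueError(f"role {role!r} has no duty definition")
        duties |= role_duties[role]
    return duties


def static_conflicts(user_roles, role_duties):
    """Users whose combined roles give them both halves of a conflicting pair."""
    findings = []
    for user in sorted(user_roles):
        duties = effective_duties(user, user_roles, role_duties)
        for duty_a, duty_b in CONFLICTING_DUTIES:
            if duty_a in duties and duty_b in duties:
                findings.append((user, duty_a, duty_b))
    return findings


def transaction_conflicts(disbursements, user_roles, role_duties):
    """Disbursements where approval and execution were not properly separated."""
    findings = []
    for tx in disbursements:
        approver, executor = tx["approved_by"], tx["executed_by"]
        if approver is None:
            findings.append((tx["id"], "no approval recorded"))
        else:
            if approver == executor:
                findings.append((tx["id"], "same person approved and executed"))
            if "disbursement.approve" not in effective_duties(
                approver, user_roles, role_duties
            ):
                findings.append((tx["id"], "approver lacks disbursement.approve duty"))
        if "disbursement.execute" not in effective_duties(
            executor, user_roles, role_duties
        ):
            findings.append((tx["id"], "executor lacks disbursement.execute duty"))
    return findings


if __name__ == "__main__":
    for finding in static_conflicts(USER_ROLES, ROLE_DUTIES):
        print("assignment conflict:", finding)
    for finding in transaction_conflicts(DISBURSEMENTS, USER_ROLES, ROLE_DUTIES):
        print("transaction conflict:", finding)
```

The assignment check catches conflicts before any transaction occurs, while the log check catches cases where a correct assignment was bypassed in practice.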

Areas of potential conflict should be identified, minimised, and subject to careful
monitoring by an independent third party. There should also be periodic reviews of
the responsibilities and functions of key individuals to ensure that they are not in a
position to conceal inappropriate actions.

D. Information and Communication

Principle 7: An effective internal control system requires that there are adequate and
comprehensive internal financial, operational and compliance data, as well as
external market information about events and conditions that are relevant to decision
making. Information should be reliable, timely, accessible, and provided in a
consistent format.

Adequate information and effective communication are essential to the proper
functioning of a system of internal control. From the bank’s perspective, in order for
information to be useful, it must be relevant, reliable, timely, accessible, and
provided in a consistent format. Information includes internal financial, operational
and compliance data, as well as external market information about events and
conditions that are relevant to decision making. Internal information is part of a
record-keeping process that should include established procedures for record
retention.

Principle 8: An effective internal control system requires that there are reliable
information systems in place that cover all significant activities of the bank. These
systems, including those that hold and use data in an electronic form, must be secure,
monitored independently and supported by adequate contingency arrangements.

A critical component of a bank’s activities is the establishment and maintenance of
management information systems that cover the full range of its activities. This
information is usually provided through both electronic and non-electronic means.
Banks must be particularly aware of the organisational and internal control
requirements related to processing information in an electronic form and the
necessity to have an adequate audit trail. Management decision-making could be
adversely affected by unreliable or misleading information provided by systems that
are poorly designed and controlled.

Electronic information systems and the use of information technology have risks
that must be effectively controlled by banks in order to avoid disruptions to business
and potential losses. Since transaction processing and business applications have
expanded beyond the use of mainframe computer environments to distributed
systems for mission critical business functions, the magnitude of risks also has
expanded. Controls over information systems and technology should include both
general and application controls. General controls are controls over computer
systems (for example, mainframe, client/server, and end-user workstations) and
ensure their continued, proper operation. General controls include in-house back-up
and recovery procedures, software development and acquisition policies,
maintenance (change control) procedures, and physical/logical access security
controls. Application controls are computerised steps within software applications
and other manual procedures that control the processing of transactions and business
activities. Application controls include, for example, edit checks and specific logical
access controls unique to a business system. Without adequate controls over
information systems and technology, including systems that are under development,
banks could experience loss of data and programs due to inadequate physical and
electronic security arrangements, equipment or systems failures, and inadequate in-
house backup and recovery procedures.

In addition to the risks and controls above, inherent risks exist that are associated
with the loss or extended disruption of services caused by factors beyond the bank’s
control. In extreme cases, since the delivery of corporate and customer services
represent key transactional, strategic and reputational issues, such problems could
cause serious difficulties for banks and even jeopardise their ability to conduct key
business activities. This potential requires the bank to establish business resumption
and contingency plans using an alternate off-site facility, including the recovery of
critical systems supported by an external service provider. The potential for loss or
extended disruption of critical business operations requires an institution-wide effort
on contingency planning, involving business management, and not focused on
centralised computer operations. Business resumption plans must be periodically
tested to ensure the plan’s functionality in the event of an unexpected disaster.

Principle 9: An effective internal control system requires effective channels of
communication to ensure that all staff fully understand and adhere to policies and
procedures affecting their duties and responsibilities and that other relevant
information is reaching the appropriate personnel. Without effective
communication, information is useless. Senior management of banks need to
establish effective paths of communication in order to ensure that the necessary
information is reaching the appropriate people. This information relates both to the
operational policies and procedures of the bank as well as information regarding the
actual operational performance of the organisation.

The organisational structure of the bank should facilitate an adequate flow of
information - upward, downward and across the organisation. A structure that
facilitates this flow ensures that information flows upward so that the board of
directors and senior management are aware of the business risks and the operating
performance of the bank. Information flowing down through an organisation ensures
that the bank’s objectives, strategies, and expectations, as well as its established
policies and procedures, are communicated to lower level management and
operations personnel. This communication is essential to achieve a unified effort by
all bank employees to meet the bank’s objectives. Finally, communication across
the organisation is necessary to ensure that information that one division or
department knows can be shared with other affected divisions or departments.

E. Monitoring Activities and Correcting Deficiencies

Principle 10: The overall effectiveness of the bank’s internal controls should be
monitored on an ongoing basis. Monitoring of key risks should be part of the daily
activities of the bank as well as periodic evaluations by the business lines and
internal audit.

Since banking is a dynamic, rapidly evolving industry, banks must continually
monitor and evaluate their internal control systems in the light of changing internal
and external conditions, and must enhance these systems as necessary to maintain
their effectiveness. In complex, multinational organisations, senior management
must ensure that the monitoring function is properly defined and structured within
the organisation.

Monitoring the effectiveness of internal controls can be done by personnel from
several different areas, including the business function itself, financial control and
internal audit. For that reason, it is important that senior management makes clear
which personnel are responsible for which monitoring functions. Monitoring should
be part of the daily activities of the bank but also include separate periodic
evaluations of the overall internal control process. The frequency of monitoring
different activities of a bank should be determined by considering the risks involved
and the frequency and nature of changes occurring in the operating environment.

Ongoing monitoring activities can offer the advantage of quickly detecting and
correcting deficiencies in the system of internal control. Such monitoring is most
effective when the system of internal control is integrated into the operating
environment and produces regular reports for review. Examples of ongoing
monitoring include the review and approval of journal entries, and management
review and approval of exception reports.

In contrast, separate evaluations typically detect problems only after the fact;
however, separate evaluations allow an organisation to take a fresh, comprehensive
look at the effectiveness of the internal control system and specifically at the
effectiveness of the monitoring activities. These evaluations can be done by
personnel from several different areas, including the business function itself,
financial control and internal audit. Separate evaluations of the internal control
system often take the form of self-assessments when persons responsible for a
particular function determine the effectiveness of controls for their activities. The
documentation and the results of the evaluations are then reviewed by senior
management. All levels of review should be adequately documented and reported
on a timely basis to the appropriate level of management.

Principle 11: There should be an effective and comprehensive internal audit of the
internal control system carried out by operationally independent, appropriately
trained and competent staff. The internal audit function, as part of the monitoring of
the system of internal controls, should report directly to the board of directors or its
audit committee, and to senior management.

The internal audit function is an
important part of the ongoing monitoring of the system of internal controls because
it provides an independent assessment of the adequacy of, and compliance with, the
established policies and procedures. It is critical that the internal audit function is
independent from the day-to-day functioning of the bank and that it has access to all
activities conducted by the banking organisation, including at its branches and
subsidiaries.

By reporting directly to the board of directors or its audit committee, and to senior
management, the internal auditors provide unbiased information about line
activities. Due to the important nature of this function, internal audit must be staffed
with competent, well-trained individuals who have a clear understanding of their role
and responsibilities. The frequency and extent of internal audit review and testing
of the internal controls within a bank should be consistent with the nature,
complexity, and risk of the organisation’s activities.

It is important that the internal audit function reports directly to the highest levels of
the banking organisation, typically the board of directors or its audit committee, and
to senior management. This allows for the proper functioning of corporate
governance by giving the board information that is not biased in any way by the
levels of management that the reports cover. The board should also reinforce the
independence of the internal auditors by having such matters as their compensation
or budgeted resources determined by the board or the highest levels of management
rather than by managers who are affected by the work of the internal auditors.

Principle 12: Internal control deficiencies, whether identified by business line,
internal audit, or other control personnel, should be reported in a timely manner to
the appropriate management level and addressed promptly. Material internal control
deficiencies should be reported to senior management and the board of directors.

Internal control deficiencies, or ineffectively controlled risks, should be reported to
the appropriate person(s) as soon as they are identified, with serious matters reported
to senior management and the board of directors. Once reported, it is important that
management corrects the deficiencies on a timely basis. The internal auditors should
conduct follow-up reviews or other appropriate forms of monitoring, and
immediately inform senior management or the board of any uncorrected
deficiencies. In order to ensure that all deficiencies are addressed in a timely manner,
senior management should be responsible for establishing a system to track internal
control weaknesses and actions taken to rectify them.

The board of directors and senior management should periodically receive reports
summarising all control issues that have been identified. Issues that appear to be
immaterial when individual control processes are looked at in isolation, may well
point to trends that could, when linked, become a significant control deficiency if
not addressed in a timely manner.

Evaluation of Internal Control Systems by Supervisory Authorities

Principle 13: Supervisors should require that all banks, regardless of size, have an
effective system of internal controls that is consistent with the nature, complexity,
and risk inherent in their on- and off-balance-sheet activities and that responds to
changes in the bank’s environment and conditions. In those instances where
supervisors determine that a bank's internal control system is not adequate or
effective for that bank’s specific risk profile (for example, does not cover all of the
principles contained in this document), they should take appropriate action.

Although the board of directors and senior management bear the ultimate
responsibility for an effective system of internal controls, supervisors should assess
the internal control system in place at individual banks as part of their ongoing
supervisory activities. The supervisors should also determine whether individual
bank management gives prompt attention to any problems that are detected through
the internal control process.

Supervisors should require the banks they supervise to have strong control cultures
and should take a risk-focused approach in their supervisory activities. This includes
a review of the adequacy of internal controls. It is important that supervisors not
only assess the effectiveness of the overall system of internal controls, but also
evaluate the controls over high-risk areas (e.g., areas with characteristics such as
unusual profitability, rapid growth, new business activity, or geographic remoteness
from the head office). In those instances where supervisors determine that a bank’s
internal control system is not adequate or effective for that bank’s specific risk
profile, they should take appropriate action. This would involve communicating
their concerns to senior management and monitoring what actions the bank takes to
improve its internal control system.

Supervisors, in evaluating the internal control systems of banks, may choose to
direct special attention to activities or situations that historically have been
associated with internal control breakdowns leading to substantial losses. Certain
changes in a bank’s environment should be the subject of special consideration to
see whether accompanying revisions are needed in the internal control system.
These changes include:

(1) a changed operating environment;

(2) new personnel;

(3) new or revamped information systems;

(4) areas/activities experiencing rapid growth;

(5) new technology;

(6) new lines, products, activities (particularly complex ones);

(7) corporate restructurings, mergers and acquisitions; and

(8) expansion or acquisition of foreign operations (including the impact of changes
in the related economic and regulatory environments).

To evaluate the quality of internal controls, supervisors can take a number of
approaches. Supervisors can evaluate the work of the internal audit department of
the bank through review of its work papers, including the methodology used to
identify, measure, monitor and control risk. If satisfied with the quality of the
internal audit department’s work, supervisors can use the reports of internal auditors
as a primary mechanism for identifying control problems in the bank, or for
identifying areas of potential risk that the auditors have not recently reviewed. Some
supervisors may use a self-assessment process, in which management reviews the
internal controls on a business-by-business basis and certifies to the supervisor that
its controls are adequate for its business. Other supervisors may require periodic
external audits of key areas, where the supervisor defines the scope. And finally,
supervisors may combine one or more of the above techniques with their own on-
site reviews or examinations of internal controls.

Supervisors in many countries conduct on-site examinations and a review of internal
controls is an integral part of such examinations. An on-site review could include
both a review of the business process and a reasonable level of transaction testing in
order to obtain an independent verification of the bank's own internal control
processes.

An appropriate level of transaction testing should be performed to verify:

• the adequacy of, and adherence to, internal policies, procedures and limits;

• the accuracy and completeness of management reports and financial records; and

• the reliability (i.e., whether it functions as management intends) of specific
controls identified as key to the internal control element being assessed.

In order to evaluate the effectiveness of the five internal control elements of a
banking organisation (or a unit/activity thereof) supervisors should:

• identify the internal control objectives that are relevant to the organisation, unit or
activity under review (e.g., lending, investing, accounting);

• evaluate the effectiveness of the internal control elements, not just by reviewing
policies and procedures, but also by reviewing documentation, discussing operations
with various levels of bank personnel, observing the operating environment, and
testing transactions;

• share supervisory concerns about internal controls and recommendations for their
improvement with the board of directors and management on a timely basis; and

• determine that, where deficiencies are noted, corrective action is taken in a timely
manner.

Banking supervisory authorities that have the legal basis or other arrangements to
direct the scope of and make use of the work of external auditors often or always do
so in lieu of on-site examinations. In those instances, the external auditors should be
performing the review of the business process and the transaction testing described
above under specific engagement arrangements. In turn, the supervisors should
assess the quality of the auditors’ work.

In all instances, bank supervisors should take note of the external auditors'
observations and recommendations regarding the effectiveness of internal controls
and determine that bank management and the board of directors have satisfactorily
addressed the concerns and recommendations expressed by the external auditors.
The level and nature of control problems found by auditors should be factored into
supervisors’ evaluation of the effectiveness of a bank's internal controls.

Supervisors should also encourage bank external auditors to plan and conduct their
audits in ways that appropriately consider the possibility of material misstatement
of banks' financial statements due to fraud. Any fraud found by external auditors,
regardless of materiality, must be communicated to the appropriate level of
management. Fraud involving senior management and fraud that is material to the
entity should be reported by the external auditors to the board of directors and/or the
audit committee. External auditors may be expected to disclose fraud to certain
supervisory authorities or others outside the bank in certain circumstances (subject
to national requirements).

In reviewing the adequacy of the internal control process at individual banking
organisations, home country supervisors should also determine that the process is
effective across business lines, subsidiaries and national boundaries. It is important
that supervisors evaluate the internal control process not only at the level of
individual businesses or legal entities, but also across the wide spectrum of activities
and subsidiaries within the consolidated banking organisation. For this reason,
supervisors should encourage banking groups to use common auditors and common
accounting dates throughout the group, to the extent possible.

Roles and Responsibilities of External Auditors

Although external auditors are not, by definition, part of a banking organisation and
therefore, are not part of its internal control system, they have an important impact
on the quality of internal controls through their audit activities, including discussions
with management and recommendations for improvement to internal controls. The
external auditors provide important feedback on the effectiveness of the internal
control system.

While the primary purpose of the external audit function is to give an opinion on the
annual accounts of a bank, the external auditor must choose whether to rely on the
effectiveness of the bank’s internal control system. For this reason, the external
auditors have to obtain an understanding of the internal control system in order to
assess the extent to which they can rely on the system in determining the nature,
timing and scope of their own audit procedures.

The exact role of external auditors and the processes they use vary from country to
country. Professional auditing standards in many countries require that audits be
planned and performed to obtain reasonable assurance that financial statements are
free of material misstatement. Auditors also examine, on a test basis, underlying
transactions and records supporting financial statement balances and disclosures. An
auditor assesses the accounting principles and policies used and significant estimates
made by management and evaluates the overall financial statement presentation. In
some countries, external auditors are required by the supervisory authorities to
provide a specific assessment of the scope, adequacy and effectiveness of a bank’s
internal control system, including the internal audit system.

One consistency among countries, however, is the expectation that external auditors
will gain an understanding of a bank’s internal control process to the extent that it
relates to the accuracy of the bank’s financial statements. The extent of attention
given to the internal control system varies by auditor and by bank; however, it is
generally expected that material weaknesses identified by the auditors would be
reported to management in confidential management letters and, in many countries,
to the supervisory authority. Furthermore, in many countries external auditors may
be subject to special supervisory requirements that specify the way that they evaluate
and report on internal controls.

Recommendation

The system of internal control is designed to ensure efficient financial and economic
activities, management of assets and liabilities, risk maintenance at a level not
threatening the interests of the Bank’s shareholders and customers, and compliance
with other requirements set forth by the regulatory documents of the Banks.

Learning Outcomes

A. Management Oversight and the Control Culture

I have learnt that many internal control failures that resulted in significant losses
for banks could have been substantially lessened or even avoided if the board and
senior management of the organisations had established strong control cultures.
Weak control cultures often had two common elements. First, senior management
failed to emphasise the importance of a strong system of internal control through
their words and actions, and most importantly, through the criteria used to
determine compensation and promotion. Second, senior management failed to
ensure that the organisational structure and managerial accountabilities were well
defined. For example, senior management failed to require adequate supervision of
key decision-makers and reporting of the nature and conduct of business activities
in a timely manner.

B. Risk Recognition and Assessment


I have learnt that banking organisations will set objectives for the efficiency
and effectiveness of activities, reliability and completeness of financial and
management information, and compliance with laws and regulations. Risk
assessment entails the identification and evaluation of the risks involved in meeting
those objectives. This process helps to ensure that the bank’s internal controls are
consistent with the nature, complexity and risk of the bank’s on- and off-balance
sheet activities.

C. Information and Communication


I have learnt that some banks have experienced losses because information in the
organisation was not reliable or complete and because communication within the
organisation was not effective. Financial information may be misreported
internally; incorrect data series from outside sources may be used to value financial
positions; and small, but high-risk activities may not be reflected in management
reports. In some cases, banks failed to adequately communicate employees’ duties
and control responsibilities or disseminated policies through channels, such as
electronic mail, that did not ensure that the policy was read, understood and
retained. As a result, for long periods of time, major management policies were not
carried out. In other cases, adequate lines of communication did not exist for the
reporting of suspected improprieties by employees. If channels had been established
for communication of problems upward through the organisational levels,
management would have been able to identify and correct the improprieties much
sooner.

D. Monitoring Activities and Correcting Deficiencies


I have learnt that many banks that have experienced losses from internal control
problems did not effectively monitor their internal control systems. Often the systems did
not have the necessary built-in ongoing monitoring processes and the separate
evaluations performed were either not adequate or were not acted upon appropriately by
management.

