Download Internal Control Systems - Buisness Management - Lecture Notes and more Study notes Business Administration in PDF only on Docsity!
FRAMEWORK
FOR
INTERNAL CONTROL SYSTEMS
IN BANKING ORGANISATIONS
Risk Management Sub-group of the Basle Committee on Banking Supervision
Banque Nationale de Belgique, Brussels Mr. Philip Lefèvre
Commission Bancaire et Financière, Brussels Mr. Jos Meuleman
Office of the Superintendent of Financial Institutions, Ottawa Ms. Aina Liepins
Commission Bancaire, Paris Ms. Brigitte Declercy
Deutsche Bundesbank, Franfurt am Main Ms. Magdalene Heid
Bundesaufsichtsamt für das Kreditwesen, Berlin Mr. Uwe Neumann
Banca d’Italia, Rome Mr. Paolo Pasca
Bank of Japan, Tokyo Mr. Noriyuki Tomioka
Financial Supervisory Agency, Tokyo Mr. Kozo Ishimura
Banque Centrale du Luxembourg Ms. Isabelle Goubin
De Nederlandsche Bank, Amsterdam Mr. Job Swank
De Nederlandsche Bank, Amsterdam Mr. Paul Benschop
Finansinspektionen, Stockholm Mr. Jan Hedquist
Eidgenössiche Bankenkommission, Bern Ms. Renate Lischer
Financial Services Authority, London Mr. Stan Bereza
Federal Deposit Insurance Corporation, Washington, D.C. Mr. Mark Schmidt
Office of the Comptroller of the Currency, Washington, D.C. Mr. Kurt Wilhelm
European Commission, Brussels Mr. Nicholas Cook
Secretariat of the Basle Committee on Banking Supervision, Bank for International Settlements
Ms. Betsy Roberts
Framework for Internal Control Systems in Banking Organisations
INTRODUCTION
- As part of its on-going efforts to address bank supervisory issues and enhance supervision through guidance that encourages sound risk management practices, the Basle Committee on Banking Supervision^1 is issuing this fra mework for the evaluation of internal control systems. A system of effective internal controls is a critical component of bank management and a foundation for the safe and sound operation of banking organisations. A system of strong internal controls can help to ensure that the goals and objectives of a banking organisation will be met, that the bank will achieve long-term profitability targets, and maintain reliable financial and managerial reporting. Such a system can also help to ensure that the bank will comply with laws and regulations as well as policies, plans, internal rules and procedures, and decrease the risk of unexpected losses or damage to the bank’s reputation. The paper describes the essential elements of a sound internal control system, drawing upon experience in member countries and principles established in earlier publications by the Committee. The objective of the paper is to outline a number of princ iples for use by supervisory authorities when evaluating banks’ internal control systems.
- The Basle Committee, along with banking supervisors throughout the world, has focused increasingly on the importance of sound internal controls. This heightened interest in internal controls is, in part, a result of significant losses incurred by several banking organisations. An analysis of the problems related to these losses indicates that they could probably have been avoided had the banks maintained effective internal control systems. Such systems would have prevented or enabled earlier detection of the problems that led to the losses, thereby limiting damage to the banking organisation. In developing these principles, the Committee has drawn on lessons learned from proble m bank situations in individua l member countries.
- These principles are intended to be of general application and supervisory authorities should use them in assessing their own supervisory methods and procedures for monitoring how banks st ructure their internal control systems. While the exact approach chosen by individual supervisors will depend upon a host of factors, including their on-site
1
and off-site supervisory techniques and the degree to which external auditors are also used in the supervisory function, all members of the Basle Committee agree that the principles set out in this paper should be used in evaluating a bank’s internal control system.
- The Basle Committee is distributing this pa per to supervisory authorities worldwide in the belief that the principles presented will provide a useful framework for the effective supervision of inte rnal control systems. More generally, the Committee wishes to emphasise that sound internal controls are essential to the prudent operation of banks and to promoting stability in the financial system as a whole. While the Committee recognises that not all institutions may have implemented all aspects of this framework, banks are working towards adoption.
- The guidance previously issued by the Basle Committee typically included discussions of internal controls affecting specific areas of bank activities, such as interest rate risk, and trading and derivatives activities. In c ontrast, this guidance presents a framework that the Basle Committee encourages supervisors to use in evaluating the internal controls over all on- and off-balance sheet activities of banks and consolidated banking organisations. The guidance does not focus on specific areas or activities within a banking organisation. The exact application depends on the nature, complexity and risks of the bank’s activities.
- The Committee provides background information is section I, sets out the objectives and role of an internal control framework in Section II, and stipulates in sections III and IV of the paper thirteen principles for ba nking supervisory authorities to a pply in assessing banks’ internal control systems. In addition, Appendix I lists reference materials and Appendix II provides supervisory lessons learned from past internal control failures.
Principles for the Assessment of Internal Control Systems
Management oversight and the control culture
Principle 1: The board of directors should have responsibility for approving and periodically reviewing the overall business strategies and signific ant policies of the bank; understanding the major risks run by the bank, setting acceptable levels for these risks and ensuring that senior management takes the steps necessary to identify, measure, monitor and control these risks; approving the organisational structure; and ensuring that senior management is mon itoring the effectiveness of the internal control system. The board of d irectors is ultimately responsible for ensuring that an adequate and effective system of i nternal controls is established and maintained.
Principle 6: An effective internal control system requires that there is appropriate segregation of duties and that pe rsonnel are not assigned conflicting responsibilities. Areas of potential conflicts of i nterest should be identified, minimised, and subject to careful, independent monitoring.
Information and communication
Principle 7: An effective internal control system req uires that there are adequate and comprehensive internal financial, operational and compliance data, as well as external market information about events and conditions that are rel evant to decision making. Information should be reliable, timely, accessible, and provided in a consistent format.
Principle 8: An effective internal control system req uires that there are reliable information systems in place that cover al l significant activities of th e bank. These systems, including those that hold and use data in an electronic form, mu st be secure, monitored independently and supported by adequate contingency arrangements.
Principle 9: An effective internal control system requires effective channels of communication to ensure that all staff fu lly understand and adhere to policies and procedures affecting their duties and r esponsibilities and that othe r relevant information is reaching the appropriate personnel.
Monitoring Activities and Correcting Deficiencies
Principle 10: The overall effectiveness of the bank’s internal controls should be monitored on an ongoing basis. Monitoring of key risks should be part of the daily activities of the bank as well as periodic evaluations by the business lines and internal audit.
Principle 11: There should be an effective and comprehensive internal audit of th e internal control system carried out by operationally independent, appropriately trained and competent staff. The internal audit function, as part of the monitoring of the system of internal controls, should report directly to th e board of d irectors or i ts audit committee, and to senior management.
Principle 12: Internal control deficiencies, whether identified by business line, internal audit, or other control personnel, should be reported in a timely manner to the appropriate management level and addressed promptly. Material internal control deficiencies should be reported to senior management and the board of directors.
Evaluation of Internal Control Systems by Supervisory Authorities
Principle 13: Supervisors should require that all banks, regardless of size, have an effective system of internal controls that is consistent with the nature, complexity, and risk inherent in their on- and off-balance-sheet activities and that responds to changes in the bank’s environment and conditions. In those instances where supervisors determine that a bank's internal control system is not adequate or effective for that bank’s specific risk profile (for example, does not cover al l of th e principles contained in this document), they should take appropriate action.
problems became severe. In other instances, information in management reports was not complete or accurate, creating a falsely favourable impression of a business situation.
- Inadequate or ineffective audit programs and monitoring activities****. In m any cases, audits were not sufficiently rigorous to identify and report the control weaknesses associated with problem banks. In other cases, even though auditors reported problems, no mechanism was in place to ensure that management corrected the deficiencies.
- The internal control framework underlying this guidance is based on practices currently in place at many major banks, securities firms, and non-financial companies, and their auditors. Moreover, this evaluation framework is consistent with the increased emphasis of banking supervisors on the review of a banking organisation’s risk management and internal control processes. It is important to emphasise that it is the responsibility of a bank’s board of directors and senior management to ensure that adequate internal controls are in place at the bank and to foster an environment where individuals understand and meet their responsibilities in this area. In turn, it is the responsibility of banking supervisors to assess the commitment of a bank’s board of directors and management to the internal control process.
II. The Objectives and Role of the Internal Control Framework
- Internal control is a process effected by the board of directors,^2 senior management and all levels of personnel. It is not solely a procedure or policy that is performed at a certain point in time , but rather it is continually operating at all levels within the bank. The board of directors and senior management are responsible for establishing the appropriate culture to fa cilitate an effective internal control process and for monitoring its effectiveness on an ongoing basis; however, each individual within an organisation must participate in the process. The main objectives of the internal control process can be categorised as follows: 3
- efficiency and effectiveness of activities (performance objectives);
- reliability, completeness and timeliness of fina ncial and management information (information objectives); and
- compliance with applicable laws and regulations (compliance objectives).
- Performance objectives for i nternal controls pertain to the effectiveness and efficiency of the bank in using its assets and other resources and protecting the bank from loss. The internal control process seeks to ensure that personnel throughout the organisation are working to achieve its goals with efficiency and integrity, without unintended or excessive cost or placing other interests (such as an employee’s, vendor’s or customer’s interest) before those of the bank.
- Information objectives address the preparation of timely, reliable, relevant reports needed for decision-making within the banking organisation. They also address the need for reliable annual accounts, other financial statements and other financial-related disclosures and reports to shareholders, supervisors, and other external parties. The i nformation received by management, the board of directors, shareholders and supervisors should be of sufficient quality and integrity that recipients can rely on the information in making decisions. The term reliable, as it relates to financial statements, refers to the preparation of sta tements that are