______________________________________________________________________________

Statement of Guidance

Internal Controls in Banks

1. Statement of Objectives

1.1. To provide guidance on the requirement imposed on licensee by Rule 1(A).

1.2. To provide a standard of best practice to banks for the implementation of an
effective and sound Internal Control System.

2. Introduction

A system of effective controls is a critical component of bank management and a

foundation for the safe and sound operation of banking organisations. A system of
strong internal controls can help to ensure that the goals and objectives of a
banking organisation will be met, that the bank will achieve long-term profitability
targets, and maintain reliable financial and managerial reporting. Such a system
can also help to ensure that the bank will comply with laws and regulations as well
as policies, plans, internal rules and procedures, and decrease the risk of
unexpected losses or damage to the bank’s reputation.

3. Management Control Culture and Oversight

3.1. Directions

3.1.1 The board of directors should have responsibility for approving and
periodically reviewing the overall business strategies and significant
policies of the bank; understanding the major risks run by the bank,
setting acceptable levels for these risks and ensuring that senior
management takes the steps necessary to identify, measure, monitor
and control these risks; approving the organisational structure; and
_____________________________________________________________________________________________

Policy and Research Division Page 1 of 17

L:\Administration\IT
Division\Projects\Website\Content\Updates\SOG\SOG_Internal_Controls_in_Banks.doc
______________________________________________________________________________
ensuring that senior management is monitoring the effectiveness of the
internal control system. The board of directors is ultimately responsible
for ensuring that an adequate and effective system of internal controls
is established and maintained.

3.1.2 The board of directors provides governance, guidance and oversight to

senior management. Board members should be objective, capable, and
inquisitive, with a knowledge or expertise of the activities of and risks
run by the bank. The board should consist of some members who are
independent from the daily management of the bank. A strong, active
board, particularly when coupled with effective upward communication
channels and capable financial, legal, and internal audit functions,
provides an important mechanism to ensure the correction of problems
that may diminish the effectiveness of the internal control system.

3.1.3 The board of directors should include in its activities (1) periodic
discussions with management concerning the effectiveness of the
internal control system, (2) a timely review of evaluations of internal
controls made by management, internal auditors, and external auditors,
(3) periodic efforts to ensure that management has promptly followed
up on recommendations and concerns expressed by auditors and
supervisory authorities on internal control weaknesses, and (4) a
periodic review of the appropriateness of the bank’s strategy and risk
limits.

3.2. Senior Management

3.2.1 Senior management should have responsibility for implementing

strategies and policies approved by the board; developing processes
that identify, measure, monitor and control risks incurred by the bank;
maintaining an organizational structure that clearly assigns
responsibility, authority and reporting relationships; ensuring that
_____________________________________________________________________________________________

Policy and Research Division Page 2 of 17

L:\Administration\IT
Division\Projects\Website\Content\Updates\SOG\SOG_Internal_Controls_in_Banks.doc
______________________________________________________________________________
delegated responsibilities are effectively carried out; setting appropriate
internal control policies; and monitoring the adequacy and effectiveness
of the internal control system.

3.2.2 Senior management is responsible for carrying out the directives of the
board of directors, including the implementation of strategies and
policies and the establishment of an effective system of internal control.
Members of senior management typically delegate responsibility for
establishing more specific internal control policies and procedures to
those responsible for a particular business unit. Delegation is an
essential part of management; however, it is important for senior
management to oversee the managers to whom they have –delegated
these responsibilities to ensure that they develop and enforce
appropriate policies and procedures.

3.2.3 Compliance with an established internal control system is heavily

dependent on a well documented and communicated organisational
structure that clearly shows lines of reporting responsibility and
authority and provides for effective communication throughout the
organisation. The allocation of duties and responsibilities should ensure
that there are no gaps in reporting lines and that an effective level of
management control is extended to all levels of the bank and its various
activities.

3.2.4 It is important that senior management takes steps to ensure that

activities are conducted by qualified staff with the necessary experience
and technical capabilities. Staff in control functions must be properly
remunerated. Staff training and skills should be regularly updated.
Senior management should institute compensation and promotion
policies that reward appropriate behaviours and minimise incentives for
staff to ignore or override internal control mechanisms.

_____________________________________________________________________________________________

Policy and Research Division Page 3 of 17

L:\Administration\IT
Division\Projects\Website\Content\Updates\SOG\SOG_Internal_Controls_in_Banks.doc
______________________________________________________________________________

3.3. Control culture

3.3.1 The board of directors and senior management are responsible for
promoting high ethical and integrity standards, and for establishing a
culture within the organisation that emphasises and demonstrates to all
levels of personnel the importance of internal controls. All personnel at
a banking organisation need to understand their role in the internal
controls process and be fully engaged in the process.

3.3.2 An essential element of an effective system of internal control is a

strong control culture. It is the responsibility of the board of directors
and senior management to emphasise the importance of internal
control through their actions and words. This includes the ethical values
that management displays in their business dealings, both inside and
outside the organisation. The words, attitudes and actions of the board
of directors and senior management affect the integrity, ethics and
other aspects of the bank’s control culture.

3.3.3 In varying degrees, internal control is the responsibility of everyone in a

bank. Almost all employees produce information used in the internal
control system or take other actions needed to effect control. An
essential element of a strong internal control system is the recognition
by all employees of the need to carry out their responsibilities
effectively and to communicate to the appropriate level of management
any problems in operations, instances of non-compliance with any code
of conduct, or other policy violations or illegal actions that are noticed.
This can best be achieved when operational procedures are contained in
clearly written documentation that is made available to all relevant
personnel. It is essential that all personnel within the bank understand
the importance of internal control and are actively engaged in the
process.

_____________________________________________________________________________________________

Policy and Research Division Page 4 of 17

L:\Administration\IT
Division\Projects\Website\Content\Updates\SOG\SOG_Internal_Controls_in_Banks.doc
______________________________________________________________________________
3.3.4 In reinforcing ethical values, banking organisations should avoid
policies and practices that may inadvertently provide incentives or
temptations for inappropriate activities. Examples of such policies and
practices may include undue emphasis on performance targets or other
operational results, particularly short-term ones that ignore longer-
term risks; compensation schemes that overly depend on short-term
performance; ineffective segregation of duties or other controls that
could allow the misuse of resources or concealment of poor
performance; and insignificant or overly onerous penalties for improper
behaviours.

3.3.5 While having a strong internal control culture does not guarantee that
an organisation will reach its goals, the lack of such a culture provides
greater opportunities for errors to go undetected or for improprieties to
occur.

4. Risk Recognition and Assessment

4.1. An effective internal control system requires that the material risks that could
adversely affect the achievement of the bank’s goals are being recognised and
continually assessed. This assessment should cover all risks facing the bank
and the consolidated banking organisation (that is, credit risk, country and
transfer risk, market risk, interest rate risk, liquidity risk, operational risk,
legal risk and reputational risk). Internal controls may need to be revised to
appropriately address any new or previously uncontrolled risks.

4.1.1 Banks are in the business of risk-taking. Consequently it is imperative

that, as part of an internal control system, these risks are being
recognised and continually assessed. From an internal control
perspective, a risk assessment should identify and evaluate the internal
and external factors that could adversely affect the achievement of the
banking organisation’s performance, information and compliance
_____________________________________________________________________________________________

Policy and Research Division Page 5 of 17

L:\Administration\IT
Division\Projects\Website\Content\Updates\SOG\SOG_Internal_Controls_in_Banks.doc
______________________________________________________________________________
objectives. This process should cover all risks faced by the bank and
operate at all levels within the bank. It differs from the risk
management process which typically focuses more on the review of
business strategies developed to maximise the risk/reward trade-off
within the different areas of the bank.

4.1.2 Effective risk assessment identifies and considers internal factors (such
as the complexity of the organisation’s structure, the nature of the
bank’s activities, the quality of personnel, organisational changes and
employee turnover) as well as external factors (such as fluctuating
economic conditions, changes in the industry and technological
advances) that could adversely affect the achievement of the bank’s
goals. This risk assessment should be conducted at the level of
individual businesses and across the wide spectrum of activities and
subsidiaries of the consolidated banking organisation. This can be
accomplished through various methods. Effective risk assessment
addresses both measurable and non-measurable aspects of risks and
weighs costs of controls against the benefits they provide.

4.1.3 The risk assessment process also includes evaluating the risks to
determine which are controllable by the bank and which are not. For
those risks that are controllable, the bank must assess whether to
accept those risks or the extent to which it wishes to mitigate the risks
through control procedures. For those risks that cannot be controlled,
the bank must decide whether to accept these risks or to withdraw from
or reduce the level of business activity concerned.

4.1.4 In order for risk assessment, and therefore the system of internal
control, to remain effective, senior management needs to continually
evaluate the risks affecting the achievement of its goals and react to
changing circumstances and conditions. Internal controls may need to
be revised to appropriately address any new or previously uncontrolled
_____________________________________________________________________________________________

Policy and Research Division Page 6 of 17

L:\Administration\IT
Division\Projects\Website\Content\Updates\SOG\SOG_Internal_Controls_in_Banks.doc
______________________________________________________________________________
risks. For example, as financial innovation occurs, a bank needs to
evaluate new financial instruments and market transactions and
consider the risks associated with these activities. Often these risks can
be understood when considering how various scenarios (economic and
otherwise) affect the cash flows and earnings of financial instruments
and transactions. Thoughtful consideration of the full range of possible
problems, from customer misunderstanding to operational failure, will
point to important control considerations.

5. Control Activities and Segregation of Duties

5.1. Control activities should be an integral part of the daily activities of a bank. An
effective internal control system requires that an appropriate control structure
is set up, with control activities defined at every business level. These should
include: top level reviews; appropriate activity controls for different
departments or divisions; physical controls; checking for compliance with
exposure limits and follow-up on non-compliance; a system of approvals and
authorisations; and, a system of verification and reconciliation.

5.1.1 Control activities are designed and implemented to address the risks
that the bank identified through the risk assessment process described
previously. Control activities involve two steps: (1) the establishment of
control policies and procedures; and (2) verification that the control
policies and procedures are being complied with. Control activities
involve all levels of personnel in the bank, including senior
management as well as front line personnel. Examples of control
activities include:

a) Top level reviews - Boards of directors and senior management

often request presentations and performance reports that enable
them to review the bank’s progress toward its goals. For example,
senior management may review reports showing actual financial
_____________________________________________________________________________________________

Policy and Research Division Page 7 of 17

L:\Administration\IT
Division\Projects\Website\Content\Updates\SOG\SOG_Internal_Controls_in_Banks.doc
______________________________________________________________________________
results to date versus the budget. Questions that senior
management generates as a result of this review and the ensuing
responses of lower levels of management represent a control activity
which may detect problems such as control weaknesses, errors in
financial reporting or fraudulent activities.

b) Activity controls - Department or division level management

receives and reviews standard performance and exception reports
on a daily, weekly or monthly basis. Functional reviews occur more
frequently than top-level reviews and usually are more detailed. For
instance, a manager of commercial lending may review weekly
reports on delinquencies, payments received, and interest income
earned on the portfolio, while the senior credit officer may review
similar reports on a monthly basis and in a more summarised form
that includes all lending areas. As with the top-level review, the
questions that are generated as a –result of reviewing the reports
and the responses to those questions represent the control activity.

c) Physical controls - Physical controls generally focus on restricting

access to tangible assets, including cash and securities. Control
activities include physical limitations, dual custody, and periodic
inventories.

d) Compliance with exposure limits - The establishment of prudent

limits on risk exposures is an important aspect of risk management.
For example, compliance with limits for borrowers and other
counterparties reduces the bank’s concentration of credit risk and
helps to diversify its risk profile. Consequently, an important aspect
of internal controls is a process for reviewing compliance with such
limits and follow-up on instances of non-compliance.

e) Approvals and authorisations - Requiring approval and authorisation

_____________________________________________________________________________________________

Policy and Research Division Page 8 of 17

L:\Administration\IT
Division\Projects\Website\Content\Updates\SOG\SOG_Internal_Controls_in_Banks.doc
______________________________________________________________________________
for transactions over certain limits ensures that an appropriate level
of management is aware of the transaction or situation, and helps to
establish accountability.

f) Verifications and reconciliations - Verifications of transaction details

and activities and the output of risk management models used by
the bank are important control activities. Periodic reconciliations,
such as those comparing cash flows to account records and
statements, may identify activities and records that need correction.
Consequently, the results of these verifications should be reported
to the appropriate levels of management whenever problems or
potential problems are detected.

5.1.2 Control activities are most effective when they are viewed by
management and all other personnel as an integral part of, rather than
an addition to, the daily activities of the bank. When controls are viewed
as an addition to the day-to-day activities, they are often seen as less
important and may not be performed in situations where individuals
feel pressured to complete activities in a limited amount of time. In
addition, controls that are an integral part of the daily activities enable
quick responses to changing conditions and avoid unnecessary costs.
As part of fostering the appropriate control culture within the bank,
senior management should ensure that adequate control activities are
an integral part of the daily functions of all relevant personnel.

5.1.3 It is not sufficient for senior management to simply establish

appropriate policies and procedures for the various activities and
divisions of the bank. They must regularly ensure that all areas of the
bank are in compliance with such policies and procedures and also
determine that existing policies and procedures remain adequate. This
is usually a major role of the internal audit function.

_____________________________________________________________________________________________

Policy and Research Division Page 9 of 17

L:\Administration\IT
Division\Projects\Website\Content\Updates\SOG\SOG_Internal_Controls_in_Banks.doc
______________________________________________________________________________
5.2. An effective internal control system requires that there is appropriate
segregation of duties and that personnel are not assigned conflicting
responsibilities. Areas of potential conflicts of interest should be identified,
minimised, and subject to careful, independent monitoring.

5.2.1 Assigning conflicting duties to one individual (for example,

responsibility for both the front and back offices of a trading function)
gives that person access to assets of value and the ability to manipulate
financial data for personal gain or to conceal losses. Consequently,
certain duties within a bank should be split, to the extent possible,
among various individuals in order to reduce the risk of manipulation of
financial data or misappropriation of assets.

5.2.2 Segregation of duties is not limited to situations involving simultaneous

front and back office control by one individual. It can also result in
serious problems when there are not appropriate controls in those
instances where an individual has responsibility for:

a) Approval of the disbursement of funds and the actual disbursement;

b) Customer and proprietary accounts;

c) Transactions in both the "banking" and "trading" books;

d) Informally providing information to customers about their positions

while marketing to the same customers;

e) assessing the adequacy of loan documentation and monitoring the

borrower after loan origination; and,

f) any other areas where significant conflicts of interest emerge and

are not mitigated by other factors.

_____________________________________________________________________________________________

Policy and Research Division Page 10 of 17

L:\Administration\IT
Division\Projects\Website\Content\Updates\SOG\SOG_Internal_Controls_in_Banks.doc
______________________________________________________________________________
5.2.3 Areas of potential conflict should be identified, minimised, and subject
to careful monitoring by an independent third party. There should also
be periodic reviews of the responsibilities and functions of management
and staff to ensure that they are not in a position to conceal
inappropriate actions.

6. Information and Communication

6.1. An effective internal control system requires that there are adequate and
comprehensive internal financial, operational and compliance data, as well as
external market information about events and conditions that are relevant to
decision making. Information should be reliable, timely, accessible, and
provided in a consistent format.

6.1.1 Adequate information and effective communication are essential to the

proper functioning of a system of internal control. From the bank’s
perspective, in order for information to be useful, it must be relevant,
reliable, timely, accessible, and provided in a consistent format.
Information includes internal financial, operational and compliance
data, as well as external market information about events and
conditions that are relevant to decision making. Internal information is
part of a record-keeping process that should include established
procedures for record retention.

6.2. An effective internal control system requires that there are reliable
information systems in place that cover all significant activities of the bank.
These systems, including those that hold and use data in an electronic form,
must be secure, monitored independently and supported by adequate
contingency arrangements.

6.2.1 A critical component of a bank’s activities is the establishment and

maintenance of management information systems that cover the full
_____________________________________________________________________________________________

Policy and Research Division Page 11 of 17

L:\Administration\IT
Division\Projects\Website\Content\Updates\SOG\SOG_Internal_Controls_in_Banks.doc
______________________________________________________________________________
range of its activities. This information is usually provided through both
electronic and non-electronic means. Banks must be particularly aware
of the organisational and internal control requirements related to
processing information in an electronic form and the necessity to have
an adequate audit trail. Management decision-making could be
adversely affected by unreliable or misleading information provided by
systems that are poorly designed and controlled.

6.2.2 Electronic information systems and the use of information technology

have risks that must be effectively controlled by banks in order to avoid
disruptions to business and potential losses. Since transaction
processing and business applications have expanded beyond the use of
mainframe computer environments to distributed systems for mission-
critical business functions, the magnitude of risks also has expanded.
Controls over information systems and technology should include both
general and application controls. General controls are controls over
computer systems (for example, mainframe, client/server, and end-
user workstations) and ensure their continued, proper operation.
General controls include in-house back-up and recovery procedures,
software development and acquisition policies, maintenance (change
control) procedures, and physical/logical access security controls.
Application controls are computerised steps within software
applications and other manual procedures that control the processing
of transactions and business activities. Application controls include, for
example, edit checks and specific logical access controls unique to a
business system. Without adequate controls over information systems
and technology, including systems that are under development, banks
could experience loss of data and programs due to inadequate physical
and electronic security arrangements, equipment or systems failures,
and inadequate in-house backup and recovery procedures.

6.2.3 In addition to the risks and controls above, inherent risks exist that are
_____________________________________________________________________________________________

Policy and Research Division Page 12 of 17

L:\Administration\IT
Division\Projects\Website\Content\Updates\SOG\SOG_Internal_Controls_in_Banks.doc
______________________________________________________________________________
associated with the loss or extended disruption of services caused by
factors beyond the bank’s control. In extreme cases, since the delivery
of corporate and customer services represent key -transactional,
strategic and reputational issues, such problems could cause serious
difficulties for banks and even jeopardise their ability to conduct key
business activities. This potentially requires the bank to establish
business resumption and contingency plans using an alternate off-site
facility, including the recovery of critical systems supported by an
external service provider. The potential for loss or extended disruption
of critical business operations requires an institution-wide effort on
contingency planning, involving business management, and not focused
on centralised computer operations. Business resumption plans must
be periodically tested to ensure the plan’s functionality in the event of
an unexpected disaster.

6.3. An effective internal control system requires effective channels of

communication to ensure that all staff fully understand and adhere to policies
and procedures affecting their duties and responsibilities and that other
relevant information is reaching the appropriate personnel.

6.3.1 Without effective communication, information is useless. Senior

management of banks need to establish effective paths of
communication in order to ensure that the necessary information is
reaching the appropriate people. This information relates both to the
operational policies and procedures of the bank as well as information
regarding the actual operational performance of the organisation.

6.3.2 The organisational structure of the bank should facilitate an adequate

flow of information - upward, downward and across the organisation. A
structure that facilitates this flow ensures that information flows
upward so that the board of directors and senior management are

_____________________________________________________________________________________________

Policy and Research Division Page 13 of 17

L:\Administration\IT
Division\Projects\Website\Content\Updates\SOG\SOG_Internal_Controls_in_Banks.doc
______________________________________________________________________________
aware of the business risks and the operating performance of the bank.
Information flowing down through an organisation ensures that the
bank’s objectives, strategies, and expectations, as well as its
established policies and procedures, are communicated to lower level
management and operations personnel. This communication is
essential to achieve a unified effort by all bank employees to meet the
bank’s objectives. Finally, communication across the organisation is
necessary to ensure that information that one division or department
knows can be shared with other affected divisions or departments.

7. Monitoring Activities and Correcting Deficiencies

7.1. The overall effectiveness of the bank’s internal controls should be monitored
on an ongoing basis. Monitoring of key risks should be part of the daily
activities of the bank as well as periodic evaluations by the business lines and
internal audit.

7.1.1 Since banking is a dynamic, rapidly evolving industry, banks must

continually monitor and evaluate their internal control systems in the
light of changing internal and –external conditions, and must enhance
these systems as necessary to maintain their effectiveness. In complex,
multinational organisations, senior management must ensure that the
monitoring function is properly defined and structured within the
organisation.

7.1.2 Monitoring the effectiveness of internal controls can be done by

personnel from several different areas, including the business function
itself, financial control and internal audit. For that reason, it is
important that senior management makes clear which personnel are
responsible for which monitoring functions. Monitoring should be part
of the daily activities of the bank but also include separate periodic
_____________________________________________________________________________________________

Policy and Research Division Page 14 of 17

L:\Administration\IT
Division\Projects\Website\Content\Updates\SOG\SOG_Internal_Controls_in_Banks.doc
______________________________________________________________________________
evaluations of the overall internal control process. The frequency of
monitoring different activities of a bank should be determined by
considering the risks involved and the frequency and nature of changes
occurring in the operating environment.

7.1.3 Ongoing monitoring activities can offer the advantage of quickly

detecting and correcting deficiencies in the system of internal control.
Such monitoring is most effective when the system of internal control is
integrated into the operating environment and produces regular reports
for review. Examples of ongoing monitoring include the review and
approval of journal entries, and management review and approval of
exception reports.

7.1.4 In contrast, separate evaluations typically detect problems only after

the fact; however, separate evaluations allow an organisation to take a
fresh, comprehensive look at the effectiveness of the internal control
system and specifically at the effectiveness of the monitoring activities.
These evaluations can be done by personnel from several different
areas, including the business function itself, financial control and
internal audit. Separate evaluations of the internal control system often
take the form of self-assessments when persons responsible for a
particular function determine the effectiveness of controls for their
activities. The documentation and the results of the evaluations are
then reviewed by senior management. All levels of review should be
adequately documented and reported on a timely basis to the
appropriate level of management.

7.2. There should be an effective and comprehensive internal audit of the internal
control system carried out by operationally independent, appropriately trained
and competent staff. The internal audit function, as part of the monitoring of
the system of internal controls, should report directly to the board of directors
or its audit committee, and to senior management.
_____________________________________________________________________________________________

Policy and Research Division Page 15 of 17

L:\Administration\IT
Division\Projects\Website\Content\Updates\SOG\SOG_Internal_Controls_in_Banks.doc
______________________________________________________________________________

7.2.1 The internal audit function is an important part of the ongoing

monitoring of the system of internal controls because it provides an
independent assessment of the adequacy of, and compliance with, the
established policies and procedures. It is critical that the internal audit
function is independent from the day-to-day functioning of the bank
and that it has –access to all activities conducted by the banking
organisation, including at its branches and subsidiaries.

7.3. Internal control deficiencies, whether identified by business line, internal

audit, or other control personnel, should be reported in a timely manner to
the appropriate management level and addressed promptly. Material internal
control deficiencies should be reported to senior management and the board
of directors.

7.3.1 Internal control deficiencies, or ineffectively controlled risks, should be

reported to the appropriate person(s) as soon as they are identified,
with serious matters reported to senior management and the board of
directors. Once reported, it is important that management corrects the
deficiencies on a timely basis. The internal auditors should conduct
follow-up reviews or other appropriate forms of monitoring, and
immediately inform senior management or the board of any
uncorrected deficiencies. In order to ensure that all deficiencies are
addressed in a timely manner, senior management should be
responsible for establishing a system to track internal control
weaknesses and actions taken to rectify them.

7.3.2 The board of directors and senior management should periodically

receive reports summarising all control issues that have been identified.
Issues that appear to be immaterial when individual control processes
are looked at in isolation, may well point to trends that could, when
linked, become a significant control deficiency if not addressed in a
_____________________________________________________________________________________________

Policy and Research Division Page 16 of 17

L:\Administration\IT
Division\Projects\Website\Content\Updates\SOG\SOG_Internal_Controls_in_Banks.doc
______________________________________________________________________________
timely manner.

8. General Guidance

These guidelines have been developed using Framework for Internal Control
Systems in Banking Organisations, September 1998, issued by the Basel
Committee on Banking Supervision. For further guidance, institutions should
consult papers issued by the Basel Committee on Banking Supervision, and
the regulatory manuals from other internationally recognised regulators such
as the Comptroller of the Currency (OCC), the Federal Reserve, and the
Financial Services Authority (FSA).

_____________________________________________________________________________________________

Policy and Research Division Page 17 of 17

L:\Administration\IT
Division\Projects\Website\Content\Updates\SOG\SOG_Internal_Controls_in_Banks.doc