Versions

 

OM-1.3.18

Internal control consists of five interrelated components:

(a) Control environment: The Board of Directors and senior management are responsible for promoting high ethical and integrity standards, and for establishing a culture within the organisation that emphasises and demonstrates to all levels of personnel the importance of internal controls. All personnel at a banking organisation need to understand their role in the internal controls process and be fully engaged in the process;
(b) Risk assessment: An effective internal control system requires that the material risks that could adversely affect the achievement of the bank's goals are being recognised and continually assessed. This assessment should cover all risks facing the bank and the consolidated banking organisation (that is, credit risk, country and transfer risk, market risk, profit rate risk, liquidity risk, operational risk, legal risk and reputational risk). Internal controls may need to be revised to appropriately address any new or previously uncontrolled risks;
(c) Control activities: Control activities should be an integral part of the daily activities of a bank. An effective internal control system requires that an appropriate control structure is set up, with control activities defined at every business level. These should include: Top level reviews; appropriate activity controls for different departments or divisions; physical controls; checking for compliance with exposure limits and follow-up on non-compliance; a system of approvals and authorisations; and a system of verification and reconciliation;
(d) Information and communication: An effective internal control system requires that there are adequate and comprehensive internal financial, operational and compliance data, as well as external market information about events and conditions that are relevant to decision-making. Information should be reliable, timely, accessible, and provided in a consistent format. It requires that there are reliable information systems in place that cover all significant activities of the bank. These systems, including those that hold and use data in an electronic form, must be secure, monitored independently and supported by adequate contingency arrangements. It also requires effective channels of communication to ensure that all staff fully understand and adhere to policy and procedures affecting their duties and responsibilities and that other relevant information is reaching the appropriate personnel; and
(e) Monitoring activities: The overall effectiveness of the bank's internal controls should be monitored on an ongoing basis. Monitoring of key risks should be part of the daily activities of the bank, as well as periodic evaluations by the business lines and internal audit. There should be an effective and comprehensive internal audit of the internal control system carried out by operationally independent, appropriately-trained and competent staff. The Internal Audit function, as part of the monitoring of the system of internal controls, should report directly to the Board of Directors or its Audit Committee, and to senior management. Internal control deficiencies, whether identified by business line, Internal Audit, or other control personnel, should be reported in a timely manner to the appropriate management level and addressed promptly. Material internal control deficiencies should be reported to senior management and the Board of Directors.
Added: January 2020