PRINCIPLES FOR THE ASSESSMENT OF INTERNAL CONTROL SYSTEMS
Basle Committee on Banking Supervision
MANAGEMENT OVERSIGHT AND THE CONTROL CULTURE
Principle 1
The board of directors should have responsibility for approving strategies and policies; understanding the risks run by the bank; setting acceptable levels for these risks; ensuring that senior management takes the steps necessary to identify, monitor, and control these risks; approving the organizational structure; and ensuring that senior management is monitoring the effectiveness of the internal control system.
Principle 2
Senior management should have responsibility for implementing strategies approved by the board; setting appropriate internal control policies; and monitoring the effectiveness of the internal control system.
Principle 3
The board of directors and senior management are responsible for promoting high standards of ethics and integrity and for establishing a culture within the organization that emphasizes and demonstrates to all levels of personnel the importance of internal controls. All levels of personnel at a banking organization need to understand their role in the internal control process and to be fully engaged in the process.
RISK ASSESSMENT
Principle 4
Senior management should ensure that the internal and external factors that could adversely affect the achievement of the bank’s objectives are being identified and evaluated. This assessment should cover all the various risks facing the bank (for example, credit risk, country and transfer risk, market risk, interest-rate risk, liquidity risk, operational risk, and risk to reputation).
Principle 5
Senior management should ensure that the risks affecting the achievement of the bank’s strategies and objectives are continually being evaluated. Internal controls may need to be revised to appropriately address any new or previously uncontrolled risks.
CONTROL ACTIVITIES
Principle 6
Control activities should be an integral part of the daily operations of a bank. Senior management must set up an appropriate control structure to ensure effective internal controls, defining the control activities at every business level. These should include top-level reviews; appropriate activity controls for different departments or divisions; physical controls; periodic checking for compliance with exposure limits; a system of approvals and authorizations; and a system of verification and reconciliation.
Senior management must periodically ensure that all areas of the bank are in compliance with established policies and procedures.
Principle 7
Senior management should ensure that there is appropriate segregation of duties and that personnel are not assigned conflicting responsibilities. Areas of potential conflicts of interest should be identified, minimized, and carefully monitored.
INFORMATION AND COMMUNICATION
Principle 8
Senior management should ensure that there are adequate and comprehensive internal financial, operational, and compliance data, as well as external market information about events and conditions that are relevant to decision making. Information should be reliable, timely, accessible, and provided in a consistent format.
Principle 9
Senior management should establish effective channels of communication to ensure that all staff are fully aware of policies and procedures affecting their duties and responsibilities and that other relevant information is reaching the appropriate personnel.
Principle 10
Senior management must ensure that there are appropriate information systems in place that cover all activities of the bank.
These systems, including those that hold and use data in an electronic form, must be secure and periodically tested.
MONITORING
Principle 11
Senior management should continually monitor the overall effectiveness of the bank’s internal controls in helping to achieve the organization’s objectives. Monitoring of key risks should be part of the daily operations of the bank and should include separate evaluations as required.
Principle 12
There should be an effective and comprehensive internal audit of the internal control system carried out by appropriately trained and competent staff. The internal audit function, as part of the monitoring of the system of internal controls, should report directly to the board of directors or its audit committee and to senior management.
Principle 13
Identified internal control deficiencies should be reported in a timely manner to the appropriate management level and addressed promptly. Material internal control deficiencies should be reported to senior management and the board of directors. |