FRAMEWORKFORINTERNAL CONTROL SYSTEM

FRAMEWORK

FOR

INTERNAL CONTROL SYSTEMS

IN BANKING ORGANISATIONS

Basle Committee on Banking Supervision

Basle

September 1998

Risk Management Sub-group

of the Basle Committee on Banking Supervision

Co-Chairs:

Mr. Roger Cole – Federal Reserve Board, Washington, D.C.

Ms. Christine Cumming – Federal Reserve Bank of New York

Banque Nationale de Belgique, Brussels Mr. Philip Lefèvre

Commission Bancaire et Financière, Brussels Mr. Jos Meuleman

Office of the Superintendent of Financial Institutions, Ottawa Ms. Aina Liepins

Commission Bancaire, Paris Ms. Brigitte Declercy

Deutsche Bundesbank, Franfurt am Main Ms. Magdalene Heid

Bundesaufsichtsamt für das Kreditwesen, Berlin Mr. Uwe Neumann

Banca d’Italia, Rome Mr. Paolo Pasca

Bank of Japan, Tokyo Mr. Noriyuki Tomioka

Financial Supervisory Agency, Tokyo Mr. Kozo Ishimura

Banque Centrale du Luxembourg Ms. Isabelle Goubin

De Nederlandsche Bank, Amsterdam Mr. Job Swank

De Nederlandsche Bank, Amsterdam Mr. Paul Benschop

Finansinspektionen, Stockholm Mr. Jan Hedquist

Eidgenössiche Bankenkommission, Bern Ms. Renate Lischer

Financial Services Authority, London Mr. Stan Bereza

Federal Deposit Insurance Corporation, Washington, D.C. Mr. Mark Schmidt

Office of the Comptroller of the Currency, Washington, D.C. Mr. Kurt Wilhelm

European Commission, Brussels Mr. Nicholas Cook

Secretariat of the Basle Committee on Banking Supervision,

Bank for International Settlements

Ms. Betsy Roberts

Table of contents

Page

Introduction 1

I. Background 6

II. The objectives and role of the internal controls framework 8

III. The major elements of an internal control process

A. Management oversight and the control culture 10

1. Board of directors 10

2. Senior management 11

3. Control culture 12

B. Risk recognition and assessment 14

C. Control activities and segregation of duties 15

D. Information and communication 17

E. Monitoring activities and correcting deficiencies 19

IV. Evaluation of internal control systems by supervisory 23

V. Role and responsibilities of external auditors 26

Appendix I 27

Appendix II 28

Supervisory lessons learned from internal control failures

Framework for Internal Control Systems in Banking Organisations

1. As part of its on-going efforts to address bank supervisory issues and enhance

supervision through guidance that encourages sound risk management practices, the Basle

Committee on Banking Supervision1

control systems. A system of effective internal controls is a critical component of bank

management and a foundation for the safe and sound operation of banking organisations. A

system of strong internal controls can help to ensure that the goals and objectives of a banking

organisation will be met, that the bank will achieve long-term profitability targets, and

maintain reliable financial and managerial reporting. Such a system can also help to ensure

that the bank will comply with laws and regulations as well as policies, plans, internal rules

and procedures, and decrease the risk of unexpected losses or damage to the bank’s reputation.

The paper describes the essential elements of a sound internal control system, drawing upon

experience in member countries and principles established in earlier publications by the

Committee. The objective of the paper is to outline a number of principles for use by

supervisory authorities when evaluating banks’ internal control systems.

2. The Basle Committee, along with banking supervisors throughout the world, has

focused increasingly on the importance of sound internal controls. This heightened interest in

internal controls is, in part, a result of significant losses incurred by several banking

organisations. An analysis of the problems related to these losses indicates that they could

probably have been avoided had the banks maintained effective internal control systems. Such

systems would have prevented or enabled earlier detection of the problems that led to the

losses, thereby limiting damage to the banking organisation. In developing these principles,

the Committee has drawn on lessons learned from problem bank situations in individual

3. These principles are intended to be of general application and supervisory

authorities should use them in assessing their own supervisory methods and procedures for

monitoring how banks structure their internal control systems. While the exact approach

chosen by individual supervisors will depend upon a host of factors, including their on-site

The Basle Committee on Banking Supervision is a Committee of banking supervisory authorities which

was established by the central bank Governors of the Group of Ten countries in 1975. It consists of senior

representatives of bank supervisory authorities and central banks from Belgium, Canada, France,

Germany, Italy, Japan, Luxembourg, Netherlands, Sweden, Switzerland, United Kingdom and the United

States. It usually meets at the Bank for International Settlements in Basle, where its permanent Secretariat

is issuing this framework for the evaluation of internal

- 2 -

and off-site supervisory techniques and the degree to which external auditors are also used in

the supervisory function, all members of the Basle Committee agree that the principles set

out in this paper should be used in evaluating a bank’s internal control system.

4. The Basle Committee is distributing this paper to supervisory authorities

worldwide in the belief that the principles presented will provide a useful framework for the

effective supervision of internal control systems. More generally, the Committee wishes to

emphasise that sound internal controls are essential to the prudent operation of banks and to

promoting stability in the financial system as a whole. While the Committee recognises that

not all institutions may have implemented all aspects of this framework, banks are working

5. The guidance previously issued by the Basle Committee typically included

discussions of internal controls affecting specific areas of bank activities, such as interest rate

risk, and trading and derivatives activities. In contrast, this guidance presents a framework

that the Basle Committee encourages supervisors to use in evaluating the internal controls

over all on- and off-balance sheet activities of banks and consolidated banking organisations.

The guidance does not focus on specific areas or activities within a banking organisation. The

exact application depends on the nature, complexity and risks of the bank’s activities.

6. The Committee provides background information is section I, sets out the

objectives and role of an internal control framework in Section II, and stipulates in sections III

and IV of the paper thirteen principles for banking supervisory authorities to apply in

assessing banks’ internal control systems. In addition, Appendix I lists reference materials

and Appendix II provides supervisory lessons learned from past internal control failures.

Principles for the Assessment of Internal Control Systems

Management oversight and the control culture

The board of directors should have responsibility for approving and periodically

reviewing the overall business strategies and significant policies of the bank;

understanding the major risks run by the bank, setting acceptable levels for these

risks and ensuring that senior management takes the steps necessary to identify,

measure, monitor and control these risks; approving the organisational structure;

and ensuring that senior management is monitoring the effectiveness of the

internal control system. The board of directors is ultimately responsible for

ensuring that an adequate and effective system of internal controls is established

- 3 -

Senior management should have responsibility for implementing strategies and

policies approved by the board; developing processes that identify, measure,

monitor and control risks incurred by the bank; maintaining an organisational

structure that clearly assigns responsibility, authority and reporting relationships;

ensuring that delegated responsibilities are effectively carried out; setting

appropriate internal control policies; and monitoring the adequacy and

effectiveness of the internal control system.

The board of directors and senior management are responsible for promoting high

ethical and integrity standards, and for establishing a culture within the

organisation that emphasises and demonstrates to all levels of personnel the

importance of internal controls. All personnel at a banking organisation need to

understand their role in the internal controls process and be fully engaged in the

Risk Recognition and Assessment

An effective internal control system requires that the material risks that could

adversely affect the achievement of the bank’s goals are being recognised and

continually assessed. This assessment should cover all risks facing the bank and

the consolidated banking organisation (that is, credit risk, country and transfer

risk, market risk, interest rate risk, liquidity risk, operational risk, legal risk and

reputational risk). Internal controls may need to be revised to appropriately

address any new or previously uncontrolled risks.

Control Activities and Segregation of Duties

Control activities should be an integral part of the daily activities of a bank. An

effective internal control system requires that an appropriate control structure is

set up, with control activities defined at every business level. These should include:

top level reviews; appropriate activity controls for different departments or

divisions; physical controls; checking for compliance with exposure limits and

follow-up on non-compliance; a system of approvals and authorisations; and, a

system of verification and reconciliation.

- 4 -

An effective internal control system requires that there is appropriate segregation

of duties and that personnel are no