1. As part of its on-going efforts to address bank supervisory issues and enhance supervision through guidance that encourages sound risk management practices, the Basle Committee on Banking Supervision¹ is issuing this draft framework for comment by bank supervisors and other interested parties. It is intended that this framework will be used by supervisors in evaluating banks' internal control systems. A system of effective internal controls is a critical component of bank management and a foundation for the safe and sound operation of banking organisations. A system of strong internal controls can help to ensure that the goals and objectives of a banking organisation will be met, that the bank will achieve long-term profitability targets, and maintain reliable financial and managerial reporting. Such a system can also help to ensure that the bank will comply with laws and regulations as well as policies, plans, internal rules and procedures, and decrease the risk of unexpected losses or damage to the bank's reputation. The paper describes the essential elements of a sound internal control system, drawing upon experience in member countries and principles established in earlier publications by the Committee. The objective of the paper is to outline a number of principles for use by supervisory authorities when evaluating banks' internal control systems.
2. The Basle Committee, along with banking supervisors throughout the world, has focused increasingly on the importance of sound internal controls. This heightened interest in internal controls is, in part, a result of significant losses incurred by several banking organisations. An analysis of the problems related to these losses indicates that they could probably have been avoided had the banks maintained effective internal control systems. Such systems would have prevented or enabled earlier detection of the problems that led to the losses, thereby limiting damage to the banking organisation. In developing these principles, the Committee has drawn on lessons learned from problem bank situations in individual member countries.
3. These principles are intended to be of general application and supervisory authorities should use them in assessing their own supervisory methods and procedures for monitoring how banks structure their internal control systems. While the exact approach chosen by individual supervisors will depend upon a host of factors, including their on-site and off-site supervisory techniques and the degree to which external auditors are also used in the supervisory function, all members of the Basle Committee agree that the principles set out in this paper should be used in evaluating a bank's internal control system.
4. The Basle Committee is distributing this paper to supervisory authorities worldwide in the belief that the principles presented will provide a useful framework for the effective supervision of internal control systems. More generally, the Committee wishes to emphasise that sound internal controls are essential to the prudent operation of banks and to promoting stability in the financial system as a whole.
5. The guidance previously issued by the Basle Committee typically included discussions of internal controls affecting specific areas of bank activities, such as interest rate risk, and trading and derivatives activities. In contrast, this guidance presents a framework that the Basle Committee encourages supervisors to use in evaluating the internal controls over all on- and off-balance sheet activities of banking organisations. The guidance does not focus on specific areas or activities within a banking organisation. The exact application depends on the nature, complexity and risks of the bank's operations. The Committee stipulates in sections III and IV of the paper fourteen principles for banking supervisory authorities to apply in assessing banks' internal control systems. In addition, the Appendix provides supervisory lessons learned from past internal control failures.
Principles for the Assessment of Internal Control Systems
Management oversight and the control culture
Principle 1: The board of directors should have responsibility for approving strategies and policies; understanding the risks run by the bank, setting acceptable levels for these risks and ensuring that senior management takes the steps necessary to identify, monitor and control these risks; approving the organisational structure; and ensuring that senior management is monitoring the effectiveness of the internal control system.
Principle 2: Senior management should have responsibility for implementing strategies approved by the board; setting appropriate internal control policies; and monitoring the effectiveness of the internal control system.
Principle 3: The board of directors and senior management are responsible for promoting high ethical and integrity standards, and for establishing a culture within the organisation that emphasises and demonstrates to all levels of personnel the importance of internal controls. All levels of personnel at a banking organisation need to understand their role in the internal controls process and be fully engaged in the process.
Principle 4: Senior management should ensure that the internal and external factors that could adversely affect the achievement of the bank's objectives are being identified and evaluated. This assessment should cover all the various risks facing the bank (for example, credit risk, country and transfer risk, market risk, interest rate risk, liquidity risk, operational risk, legal risk and reputational risk).
Principle 5: Senior management should ensure that the risks affecting the achievement of the bank's strategies and objectives are continually being evaluated. Internal controls may need to be revised to appropriately address any new or previously uncontrolled risks.
Principle 6: Control activities should be an integral part of the daily operations of a bank. Senior management must set up an appropriate control structure to ensure effective internal controls, defining the control activities at every business level. These should include: top level reviews; appropriate activity controls for different departments or divisions; physical controls; periodic checking for compliance with exposure limits; a system of approvals and authorisations; and, a system of verification and reconciliation. Senior management must periodically ensure that all areas of the bank are in compliance with established policies and procedures.
Principle 7: Senior management should ensure that there is appropriate segregation of duties and that personnel are not assigned conflicting responsibilities. Areas of potential conflicts of interest should be identified, minimised, and carefully monitored.
Information and communication
Principle 8: Senior management should ensure that there are adequate and comprehensive internal financial, operational and compliance data, as well as external market information about events and conditions that are relevant to decision making. Information should be reliable, timely, accessible, and provided in a consistent format.
Principle 9: Senior management should establish effective channels of communication to ensure that all staff are fully aware of policies and procedures affecting their duties and responsibilities and that other relevant information is reaching the appropriate personnel.
Principle 10: Senior management must ensure that there are appropriate information systems in place that cover all activities of the bank. These systems, including those that hold and use data in an electronic form, must be secure and periodically tested.
Principle 11: Senior management should continually monitor the overall effectiveness of the bank's internal controls in helping to achieve the organisation's objectives. Monitoring of key risks should be part of the daily operations of the bank and should include separate evaluations as required.
Principle 12: There should be an effective and comprehensive internal audit of the internal control system carried out by appropriately trained and competent staff. The internal audit function, as part of the monitoring of the system of internal controls, should report directly to the board of directors or its audit committee, and to senior management.
Principle 13: Identified internal control deficiencies should be reported in a timely manner to the appropriate management level and addressed promptly. Material internal control deficiencies should be reported to senior management and the board of directors.
Evaluation of Internal Control Systems by Supervisory Authorities
Principle 14: Supervisors should require that all banks, regardless of size, have an effective system of internal controls that is consistent with the nature, complexity, and risk of their on- and off-balance-sheet activities and that responds to changes in the bank's environment and conditions. In those instances where supervisors determine that a bank's internal control system is not adequate (for example, does not cover all of the principles contained in this document), they should take action against the bank to ensure that the internal control system is improved immediately.
6. Comment is invited on all aspects of this paper, including the Appendix, by 30th March 1998.
Footnote:
1. The Basle Committee on Banking Supervision is a Committee of banking supervisory authorities which was established by the central-bank Governors of the Group of Ten countries in 1975. It consists of senior representatives of bank supervisory authorities and central banks from Belgium, Canada, France, Germany, Italy, Japan, Luxembourg, Netherlands, Sweden, Switzerland, United Kingdom and the United States. It usually meets at the Bank for International Settlements in Basle, where its permanent Secretariat is located.