2. The types of control breakdowns typically seen in problem bank cases can be grouped into five broad categories:

• Lack of adequate management oversight and accountability, and failure to develop a strong control culture within the bank. Without exception, cases of major loss reflect management inattention to, and laxity in, the control culture of the bank, insufficient guidance and oversight by boards of directors and senior management, and a lack of clear management accountability through the assignment of roles and responsibilities. These cases also reflect insufficient incentives to carry out strong line supervision and maintain a high level of control consciousness within business areas.

• Inadequate assessment of the risk of certain banking activities, whether on- or off-balance sheet. Many banking organisations that have suffered major losses neglected to continually assess the risks of new products and activities, or update their risk assessments when significant changes occurred in the environment or business conditions. Many recent cases highlight the fact that control systems that function well for traditional or simple products are unable to handle more sophisticated or complex products.

• The absence or failure of key control activities, such as segregation of duties, approvals, verifications, reconciliations, and reviews of operating performance. Lack of segregation of duties in particular has played a major role in the significant losses that have occurred at banks.

• Inadequate communication of information between levels of management within the bank, especially in the upward communication of problems. To be effective, policies and procedures need to be effectively communicated to all personnel involved in an activity. Some losses in banks occurred because relevant personnel were not aware of or did not understand the bank's policies. In several instances, information about inappropriate activities that should have been reported upward through organisational levels was not communicated to the board of directors or senior management until the problems became severe. In other instances, information in management reports was not complete or accurate, creating a favourable impression of a business situation that was in fact problematic.

• Inadequate or ineffective audit programs and other monitoring activities. In many cases, audits were not sufficiently rigorous to identify and report the control weaknesses associated with problem banks. In other cases, even though auditors reported problems, they were not corrected by management

3. The internal control framework underlying this guidance is based on practices currently in place at many major banks, securities firms, and non-financial companies, and their auditors. Moreover, this evaluation framework is consistent with the increased emphasis of banking supervisors on the review of a banking organisation's risk management and internal control processes. It is important to emphasise that it is the responsibility of a bank's board of directors and senior management to ensure that adequate internal controls are in place at the bank and to foster an environment where individuals understand and take seriously their responsibilities in this area. In turn, it is the responsibility of banking supervisors to assess the commitment of a bank's board of directors and management to the internal control process.