Principle 14: Supervisors should require that all banks, regardless of size, have an effective system of internal controls that is consistent with the nature, complexity, and risk of their on- and off-balance-sheet activities and that responds to changes in the bank's environment and conditions. In those instances where supervisors determine that a bank's internal control system is not adequate (for example, does not cover all of the principles contained in this document), they should take action against the bank to ensure that the internal control system is improved immediately.
41. Although the board of directors and senior management bear the ultimate responsibility for an effective system of internal controls, supervisors should assess the internal control system in place at individual banks as part of their ongoing supervisory activities. The supervisors should also determine whether individual bank management gives prompt attention to any problems that are detected through the internal control process.
42. Supervisors should require the banks they supervise to have strong control cultures and should take a risk-focused approach in their supervisory activities. This includes a review of the adequacy of internal controls. It is important that supervisors not only assess the effectiveness of the overall system of internal controls, but also evaluate the controls over high-risk areas (e.g., areas with characteristics such as unusual profitability, rapid growth, or new business activity). Bank supervisors should place special emphasis on written policies and procedures as a key communication mechanism.
43. Supervisors, in evaluating the internal control systems of banks, may choose to direct special attention to activities or situations that historically have been associated with internal control breakdowns leading to substantial losses. Certain changes in a bank's environment should be the subject of special consideration to see whether accompanying revisions are needed in the internal control system. These changes include:
- a changed operating environment;
- new personnel;
- new or revamped information systems;
- areas/activities experiencing rapid growth;
- new technology;
- new lines, products, activities (particularly complex ones);
- corporate restructurings, mergers and acquisitions; and
- expansion or acquisition of foreign operations (including the impact of changes in the related economic and regulatory environments).
44. To evaluate the quality of internal controls, supervisors can take a number of approaches. Supervisors can evaluate the work of the internal audit department of the bank through review of its work papers, including the risk assessment methodology used. If satisfied with the quality of the internal audit department's work, supervisors can use the reports of internal auditors as a primary mechanism for identifying control problems in the bank, or for identifying areas of potential risk that the auditors have not recently reviewed. Some supervisors may use a self-assessment process, in which management reviews the internal controls on a business-by-business basis and certifies to the supervisor that its controls are adequate for its business. Other supervisors may require periodic external audits of key areas, where the supervisor defines the scope. And finally, supervisors may combine one or more of the above techniques with their own on-site reviews or examinations of internal controls.
45. Supervisors in many countries conduct on-site examinations and a review of internal controls is an integral part of such examinations. An on-site review could include both a review of the business process and a reasonable level of transaction testing in order to obtain an independent verification of the bank's own internal control processes.
46. An appropriate level of transaction testing should be performed to verify:
- the adequacy of, and adherence to, internal policies, procedures and limits;
- the accuracy and completeness of management reports and financial records; and
- the reliability (i.e., whether it functions as management intends) of specific controls identified as key to the internal control element being assessed.
47. In order to evaluate the effectiveness of the five internal control elements of a banking organisation (or a unit/activity thereof), supervisors should:
- identify the internal control objectives that are relevant to the organisation, unit or activity under review (e.g., lending, investing, accounting);
- evaluate the effectiveness of the internal control elements, not just by reviewing policies and procedures, but also by reviewing documentation, discussing operations with various levels of bank personnel, observing the operating environment, and testing transactions;
- share supervisory concerns about internal controls and recommendations for their improvement with the board of directors and management on a timely basis; and
- determine that, where deficiencies are noted, corrective action is taken in a timely manner.
48. Banking supervisory authorities that do not conduct routine on-site examinations typically make use of the work of external auditors. In those instances, the external auditors should be performing the review of the business process and the transaction testing described above.
49. In all instances, bank supervisors should review the external auditors' observations and recommendations regarding the effectiveness of internal controls and determine that bank management and the board of directors have addressed the concerns and recommendations expressed by the external auditors. The level and nature of control problems found by auditors should be factored into supervisors' evaluation of the effectiveness of a bank's internal controls.
50. Supervisors should also encourage bank external auditors to plan and conduct their audits in ways that appropriately consider the possibility of misstatement of banks' financial statements due to fraud. Any fraud found by external auditors, regardless of materiality, should be communicated to the appropriate level of management. Fraud involving senior management and fraud that is material to the entity should be reported to the board of directors and/or audit committee. External auditors may be expected to disclose fraud to certain supervisory authorities or others outside the bank in certain circumstances (subject to national requirements).
51. In reviewing the adequacy of the internal control process at individual banking organisations, supervisors should also determine that the process is effective across business lines and subsidiaries. It is important that supervisors evaluate the internal control process not only at the level of individual businesses or legal entities, but also across the wide spectrum of activities and subsidiaries within the consolidated banking organisation.