1. Board of directors
Principle 1: The board of directors should have responsibility for approving strategies and policies; understanding the risks run by the bank, setting acceptable levels for these risks and ensuring that senior management takes the steps necessary to identify, monitor and control these risks; approving the organisational structure; and ensuring that senior management is monitoring the effectiveness of the internal control system.
10. The board of directors provides governance, guidance and oversight to senior management. It is responsible for setting the broad strategies and major policies of the organisation and approving the overall organisational structure. The board of directors has the ultimate responsibility for ensuring that an adequate system of internal controls is established and maintained. Effective board members are objective, capable, and inquisitive, with a knowledge of the activities of and risks run by the bank. A strong, active board, particularly when coupled with effective upward communication channels and capable financial, legal, and internal audit functions, is often best able to ensure the correction of problems that may diminish the effectiveness of the internal control system.
11. The board of directors should include in its activities (1) periodic discussions with management concerning the effectiveness of the internal control system, (2) a timely review of evaluations of internal controls made by management, internal auditors, and external auditors, and (3) periodic efforts to ensure that management has appropriately followed up on recommendations and concerns expressed by auditors and supervisory authorities on internal control weaknesses.
12. One option used by banks in many countries is the establishment of an independent audit committee to assist the board in carrying out its responsibilities. The establishment of an audit committee allows for detailed examination of information and reports without the need to take up the time of all directors and ensures that the particular questions concerned receive proper attention. The audit committee is typically responsible for overseeing the financial reporting process and the internal control system. As part of this responsibility, the audit committee typically oversees the operations of, and serves as a direct contact for, the bank's internal audit department and engages and serves as the primary contact for the external auditors. In those countries where it is an option, the committee should be composed entirely of outside directors (i.e., members of the board that are not employed by the bank or any of its affiliates) who have knowledge of financial reporting and internal controls. It should be noted that in no case should the creation of an audit committee amount to a transfer of duties away from the full board, which alone is legally empowered to take decisions.
2. Senior management
Principle 2: Senior management should have responsibility for implementing strategies approved by the board; setting appropriate internal control policies; and monitoring the effectiveness of the internal control system.
13. Senior management is responsible for carrying out directives approved by the board of directors, including the implementation of strategies and policies and the establishment of an effective system of internal control. Members of senior management typically delegate responsibility for establishing more specific internal control policies and procedures to those responsible for a particular unit's activities or functions. Consequently, it is important for senior management to ensure that the managers to whom they have delegated these responsibilities develop and enforce appropriate policies and procedures.
14. Compliance with an established internal control system is heavily dependent on a well-documented and communicated organisational structure that clearly shows lines of reporting responsibility and authority and provides for effective communication throughout the organisation. The allocation of duties and responsibilities should ensure that there are no gaps in reporting lines and that an effective level of management control is extended to all levels of the bank and its various activities.
15. It is important that senior management takes steps to ensure that activities are conducted by qualified staff with the necessary experience and technical capabilities. Staff should be properly compensated and their training and skills periodically updated. Senior management should institute compensation and promotion policies that reward appropriate behaviours and minimise incentives for staff to ignore or override internal control mechanisms.
3. Control culture
Principle 3: The board of directors and senior management are responsible for promoting high ethical and integrity standards, and for establishing a culture within the organisation that emphasises and demonstrates to all levels of personnel the importance of internal controls. All levels of personnel at a banking organisation need to understand their role in the internal controls process and be fully engaged in the process.
16. An essential element of an effective system of internal control is a strong control culture. It is the responsibility of the board of directors and senior management to emphasise the importance of internal control through their actions and words. This includes the ethical values management displays in their business dealings, both inside and outside the organisation. The words, attitudes and actions of the board of directors and senior management affect the integrity, ethics and other aspects of the bank's control culture.
17. In varying degrees, internal control is the responsibility of everyone in a bank. Almost all employees produce information used in the internal control system or take other actions needed to effect control. An essential element of a strong internal control system is the recognition by every employee of the need to carry out their responsibilities effectively and to communicate to the appropriate level of management any problems in operations, instances of non-compliance with the code of conduct, or other policy violations or illegal actions that are noticed. This can best be achieved when operational procedures are contained in clearly written documentation that is made available to all relevant personnel. It is essential that all personnel within the bank understand the importance of internal control and are actively engaged in the process.
18. In reinforcing ethical values, banking organisations should avoid policies and practices that may inadvertently provide incentives or temptations for inappropriate activities. Examples of such policies and practices include undue emphasis on performance targets or other operational results, particularly short-term ones; high performance-dependent compensation rewards; ineffective segregation of duties or other controls that may offer temptations to misuse resources or conceal poor performance; and insignificant or overly onerous penalties for improper behaviours.
19. While having a strong internal control culture does not guarantee that an organisation will reach its goals, the lack of such a culture provides greater opportunities for errors to go undetected or for improprieties to occur.