III. The Major Elements of an Internal Control Process

C. Control Activities

Principle 6: Control activities should be an integral part of the daily operations of a bank. Senior management must set up an appropriate control structure to ensure effective internal controls, defining the control activities at every business level. These should include: top level reviews; appropriate activity controls for different departments or divisions; physical controls; periodic checking for compliance with exposure limits; a system of approvals and authorisations; and, a system of verification and reconciliation. Senior management must periodically ensure that all areas of the bank are in compliance with established policies and procedures.

24. Control activities are designed and implemented to address the risks that the bank identified through the risk assessment process described above. Control activities involve three steps:

  1. the establishment of policies;
  2. the performance of procedures in accordance with those policies; and,
  3. verification that the policies are being complied with.

Control activities involve all levels of personnel in the bank, including senior management as well as front line personnel. Examples of control activities include:

Top level reviews - Boards of directors and senior management often request presentations and performance reports that enable them to review the bank's progress toward its goals. For example, senior management may review reports showing actual financial results to date versus the budget. Questions that senior management generates as a result of this review and the ensuing responses prepared by lower levels of management represent a control activity which may detect problems such as control weaknesses, errors in financial reporting or fraudulent activities.

Activity controls - Department or division level management receives and reviews standard performance and exception reports on a daily, weekly or monthly basis. Functional reviews occur more frequently than top level reviews and usually are more detailed. For instance, a manager of commercial lending may review weekly reports on delinquencies, payments received, and interest income earned on the portfolio, while the senior credit officer may review similar reports on a monthly basis and in a more summarised form that includes all lending areas. Like the top level review, the questions that are generated as a result of reviewing the reports and the responses to those questions represent the control activity.

Physical controls - Physical controls generally focus on restricting access to physical assets, including securities and other financial assets. Control activities include physical limitations, dual custody, and periodic inventories.

Compliance with exposure limits - The establishment of prudent limits on risk exposures is an important aspect of risk management. For example, compliance with limits for borrowers and other counterparties reduces the bank's concentration of credit risk and helps to diversify its risk profile. Consequently, an important aspect of internal controls is the periodic review of compliance with such limits.

Approvals and authorisations - Requiring approval and authorisation for transactions over certain limits ensures that an appropriate level of management is aware of the transaction or situation, and helps to establish accountability.

Verifications and reconciliations - Verifications of transaction details and activities and the output of risk management models used by the bank are important control activities. Periodic reconciliations, such as those comparing cash flows to account records and statements, may identify activities and records that need correction. Consequently, the results of these verifications should be periodically reported to the appropriate levels of management.

25. Control activities are most effective when they are viewed by management and all other personnel as an integral part of, rather than an addition to, the daily operations of the bank. When controls are viewed as an addition to the day-to-day operations, they are often seen as less important and may not be performed in situations where individuals feel pressured to complete activities in a limited amount of time. In addition, controls that are an integral part of the daily operations enable quick responses to changing conditions and avoid unnecessary costs. As part of fostering the appropriate control culture within the bank, senior management should ensure that adequate control activities are an integral part of the daily functions of all relevant personnel.

26. It is not sufficient for senior management to simply establish appropriate policies and procedures for the various activities and divisions of the bank. They must periodically ensure that all areas of the bank are in compliance with such policies and procedures and also determine that existing policies and procedures remain adequate. This function is usually carried out as part of the internal audit department.

Principle 7: Senior management should ensure that there is appropriate segregation of duties and that personnel are not assigned conflicting responsibilities. Areas of potential conflicts of interest should be identified, minimised, and carefully monitored.

27. In reviewing major banking losses caused by poor internal controls, supervisors typically find that one of the major causes of such losses is the lack of adequate segregation of duties. Assigning conflicting duties to one individual (for example, responsibility for both the front and back offices of a trading function) gives that person access to assets of value and the ability to manipulate financial data for personal gain or to conceal losses. Consequently, certain duties within a bank should be split among various individuals in order to reduce the risk of manipulation of financial data or misappropriation of assets.

28. Segregation of duties is not limited to situations involving simultaneous front and back office control by one individual. Serious problems can also arise when appropriate controls are lacking in instances where an individual has responsibility for:

  • approval of the disbursement of funds and the actual disbursement;
  • customer and proprietary accounts;
  • transactions in both the "banking" and "trading" books;
  • informally providing information to customers about their positions while marketing to the same customers;
  • assessing the adequacy of loan documentation and monitoring the borrower after loan origination; and,
  • any other areas where significant conflicts of interest emerge and are not mitigated by other factors.

29. Areas of potential conflict should be identified, minimised, and carefully monitored. There should also be periodic reviews of the responsibilities and functions of key individuals to ensure that they are not in a position to conceal inappropriate actions.
