35. Banking is a dynamic, rapidly evolving industry. Banks must continually monitor and evaluate their internal control systems in light of changing internal and external conditions, and must enhance these systems as necessary to maintain their effectiveness.

36. Monitoring the effectiveness of internal controls should be part of the daily operations of the bank but also include separate periodic evaluations of the overall internal control process. The frequency of monitoring different activities of a bank should be determined by considering the risks involved and the frequency and nature of changes occurring in the operating environment. Ongoing monitoring activities can offer the advantage of quickly detecting and correcting deficiencies in the system of internal control. Such monitoring is most effective when the system of internal control is integrated into the operating environment and produces regular reports for review. Examples of ongoing monitoring include the review and approval of journal entries, and management review and approval of exception reports.

37. In contrast, separate evaluations typically detect problems only after the fact; however, separate evaluations allow an organisation to take a fresh, comprehensive look at the effectiveness of the internal control system and specifically at the effectiveness of the monitoring activities. Separate evaluations of the internal control system often take the form of self-assessments when persons responsible for a particular function determine the effectiveness of controls for their activities. The documentation and the results of the evaluations are then reviewed by senior management. All levels of review should be adequately documented and reported on a timely basis to the appropriate level of management.

Principle 12: There should be an effective and comprehensive internal audit of the internal control system carried out by appropriately trained and competent staff. The internal audit function, as part of the monitoring of the system of internal controls, should report directly to the board of directors or its audit committee, and to senior management.

38. The internal audit function is an important part of the ongoing monitoring of the system of internal controls because it provides an independent assessment of the adequacy of, and compliance with, the established controls. By reporting directly to the board of directors or its audit committee, and to senior management, the internal auditors provide unbiased information about line activities. Due to the important nature of this function, internal audit must be staffed with competent, well-trained individuals who have a clear understanding of their role and responsibilities. The frequency and extent of internal audit review and testing of the internal controls within a bank should be consistent with the nature, complexity, and risk of the organisation's activities. In all cases, it is critical that the internal audit function is independent from the day-to-day functioning of the bank and that it has access to all activities conducted by the banking organisation.

39. It is important that the internal audit function reports directly to the highest levels of the banking organisation, typically the board of directors or its audit committee, and to senior management. This allows for the proper functioning of corporate governance by giving the board information that is unaltered in any way by the levels of management that the reports cover. The board should also reinforce the independence of the internal auditors by having such matters as their compensation or budgeted resources determined by the board or the highest levels of management rather than by managers who are affected by the work of the internal auditors.

Principle 13: Identified internal control deficiencies should be reported in a timely manner to the appropriate management level and addressed promptly. Material internal control deficiencies should be reported to senior management and the board of directors.

40. Internal control deficiencies, or ineffective policies or procedures, should be reported to the appropriate person(s) as soon as they are identified, with serious matters reported to senior management and the board of directors. Once deficiencies or ineffective policies or procedures are reported, it is important that management corrects the deficiencies on a timely basis. The internal auditors should conduct follow-up reviews and immediately inform senior management or the board of any uncorrected deficiencies. In order to ensure that all deficiencies are addressed in a timely manner, management should establish a system to track internal control weaknesses and actions taken to rectify them.