How does the board ensure the integrity of the risk management system?

Internal and external auditors play an important role in the risk management process of a firm by risk auditing, i.e. auditing and testing the risk management process and internal controls on a periodic basis. They must ensure that the systems are robust. If they uncover weaknesses or if there have been significant changes in the product line or market circumstances, then they must risk audit these internal systems more frequently.

They should evaluate the independence and overall effectiveness of the risk management function (especially relating to measuring, reporting and limiting risks) and confirm that all risk profile data is accurate. They must ensure that risk controllers and risk takers are complying with established risk management policies, and that proper documentation on the risk management process and internal controls is in place. Internal auditors’ reports should be sent directly to senior managers and the supervisory board, which for their part must study these reports and, if necessary, act upon them.

The supervisory board should set up an audit committee (comprised entirely of non-executive Directors) to ensure senior managers do not override internal controls in their daily operations. This function of compliance testing requires systematic identification, testing, and evaluation of critical internal controls to determine whether established procedures are followed. The committee must be able to refer to the firm’s internal and external auditors but must also have access to outside experts.

They should also encourage banks with whom the firm has regular dealing contacts to ‘inform’ senior management of any large/unusual trades. Outsiders’ eyes are a good and free method of internal control.

Merck’s risk audit
Merck’s chairman, president and chief executive officer, Raymond Gilmartin, and chief financial officer, Judy Lewent, are confident that their internal control systems are strong. They state in the company’s 1996 annual report:

«The independent public accountants have audited the Company’s consolidated financial statements as described in their report. Although their audits were not designed for the purpose of forming an opinion on internal controls, the Company’s accounting systems, procedures and internal controls were subject to testing and other auditing procedures sufficient to enable the independent public accountants to render their opinion on the Company’s financial statements».

«The recommendations of the internal auditors and independent public accountants are reviewed by management. Control procedures have been implemented or revised as appropriate to respond to these recommendations. No material control weaknesses have been brought to the attention of management. In management’s opinion, for the year ended December 31, 1995, the internal control system was strong and accomplished the objectives discussed herein (in Box 4)».

Mr Gilmartin’s and Ms Lewent’s public signing off on the robustness of the firm’s internal control systems engenders an accountability on their part which will encourage them to ensure that their systems are indeed as water-tight as they can possibly be.

