Internal Controls

Internal controls are intended to keep a bank on track in achieving its goals and objectives while minimizing surprises. However, controls are only as effective—or as good—as the people charged with implementing them. For controls to work effectively, employees must not only abide by them, they must also be encouraged to report unethical behavior, such as theft or misuse of bank assets. Otherwise, the controls will fail. Although everyone in a bank has responsibility for ensuring the integrity of internal controls, the job of developing and maintaining the bank’s internal controls is usually vested with the chief executive officer.

The basic elements of a comprehensive internal control process are:

  • Control Environment
  • Risk Identification
  • Risk Assessment
  • Control Activities
  • Monitoring


Control Environment

The control environment is a critical determinant of internal control effectiveness. If the culture or value system of the organization in which controls are applied does not foster the appropriate conditions, they will lose their effectiveness. Thus, controls will fail if a bank condones ignoring controls, fails to hold individuals accountable for control violations, and permits individuals to gain personal advantage at the expense of the bank or prizes getting ahead at any cost.

Key to the control environment are management’s values and the operating conditions management establishes—the “tone at the top.” Among other things, tone reflects the importance that management places on devising, implementing and adhering to the control process. It means being able to answer yes to questions such as these:

  • Does management stress, by word and example, integrity, honesty and ethical behavior in business dealings within the bank and with bank customers?
  • Does management support a commitment to competence and encourage individuals to come forward when they suspect wrongdoing?

If management lacks a commitment to the enforcement of controls, then controls will be largely ineffective because they will be ignored. One example is the 2002 failure of Enron and some of the causes of its well-reported demise. On paper, the company had strong controls that should have kept it out of trouble. However, poor organizational tone caused the firm to fail. For more information on Enron and its failure, read “The Pride and the Fall of Enron” by Tom Fowler. Enron’s case illustrates the importance of organizational tone in determining the effectiveness of risk management.



Risk Identification

In identifying risk, banks often use two review approaches: top down and bottom up.

Top-down reviews tend to be event-focused and are often conducted across the entire bank. These reviews may use the following resources and methods to identify internal and external events that could affect the bank, to determine if the bank is prone to specific failures, to spotlight possible risk exposures and to create predictive tools for possible future risks:

  • surveys, interviews or workshops with management and staff;
  • breakdowns at other banks of similar size and serving similar communities;
  • information from conference presentations, published supervisory guidance or law enforcement advisories; and
  • detection of losses over time.

Bottom-up reviews tend to focus on internal and external risk exposures associated with individual bank activities. They are often performed by line officers and staff involved in the activity under review. The review may require group meetings with frank discussions and analysis of process flow charts to:

  • determine weak points that could lead to a risk event, and
  • identify procedural gaps and the possible risks they present.

Results from these business line reviews are then aggregated for the bank.

Regardless of the approach taken, it is important to develop a firm-wide view of the bank’s risk exposures and their nature. This comprehensive view of risk lays the groundwork for determining implications for the bank and for devising strategies for its control.



Risk Assessment

Risk assessments in their simplest terms involve determining the impact of identified risks on a bank. Impact in this context is defined broadly and includes more than monetary loss; it could include legal and reputational risk. It is important to note that risk can be positive as well as negative; positive risk events represent possible opportunities for the bank.

An important concept to consider when performing risk assessments is inherent risk. Inherent risk represents the intrinsic risk associated with an action or activity without any action to reduce or mitigate the risk by a bank. Inherent risk is made up of two components:

  1. likelihood that an event will occur and
  2. amount of loss associated with that event.

Possibility of Risk

The likelihood dimension of inherent risk includes the chance that an event will occur during an associated time horizon. For example, you may have heard a newscaster reporting on a flood that experts consider to be a 100-year flood, meaning that a flood of that magnitude occurs approximately once every hundred years.

The likelihood of an event doesn’t have much meaning for risk unless there is a consequence associated with it. Using the flood example, if your bank is located on a hill that has never been covered with water, there probably won’t be any direct consequences to it from a 100-year flood event.

Some bank activities are inherently riskier than others because of the likelihood of their occurrence or consequences from their occurrence. Some factors that influence an activity’s inherent risk are transaction volume, dollar amount, newness and automation. The first two—transaction volume and dollar amount—affect the extent of gain or loss a bank can experience from a risk event. Newness influences the probability of loss simply because new activities are more likely to suffer unanticipated operational breakdowns than established activities. Automation affects both the amount and chance of loss. Automated systems provide many benefits because they facilitate completing tasks (sometimes menial, sometimes complex) at low cost with minimal human intervention; as a result, they are ubiquitous in a bank, increasing the possibility of loss associated with their breakdown.

Another part of the assessment process involves determining the interrelationship among the bank’s identified risks. It also includes pinpointing the circumstances or points where they are likely to occur. Regarding the former, the operation of a bank involves many processes. Some are independent of one another; some feed into one another. You should know these relationships to avoid unintended consequences from actions that may mitigate risk in one area but increase it in another area. For example, changes to a bank’s loan policy to tighten its lending practices and the terms of its lending invariably affect not only its credit risk but also its liquidity, market and operational risk.

Pinpointing the circumstances or points in a bank’s activities where risks occur helps determine the nature of the risks and the control activities needed to mitigate them. To help see this, take any of the bank’s processes and follow it from where it starts to where it ends. Here’s an example for a bank’s lending function. The example is highly stylized but includes information on where controls such as higher-level approvals and separation of duties may be applied.

  • A customer comes to the bank with a loan proposal. The loan officer gathers the necessary information to determine the credit-worthiness of the borrower, the appropriateness of the loan in the context of the bank’s loan policy and the loan’s profitability to the bank.
  • At that point, it must be determined whether the loan can be approved: If it cannot, the loan officer informs the customer of the bank’s decision; if it can be approved, the next decision determines who approves it.
  • Depending upon the amount and consistency with provisions of the bank’s loan policy, the loan officer or a higher lending authority in the bank may approve the loan. With the loan approved, the necessary paperwork (loan agreements, mortgages, collateral agreements, consumer notification forms, etc.) is prepared. The customer signs the forms, most often at the bank, and funds are disbursed, generally by check or deposit.
  • The loan clerk then enters the loan into the bank’s loan system and the bank’s accounting area records the funds disbursement.
  • Later, in keeping with the bank’s review process, the note journal is reconciled against the general ledger.

Lending Function Flow Chart

In reviewing this process, you should look for:

  • key positions and decisions in the process, places where significant errors or misdeeds can occur;
  • separation of duties—those who have custody over assets should not have the responsibility to make accounting entries pertaining to those assets; individuals who make accounting entries should not have the authority to review or reconcile those entries; furthermore, those who conduct an activity should not also have the responsibility to authorize or review the activity;
  • independence of individuals performing control tasks—a subordinate cannot be relied upon to provide an independent check of a superior; and
  • work being done to ensure that practice follows policy.
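The three review points above (separation of duties, independence of the reviewer, and approval by the proper lending authority) can be checked mechanically against a record of who holds which duties. The following is an added example written for this page, not code from the course or from any bank; the duty labels, staff names, reporting lines, loan amounts and approval limits are all constructed for illustration.

```python
from itertools import combinations

# Duties taken from the stylized lending walkthrough. The labels are constructed for this
# example; a real bank's role catalogue would be far larger.
ORIGINATE = "originates_loan"            # gathers borrower information, prepares paperwork
APPROVE = "approves_loan"                # approves the loan (loan officer or higher authority)
CUSTODY = "disburses_funds"              # has custody of the funds being disbursed
ACCOUNTING = "records_disbursement"      # makes the accounting entry for the disbursement
RECONCILE = "reconciles_note_journal"    # reconciles the note journal to the general ledger

# Duty pairs one person should not hold at the same time, following the separation-of-duties
# rules in the text: custody vs. accounting entries, accounting entries vs. reconciliation,
# and conducting an activity vs. authorizing it.
CONFLICTS = {
    frozenset({CUSTODY, ACCOUNTING}),
    frozenset({ACCOUNTING, RECONCILE}),
    frozenset({ORIGINATE, APPROVE}),
}


def sod_violations(assignments):
    """assignments: person -> set of duties. Returns one finding per conflicting pair held."""
    findings = []
    for person, duties in sorted(assignments.items()):
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in CONFLICTS:
                findings.append(f"{person}: holds both '{a}' and '{b}'")
    return findings


def independence_violations(reviews, reports_to):
    """reviews: list of (reviewer, reviewed). reports_to: person -> manager.
    A reviewer who reports, directly or through a chain of managers, to the person
    being reviewed is a subordinate and cannot provide an independent check."""
    findings = []
    for reviewer, reviewed in reviews:
        seen = set()
        manager = reports_to.get(reviewer)
        while manager is not None and manager not in seen:  # guard against cyclic org data
            if manager == reviewed:
                findings.append(f"{reviewer} reviews {reviewed} but reports to them")
                break
            seen.add(manager)
            manager = reports_to.get(manager)
    return findings


def approval_authority_violations(loans, limits):
    """loans: list of (loan_id, amount, approver). limits: approver -> largest amount that
    person may approve alone; anything larger needs a higher lending authority."""
    findings = []
    for loan_id, amount, approver in loans:
        limit = limits.get(approver, 0)
        if amount > limit:
            findings.append(f"{loan_id}: {amount} approved by {approver}, whose limit is {limit}")
    return findings


# Constructed sample data: a small lending unit with one deliberate problem of each kind.
SAMPLE_ASSIGNMENTS = {
    "loan_officer": {ORIGINATE},
    "senior_lender": {APPROVE},
    "loan_clerk": {CUSTODY, ACCOUNTING},   # disburses and records the same funds
    "accountant": {RECONCILE},
}
SAMPLE_REPORTS_TO = {
    "loan_officer": "senior_lender",
    "loan_clerk": "senior_lender",
    "accountant": "controller",
}
SAMPLE_REVIEWS = [
    ("accountant", "loan_clerk"),        # independent: separate reporting line
    ("loan_officer", "senior_lender"),   # a subordinate reviewing a superior
]
SAMPLE_LIMITS = {"loan_officer": 50_000, "senior_lender": 500_000}
SAMPLE_LOANS = [
    ("L-1001", 25_000, "loan_officer"),
    ("L-1002", 120_000, "loan_officer"),   # exceeds the officer's authority
    ("L-1003", 300_000, "senior_lender"),
]


def run_checks():
    """Run all three checks over the sample data and return the findings by check."""
    return {
        "segregation": sod_violations(SAMPLE_ASSIGNMENTS),
        "independence": independence_violations(SAMPLE_REVIEWS, SAMPLE_REPORTS_TO),
        "authority": approval_authority_violations(SAMPLE_LOANS, SAMPLE_LIMITS),
    }


if __name__ == "__main__":
    for check, findings in run_checks().items():
        print(check, findings or "no findings")
```

Each check is a pure function over the assignment data, so the same code can be run against a real role extract on a schedule as an ongoing monitoring control; the sample data is sized to surface exactly one finding per check.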



Risk Control and Mitigation

The risk inherent in some activities would be unacceptable if banks did not find ways to control or reduce their associated risks. Traditionally, banks have relied heavily on their internal controls process to manage operational risk. In many instances, this process is transparent because internal controls are built into the systems, processes and procedures that banks use to manage their risks.

Generally, internal controls are of two types: preventive and detective. Preventive controls are intended to keep the risk from occurring, just as a lock on a door is intended to reduce the risk of burglary. On the other hand, detective controls reveal the occurrence of a risk event so that corrective action can be taken to minimize loss, like the sounding of a home security system alarm that summons the police. In some instances, a control can perform both functions. In the list of internal controls below, each control is marked as preventive, detective or both.


Control Activity                  Preventive   Detective
Segregation of Duties             yes
Rotation of Duties                yes          yes
Dual Controls                     yes
Access Controls                   yes
Activity Controls                 yes
Information Processing Controls   yes          yes
Physical Controls                 yes
Exposure Limits                   yes
Approvals                         yes          yes
Authorizations                    yes          yes
Verification and Reconciliation   yes          yes
Established Lines of Authority    yes
Top-level Reviews                              yes

Usually bank processes contain multiple controls. This layering strengthens overall control. In some instances, controls reinforce one another (e.g., internal and external door locks, vaults and alarm systems). In some cases, layering helps compensate for a missing control. For example, rotation of duties might compensate for a lack of sufficient personnel to implement segregation of duties.



Monitoring

Because internal controls represent a process, the process must be monitored to determine its continued effectiveness. This is often done through ongoing monitoring and separate evaluations.

Ongoing monitoring procedures are often built into the normal, recurring activities of a bank. They often include such things as routine management reviews, comparisons, reconciliations, exception reports and other actions taken by personnel doing their jobs. Ongoing monitoring procedures are generally performed while work is being done or soon after it is completed.

For example, at the end of the day tellers may be required to reconcile the balance in their drawers against receipts and payments made during business hours. The tellers’ supervisor reviews their reports, looking for large overages and shortages, and compares reports over time for any evolving patterns. When the supervisor believes there is a problem, he or she will look into possible causes for it and determine what action should be taken. A possible cause might be a teller who doesn’t follow policy and leaves a drawer open and unattended when leaving the work area.
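The supervisor’s review in this example has two parts: an exception list of individually large differences, and a comparison over time that catches small differences that recur for the same teller. The following is an added example written for this page, not code from the course or from any bank’s teller system; the drawer figures, teller names and dates are constructed, and the threshold and pattern window are assumed values a bank would set in its own policy.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DrawerClose:
    """One teller's end-of-day drawer close. Amounts are in cents to avoid float rounding."""
    day: str
    teller: str
    opening: int    # cash in the drawer at the start of the day
    receipts: int   # cash taken in during the day
    payments: int   # cash paid out during the day
    counted: int    # cash physically counted at close

    def difference(self):
        """Counted minus expected balance: positive is an overage, negative a shortage."""
        return self.counted - (self.opening + self.receipts - self.payments)


def exception_report(closes, large_threshold=10_000, pattern_min_days=3):
    """Supervisor's ongoing-monitoring review of drawer closes.

    large_threshold: absolute difference (cents) that goes on the exception list (assumed).
    pattern_min_days: number of shortage days after which a teller is flagged for a pattern
    even if each day's shortage is individually below the threshold (assumed).
    """
    large = []
    history = defaultdict(list)
    for close in sorted(closes, key=lambda c: (c.day, c.teller)):
        diff = close.difference()
        history[close.teller].append(diff)
        if abs(diff) >= large_threshold:
            large.append((close.day, close.teller, diff))
    patterns = {}
    for teller, diffs in history.items():
        shortage_days = sum(1 for d in diffs if d < 0)
        if shortage_days >= pattern_min_days:
            patterns[teller] = {"shortage_days": shortage_days, "net": sum(diffs)}
    return {"large_differences": large, "patterns": patterns}


# Constructed sample: three tellers over three business days.
SAMPLE_CLOSES = [
    # teller A balances to the cent every day
    DrawerClose("2024-03-11", "A", 200_000, 50_000, 30_000, 220_000),
    DrawerClose("2024-03-12", "A", 220_000, 40_000, 45_000, 215_000),
    DrawerClose("2024-03-13", "A", 215_000, 30_000, 20_000, 225_000),
    # teller B has a single large overage on one day
    DrawerClose("2024-03-11", "B", 150_000, 20_000, 10_000, 160_000),
    DrawerClose("2024-03-12", "B", 160_000, 25_000, 15_000, 182_000),
    DrawerClose("2024-03-13", "B", 182_000, 10_000, 12_000, 180_000),
    # teller C is short by a small amount every day: below the threshold, but a pattern
    DrawerClose("2024-03-11", "C", 180_000, 30_000, 20_000, 188_500),
    DrawerClose("2024-03-12", "C", 188_500, 20_000, 25_000, 181_500),
    DrawerClose("2024-03-13", "C", 181_500, 35_000, 30_000, 185_300),
]


if __name__ == "__main__":
    report = exception_report(SAMPLE_CLOSES)
    print("large differences:", report["large_differences"])
    print("patterns:", report["patterns"])
```

Teller B’s single overage is caught by the threshold, while teller C never trips it and is only visible in the over-time comparison; the report says nothing about cause, which is the supervisor’s follow-up step described in the text.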

Separate evaluations often result from management’s request to look into a matter or because of risk assessments performed by the bank’s audit function. Closer evaluations generally occur after a possible problem is detected. Note that these types of evaluations can take the form of a self-assessment done by management, although the result may be biased in favor of management personnel conducting the assessment.

To reduce bias, the bank’s internal auditors or the external auditors frequently complete evaluations. Audit personnel normally aren’t involved in daily operations and can provide an independent check of the bank’s risk management process. Audits can be considered a second channel of information on how well the bank’s risk management systems and controls are functioning and whether there are any deficiencies that need to be corrected. To ensure this channel remains independent, it is important that the audit function report directly to the Audit Committee or the board of directors and not to the chief executive officer or bank president who may have responsibility for the bank’s internal controls.

1. A bank’s chief executive officer is often given primary responsibility for devising and implementing a bank’s internal controls. For this reason, the organizational structure needs to reflect a direct reporting relationship between the CEO and the bank’s internal audit function.
   True / False

2. Inherent risk is defined as the risk associated with an action or activity before any risk mitigation is applied.
   True / False

3. A bank’s lending is considered to have low inherent risk.
   True / False

4. Audit reports and examination reports are two information sources that directors can use to help determine the adequacy of a bank’s internal control process and its management of operational risk.
   True / False