Personal Website of R.Kannan
Financial Standards and Codes: Report of Advisory
Introduction

A study of banking problems in general would indicate that the absence of a healthy culture of internal control, manifested most often in a lack of adequate and effective control systems and non-compliance with those which are in existence, is at the core of many banking problems. The BCBS had issued a Framework for Internal Control Systems in Banking Organisations (September 1998) to enable supervisors to evaluate control systems in banks. As explained in the BCBS paper, "A system of effective internal controls is a critical component of bank management and a foundation for the safe and sound operation of banking organisations. A system of strong internal controls can help to ensure that the goals and objectives of a banking organisation will be met, that the bank will achieve long-term profitability targets, and maintain reliable financial and managerial reporting. Such a system can also help so that the bank will comply with laws and regulations as well as policies, plans, internal rules and procedures, and decrease the risk of unexpected losses or damage to the bank’s reputation."

The BCBS paper formed the basis of the Group’s assessment of the level of compliance in India. The Group’s assessment has been provided in Annex 3. The assessment, for obvious reasons, is not bank-specific and is, therefore, based on the Group’s view on the systems existing in banks in India as a whole. Areas where, in the opinion of the Group, gaps exist in the present position obtaining in India vis-à-vis the principles and where necessary action could be initiated are discussed in the following paragraphs.

Management Oversight and Control Culture

Effective oversight of internal control by the management requires, among other things, that the Boards of Directors of banks include in their activities periodic discussions with management concerning the effectiveness of the internal control systems, and ensure that the management has appropriately followed up on the recommendations and concerns on internal control weaknesses expressed by auditors and supervisory authorities. However, in India, the system of periodic discussions by the board with the management, or of follow-up of evaluation and review reports, is not very well established. Evaluation and review reports on internal control systems in banks are mostly treated as routine at the board level and, more often than not, receive limited attention except when a bank has got into some trouble because of failure/breakdown of the system. Such reviews and evaluations are generally not used as important tools of management information and control. Boards of most banks, particularly public sector banks, would need to undergo an attitudinal change towards such evaluations/reviews so that they have a better and firmer say in the maintenance and improvement of internal control systems in banks. In-depth discussions on periodic reports on internal control systems of banks between the management and their boards should be institutionalised. RBI may consider advising all banks to take steps in this regard.

Since internal control is the responsibility of every employee of a bank, it is essential that all personnel within the bank understand its importance and are actively engaged in the process. Therefore, establishing a strong control culture requires banks to regularly reorient and train their personnel so that they fully understand the importance of internal controls in their respective stations. The boards of banks should specifically pay attention to creating and sustaining a culture of control in banks.

The principles suggest that, in reinforcing ethical values, banking organisations should avoid policies and practices that may inadvertently provide incentives or temptations for inappropriate activities. Since, as yet, in India, there is very little incentive or disincentive for good or bad performance, it is important that the criticality of internal controls is never lost sight of.

Risk Assessment

Internal control should include an assessment of all the various risks facing banks, including credit, operational, legal and reputation risks. RBI has issued comprehensive risk management guidelines to banks in terms of which they are required to identify and assess all business and operational risks and formulate and put in place appropriate risk management systems. Scientific risk management is, however, still in the initial stages in most Indian banks, particularly the old private sector and public sector banks. The current situation calls for greater orientation of the banks’ managements and their boards towards better understanding of risks and their management. With a few exceptions, there is not much conscious effort in banks to measure different kinds of risk and decide the level of acceptability of such risks at the board level. RBI may consider outlining clearly the role of the boards of banks in risk management. Risk-based supervision of banks by RBI has to be mirrored in their boards’ supervision and guidance.

Evaluation of risks affecting banks’ strategies and objectives by the senior management has to be continuous and needs to be placed on a formal basis. On the basis of such evaluations, internal controls will have to be revised to appropriately address any new or previously uncontrolled risks.

Control Activities

Control activities need to be seen as a part of day-to-day work rather than as an addition to the daily operations. As part of fostering an appropriate control culture within the bank, senior management should ensure that adequate control activities are defined at every business level and are an integral part of the daily functions of all relevant personnel. While in most Indian banks such checks and controls are in place, there is no uniformity in regard to the standards of compliance. Control activities in these banks are more procedure-driven than a means of conscious and proactive risk management. Although the procedures established do help in the management of risk to some extent, compliance with these procedures at the operating levels, which include the frontline, is not accompanied by the understanding and awareness that the objective behind the given procedures is risk management. Lack of such awareness affects the quality of compliance. An assessment of the control environment and the involvement of the top management in fostering a strong control culture should be a mandatory part of the on-site supervision process adopted by RBI for each bank.

Information and Communication

Effective internal control requires that there are adequate and comprehensive internal financial, operational and compliance data as well as external market information about events and conditions that are relevant to decision making. Information should be reliable, timely, accessible, and provided in a consistent format. The quality and timeliness of MIS in most of the banks in the public sector and some in the private sector leave much scope for improvement. The low level of computerisation and networking is largely responsible for data quality issues in MIS. The quality of MIS is an area of potential risk both from the point of view of internal control and regulatory oversight, and the banks have to recognise it as such.

RBI has issued detailed guidelines to banks regarding the development and implementation of appropriate record management policies and processes. Although generally there are established policies and procedures in this regard, as most of the records continue to be maintained manually, retrieval, presentation and analysis of data are invariably delayed. The responsibility of ensuring appropriate information systems covering all activities, and the integrity of such systems, is enjoined on the senior management of banks. However, greater awareness needs to be promoted among senior management in regard to security, risk and controls in a computerised environment.

Monitoring

Monitoring the overall effectiveness of banks’ internal controls is an important responsibility of the senior management. The monitoring has to be continuous, and systems have been evolved in most developed economies which enable ongoing daily monitoring of internal control/risk management systems. However, monitoring of key risks on a daily basis is not common in the Indian system. Such monitoring, except in the case of market risks for treasury related operations, is yet to be accepted in Indian banks as a part of normal day-to-day operations.

Evaluation by Supervisors

Activities or situations that have historically been associated with internal control breakdowns in banks require the special attention of the supervisors. Similarly, it has to be seen whether changes in banks’ environment necessitate changes in the internal control systems. While these do receive the attention of supervisors in India, the supervisor’s on-site inspection of banks is at present not fully tailored to specific banks’ environment and is thus not quite individualised. RBI may consider taking steps so that such inspections are individualised and a more bank-specific approach is adopted in on-site inspections. As this happens, specific changes in a particular bank’s operating environment will automatically receive special consideration of the supervisor, leading to better evaluation of the bank’s risk management and internal control systems.

External Auditors

While weaknesses in internal control are communicated by external auditors either orally or in writing to the management, there is no practice of external auditors directly communicating their observations and concerns to the supervisors. As stated elsewhere in the report, such sharing of material information with the supervisors may be made legally mandatory for the external auditors.

Conclusion

The boards of banks in India have the responsibility for approving strategies and policies and setting acceptable levels for risk exposures. It is also their responsibility to ensure that senior management monitors the effectiveness of internal control systems. RBI has prescribed a set of mandatory reviews that need to be undertaken by the board or specialised committees of the board. Internal control strategies, policies and procedures are typically approved by the board and communicated to all levels of hierarchy for implementation.

Banks in India have a well-documented and communicated organisational structure that clearly shows lines of reporting responsibility and authority and provides for effective communication throughout the organisation. Corporate values, codes of conduct, standards of appropriate behaviour, etc., are well articulated and these emphasise the importance of internal controls. Bank managements endeavour to ensure that all levels of personnel understand their roles in the internal controls and are fully engaged in the process. There is appropriate segregation of duties and personnel are not assigned conflicting responsibilities. Areas of potential conflicts of interest are normally identified, minimised, and carefully monitored through a system of management audit. The organisational structure of banks ensures appropriate multi-directional information flows across the organisation. Policies and procedures affecting duties and responsibilities of staff are communicated to all concerned personnel.

Banks have systems of periodic internal audit and inspection by persons specially designated for the purpose. Such periodic evaluations of internal control systems are properly documented and reviewed by senior managements at different levels. These audits/inspections are effective means of determining the effectiveness of controls for both the operating level staff as well as the senior management responsible for the effectiveness of the internal control systems. Internal control has been integrated into the operating environment. Thus, banks have introduced systems for ongoing monitoring through concurrent auditors who monitor the effectiveness of internal controls on an ongoing basis. The frequency of internal audits, which is normally once a year or linked to the internal ratings of banks, is increased whenever there is a change in the management’s perception of risks emanating from the activities at particular branches. The internal audit function is independent from the day-to-day functioning of banks and has access to all activities conducted by the banking organisation.

RBI requires all banks to have effective internal control systems consistent with the level of their activities and risks. RBI also evaluates the adequacy and effectiveness of the internal control systems in banks during the on-site inspection process. This is factored into the risk assessment of banks under the CAMELS framework. Necessary follow-up action is taken to ensure that the banks concerned take appropriate corrective action.

RBI has issued comprehensive risk management guidelines to banks in terms of which they are required to identify and assess all business and operational risks and formulate and put in place appropriate risk management systems. Scientific risk management is, however, still in the initial stage in most of the banks, particularly the old private sector and public sector banks. The current situation calls for greater orientation of the banks’ managements and their boards towards better understanding of risks and their management. Monitoring of key risks also needs to be on a daily basis. The other areas where appropriate action could be initiated are performance related compensation, quality of MIS, and increasing awareness about the risks involved in, and the controls required for, working in a computerised environment. However, it may be concluded that the overall level of compliance by the Indian banking system with the principles laid out in the paper is high.