Supervisory Lessons Learned from Internal Control Failures
A. Management Oversight and the Control Culture
1. Many internal control failures that resulted in significant losses for banks could have been substantially lessened or even avoided if the board and senior management of the organisations had established strong control cultures. Weak control cultures often had two common elements. First, senior management failed to emphasise the importance of a strong system of internal control through their words and actions, and most importantly, through the criteria used to determine compensation and promotion. Second, senior management failed to ensure that the organisational structure and managerial accountabilities were well-defined. For example, senior management failed to require adequate supervision of key decision-makers and reporting of the nature and conduct of business activities in a timely manner.
2. Senior management may weaken the control culture by promoting and rewarding managers who are successful in generating profits but fail to implement internal control policies or address problems identified by internal audit. Such actions send a message to others in the organisation that internal control is considered secondary to other goals in the organisation, and thus diminish the commitment to and quality of the control culture.
3. Some banks with control problems had organisational structures in which accountabilities were not clearly defined. As a result, a division of the bank was not directly accountable to anyone in senior management. This meant that no senior manager monitored the performance of these activities closely enough to notice unusual activities, financial and otherwise, and no senior manager had a comprehensive understanding of the operations and how profits were being generated. If management had understood the operations of the division, they may have been able to recognise warning signs (such as an unusual relationship of profit to levels of risk), investigate the operations and take steps to reduce the eventual losses. These problems could also have been avoided if line management had reviewed transactions and management information reports and held discussions with appropriate personnel about the nature of business transacted. Such approaches provide line management with an objective look at how decisions are being made and ensure that key personnel are operating within the parameters set by the bank and within the internal control framework.
B. Risk Assessment
4. In the recent past, inadequate risk assessment has contributed to some organisations' internal control problems and related losses. In some cases, the potential high yields associated with certain loans, investments, and derivative instruments distracted management from the need to thoroughly assess the risks associated with the transactions and devote sufficient resources to the continual monitoring and review of risk exposures. Losses have also been caused when management has failed to update the risk assessment process as the organisation's operating environment changed. For example, as more complex or sophisticated products within a business line are developed, internal controls may not be enhanced to address the more complex products. A second example involves entry into a new business activity without a full, objective assessment of the risks involved. Without this reassessment of risks, the system of internal control may not appropriately address the risks in the new business.
5. As discussed above, banking organisations will set objectives for operational efficiency and effectiveness, reliability in financial reporting and compliance with laws and regulations. Risk assessment entails the identification and evaluation of the risks involved in meeting those objectives. This process helps to ensure that the bank's internal controls are consistent with the nature, complexity and risk of the bank's on- and off-balance sheet activities.
C. Control Activities
6. In reviewing major banking losses caused by poor internal control, supervisors typically find that these banks failed to observe certain key internal control principles. Of these, segregation of duties, one of the pillars of sound internal control systems, was most frequently overlooked by banks that experienced significant losses from internal control problems. Often, senior management assigned a highly regarded individual responsibility for supervising two or more areas with conflicting interests. For example, in several cases, one individual supervised both the front and back offices of a trading desk. This permitted the individual to control transaction initiation (e.g., buying and selling securities or derivatives) as well as the related bookkeeping function. Assigning such conflicting duties to one individual gives that person the ability to manipulate financial data for personal gain or to conceal losses.
7. Inadequate segregation of duties is not limited to situations involving simultaneous front and back office control by one individual. It can also result in serious problems when an individual has responsibility for:
- approval of the disbursement of funds and the actual disbursement;
- customer and proprietary accounts;
- transactions in both the "banking" and "trading" books;
- informally providing information to customers about their positions while marketing to the same customers;
- assessing the adequacy of loan documentation and monitoring the borrower after loan origination; and
- any other areas where significant conflicts of interest emerge and are not mitigated by other factors [4].
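The conflict pairs listed above, and the compensating control described in footnote 4, can be checked mechanically against a bank's role assignments. The following is an added example and not part of the Basel Committee text: the role names, the user records and the name of the compensating control are constructed assumptions that would map to real entitlements in an identity management system.

```python
"""Segregation-of-duties (SoD) conflict check over role assignments.

Added example, not from the Basel Committee document. CONFLICTING_PAIRS
encodes the responsibilities paragraphs 6 and 7 say one person should not
hold together; COMPENSATING_CONTROLS encodes the mitigation in footnote 4.
All role and control names are illustrative assumptions.
"""
from itertools import combinations

# Pairs of responsibilities that one person should not hold together unless a
# compensating control is in place (assumed role names).
CONFLICTING_PAIRS = {
    frozenset({"trade_initiation", "trade_settlement"}),       # front vs back office
    frozenset({"payment_approval", "payment_execution"}),      # approve vs disburse funds
    frozenset({"customer_accounts", "proprietary_accounts"}),
    frozenset({"banking_book", "trading_book"}),
    frozenset({"loan_documentation_review", "borrower_monitoring"}),
}

# Conflicts that an independent control may mitigate (footnote 4 example).
COMPENSATING_CONTROLS = {
    frozenset({"loan_documentation_review", "borrower_monitoring"}): "independent_loan_review",
}


def find_sod_conflicts(assignments, active_controls=frozenset()):
    """Return (user, role_a, role_b, mitigated) for every conflicting pair a user holds.

    assignments: {user: set_of_roles}; active_controls: names of controls the
    bank actually operates. Output is sorted by user, then role names.
    """
    findings = []
    for user, roles in sorted(assignments.items()):
        for a, b in combinations(sorted(roles), 2):
            pair = frozenset({a, b})
            if pair in CONFLICTING_PAIRS:
                control = COMPENSATING_CONTROLS.get(pair)
                mitigated = control is not None and control in active_controls
                findings.append((user, a, b, mitigated))
    return findings


def unmitigated(findings):
    """Only the conflicts that no compensating control covers."""
    return [f for f in findings if not f[3]]


# Constructed sample data: one trader with front- and back-office roles, one
# operations clerk with a single role, one credit officer covered by loan review.
SAMPLE_ASSIGNMENTS = {
    "trader_01": {"trade_initiation", "trade_settlement", "banking_book"},
    "ops_02": {"payment_execution"},
    "credit_03": {"loan_documentation_review", "borrower_monitoring"},
}

if __name__ == "__main__":
    for finding in find_sod_conflicts(SAMPLE_ASSIGNMENTS, {"independent_loan_review"}):
        print(finding)
```

Run periodically against the entitlement export rather than once at provisioning time: the cases described above arose when a trusted individual accumulated responsibilities over time, which a point-in-time approval does not catch.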
8. Shortcomings in control activities, however, reflect the failure of a variety of efforts to determine that business is being conducted in the expected manner, from high-level reviews to maintenance of specific checks and balances in a business process. For example, in several cases management did not appropriately respond to information they were receiving. This information took the form of periodic reports on the results of operations for all divisions of the organisation that informed management of each division's progress in meeting objectives, and allowed them to ask questions if the results were different from their expectations. Often, the divisions that later reported significant losses at first reported profits far in excess of expectations for the apparent level of risk, which should have concerned senior management. Had thorough top level reviews occurred, senior management may have investigated the anomalous results and found and addressed some of the problems, thus limiting or preventing the losses that occurred. However, because the deviations from their expectations were positive (i.e., profits), questions were not asked and investigations were not started until the problems had grown to unmanageable proportions.
D. Information and Communication
9. Some banks have experienced losses because information in the organisation was not reliable or complete and because communication within the organisation was not effective. Financial information may be misreported internally; incorrect data series from outside sources may be used to value financial positions; and small, but high-risk activities may not be reflected in management reports. In some cases, banks failed to adequately communicate employees' duties and control responsibilities or disseminated policies through channels, such as electronic mail, that did not ensure that the policy was read and retained. As a result, for long periods of time, major management policies were not carried out. In other cases, adequate lines of communication did not exist for the reporting of suspected improprieties by employees. If channels had been established for communication of problems upward through the organisational levels, management would have been able to identify and correct the improprieties much sooner.
E. Monitoring
10. Many banks that have experienced losses from internal control problems did not effectively monitor their internal control systems. Often the systems did not have the necessary built-in ongoing monitoring processes and the separate evaluations performed were either not adequate or were not acted upon appropriately by management.
11. In some cases, the absence of monitoring began with a failure to consider and react to day-to-day information provided to line management and other personnel indicating unusual activity, such as exceeded exposure limits, customer accounts in proprietary business activities, or lack of current financial statements from borrowers. In one bank, losses associated with trading activities were being concealed in a fictitious customer account. If the organisation had a procedure in place that required statements of accounts to be mailed to customers on a monthly basis and that customer accounts be periodically confirmed, the concealed losses would likely have been noticed long before they were large enough to cause the failure of the bank.
12. In several other cases, the organisation's division or activity that caused massive losses had numerous characteristics indicating a heightened level of risk, such as unusual profitability for the perceived level of risk and rapid growth in a new business activity that was geographically distant from the parent organisation. However, due to inadequate risk assessment, the organisations did not provide sufficient additional resources to control or monitor the high-risk activities. In fact, in some instances the high-risk activities were operating with less oversight than activities with much lower risk profiles, and several warnings from the internal and external auditors regarding the activities of the division were not acted upon by management.
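The warning signs named in paragraphs 8, 11 and 12 (exceeded exposure limits, profits out of line with the level of risk taken, and auditor warnings left open) lend themselves to a simple top-level review rule set run over periodic divisional reports. The following is an added example and not part of the Basel Committee text; the report fields, the sample figures and the thresholds are constructed assumptions. It flags positive surprises as well as negative ones, since the paragraphs above stress that unexpectedly high profits were the signal that went unquestioned.

```python
"""Top-level review rules over divisional management reports.

Added example, not from the Basel Committee document. The report layout,
thresholds and sample figures are constructed assumptions; the rules encode
the warning signs the text describes: exposure above limit, profit far from
what the level of risk should produce (in either direction), and audit
findings left open too long.
"""
from dataclasses import dataclass, field


@dataclass
class DivisionReport:
    name: str
    exposure: float             # current risk exposure, currency units
    exposure_limit: float       # limit approved by senior management
    expected_return: float      # return expected for that level of risk
    reported_profit: float      # profit the division reported
    open_audit_findings_days: list = field(default_factory=list)  # age in days of unresolved findings


def review_division(r, profit_tolerance=0.5, stale_days=90):
    """Return a list of flags for one division; an empty list means nothing unusual.

    profit_tolerance: relative deviation from expected return that triggers a flag.
    stale_days: an audit finding open longer than this is escalated.
    """
    flags = []
    if r.exposure > r.exposure_limit:
        flags.append(f"exposure {r.exposure:.0f} exceeds limit {r.exposure_limit:.0f}")
    # Deviation relative to expectation; a large positive surprise is
    # questioned exactly like a large negative one.
    if r.expected_return > 0:
        deviation = (r.reported_profit - r.expected_return) / r.expected_return
        if abs(deviation) > profit_tolerance:
            direction = "above" if deviation > 0 else "below"
            flags.append(f"profit {abs(deviation):.0%} {direction} expectation for risk taken")
    stale = [d for d in r.open_audit_findings_days if d > stale_days]
    if stale:
        flags.append(f"{len(stale)} audit finding(s) open more than {stale_days} days")
    return flags


def review_all(reports, **thresholds):
    """Map each division name to its flags so reviewers see all divisions, not only outliers."""
    return {r.name: review_division(r, **thresholds) for r in reports}


# Constructed sample reports: one division operating as expected and one
# showing every warning sign the text describes.
SAMPLE_REPORTS = [
    DivisionReport("domestic_lending", 800, 1000, 40, 42, [10]),
    DivisionReport("overseas_derivatives", 1500, 1200, 30, 95, [120, 200]),
]

if __name__ == "__main__":
    for name, flags in review_all(SAMPLE_REPORTS).items():
        print(name, flags or "no flags")
```

The output is a list of questions for senior management to put to the division, not a conclusion; the point of the paragraphs above is that the questions were never asked.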
13. While internal audit can be an effective source of separate evaluations, it was not effective in many problem banking organisations. A combination of three factors contributed to these inadequacies: the performance of piecemeal audits, the lack of a thorough understanding of the business processes, and inadequate follow-up when problems were noted. The fragmented audit approach resulted primarily because the internal audit programs were structured as a series of discrete audits of specific activities within the same division or department, within geographic areas, or within legal entities. Because the audit process was fragmented, the business processes were not fully understood by internal audit personnel. An audit approach that would have allowed the auditors to follow processes and functions through from beginning to end (i.e., follow a single transaction through from the point of transaction initiation to financial reporting phase) would have enabled them to gain a better understanding. Moreover, it would have provided the opportunity to verify and test the adequacy of controls at every step of the process.
14. In some cases, inadequate knowledge and training of internal audit staff in trading products and markets, electronic information systems, and other highly sophisticated areas also contributed to internal audit problems. Because the staff did not have the necessary expertise, they were often hesitant to ask questions when they suspected problems, and when questions were asked, they were more likely to accept an answer than to challenge it.
15. Internal audit may also be rendered ineffective when management does not appropriately follow up on problems identified by auditors. The delays may have occurred because of a lack of acceptance by management of the role and importance of internal audit. In addition, the effectiveness of internal audit is impaired when senior management and members of the board of directors (or audit committee, as appropriate) fail to receive timely and regular tracking reports that indicate critical issues and the subsequent corrective actions taken by management. This type of periodic tracking device can help senior management confront important issues in a timely manner.
Footnote:
4. To illustrate a potential conflict of interest that is mitigated by other controls, an independent loan review, through its monitoring activities of a bank's credit grading system, may compensate for the potential conflict of interest that arises when a person who is responsible for assessing the adequacy of loan documentation also monitors the creditworthiness of the borrower after loan origination.