III. The Major Elements of an Internal Control Process

D. Information and Communication

Principle 8: Senior management should ensure that there are adequate and comprehensive internal financial, operational and compliance data, as well as external market information about events and conditions that are relevant to decision making. Information should be reliable, timely, accessible, and provided in a consistent format.

30. Adequate information and effective communication are essential to the proper functioning of a system of internal control. From the bank's perspective, in order for information to be useful, it must be relevant, reliable, timely, accessible, and provided in a consistent format. Information includes internal financial, operational and compliance data, as well as external market information about events and conditions that are relevant to decision making. Internal information is part of a record-keeping process that should include established procedures for record retention.

Principle 9: Senior management should establish effective channels of communication to ensure that all staff are fully aware of policies and procedures affecting their duties and responsibilities and that other relevant information is reaching the appropriate personnel.

31. Without effective communication, information is useless. Senior management of banks need to establish effective paths of communication in order to ensure that the necessary information is reaching the appropriate people. This information relates both to the operational policies and procedures of the bank as well as information regarding the actual operational performance of the organisation.

32. The organisational structure of the bank should facilitate a complete flow of information - upward, downward and across the organisation. A structure that facilitates this flow ensures that information flows upward so that the board of directors and senior management are aware of the business risks and the operating performance of the bank. Information flowing down through an organisation ensures that the bank's objectives, strategies, and expectations, as well as its established policies and procedures, are communicated to lower-level management and operations personnel. This communication is essential to achieve a unified effort by all bank employees to meet the bank's objectives. Finally, communication across the organisation is necessary to ensure that information that one division or department knows can be shared with other affected divisions or departments.

Principle 10: Senior management must ensure that there are appropriate information systems in place that cover all activities of the bank. These systems, including those that hold and use data in an electronic form, must be secure and periodically tested.

33. A critical component of a bank's operations is the establishment and maintenance of management information systems that cover the full range of its activities. This information is usually provided through both electronic and non-electronic means. Banks must be particularly aware of the organisational and internal control requirements related to processing information in an electronic form.

34. Electronic information systems and the use of information technology have risks that must be effectively controlled by banks in order to avoid disruptions to business and potential losses. Controls over information systems and technology should include both general and application controls. General controls are controls over the computer system (i.e., mainframe and end-user terminals) and ensure its continued, proper operation. For example, general controls include back-up and recovery procedures, software development and acquisition policies, maintenance procedures, and access security controls. Application controls are computerised steps within software applications and other manual procedures that control the processing of transactions. Application controls include, for example, edit checks and computer matching. Without adequate controls over information systems and technology, including systems that are under development, banks could experience the loss of data and programs due to inadequate physical and electronic security arrangements, equipment or systems failures, and inadequate backup and recovery procedures. Management decision-making could be adversely affected by unreliable or misleading information provided by systems that are poorly designed and controlled. Information processing could be curtailed or fail entirely if alternate compatible facilities are not available in the event of prolonged equipment failure. In extreme cases, such problems could cause serious difficulties for banks and even jeopardise their ability to conduct key business activities.
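As an added illustration of the two application controls paragraph 34 names (edit checks and computer matching), the following Python example validates constructed transaction records before processing and reconciles an internal ledger against a counterparty statement; it is not part of the BIS framework, and the field names, currency list and separation-of-duties rule are assumptions.

```python
# Application controls over transaction processing (added example, not BIS text).
# Field names, accepted currencies and the four-eyes rule are assumed.
from datetime import date

VALID_CURRENCIES = {"USD", "EUR", "GBP"}  # assumed list of accepted currencies

def edit_check(txn: dict) -> list:
    """Edit check: validate one record before it is processed; empty list means it passes."""
    findings = []
    if not txn.get("id"):
        findings.append("missing id")
    amt = txn.get("amount")
    if not isinstance(amt, (int, float)) or amt <= 0:
        findings.append("amount must be a positive number")
    if txn.get("currency") not in VALID_CURRENCIES:
        findings.append(f"unknown currency {txn.get('currency')!r}")
    try:
        date.fromisoformat(txn.get("value_date", ""))
    except ValueError:
        findings.append("value_date is not a valid ISO date")
    if not txn.get("approved_by") or txn.get("approved_by") == txn.get("entered_by"):
        findings.append("approver must differ from the person who entered the record")
    return findings

def match_records(internal: list, external: list) -> dict:
    """Computer matching: reconcile ledger rows against statement rows by id, then amount and currency."""
    ext = {r["id"]: r for r in external}
    matched, mismatched, unmatched = [], [], []
    for row in internal:
        other = ext.pop(row["id"], None)
        if other is None:
            unmatched.append(row["id"])            # booked internally, absent from statement
        elif (other["amount"], other["currency"]) != (row["amount"], row["currency"]):
            mismatched.append(row["id"])           # present on both sides but values differ
        else:
            matched.append(row["id"])
    return {"matched": matched, "mismatched": mismatched,
            "unmatched_internal": unmatched, "unmatched_external": sorted(ext)}

# Constructed sample data; these are not real transactions.
LEDGER = [
    {"id": "T1", "amount": 100.0, "currency": "USD", "value_date": "2024-03-01", "entered_by": "alice", "approved_by": "bob"},
    {"id": "T2", "amount": -5.0, "currency": "USD", "value_date": "2024-03-01", "entered_by": "alice", "approved_by": "alice"},
    {"id": "T3", "amount": 250.0, "currency": "XYZ", "value_date": "2024-13-01", "entered_by": "carol", "approved_by": "dave"},
]
STATEMENT = [
    {"id": "T1", "amount": 100.0, "currency": "USD"},
    {"id": "T3", "amount": 255.0, "currency": "XYZ"},
    {"id": "T9", "amount": 10.0, "currency": "EUR"},
]
```

Records that fail `edit_check` should be rejected before posting, and every non-empty bucket other than `matched` from `match_records` is an exception for someone to investigate.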
