Internal Control Assessment: A Comprehensive Approach
As part of regular audits, banks’ internal control systems are periodically assessed by auditors to ensure their adequacy. This assessment involves evaluating various aspects of a bank’s internal control environment, including its policies, risk management practices, and accounting and communication systems.
Control Environment
The control environment is the foundation upon which a bank’s internal controls are built. It encompasses the tone at the top, leadership commitment, and employee awareness and understanding of internal controls. Auditors assess the following aspects of the control environment:
Internal Control Policies
- Are internal control policies communicated to all employees? (#1)
- Are staff conduct policies communicated to all employees? (#2)
These questions indicate that auditors evaluate whether the bank has effective communication channels in place to inform employees about internal control policies and staff conduct.
Risk Assessment
The risk assessment process is a critical component of internal controls, as it helps identify potential risks and ensures that appropriate controls are put in place. Auditors assess the following aspects of the risk assessment process:
Risk Management
- Do the bank’s board and management involve internal audit staff and other internal control staff in the risk assessment process? (#6)
This question implies that auditors review the involvement of internal audit staff in risk assessments to ensure adequate consideration of controls.
Control Activities
Control activities are the policies, procedures, and processes implemented to mitigate risks and ensure the achievement of objectives. Auditors assess the following aspects of control activities:
Existence and Implementation of Policies
- Do decision-making policies exist?
- Are verification and reconciliation procedures in place?
- Is separation of duties practiced?
These questions suggest that auditors evaluate whether the bank has effective control activities in place to mitigate risks.
Accounting, Information, and Communication Systems
The accounting, information, and communication systems are critical components of internal controls, as they provide accurate financial reporting and facilitate business operations. Auditors assess the following aspects:
Accounting Systems
- Are accounting policies communicated to all employees?
- Are accounting procedures in place for transaction processing?
These questions imply that auditors evaluate whether the bank’s accounting systems are adequate to support its business operations.
Self-Assessment or Monitoring
The self-assessment process is essential for identifying control weaknesses and implementing corrective actions. Auditors assess the following aspects:
Board Review of Management Actions
- Does the board review management actions related to control weaknesses?
- Are audit reports timely and sufficient?
These questions indicate that auditors evaluate whether the bank’s self-assessment processes are effective in identifying and addressing control weaknesses.
Conclusion
In summary, auditors periodically assess a bank’s internal control systems through various means:
- Reviewing policies and procedures (Control Environment).
- Evaluating risk assessment processes (Risk Assessment).
- Assessing control activities (Control Activities).
- Examining accounting and communication systems (Accounting, Information, and Communication Systems).
- Monitoring self-assessment and reporting processes (Self-Assessment or Monitoring).
This comprehensive approach ensures that auditors can identify areas for improvement and provide recommendations to strengthen the bank’s internal controls.