Guide for Directors and Managers of Liberian Banks

INTERNAL CONTROLS

A GUIDE FOR DIRECTORS AND MANAGERS OF LIBERIAN BANKS Bank Supervision Department Central Bank of Liberia Monrovia, Liberia March 2005

INTRODUCTION The single greatest factor contributing to operational failures in commercial banks is the lack of adequate internal controls. When one speaks of management, one is essentially speaking of internal controls. Internal controls exist in all banks, at least in some form of a policy document, even if the implementation of the practice is ineffectual or nonexistent. Inadequate internal controls may be evidenced in weak internal and external auditing less than factual loan portfolio examinations and less than accurate record keeping. Those inadequacies in internal controls can contribute to erroneous decisions. Further those erroneous decisions are directly and indirectly harmful to the bank's well being and to its current and future condition. It can be said with some accuracy that the more inadequate are a bank's internal controls, the greater the chance that that bank will not achieve its full earnings potential. It also can put the 'organization at an unnecessary level of risk for an insider to commit fraud or an outsider to be allowed unacceptable client behavior. Satisfactory internal controls contribute to effective management by both the bank's board and the bank's management. Assets can be protected and fraud and financial mismanagement can be prevented by a strong internal control culture within a bank. Internal controls are the means to ensure compliance with external laws and regulations as well as with a bank's own internal policies. There are basic precepts or principles that underlie effective internal controls that remain unchanged despite the tremendous progress in technological innovations in the banking industry. These basic precepts can include such elementary approaches as keeping good records, satisfactory methods for checking the accuracy of those records and a separation of record checkers from record keepers. The rapid growth of the risk management function in banks is based entirely on a solid foundation of satisfactory internal control. The Bank Supervision Department of the Central Bank of Liberia intends to contribute positively to the strengthening of the Liberian Banking Sector through the sharing of best international practice in the area of internal controls and by the establishment of these Guidelines for Bank Directors and Bank Managers in the support of that effort. The following guidelines and the questionnaires that follow are primarily for the use of the Director or Manager of a Liberian Bank. They are also for the use of bank management and the staff of the Bank Supervision Department of the Central Bank of Liberia. The Supervision Staff will utilize these guidelines in their Bank Examinations from this date forward. T. Negbalee Warner Executive Director, Bank Supervision Department Central Bank of Liberia Monrovia, Liberia March 2005

INTERNAL CONTROLS - BASIC ELEMENTS The structure and sophistication of any control system will depend on the size and complexity of the operations of the institution in which it is to operate. Irrespective of whether a bank is a small or rural bank or a large urban or international one, the internal control system in either should be efficient and manageable. The basic elements of an effective internal control system generally require the following:

1. Control Environment - an environment or culture where control is recognized and emphasized
2. Risk Assessment - the establishment of policies and procedures for risk assessment
3. Control Activities - the recognition that all activities require some measure of control
4. Accounting, Information and Communication Systems - the institution of accounting, information and communication systems
5. Self-Assessment or Monitoring - the establishment of policies and procedures for self-assessment and monitoring Each of these elements is treated below, along with a suggested list of questions that address these basic control activities. These questions, and the answers derived from them, should assist Bank Staff, as well as Bank Examination Staff to identify any weaknesses in a bank's internal control system.
6. Control Environment This element is the underlying foundation for all of he other elements of an internal control system. The control environment is indicative of the overall awareness of both a bank's board and management - and their attitude as well - in assigning an adequate level of importance to the control activities. The control environment reflects the overall contributions by a bank's board and management towards the necessary discipline and the appropriate structure for ensuring proper internal controls over a bank's operations. The essential components of an effective control environment include: • Personnel integrity and ethical values • Dedication to staff competence and skill enhancement • Participation of Board Members and Board Committees • Positive influence of Management's commitment • Organizational structure that enables the management of the bank

• Authority and responsibility that is clearly defined • Effective policies and practices for human resources 2. Risk Assessment Risk assessment is the umbrella term for the process and methodology by which a bank's board and management identify and analyze the various kinds of risk that might prevent a bank from realizing its budgetary objectives. Risk assessment is intended to assist in determining exactly what kinds of risks are present, how to manage those risks identified and what kinds of controls are needed to be established. Risks are not a static phenomenon but arise and change because of a number of factors, as: • A change in a bank's operating environment • A change in staffing, either through reassignments or new employees • A new or a revised information system • A change in a bank's growth pattern and / or rate • An introduction of new technology • An introduction of new or expanded business lines, products or activities • A merger or other corporate restructuring • A change in accounting requirements 3. Control Activities Control activities are all of the policies and procedures that have been instituted by the bank to direct bank staff in carrying out the directives of both board and management. All of these activities help the board and management control risks that could adversely affect the bank's operations and results. The policies that direct these control activities should also provide that the bank personnel who are responsible for these control activities do not evaluate their own work in these areas. Control activities are engaged in at various levels within the bank's organizational structure can include, inter alia, the following: Operational Performance - Control activities in this area include the review of risk in the actual financial performance compared against the budgeted forecasts. Any significant variances are then analyzed to determine whether any specific bank activity should be revised. Information Processing - Control activities in this area include the verification of the accuracy and completeness of bank transactions to determine whether they had been properly authorized. Control activities in the information area are broadly measured through two approaches - general controls and application controls. General controls are oversight over data center operations, including mainframes and servers, and

system software procurement, maintenance and access. Application controls are the oversight for the programs that the bank utilizes to process and monitor transactions. . Physical Controls - Control activities in this area generally refer to the physical security of the bank's assets, including all bank records. Segregation of Duties - Control activities in this area refer to the assignment of the various duties involved in a transaction, or any bank activity, to different persons. This approach is intended to prevent a bank employee from being in a position to effect and conceal an irregular or illegal activity in the course of that person's normal duties. 4. Accounting, Information and Communication Systems The various systems as accounting, information and communication manage data and information in ways that enable bank personnel to perform their tasks. Accounting systems are the procedures and records that manage the bank's transactions. Information systems provide reports on all bank activities so that bank directors and management can direct the activities of the bank. Communication systems are the providers of information both within the bank and to external users of bank information such as customers, shareholders and supervisors. 5. Self-Assessment or Monitoring Self-assessment or monitoring is intended to provide an oversight function in assessing the performance of the bank's control systems. Bank directors and management constantly review internal controls for their proper functioning and for modifications to the internal control systems when deemed necessary. Self-assessment is only one approach to a basic review of these internal control activities; however, self-assessment cannot the only approach to assessment of the effectiveness of a bank's internal control systems. Internal and external audits provide a more independent approach to the assessment of the bank's internal control function. Supervisory examinations additionally provide another layer of assessment of these controls. Internal Control Questionnaires - for use by Internal Bank Staff and by Bank Supervision Staff

1. Control Environment - Questionnaire Yes No 1 1 Are policies and procedures periodically reviewed by the board to ensure that appropriate internal controls have been established? 1 1 Is there a monitoring system in the bank to determine compliance with internal controls and are instances of noncompliance reported to the board? 1 1 Does the board take appropriate follow-up action in instances of noncompliance that are reported to it? 1 1 Does bank management allow access to all bank records to the board or board representatives? 1 1 Are board decisions made collectively and not controlled by a dominant individual or group? 1 1 Does the board receive appropriate and current information from the bank's accounting, information and communication systems to make informed and timely decisions? 1 1 Does the board receive sufficient information about the bank's internal risk assessment process? 1 1 Does the board review the qualifications and the independence of the bank's internal auditors? 1 1 Does the board review the qualifications and the independence of the bank's external auditors? 1 1 Do the bank's internal auditors report their findings directly to the board or to a board committee? 1 1 Do the bank's external auditors report their findings directly to the board or to a board committee? 1 1 Do the bank's internal auditors periodically assess the adequacy of the bank's internal control systems? 1 1 Do the bank's external auditors periodically assess the adequacy of the bank's internal control systems? 1 1 Are internal control policies communicated to all of the bank's employees?

1 1 Are staff conduct policies communicated t6 all of the bank's employees? 1 1 Do policies on staff ethics or codes of conduct exist? 1 1 Do audit procedures or other control systems exist to test on a periodic basis for staff compliance with ethics policies or codes of conduct? 2. Risk Assessment -Questionnaire Yes No 1 1 Do the board and management appropriately evaluate risks when the bank is planning and approving new products or activities? 1 1 Do the board and management appropriately discuss and plan for control systems when the bank is planning and approving new products or activities? 1 1 Is internal audit staff, or other internal control staff, involved in discussions about appropriate controls when the bank is developing new products and activities? 1 1 Do the bank's board and management involve internal audit staff, and other internal control staff, in the risk assessment process? 1 1 Do the bank's board and management consider and appropriately address technology issues in the risk assessment process? 1 1 Are there sufficient personnel who are competent and knowledgeable to manage current and proposed bank activities in all areas? 1 1 Have these staff members been provided with adequate resources to manage these bank activities? 1 1 Are there sufficient personnel who are competent and knowledgeable to manage the bank's risk management activities? 1 1 Have these staff members been provided with adequate resources to manage these bank risk management activities? 3. Control Activities -Questionnaire Yes No 1 1 Do policies and procedures exist to provide that decisions are made with appropriate approvals?

1 1 Do processes exist to provide independent verification of a sufficient sample of transactions to ensure integrity of the decision making process? 1 1 Do processes exist to provide that there is ongoing and independent reconciliation of all bank balances, both asset and liability and on- and off balance sheet items? 1 1 Are the decision-making authorities for all risk taking areas separate from the reconciliation activities for those areas? 1 1 Do policies and procedures exist to provide that all exceptions to policy are minimal and are reported to management in each instance of exception? 1 1 Does the personal leave policy for all bank staff provides that each employee has an absence for two consecutive weeks at least once annually? 1 1 Are there provisions in the personnel policies of the bank to provide for periodic rotation of staff duties? 1 1 Are dual controls over bank assets and separation of duties provided for in he bank's organizational structure? 4. Accounting, Information and Communication Systems -Questionnaire Yes No 1 1 Do the bank's accounting systems properly manage and report bank transactions in accordance with the proper accounting standards? 1 1 Are appropriate and sufficient reports produced by the bank for the proper management and control of the bank? 1 1 Are the bank's accounting, information and communication systems able to identify whether all risk taking activities within the bank are within the bank's policy guidelines? 1 1 Do all bank personnel in the areas of control understand their roles? 1 1 Do all bank personnel in the areas of control understand how their activities relate to others? 1 1 Do all bank personnel in the areas of control understand their accountability for their activities? 1 1 Self-Assessment or Monitoring -Questionnaire

1 1 Is No Does the board review management's actions in dealing with control weaknesses and verify that the actions taken by bank management are appropriate and adequate? 1 1 Is there sufficient detail in audit reports, or other control assessment reports, for the bank's board and management to understand the situation as regards internal controls? 1 1 Are audit reports, or other control assessment reports, timely enough so that the bank's board and management are able to take appropriate action? 1 1 Does the board, or a board committee, approve the appointment of the bank's internal audit personnel? . 1 1 Does the board, or a board committee, approve the scope of all internal activities that review internal controls? 1 1 Does the board, or a board committee, review the results of all internal and external audits? 1 1 Does the board, or a board committee, approve the bank's systems of internal controls