
Article (2): Internal Control Framework

C 161/2018 STA

1. The Board or the Board audit committee must review, at least annually, the effectiveness of the Bank’s internal control system and processes by means of:

  a. periodic discussions with Senior Management concerning the effectiveness of the internal control system;
  b. a timely review of evaluations of internal controls made by Senior Management, internal auditors, and external auditors;
  c. periodic efforts to ensure that Senior Management has promptly followed up on recommendations and concerns expressed by internal auditors and external auditors and the Central Bank on internal control weaknesses; and
  d. a periodic review of the appropriateness of the Bank’s strategy and risk limits.

2. Banks’ internal controls must, at a minimum, address:

  a. Organizational structure: definitions of duties and responsibilities including clear delegation of authority, such as loan approval limits, decision-making policies and processes and separation of critical functions, including but not limited to business origination, payments, reconciliation, risk management, accounting, audit and compliance;
  b. Accounting and financial reporting policies and processes: reconciliation of accounts, control lists, information for management;
  c. Checks and balances (or “four-eyes” principle): segregation of duties, cross-checking, dual control of assets, double signatures; and
  d. Safeguarding assets and investments: physical control and computer access, measures for the prevention and early detection and reporting of misuse, such as fraud, embezzlement, unauthorized trading and computer intrusion.

3. The relationship between a Bank’s business units, the support and control functions and the internal audit function comprises the three lines of defence model:

  a. The business units are the first line of defence. They undertake risks within assigned limits of risk exposure and are responsible and accountable for identifying, assessing and controlling the risks of their business.
  b. The second line of defence includes the support and control functions, such as risk management, compliance, legal, human resources, finance, operations, and technology. Each of these functions, in close relationship with the business units, ensures that risks in the business units have been appropriately identified and managed. The business support and control functions work closely to help define strategy, implement Bank policies and procedures, and collect information to create a Bank-wide view of risks.
  c. The third line of defence is the internal audit function that independently assesses the effectiveness of the processes created in the first and second lines of defence, and provides assurance on these processes.

4. The responsibility for internal control does not transfer from one line of defence to the next line.

| Line of defence | Examples | Approach |
| --- | --- | --- |
| First line | Front Office, any client-facing activity | Transaction-based, ongoing |
| Second line | Risk Management, Compliance, Legal, Human Resources, Finance, Operations, and Technology | Risk-based, ongoing or periodic |
| Third line | Internal Audit | Risk-based, periodic |