The relationship between internal controls and banking operations and performance has been described by various authorities in different ways, typically according to a specific area of focus (Luchsinger, 2009; Okafor & Ibadin, 2009). One of the most obvious areas of focus with respect to the banking industry is risk and how internal controls can help manage it (McCarthy & Flynn, 2008). For instance, according to Hayes (2009), “Speed and care are usually mutually exclusive. At least, speed and careful spending of money usually are. Speed is to internal controls like interstate highways are to speed bumps; Speed is a risk” (p. 46). This means that one of the risks of electronic processing of transactions is that someone who is dishonest can do a lot of damage in a very short amount of time. Other than auditors, few people view internal controls in a very positive light. Describing them as “necessary evils” that could best be ignored, Hayes (2009) asked: “As I often point out in my classes on fraud and internal controls, what good is to have authority if you can't override some internal controls from time to time?” (p. 46). Hence, Amudo & Eno (2009) stated that a critical evaluation of existing internal control structures in organizations ensures that the organization’s activities are carried out in accordance with established goals, policies and procedures.
Currently, internal control in Nigerian banks is mandated by Part 1 of the Banks and Other Financial Institutions Act (BOFIA) of 1991 (as amended), which provides that it is the responsibility of the board of directors of a bank to institute and implement proper policies and procedures, and an effective internal control system. This will help in monitoring and controlling all risks associated with every line of business and market served by the bank. To enhance this function, the board is also required to institute an effective audit process to verify, among other duties that the board will specify, how correctly and efficiently the internal control is implemented and how promptly the bank’s risks are identified and addressed.
These provisions can be compared to the guidance from the international community, such as the Basel Committee on Banking Supervision (1998, 2011), which asserts that an effective internal control system is a sine qua non for achieving set goals and objectives in a banking organization. Prior to the design and introduction of the Basel Framework (1998) for Internal Control Systems in Banking Organizations, precisely at the study stage, the Committee grouped the types of control breakdown it found in the problem banks it studied into five categories. The groups included (a) inadequate oversight and accountability by management, (b) improper and insufficient recognition and assessment of the risks that are inherent in different activities of the bank, (c) the absence or failure of major controls, (d) inadequate information dissemination between the different levels of management, and (e) poor monitoring of programs and activities.
Thus, to evaluate how effective the internal control system of a bank is, the Basel Committee recommended the application of 13 principles that cover the five elements of internal control. These principles are summarized as follows:
1. The board of directors of the bank has the responsibility to establish an adequate and effective system of internal control, and to approve policies and strategies necessary for the attainment of the corporate objectives. This done, the responsibility for their implementation through the promotion of high standards of ethics and integrity requires the collaborative efforts of both the board and the senior management of the bank.
2. There is the need to identify and classify risks, and to subject them to continuous monitoring and assessment with a view to upgrading the internal controls from time to time to deal with such risks that could frustrate the bank’s goals.
3. All forms of control activities that permeate the structure and activities of the bank should be regularly addressed. These include the segregation of duties and responsibilities, the security of internal financial, operational and compliance data, and the establishment of channels of effective communication. Akin to this, regular internal audit of the internal control system should be carried out.
To complement the Basel Framework principles, some best practices with respect to internal controls can also be discerned using the Sarbanes-Oxley Act of 2002 (hereinafter alternatively called “the Act” or “SOX”) provisions that are used in the United States and around the world (Bhamornsiri, Guinn, & Schroeder, 2009; Ernult & Ashta, 2008). One such provision is Section 302 of the Act, which made it mandatory for Chief Executive Officers (CEOs) and Chief Finance Officers (CFOs) to file annual reports that will show the changes made to their internal control system, if any. This is in compliance with the Securities Exchange Act of 1934. Section 404 of SOX also compels management to state its assessment of the internal control system in the internal control report, and to subject the assessment to external auditing. SOX increases the responsibility of companies for internal control, as it additionally places personal responsibility for its effectiveness on the shoulders of the CEOs and CFOs, requiring that they commit to internal control integrity by personally signing the financial statements. The Act caps it all by imposing a criminal penalty for its violation (Defond & Lennox, 2011).
Following the rapid environmental and operational changes that affect the business world, it has been further recommended that continuous monitoring of an internal control system is essential for its continued effectiveness; otherwise, there is a danger that it would become obsolete (Nigrini & Johnson, 2008; Owusu-Ansah & Ganguli, 2010). It is, however, to be noted that record keeping is key to monitoring activities in public companies like the banks involved in this study. Through the records, evidence emerges to substantiate issues that may be contained in the internal control assessment report. In the main, banks and companies alike should devise their own approaches that would enable them to achieve simultaneous monitoring and reporting, although it is a daunting task (Orcutt, 2009).
The Basel Framework prescriptions are complemented by COBIT (1996), which is primarily concerned with the need to monitor information systems effectively and efficiently.
Innovations in information technology have represented a double-edged sword for many banks as they seek to integrate these technologies with their traditional operations (Johnson, 2010; Bielski, 2008). Information technology can prove very useful in promoting the effective operation of the mechanisms of internal control (Li, Peters, Richardson, & Watson, 2012; Lui, 2009; Masli et al., 2010; Moorthy, Seetharaman, Mohamed, Gopalan, & San, 2011). For industries to remain relevant, competitive, and profitable, they must square up to the challenges of information technology. It is argued that the banking industry stands out among industries that are regularly faced with rapid technological change that comes with numerous associated developmental costs, including those of satisfying internal control reporting as required by law (Ho & Mallick, 2010; Owusu-Ansah & Ganguli, 2010). However, information technology can facilitate the administration of internal controls by banks, irrespective of their unique situations (Cook, Probert, & Martin, 2010; Schaefer & Peluchette, 2010; Schneider & Bruton, 2007; Steinhoff, 2008). In evaluating the effectiveness of internal control in the banking industry, the first step is to assess the risk profiles inherent in the activities and operations of the banks. Through this process, the major risks that face the banks are identified and classified in terms of either likelihood or impact. Assessing and classifying risks can be done in many ways, but with one ultimate goal: visualizing and identifying those risks that pose a potential threat to the achievement of organizational goals (Pereira & Santos, 2010).
Because risk assessment is a time-sensitive exercise that varies with the type of risk (strategic, operational, reporting, or compliance), the type of information technology used for administering internal controls also varies (Leih, 2006). These are especially important points when designing and implementing internal controls because the nature of the threat changes over time with the introduction of new viruses and malware that can disrupt a bank’s operations and compromise the integrity of its data (Johnson, 2010). Therefore, banks should include virus and malware detection software as part of a layered security system, so that human oversight controls and automated alerting mechanisms are also in place (Johnson, 2010).