Banks: the essential role of internal control
In the complex and dynamic landscape of the banking sector, internal control is an essential pillar for ensuring the security, compliance and robustness of financial operations. This article aims to explore the different aspects of internal control in banking, focusing on its essential components, levels of control, existing models, and the importance of annual review in maintaining the effectiveness and relevance of the control system. We will also examine how modern tools can facilitate and optimize these control processes, while promoting a collaborative and flexible approach.
Internal control in banking: the essential duo of permanent and periodic controls
According to the standards set out in Regulation no. 97-02, financial institutions must have adequate internal controls, adapted to the nature and volume of their activities, their size, their locations and the risks to which they are exposed.
Internal control comprises two main aspects: permanent control and periodic control. Both are essential building blocks of an effective internal control system.
Permanent control
Permanent control refers to the day-to-day controls carried out by operational staff and their superiors as part of transaction processing. This level of control comprises two aspects: level 1 permanent control and level 2 permanent control. The first is carried out by operational staff, who identify the risks inherent in their activity and are required to comply with the procedures in force and the limits set. The second is carried out by agents who are independent of operational staff and dedicated to risk management.
Periodic control
Periodic control is carried out by the Internal Audit function. This function monitors the entire permanent control system, verifying its existence, compliance, operation and quality.
Three levels of control: a complementary approach
Setting up an effective internal control system requires effective coordination between the three levels of control: operational staff (1st level), key risk control functions (2nd level) and internal audit (3rd level).
First level of control: operational staff
The first level of control is provided by operational staff. They carry out frequent, granular checks to ensure that the operations they perform comply with the procedures and limits set. These initial controls may be supplemented by a posteriori controls, carried out by the line manager. These may include random sampling checks to ensure that procedures and controls are being followed by employees on an ongoing basis.
Second level of control: key risk control functions
The second level of control is provided by key risk control functions. They implement the control plan defined by the Head of Permanent Control and Risk Management (RCPR), based in particular on identified risk zones. Their role is to ensure that first-level controls are in place, and that they are effective and properly implemented, by means of sample checks or checks based on a different line of analysis from that of level 1.
Third level of control: internal audit
The third level of control is provided by internal audit. Its mission is to verify the existence, compliance, operation and quality of the entire permanent control system.
Structuring internal control:
Control models: an approach adapted to needs
There are two main control models: the Anglo-Saxon model and the French model. The choice between these two models depends on the company's internal control philosophy and organization.
The Anglo-Saxon model
The Anglo-Saxon model, also known as the "3 lines of defense", is based on the division of risk controls between three distinct groups of players. The first level carries out frequent, granular controls, the second level less frequent and less detailed controls, and finally, the third level carries out verifications according to a three- or four-year audit plan.
This approach can be likened to a medieval fortress with three concentric walls. Each player assesses its risks, builds its own wall and maintains its own defense against risk. Despite its earlier popularity, this model has recently evolved towards a more integrated one.
Advantages:
- Rapid implementation, thanks to the independence of each player in its own line of defense
- No need for complex coordination before or during operation.
Disadvantages:
- Static, perpetuating existing practices
- Less efficient use of resources due to duplication of vigilance
- Risk of less balanced risk coverage
- Less clear allocation and prioritization of responsibilities and corrective actions
- More rigid, with less responsiveness to changes such as new products or regulatory developments
The French model
The French model, or "integrated model", differs fundamentally from the Anglo-Saxon model in its defense-in-depth approach. It consists of a single line of defense, structured around three players with different but complementary roles. As explained above, the first level is made up of the business lines, which provide the defense in the field; the second level is made up of key functions with specialized risk management teams; and finally, the third level is provided by the internal audit function, which periodically audits the entire permanent control system.
Unlike the Anglo-Saxon model, the third level must not duplicate the tasks of the second level, to avoid wasting resources and adding to the workload.
Advantages:
- Encourages review and clarification of existing internal control principles
- Consistent, clear organization, making it easier for decision-makers to understand.
- Optimal use of resources
- Efficient prioritization of risk coverage and corrective actions
Disadvantages:
- Requires strong management commitment and involvement
- Implementation requires preparation, time and initial adjustments
- Demanding organization, requiring coordination and collective discipline among all players
Annual review of the system
The internal control system must be reviewed every year. This review enables any shortcomings to be identified and any necessary improvements to be implemented.
This is where we come back to the notion of risk mapping. Risk mapping is an ongoing process designed to identify, assess, measure and manage all the risks to which the bank is exposed. This process requires regular updating. The mapping system must be detailed, and the control plan must be adapted to the impact of the risk identified. These two elements, risk mapping and control plan, are interdependent and evolve together.
Examples of identified risks:
- Operational risks: internal and external fraud, inadequate HR practices, deceptive business practices, damage to material assets, business interruption, poor performance or delivery, etc.
- IT risks: inadequate resources, data loss, inadequate backup plan, fraudulent requests, inadequate authorization management, unauthorized data manipulation, failure of access control systems, etc.
- Other risks: non-compliance, reputational risks, accounting risks, etc.
To ensure effective risk management, the control plan must be adjusted in line with the risks identified.
Facilitating control to guard against risk
It is vital to have the right tools to carry out these controls optimally and guard against risk. Control teams need easy access to data (e.g., covenant results, dates of receipt and verification, or supporting documents for monitoring counterparty/credit risk). Several approaches are possible.
You can opt for the traditional method of searching all shared emails and documents, but this approach is often time-consuming and tedious.
An effective alternative is to use tools that facilitate these checks with just a few clicks. This is precisely what Kls offers with its platform, which centralizes the data collected from customers and the actions taken. It also offers the possibility of exporting data for simplified consultation, all in one place.
Tools such as Kls Desk also provide an opportunity to bring Front and Middle Office functions closer together with risk and compliance functions. In fact, they make it possible to:
- Simplify the performance of controls by front-line operational staff, and thus promote their acceptability.
- Facilitate access to data for those in charge of second- and third-level controls, without having to call on and mobilize the 1st level.
Conclusion
Periodic and permanent controls are essential elements of banking risk management. For them to be effective, the responsibilities of the three levels of control need to be clearly differentiated, reference frameworks and tools need to be shared, general management needs to be exemplary, and business line managers and their teams need to be acculturated to risk management. An annual review of the system is essential to ensure its relevance and effectiveness. It should be noted that the French model is not the only one used by French banks, even though it seems to be recommended by the regulator since the decree of 02/25/2021.
To facilitate these control processes, which are often perceived as time-consuming and not value-adding by operational staff, the use of tools that centralize the information to be controlled is recommended. Today, this is a response to the need for flexible, collaborative access to data. Finally, business units must be able to simply modify the control verification points to be carried out according to changes in their risk mapping, their control plan and regulatory requirements.
Sources
- Blog Conformité Bancaire: "Trois Niveaux de Contrôle : Quel Modèle Adopter et Comment être Conforme à l'Arrêté du 25/02/2021". Available at: https://blog-conformite.esbanque.fr/3-niveaux-de-controle-quel-modele-adopter-et-comment-etre-conforme-a-larrete-du-25-02-2021-2/
- Autorité de Contrôle Prudentiel et de Résolution (ACPR): "Guide du Contrôle Interne". Available at: https://acpr.banque-france.fr/sites/default/files/20220311_guide_controle_interne.pdf