With the gradual advancement of China’s financial reforms, commercial banks have gained tremendous opportunities, but they are also facing the challenge of breaking the barriers to market access for the banking industry and increasing competition in the same industry. In the face of fierce market competition, commercial banks often attach importance to short-term operating performance, but lack awareness of risk prevention and ignore long-term development strategies. In addition, commercial banks have shifted their focus from traditional businesses to explore and launch innovative businesses. They have also put forward higher requirements for commercial banks’ internal control and risk prevention and control systems.
After the “Guidelines for Internal Control of Commercial Banks” was promulgated, the supervisory and regulatory agencies’ requirements for the management of internal control of commercial banks have become increasingly stringent. An effective internal control system is very important for the development of commercial banks. In recent years, China’s commercial banks have developed rapidly, and major commercial banks are committed to the construction of internal control systems. It is precisely because of the lack of a complete internal control management system and the lack of awareness and prevention of various risks will cause vicious economic cases in the banking industry frequently. This will undoubtedly cause huge financial losses to commercial banks and also cause serious financial losses, threatening the safety of customers’ funds and the development of the banking industry. Therefore, it is urgent and important to strengthen the internal control system of commercial banks.
2. Literature Review
Academia’s research on internal control has achieved important results in the formation of academic theory and the design of rules and regulations. In 1992, the United States COSO Committee released the “Internal Control-Integration Framework”, which focused on the internal control theory, especially the overall framework of internal control. It became the most authoritative theoretical research result in the field of internal control, and was widely studied and applied. In 2013, the COSO Committee issued a newly revised Internal Control-Integration Framework. Compared with the old framework, the new framework has not changed the core definition of internal control, the five elements, and the criteria for evaluating the effectiveness of internal control. However, it emphasizes the important role of board supervision and corporate governance. In addition, the new framework includes both internal financial reporting and external non-financial reporting, and requires that internal control be transformed from a financial reporting-oriented control system to a comprehensive control system.
On the basis of the above-mentioned framework documents, the emergence of internal control issues is negatively related to the effectiveness of corporate governance, and the role of corporate governance should be brought into full play (Abbott, Parker, Peters, & Rama, 2007) . Monitoring is an aspect of internal control, which is the focus of work of inspectors, quality control personnel and internal auditors (Colbert, 2008) . It is necessary to report the monitoring results and measures taken in a timely manner. Different enterprises need to fully consider their own characteristics when establishing internal control systems, effectively improve the level of enterprise risk management and control, and ensure the effective development of various operating and management activities (Jokipii, 2010) . And the professionalism of financial personnel affects the implementation of the internal control system and is an important factor in achieving the internal control objectives (Li, Sun, & Ettredge, 2010) .
As for the internal control of commercial banks, the Basel Committee promulgated the “Internal Control System Framework of Banking Institutions.” The framework states that “the internal control of a commercial bank is a key component of bank management and the foundation for the safe and stable operation of a bank. A strong internal control system is conducive to achieving long-term profit goals for bank institutions and ensuring the reliability of financial statements and management reports.”
The China Banking Regulatory Commission issued the “Guidelines for Internal Control of Commercial Banks” in 2007, which guides to improve internal control systems, prevent financial risks, and ensure the smooth operation of the banking system. They require commercial banks to urge relevant personnel to follow internal control systems and standards, and promote business performance and management efficiency. In 2014, it was revised again, pointing out that commercial banks bear the primary responsibility for risk prevention and effective internal control is the premise of good operation.
Banks as a high-risk industry conducting currency business, internal control measures have great significance in preventing various risks (Shen, 2010) . The internal control of China’s commercial banks should be extended and we should pay more attention to non-financial reporting areas to prevent risks comprehensively (Zhang, 2014) . We should attach importance to corporate governance and appropriate incentive and restraint mechanisms to construct internal control environment (Sun, 2008) . And commercial banks should integrate the concept of comprehensive risk management into the entire process of audit and improve self-restraint mechanisms by strengthening re-supervision of internal controls (Jin, 2016) .
3. Case Study
3.1. Brief Introduction to Shanghai Pudong Development Bank
Shanghai Pudong Development Bank Co., Ltd. (SPD Bank) is one of the most representative nationwide joint-stock commercial banks in China. It was founded on August 28, 1992 with the approval of the People’s Bank of China and has been operating since January 9, 1993. As a listed entity, the Bank is highly regarded within China’s security market thanks to its outstanding performance record and business integrity. By adhering to its core value of “holding to integrity and striving for excellence,” SPD Bank continues to expand its capital base and strengthen its business through financial innovation.
By the end of September 2019, the Bank had total assets of RMB 6.79 trillion. Now, it operates a network of 41 branches and approximately 1700 banking outlets inside and outside China, and the number of employees exceeds 50,000. In recent years, the Bank has accelerated its internationalization and integration. It has been continuously expediting globalization as seen by the establishment of Hong Kong Branch, Singapore Branch, London Branch and SPDB International Holdings Ltd.
Since its public listing on the stock market, SPD Bank has been ranked among the Top 100 Listed Companies in China by Asia Weekly for several consecutive years. In January 2019, the Bank ranked 18th on the Top 500 Banking Brands list released by the British magazine The Banker, with a brand value of USD 13,252 million, being 7th among Chinese banks. In June, the Bank ranked 65th on the Forbes Global 2000 list, being 13th among Chinese companies and 9th among Chinese banks. In July 2019, the Bank ranked 216th on the Fortune Global 500 list, being 56th among Chinese companies and 8th among Chinese commercial banks, demonstrating its sound competitiveness.
3.2. Analysis of the Internal Control of Shanghai Pudong Development Bank
SPDB has been continuously strengthening the company’s internal controls. In addition to basic internal control system for major products, it has also strengthened the internal control system of risk management, information technology security and others to meet the needs of internal and external environmental changes.
This paper is based on the five elements of COSO control framework. Through the in-depth analysis of the control environment, risk assessment, control activities, information and communication, monitoring of Shanghai Pudong Development Bank, we can find the defects of internal control system and give feasible suggestions.
• Control Environment
SPDB has six committees under the board of directors: a strategy committee, a nomination committee, a risk control and related party transactions committee, a remuneration and evaluation committee, an audit committee, and a capital and operations management committee. The board of directors attaches importance to the establishment of a reasonable and effective internal control system. By continuously regulating the company’s governance structure and strengthening risk management, it has achieved a good separation of duties in the company’s decision-making, implementation and supervision processes, laying a solid foundation for the company’s internal control.
SPDB can recognize the importance of internal control, but some managers and employees have misunderstandings on internal control. They think that internal control is only a variety of processes on staff handbook and do not realize that internal control, as a safe and effective supervision mechanism, is important for commercial banks to manage their own business and prevent risks. As a result, internal control cannot monitor and prevent risks in advance during the operation of SPDB, and cannot fundamentally eliminate hidden risks.
At the same time, SPDB lacks effective incentive and restraint mechanisms, which is important to achieve the goal of long-term development. The evaluation often focuses only on the assessment of results rather than the analysis of the process, the ranking of each branch in the system and not the changes in its ranking in the local industry. The assessments are often simple distinction between “excellent, good, average, and incompetent”, etc. without the specific and realistic evaluation content and evaluation standards. It is impossible to give feedback to employees in a timely manner, so the relevant incentive and restraint mechanisms have little effect. And there are no competitive pressures and constraints in the management positions, so some employees are unmotivated and decision makers still need to rely on their own moral consciousness to restrain themselves.
• Risk Assessment
Commercial banks face credit risk, operational risk and market risk. They need to establish a reasonable and effective risk management system to identify, control and monitor these risks. The company conducts risk assessment through scientific and effective means, which can identify internal and external risks. Risk assessment is an important prerequisite for commercial banks to control risks and develop correct business strategies.
At present, the risk assessment method of SPDB is relatively simple, and the assessment system is not sound enough. Taking the loan business as an example, in the management of loan companies, SPDB mainly focuses on these companies’ operating capabilities, profitability and development. Because it uses less quantitative analysis to evaluate risks, the evaluation results are very subjective and cannot accurately reflect the risk situation of the enterprise. The assessment of the repayment ability of the loan application company is still based on the analysis of the company’s financial statements. The main risks identified and evaluated include credit risk, operational risk, foreign exchange risk, interest rate risk, etc., but SPDB lacks necessary assessment for other risks. When inspecting the application materials, the handlers only pay attention to whether the information submitted by the loan company is complete and meets the requirements for handling business. However, the company lacks strict review procedures for false sales contracts, bad income certificates, etc., and an evaluation system for related risks is not perfect.
• Control Activities
It should be noted that SPDB has made great efforts in establishing a sound internal control system in recent years. However, if the specific control activities cannot be put in place, even if the system is designed well, it will only be a piece of paper and cannot truly improve and enhance internal control.
Banks’ business processes are interlinked. As long as one employee adheres to the system and implements control activities, the internal control problems can be effectively avoided. For example, in the credit department of SPDB, many bad debts are generated because loan managers disregard the internal control system of credit business and relax the standards to help enterprises obtain loans in order to complete the business indicators. Some managers have even helped the loan company to pass the examination of the risk management department, making the related control activities on credit risk have not been implemented at all. With the rapid development of credit card business, the bad debt rate of credit card loans is also rising. SPDB is the only bank with a non-performing loan ratio that rose by 0.25 percentage points in 2017. The annual bank reports show that the credit card bad debt rates of CITIC Bank, SPDB and Ping An Bank at the end of 2018 increased by 0.61%, 0.49%, and 0.14% respectively compared with the end of the previous year. And recently, media reports that the former leading company in the photovoltaic field, Jiangxi Saiwei LDK Solar High-tech Co., Ltd. is now close to bankruptcy, and all the RMB 1.510 billion loans provided by SPDB were unsecured credit loans.
In the course of business operations, an appropriate separation of duties should be implemented between departments and positions. For example, it is necessary to promise the separation of the storage of currency from the accounting processing. Important blank vouchers should be kept and used by different people. And the authorization and approval of capital transaction business should be separated from the specific handling. In addition, the system password should be changed regularly, but for the convenience of the operators, it may not change for a long time. The weak implementation of internal control activities may be an important problem for SPDB.
• Information and Communication
With the development of network, SPDB is constantly improving its own electronic information system to provide an efficient platform for information exchange and communication. SPDB not only focuses on the maintenance of internal computers, but also adopts a series of control measures to ensure information security. For example, each computer is encrypted and authorized to ensure the separation of duties between the information technology department and the business department. At the same time, management also actively communicates with employees and gives them timely feedback to ensure the orderly conduct of various business activities.
SPDB’s measures on information and communication are worthy of recognition, but there still exist some problems in the process. Some employees only pay attention to whether the collected materials are complete and whether they meet the needs of the business, but ignore the collection of internal control information and do not enter the internal control information into the system for future reference and review. In addition, SPDB sometimes fails to deliver the collected information to relevant departments in a timely manner and reduces the work efficiency. And SPDB should organize specialized personnel to conduct a professional analysis of the collected data to effectively predict internal control risks in advance.
SPD Bank’s supervision of internal control is mainly reflected in the vertical supervision of the internal audit department of the head office and the parallel supervision of branch function management departments. The comprehensive supervision mechanism ensures the legality and effectiveness of internal control. The internal audit department formulates the methods and procedures, identifies and measures various risks, timely discovers potential risk factors and reports to the relevant management.
Branch functional management departments shall make reasonable adjustments based on the internal control processes and specifications and form the internal control management system that is most suitable for the branch without violating the head office regulations. Besides, regular inspections are conducted to check and evaluate the implementation of internal control at various grass-roots operating banks. They collect relevant information in a timely manner, analyze internal control problems and provide feedbacks.
SPDB’s internal audit is mainly based on traditional audits, focusing on performance audits, compliance audits, and departure audits. The risk management audit is relatively weak. The audit concepts and audit methods are relatively backward, which actually leads to the failure of internal audit to identify the systemic risks of banks, and the internal control supervision is ineffective to some extent.
4. Suggestion and Conclusion
To form an effective internal control system, commercial banks in China, such as the Shanghai Pudong Development Bank, should first improve corporate governance and set up a sound mechanism of restriction and supervision. On the one hand, audit committee should be independent and authoritative, and be directly responsible to shareholders and investors of commercial banks, and truly play a supervisory role. On the other hand, all employees should understand the internal control concept and the bank should employ highly professional and ethical personnel for management positions.
At the same time, we must attach importance to the identification, analysis, and control of risks, actively collect internal control information, and establish a reliable risk database to effectively identify potential risks and improve risk assessment. Commercial banks need to make specific and effective risk assessment plans in accordance with their specific business scope.
In addition, it is necessary to improve the information exchange mechanism of commercial banks. We should establish an internal control information monitoring database, and continuously collect and summarize internal and external information related to internal control management. And the database will become a comprehensive tool for dynamic information analysis, and lay the foundation for the use of quantitative technology for internal control management.
Finally, commercial banks should establish a sound management structure and an excellent corporate culture. It is important to formulate a clear system of responsibilities to promote the smooth progress of internal control activities and strengthen the risk prevention awareness of all staff.
In the fierce market competition, commercial banks are facing huge risks and ensuring the smooth operation of commercial banks has an irreplaceable effect on the development of China’s market economy. In recent years, Chinese government departments have continuously strengthened supervision of the banking industry, but only relying on external constraints and supervision cannot guarantee the healthy development of commercial banks. Commercial banks should also pay more attention to internal control from top to bottom and constantly improve the internal control system.
For a high-risk industry such as a commercial bank, internal control involves all aspects, of which risk prevention and control is particularly important. At the same time, it is also necessary to continuously improve the organizational structure and create a good internal control environment. Commercial banks should improve the ability of risk assessment, detect risks timely and effectively, improve the execution of internal control activities and build smooth information exchanges and communication channel to ensure that internal control is effectively supervised. In the process of internal control activities, full participation and full implementation are required, and we must pay attention to the effectiveness and enforcement of various measures.
This paper is based on the five elements of COSO control framework, and selects the nationwide joint-stock commercial banks—Shanghai Pudong Development Bank as research case to study. But there still exist some limitations. Different banks have different internal control systems and characteristics, so the research object is relatively single. And our research is more limited at the theoretical level; in the future we can use more data analysis to make better recommendations for the internal control of commercial banks.
 Abbott, L. J., Parker, S., Peters, G. F., & Rama, D. V. (2007). Corporate Governance, Audit Quality, and the Sarbanes-Oxley Act: Evidence from Internal Audit Outsourcing. The Accounting Review, 82, 803-835.
 Jokipii, A. (2010). Determinants and Consequences of Internal Control in Firms: A Contingency Theory Based Analysis. Journal of Management Governance, 14, 115-144.
 Li, C., Sun, L. L., & Ettredge, M. L. (2010). Financial Executive Qualifications, Financial Executive Turnover, and Adverse SOX 404 Opinions. Journal of Accounting & Economics, 50, 93-110.