• CTRL Chapter 6 Internal controls and assurance

    Note for Chapter 6

    An authorised firm’s internal control and assurance framework is made up of the policies, processes, tasks, behaviours and other aspects of its organisation that, taken together:

    • enable the firm to respond appropriately to business, operational, financial, compliance and other risks, and so facilitate its effective operation
    • safeguard the firm’s assets and ensure that its liabilities are identified and managed
    • ensure the quality of the firm’s internal and external reporting (which requires proper records and processes that generate a flow of timely, relevant and reliable information from internal and external sources)
    • ensure that the firm complies with applicable laws and regulations and with its internal policies.

     

    Derived from QFCRA RM/2020-4 (as from 1st July 2021)

    • CTRL Part 6.1 General

      • CTRL 6.1.1 Objectives of internal controls and assurance framework

        An authorised firm must establish and maintain an internal controls and assurance framework to ensure that:

        (a) the firm’s business is conducted efficiently;
        (b) the firm’s assets are safeguarded;
        (c) fraud and other unlawful acts are prevented or detected;
        (d) risk is managed effectively;
        (e) the firm’s financial records are accurate and complete; and
        (f) the preparation of the firm’s financial statements is timely.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 6.1.2 Independence of internal control and assurance functions etc

        (1) An authorised firm must ensure that each individual who exercises an internal control and assurance function is sufficiently free from influence to be effective in achieving the function’s purpose.
        (2) The requirement in subrule (1) is satisfied if reasonable measures have been taken to ensure that:
        (a) no such individual is remunerated in a way that would tend to undermine his or her independence and objectivity in exercising the function;
        Note For the requirements relating to a firm’s remuneration policy, see rule 3.1.16.
        (b) no such individual is involved in performing a function that generates, or is intended to generate, revenue for the firm;
        (c) no such individual is limited or restricted as to the matters that he or she can investigate or report on in the exercise of his or her function;
        (d) the reports and conclusions of such an individual can be honest and candid, without fear of reprisal; and
        (e) pressure or influence is not applied to such an individual to modify his or her reports or conclusions.
        Guidance
        An internal control and assurance function cannot be effective unless its exercise is independent. Independent means, broadly, that the individual who exercises the function is not subjected to pressure to mould or manipulate his or her conclusions or results. An internal control and assurance function that produces only results that are convenient to the firm’s governing body or management would not be regarded as satisfying rule 6.1.1.
        (3) An authorised firm must ensure that:
        (a) each individual who exercises an internal control and assurance function; and
        (b) each employee who is allocated responsibilities within the firm’s corporate governance framework and its risk management framework;
        has all of the following:
        (c) the necessary authority to exercise the function or carry out his or her duties;
        (d) access to all necessary information, documents and records of the firm;
        (e) appropriate access to the firm’s governing body and senior management.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 6.1.3 Direct access to governing body by certain individuals

        An authorised firm’s policies, procedures and controls must provide that an individual who is approved to exercise an internal control and assurance function for the firm is entitled to raise matters directly with the firm’s governing body, the chair of the body, or any relevant committee of the body, and to do so privately (that is, without the presence of any representative of the firm’s senior management).

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 6.1.4 Certain individuals’ obligation to raise matters promptly

        An authorised firm’s policies, procedures and controls must provide that an individual who is approved to exercise an internal control and assurance function for the firm:

        (a) must promptly raise significant matters directly with the firm’s governing body, the chair of the body, or any relevant committee of the body; and
        (b) must promptly tell any other individual to whom this rule applies if the first individual becomes aware of a risk that might have (or a number of risks that, taken together, might have) a significant effect on:
        (i) the firm’s risk management strategy; or
        (ii) the other individual’s functions.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 6.1.5 Reports about internal control and assurance functions

        (1) An authorised firm must ensure that each internal control and assurance function makes periodic written reports to the firm’s governing body, or a relevant committee of the body, about the matters in subrule (2).
        (2) The matters are the following:
        (a) how each internal control and assurance function is performing against the firm’s policies, procedures and controls for the function;
        (b) the shorter-term and longer-term objectives of each internal control and assurance function, and the progress made in achieving those objectives;
        (c) resources of staff, equipment, time and budget allocated to the internal controls and assurance framework and an analysis of the adequacy of those resources;
        (d) any material deficiency, material weakness or material failure of an internal control and assurance function, and the response to the deficiency, weakness or failure.
        Guidance
        The body or committee could also have regard to:
        • reports by the internal audit function that cover the other internal control and assurance functions
        • reports commissioned from third parties in relation to the internal control and assurance functions.
        (3) The body or committee must determine:
        (a) how often such a report must be made; and
        (b) how serious a deficiency, weakness or failure must be to require reporting under subrule (2) (d).
        Note Under GENE, rule 4.1.3 (2) (g), an authorised firm must immediately tell the Regulatory Authority about any material deficiency, material weakness or material failure in the firm’s internal control and assurance functions.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

    • CTRL Part 6.2 Risk management function

      • CTRL 6.2.1 Authorised firms to have risk management function

        An authorised firm must establish and maintain a risk management function that is appropriate to the nature, scale and complexity of the firm’s business.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 6.2.2 What makes up authorised firm’s risk management function?

        (1) An authorised firm’s risk management function is made up of:
        (a) the individual (if any) who is approved to exercise the risk management function for the firm;
        (b) any other employees allocated to the function;
        (c) the part of the firm’s resources (other than staff) allocated to the function;
        (d) the firm’s risk management strategy;
        (e) the firm’s risk management policy; and
        (f) the records that the firm keeps in relation to risk management.
        Note 1 For the requirements relating to the risk management strategy, see rule 7.1.4.
        Note 2 There are also specific requirements in PINS for a QFC insurer’s risk management strategy and policy. See PINS, Chapter 2.
        (2) The purpose of an authorised firm’s risk management function is to monitor and control the firm’s risk exposure.
        (3) The risk management function must provide for timely monitoring of, advising on, investigating and reporting on all reasonably foreseeable material risks.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 6.2.3 Which firms must have individual to exercise risk management function?

        (1) A QFC bank must have an individual who is approved to exercise the risk management function for the firm.
        (2) A QFC insurer (other than a QFC captive insurer) must have an individual who is approved to exercise the risk management function for the firm.
        Note QFC bank, QFC insurer and QFC captive insurer are defined in the Glossary.
        (3) Any other authorised firm must have an individual who is approved to exercise the risk management function for the firm if it is appropriate to do so because of the nature, scale and complexity of the firm’s business.
        (4) The individual who is approved to exercise the risk management function for the following firms must be ordinarily resident in Qatar:
        (a) a QFC bank;
        (b) a QFC insurer (other than a QFC captive insurer) that is incorporated under the Companies Regulations.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

    • CTRL Part 6.3 Compliance oversight function

      • CTRL 6.3.1 Which firms must have compliance oversight function?

        An authorised firm must establish and maintain a compliance oversight function that is appropriate to the nature, scale and complexity of the firm’s business.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 6.3.2 Which firms must have individual to exercise compliance oversight function?

        (1) An authorised firm must have an individual who is approved to exercise the compliance oversight function for the firm.
        (2) The individual who is approved to exercise the compliance oversight function for the following firms must be ordinarily resident in Qatar:
        (a) a QFC bank;
        (b) a QFC insurer (other than a QFC captive insurer) that is incorporated under the Companies Regulations.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 6.3.3 What makes up authorised firm’s compliance oversight function?

        (1) An authorised firm’s compliance oversight function is made up of:
        (a) the individual who is approved to exercise the compliance oversight function for the firm;
        (b) any other employees allocated responsibilities within the function;
        (c) the part of the firm’s resources (other than staff) allocated to the function;
        (d) the firm’s compliance policies and procedures; and
        (e) the records that the firm keeps in relation to compliance matters.
        Note Appropriate records must be kept of policies and procedures — see GENE, rule 6.1.1.
        (2) The purposes of an authorised firm’s compliance oversight function are the following:
        (a) to ensure that the firm complies with:
        (i) decisions of the Regulatory Authority;
        (ii) the firm’s internal policies, procedures and controls; and
        (iii) requirements and standards applicable to the firm under the law applicable in the QFC or any other applicable law;
        (b) to ensure that the firm’s business is conducted ethically and responsibly;
        (c) to minimise the risk of the firm or its facilities being used in the furtherance of financial crime.
        Guidance
        The compliance oversight function includes:
        • monitoring and assessing the adequacy and effectiveness of the firm’s compliance policies and procedures
        • participating in the process of approving new products or significant changes to existing products
        • monitoring and assessing the extent to which it complies with those policies and procedures
        • monitoring and assessing the adequacy and effectiveness of measures taken to correct any deficiencies
        • reporting to the firm’s governing body as necessary
        • maintaining and updating the firm’s compliance policies and procedures in conjunction with the firm’s senior executive function and senior management
        • providing advice and support to the firm’s senior executive function and senior management about compliance issues.
        Note For the meaning of financial crime, see the Glossary.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

    • CTRL Part 6.4 Internal audit function

      • CTRL 6.4.1 Which firms must have internal audit function?

        (1) A QFC bank or a QFC insurer (other than a QFC captive insurer) must establish and maintain an internal audit function.
        (2) An authorised firm that is not required by subrule (1) to have an internal audit function must establish and maintain such a function if it is appropriate to do so because of the nature, scale and complexity of the firm’s business.
        (3) The Regulatory Authority may direct an authorised firm to establish and maintain an internal audit function.
        (4) An authorised firm’s internal audit function must be appropriate to:
        (a) the nature, scale and complexity of the firm’s business; and
        (b) the firm’s risk profile and legal status.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 6.4.2 Which firms must have internal auditor?

        (1) A QFC bank must have an individual who is approved to exercise the internal audit function for the firm.
        (2) A QFC insurer (other than a QFC captive insurer):
        (a) must have an individual who is approved to exercise the internal audit function for the firm; or
        (b) may, with the permission of the Regulatory Authority, appoint a suitably qualified third party as internal auditor.
        (3) For Part 8.2, the appointment of a third party by a QFC insurer is a material outsourcing arrangement.
        (4) Any other authorised firm must have an individual who is approved to exercise the internal audit function for the firm if it is appropriate to do so because of the nature, scale and complexity of the firm’s business.
        (5) The Authority may direct an authorised firm to appoint an individual who is approved to exercise the internal audit function for the firm.
        Guidance
        For a firm that is part of a corporate group, the corporate group internal audit function may be used to perform the function for the firm. This means that the firm is not required to have a dedicated resource for the internal audit function. The work to be undertaken by the internal audit function would depend on the agreed risk-based audit plan for the firm and the corporate group-wide auditor would be best placed to decide that work.
        Note Nothing in this rule prevents a firm from appointing a corporate group employee to the internal audit function.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 6.4.3 What makes up authorised firm’s internal audit function?

        (1) An authorised firm’s internal audit function is made up of:
        (a) the firm’s internal auditor (if any);
        (b) any other employees who are allocated responsibilities within the function;
        (c) the part of the firm’s resources (other than staff) allocated to the function;
        (d) the firm’s audit charter and risk-based audit plan; and
        (e) the records that the firm keeps in relation to internal audit.
        Note For other audit requirements for firms, see GENE, Part 9.5.
        (2) The purpose of an authorised firm’s internal audit function is to provide independent assurance of:
        (a) the adequacy and effectiveness of the firm’s policies and procedures, and the documentation about them, for the firm as a whole, its corporate group, each subsidiary (if any) and each part of the firm (such as a business unit, business area or department);
        (b) the reliability and integrity of information and the means used to identify, measure, classify and report such information;
        (c) the accuracy and currency of the identification of risks and the agreed actions to address them;
        (d) the safeguarding of the firm’s assets and the assets of its depositors, policyholders, clients and other stakeholders;
        (e) the existence of those assets;
        (f) whether the firm’s assets are appropriately segregated from the assets of its depositors, policyholders, clients and other stakeholders; and
        (g) the performance of the firm’s external auditors, to the extent requested by its governing body and consistent with applicable law.
        (3) The internal audit function must carry out regular assessments of the firm’s internal audit policies, procedures and controls and incorporate any necessary improvements.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 6.4.4 Authority of internal auditor

        An authorised firm’s internal audit policies, procedures and controls must provide that:

        (a) the firm’s internal auditor, and any employee allocated responsibilities within the internal audit function, must have access to, and must review, any information, documents and records of the firm that he or she considers necessary to carry out an audit or other review; and
        (b) the internal auditor has the authority:
        (i) to undertake, on his or her own initiative, a review of any area or any function of the firm consistently with the internal audit function’s purpose;
        (ii) to require an appropriate management response to an internal audit report, including the development of a suitable remediation or mitigation plan or other follow-up plan; and
        (iii) to decline to undertake an audit or review, or take on any other duty, that he or she believes is inconsistent with the internal audit function’s purpose or the firm’s internal audit policies and procedures.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

    • CTRL Part 6.5 Actuarial function

      • CTRL 6.5.1 Which QFC insurers must have actuarial function?

        (1) This rule applies to a QFC insurer if:
        (a) the insurer conducts long term insurance business (within the meaning given by PINS, rule 1.2.5 (2)); or
        (b) the insurer conducts general insurance business (within the meaning given by PINS, rule 1.2.5 (1)), and:
        (i) more than 15% of the insurer’s gross outstanding liabilities are attributable to contracts of insurance for general insurance business in PINS category 1; or
        (ii) more than 20% of the insurer’s gross outstanding liabilities are attributable to contracts of insurance for general insurance business in PINS category 4.
        (2) However, this rule does not apply to a QFC captive insurer.
        Note For the obligations of a QFC captive insurer in relation to the actuarial function, see CAPI, Chapter 7.
        (3) A QFC insurer to which this rule applies must establish and maintain an actuarial function that is appropriate to the nature, scale and complexity of the insurer’s business.
        (4) In subrule (1):
        PINS category 1 and PINS category 4 have the respective meanings given by PINS, rule 1.2.8.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 6.5.2 Which QFC insurers must have individual to exercise actuarial function?

        (1) A QFC insurer to which rule 6.5.1 applies must have an individual who is approved to exercise the actuarial function for the firm (an approved actuary).
        (2) The individual must not be one who:
        (a) exercises the senior executive, executive governance or non-executive governance function for the insurer or a related body corporate (except a related body corporate that is a subsidiary of the insurer); or
        (b) is an employee or director of an approved auditor (under the Companies Regulations, article 85 (1)) for the insurer.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 6.5.3 What makes up QFC insurer’s actuarial function?

        (1) A QFC insurer’s actuarial function is made up of:
        (a) each approved actuary for the insurer;
        (b) any other employees who are allocated responsibilities within the actuarial function;
        (c) the part of the insurer’s resources (other than staff) allocated to the function;
        (d) the insurer’s actuarial policies and procedures; and
        (e) the records that the insurer keeps in relation to actuarial matters.
        Note See PINS, Chapter 9, for an insurer’s obligations in relation to actuarial reporting.
        (2) The purpose of the actuarial function of a QFC insurer is to advise the insurer on, and to monitor, investigate and report on, risks that materially affect:
        (a) the insurer’s ability to meet its liabilities to policyholders;
        (b) its capital requirements and solvency position;
        (c) its technical provisions; and
        (d) the setting of its premiums or prices.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

        • CTRL 6.5.3 Guidance

          The matters about which an insurer’s actuary might advise the insurer include:

          • the insurer’s actuarial and financial risks
          • its investment policies and the valuation of its assets
          • its solvency position, including the calculation of the minimum capital required for regulatory purposes and liability and loss provision
          • its prospective solvency position
          • its risk management strategy, and its risk assessment and management policies, procedures and controls relevant to actuarial matters or the financial condition of the firm
          • distribution of policy dividends or other benefits
          • underwriting policies
          • reinsurance arrangements
          • product development and design, including the terms and conditions of insurance contracts
          • the sufficiency and quality of data used to calculate technical provisions
          • risk modelling in the insurer’s own risk and solvency assessment
          • the insurer’s use of internal models.

           

          Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 6.5.4 QFC insurer to give notice before removing approved actuary

        (1) A QFC insurer that has an approved actuary must give the Regulatory Authority reasonable advance notice of any intention to remove the actuary.
        (2) The notice must set out the reasons for the removal.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 6.5.5 QFC insurer to give notice if appointment of approved actuary ends

        If the appointment of a QFC insurer’s approved actuary ends for any reason, the insurer must tell the Regulatory Authority immediately, but by no later than the second business day after the day the appointment ends:

        (a) that the appointment has ended; and
        (b) the reasons for the ending of the appointment.
        Note For the obligation of the approved actuary to notify the Regulatory Authority if his or her appointment ends, see FSR, article 91 (Resignation of auditors and actuaries).

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 6.5.6 QFC insurer to appoint actuary if vacancy arises

        If at any time there is no approved actuary for a QFC insurer to which rule 6.5.1 applies, the insurer must appoint an individual to the actuarial function as soon as practicable, but within 3 months after the day the vacancy arises.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 6.5.7 Authority of QFC insurer’s approved actuary

        The actuarial policies, procedures and controls of a QFC insurer to which rule 6.5.1 applies must provide that:

        (a) the insurer’s approved actuary must have access to, and must review, any information, documents and records of the insurer that he or she considers necessary to carry out a review; and
        (b) the approved actuary has the authority:
        (i) to undertake, on his or her own initiative, a review of any area or any function of the insurer consistently with the actuarial function’s purpose;
        (ii) to require an appropriate management response to an actuarial report, including the development of a suitable remediation or mitigation plan or other follow-up plan; and
        (iii) to decline to undertake a review, or take on any other duty, that he or she believes is inconsistent with the actuarial function’s purpose or the insurer’s actuarial policies and procedures.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

      • CTRL 6.5.8 Regulatory Authority may appoint actuary in certain circumstances

        (1) If no individual is approved to exercise the actuarial function for a QFC insurer to which rule 6.5.1 applies within 28 days after a vacancy arises, the Regulatory Authority may appoint an actuary, or 2 or more actuaries, to exercise any part of the actuarial function for the insurer on the following terms:
        (a) the insurer is to remunerate the actuary or actuaries on a basis agreed between the insurer and the actuary or, if there is no agreement, on a reasonable basis;
        (b) each actuary is to hold office until he or she resigns or an actuary is approved for the insurer;
        (c) each actuary has the same authority within the insurer that he or she would have as an approved actuary.
        (2) The insurer must comply with, and is bound by, the terms on which the Authority appoints an actuary under subrule (1).
        (3) An actuary appointed by the Authority under subrule (1) is not an approved actuary.

         

        Derived from QFCRA RM/2020-4 (as from 1st July 2021)

        • CTRL 6.5.8 Guidance

          1 Rule 6.5.8 allows, but does not require, the Regulatory Authority to appoint an actuary if no actuary has been approved for the insurer within the 28-day period referred to in rule 6.5.8 (1). In considering whether to use that power, the Authority would take into account the likely delay until the insurer can make an appointment, and the urgency of any pending duties of the actuary.
          2 The Authority would not normally seek to appoint an actuary under rule 6.5.8 if the insurer concerned has applied for the approval of an individual to exercise the actuarial function and that application is still being considered.
          3 If the Authority appoints an actuary, the insurer remains obliged to appoint an individual to the actuarial function and must seek the Authority’s approval of the individual (even if the individual it proposes to appoint is the actuary appointed by the Authority).

           

          Derived from QFCRA RM/2020-4 (as from 1st July 2021)