• CTRL Part 6.1 General

    • CTRL 6.1.1 Objectives of internal controls and assurance framework

      An authorised firm must establish and maintain an internal controls and assurance framework to ensure that:

      (a) the firm’s business is conducted efficiently;
      (b) the firm’s assets are safeguarded;
      (c) fraud and other unlawful acts are prevented or detected;
      (d) risk is managed effectively;
      (e) the firm’s financial records are accurate and complete; and
      (f) the preparation of the firm’s financial statements is timely.

       

      Derived from QFCRA RM/2020-4 (as from 1st July 2021)

    • CTRL 6.1.2 Independence of internal control and assurance functions etc

      (1) An authorised firm must ensure that each individual who exercises an internal control and assurance function is sufficiently free from influence to be effective in achieving the function’s purpose.
      (2) The requirement in subrule (1) is satisfied if reasonable measures have been taken to ensure that:
      (a) no such individual is remunerated in a way that would tend to undermine his or her independence and objectivity in exercising the function;
      Note For the requirements relating to a firm’s remuneration policy, see rule 3.1.16.
      (b) no such individual is involved in performing a function that generates, or is intended to generate, revenue for the firm;
      (c) no such individual is limited or restricted as to the matters that he or she can investigate or report on in the exercise of his or her function;
      (d) the reports and conclusions of such an individual can be honest and candid, without fear of reprisal; and
      (e) pressure or influence is not applied to such an individual to modify his or her reports or conclusions.
      Guidance
      An internal control and assurance function cannot be effective unless its exercise is independent. Independent means, broadly, that the individual who exercises the function is not subjected to pressure to mould or manipulate his or her conclusions or results. An internal control and assurance function that produces only results that are convenient to the firm’s governing body or management would not be regarded as satisfying rule 6.1.1.
      (3) An authorised firm must ensure that:
      (a) each individual who exercises an internal control and assurance function; and
      (b) each employee who is allocated responsibilities within the firm’s corporate governance framework and its risk management framework;
      has all of the following:
      (c) the necessary authority to exercise the function or carry out his or her duties;
      (d) access to all necessary information, documents and records of the firm;
      (e) appropriate access to the firm’s governing body and senior management.

       

      Derived from QFCRA RM/2020-4 (as from 1st July 2021)

    • CTRL 6.1.3 Direct access to governing body by certain individuals

      An authorised firm’s policies, procedures and controls must provide that an individual who is approved to exercise an internal control and assurance function for the firm is entitled to raise matters directly with the firm’s governing body, the chair of the body, or any relevant committee of the body, and to do so privately (that is, without the presence of any representative of the firm’s senior management).

       

      Derived from QFCRA RM/2020-4 (as from 1st July 2021)

    • CTRL 6.1.4 Certain individuals’ obligation to raise matters promptly

      An authorised firm’s policies, procedures and controls must provide that an individual who is approved to exercise an internal control and assurance function for the firm:

      (a) must promptly raise significant matters directly with the firm’s governing body, the chair of the body, or any relevant committee of the body; and
      (b) must promptly tell any other individual to whom this rule applies if the first individual becomes aware of a risk that might have (or a number of risks that, taken together, might have) a significant effect on:
      (i) the firm’s risk management strategy; or
      (ii) the other individual’s functions.

       

      Derived from QFCRA RM/2020-4 (as from 1st July 2021)

    • CTRL 6.1.5 Reports about internal control and assurance functions

      (1) An authorised firm must ensure that each internal control and assurance function makes periodic written reports to the firm’s governing body, or a relevant committee of the body, about the matters in subrule (2).
      (2) The matters are the following:
      (a) how each internal control and assurance function is performing against the firm’s policies, procedures and controls for the function;
      (b) the shorter-term and longer-term objectives of each internal control and assurance function, and the progress made in achieving those objectives;
      (c) resources of staff, equipment, time and budget allocated to the internal controls and assurance framework and an analysis of the adequacy of those resources;
      (d) any material deficiency, material weakness or material failure of an internal control and assurance function, and the response to the deficiency, weakness or failure.
      Guidance
      The body or committee could also have regard to:
      • reports by the internal audit function that cover the other internal control and assurance functions
      • reports commissioned from third parties in relation to the internal control and assurance functions.
      (3) The body or committee must determine:
      (a) how often such a report must be made; and
      (b) how serious a deficiency, weakness or failure must be to require reporting under subrule (2) (d).
      Note Under GENE, rule 4.1.3 (2) (g), an authorised firm must immediately tell the Regulatory Authority about any material deficiency, material weakness or material failure in the firm’s internal control and assurance functions.

       

      Derived from QFCRA RM/2020-4 (as from 1st July 2021)