CIPR 3.2.2 Systems and controls generally

(1) An authorised firm must have the necessary systems and controls, in relation to every aspect of its operations, to ensure that the firm fully complies with these rules at all times.
(2) The systems and controls must be documented, and must be reviewed periodically (at least annually) to ensure that they are fit for their purpose.

Guidance

The Regulatory Authority expects that the review would be carried out by an individual or individuals of appropriate seniority and authority in the firm — for example, an individual exercising the senior management function (within the meaning given by CTRL, rule 3.1.6) for the firm.
(3) The outcome of each review of the systems and controls must be reported in a durable medium to the firm's governing body.
Derived from QFCRA RM/2019-2 (as from 1st January 2020).