CTRL 6.1.5 Reports about internal control and assurance functions

(1) An authorised firm must ensure that each internal control and assurance function makes periodic written reports to the firm’s governing body, or a relevant committee of the body, about the matters in subrule (2).
(2) The matters are the following:
(a) how each internal control and assurance function is performing against the firm’s policies, procedures and controls for the function;
(b) the shorter-term and longer-term objectives of each internal control and assurance function, and the progress made in achieving those objectives;
(c) resources of staff, equipment, time and budget allocated to the internal controls and assurance framework and an analysis of the adequacy of those resources;
(d) any material deficiency, material weakness or material failure of an internal control and assurance function, and the response to the deficiency, weakness or failure.
Guidance
The body or committee could also have regard to:
• reports by the internal audit function that cover the other internal control and assurance functions
• reports commissioned from third parties in relation the internal control and assurance functions.
(3) The body or committee must determine:
(a) how often such a report must be made; and
(b) how serious a deficiency, weakness or failure must be to require reporting under subrule (2) (d).
Note Under GENE, rule 4.1.3 (2) (g), an authorised firm must immediately tell the Regulatory Authority about any material deficiency, material weakness or material failure in the firm’s internal control and assurance functions.

 

Derived from QFCRA RM/2020-4 (as from 1st July 2021)