The precise role and organisation of internal controls can vary from firm to firm. However, a firm'sinternal controls should normally be concerned with assisting its governing body and relevant senior managers to participate in ensuring that it meets the following objectives:
maintaining the efficiency and effectiveness of its operations;
ensuring the reliability and completeness of all accounting, financial and management information; and
ensuring compliance with its internal policies and procedures as well as all applicable laws and regulations.
8When determining the adequacy of its internal controls, a firm should consider both the potential risks that might hinder the achievement of the objectives listed in SYSC 14.1.28 G, and the extent to which it needs to control these risks. More specifically, this should normally include consideration of:
the appropriateness of its reporting and communication lines (see SYSC 3.2.2 G);
how the delegation or contracting of functions or activities to employees, appointed representatives or, where applicable, its tied agents or other third parties (for example outsourcing) is to be monitored and controlled (see SYSC 3.2.3 G to SYSC 3.2.4 G and the additional guidance on the management of outsourcing arrangements is also provided in SYSC 13.9);
the need for adequate segregation of duties (see SYSC 3.2.5 G);
the establishment and control of risk management committees;
the need for risk assessment and the establishment of a risk assessment function (see SYSC 3.2.10 G);
SYSC 14.1.29G(7) does not apply to a Solvency II firm, but only in relation to references to the internal audit function. It does apply to a Solvency II firm in relation to references to the internal audit committee.
For Solvency II firms, the PRA has made rules implementing the governance provisions of the Solvency II Directive relating to internal controls (article 46), see PRA Rulebook: Solvency II firms: Conditions Governing Business.
The Solvency II Regulation (EU) 2015/35 of 10 October 2014 also imposes specific requirements (see articles 266, 267 and 270).