SYSC 14.1 Application
This section applies to an insurer unless it is:
- (1)
- (2) an incoming EEA firm; or
- (3)
This section applies to:
- (1) an EEA-deposit insurer; and
- (2)
only in respect of the activities of the firm carried on from a branch in the United Kingdom.
This section does not apply to an incoming ECA provider acting as such.
Internal controls: introduction
A firm must take reasonable steps to establish and maintain adequate internal controls.
The precise role and organisation of internal controls can vary from firm to firm. However, a firm's internal controls should normally be concerned with assisting its governing body and relevant senior managers to participate in ensuring that it meets the following objectives:
- (1) safeguarding both the assets of the firm and its customers, as well as identifying and managing liabilities;
- (2) maintaining the efficiency and effectiveness of its operations;
- (3) ensuring the reliability and completeness of all accounting, financial and management information; and
- (4) ensuring compliance with its internal policies and procedures as well as all applicable laws and regulations.
When determining the adequacy of its internal controls, a firm should consider both the potential risks that might hinder the achievement of the objectives listed in SYSC 14.1.28 G, and the extent to which it needs to control these risks. More specifically, this should normally include consideration of:
- (1) the appropriateness of its reporting and communication lines (see SYSC 3.2.2 G);
- (2) how the delegation or contracting of functions or activities to employees, appointed representatives or, where applicable, its tied agents or other third parties (for example outsourcing) is to be monitored and controlled (see SYSC 3.2.3 G to SYSC 3.2.4 G; additional guidance on the management of outsourcing arrangements is also provided in SYSC 13.9);
- (3) the risk that a firm's employees or contractors might accidentally or deliberately breach a firm's policies and procedures (see SYSC 13.6.3 G);
- (4) the need for adequate segregation of duties (see SYSC 3.2.5 G);
- (5) the establishment and control of risk management committees;
- (6) the need for risk assessment and the establishment of a risk assessment function (see SYSC 3.2.10 G);
- (7) the need for internal audit and the establishment of an internal audit function and audit committee (see SYSC 3.2.15 G to SYSC 3.2.16 G).