Standard 4.1 Internal control arrangements Regulations and guidelines


How to read a standard

A standard is a collection of subject-specific regulations and guidelines which both obliges and guides supervised entities and other financial market participants, indicates the quality level expected by the supervisor, sets out the supervisor’s key principles of good practice and provides justification for regulation.

Each paragraph in a standard is furnished with a particular margin note:

Norm: A reference to a current legal or regulatory provision.

Binding: A FIN-FSA regulation that is legally binding on supervised entities or other financial market participants, issued by the FIN-FSA by virtue of its regulatory power based in Finnish law.

Recommendation: FIN-FSA recommendatory guidance to supervised entities or other financial market participants.

Application guideline/example: A practical application guideline or example related to a norm, binding regulation or recommendation. A reference to a FIN-FSA standard or a particular point in the standard. See the attached example.

Justifications: An explanation of the background, purpose and objectives of a regulation or standard.

Sample standard only

FIN-FSA standards may be accessed from www.fin-fsa.fi/eng


THE FINANCIAL SUPERVISION AUTHORITY Issued on 27 May 2003

4 Capital adequacy and risk management Valid from 1 July 2003 until further notice

4.1 Internal control arrangements Changed on 16 December 2008

J. No. 5/790/2003 3 (27)

tel +358 10 831 51 For further details, please contact

fax +358 10 831 5328 Institutional Supervision, tel. +358 10 831 5207

[email protected]

www.rahoitustarkastus.fi

TABLE OF CONTENTS

1 Application
2 Objectives
3 International framework
4 Legal basis
5 Key principles of internal control
5.1 Internal control as part of skilled management based on sound and prudent business principles
5.2 Responsibility for establishment and maintenance of internal control
5.3 Arrangement of independent non-business functions
5.3.1 Risk control function
5.3.2 Compliance function
5.3.3 Internal audit function
6 Major elements of internal control
6.1 Management policy and control culture
6.2 Risk management
6.3 Daily control and segregation of duties
6.4 Reporting and communication
6.5 Monitoring the functioning of internal control
6.6 Prudential systems
7 Reporting to FIN-FSA


8 Definitions
9 Further details
10 Revision history


1 APPLICATION

Issued on 16.12.2008, valid from 1 January 2009

(1) This standard comprises the key principles and arrangements of internal control and of the risk management forming an integral part thereof. The standard applies to the following companies as referred to in section 5 of the Act on the Financial Supervision Authority:

- credit institutions and their holding companies
- investment firms and their holding companies
- fund management companies
- holding companies of financial and insurance conglomerates whose primary business is financial
- the central body referred to in the Act on Cooperative Banks and Other Cooperative Credit Institutions (Cooperative Banks Act) (1504/2001)
- stock exchanges and organisations controlling stock exchanges as referred to in chapter 1, section 5 of the Securities Markets Act.

Issued on 27 May 2003, valid from 1 July 2003

(2) In addition, the standard applies to parent companies of financial and insurance conglomerates whose primary business is financial.

Issued on 27 May 2003, valid from 1 July 2003

(3) Below, the general expression ‘supervised entity’ refers to all entities mentioned in paragraphs 1 and 2.

Issued on 16 December 2008, valid from 1 January 2009

(4) Internal control shall cover all functions of the supervised entity. The internal control arrangements must be commensurate with the supervised entity’s organisational structure and the nature, scale and complexity of its activities. Particular attention must be paid to the internal control arrangements when the entity in question is a group or it is engaged in business in several countries.


Issued on 16 December 2008, valid from 1 January 2009

(5) If a supervised entity belongs to a group or another conglomerate, this fact affects the organisation of its operations. A parent company guides and controls the operations of its subsidiaries. Operations in the group can be centrally planned and executed. Supervised entities that are subsidiaries shall in the group see to the execution of the entity’s core operations and make sure that related decisions are made in an appropriate manner in the entity.

Issued on 16.12.2008, valid from 1 January 2009

(6) The standard applies to various supervised entities and functions. The supervised entity shall consider the nature, scale and complexity of its operations and other possible related factors when assessing how it in its operations should meet the objectives of the standard in an appropriate and efficient manner – what matters is that the board of directors can be assured of the functioning and effectiveness of internal control. Compliance with binding rules on internal control only as applicable requires a specific decision by the board of directors concerning the observance of alternative control practices. The supervised entity shall always ensure that the internal control is adequate and commensurate with the risks involved in its operations.

Issued on 27 May 2003, valid from 1 July 2003

(7) The Financial Supervision Authority (FIN-FSA) recommends that supervised entities that are not bound by this standard also arrange their internal control in accordance with the principles of the standard.

Issued on 16.12.2008, valid from 1 January 2009

(8) The duties of the board of directors and the CEO and of the internal audit and compliance functions and the performance of those duties have been elaborated on in FIN-FSA standard 1.3 ‘Internal governance and organisation of activities’.

Requirements on the integrity, fitness and professional competence (fitness and propriety) of persons responsible for a supervised entity’s management and core business functions and the principles to be followed in fit and proper assessment have been dealt with in FIN-FSA standard 1.4 ‘Assessment of fitness and propriety’.

Detailed risk management regulation is provided in the separate standards for each risk area included in section 4 ‘Capital adequacy and risk management’ of the FIN-FSA set of regulations.

Separate standards have also been issued on the Internal Capital Adequacy Assessment Process ICAAP (standard 4.2) and on outsourcing arrangements (standard 1.6).


2 OBJECTIVES

Issued on 27 May 2003, valid from 1 July 2003

(1) Entities supervised by FIN-FSA must be managed by skilled professionals and according to sound and prudent business principles, and internal control arrangements must form an integral part of this process.

Issued on 16.12.2008, valid from 1 January 2009

(2) The objective of the regulation of internal control arrangements is to ensure that

- the internal control of a supervised entity and of companies within its consolidation group is commensurate with the nature, scale and complexity of their activities
- the supervised entity and companies within its consolidation group do not take such risks in their activities as could materially jeopardise the supervised entity’s capital adequacy, liquidity or consolidated capital adequacy
- the supervised entity’s internal control methods enable detection, assessment and limitation of the risks involved in the business
- the supervised entity complies with the code of conduct in its customer relations.

Issued on 16.12.2008, valid from 1 January 2009

(3) Another objective of the standard is to provide a general presentation of the most important principles to be applied by the supervised entity in its internal control arrangements. In particular, the standard emphasises the responsibility of the supervised entity’s board of directors for the establishment and maintenance of internal control.


3 INTERNATIONAL FRAMEWORK

Issued on 16.12.2008, valid from 1 January 2009

(1) The standard is based on the recommendations of the Basel Committee on Banking Supervision and the Committee of European Banking Supervisors (CEBS). In the October 2006 revision of its recommendation ‘Core Principles for Effective Banking Supervision’, the Basel Committee has presented core principles for internal control arrangements commensurate with the size of the bank and the scale of the business. These principles include clear arrangements for:

- delegating authority and responsibility
- separation of the functions that involve making commitments on behalf of the bank, disbursement of funds from the bank, and accounting for its assets and liabilities
- reconciliation of these processes
- safeguarding the bank’s assets
- appropriate and independent functions to test the functioning and effectiveness of internal control and adherence to applicable laws and regulations.

Issued on 27 May 2003, valid from 1 July 2003

(2) In September 1998, the Basel Committee issued the recommendation ‘Framework for Internal Control Systems in Banking Organisations’. In that recommendation it emphasises that credit institutions’ board of directors, CEO and other senior management as well as internal and external audit shall pay increased attention to internal control arrangements and to ongoing evaluation of their functioning. The principles of the recommendation constitute the main contents of chapter 6 of this standard.

Issued on 16.12.2008, valid from 1 January 2009

(3) In section 2.1 of the CEBS document ‘Guidelines on the Application of the Supervisory Review Process under Pillar 2 (CP03 revised)’ of January 2006, some basic principles assisting supervisors in achieving greater consistency are presented in order to provide guidance on business organisation and management and on assessment of internal control arrangements. Section 5.3 of this standard takes into account the principles of section 2.1 C of those guidelines, ie principles for arranging independent non-business functions.


4 LEGAL BASIS

Issued on 16.12.2008, valid from 1 January 2009

(1) The national regulatory framework for internal control arrangements is based on the following EC directives:

- Directive 2006/48/EC of the European Parliament and of the Council relating to the taking up and pursuit of the business of credit institutions (32006L0048; OJ L 177, 30.6.2006, p. 1−200)
- Directive 2004/39/EC of the European Parliament and of the Council on markets in financial instruments amending Council Directives 85/611/EEC and 93/6/EEC and Directive 2000/12/EC of the European Parliament and of the Council and repealing Council Directive 93/22/EEC (32004L0039; OJ L 145, 30.4.2004, p. 1−44)
- Commission Directive 2006/73/EC implementing Directive 2004/39/EC of the European Parliament and of the Council as regards organisational requirements and operating conditions for investment firms and defined terms for the purposes of that Directive (32006L0073; OJ L 241, 2.9.2006, p. 26−58)
- Directive 2006/49/EC of the European Parliament and of the Council on the capital adequacy of investment firms and credit institutions (32006L0049; OJ L 177, 30.6.2006, p. 201−255)
- Council Directive 85/611/EEC on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) (31985L0611; OJ L 375, 31.12.1985, p. 3−18) and Directive 2001/107/EC of the European Parliament and of the Council amending Council Directive 85/611/EEC on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) with a view to regulating management companies and simplified prospectuses (32001L0107; OJ L 41, 13.2.2002, p. 20−34)


- Directive 2002/87/EC of the European Parliament and of the Council on the supplementary supervision of credit institutions, insurance undertakings and investment firms in a financial conglomerate and amending Council Directives 73/239/EEC, 79/267/EEC, 92/49/EEC, 92/96/EEC, 93/6/EEC and 93/22/EEC, and Directives 98/78/EC and 2000/12/EC of the European Parliament and of the Council (32002L0087; OJ L 35, 11.2.2003, p. 1−27).

Issued on 16.12.2008, valid from 1 January 2009

(2) Detailed provisions on internal control arrangements included in article 22 and Annex V of Directive 2006/48/EC deal with sound administrative procedures and internal control arrangements as part of the criteria for taking up the business of a credit institution. Annex V of Directive 2006/48/EC includes detailed fundamental requirements on governance arrangements and risk classification and management.

Issued on 16.12.2008, valid from 1 January 2009

(3) Corresponding requirements pertain to investment firms on the basis of article 34 of Directive 2006/49/EC of the European Parliament and of the Council on the capital adequacy of investment firms and credit institutions. The article states that each investment firm shall fulfil the requirements in article 22 of Directive 2006/48/EC.

Issued on 16.12.2008, valid from 1 January 2009

(4) Requirements on adequate internal control mechanisms, effective risk management principles and procedures, and independent risk management arrangements in supplying investment services are included in article 13 of Directive 2004/39/EC and articles 5−9 of Directive 2006/73/EC.

Issued on 16.12.2008, valid from 1 January 2009

(5) Internal control and the risk management forming an integral part thereof are regulated nationally through

- section 49, subsection 1 of the Credit Institutions Act (121/2007, CIA), which includes a general provision on risk management. The corresponding provision concerning a consolidation group is included in section 74 of the same Act
- section 54, subsection 2 of the CIA, which requires that credit institutions have principles and procedures for solvency and risk management. The corresponding provision concerning a consolidation group is included in section 78, subsection 2 of the same Act
- sections 33−35 of the Investment Firms Act (922/2007, IFA) and section 46, subsection 1 of the same Act (reference provision; see also section 2, subsection 5 of the CIA and section 5, subsection 5 of the MFA)
- section 30, subsection 1 of the Mutual Funds Act (48/1999, MFA), which includes requirements on internal control and adequate risk management systems, and section 6, subsection 5 of the same Act (as regards fund management companies providing asset management, reference to section 46, subsection 1 of the IFA and thereby to the CIA)
- section 5 of the Cooperative Banks Act (1504/2001, CBA), which includes a general provision on risk management, and section 8, subsections 3 and 5 of the same Act, which deal with the capital adequacy assessment process in the amalgamation
- section 16, subsections 1−2 of the Act on Supervision of Financial and Insurance Conglomerates (699/2004, CSA), which include a general provision on risk management
- chapter 3, section 17 of the Securities Markets Act (495/1989, SMA), which includes a provision on arrangement of operations and chapter 4, section 12 of the same Act, which includes a requirement as regards securities intermediaries on a policy for identification and prevention of conflicts of interest (see also section 26, subsection 2 of the MFA on avoidance of conflicts of interest).

Issued on 16.12.2008, valid from 1 January 2009

(6) FIN-FSA’s power to issue binding regulations on the subject of the standard is based on the following provisions:

- section 2, subsection 5 and section 93, subsection 1 of the CIA
- section 35 and section 46, subsection 1 (reference provision to the CIA) and subsection 2 of the IFA
- section 5, subsection 5, section 26, subsection 3 and section 30a, subsection 3 of the MFA as well as section 6, subsection 5 of the same Act (as regards fund management companies providing asset management, reference to section 46, subsection 1 of the IFA and thereby to the CIA)
- section 5 and section 8, subsection 5 (capital adequacy assessment process) of the CBA
- section 16, subsection 3 of the CSA


- chapter 3, section 17, subsection 3 and chapter 4, section 12, subsection 4 of the SMA.


5 KEY PRINCIPLES OF INTERNAL CONTROL

5.1 Internal control as part of skilled management based on sound and prudent business principles

Justifications (issued on 16.12.2008, valid from 1 January 2009)

(1) The supervised entity must have a skilled management that follows sound and prudent business principles.

Justifications (issued on 16.12.2008, valid from 1 January 2009)

(2) The key pillar of skilled management based on sound and prudent business principles is effective and reliable internal control arrangements.

Justifications (issued on 16.12.2008, valid from 1 January 2009)

(3) Internal control comprises economic and other control and is carried out by the board of directors, CEO and other senior management as well as the entire personnel. Internal control is by definition the part of management and operations that seeks to ensure

- accomplishment of stated goals and objectives
- economic and effective use of resources
- adequate management of risks inherent in operations
- reliability and correctness of financial and other management information
- compliance with regulations
- adequate safeguarding of operations, data and assets of supervised entities and customers
- adequately and appropriately organised manually operated and IT-based systems to support the operations pursued.


5.2 Responsibility for establishment and maintenance of internal control

Norm (issued on 16.12.2008, valid from 1 January 2009)

(4) The board of directors is responsible for a supervised entity’s administration and for an appropriate organisation of its operations. [1]

Justifications (issued on 16.12.2008, valid from 1 January 2009)

(5) The responsibilities of the board of directors and the CEO are specified in corporate legislation and in the articles of association and rules of the supervised entity.

Justifications (issued on 16.12.2008, valid from 1 January 2009)

(6) The appropriate organisation of operations includes adequate and functioning establishment and maintenance of internal control.

Application guideline (issued on 16.12.2008, valid from 1 January 2009)

(7) As regards the duties of the board of directors, this standard also takes into account the possibility of a supervisory board within the supervised entity. If there is a supervisory board, it is important that the segregation of duties between the board of directors and the supervisory board is clearly specified.

Application guideline (issued on 16.12.2008, valid from 1 January 2009)

(8) A parent company’s board of directors should be assured of the compliance with harmonised principles of internal control in all entities controlled by the company. The conduct of the parent company’s board of directors in this respect does not affect the responsibility of a subsidiary’s board of directors for the internal control arrangements within its own company.

5.3 Arrangement of independent non-business functions

Binding (issued on 16.12.2008, valid from 1 January 2009)

(9) In the supervised entity, the following independent non-business functions shall be arranged to ensure effective and comprehensive internal control for all areas of operation of the supervised entity:

- risk control function
- compliance function
- internal audit function.

[1] See chapter 6, section 2, subsection 1 of the Companies Act (CA), chapter 5, section 6, subsection 2 of the Cooperatives Act (COA) and section 52, subsection 1 of the Savings Bank Act (SBA).


Binding (issued on 16.12.2008, valid from 1 January 2009)

(10) The board of directors shall ensure that the risk control function, compliance function and internal audit function have sufficient and skilled human resources commensurate with the nature, scale and complexity of the supervised entity’s activities.

5.3.1 Risk control function

Binding (issued on 16.12.2008, valid from 1 January 2009)

(11) An independent risk control function outside the risk-taking business must be established to monitor the risk-taking activities.

Binding (issued on 16.12.2008, valid from 1 January 2009)

(12) By controlling risks and risk management, the risk control function shall ensure the supervised entity’s compliance with the risk management principles and risk strategy approved by the board of directors. The function shall maintain, develop and prepare risk management principles for approval by the board of directors and design and develop procedures for controlling risks and risk management. It shall make sure that each risk remains within confirmed limits. It shall also make sure that the procedures available for measuring each risk are appropriate and reliable. The procedures must include assessment of the impact of exceptional situations (stress tests).

Binding (issued on 16.12.2008, valid from 1 January 2009)

(13) In addition, the risk control function must ensure that the total effect of all material business risks on the performance of the supervised entity and its consolidation group and on the regulatory capital is reported to the board of directors.

Binding (issued on 16.12.2008, valid from 1 January 2009)

(14) Furthermore, a comprehensive summary or account of the operations of the risk control function and its observations shall be submitted at least once a year to the board of directors. Measures taken to remedy possible shortcomings shall be mentioned in the summary or account.

Justifications (issued on 16.12.2008, valid from 1 January 2009)

(15) Based on the summary or account, the board of directors will make an assessment of the reliability and effectiveness of risk control within the supervised entity.

Application guideline (issued on 16.12.2008, valid from 1 January 2009)

(16) No risk control function need be established if the nature and scale of the business carried out by the supervised entity is such that the board of directors is otherwise capable of ensuring the functioning and effectiveness of risk management.

Binding (issued on 16.12.2008, valid from 1 January 2009)

(17) Not to establish a risk control function in the supervised entity requires a specific decision by the board of directors. The decision shall make it clear how the board of directors can ensure the functioning and effectiveness of risk management.


Binding. Issued on 16.12.2008. Valid from 1 January 2009.

(18) If the supervised entity does not have a separate and independent risk control function, it shall appoint a person responsible for the function.

5.3.2 Compliance function

Justifications. Issued on 16.12.2008. Valid from 1 January 2009.

(19) The success of financial market participants requires that their customers and the market have confidence in their activities. Careful compliance with legislation, the guidelines and regulations issued by the authorities and the self-regulation of the market will help to maintain such confidence. Compliance with internal rules of the supervised entity, binding ethical principles for the personnel and other instructions also support confidence.

Application guideline. Issued on 16.12.2008. Valid from 1 January 2009.

(20) Provisions on the compliance function are included in FIN-FSA Standard 1.3 ‘Internal governance and organisation of activities’.

5.3.3 Internal audit function

Justifications. Issued on 16.12.2008. Valid from 1 January 2009.

(21) Internal audit is an independent and objective assessment and verification function to test the adequacy, functioning and effectiveness of internal control.

Application guideline. Issued on 16.12.2008. Valid from 1 January 2009.

(22) Provisions on the internal audit and internal audit arrangements are included in FIN-FSA Standard 1.3 ‘Internal governance and organisation of activities’.


6 MAJOR ELEMENTS OF INTERNAL CONTROL

6.1 Management policy and control culture

Norm. Issued on 16.12.2008. Valid from 1 January 2009.

(1) The board of directors is responsible for a supervised entity’s administration and for the appropriate organisation of its operations. [2]

Binding. Issued on 16.12.2008. Valid from 1 January 2009.

(2) Functioning and effective internal control requires that the board of directors, CEO and other senior management:

• promote the formation of a corporate culture that accepts internal control as a normal and necessary part of corporate operations

• ensure that the employees are skilled, that they are suitable for and committed to their job, and that they understand the importance of internal control and their own contribution to it.

Application guideline/example. Issued on 16.12.2008. Valid from 1 January 2009.

(3) Typical duties of the board of directors as regards internal control are to:

• bear primary responsibility for internal control and its functioning

• approve the principles of risk management and ensure that they contain a procedure for the start-up of new business activities and for introducing new products

• be assured of the functioning of risk management and of its compliance with legislation and authority regulations or guidelines

• decide on reporting and other internal control procedures through which the board of directors monitors operations, operating performance and the risks involved in the operations.

[2] See chapter 6, section 2, subsection 1 of the CA, chapter 5, section 6, subsection 2 of the COA and section 52, subsection 1 of the SBA.

Norm. Issued on 16.12.2008. Valid from 1 January 2009.

(4) The CEO shall take care of the executive management of the company in accordance with instructions issued by the board of directors. [3]

Application guideline/example. Issued on 16.12.2008. Valid from 1 January 2009.

(5) The duties of the CEO and other senior management include:

• ensuring that the practical measures of internal control are taken

• developing and maintaining procedures that are based on risk management principles approved by the board of directors and through which risks are recognised, assessed and measured as well as monitored and limited; these procedures shall be documented

• maintaining an organisational structure in which responsibilities, powers and reporting relationships are clearly and comprehensively defined in writing

• arranging independent non-business functions to ensure effective and comprehensive internal control for all areas of operation of the supervised entity.

6.2 Risk management

Justifications. Issued on 16.12.2008. Valid from 1 January 2009.

(6) Risk management forms an integral part of internal control. The purpose of risk management is to ensure that material risks are recognised, assessed and measured as well as monitored as part of the daily management of business activities.

Binding. Issued on 27 May 2003. Valid from 1 July 2003.

(7) Risk management shall cover all material business risks of the supervised entity: both internal and external, both measurable and non-measurable, both risks controllable by the supervised entity and risks that cannot be controlled, i.e. risks that the supervised entity can only protect itself against. The supervised entity shall specify measurement methods for measurable risks and develop appropriate assessment methods for the management of non-measurable risks.

Binding. Issued on 27 May 2003. Valid from 1 July 2003.

(8) The supervised entity must continuously develop and maintain risk management procedures to ensure that all new and material but so far unrecognised risks also become covered by risk management.

[3] See chapter 6, section 17, subsection 1 of the CA, chapter 5, section 6, subsection 2 of the COA and section 56 of the SBA.


Application guideline. Issued on 16.12.2008. Valid from 1 January 2009.

(9) Detailed risk management regulation by risk area is provided in the separate standards for each risk area included in section 4 of FIN-FSA’s set of regulations.

6.3 Daily control and segregation of duties

Binding. Issued on 16.12.2008. Valid from 1 January 2009.

(10) Internal control shall be part of the supervised entity’s daily activities.

Justifications. Issued on 16.12.2008. Valid from 1 January 2009.

(11) Functioning and effective internal control requires that an appropriate internal control structure is set up in the supervised entity with control activities defined at every business level.

Justifications. Issued on 16.12.2008. Valid from 1 January 2009.

(12) Functioning and effective internal control also requires appropriate segregation of duties between different individuals and that measures are taken to ensure that no member of the supervised entity’s personnel, as a representative of the entity, monitors its own business or the business of related entities or otherwise influences and/or participates in decision-making concerning such business. Possible high-risk combinations of duties in an individual’s job description, or conflicts of interest, shall be recognised and, if possible, eliminated.

Application guideline/example. Issued on 16.12.2008. Valid from 1 January 2009.

(13) Daily control activities include reports to the board of directors, CEO and other senior management, appropriate measurements applicable to each business area and unit, physical controls, checking for compliance with agreed exposure limits and operating principles/instructions and follow-up on non-compliance, a system of approvals and authorisations, and different verification and reconciliation measures.

Application guideline. Issued on 16.12.2008. Valid from 1 January 2009.

(14) Management of conflicts of interest and other organisation of activities of supervised entities providing investment services have been regulated in detail in FIN-FSA Standard 1.3 ‘Internal governance and organisation of activities’.

6.4 Reporting and communication

Justifications. Issued on 16.12.2008. Valid from 1 January 2009.

(15) One of the preconditions of effective internal control is that the board of directors, CEO and other senior management, as a basis for their decision-making, are provided with adequate and comprehensive information, such as the entity’s own internal financial and operational data, data on compliance with external regulations and internal procedures, and external data on the business environment and market developments. The information shall be reliable, material, timely, and provided in the agreed format.

Recommendation. Issued on 16.12.2008. Valid from 1 January 2009.

(16) To ensure effective internal control, the flow of necessary information should be free upward, downward and laterally throughout the organisation.

Justifications. Issued on 16.12.2008. Valid from 1 January 2009.

(17) A well-implemented organisational structure supports the upward flow of information so that the board of directors, CEO and other senior management get the information they need (on operating performance, risks, deviations, observations of effective control etc.). An appropriate downward flow of information ensures that the personnel have knowledge of policies and procedures approved by the board of directors that are necessary for executing their duties, and that they are also provided with other information needed for executing their duties.

Binding. Issued on 16.12.2008. Valid from 1 January 2009.

(18) The CEO and other senior management of the supervised entity shall ensure that individuals at all levels in the organisation receive the information they need for executing their duties.

6.5 Monitoring the functioning of internal control

Binding. Issued on 27 May 2003. Valid from 1 July 2003.

(19) The functioning of internal control in the supervised entity shall be assessed effectively and from a variety of perspectives. At agreed intervals, internal control shall also be audited as a larger whole.

Justifications. Issued on 16.12.2008. Valid from 1 January 2009.

(20) A precondition of effective and versatile internal control is that any shortcomings and development issues therein detected in the business activities of the supervised entity are documented and reported to the appropriate management level and remedied promptly.

Recommendation. Issued on 27 May 2003. Valid from 1 July 2003.

(21) Material observations should be reported all the way to the CEO and board of directors. Summarising reports should also be prepared on identified issues and corrective measures so that the supervised entity’s board of directors and CEO can obtain an overall picture of the functioning and effectiveness of internal control.

6.6 Prudential systems

Binding. Issued on 27 May 2003. Valid from 1 July 2003.

(22) The supervised entity shall have adequate and appropriately designed manual and IT systems commensurate with the nature and complexity of its activities. The systems shall form the basis for the entity’s operational activities.

Binding. Issued on 16 December 2008. Valid from 1 January 2009.

(23) The activities, data processing and communication of the supervised entity shall be arranged in an adequately prudential manner and the assets and information shall also be secured.

Application guideline. Issued on 16 December 2008. Valid from 1 January 2009.

(24) Detailed regulation on IT systems and IT security is provided in FIN-FSA Standard 4.4b ‘Management of operational risk’.


7 REPORTING TO FIN-FSA

Justifications. Issued on 27 May 2003. Valid from 1 July 2003.

(1) The internal control arrangements do not involve a separate, regular obligation of reporting to FIN-FSA.

Application guideline. Issued on 16.12.2008. Valid from 1 January 2009.

(2) However, the supervised entities shall in their financial statements also provide regular information on arrangements for internal control and for the risk management forming an integral part thereof.

Application guideline. Issued on 16.12.2008. Valid from 1 January 2009.

(3) Detailed regulation of the contents of the information to be presented in the financial statements is provided in the section ‘Accounting and financial statements’ in FIN-FSA’s set of regulations.


8 DEFINITIONS

Issued on 16.12.2008. Valid from 1 January 2009.

Independent non-business functions neither participate in the business management nor carry responsibility for the financial performance. As a rule, a function may be considered independent when the following terms and conditions are fulfilled:

• within the organisation the function is separated from the activities that it controls. The manager of the function is placed under a person who is not responsible for the activities that the function controls

• the staff of the function performs no duties that are included in those that the function is supposed to control

• the manager of the function is accountable directly to the board of directors, CEO and other senior management and/or the audit committee

• the employment of the staff of the function is not connected to the financial performance of the activities that the function controls.

Issued on 16.12.2008. Valid from 1 January 2009.

Other senior management includes persons that in addition to the board of directors and the CEO actually manage the activities of the supervised entity. For example, the manager of an important business line of the supervised entity may be such a person. Together with the board of directors and the CEO, the members of other senior management constitute the senior management of the supervised entity.


9 FURTHER DETAILS

Please find the necessary contact information in the list of Persons responsible for standards provided on the FSA website. For further information, please contact: Institutional Supervision, tel. +358 10 831 5207


10 REVISION HISTORY

When this standard entered into force (on 1 July 2003), it repealed the following FIN-FSA regulations and guidelines:

• Regulation on risk management and other aspects of internal control in credit institutions (108.1)

• Guideline on risk management and internal control principles as well as internal audit function of credit institutions (108.2), with the exception of the provisions on data processing and internal audit. Details on those will be provided in standards to be completed at a later date.

• Guideline on risk management and other aspects of internal control in stock exchange (202.13), with the exception of the provisions on data processing and internal audit. Details on those will be provided in standards to be completed at a later date.

• Regulation on risk management and other aspects of internal control in investment firms (203.27)

• Guideline on risk management and internal control principles as well as internal audit function of investment firms (203.28), with the exception of the provisions on data processing and internal audit. Details on those will be provided in standards to be completed at a later date.

• Guideline on risk management and other aspects of internal control in central securities depository (206.4), with the exception of the provisions on data processing and internal audit. Details on those will be provided in standards to be completed at a later date.

Section 5.4 has been repealed by Standard 1.6 ‘Outsourcing arrangements’, which became valid on 1 November 2007.


On 16 December 2008, the standard was revised as follows:

Issued on 16 December 2008, valid from 1 January 2009

• Changes in the international and national regulatory framework have been taken into account.

• The scope of application has been extended to include fund management companies, holding companies of financial and insurance conglomerates whose primary business is financial, and stock exchanges and organisations controlling stock exchanges as referred to in chapter 1, section 5 of the Securities Markets Act.

• The objectives of the standard have been presented more clearly.

• The name of the standard has been changed from ‘Establishment and maintenance of internal control and risk management’ to ‘Internal control arrangements’.

• A new section 5.3 ‘Arrangement of independent non-business functions’ has been added.

• The previous section 5.3 ‘Independent risk management assessment’ has been moved and included as subsection 5.3.1 ‘Risk control function’ after revision of the function task description.

• Two new subsections 5.3.2 ‘Compliance function’ and 5.3.3 ‘Internal audit function’ have been added.

• New margin notes have been introduced.

• The definition of independent function has been revised.

• The definitions of board of directors and senior management have been removed.

• A new definition of other senior management has been added.

• The text of the standard has been rephrased.

All earlier versions of the standard have been gathered under Regulation/FSA standards on the FIN-FSA website.