How licensed corporations can strengthen their internal controls
The SFC’s April – June 2021 Quarterly Report states that of the total 245 breaches discovered during the SFC’s on-site inspections for that quarter, 65 of those breaches related to internal control weaknesses. The SFC further explained that these internal control weaknesses comprised deficiencies in areas such as:
- management review and supervision
- operational controls over the handling of client accounts
- segregation of duties
- information management
- adequacy of audit trail for internal control purposes
Accordingly, we take this opportunity to remind licensed corporations of the following tips to strengthen their internal controls.
Management review and supervision
- Written policies and procedures need to be well-communicated to and followed by staff.
- Clear reporting lines should be implemented with supervisory and reporting responsibilities assigned to the appropriate staff.
Operational controls over the handling of client accounts
- Effective internal controls should be implemented for the operation of bank accounts so that client money is properly safeguarded and regulated financial resources requirements are complied with.
Segregation of duties
- Where practicable, supervisory and other internal review or advisory functions should be effectively segregated from line operational duties.
- Certain operational functions must be segregated to avoid conflicts of interest, e.g. trade, settlement, risk management and accounting.
- Where a potential conflict of interests exists, the sales and dealing function should be segregated from the research function. Keep in mind that the SFC takes a pragmatic approach however; as such, the SFC will consider factors such as the size of the firm in determining the extent to which it can segregate duties.
- Qualified and experienced staff members should be assigned with managing information, whether it is information stored in physical or electronic form.
- Operating and information management systems should meet the licensed corporation’s needs and operate in a secure and adequately controlled environment.
- Information management reporting requirements should be clearly defined so that required internal and external reports can be produced in a timely manner.
- Key components of the design and implementation of an information management system should be adequately documented and regularly reviewed.
- With regards to electronic data processing, policies and procedures should be implemented to prevent and detect the occurrence of errors, omissions, etc., to the data.
- Management should maintain effective record retention policies.
Adequacy of audit trail for internal control purposes
- Audit trails should be clear and comprehensive, precisely recording all orders (both client and internally generated) from the time of origination through to execution and settlement. For clarity, sequential numbering and time-stamping facilities should be used when applicable. With such audit trails in place, suspected improprieties should be able to be thoroughly investigated.