Article 20
Information on internal controls
(Article 27da(2), point (d), of Regulation (EU) No 600/2014)
1. An applicant seeking authorisation to operate a CT pursuant to Article 27db of Regulation (EU) No 600/2014 shall include in its application for authorisation detailed information regarding its internal control’s environment. This shall include information regarding its internal control function, compliance function, risk management function and its internal audit function.
2. The detailed information set out in paragraph 1 shall contain:
(a) an outline of the organisation of the applicant’s internal control, risk management, compliance and internal audit functions, including where the applicant relies on outsourced functions;
(b) an assessment of the key risks that may arise in the operation of the CT;
(c) the applicant’s internal control policies and procedures to ensure the consistent and effective implementation of those policies;
(d) any policies, procedures and manuals for monitoring and evaluating the adequacy and effectiveness of the applicant’s systems;
(e) any policies, procedures and manuals for controlling and safeguarding the applicant’s information processing systems;
(f) the identity of the internal bodies in charge of evaluating any findings resulting from the performance of the internal control and deciding on their outcome.
3. With respect to the applicant’s internal audit function, the detailed information referred to in paragraph 1 shall contain the following:
(a) information on the applicant’s adherence to national or international professional standards;
(b) any internal audit function charter, methodologies, and procedures;
(c) an explanation of how the internal audit methodology, if any, is developed and applied taking into account the nature of the applicant’s activities, complexities and risks;
(d) where there is an Internal Audit Committee: