Article 6
Information on internal controls
1. An applicant seeking authorisation to operate an APA or an ARM pursuant to Article 27d of Regulation (EU) No 600/2014 shall include in its application for authorisation detailed information regarding its internal controls’ environment. This shall include information regarding its internal control function, compliance function, risk management and its internal audit function.
2. The detailed information referred to in paragraph 1 shall contain:
|
(a) |
an outline of the organisation of the applicant’s internal control, risk management, compliance and internal audit functions, including where the applicant relies on outsourced functions; |
|
(b) |
an assessment of the key risks that may arise in the operation of the APA or ARM; |
|
(c) |
the applicant’s internal control policies and procedures to ensure the consistent and effective implementation of those policies; |
|
(d) |
any policies, procedures and manuals for monitoring and evaluating the adequacy and effectiveness of the applicant’s systems; |
|
(e) |
any policies, procedures and manuals for controlling and safeguarding the applicant’s information processing systems; |
|
(f) |
the identity of the internal bodies in charge of evaluating any findings resulting from the performance of the internal control and deciding on their outcome. |
3. With respect to the applicant’s internal audit function, the detailed information referred to in paragraph 1 shall contain the following:
|
(a) |
information on the applicant’s adherence to national or international professional standards; |
|
(b) |
any internal audit function charter, methodologies, and procedures; |
|
(c) |
an explanation of how the internal audit methodology, if any, is developed and applied taking into account the nature of the applicant’s activities, complexities and risks; |
|
(d) |
where there is an internal audit committee:
|