MaGo

12 Internal control system

12.1 General

230 Undertakings must structure their internal control system in accordance with their risk profile. The internal control system must be incorporated appropriately into the organisational and operational structures and processes so that it fulfils its purpose.

231 The internal control system must also take into account any outsourced units and processes.

12.2 Internal control framework and reporting arrangements

232 Undertakings must set out the principles, procedures and measures related to the internal controls in the internal control framework. The internal control framework must be appropriate to the risk profile.

233 The nature, frequency and scope of the internal controls in particular must be based on the risks of the relevant units and processes.

234 The individuals appointed to implement the internal controls must have all of the necessary information available. Corresponding information and communication systems must be established for this.

235 The adequacy and effectiveness of the internal controls must be monitored on an ongoing basis using appropriate procedures.

236 The results of the monitoring must be reported to the full management board on a regular basis, and at least once a year. Ad-hoc reports are also required in specific situations, particularly in the event of significant deficiencies in the internal controls. The management board must ensure that the required adjustments are implemented in good time.

Source: https://www.bafin.de/ref/19621462