Changing international regulations are old news these days, particularly in the foreign press.
Not to be outdone, in May and June, the Cayman Islands Monetary Authority implemented and updated new guidelines for internal controls in the financial services sector. If you are thinking "oh no, not another publication about Basel II or Sarbanes Oxley," think again.
The new guidance issued by CIMA addresses plain old internal controls. These new and updated guidelines transcend many sectors of the financial services industry in the Cayman Islands, including the Insurance industry, those providing Fiduciary Services including Trust Companies, Company Managers, and Corporate Service Providers and Securities Investment Businesses and banks.
Given this new guidance and combined with a global environment of increasing and evolving regulation, it is no surprise that senior management are faced with sleepless nights contemplating how to address this regulatory onslaught and the consequences of non-compliance.
CIMA's new guidance encompasses a broad range of internal control objectives, and are designed to ensure that comprehensive internal audit programmes are in place throughout the financial services sector. These are discussed briefly below:
Regarding the Statement of Guidance for Internal Controls in the Insurance Industry, which was revised in June, this focuses on several key areas, including; establishing and ensuring effective and efficient operations with delegation of authority and segregation of the key components of critical functions, and financial management for accounting procedures, regulations, control lists, and management information. Also addressed in the revised guidance are insurance activities, claims handling, and contract management and compliance.
The Statement of Guidance for Internal Controls for Trust Companies, Company Managers and Corporate Service Providers highlights areas including management and supervision by the board of directors, risk management and the risk assessment process, and operational controls. Operational areas of note include physical controls to restrict access to tangible assets such as cash, securities, and important documentation including trust agreements and certificates of incorporation.
Information management controls including the documentation of system design and implementation, data processing and data security policies, and effective record retention policies are also important components of this guidance.
SIB's Statement of Guidance for Internal Controls addresses the requirement for oversight by the board of directors over business activities, and the requirement for the board of directors to provide governance, guidance and oversight to senior management. Senior management is tasked with the responsibility for implementing strategies and policies that are approved by the board in addition to developing processes that identify, measure, monitor and control risks incurred by the organisation. The process of continuously performing a risk assessment is considered critical due to the fact that SIBs are in the business of risk-taking.
Therefore, as part of a strong internal control system, SIBs must continuously recognise and assess business risks. Operational controls such as segregation of duties, physical controls over assets, approvals, authorisations, verifications, and reconciliations are also deemed necessary.
Areas pervasive across the financial services industry include risk management practices and controls over management information systems and business continuity planning. The importance of regulatory compliance reporting is highlighted and particular focus is placed on compliance with application laws, regulations, rules, guidance, and statements, as well as industry codes of practice.
Adequate employee training is stressed as a vital element of effective risk management, although often overlooked, it is considered essential for strong corporate governance and compliance with regulatory requirements. Monitoring activities that require an effective and comprehensive internal audit of the internal control programme and systems by independent, appropriately trained and competent individuals is seen as a critical component of business management.
It is therefore no surprise that companies today need to ensure that they apply the appropriate levels of resource to monitor and manage regulatory developments affecting internal control. It is even more important that all levels of the business understand the importance of complying with internal control regulations and adopting relevant guidance.
How can this be simplified?
Often the task of meeting internal control requirements can be less daunting when one considers that there are external resources that have the skills and the technical expertise to assist with these monitoring requirements. Individuals skilled in performing operational risk assessments, reviews of operational and system controls, and individuals familiar with regulatory requirements in the Cayman Islands and overseas can provide assistance to ensure your organisation is able to adopt the new regulatory guidance.
Whether your needs are for a fully-outsourced internal audit program, whether you require a review of your risk assessment process, or whether you have a particular component of your operations that requires review, it is important that you ensure you have an experienced and skilled team to ensure that your internal control objectives are satisfied and that you are wide awake for your next eight o'clock meeting.
Janelle Mills is a Certified Public Accountant and a Certified Internal Auditor with over 10 years experience in finance and accounting in both public and private organisations. Janelle is a manager in the Enterprise Risk Services team at Deloitte. Deloitte provides a wide range of risk management services including information security, business continuity management, internal audit, control assurance, and system project assurance.