Annex A

III. Conglomerate Questionnaire

I. Organisational Structure, Corporate Governance And Management Oversight

A. Legal Structure and General Information

  1. What information is available within the conglomerate on the legal corporate and business line structures (including any information on regional or geographic structures)? How well do public disclosures (e.g., annual reports, public financial statements, etc.) capture the legal and business line structures of the conglomerate?

  2. What factors influence the overall approach to corporate legal structure? How closely is the conglomerate's business line structure aligned with its corporate legal structure? If not closely aligned, what factors influenced the "divergent" structure?

  3. What is the conglomerate's strategy with respect to corporate legal structure? What does management feel is/would be the optimal structure? What impediments exist that prevent management from implementing the optimal structure?

  4. Which legal entities are regulated and by whom? Who is responsible for coordinating regulatory relationships? How is this achieved in practice? How does management view the regulatory structure(s) within which it must operate?

B. Management Structure

  1. What information is available on the management structure of the conglomerate? To what level of management/employee is this information disseminated? How does management ensure that reporting lines are clear?

  2. What is the overall management structure of the conglomerate? How closely does this structure align with business lines and/or corporate legal entities? What is the strategy in having this structure? What factors influenced the decision to adopt such a structure? What factors would cause management to reconsider its current management structure?

C. Corporate Governance and Management Oversight

  1. How is the conglomerate managed and controlled -- on a global basis, on a regional, country or business line basis, or some combination of these? How does the conglomerate manage businesses that cut across geographic and legal boundaries?

  2. What responsibilities do different types of managers (e.g., legal entity, corporate, business line, etc.) have within the conglomerate and how do these managers interact? For those conglomerates with regional or geographic managers, who reports to these managers?

  3. What roles and responsibilities does the conglomerate's board of directors have? What is the composition of the board (e.g., outside directors)? What roles and responsibilities do the boards of legal entities have? What is the composition of these boards?

  4. What are the major incentives provided to management to meet the organisation's goals and objectives? What are the major disincentives to management actions that impede meeting the organisation's goals and objectives?

  5. What is the conglomerate's approach to staff recruitment and development? How are the conglomerate's objectives (business or otherwise) communicated to staff? How are strategic business and individual goals developed and monitored?

  6. What is the conglomerate's strategy with respect to compensation? How is the conglomerate's compensation strategy developed and implemented? How do the conglomerate's business objectives and compensation methodology interact?

D. Capital Resources

  1. What information is available on the allocation of capital on an economic and regulatory basis? What management information reports are produced on capital-related issues such as using assets to collateralise exposure to more than one liability and substantial double leverage?

  2. What is the conglomerate's capital and capital allocation strategy? Where is capital held within the conglomerate and why is it held there? What factors affect the allocation of capital across the conglomerate (e.g., regulatory, risk factors, etc.)? How are decisions made on capital allocation? When regulators require capital in certain legal entities, how does this affect the consolidated conglomerate?

  3. How are capital decisions affected by the legal entity and business line structures?

  4. What restrictions are placed on the instruments available to the conglomerate for raising capital and what is the nature of the restrictions? What are the impediments to flows of capital among legal entities? To what extent, if any, are some legal entities able to raise capital on more favourable terms than others?

E. Intra-group and Related Entity Transactions and Financial Exposures

  1. What information is available on the range of intra-group and related entity transactions and exposures? What kinds of management information reports are produced? How frequently are these reports produced?

  2. What is the conglomerate's overall strategy with respect to intra-group transactions and exposures? What kinds of intra-group/related entity transactions or other arrangements are used (e.g., servicing agreements, back-to-back transactions, etc.)? How are intra-group and related entity exposures and transactions monitored?

  3. What is the volume of intra-group/related entity transactions? What is the level of financial exposure? Does the conglomerate have limit structures in place for such transactions or exposures? What is the level of financial exposure to entities that are not wholly owned (<100%)? Does the conglomerate have limit structures in place for transactions and exposures to entities that are not 100% owned?

  4. What factors affect legal entity booking decisions?

II. Risk Management

A. Risk Profile

  1. What are the conglomerate's principal risks?

  2. What are the major risk-taking legal entities within the conglomerate?

  3. For each of the risks identified in 1. above:

    1. What risk information is available within the conglomerate and what is the frequency of the information? How does the conglomerate measure that type of risk (if applicable, indicate types of models, etc.)?

    2. What kinds of risk reports are available to risk takers, risk managers, senior managers and the board of directors? How frequently are these reports produced (e.g., global reports, business line reports)?

    3. Are there elements of the management of particular risks that are implemented on a centralised basis vs. decentralised basis (e.g., centralisation of information capture, decentralisation of limit setting process)? Which risks are managed centrally by one legal entity? What role do regional or geographic managers play in risk management?

    4. What risk control mechanisms does the conglomerate have in place (e.g., limit structures, vacation policy, compensation package, etc.)? Who is responsible for setting limits and how are they established? Are limits established for legal entities? business lines? consolidated conglomerate? Who monitors the limits or other mechanisms? What are the normal procedures if limits need to be exceeded?

    5. What are management's plans with respect to stress testing, contingency planning and back testing?

    6. What plans are there to change or enhance aspects of the risk management function (e.g., enhancements to systems, development of new measurement tools, etc.)?

B. New Products

  1. How does the conglomerate define a new product? How is the introduction of new products managed within the conglomerate? What management reports are produced on the new product process? What process is used to determine whether or not a new product will be introduced or used by the conglomerate?

  2. Who is responsible for the new product process? What role does internal audit and business unit management play in the new product process?

  3. What are the conglomerate's plans with respect to introducing or using new products in the coming year? (e.g., new to the firm but not to the industry, new to the industry)

C. Liquidity Management

  1. What types of information are available on liquidity? How frequently is this information produced?

  2. Who is responsible for liquidity management? Which elements of liquidity management are centralised (at head office) and which elements are conducted at the local or legal entity level? How was this management arrangement determined?

  3. Who is responsible for crisis and contingency funding planning? To what extent have such plans been elaborated?

III. Control Environment

A. Accounting Issues

  1. What major accounting rules are used by the conglomerate? How are these rules applied across the conglomerate? How are the results of using the accounting rules of different jurisdictions reconciled on a global consolidated basis?

  2. What area(s) of the conglomerate is responsible for accounting issues? What are the responsibilities and reporting lines of this area?

B. Actuarial Issues

  1. Where relevant, what actuarial rules are used in the conglomerate? How are these rules applied across the firm?

  2. What area(s) of the conglomerate is responsible for actuarial issues? What are the responsibilities of the actuary (or actuarial department)? To whom does the actuary report?

  3. How does the conglomerate address actuarial issues (in-house? external?)? What is the role of those resources?

C. Financial Control Function (responsible for the integrity of the conglomerate's books and records and financial reporting)

  1. What types of management information reports are produced by the financial control function? What is the frequency and timeliness of these reports? How are reports produced? (e.g., for business lines? legal entities? consolidated conglomerate?)

  2. How is the financial control function organised with respect to legal entities and business lines? How is it managed (centrally, along geographic lines, business lines)?

  3. What is the role of the business unit in the development and implementation of internal control plans? To what extent are internal controls implemented at the local level vs. business line?

D. Compliance (compliance with relevant laws and regulations)

  1. What types of information are available to monitor/ensure compliance? What methods does the conglomerate use to identify and report non-compliance problems or issues?

  2. What is the structure of the conglomerate's compliance function? (e.g., separate? centralised, etc.?) How are responsibilities for compliance issues assigned? (e.g., legal)? If a separate function, to whom does the compliance function report? In practice, how are the compliance requirements of the conglomerate monitored and managed?

  3. What are the roles of the different levels and types (e.g., legal entity, business line, etc.) of management in developing, maintaining and ensuring the conglomerate's control environment? What mechanisms are in place to identify and correct internal control breaches, violations, and other issues of non-compliance?

  4. How are other types of problems, such as a failing counterparty or employee misconduct, identified, reported, and managed?

E. Internal Audit

  1. What types of information, summaries and other reports (e.g., Board reports, senior management reports) are available on internal audits (e.g., performance reports, unresolved issues, etc.)? To whom is this information available? What is the process for following up or acting on issues identified by internal audit?

  2. How is the internal audit function structured? What roles and responsibilities belong to the centralised element of the audit function, if there is one? What roles belong to decentralised units of the internal audit function, if any?

  3. How does the conglomerate ensure sufficient independence of the internal audit function? To whom does the internal audit function report?

  4. How will the conglomerate's approach to internal audit and internal controls change or expand in the future?

  5. Are there any aspects of the internal audit function that are outsourced? If so, to whom are they outsourced? How is the determination made (i.e., whether or not to outsource)?

F. External Audit

  1. What types of information are available on external audit issues? To whom is this information available? What kind of follow-up is conducted with respect to deficiencies or other issues identified by external audit? Who is responsible for the follow-up? What is the process to correct deficiencies?

  2. What are the responsibilities of the external auditors? How does the external audit firm interact with the internal audit function? How closely do the external and internal audit functions work? How does the firm go about selecting its external auditor?

  3. How does the conglomerate ensure the independence of the external audit process? What is the role of the non-executive board members with respect to external audit?
