Risk Management and Control Guidance for Securities Firms and their Supervisors
(CONSULTATIVE DOCUMENTS)

I. Introduction

This paper provides guidance about controls to securities firms and their supervisors. The primary concern of the paper is guidance relating to risk management and control policies and procedures and internal control systems. The objective of this paper is to promote domestic and international risk management and control structure awareness for firms and regulators. The paper's recommendations are intended to be flexible and non-exclusive, allowing each jurisdiction and firm to implement appropriate policies and procedures. In addition, implementation of the paper's recommendations should be appropriate for the size, complexity and nature of a firm's business and the markets in which it operates. The paper is based on the premise that, although risk management and controls are an integral part of a well-run securities firm and the industry as a whole, they are not a substitute for adequate capital requirements. While much has been published on controls from a firm's perspective, this paper addresses controls from a supervisory perspective.

The term "controls" as used in this paper refers to basic internal accounting controls and risk management policies and procedures. Basic internal accounting controls refer to systems which are designed to provide reasonable assurance that transactions are properly recorded and verified, including appropriate segregation of duties. Risk management and control systems refer to systems to manage market risk, credit risk, legal risk, operational risk, and liquidity risk.¹ The nature and scope of risk management and controls by necessity must fit the organization they are going to protect, which means they cannot be dictated in much detail from without, but must be designed from within to meet the needs of the organizational structure as well as a firm's business practices and appetite for risk. Irrespective of design and implementation, controls can provide only reasonable assurance with respect to fulfilling a firm's control objectives. The twelve "Elements of a Risk Management and Control System" discussed in Section IV constitute the control guidance for firms and supervisors. They are intended to be benchmarks which can be used by firms and supervisors in each jurisdiction to measure the adequacy of their control systems. The elements are grouped under five categories which are considered to be critical elements of any control system:

The Control Environment

  1. Firms need to establish a mechanism to ensure that they have internal accounting controls and risk management controls. Supervisors need to establish a mechanism to ensure that the entities they regulate have internal accounting controls and risk management controls. The supervisory mechanism need not prescribe specific and detailed controls, but rather provide general guidance to firms.

  2. Firms and supervisors need to determine that controls are set and monitored at the senior management level at a firm; responsibility for monitoring controls is clearly defined; and senior management promotes a culture of controls at all levels within a firm.

Nature and Scope of Controls

  3. Firm guidance and guidance from supervisors should cover both internal accounting controls and risk management and controls.

  4. Internal accounting controls for firms should include books and records requirements and segregation of duties controls that are designed to safeguard assets of the entity and to safeguard customer property.

  5. Risk management and controls for firms should include controls for overall firm and individual trading desk limits, market risk, credit risk, legal risk, operational risk, and liquidity risk.

Implementation

  6. Firm guidance from senior management to the business units regarding controls should contain general guidance at the most senior levels and specific and detailed guidance as the information flows to smaller business units and individual trading desks.

  7. Firms should have and supervisors should require written documentation about their control procedures.

Verification

  8. Firms and supervisors need to determine that controls, once established by management, are effectively operating as designed on a continuous basis.

  9. Firms and supervisors need to establish mechanisms to verify that controls, once established, are being followed. The verification procedures should include internal audits, which should be independent of the trading desks and the revenue side of the business, and external audits by independent accountants. For supervisors, additional verification would be accomplished through an examination process. Firms need to determine that recommendations by auditing bodies and supervisors are properly implemented.

  10. Firms and supervisors need to determine that controls, once established, keep pace with new products and industry technology.

Reporting

  11. Firms need to establish and supervisors should require mechanisms to report material inadequacies or breakdowns in controls to senior management and supervisors on a timely basis.

  12. Firms should be prepared to provide supervisors with relevant information about controls. Supervisors should have mechanisms to share information about controls with each other.

The recommendations in this paper are designed to help securities firms and their supervisors protect against the risks inherent in the financial and securities activities. The recommendations represent prudent standards that should be compared to the existing firm controls and supervisory frameworks. The rapid growth and complexity of traditional financial and securities activities requires that their associated risks be identified, monitored, and managed. The recommendations set forth in this paper apply to all types of financial and securities activities.

Footnote

1. These controls refer to the structure of the control environment, the nature and scope of risk management and internal controls, implementation, verification, and reporting taken as a whole. It is a framework by which management of a firm can independently monitor and verify the activities of its revenue producing and support operations.
