1. Policies and related procedures for the operation of derivatives activities should be an extension of the institution's overall structure of internal controls and should be fully integrated into routine work-flows. A sound system of internal controls should promote effective and efficient operations; reliable financial and regulatory reporting; and compliance with relevant laws, regulations and policies of the institution. In determining whether internal controls meet those objectives, the institution should consider the overall control environment of the organisation; the process for identifying, analysing and managing risk; the adequacy of management information systems; and adherence to control activities such as approvals, confirmations and reconciliations. Reconciliation control is particularly important where there are differences in the valuation methodologies or systems used by the front and back offices.
2. An important step in the process of reviewing internal controls is the frequency, scope and findings of independent internal and external auditors and the ability of those auditors to review the institution's derivatives activities. Internal auditors should audit and test the risk management process and internal controls on a periodic basis, with the frequency based on a careful risk assessment. The depth and frequency of internal audits should be increased if weaknesses and significant issues are discovered, or if significant changes have been made to product lines, modelling methodologies, the risk oversight process, internal controls or the overall risk profile of the institution. To facilitate the development of adequate controls, internal auditors should be brought into the product development process at the earliest possible stage.
3. Internal auditors are expected to evaluate the independence and overall effectiveness of the institution's risk management functions. In this regard, they should thoroughly evaluate the effectiveness of internal controls relevant to measuring, reporting and limiting risks. Internal auditors should evaluate compliance with risk limits and the reliability and timeliness of information reported to the institution's senior management and board of directors.
4. The internal auditors' assessment of the adequacy of internal controls involves a process of understanding, documenting, evaluating and testing an institution's internal control system. This assessment should include product or business line reviews which, in turn, should start with an assessment of the line's organisational structure. Especially for dealer operations, the auditors should check for adequate separation of duties (particularly between market-making personnel and functions of internal control and risk management), adequate oversight by a knowledgeable manager without day-to-day responsibilities in the dealer operation and the presence of separate reporting lines for risk management and internal control personnel on one side and for market-making personnel on the other. Product-by-product reviews of management structure should supplement the overall assessment of the organisational structure of the institution's derivatives business.
5. The institution should establish internal controls for key activities. For example, for transaction recording and processing, the institution should have written policies and procedures for recording trades, assess the trading area's adherence to policy and analyse the transaction processing cycle, including settlement, to ensure the integrity and accuracy of its records and management reports. The institution should review the revaluation process in order to assess the adequacy of written policies and procedures for revaluing positions and for creating any associated revaluation reserves. The institution should review compliance with revaluation policies and procedures, the frequency of revaluation and the independence and quality of the sources of revaluation prices, especially of instruments originated and traded in illiquid markets. All significant internal controls associated with the management of market risk, such as position versus limit reports and approval policies and procedures for limit exceptions, should also be reviewed. The institution should also review the credit approval process to ensure that the risks of specific products are adequately captured and that credit approval procedures are followed for all transactions. In this connection, institutions should recognise their combined credit exposure to a given counterparty that arise from transactions conducted throughout the bank.