Securities Services Act, 2004 (Act No. 36 of 2004)Code of Conduct for Authorised Users10. Internal control and risk management |
(1) | An authorised user shall employ the resources, procedures and technological systems necessary for the effective conduct of its business. |
(2) | The system of internal control employed by the authorised user shall be designed to ensure that— |
(a) | the relevant business can be carried on in an orderly and efficient manner; |
(b) | financial and other information used or provided by the authorised user is reliable; |
(c) | all transactions and financial commitments entered into are recorded and are within the scope of authority of the authorised user or the officer or employee acting on behalf of the authorised user; |
(d) | there are procedures to safeguard the assets of the authorised user and assets belonging to any other person for which the authorised user is accountable, and to control liabilities; and |
(e) | there are measures, so far as is reasonably practicable, to minimize the risk of loss to the authorised user or the clients of the authorised user from any irregularity, fraud or error and to detect any irregularity, fraud or error should they occur so that prompt remedial action may be taken by the authorised user or the management of the authorised user. |
(3) | An authorised user shall as far as is reasonable adopt sound risk management principles and procedures. |
(4) | The principles and procedures of risk management shall be designed to ensure that the records of the authorised user are maintained in such a manner as to promptly disclose financial and business information that will enable the authorised user or the management of the authorised user to— |
(a) | identify, quantify, control and manage the risk exposures of the authorised user; |
(b) | make timely and informed business decisions; |
(c) | monitor the performance and all aspects of the business of the authorised user; |
(d) | monitor the capital of the authorised user to ensure compliance with the capital adequacy requirements imposed in terms of the rules of the applicable self-regulatory organisation. |
(5) | An authorised user must be able to describe and demonstrate the objectives and operation of such systems, principles and procedures referred to in paragraphs (1) to (4) above to its auditor, the applicable self-regulatory organisation and the Registrar. |