Instruction No. 061/CREPMF/2020 on the Organization of the Internal Control System for Regional Financial Market Actors in the UMOA

---

Union Monétaire Ouest Africaine

crepmf Conseil Régional de l'Epargne Publique et des Marchés Financiers

INSTRUCTION NO. 061/CREPMF/2020

ON THE ORGANIZATION OF THE INTERNAL CONTROL SYSTEM FOR REGIONAL FINANCIAL MARKET ACTORS IN THE UMOA

The Regional Council for Public Savings and Financial Markets

Having regard to the Convention of July 3, 1996 establishing the Regional Council for Public Savings and Financial Markets (hereinafter "Council" or "CREPMF") and its Annex on the Composition, Organization, Operation and Powers of the Council;

Having regard to General Regulation No. 001/97 of November 28, 1997 on the Organization, Operation and Supervision of the regional financial market, particularly Articles 23 and 54;

Having regard to Regulation No. 9/2006/CM/UEMOA of June 29, 2006 adopting Specific Accounting Rules applicable to approved participants in the regional financial market;

Having regard to Decision No. CM/DAC/04/04/2017 of April 14, 2017 by the UMOA Council of Ministers appointing the President of the Regional Council;

Having regard to the resolutions of the Regional Council at its 37th extraordinary session on December 17, 2019;

HEREBY ADOPTS

---

Instruction No. 061/CREPMF/2020

TITLE 1: GENERAL PROVISIONS

Article 1: Definitions

For the purposes of this Instruction:

a) Internal audit: Monitoring of the internal control system, governance framework and risk management framework, with an independent assessment of compliance with established policies and procedures and conformity to laws and regulations.

b) Risk mapping: A synthetic and visual representation of the market actor's risks. It serves as a tool to highlight priority risks. Risk mapping is established based on a rigorous identification and evaluation system of inherent risks of the market actor, derived from internal factors (business lines and activities, organizational changes, etc.) and external factors (economic conditions, technological advances, legislative and regulatory changes, etc.).

c) Internal audit charter: A document defining the positioning of the internal audit function within the approved entity and specifying its organization, powers, responsibilities and operating procedures.

d) Audit Committee: A committee established by the deliberative body to assist it in exercising its duties, particularly verifying the reliability and transparency of financial information, assessing the relevance of accounting methods as well as the quality of the Internal Control System (ICS) and risk management system, evaluating the audit strategy and proposing improvement avenues where appropriate.

e) Internal Control: Measures put in place by executive bodies to ensure that:

• the objectives set by the market actor are realistic and achieved;
• resources are used economically and efficiently, risks are adequately controlled;
• assets are protected;
• financial and management information are complete and reliable;
• laws and regulations as well as policies, plans, rules and internal procedures are respected.

f) Control cycle: The interval during which all activities and entities of the market actor will have been verified at least once by the internal control function.

---

Instruction No. 061/CREPMF/2020

g) Internal audit function: The function responsible for providing reasonable, independent and objective assurance regarding the quality and effectiveness of the ICS, governance frameworks, risk management and compliance functions, to facilitate the management of activities and incurred risks.

h) Control functions: The set of independent operational management functions whose role is to provide objective assessments of the actor's situation within their area of competence. They notably include the internal audit function, risk management function and compliance function.

i) Deliberative body: Board of Directors in public limited companies or its equivalent in other corporate forms. It is the body invested with all powers to control and influence the affairs of the approved actor within the limits of its corporate purpose and the prerogatives granted to the General Assembly.

j) Executive body: The set of committees or structures that contribute to the day-to-day management of an approved actor and ensure the effective implementation of the activity direction defined by the deliberative body.

k) Audit trail: A set of permanent internal procedures allowing operations to be reconstructed in chronological order, justifying any information with an original document from which it must be possible to trace, through an uninterrupted path, to the summary document and vice versa, and explaining the evolution of balances from one accounting statement to another, through the retention of movements affecting accounting items.

l) Internal control framework: A document describing the actor's Internal Control System.

m) Head of Internal Control (HIC): A person within the market actor responsible for managing the internal audit function.

n) Internal Control System (ICS): The set of rules, methods and control measures governing the organizational and operational structure of an approved actor. It includes reporting and control processes.

Article 2: Scope/Object This Instruction sets the rules applicable to internal control for approved actors in the regional financial market.

Article 3: Scope of Application This Instruction applies to the approved actors listed below, possessing legal personality, with the exception of Market Central Structures:

• Management and Intermediation Companies (MICs),

---

Instruction No. 061/CREPMF/2020

• Wealth Management Companies (WMCs),
• Self-managed Collective Investment Schemes (CIS),
• Management Companies for CIS,
• Custodian Account Banks,
• Business Introducers,
• Guarantors,
• Rating Agencies, any other entity approved or authorized by the Regional Council.

Article 4: Control Scope The corporate governance of approved actors in the regional financial market integrates an Internal Control System (ICS) on which sound and prudent management of the entity must be based. This system includes:

• monitoring the reliability and integrity of financial and operational information and the means used to identify, evaluate, classify and report this information;
• verifying the compliance of executed operations and organization with applicable legislative, regulatory and prudential provisions, professional standards and ethical practices, orientations and decisions of deliberative and executive bodies, particularly regarding risks, powers and signatures as well as internal procedures;
• monitoring and evaluating the effectiveness of the entity's risk management system.

Article 5: Establishment of an ICS Every approved actor, being a legal person, must establish an ICS specifying the organization and objectives of internal control as well as the means and organization designed to ensure its reliable operation. It is described in an internal control framework which forms an integral part of the approved actor's internal procedures. The internal control framework must be approved by the deliberative body of the approved actor before its implementation.

Article 6: Organization of the ICS Approved actors establish an organization and ICS adapted to the nature, environment, size, specificities, complexity and risk profile of their activities. They adopt a systematic and disciplined approach to control actions based on a control plan established from a risk map listing the risks they face.

---

Instruction No. 061/CREPMF/2020

TITLE 2: ROLE AND RESPONSIBILITIES OF DELIBERATIVE AND EXECUTIVE BODIES

Article 7: Common Provisions for Approved Actors Regarding the Deliberative Body's Responsibility The deliberative and executive bodies are responsible for the proper functioning of the actor's ICS. They must: a. ensure the establishment and updating of an organization, written control policies and procedures for sound and prudent management; b. define and validate, at an appropriate periodicity, the acceptable risk level to which the actor is exposed, particularly by setting acceptable limits for counterparty, liquidity and market risks as well as implementing appropriate mechanisms to manage operational and compliance risks; c. ensure the separation of incompatible tasks, particularly decision-making, asset custody, recording and control functions.

Article 8: Audit Committee The minimum powers of the Audit Committee consist in:

• examining the effectiveness of the established ICS to identify, evaluate, manage and control financial and non-financial risks;
• evaluating the internal control policy and control cycle, including escalation policies upon materialization of significant risks;
• participating in the selection of Statutory Auditors and examining their conclusions, in accordance with legal and regulatory provisions;
• analyzing the compliance with applied ethical and accounting principles against current professional standards;
• thoroughly reviewing annual summary statements before presentation to deliberative bodies;
• reviewing the internal control framework and internal audit charter before approval by the deliberative body;
• adopting the audit plan.

Article 9: Responsibilities of the Executive Body The executive body must establish an ICS adapted to the nature, environment, size, specificities, complexity and risk profile of the entity and monitor its adequacy and effectiveness. It ensures that policies and procedures are effectively developed and applied by competent personnel and that all concerned persons understand and assume their responsibilities. It defines the escalation criteria in response to materialized significant compliance risks and ensures the implementation of appropriate measures.

---

Instruction No. 061/CREPMF/2020

TITLE 3: COMPONENTS OF THE INTERNAL CONTROL SYSTEM (ICS)

Article 10: Control Environment The control environment must be based on:

• risk measurement systems for execution, settlement/delivery and liquidity risks resulting from different activities;
• daily monitoring systems for operations causing suspensions;
• control systems and procedures ensuring client asset security;
• compliance risk monitoring and management systems including conflict of interest prevention, market abuse mitigation, anti-money laundering/counter-terrorist financing diligence and client interest protection;
• the commitment of deliberative and executive bodies to promoting integrity and ethical values;
• the establishment of a culture reflected in strong adherence at all organizational levels to internal control and risk management requirements;
• supervision by each line manager of the effective application of internal control procedures by subordinates;
• effective involvement of deliberative and executive bodies in monitoring ICS results;
• the establishment by deliberative and executive bodies of qualitative criteria to measure and evaluate ICS effectiveness.

Article 11: Risk Assessment The internal control system must ensure that:

• risk management objectives and policies are disseminated and applied;
• compliance with risk limits is subject to monitoring;
• limit breaches are corrected in accordance with the actor's policies. The approved actor must identify and evaluate, on the one hand, internal factors (nature of activities, staff quality, organizational changes, workforce movements) and, on the other hand, external factors (economic conditions evolution, industry changes, technological advances that could compromise objective achievement). This evaluation, covering all entities and activities of the actor, must determine controllable and uncontrollable risks. Controllable risks by the actor must be brought to an acceptable level through internal control procedures. Regarding uncontrollable risks, the actor must decide to accept them, disengage, transfer them, or reduce the level of related activities. The actor's evaluation must notably consider all risks to which it is or could be exposed, particularly counterparty, market, liquidity, concentration and operational risks. The ICS must undergo revision to diligently address previously uncontrolled or poorly managed risks and new risks arising from significant internal and external environmental changes.

Article 12: Control Activities The approved actor must ensure that adequate control activities, proportional to the stakes of each process and designed to ensure necessary measures are taken to manage risks affecting objective achievement, are integrated into the daily functions of all personnel. To this end, it must establish control activities at all levels and within every function to guarantee the effective implementation of measures taken to mitigate identified risks through the risk assessment process described in Article 11. Furthermore, particular attention must be paid to the design/implementation and operating controls of information systems. Control activities revolve around two steps:

• establishing control activities through policies approved by the deliberative body, specifying pursued objectives and formalized procedures implementing said policies;
• verifying compliance with these policies and procedures and ensuring control traceability. Control activities are oriented towards preventive or detection controls. They are carried out using manual, automated, physical or hierarchical controls. The actor must ensure an optimal combination of these control types. They must be defined according to the nature of the objectives they relate to. The actor must ensure that policies and procedures governing control activities remain adapted to its internal and external environment. Control activity effectiveness requires, beforehand, ensuring appropriate separation of functions and avoiding conflicting responsibilities. Any area susceptible to conflicts of interest must be identified, circumscribed as closely as possible and subject to attentive monitoring by an independent third party.

Article 13: Information and Communication The information and communication channels established within the approved actor must enable any staff member to access the information needed for assigned control activities. Information systems must, on the one hand, cover all important activities of the actor and, on the other hand, guarantee the quality of accounting, prudential, operational or compliance-related data and information. These data must be exhaustive, reliable, relevant, up-to-date, accessible and presented in a coherent form to facilitate all ICS components. Regarding accounting and financial data, the actor must ensure an audit trail exists and comply with applicable accounting framework provisions. Audit trail components must be retained for at least ten years. Systems using computerized data must undergo controls to ensure permanent proper functioning, including internal backup and recovery procedures, software development and acquisition policies, maintenance procedures, and physical and logical access security controls. The actor must establish an IT business continuity and contingency plan compliant with the Circular on minimum functional software requirements and information system security. The ICS must integrate effective internal communication in terms of timeliness, recipients and content to enable concerned actors to exercise their responsibilities. These actors must know their roles and obligations as well as interconnections with other organizational units.

Article 14: ICS Lines of Defense The ICS is organized to provide objective assessments of the market actor's situation, risk management and operational compliance with applicable rules and procedures. It includes:

• ongoing control corresponding, on the one hand, to all controls performed by operational units and their hierarchy in daily operations (first line of defense), and on the other hand, controls executed by independent support functions (second line of defense);
• periodic control corresponding to post-facto controls based on a risk-based control plan (last line of defense represented by internal audit). The risk-based control plan must be realistic and flexible to ensure the control cycle is met and unexpected activities are handled. It must be regularly updated to respond to internal and external environmental changes. However, the actor must ensure rigorous coordination of control activities across different lines of defense to guarantee effective ICS functioning. Furthermore, the actor's Statutory Auditors, CREPMF and other supervisors constitute a complementary line of defense regarding their independent and objective reviews of the three lines' control activities.

---

Instruction No. 061/CREPMF/2020

TITLE 4: DESIGNATION, REVOCATION AND RESPONSIBILITY OF THE HEAD OF INTERNAL CONTROL (HIC)

Article 15: Designation of the Head of Internal Control Upon proposal by the executive body, the market actor's deliberative body designates a Head of Internal Control who must possess functional independence and enjoy broad powers regarding the scope of interventions, communication of work to said bodies and the General Secretariat of the Regional Council. To consolidate this independence, the Head of Internal Control must be attached to the deliberative body, to which it reports.

Article 16: Revocation of the Head of Internal Control The market actor must, within fifteen (15) days following the revocation of the Head of Internal Control, notify the Regional Council indicating reasonable grounds.

Article 17: Responsibility of the Head of Internal Control The Head of Internal Control is responsible for managing the internal audit function. He/She is responsible for preparing the control plan based on risk mapping, participating in its execution, ensuring compliance with the control cycle and guaranteeing the quality of the function's work. He/She verifies that identified internal control anomalies and deficiencies are documented in a written report. He/She assesses the constituent elements (components) of the ICS, develops the internal control framework, ensures its regular revision and disseminates it to all stakeholders after approval by the deliberative body, where applicable, through the Audit Committee. The Head of Internal Control may, provided there is no conflict of interest and respecting the separation of functions:

• be involved upstream in projects to proactively identify and evaluate potential compliance risks;
• assist in raising awareness and training staff and provide guidance on the appropriate application of laws and regulations. Furthermore, the Head of Internal Control ensures compliance with CREPMF information reporting obligations within required deadlines and formats. He/She informs the CREPMF of any related difficulties, where applicable. He/She is bound by professional secrecy.

Article 18: Internal Audit Charter The Head of Internal Control must draft and review the internal audit charter at least every three (03) years and submit it for approval by the deliberative body, where applicable, through the Audit Committee. The internal audit charter specifies the position of the internal audit function within the market actor's organization, its mission, powers, obligations and scope of intervention. It defines the function's characteristics and its operating and communication methods with non-function personnel. It specifies in particular:

• the internal audit's position within the approved actor, its powers, obligations and relations with other control functions;
• the mission and scope of intervention of the internal audit function;
• essential characteristics of the internal audit function, particularly independence, objectivity, confidentiality, competence, professional diligence and integrity;