The Board or the Board audit committee must review, at least annually, the effectiveness of the Company's Internal Controls system and processes, by means of:
a.
Periodic discussions with Senior Management about the effectiveness of the Internal Controls system.
b.
A timely review of evaluations of Internal Controls conducted by Senior Management, internal auditors, the Risk Management function and external auditors.
c.
Periodic follow up to ensure that Senior Management has promptly complied with the recommendations and concerns on control weaknesses expressed by Risk Management, internal auditors and external auditors and the Central Bank.
d.
A periodic review of the appropriateness of the internal controls, commensurate to the Company's strategy and Risk Limits.
2.
The Company's Internal Controls system must, at a minimum, address:
a.
Organisational structure: definitions of duties and responsibilities including clear delegations of authority, such as decision-making policies and processes and procedures, separation of critical functions, including, but not limited to, Risk Management, actuarial, accounting, audit and compliance.
b.
Accounting and financial reporting policies and processes.
c.
Checks and balances (or "four eyes" principle): segregation of duties, cross checking, dual control of assets and double signatures.
d.
Safeguarding assets and investment: physical control and computer access, measures of prevention and early detection and reporting of misuse, such as fraud, embezzlement, unauthorised trading and computer intrusion.