COFA: Systems and controls
As the world becomes increasingly digital, the SRA’s guidance, released on 4 July 2019, makes it clear that firms need to document their IT systems and controls clearly and review them regularly. This should ideally be completed at least annually, depending on the size of the firm. The SRA’s guidance says that firms need to be able to demonstrate that they have effective processes in place to ensure the integrity of client records and funds.
This includes having fully documented systems notes in respect of billing, payments, client take-on etc., but also covers the use of firewalls, maintenance contracts and access control, including the use of tiered access where appropriate. Documentation will again be key here: many firms have strong controls in place that are not necessarily formally documented. The SRA has indicated that it considers best practice to be for access passwords to be changed monthly, and in any case at least annually.
These systems and controls should also be reviewed regularly to ensure they are fit for purpose. The review should consider the risk arising from a lack of oversight and control if only one person has access, and should include contingency arrangements in the event of that person’s absence. When considering this, the firm should take into account the volume and complexity of its transactions and implement a system proportional to its needs. In order to ensure this review process is clearly.