
Internal Control and Internal Audit

Teija Korpiaho
Malta, 8/4/2010

21 February 2013

Page 1

CEIOPS

Index
Internal Control
Concept and elements
1. Control environment
2. Control activities
3. Communication
4. Monitoring
Documentation
Compliance function

Internal Audit
Duties and responsibilities
Proportionality


INTERNAL CONTROL INTERNAL AUDIT

BUT BOTH ARE IMPORTANT ELEMENTS OF GOVERNANCE



Article 41 - General governance requirements


an effective system of governance
sound and prudent management of the business.
The system of governance shall be subject to regular internal review.
The system of governance shall be proportionate to the nature, scale and complexity of the operations of the insurance or reinsurance undertaking.
written policies in relation to internal control, internal audit
Insurance and reinsurance undertakings shall take reasonable steps to ensure continuity and regularity in the performance of their activities, including the development of contingency plans.


[Figure: diagram with the labels SRP, ORSA, Risk Management, Strategic risk, Market Risk, Underwriting risk, Credit Risk, Operational risk, SCR-std, Internal Control]

24.4.2009


Article 46 - Internal control


1. undertaking shall have in place an effective internal control system. The system shall at least include administrative and accounting procedures, an internal control framework, appropriate reporting arrangements at all levels of the undertaking and a compliance function.


Internal Control: the concept


A set of continually operating processes involving the administrative, management or supervisory body and all levels of personnel.

Designed to secure at least the following:


a) Effectiveness and efficiency of the undertaking's operations in view of its risks and objectives;
b) Availability and reliability of financial and non-financial information; and
c) Compliance with applicable laws, regulations and administrative provisions.

The more principles-based (and risk-based) the regulation, the more is required from the internal control and risk management of the undertakings.

Elements of Internal Control


Control environment
    Integrity and Ethical values
    Competence

Control activities
    To ensure that management directives are carried out: approvals, verifications, authorizations etc.

Communication
    Reporting and communication lines
    All levels of the organization

Monitoring
    Management and supervisory activities, activities by the personnel
    Recommendations by Internal and external auditors

Compliance


Documentation
A key element of Internal Control
Well documented = written
Approved by administrative or management body
Updated at least annually

Strategies on
Business, risk management (incl. liquidity, concentration risk, credit risk, operational risk), underwriting and reserving, investment and ALM, reinsurance, internal audit

Policies on
risk management, underwriting, remuneration, investment and ALM, internal control, outsourcing, disclosure, information

Plans on
contingency and compliance

Article 46 - Internal control


1. ..

2. The compliance function shall include advising the administrative or management body on compliance with the laws, regulations and administrative provisions adopted pursuant to this Directive. It shall also include an assessment of the possible impact of any significant changes in the legal environment on the operations of the undertaking concerned and the identification and assessment of compliance risk.


Compliance Function
Compliance risk = the risk of legal or regulatory sanctions, material financial loss or loss to reputation an undertaking may suffer as a result of not complying with laws, regulations and administrative provisions as applicable to its activities.

Compliance function - to ensure the undertaking complies with applicable laws and regulatory requirements.
Compliance plan

Reporting: to report any major compliance problems it identifies to the administrative or management body.

One size does not fit all


The internal control system should take into consideration

The risks of the undertaking


The way the undertaking is organized
The information system in use
The decision making system
Etc. etc.

Make the internal control system right for your undertaking!


Article 47 - Internal audit


1. Insurance and reinsurance undertakings shall provide for an effective internal audit function. The internal audit function shall include an evaluation of the adequacy and effectiveness of the internal control system and other elements of the system of governance.


Article 47 - Internal audit


2. The internal audit function shall be objective and independent from the operational functions.

3. Any findings and recommendations of the internal audit shall be reported to the administrative, management or supervisory body which shall determine what actions shall be taken with respect to each of the internal audit findings and recommendations and shall ensure that these actions are carried out.


Internal Audit 1(2)


Systematic approach to evaluate and improve

Independent
From audited activities
Own initiative
Free access to all information
Under direct control of administrative, management or supervisory body
Direct communication with staff
Free to express opinion
Resource, remuneration

Effective

Objective


Internal Audit 2(2)


Audit charter
The purpose, authority and responsibility

Audit plan
Audit work for next year(s)
Based on risk analysis

Annually reporting to the administrative, management or supervisory body
Follow up of the recommendations


Proportionality
1. All undertakings shall have an internal audit function.
2. The requirements of the directive should be proportionate to the nature, scale and complexity of the risks inherent in the business of an insurance or reinsurance undertaking.
Not the size of the undertaking!

The function must be in place but outsourcing is possible


Thank you
teija.korpiaho@bof.fi
