2 August 2015 Page 1 Internal Control and Internal Audit Teija Korpiaho Malta, 8/4/2010.

April 19, 2023 Page 1

Internal Control and Internal AuditInternal Control and Internal Audit

Teija KorpiahoMalta, 8/4/2010

CEIOPS

April 19, 2023 Page 2

Index

• Internal Control– Concept and elements

1. Control environment2. Control activities3. Communication4. Monitoring

– Documentation

– Compliance function

• Internal Audit– Duties and responsibilities

– Proportionality

CEIOPS

CEIOPS… CEIOPS…

April 19, 2023 Page 3

BUT BOTH ARE IMPORTANT ELEMENTS OF GOVERNANCE BUT BOTH ARE IMPORTANT ELEMENTS OF GOVERNANCE

INTERNAL CONTROL

≠

INTERNAL AUDIT

CEIOPS

April 19, 2023 Page 4

Article 41 - General governance requirements

•… an effective system of governance …. sound and prudent management of the business.•The system of governance shall be subject to regular internal review.•The system of governance shall be proportionate to the nature, scale and

complexity of the operations of the insurance or reinsurance undertaking.•written policies …in relation to … internal control, internal audit•Insurance and reinsurance undertakings shall take reasonable steps to

ensure continuity and regularity in the performance of their activities, including the development of contingency plans.

CEIOPS

Underwritingrisk

Market Risk Credit Risk

Operationalrisk

Strategic risk

SCR-std

Risk Management

ORSA

SRP

Internal Control

24.4.2009 Page 5

CEIOPS

Article 46 - Internal control

1. …undertaking shall have in place an effective internal control system.

The system shall at least include

– administrative and accounting procedures,

– an internal control framework,

– appropriate reporting arrangements at all levels of the undertaking

– a compliance function.

24.4.2009 Page 6

CEIOPS

Internal Control – the concept

• A set of continually operating processes involving the administrative, management or supervisory body and all levels of personnel.

• Designed to secure at least the following: a) Effectiveness and efficiency of the undertaking’s operations in

view of its risks and objectives;

b) Availability and reliability of financial and non-financial information; and

c) Compliance with applicable laws, regulations and administrative provisions.

The more principles (and risk) based regulation the more is required from the internal control and risk management of

the undertakings

24.4.2009 Page 7

CEIOPS

Elements of Internal Control

• Control environment– Integrity and Ethical values– Competence

• Control activities– To ensure that management directives are carried out:

approvals, verifications, authorizations etc.• Communication

– Reporting and communication lines– All levels of the organization

• Monitoring– Management and supervisory activities, activities by the

personnel– Recommendations by Internal and external auditors

• Compliance

24.4.2009 Page 8

CEIOPS

Documentation

• A key element of Internal Control• Well documented = written• Approved by administrative or management body• Updated at least annually• Strategies on

– Business, risk management (incl. liquidity, concentration risk, credit risk, operational risk), underwriting and reserving, investment and ALM, reinsurance, internal audit

• Policies on– risk management, underwriting, remuneration, investment and

ALM, internal control, outsourcing, disclosure, information

• Plans on – contingency and compliance

24.4.2009 Page 9

CEIOPS

Article 46 - Internal control

1. …..

2. The compliance function shall include advising the administrative or management body on compliance with the laws, regulations and administrative provisions adopted pursuant to this Directive. It shall also include an assessment of the possible impact of any significant changes in the legal environment on the operations of the undertaking concerned and the identification and assessment of compliance risk.

24.4.2009 Page 10

CEIOPS

Compliance Function

• Compliance risk = the risk of legal or regulatory sanctions, material financial loss or loss to reputation an undertaking may suffer as a result of not complying with laws, regulations and administrative provisions as applicable to its activities.

• Compliance function - to ensure the undertaking comply with applicable laws and regulatory requirements.

• Compliance plan

• Reporting: to report any major compliance problems it identifies to the administrative or management body.

24.4.2009 Page 11

CEIOPS

April 19, 2023 Page 12

Make the internal control system right for your undertaking! Make the internal control system right for your undertaking!

CEIOPS

The internal control system should take into consideration

• The risks of the undertaking

• The way undertaking is organized

• The information system in use

• The decision making system

• Etc. etc.

One size does not fit all

CEIOPS

Article 47 - Internal audit

1. Insurance and reinsurance undertakings shall provide for an effective internal audit function.

The internal audit function shall include an evaluation of the adequacy and effectiveness of the internal control system and other elements of the system of governance.

24.4.2009 Page 13

CEIOPS

Article 47 - Internal audit

2. The internal audit function shall be objective and independent from the operational functions.

3. Any findings and recommendations of the internal audit shall be reported to the administrative, management or supervisory body which shall determine what actions shall be taken with respect to each of the internal audit findings and recommendations and shall ensure that these actions are carried out.

April 19, 2023 Page 14

CEIOPS

Internal Audit 1(2)

• Systematic approach to evaluate and improve

• Independent– From audited activities– Own initiative– Free access to all information– Under direct control of administrative, management or

supervisory body– Direct communication with staff– Free to express opinion

• Effective– Resource, remuneration

• Objective

24.4.2009 Page 15

CEIOPS

Internal Audit 2(2)

• Audit charter– The purpose, authority and responsibility

• Audit plan– Audit work for next year(s)

– Based on risk analysis

• Annually reporting to the administrative, management or supervisory body

• Follow up of the recommendations

24.4.2009 Page 16

CEIOPS

Proportionality

1. All undertakings shall have internal audit function

2. The requirements of the directive should be proportionate to the nature, scale and complexity of the risks inherent in the business of an insurance or reinsurance undertaking.

Not the size of the undertaking!

The function must be in place but outsourcing is possible

April 19, 2023 Page 17

April 19, 2023 Page 18

Thank youThank you

[email protected]