Internal Audit in a Solvency II World
A key function in a new governance framework
April 21st 2016
© 2016 Deloitte Tax & Consulting, Internal Audit in a Solvency II World

The insurance sector before Solvency II
Testimony of the external auditor
• Internal Audit function non-existent in the large majority of insurance and reinsurance undertakings
• Few synergies between the Internal Audit function (when existing) and the External Audit
• Lack of technical expertise for reinsurance and regulatory knowledge
• Internal Audit intervention often driven by special circumstances, e.g. concerns on specific topics at parent company level, newspaper publications…
• Limited regulatory obligation, mainly focused on AML
The stone age of the Internal Audit function

A new regulation implies new obligations
The Solvency II Directive, the new risk-based regulatory framework for life, non-life and reinsurance undertakings, was transposed into Luxembourg law on the 7th of December 2015 and entered into force on the 1st of January 2016.
• What are the new regulatory requirements?
• Is the internal control framework properly designed?
• Does it work effectively?
• Is the current governance structure appropriate?
• Do risk management processes comply with regulatory obligations?
• How to position key control functions within the Company?
• Do we comply with regulatory obligations?
The Internal Audit function: an independent function to support the Management and the Board of Directors that is part of a new governance framework
The Internal Audit function will have to significantly contribute to the identification of weaknesses within the organisation and provide added value through recommendation of mitigating actions

Agenda
1. Internal Audit framework and definitions
2. Internal Audit vs. External Audit
3. Positioning of the Internal Audit Function within the internal governance
4. Examples of internal audit methodology
5. Key takeaways
6. PSA License
7. Q & A

International Professional Practices Framework (IPPF©)
The International Professional Practices Framework (IPPF) is the conceptual framework that organizes authoritative guidance promulgated by the Institute of Internal Auditors (hereafter, “IIA”). A trustworthy, global, guidance-setting body, the IIA provides internal audit professionals worldwide with authoritative guidance organized in the IPPF as mandatory guidance and strongly recommended guidance.
1. Mandatory guidance
Conformance with the principles set forth in mandatory guidance is required and essential for the professional practice of internal auditing
• Definition of Internal Auditing;
• Code of Ethics;
• International Standards for the Professional Practice of Internal Auditing (Standards).
2. Strongly recommended guidance
Describes practices for effective implementation of The IIA's Definition of Internal Auditing, Code of Ethics, and Standards.
• Position Papers;
• Practice Advisories;
• Practice Guides.

Definition of Internal Auditing (1/2)
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.
It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
ENTITY’S OBJECTIVES
• STRATEGIC OBJECTIVES (i.e. new markets, new products, new clients)
• OPERATIONS OBJECTIVES (i.e. IT system implementation)
• REPORTING OBJECTIVES (i.e. group reporting of financial statements)
• COMPLIANCE OBJECTIVES (i.e. AML/CTF, disclosure to investors)

Definition of Internal Auditing (2/2)
Evolution of the concept of Internal Audit
Outdated definition | Current definition
Appraisal function | Assurance and consulting activity
Examine and evaluate activities | Add value and improve organization
Assist members of the organization in the effective discharge of their responsibilities | Help an organization accomplish its objectives
Promote effective control at reasonable cost | Evaluate and improve the effectiveness of risk management, control and governance
Definition, Law of 7 December 2015, Art. 78: (…) The internal audit function shall in particular evaluate the adequacy and effectiveness of the internal control system and the other elements of the system of governance. The internal audit function shall be carried out objectively and independently of the operational functions. Any finding and any recommendation of the internal audit shall be communicated to the administrative, management or supervisory body, which shall determine what actions are to be taken with respect to each of those internal audit findings and recommendations and shall ensure that those actions are carried out.

Code of Ethics defined by the IIA
States the principles and expectations governing behaviour of individuals and organisations in the conduct of internal auditing
PRINCIPLES
• Integrity: Provides the basis for reliance on internal auditors’ professional judgment
• Objectivity: Internal Auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by own interests and by others in forming judgments
• Confidentiality: Internal Auditors have the obligation not to disclose any information without appropriate authorisation unless there is a legal or professional obligation to do so
• Competency: Internal Auditors apply the knowledge, skills and experience needed in the performance of Internal Audit services
INDEPENDENCE OF INTERNAL AUDIT FUNCTION AND OF INTERNAL AUDITORS

Internal Audit vs External Audit function 1/2
Internal audit differs from the external audit in many aspects as shown below:
External Audit | Internal Audit
Provides an opinion on financial reporting of statutory account under IFRS | Scope of work includes both financial and operational areas of statutory account under IFRS and Solvency II
Reports to shareholders | Reports to the Board of Directors
Independence is legally defined | Independence is ensured by the Board of Directors
Predefined time line | Flexibility in the execution of engagements during the year
Even if audit procedures may be similar (e.g. observations, sample based inspections), internal and external audit differ in the scope of the analysis and in the reporting, and belong to different «lines of defence»
However, synergies might be implemented between Internal and External Audit

Internal Audit vs External Audit function 2/2
Time horizons and report issuance are not comparable between both functions
Internal Audit
• Q1: Risk Assessment / Reassessment to establish the Internal Audit Plan
• Q1 / Q2: Submission of the IA plan for approval to ExCo and BoD
• Q2 / Q3 / Q4: IA fieldwork and issuance of detailed reports / follow-up of Internal Audit findings of previous interventions
• Beginning Q1: Presentation of the results of the past year and respect of the IA plan to the BoD
External Audit
• Q4: Interim period, few days to several weeks depending on the size of the undertaking
• Q1 / Q2: Fieldwork intervention for Financial statement validation
• Q2: BoD – Submission of the Statutory Audit report by the BoD to the AGM
• Q2: Issuance of the Distinct Report to be sent to the CAA before a pre-defined date
Timeline axis: N, N+1, …

The three lines of defense model
The three lines of defense model is becoming a regulatory obligation, whereas until now it was only a good market practice:
[Figure: three lines of defense diagram; surviving label: Risk Management]
Where the Internal Audit function is:
- Independent
- Permanent (even if outsourcing is authorized under certain conditions, e.g. PSA licence for the access to specific information / data)
- Only function of the third line of defence
- Support to the Executive Committee and to the Board of Directors

The three lines of defense model
As the third line of defence, the internal audit function is uniquely positioned:
• To provide an independent assessment of the governance system
• To enhance the communication process among the different functions
• To foster the use of a common language
A fundamental role in the assessment of the internal control and governance systems

The new regulatory framework
Luxembourg Law of 7th of December 2015 on the insurance sector (“Loi du 7 décembre 2015 sur le secteur des assurances“): key articles
• Art 71, Governance General Requirements: Establishment of an effective governance system that ensures sound and prudent management of the insurance & reinsurance activities
• Art 74, Risk Management: Implementation of an effective risk management system comprising strategies, processes and reporting procedures necessary to identify, measure, monitor, manage and report, on a continuous basis, the risks that insurance and reinsurance companies face.
• Art 77, Internal Control System & Compliance Function: Existence of an effective internal control system that includes at least the administrative and accounting procedures, the internal control framework, the appropriate provisions with regard to information flows at all levels of the company as well as the necessary responsibilities of the Compliance function.
• Art 78, Internal Audit Function: Establishment of an effective Internal Audit function that assesses the adequacy and effectiveness of the internal control system as well as all other elements of the governance system.
• Art 79, Actuarial Function: Establishment of an effective Actuarial function carried out by persons who have the required knowledge appropriate to the nature, scale and complexity of the risks inherent in the business of the insurance or reinsurance undertakings.

Insurance Sector vs. Banking Sector
Governance frameworks of both sectors are now extremely similar and answer to the same governance model
Insurance sector: Law of 7 December 2015
• Fit and proper
• Lines of defence
• Risk Management
• Compliance
• Internal Audit
• ORSA
Banking sector: CSSF Circular 12/552 as amended and 07/301
• Fit and proper
• Lines of defence
• Risk Management
• Compliance
• Internal Audit
• ICAAP
Towards a homogenisation of the financial sector

Internal Audit Charter to establish the responsibilities of the IA function
KEY PRINCIPLES
• Establishes in writing the objectives, responsibilities and authority of the IA function
• Define the position of the IA function in the organization
• Grant the IA function the right of initiative and the right to review all activities
• Define responsibilities and reporting lines of the Chief Internal Auditor (CIA)
• Establish the right for the CIA to directly and on his/her own initiative contact the Chairman of the BoD, or the members of the Audit Committee
• Specify that IA missions are performed in accordance with the IIA Standards
• Approved by the Authorized Management; confirmed, where appropriate, by the Audit Committee; approved by the BoD
KEY RESPONSIBILITIES
• Review and assessment of operations, regulatory compliance and internal governance arrangements
• Compliance with laws, regulations, circulars and internal procedures
• Efficiency/effectiveness of the internal control system
• Adequacy of the administrative, accounting and IT organization
• Safeguarding of securities and assets
• Adequacy of segregation of duties
• Accuracy and completeness of registration of transactions
• Accuracy, completeness, timeliness of information to ExCo, BoD and CAA
• Adequacy and effectiveness of Compliance and Risk Control

Execution of Internal Audit work and reporting
Key principles
1. Internal Audit Plan
• Established by the CIA;
• Multi-year framework (3 years);
• Covers all activities and functions;
• Discussed with Authorized Management;
• Approved by Authorized Management and BoD;
• Reviewed annually;
• Define objectives, scope, frequency and resources of each mission.
2. Internal Audit Report(s)
• Written report for each mission;
• Addressed to auditees, Authorized Management, BoD and Audit Committee;
• Made available to Statutory Auditors.
3. Internal Audit presentation
• Summary of the activities performed during the year;
• Main recommendations on (existing or emerging) problems;
• Open issues from previous years;
• Open discussion with BoD members or Audit Committee members with participation of Executive Committee members

Internal Audit Timeline
Three main phases have to be distinguished to conduct internal audit tasks correctly and to take properly into account the business of the company, its organization, its regulatory obligations and main related risks
PRE-AUDIT: Audit Units definition; Risk model development; Risk prioritization; Audit frequency; Resource allocation; Audit Plan; Approval
AUDIT: Sampling; Audit procedures (Testing); Document audit procedures; Draft IA Report
POST AUDIT: Debriefing; Reporting; Follow-up

Phase I: Pre-Audit
Designing 3Y Internal Audit Plan
Step 1 - Definition of audit units based on the understanding of the business objectives
Step 2 – Development of a risk model

From functional map to audit units (Life business)
Designing 3Y Internal Audit Plan: Overview of the Internal Audit Universe
[Figure: functional map of a life insurance undertaking. Columns: Actors; Distribution («front office»); Client relationship («middle office»); Management («back office»); Support functions; Common functions.]
Functional blocks shown in the map: Commercial activities; Commercial and operational marketing support; Management of client relationship; Management of client information; Workflow management; Archiving; Document management; Premium collection; Litigations management; Co-insurance; Reinsurance; Individual insurance; Collective insurance; Clients / policies; Prospects; Intermediaries; Management of distribution channels; Web; Extranet; Development; Strategic marketing; Product and service development; Actuarial support; Service providers; Helpdesk; Printing; Claims management; Policy management; Underwriting; KYC/AML; Investment services (UL); Outsourcing oversight; Legal and tax support.
Functions shown in the map: Finance & Accounting; Internal Audit; HR; IT; Risk management; Actuarial function; Compliance function; Legal function.

Phase I: Pre-Audit
Designing 3Y Internal Audit Plan
Step 3 - Prioritize risks & Develop risk focused internal audit plan
• Risk is defined as the possibility that an event will occur, which will impact an organization's achievement of objectives. The risk is measured in terms of likelihood and impact.
• An assessment of the probability and impact level is performed for the respective audit units forming the audit universe
Step 4 - Audit frequency / depth and Resources Requirements
Risk Category | Audit cycles depth and frequency
H | A standard audit and two limited reviews during the 3-year period
M | A standard audit and a limited review during the 3-year period
L | A limited review during the 3-year period
• The rating attributed to each internal audit unit determines the depth and frequency of the audits to be performed for each one on a three-year basis
• Ratings have to be reassessed on an annual basis by the internal auditor and submitted for approval

Phase I: Pre-Audit
Designing 3Y Internal Audit Plan
Example of Internal Audit units
Insurance type | Risk category | Risk description | Risk Rating | Frequency
Life Insurance | Compliance | Deficiency of the AML control framework | Medium | Twice during IA plan but yearly due to regulatory constraint
Life Insurance | Reporting | Technical provision controls not correctly designed | Medium | Twice during IA plan
Life / Non Life Insurance | Strategic | IT system migration not correctly managed | High | Every year of the plan
Life / Non Life / Reinsurance | Compliance | ORSA review | High to Medium | Every year of the plan

Phase I: Pre-Audit
Designing 3Y Audit Plan
Step 5 – Development of the plan, reporting and approval
3-Year Internal Audit Strategic Plan
• Extremely important step for ensuring a proper execution of the audit work.
• It specifically outlines the audit procedures required to accomplish the engagement objectives: key processes to review, applicable laws and regulations to consider.
• The IA Plan needs to be communicated to Management and the Board for review and approval before the start of the field work.
• The CIA has to present the staffing plan and financial budget.

Phase II: Audit
• Sampling
• Testing
• Structure of the Working Papers

Phase II: Audit
Draft Internal Audit Report
Synthesize all the evidence gathered during the engagement
Weaknesses are classified in 3 categories
LEVEL 1 - Important weaknesses requiring immediate action from Management
Deadline: Immediate / ASAP
E.g.: AML/CTF requirement not fulfilled
LEVEL 2 - Matters requiring action from Management
Deadline: ideally within 6 months
E.g.: missing procedure / missing 4 eyes principle
LEVEL 3 - Other possible improvements
Deadline: to be defined by Management
E.g.: Something «nice to have» and whose absence does not prevent the organization from pursuing its objectives
Addressing a recommendation
• Observation:
• Cause:
• Risk(s) / Impact:
• Recommendations:
• Management response:
• Deadline:
Follow up of recommendations of previous years’ audit reports
Internal Audit Report including…
• Executive Summary
• Objectives, Approach and Scope
• Work Programme
• Findings and Recommendations
• Follow up of previous years’ recommendations
• Appendix - Limitations

Phase III: Post-Audit
Activity | Description
Debriefing | • Discuss informally with process owners during the fieldwork (and before the end-of-mission debriefing with Management) about potential issues and recommendations; • Perform a debriefing with Management at the end of the fieldwork.
Reporting | • Issue detailed internal audit report (mentioning any relevant scope limitations); • Issue Summary Report at the end of the year (summarizing all engagements performed during the year).
Follow-up | • Follow up of previous recommendations.

Key points for the set-up of the function
Reporting to the BoD
• Formal presentation to the BoD of the outcome of the works
• Obligation to escalate to the BoD (with no undue delays) any important weakness not adequately or timely addressed by the Executive Committee
• Regular contact with the BoD (at least annually)
Governance
• Critical review of the Organizational Chart so as to ensure the segregation of duties
• Ensure that second level control functions rely on data provided by a totally independent source when performing their second level controls

Key points for operational aspects of the function
• Systematically remind the Authorized Management and the auditees about the importance to establish a feasible deadline (i.e. that can be met)
• Preparation and ongoing update of a follow-up dashboard for the tracking of the pending recommendations.
• Ensure that the full scope of activities and processes is covered during the 3 year period
• Regular contact and collaboration with the Statutory Auditor (at least annually), especially before the engagement, in order to pursue synergies, enhance the effectiveness of controls and avoid useless double testing.
• Ensure the timely respect of the established deadlines; systematically challenge the Authorized Management and the auditees in case of deadline overrun.
• Systematically perform the follow-up of all pending recommendations on an annual basis (i.e. also for audit units not reviewed during the current period).

PSA for Professional of the Insurance Sector
The modified Law of 6 December 1991 on the Insurance Sector introduced the PSA status
• PSA stands for Professionnels du Secteur de l’Assurance, or professionals of the insurance sector, and is an official license given to firms meeting a set of qualitative and professional criteria
• A PSA license allows a firm to perform a set of defined and regulated services within seven defined fields of activities:
103-7 Managers of reinsurance Captive or Undertaking insurance in run-off
103-8 Managers of Reinsurance Undertakings
103-9 Managers of Pension Funds
103-10 Actuarial Service providers
103-11 Managers of Insurance Portfolios
103-12 Loss Adjusters
103-12 Insurance and Reinsurance Governance Service providers

Two licenses to guarantee a high level of Internal Audit services delivery for Deloitte’s clients
Since December 2015, Deloitte Tax & Consulting is the only Big 4 firm in Luxembourg to have become a Professional of the Insurance Sector
1. Art. 103-10. Licensed providers of actuarial services, i.e. actuarial competences
2. Art. 103-12. Licensed providers of services relating to the governance of insurance and reinsurance undertakings, i.e. Compliance, Risk Management and Internal Audit
• No scope limitation for the service provider which benefits from both licenses
• Combined expertise of internal audit methodology and actuarial techniques

Q&A
Contact
• Thierry Flamand, Partner / Authorized Director of Deloitte PSA, Deloitte Tax & [email protected]
• Jérôme Lecoq, Partner / Insurance Leader, Deloitte [email protected]
• Laurent Berliner, Luxembourg Governance, Risk & Compliance Leader, EMEA FSI ERS Leader, Deloitte Tax & [email protected]
• Jérôme Sosnowski, Director, Governance, Risk & [email protected]

Appendix – About Deloitte
Our shared values
• Integrity
• Outstanding value to markets and clients
• Commitment to each other
• Strength from cultural diversity
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in 150 countries, Deloitte brings world-class capabilities and deep local expertise to help clients succeed wherever they operate. Deloitte's 210,000 professionals are committed to becoming the standard of excellence.
Deloitte's professionals are unified by a collaborative culture that fosters integrity, outstanding value to markets and clients, commitment to each other, and strength from cultural diversity. They enjoy an environment of continuous learning, challenging experiences, and enriching career opportunities. Deloitte's professionals are dedicated to strengthening corporate responsibility, building public trust, and making a positive impact in their communities.
Growth in a fiercely competitive and increasingly global market place is a challenging prospect. Successful companies are those with a clear vision and the ability to enact that vision through their people, partners and systems.
We enable our clients to thrive in this environment, adding value by working with them as a team and building a shared commitment to success to generate strategies that realize real and sustainable results.
Our approach sets us apart from other consultancies and is encapsulated in our core values:
A Very Different Approach – Highly respectful, flexible, and collaborative working style that gives us an unmatched ability to generate employee buy-in and transfer knowledge and skills. Focus on the realization that changing business processes is necessary to achieve the promised returns of strategy and technology.
For Very Different Results – Delivering results you can count on because you can trust performance improvements will not unravel once we leave. Delivering results you can build on because we leave your organization more robust and able to adapt to shifts in the environment.
[Figure: world map of Deloitte locations]