Internal Audit in a Solvency II World A key function in a new governance framework · 2018-06-04 · Internal Audit in a Solvency II World A key function in a new governance framework

Internal Audit in a Solvency II World

A key function in a new governance framework

April 21st 2016

© 2016 Deloitte Tax & ConsultingInternal Audit in a Solvency II World2

The insurance sector before Solvency IITestimony of the external auditor

Not existing in the large majority of insurance and reinsurance undertakings

Few synergies between Internal Audit function (when existing) and the External Audit

Lack of technical expertise for reinsurance and regulatory knowledge

Internal Audit intervention often driven by special circumstances e.g. concerns on specific topics at parent company level, newspaper publications…

Limited regulatory obligation mainly focused on AML

The stone age of Internal Audit function


A new regulation implies new obligations

Solvency II Directive, new risk-based regulatory framework for life, non-life and reinsurance undertakings, has been transposed in the Luxembourg Law the 7th

of December 2015 and entered into force the 1st of January 2016

What are new regulatory

requirements?

Is the internal control framework properly design?

Does it work effectively?

Is the current governance structure

appropriate?

Do risk management process comply with

regulatory obligations?

How to position key control functions within

the Company?

The Internal Audit function – anindependent function to supportthe Management and the Board ofDirectors that is part of a newgovernance framework

The Internal Audit function willhave to significantly contribute tothe identification of weaknesseswithin the organisation andprovide added value throughoutrecommendation of mitigatingactions

Do we comply with regulatory obligations?


Agenda

Internal Audit vs. External Audit2

Positioning of the Internal Audit Function within the internal governance 3

Examples of internal audit methodology4

Internal Audit framework and definitions1

Q & A7

Key takeaways5

PSA License6


International Professional Practices Framework (IPPF©)

The International Professional Practices Framework (IPPF) is the conceptual framework that organizesauthoritative guidance promulgated by the Institute of Internal Auditors (hereafter, “IIA”). A trustworthy,global, guidance-setting body, the IIA provides internal audit professionals worldwide with authoritativeguidance organized in the IPPF as mandatory guidance and strongly recommended guidance.

Mandatory guidance

Strongly recommended guidance

Conformance with the principles set forth in mandatory guidance is required and essential for the professional practice of internal auditing

Describe practices for effective implementation of The IIA's Definition of Internal Auditing, Code of Ethics, and Standards.

1

2

• Definition of Internal Auditing;• Code of Ethics;• International Standards for the

Professional Practice of Internal Auditing (Standards).

• Position Papers;• Practice Advisories;• Practice Guides.


Definition of Internal Auditing (1/2)

It helps an organization accomplish its objectives by bringing a systematic,disciplined approach to evaluate and improve the effectiveness of riskmanagement, control, and governance processes.

Internal auditing is an independent, objective assurance and consultingactivity designed to add value and improve an organization's operations.

STRATEGIC OBJECTIVES (i.e. new markets, new products, new clients)

OPERATIONS OBJECTIVES (i.e. IT system implementation)

REPORTING OBJECTIVES (i.e. group reporting of financial statements)

COMPLIANCE OBJECTIVES (i.e. AML/CTF, disclosure to investors)

ENTITY’S OBJECTIVES


Definition of Internal Auditing (2/2)Evolution of the concept of Internal Audit

Outdated definition Current definition

Appraisal function Assurance and consulting activity

Examine and evaluate activities Add value and improve organization

Assist members of the organization in the effective discharge of their responsibilities Help an organization accomplish its objectives

Promote effective control at reasonable cost

Evaluate and improve the effectiveness of risk management, control and governance

Definition Law of 7 December 2015 Art. 78: (…) La fonction d'audit interne évaluenotamment l'adéquation et l'efficacité du système de contrôle interne et les autres éléments du systèmede gouvernance.La fonction d'audit interne est exercée d'une manière objective et indépendante des fonctionsopérationnelles.Toute conclusion et toute recommandation de l'audit interne est communiquée à l'organed'administration, de gestion ou de contrôle qui détermine quelles actions doivent être menées pourchacune de ces conclusions et recommandations de l'audit interne et qui veille à ce que ces actionssoient menées à bien.


Code of Ethics defined by the IIA

States the principles and expectations governing behaviour of individuals and organisationsin the conduct of internal auditing

ConfidentialityInternal Auditors have the obligation not to

disclose any information without

appropriate authorisation unless

there is a legal of professional obligation

to do so

PRINCIPLES

CompetencyInternal Auditors apply the knowledge,

skills and experience needed in the performance of Internal Audit services

ObjectivityInternal Auditors make a balanced assessment of

all the relevant circumstances and are

not unduly influenced by own interests and by

others in forming judgments

IntegrityProvides the basis for reliance on

internal auditors’ professional judgment

INDEPENDENCE OF INTERNAL AUDIT

FUNCTION AND OF INTERNAL AUDITORS


Agenda





Q & A7

Key takeaways5

PSA License6


Internal Audit vs External Audit function 1/2

Internal audit differs from the external audit in many aspects as shown below:

External Audit Internal Audit• Provides and opinion on financial reporting of

statutory account under IFRS• Scope of work includes both financial and

operational areas of statutory account under IFRS and Solvency II

• Reports to shareholders • Reports to the Board of Directors

• Independence is legally defined • Independence is ensured by the Board of Directors

Even if audit procedures may be similar (e.g. observations, sample based inspections),internal and external audit differ in the scope of the analysis, in the reporting andbelong to different «lines of defence»

However synergies might be implemented between Internal and External Audit

• Predefined time line • Flexibility in the execution of engagements during the year


Internal Audit vs External Audit function 2/2

Time horizons and report issuance are not comparable between both functions

Q1Risk Assessment /Reassessment to establish the Internal Audit Plan

Q1 / Q2Submission of the IA plan for approval to ExCo and BoD

Q2 / Q3 / Q4IA fieldwork and issuance of detailed reports / follow-up of Internal Audit findings of previous interventions

Beginning Q1Presentation of the results of the past year, respect of the IA plan to BoD

Q4Interim period - few days to several weeks depending of the size of the undertaking

Q1 / Q2Fieldwork intervention for Financial statement validation

Q2BoD – Submission of the Statutory Audit report by the BoD to the AGM

Q2Issuance of the Distinct Report to be sent to the CAA before a pre-defined date

External Audit

Internal Audit

N N+1 ……


Agenda





Q & A7

Key takeaways5

PSA License6


The three lines of defense modelThe Three lines of defense model is to getting a regulatory obligation, while it was until now only a good market practice:

Where the Internal Audit function is:- Independent- Permanent (even if the outsourcing is authorized under certain conditions e.g. PSA licence for the

access to specific information / data)- Only function of the third line of defence- Support to the Executive Committee and to the Board of Director

Risk Management


The three lines of defense model

As the third line of defence, the internal audit function is uniquely positioned:• To provide with independent assessment of the governance system• To enhance the communication process among the different functions• To foster the use of a common language

A fundamental role in the assessment of the internal control and governance systems


The new regulatory frameworkLuxembourg Law of 7th of December 2015 on the insurance sector (“Loi du 7 décembre 2015 sur le secteur des assurances“) – Key articles

Art 71Governance General Requirements Establishment of an effective governance system that ensures sound and prudent management of the insurance & reinsurance activities

Risk ManagementImplementation of an effective risk management system comprising of strategies, processes and reporting procedures necessary to identify, measure, monitor, manage and report, on a continuous basis risks insurance and reinsurance companies face.

Internal Control System & Compliance Function Existence of an effective internal control system that includes at least the administrative and accounting procedures, the internal control framework, the appropriate provisions with regards to information flows at all levels of the company as well as the necessary responsibilities of the Compliance function.

Internal Audit FunctionEstablishment of a effective Internal Audit function that assesses the adequacy and effectiveness of the internal control system as well as all other elements of the governance system.

Actuarial FunctionEstablishment of an effective Actuarial function carried out by persons who have the required knowledge appropriate to the nature, scale and complexity of the risks inherent in the business of the insurance or reinsurance undertakings.

Art 74

Art 77

Art 78

Art 79


Insurance Sector vs. Banking Sector

Governance frameworks of both sectors are now extremely similar and answer to the same governance model

• Fit and proper• Lines of defence• Risk Management • Compliance • Internal Audit• ORSA

Law of 7 December 2015

CSSF Circular 12/552 as amended and 07/301

• Fit and proper• Lines of defence

• Risk Management • Compliance

• Internal Audit • ICAAP

Towards an homogenisation of the financial sector


Internal Audit Charter to establish the responsibilities of the IA function

Establishes in writing the objectives, responsibilities and authority of the IA function

Define the position of the IA function in the organization

Grant the IA function the right of initiative and the right to review all activities

Define responsibilities and reporting lines of the Chief Internal Auditor (CIA)

Establish the right for the CIA to directly and on his/her own initiative contact the Chairman of the BoD, or the members of the Audit Committee

Specify that IA missions are performed in accordance with the IIA Standards

Approved by the Authorized Management Confirmed, where appropriate, by the Audit Committee Approved by the BoD

Review and assessment of operations, regulatory compliance and internal governance arrangements

Compliance with laws, regulations, circulars and internal procedures

Efficiency/effectiveness of the internal control system

Adequacy of the administrative, accounting and IT organization

Safeguarding of securities and assets

Adequacy of segregation of duties

Accuracy and completeness of registration of transactions

Accuracy, completeness, timeliness of information to ExCo, BoD and CAA

Adequacy and effectiveness of Compliance and Risk Control

KEY R

ESPON

SIBILITIES

KEY

PR

INC

IPLE

S


Execution of Internal Audit work and reporting

• Summary of the activities performed during the year;• Main recommendations on (existing or emerging) problems;• Open issues from previous years;• Open discussion with BoD members or Audit Committee members with participation of

Executive Committee members

Internal Audit Plan1

Internal Audit Report(s)2

Internal Audit presentation3

• Written report for each mission;• Addressed to auditees, Authorized Management, BoD and Audit Committee;• Made available to Statutory Auditors.

• Established by the CIA;• Multi-year framework (3 years);• Covers all activities and functions;• Discussed with Authorized Management;• Approved by Authorized Management and BoD;• Reviewed annually;• Define objectives, scope, frequency and resources of each mission.

Key principles


Agenda





Q & A7

Key takeaways5

PSA License6


Internal Audit Timeline

PRE-AUDIT

AUDIT

POST AUDIT

Audit frequency

Risk prioritization

Risk model development

Audit Units definition

DraftIA Report

Document audit

procedures

Audit procedures(Testing)

Sampling

Follow-upReportingDebriefing

Three main phases have to be distinguished to conduct correctly internal audit tasks and takeproperly into account business of the company, its organization, its regulatory obligations andmain related risks

ApprovalAudit PlanResource allocation


Phase I: Pre-AuditDesigning 3Y Internal Audit Plan

Step 1 - Definition of audit units based on the understanding of the business objectives

Step 2 – Development of a risk model


From functional map to audit units (Life business)

Actors Distribution («front office») Common functions

Client relationship («middle office»)

Management («back office»)

Support functions

Commercial activities

Commercial and operational

marketing support

Management of client relationship

Management of client information

Workflow management

Archiving

Document management

Premium collection

Litigations management

Co-insurance

Reinsurance

Finance &Accounting

InternalAudit HR IT Risk

managementActuarialfunction

Individual insurance

Collective insurance

Clients/ policies

Prospects

Intermediaries

Management of distribution channels

Web Extranet

Development

Strategic marketing

Product and service

development

Actuarial support

Service providers

Helpdesk

Printing

Claims management

Policy management

UnderwritingKYC/AML

Intermediaries

Investment services (UL)

compliancefunction

Legalfunction

Outsourcing oversight

Legal and tax support

Designing 3Y Internal Audit PlanOverview of the Internal Audit Universe



Step 3 - Prioritize risks & Develop risk focused internal audit plan

• Risk is defined as the possibility that an event will occur,which will impact an organization's achievement ofobjectives. The risk is measured in terms of likelihood andimpact.

• An assessment of the probability and impact level isperformed for the respective audit units forming the audituniverse

Step 4 - Audit frequency / depth andResources Requirements

Risk Category Audit cycles depth and frequency

H A standard audit and two limited reviews during the 3-year period

M A standard audit and a limited review during the 3-year period

L A limited review during the 3-year period

• The rating attributed to each internal audit unit will enableto define the depth and frequency to be performed for eachone on a three year basis

• Ratings have to be reassessed on an annual basis by theinternal auditor and submitted for approval



Example of Internal Audit units

Insurance type Risk category

Risk description

Risk Rating Frequency

Life Insurance Compliance Deficiency of the AML controlframework

Medium Twice during IA plan but yearly due to regulatory

constraint

Life Insurance Reporting Technical provision controls not

correctly designed

Medium Twice during IA plan

Life / Non Life Insurance

Strategic IT system migration not

correctly managed

High Every year of the plan

Life / Non Life / Reinsurance

Compliance ORSA review High to Medium Every year of the plan


3-Year Internal Audit Strategic Plan

Extremely important step for ensuring a proper execution of the audit work.

It specifically outlines the audit procedures required to accomplish the engagement objectives : keys processes to review, applicable laws and regulations to consider.

The IA Plan needs to be communicated to Management and the Board for review and approval

before the start of the field work

the CIA has to present the staffing plan and financial budget

Phase I: Pre-AuditDesigning 3Y Audit Plan

Step 5 – Development of the plan, reporting and approval


Phase II: Audit

Sampling

Testing Structure of the Working Papers


Phase II: AuditDraft Internal Audit Report

Weaknesses are classified in 3 categoriesLEVEL 1 - Important weaknesses requiring immediate action fromManagementDeadline: Immediate / ASAPE.g.: AML/CTF requirement not fulfilled

LEVEL 2 - Matters requiring action from ManagementDeadline: ideally within 6 monthsE.g.: missing procedure / missing 4 eyes principle

LEVEL 3 - Other possible improvementsDeadline: to be defined by ManagementE.g.: Something «nice to have» and whose absence does not prevent the organization to pursue its objectives

Observation:

Cause:

Risk(s) / Impact:

Recommendations:

Management response:

Deadline:

Synthetize all the evidences gathered during the engagement

Addressing a recommendation

Follow up of recommendations of previous years’ audit reports

Internal Audit Report including…

Executive SummaryObjectives, Approach and ScopeWork ProgrammeFindings and RecommendationsFollow up of previous years’ recommendationsAppendix - Limitations


Phase III: Post-Audit

Activity

Reporting

Description

• Discuss informally with process owners during the fieldwork (and before the end-of-mission debriefing with Management) about potential issues and recommendations;

• Perform a debriefing with Management at the end of the fieldwork.

Debriefing

Follow-up

• Issue detailed internal audit report (mentioning any relevant scope limitations);

• Issue Summary Report at the end of the year (summarizing all engagements performed during the year).

• Follow up of previous recommendations.


Agenda




International Professional Practices Framework 1

Key takeaways5

Q & A7

PSA License6


Key points for the set-up of the function

Formal presentation to the BoDof the outcome of the works

Obligation to escalate to the BoD(with no undue delays) any important weakness not adequately or timely addressed by the Executive Committee

Critical review of the Organizational Chart so as to ensure the segregation of duties

Ensure that second level control functions rely on data provided by a totally independent source when performing their second level controls

Regular contact with the BoD (at least annually)

Reporting to the BoD

Governance


Key points for operational aspects of the function

Systematically remind the Authorized Management

and the auditees about the importance to establish a feasible deadline (i.e. that

can be met)

Preparation and ongoing update of a follow-up

dashboard for the tracking of the pending

recommendations.

Ensure that the full scope of activities and processes is covered during the 3 year

period

Regular contact and collaboration with the

Statutory Auditor (at least annually), especially before the engagement, in order to pursue synergies, enhance the effectiveness of controls

and avoid useless double testing.

Ensure the timely respect of the

established deadlines; systematically challenge

the Authorized Management and the auditees in case of deadline overrun.

Systematically perform the follow-up of all pending recommendations on an annual basis (i.e. also for audit units not reviewed

during the current period).


Agenda





Key takeaways5

PSA License6

Q & A7


PSA for Professional of the Insurance Sector

• PSA stands for Professionnels du Secteur de l’Assurance or professionals of the insurance sector, and is an official license given to firms meeting a set of qualitative and professional criteria

• A PSA license allows a firm to perform a set of defined and regulated services within seven defined field of activities:

Modified Law of 6 December 1991 on the Insurance Sector introduced the PSA status

103-7 Managers of reinsurance Captive or

Undertaking insurance in run-off

103-8 Managers of Reinsurance Undertakings

103-9 Managers of Pension Funds

103-12 Loss Adjusters

103-12 Insurance and Reinsurance Governance

Service providers

103-10 Actuarial Service providers

103-11 Managers of Insurance Portfolios


Two licenses to guarantee a high level of Internal Audit services delivery for Deloitte’s clients

• No scope limitation for the service provider which benefits from both licenses• Combined expertise of internal audit methodology and actuarial technics

Since December 2015, Deloitte Tax & Consulting is the only BIG 4 inLuxembourg which became a Professional of the Insurance Sector

Art. 103-10. Les prestataires agréés de services actuariels i.e. actuarial competences

Art. 103-12. Les prestataires agréés de services liés à la gouvernance d’entreprises d’assurance et de réassurance i.e. Compliance , Risk Management and Internal Audit

12


Agenda





Q & A7

Key takeaways5

PSA License6


Q&A


Contact

Thierry FlamandPartner / Authorized Director of Deloitte PSADeloitte Tax & [email protected]

Jérôme Lecoq Partner / Insurance LeaderDeloitte [email protected]

Laurent BerlinerLuxembourg Governance, Risk & Compliance LeaderEMEA FSI ERS LeaderDeloitte Tax & [email protected]

Jérôme SosnowskiDirectorGovernance, Risk & [email protected]

mailto:[email protected]




© 2016 Deloitte Tax & Consulting

Appendix – About Deloitte


AppendixAbout Deloitte

Our shared values• Integrity• Outstanding value to

markets and clients• Commitment to each

other• Strength from cultural

diversity

Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in 150 countries, Deloitte brings world-class capabilities and deep local expertise to help clients succeed wherever they operate. Deloitte's 210,000 professionals are committed to becoming the standard of excellence.Deloitte's professionals are unified by a collaborative culture that fosters integrity, outstanding value to markets and clients, commitment to each other, and strength from cultural diversity. They enjoy an environment of continuous learning, challenging experiences, and enriching career opportunities. Deloitte's professionals are dedicated to strengthening corporate responsibility, building public trust, and making a positive impact in their communities.Growth in a fiercely competitive and increasingly global market place is a challenging prospect. Successful companies are those with a clear vision and the ability to enact that vision through their people, partners and systems.We enable our clients to thrive in this environment – adding value by working with them as a team and building a shared commitment to success to generate strategies that realize real and sustainable results.Our approach sets us apart from other consultancies and is encapsulated in our core values:A Very Different Approach – Highly respectful, flexible, and collaborative working style that gives us an unmatched ability to generate employee buy-in and transfer knowledge and skills. Focus on the realization that changing business processes is necessary to achieve the promised returns of strategy and technology.For Very Different Results – Delivering results you can count on because you can trust performance improvements will not unravel once we leave. Delivering results you can build on because we leave your organization more robust and able to adapt to shifts in the environment.

World map – our locations:


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-qualityservice to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 210,000 professionals, all committed to becoming the standard of excellence.

This document is confidential and prepared solely for your information. Therefore you should not, without our prior written consent, refer to or use our name or this document for any other purpose, disclose them or refer to them in any prospectus or other document, or make them available or communicate them to any other party.

This document contains general information only and Deloitte is not, by means of this document, rendering any professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any action that may affect your business your should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this document.

Documents

Internal Audit in a Solvency II World A key function in a new governance framework · 2018-06-04 · Internal Audit in a Solvency II World A key function in a new governance framework