Internal Audit s role within Solvency II. 14 May 2010

Transcription

1 Internal Audit s role within Solvency II 14 May 2010

2 Internal Audit s role within Solvency II Programme Solvency II requirements regarding Internal Audit How Internal Audit can support preparation for Solvency II How the approach to Internal Audit may change under Solvency II

3 Internal Audit requirements under Solvency II Existing Requirement = FSA Handbook (SYSC ) Depending on nature, scale & complexity of business; it may be appropriate to delegate monitoring of systems and controls to an internal audit function Should have clear responsibilities, reporting lines to audit committee/senior management, adequately resourced, competent staff, independent of day to day activity and appropriate access to records Solvency II - Level 1 requirements Directive Article 41 System of governance shall be proportionate to nature, scale & complexity of operations Directive Article 47 Effective internal audit - evaluate adequacy/effectiveness of internal controls & governance Objective & independent from operational functions Findings & recommendations to management who will determine actions and ensure they are carried out

4 Internal Audit requirements under Solvency II Level 2 requirements - CEIOPS Advice (DOC 29/09 former CP33) ( Paragraphs to To ensure independence: Impartiality, exercise own initiative in all areas, free to express opinions & findings to whole management/supervisory body Complete & unrestricted right to prompt information, availability of information and direct communication with staff Draw up a risk based audit plan All activities and units shall fall in scope At least annual written report of findings to management/supervisory body Cover deficiency with regard to suitability/efficiency of internal control as well as major shortcomings of internal policies, procedures & processes Include recommendations on remedies for past inadequacies and address how past criticisms/recommendations have been implemented

5 Internal Audit requirements under Solvency II Additional CEIOPS Guidance (within DOC 29/09 former CP33) Paragraphs to include: IA strategy document Objective & scope, status, competences/tasks & responsibilities IA plan of work for several years, based on risk analysis of scale, complexity, developments Realistic, budgeted, approved by management/supervisory body Management regularly communicate with IA Prompt written reports to audited units also to management/supervisory body if deficiencies identified Documentation of IA work to allow findings to be retraced Sufficient IA resources to meet plan Business units have obligation to notify IA of control deficiencies IA should define triggers Audit committee appropriate in large/complex organisations

6 Lloyd s Internal Audit guidance for Solvency II ( Solvency II Detailed Guidance Governance) Internal audit terms of reference/charter Define purpose, approach, authority & responsibility Establish role, status & authority within organisation Reporting lines Report directly to audit committee to ensure independence Internal audit should not be responsible for: Delivery of business projects but may sit on teams to advise Implementation of recommendations (OK to monitor) Acceptable to outsource if subject to in-house oversight & challenge Senior individual responsible for liaison Adequate reporting & oversight to audit committee/board

7 Lloyd s Internal Audit guidance for Solvency II Clear rationale for internal audit work scheduled Development of internal audit plan should: Include discussion with management, but not be dictated by management Risk based and linked to risk register, but assess risk independently Should include an audit of risk management & risk register at some stage Should cover three years - (NB: This will need to include Solvency II projects) Explain prioritisation of areas including frequency of testing cycles Timetable for delivery of audits Approved by audit committee Progress reported to audit committee

8 Lloyd s Internal Audit guidance for Solvency II Audit fieldwork Scope based on risks to business and concerns about effectiveness of controls Work performed clearly linked to show scope met Records should show objective, sample selection, testing & results Audit trail from work performed to audit report Audit findings Clear & concise report Include actions agreed by management Summary of work performed linked to scope Overall conclusion / rating & summary of key findings Detailed findings with recommendations with timescales & responsibilities Report to audit committee who may question Circulate reports also to senior management of audited area, external audit & risk management function

9 Lloyd s Internal Audit guidance for Solvency II Issue tracking Ensure recommendations are implemented Maintain record of status of issues raised implemented, outstanding, progress Internal audit regularly verify implementation through testing or discussion with management - e.g. quarterly Keep audit committee informed of status of recommendations Link regular formal reviews of the risk register to progress on implementing recommendations Sarbanes Oxley (If applicable e.g. to US owned groups) Not a Solvency II requirement SOX testing focuses on controls over inputs to financial statements not operational controls SOX testing therefore will not cover entire control environment as required by Solvency II Should not divert internal audit effort Internal audit may place reliance on SOX compliance work - if carried out independently of management

10 Internal Audit s role in preparation for Solvency II

11 Internal Audit s role in Solvency II Model approval VITAL FOR INTERNAL AUDIT TO UNDERSTAND INTERNAL MODELS Statistical quality standard - (Article 121) Adequate actuarial techniques, justified assumptions, appropriate, expert judgement documented, justify diversification effect, risk mitigation Current credible information, data up to date Consistency of calculation, accurate, complete, use required Solvency II factors Data policy, data quality control & monitoring Independently test that the above standards for internal model approval will be complied with (Doc 48/09 - former CP56)

12 Internal Audit s role in Solvency II Model approval Calibration (Article 122) Appropriate time period for risk measurement Reconcile model to SCR & explain items Benchmarking including any required by Supervisor Independently test that the above standards for internal model approval will be complied with

13 Internal Audit s role in Solvency II Model approval Validation standard (Article 124) Supporting data Methods, assumptions, expert judgement Test results against experience, sensitivity analysis, stress & scenario test Validation policy, documentation, systems/it controls, model governance, application of use test, independent review Independently test that the above standards for internal model approval will be complied with

14 Internal Audit s role in Solvency II Model approval Profit & loss attribution (Article 123) Transparent, explain profit/loss, cover all risks Validate model Manage the business Independently test that the above standards for internal model approval will be complied with

15 Internal Audit s role in Solvency II Model approval Documentation standard (Article 125) Such that an: independent knowledgeable third party could form a sound judgement as to the reliability of the internal model and the compliance with Articles 120 to 126 and could understand the reasoning and underlying design and operational details of the internal model. Documentation is up to date Independently test that the above standards for internal model approval will be complied with

16 Internal Audit s role in preparation for Solvency II Use test (Article 120) Understand model Fit the business, support decision making, integrated into risk management systems, improve risk management Cover sufficient risks, consistent for all uses, facilitate analysis of decisions Independently test that the above standards for internal model approval will be complied with

17 Internal Audit s role in preparation for Solvency II -QIS 5 Adequate preparation for QIS5 (more than best effort) Mandatory for Lloyd s or FSA model approval Supervisor thematic review questionnaires Valuation of assets & liabilities on Solvency II basis Approval of adoption of full or partial model and simplifications Decide what entities to include in group models Cost benefit analysis of alternatives Capital requirement contingency planning - alternatives Model approval Implementation & approval process for changes to model

18 Internal Audit s role in preparation for Solvency II - other areas Compliance with Solvency II requirements Project plan, governance of project Compliance with FSA/Lloyd s requirements (if applicable) Gap analysis and implementation plan prepared & monitored Reporting to board on Solvency II Briefing of staff on solvency II Preparation of new reports ORSA (Own Risk Self Assessment) SFCR (Solvency & Financial Condition Report) In the public domain RTS (Report to Supervisors) Quantitative & qualitative returns may not be audited

19 Internal Audit in a Solvency II World

20 Key Solvency II objective Improving the management of risk/return Through better systems and controls Through the use of internal models Capital adequacy is just one output improved management

21 Management cycle Management define strategy s and plans Plans are s implemented Results are s analysed Implementation s is monitored

22 Systems and controls Purpose is to ensure that the management cycle is working properly Are business plans aligned with strategy? Do people understand their role in implementing the business plans? Are they doing what they are meant to do? Do the tools that they have work properly? Does the feedback system work?

23 Internal model Should help management of risk/return Strategy and Planning Monitoring Analysis Feedback

24 Higher priorities for Internal Audit Risk Management Process as a whole Risk identification and evaluation Monitoring change Linkage with business management Feedback Internal model as a key management tool

25 Internal model Primarily a tool of management Management processes for: Validating the model itself Validating inputs to the model Validating the use of the model Internal Audit needs to cover those processes

26 Validating the model Documentation of data processes, analytical methodologies, assumptions, judgments covering all key areas in terms that management understand Testing does it do what is says on the tin? Adequate resources?

27 Validating inputs Clear specification of: Nature of inputs Sources of inputs Data structures Testing Provenance Reconciliation Verification

28 Validating use Understood at the level at which strategy and planning are determined Linked with other Risk Management systems Used in decision making Used in analysis of performance Part of feedback process

29 Summary Market moving on from actuarially driven model construction Business process issues around actually living with and using the models Management systems and controls are key element of all this Internal Audit will need to operate in accordance with best practice set out in the Directives and relevant guidance Internal Audit needs to focus on the key systems and controls, including those around the internal model

30 This guide is prepared as a general guide. No responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication can be accepted by the author or publisher. Always seek professional advice before acting. Littlejohn