Internal Audit in Solvency IIInternal Audit in Solvency II

Mag. Angela Witzany CIA

Sparkassen Versicherung AG

Vienna Insurance Group

Mag. Angela Witzany Internal Audit in Solvency II 2

10 Years Ago10 Years Ago

Dot com bubble explodet WorldCom bankruptsy as highest damage

till 2002 : 80 billions US$ Fraudulent Top Management In fraud involved statutory auditors Disclosure by Whistleblowers Whistleblowing Internal Auditors

Mag. Angela Witzany Internal Audit in Solvency II 3

Sarbanes Oxley ActSarbanes Oxley Act

Reaction to Enron, WorldCom etc. US listed companies and worldwide subsidiaries Installation of the Public Company Accounting

Oversight Board (PCAOB) Internal Control Over Financial Reporting

Requirements (Sec. 404) Whistleblowerprocedure under responsibility of

audit committee Whistleblower protection

Mag. Angela Witzany Internal Audit in Solvency II 4

SOX TodaySOX Today

Biggest World Economic Crisis in the history Lehman Bancruptcy with accounting fraud

Whistleblower was fired, statutory auditor did nothing Madoff‘s Ponzi Scheme

SEC ignored the whistleblower 8 years The expenditure of SOX outweights the benefits AIG, till then largest insurance of the world:

rescued by US government with 200 billions US$ AIG difficulties were not caused by its insurance operations but by

its rash involvement in complex financial instruments such as credit default swaps

Federal regulator: OTS (Office of Thrift Supervision)Responsible for Savings and Loans Companies

Dodd – Frank Wall Street Reform and Consumer Protection Act 2010 – Three new regulators ?

Mag. Angela Witzany Internal Audit in Solvency II 5

EU Directive on statutory auditsEU Directive on statutory audits

EU Directive 2006/43: Not an European SOX Since public – interest entities have a higher

visibility and economically more important, stricter requirements should apply in the case of a statutory audit of their annual or consolidated accounts.Directive 2006 / 43 Wheras 23

„Public – interest entities“ means entities … whose transferable securities are admitted to trading on a regulated market, credit institutions and insurance undertakings.Directive 2006 / 43 Article 2 / 13

Mag. Angela Witzany Internal Audit in Solvency II 6

Audit Committee Audit Committee in Public – Interest Entitiesin Public – Interest Entities

Audit committees and an effective internal control system help to minimise financial, operational and compliance risks, and enhance the quality of financial reporting. Directive 2006 / 43 Whereas 24

Each public – interest entity shall have an audit committee. At least one member of the audit committee shall be

independent an shall have competence in accounting and / or auditing.

Member states may permit the functions assigned to the audit committee be performed by the administrative or supervisory body as whole.Directive 2006 / 43 Article 41 / 1

Mag. Angela Witzany Internal Audit in Solvency II 7

Audit Committee and IAAudit Committee and IA

Whithout prejudice the responsibility of the members of the administrative, management or supervisory bodies …. the audit committee shall, inter alia:

monitor the financial reporting process, monitor the effectiveness of the company‘s internal control,

internal audit where applicable and risk management systems,

monitor the stuary audit of annual and consolidated accounts,

Review and monitor the independence of the statutory auditor.Directive 2006 / 43 Article 41 / 2

Mag. Angela Witzany Internal Audit in Solvency II 8

Objectives of regulationObjectives of regulation

The main objective of insurance and reinsurance regulation and supervision is the adequate protection of policy holders and beneficiaries.

The term beneficiaries is intended to cover any natural or legal person who ist entitled to a right under an insurance contract.

Financial stability and fair stable markets are other objectives of insurance and reinsurance regulations and supervision.Directive 2009 / 138 Whereas 16

Mag. Angela Witzany Internal Audit in Solvency II 9

Necessity of Solvency IINecessity of Solvency II

The protection of policy holders presupposes that insurance and reinsurance undertakings are subject of effective solvency requirements that result in an efficient allocation of capital across the European Union.

In light of market development the current system is no longer adequate.

It is therefore necessary to introduce a new regulatory framework.Directive 2009 / 138 Whereas 14

Mag. Angela Witzany Internal Audit in Solvency II 10

Importance of Governance SystemImportance of Governance System

Some risks may only be properly addressed through the quantitative requirements reflected in the Solvency Capital Requirements.

An effective system of governance is therefore essential for the adequate management of the insurance undertaking and for the regulatory system.Directive 2009/138/EC Whereas 29

Mag. Angela Witzany Internal Audit in Solvency II 11

Key FunctionsKey Functions

The System of Governance includes the risk – management function, the compliance function, the internal audit function and the actuarial function.Directive 2009 / 138/ EC Whereas 30

The functions included in the system of governance are considered to be key functions and consequently also important and critical functions.Directive 2009 / 138 / EC Whereas 33

Mag. Angela Witzany Internal Audit in Solvency II 12

FunctionsFunctions

A function is an administrative capacity to undertake particular governance tasks.

The identification of a particular function does not prevent the undertaking from freely deciding how to organise the function in practice. It should be possible to be staffed by own staff, to rely on advice from outside experts or be outsourced.Directive 209 / 38 / EC Whereas 31

Furthermore, save as regards the internal function, in smaller and less complex undertakings it should be possible for more than one function to be carried out by a single person or organisational unit. Directive 209 / 38 / EC Whereas 32

Mag. Angela Witzany Internal Audit in Solvency II 13

Fit and ProperFit and Proper

All persons that perform key functions should be fit and proper.Directive 2009 / 138 / EC Whereas 34

Fit: Professional qualifications, knowledge and experience are adequate to enable sound and prudent management.

Proper: Good repute and integrity.Directive 2009 / 138 / EC Article 42 / 1 / a, b

Mag. Angela Witzany Internal Audit in Solvency II 14

Internal ControlInternal Control

Insurance an reinsurance undertakings shall have in place an effectice internal control system.

The system shall at least include administrative and accounting procedures, an internal control framework, appropriate reporting arrangements at all levels of the undertaking and a compliance funktion.Directive 2009 / 138 Article 46 / 1

Mag. Angela Witzany Internal Audit in Solvency II 15

ComplianceCompliance

The compliance function shall include advising the administrative, management or supervisory body on compliance with the laws, regulations and administrative provisions adopted pursuant to this Directive.

It shall also include an assessment of the possible impact of any changes in the legal environment on the operations of the undertaking concerned and the identification and assessement of compliance risk.Directive 2009 /138 Article 46 / 2

Mag. Angela Witzany Internal Audit in Solvency II 16

Risk ManagementRisk Management

Insurance and reinsurance undertakings shall have in place an effective risk – management system, comprising strategies, processes and reporting procedures necessary to identify, measure, monitor, manage and report, on continuous basis the risks, at an individual and at an aggregated level, to wich they are or could be exposed, and their independencies.

The risk – management system shall be effective an well integrated into the organisationel structure and in the decision making process … with proper consideration of the persons who effectively run the undertaking or have other key functions.Directive 2009 / 138 Article 44 / 1

Mag. Angela Witzany Internal Audit in Solvency II 17

Covered RisksCovered Risks

The risk – management system shall cover the risks to be included in the calculation of the Solvency Capital Requirement (Article 101/4) as well as the risks which are not or not fully included in the calculation thereof.

The risk – management system shall cover at least the following areas: underwriting and reserving; asset – liability management; investment, in particular derivates and similar commitments; liquidity and concentration risk management; operational risk management; reinsurance and other risk – mitigation techniques.Directive 2009 / 138 Article 44 / 2

Mag. Angela Witzany Internal Audit in Solvency II 18

Internal Audit 1Internal Audit 1

Insurance and reinsurance undertakings shall provide for an effective internal audit function.

The internal audit function shall include an evaluation of the adequacy and effectiveness of the internal control system [ including compliance function ] and other elements of the system of governance [ including risk management and actuarial function ].Directive 2009 / 138 / EC Article 47 / 1

Mag. Angela Witzany Internal Audit in Solvency II 19

Internal Audit 2 + 3Internal Audit 2 + 3

The internal audit function shall be objective and independent from the operational functions.

Any findings and recommendations of the internal audit shall be reported to the administrative, management or supervisory body which shall determine what actions are to be taken with respect to each of the internal audit findings and recommendations and shall ensure that those actions are carried out.Directive 2009 / 138 / EC Article 47 2 / 3

Mag. Angela Witzany Internal Audit in Solvency II 20

OutsourcingOutsourcing

Insurance and reinsurance undertakings remain fully responsible for discharging all of their obligations under this Directive when they outsource functions or any insurance or reinsurance activities.Directive 2009 / 138 Article 49 / 1

Outsourcing of critical or important operational functions or activities shall not be undertaken in such way as to lead to any as the following: materially impairing the quality of the system of governance of the untertaking concerned; unduly increasing the operational risk; impairing the ability of the supervisory authorities to monitor the compliance of the undertaking with ist obligations; undermining continuous and satisfactory service to policy holders.Directive 2009 / 138 Article 49 / 2

Mag. Angela Witzany Internal Audit in Solvency II 21

Risk Level / Audit IntensityRisk Level / Audit Intensity

1 – management, 2 – actuary, 3 – asset management, 4 – sales, 5 – marketing, 6 - legal

0

10

20

30

40

50

60

70

80

90

1 2 3 4 5 6

risk

audit

Mag. Angela Witzany Internal Audit in Solvency II 22

Risk Level / Audit IntensityRisk Level / Audit Intensity

1 – general administration, 2 – HR administration, 3 – underwriting, 4 – claims, 5 – controlling, 6 - accounting

0

10

20

30

40

50

60

70

80

1 2 3 4 5 6

Risk

Audit

Mag. Angela Witzany Internal Audit in Solvency II 23

Characteristics of IACharacteristics of IA

1 – correct, 2 – helpful, 3 – independent,4 – innovative, 5 – objective

0102030405060708090

100

1 2 3 4 5

IA

Board

Mag. Angela Witzany Internal Audit in Solvency II 24

Contribution of IA to Company‘s Contribution of IA to Company‘s success, growth and securitysuccess, growth and security

0102030405060708090

100

success growth security

IA

Board

Mag. Angela Witzany Internal Audit in Solvency II 25

Summary ISummary I

Neither the economic system nor the managers nor the internal auditors did learn anything from the dot com bubble.

Ad hoc regulations like SOX are expensive and not really effective.

Solvency II is a modern, wellprepared frame work for the European insurance industry.

Capital requirement will depend on accepted risks. The governance reqirements are as important as

the quantitative capital requirements.

Mag. Angela Witzany Internal Audit in Solvency II 26

Summary IISummary II

Risk Management , compliance, actuary and Internal Audit are key functions.

Internal Audit is the only key function, which is not allowed to be merged with other functions.

Responsible for key function as Internal Audit have to be fit and proper.

Internal Audit has to evaluate the internal control system and the other key functions.

As researches show, Internal Audit needs immediatly a change of image.

Mag. Angela Witzany Internal Audit in Solvency II 27

ConclusionConclusion

To fulfill all requirements and chances of Solvency II, Internal Audit needs a change in personal competence and in special knowledge.

IA has to work more risk orientated as today. IA has to accept gaps in knowledge and have to insource

missing capacities. IA is a part of internal control and therefore not a part or an

assistant of the Supervisory Authority. Top Management, Internal Audit and the Supervisory Board

have to agree about the goals of Internal Audit and are obliged to work together respectfully and trustingly and not because of public regulations.

Mag. Angela Witzany Internal Audit in Solvency II 28

Thank you for your attention!

If you need any additional information, feel free to contact me:

Mag. Angela Witzany, CIAangela.witzany@s-versicherung.at