Internal Audit in Solvency II
Mag. Angela Witzany, CIA
Sparkassen Versicherung AG Vienna Insurance Group

10 Years Ago
- Dot-com bubble exploded
- WorldCom bankruptcy as the highest damage until 2002: 80 billion US$
- Fraudulent top management
- Statutory auditors involved in fraud
- Disclosure by whistleblowers
- Whistleblowing internal auditors

Sarbanes Oxley Act
- Reaction to Enron, WorldCom etc.
- US-listed companies and worldwide subsidiaries
- Installation of the Public Company Accounting Oversight Board (PCAOB)
- Internal Control Over Financial Reporting requirements (Sec. 404)
- Whistleblower procedure under the responsibility of the audit committee
- Whistleblower protection

SOX Today
- Biggest world economic crisis in history
- Lehman bankruptcy with accounting fraud
- Whistleblower was fired, statutory auditor did nothing
- Madoff's Ponzi scheme
- SEC ignored the whistleblower for 8 years
- The expenditure of SOX outweighs the benefits
- AIG, until then the largest insurer in the world: rescued by the US government with 200 billion US$
- AIG's difficulties were not caused by its insurance operations but by its rash involvement in complex financial instruments such as credit default swaps
- Federal regulator: OTS (Office of Thrift Supervision), responsible for savings and loan companies
- Dodd-Frank Wall Street Reform and Consumer Protection Act 2010
- Three new regulators?

EU Directive on statutory audits
EU Directive 2006/43: Not a European SOX

Since public-interest entities have a higher visibility and are economically more important, stricter requirements should apply in the case of a statutory audit of their annual or consolidated accounts.
Directive 2006/43, Whereas 23

"Public-interest entities" means entities … whose transferable securities are admitted to trading on a regulated market, credit institutions and insurance undertakings.
Directive 2006/43, Article 2/13

Audit Committee in Public-Interest Entities
Audit committees and an effective internal control system help to minimise financial, operational and compliance risks, and enhance the quality of financial reporting.
Directive 2006/43, Whereas 24

Each public-interest entity shall have an audit committee. At least one member of the audit committee shall be independent and shall have competence in accounting and/or auditing. Member states may permit the functions assigned to the audit committee to be performed by the administrative or supervisory body as a whole.
Directive 2006/43, Article 41/1

Audit Committee and IA
Without prejudice to the responsibility of the members of the administrative, management or supervisory bodies … the audit committee shall, inter alia:
- monitor the financial reporting process,
- monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems,
- monitor the statutory audit of annual and consolidated accounts,
- review and monitor the independence of the statutory auditor.
Directive 2006/43, Article 41/2

Objectives of regulation
The main objective of insurance and reinsurance regulation and supervision is the adequate protection of policy holders and beneficiaries. The term beneficiaries is intended to cover any natural or legal person who is entitled to a right under an insurance contract. Financial stability and fair and stable markets are other objectives of insurance and reinsurance regulation and supervision.
Directive 2009/138, Whereas 16

Necessity of Solvency II
The protection of policy holders presupposes that insurance and reinsurance undertakings are subject to effective solvency requirements that result in an efficient allocation of capital across the European Union. In light of market developments the current system is no longer adequate. It is therefore necessary to introduce a new regulatory framework.
Directive 2009/138, Whereas 14

Importance of Governance System
Some risks may only be properly addressed through the quantitative requirements reflected in the Solvency Capital Requirements. An effective system of governance is therefore essential for the adequate management of the insurance undertaking and for the regulatory system.
Directive 2009/138/EC, Whereas 29

Key Functions
The system of governance includes the risk-management function, the compliance function, the internal audit function and the actuarial function.
Directive 2009/138/EC, Whereas 30

The functions included in the system of governance are considered to be key functions and consequently also important and critical functions.
Directive 2009/138/EC, Whereas 33

Functions
A function is an administrative capacity to undertake particular governance tasks. The identification of a particular function does not prevent the undertaking from freely deciding how to organise the function in practice. It should be possible for a function to be staffed by own staff, to rely on advice from outside experts or to be outsourced.
Directive 2009/138/EC, Whereas 31

Furthermore, save as regards the internal audit function, in smaller and less complex undertakings it should be possible for more than one function to be carried out by a single person or organisational unit.
Directive 2009/138/EC, Whereas 32

Fit and Proper
All persons that perform key functions should be fit and proper.
Directive 2009/138/EC, Whereas 34

- Fit: professional qualifications, knowledge and experience are adequate to enable sound and prudent management.
- Proper: good repute and integrity.
Directive 2009/138/EC, Article 42/1/a, b

Internal Control
Insurance and reinsurance undertakings shall have in place an effective internal control system. The system shall at least include administrative and accounting procedures, an internal control framework, appropriate reporting arrangements at all levels of the undertaking and a compliance function.
Directive 2009/138, Article 46/1

Compliance
The compliance function shall include advising the administrative, management or supervisory body on compliance with the laws, regulations and administrative provisions adopted pursuant to this Directive. It shall also include an assessment of the possible impact of any changes in the legal environment on the operations of the undertaking concerned and the identification and assessment of compliance risk.
Directive 2009/138, Article 46/2

Risk Management
Insurance and reinsurance undertakings shall have in place an effective risk-management system, comprising strategies, processes and reporting procedures necessary to identify, measure, monitor, manage and report, on a continuous basis, the risks, at an individual and at an aggregated level, to which they are or could be exposed, and their interdependencies. The risk-management system shall be effective and well integrated into the organisational structure and in the decision-making process … with proper consideration of the persons who effectively run the undertaking or have other key functions.
Directive 2009/138, Article 44/1

Covered Risks
The risk-management system shall cover the risks to be included in the calculation of the Solvency Capital Requirement (Article 101/4) as well as the risks which are not or not fully included in the calculation thereof. The risk-management system shall cover at least the following areas:
- underwriting and reserving;
- asset-liability management;
- investment, in particular derivatives and similar commitments;
- liquidity and concentration risk management;
- operational risk management;
- reinsurance and other risk-mitigation techniques.
Directive 2009/138, Article 44/2

Internal Audit 1
Insurance and reinsurance undertakings shall provide for an effective internal audit function. The internal audit function shall include an evaluation of the adequacy and effectiveness of the internal control system [including compliance function] and other elements of the system of governance [including risk management and actuarial function].
Directive 2009/138/EC, Article 47/1

Internal Audit 2 + 3
The internal audit function shall be objective and independent from the operational functions. Any findings and recommendations of the internal audit shall be reported to the administrative, management or supervisory body, which shall determine what actions are to be taken with respect to each of the internal audit findings and recommendations and shall ensure that those actions are carried out.
Directive 2009/138/EC, Article 47/2, 3

Outsourcing
Insurance and reinsurance undertakings remain fully responsible for discharging all of their obligations under this Directive when they outsource functions or any insurance or reinsurance activities.
Directive 2009/138, Article 49/1

Outsourcing of critical or important operational functions or activities shall not be undertaken in such a way as to lead to any of the following:
- materially impairing the quality of the system of governance of the undertaking concerned;
- unduly increasing the operational risk;
- impairing the ability of the supervisory authorities to monitor the compliance of the undertaking with its obligations;
- undermining continuous and satisfactory service to policy holders.
Directive 2009/138, Article 49/2

Risk Level / Audit Intensity
[Chart: risk and audit series, scale 0 to 90, for 1 – management, 2 – actuary, 3 – asset management, 4 – sales, 5 – marketing, 6 – legal]

Risk Level / Audit Intensity
[Chart: risk and audit series, scale 0 to 80, for 1 – general administration, 2 – HR administration, 3 – underwriting, 4 – claims, 5 – controlling, 6 – accounting]

Characteristics of IA
[Chart: IA and Board series, scale 0 to 100, for 1 – correct, 2 – helpful, 3 – independent, 4 – innovative, 5 – objective]

Contribution of IA to Company's success, growth and security
[Chart: IA and Board series, scale 0 to 100, for success, growth, security]

Summary I
- Neither the economic system nor the managers nor the internal auditors learned anything from the dot-com bubble.
- Ad hoc regulations like SOX are expensive and not really effective.
- Solvency II is a modern, well-prepared framework for the European insurance industry.
- Capital requirements will depend on accepted risks.
- The governance requirements are as important as the quantitative capital requirements.

Summary II
- Risk management, compliance, actuary and Internal Audit are key functions.
- Internal Audit is the only key function which is not allowed to be merged with other functions.
- Those responsible for key functions such as Internal Audit have to be fit and proper.
- Internal Audit has to evaluate the internal control system and the other key functions.
- As research shows, Internal Audit immediately needs a change of image.

Conclusion
- To fulfil all requirements and chances of Solvency II, Internal Audit needs a change in personal competence and in special knowledge.
- IA has to work in a more risk-oriented way than today.
- IA has to accept gaps in knowledge and has to insource missing capacities.
- IA is a part of internal control and therefore not a part or an assistant of the Supervisory Authority.
- Top Management, Internal Audit and the Supervisory Board have to agree on the goals of Internal Audit and are obliged to work together respectfully and trustingly, and not because of public regulations.

Thank you for your attention!
If you need any additional information, feel free to contact me:
Mag. Angela Witzany, CIA
angela.witzany@s-versicherung.at