Short-Term Insurance Act, 1998 (Act No. 53 of 1998)

Board Notices

Notice on Governance and Risk Management Framework for Insurers, 2014

Part 5 : Internal Control System

26. Internal audit function

Purchase cart Previous page Return to chapter overview Next page

 

(1)The internal audit function must, at least,—
(a)establish, implement and maintain a risk-based audit plan;
(b)review and evaluate the adequacy and effectiveness of the insurer's policies and processes and the documentation and controls in respect of these;
(c)review levels of compliance with established policies, processes, and controls;
(d)evaluate the reliability and integrity of information;
(e)monitor that the identified risks and the agreed actions to address them are accurate, complete and current;
(f)evaluate the internal controls relating to governance, operations and information systems in place to verify the safeguarding of insurer and policyholder assets;
(g)evaluate the effectiveness of the governance framework;
(h)evaluate the adequacy and effectiveness of the insurer's risk management, compliance and actuarial functions; and
(i)conduct regular assessments of the internal audit function and audit systems and incorporate needed improvements.

 

(2)In carrying out the above tasks, the internal audit function must ensure that all material areas of risk and obligation of the insurer are subject to appropriate audit or review over a reasonable period of time, including, but not limited to—
(a)market, insurance, credit, liquidity, operational (including insurance fraud), and regulatory and compliance (including reputational) risk;
(b)accounting and financial policies and whether the associated records are complete and accurate;
(c)the extent of compliance by the insurer with applicable law, regulations, rules, and directives from all relevant regulatory authorities;
(d)intra-group transactions, including intra-group risk transfer and internal pricing;
(e)adherence by the insurer to the insurer's remuneration policy;
(f)the reliability and timeliness of escalation processes and reporting systems, including whether there are confidential means for employees to report concerns or non-compliance, and whether these are properly communicated, offer the reporting employee adequate protection from retaliation, and result in appropriate follow up; and
(g)the extent that any non-compliance with internal policies or external legal or regulatory obligations are documented, and appropriate corrective or disciplinary measures are taken, including in respect of individual employees involved.

 

(3)The internal audit function must have access to and, at least annually, report to the board of directors or the audit committee if the board of directors so requires on—
(a)the strategy of the function;
(b)the function's audit plan, detailing the proposed areas of audit focus;
(c)an assessment on the extent of achievement of the goals set out in the audit plan;
(d)information on its resources, including an analysis on the appropriateness of those resources;
(e)any factors that may impinge on the internal audit function's independence, objectivity, or effectiveness;
(f)material findings from audits or reviews conducted;
(g)material deficiencies of the internal control system, or of compliance with internal policies and procedures or external legal or regulatory obligations, and include recommendations to remedy all identified deficiencies; and
(h)the extent of management compliance with previously agreed upon corrective or risk mitigating measures.