Short-Term Insurance Act, 1998 (Act No. 53 of 1998)
Board Notices
Notice on Governance and Risk Management Framework for Insurers, 2014
Part 5: Internal Control System

26. Internal audit function
(1) The internal audit function must, at least,—
(a) establish, implement and maintain a risk-based audit plan;
(b) review and evaluate the adequacy and effectiveness of the insurer's policies and processes and the documentation and controls in respect of these;
(c) review levels of compliance with established policies, processes, and controls;
(d) evaluate the reliability and integrity of information;
(e) monitor that the identified risks and the agreed actions to address them are accurate, complete and current;
(f) evaluate the internal controls relating to governance, operations and information systems in place to verify the safeguarding of insurer and policyholder assets;
(g) evaluate the effectiveness of the governance framework;
(h) evaluate the adequacy and effectiveness of the insurer's risk management, compliance and actuarial functions; and
(i) conduct regular assessments of the internal audit function and audit systems and incorporate needed improvements.
(2) In carrying out the above tasks, the internal audit function must ensure that all material areas of risk and obligation of the insurer are subject to appropriate audit or review over a reasonable period of time, including, but not limited to—
(a) market, insurance, credit, liquidity, operational (including insurance fraud), and regulatory and compliance (including reputational) risk;
(b) accounting and financial policies and whether the associated records are complete and accurate;
(c) the extent of compliance by the insurer with applicable law, regulations, rules, and directives from all relevant regulatory authorities;
(d) intra-group transactions, including intra-group risk transfer and internal pricing;
(e) adherence by the insurer to the insurer's remuneration policy;
(f) the reliability and timeliness of escalation processes and reporting systems, including whether there are confidential means for employees to report concerns or non-compliance, and whether these are properly communicated, offer the reporting employee adequate protection from retaliation, and result in appropriate follow up; and
(g) the extent that any non-compliance with internal policies or external legal or regulatory obligations are documented, and appropriate corrective or disciplinary measures are taken, including in respect of individual employees involved.
(3) The internal audit function must have access to and, at least annually, report to the board of directors or the audit committee if the board of directors so requires on—
(a) the strategy of the function;
(b) the function's audit plan, detailing the proposed areas of audit focus;
(c) an assessment on the extent of achievement of the goals set out in the audit plan;
(d) information on its resources, including an analysis on the appropriateness of those resources;
(e) any factors that may impinge on the internal audit function's independence, objectivity, or effectiveness;
(f) material findings from audits or reviews conducted;
(g) material deficiencies of the internal control system, or of compliance with internal policies and procedures or external legal or regulatory obligations, and include recommendations to remedy all identified deficiencies; and
(h) the extent of management compliance with previously agreed upon corrective or risk mitigating measures.