Internal auditors playing greater role in insurance regulation
Insurance regulators and supervisors across Europe are increasingly looking to internal auditors to help their organisations achieve the necessary compliance requirements, according to a recent meeting of ECIIA’s insurance committee in Stockholm, Sweden.
While trends in supervision and regulation differ across Europe, many authorities are looking for insurers to strengthen their risk-based approach to compliance. Businesses are also expected to be more forward-looking in their risk analyses.
In some European jurisdictions, supervisory bodies are relying more on internal audit reports than in others. That has led to some regions considering tougher sanctions against internal audit functions if they fail to produce audit reports that are robust and accurate, and it emphasizes the need to define the relation between internal auditors and the supervisory bodies.
The committee identified emerging trends in artificial intelligence, business continuity, data science, IT security, liquid assets, money laundering and outsourcing.
“Clearly, internal auditors in the insurance sector have an increasingly important role to play in helping their organisations satisfy regulatory and supervisory requirements,” ECIIA insurance committee Hervé Gloaguen says. “Our committee is working on a publication that outlines these shifting priorities to keep our members up to date with recent developments.”
ECB internal models guide should clarify assurance responsibilities
While ECIIA welcomes the European Central Bank’s (ECB) draft guide on internal models for financial services organisations, more clarity is needed in some areas over the role of internal audit and other assurance functions.
In response to the ECB consultation on its proposed guidance, ECIIA has highlighted several areas where a more explicit focus on the difference between the roles of the second and third lines of defence are needed.
For example, ECIIA says that validation of an organisation’s ratings-based approach for calculating how much capital it holds for regulatory purposes should be performed by a second line function – rather than by internal audit, as is currently suggested by the ECB.
“We should avoid overlapping between internal audit and the internal validation activities in order to make efficient the control function activities,” Farid Aractingi, ECIIA President, says. Internal audit’s role is to provide assurance that the validation approach is robust and efficient.
ECIIA also emphasised the need for ECB to adhere to a risk-based approach to the effectiveness of internal controls around internal models. For example, ECB has suggested an audit cycle of three years for those areas that did not show signs of increased risk.
“It is inappropriate to impose a minimum frequency of three years, for models or for any other area,” ECIIA said in its submission. “Each bank should be consistent with its own approach combining audit cycle and risk assessment.”