Main messages from ECIIA Insurance Committee
Impact of COVID-19 on the way audits are performed (HOW)
Productivity of the internal audit department:
- care for people: empowerment
- give flexibility to people, do not put too much pressure and be „results-oriented“
- use different indicators to measure productivity (efficiency & quality & impact of the COVID-19 on productivity)
Audits performed remotely:
- use COVID-19 a catalyst for change in this sense in the future
- Take into account the challenges from Remote working and technology in countries in some countries (Africa of Asia for example) due to lower quality WiFi and other issues (logistic issues, housing issues,…)
- take care of employees and organise virtual meetings with each country regularly and with everyone in your team
- change hierarchy: all auditors may come with solutions and are involved (not just leaders)
- take the best resource wherever she/he seats…use the advantage of no geographical boundary anymore and go for a fully integrated audit team
Audit report:
- mention if the mission has been performed before or during COVID-19
Audit plan:
- add a special COVID-19 impact on the different risks categories
- prioritise audits in the plan and rearrange and potentially postpone (changes up to 15% on average so far)
- strike for the balance between putting pressure on stakeholders to stick to the plan and not going too far. there will be some impact but so far, nothing dramatic. – audits will be delayed for a few weeks
- focus on group risks
- use a contingency plan to prioritise the work included in the audit plan. (mandatory & relevant audits that need to be performed – but some cannot be carried out due to those countries not having WiFi for example).
- transfer internal auditors to other departments as long as independence is preserved: few transfers to Risk Management and First line (payments, regulation processes,…)
Findings:
- grant relief for medium-risk findings. (relief of up to 3 months)
- ask Management to defend their position in postponement by assessing
- key risks.
- remediate on low/medium risks findings with a good business case to postpone the deadline
- accept delays for some complex issues with difficult actions plan to implement à no pressure on the overdue in this case: more flexibility and case by case resolution
New emerging risks with COVID-19 (WHAT)
- reassess the external risks: market, credit, insurance in the new context of COVID-19
- reassess the operational risks: the remote work creates a new design of internal controls
- pay attention to the increase of some risks and new risks:
*Data loss prevention
*Credit ratings
*Business continuity.
*Data privacy issues & Data security & Data losses issues
*Security of people & information
*Cyber-attacks
* Compliance risks and regulatory changes
*Financial risks: asset (impairment), financial investment risks (technical provisions).
*Fraud (claims management)
*Life insurance underwriting
Communication to stakeholders on the impact of audit activities and plans (WHO)
- Provide transparency to the stakeholder and avoid surprises
- Communicate each new measure to the audit committees and Management.
- Organise regular meetings with Management Board to assess audit plan vs business capacity
- Assist the audit committees with new issues: Evaluation of COVID-19 impact on fragile areas (big risks): vulnerability exercise, Risk of COVID-19 on employees back to the office