8 minute read 6 Feb 2020

Internal audit in insurance

By EY UK

Multidisciplinary professional services organisation

How internal audit plays a role in helping organisations respond to industry challenges 

EY continually gathers valuable insights into the challenges facing the insurance industry. In our content series, we explain the role internal audit can play in helping organisations respond to those challenges. By carrying out discussions across the insurance industry, looking at internal audit practices across multiple sectors and interacting with regulators, we have identified five hot topics that internal audit needs to focus on: operational resilience, senior managers and certification regime (SM&CR), investment strategy, workforce-based regulations and cloud security assurance.

Each of these areas brings its own challenges, and the expectations on internal audit in providing ongoing assurance are increasing. The failure to identify and address risks associated with SM&CR, workforce-based regulations, cloud security assurance and operational resilience could lead to fines and other regulatory action, as well as reputational damage. Continued financial market instability will put stress on the investment and capital positions of non-life or general insurers (GIs). This will make decisions concerning investment allocation all the more important.

Our content aims to guide you in your future internal audit activity, as well as inform you about the scope of items reviewed, increase the value which internal audit brings to key stakeholders and aid the understanding of common challenges across the industry.

  • Operational resilience

    Operational resilience is the ability of an organisation to prevent, respond to, recover and learn from operational disruptions to survive and prosper. It is important to mitigate risks that are regulatory, reputational, financial and cyber in nature. The scope of internal audit includes governance and process.

  • Senior managers and certification regime

    Three interlinking regimes — SM, certification regime (CR) and conduct rules — aim to enforce action against individuals reported for inappropriate behaviour. Senior individuals who perform senior management functions (SMFs) now require the preapproval of the PRA or the FCA prior to taking up their roles. The CR requires firms to annually certify the propriety of certain key employees who are performing a role that could cause ‘significant harm’ to consumers, markets or the firms themselves. The two tiers of conduct rules outline the rules that all employees (excluding ancillary staff) and those in SMFs must comply with. As these affect all elements of a business, internal audit should review related documents and conduct workshops to mitigate associated risks.

  • Investment strategy

    GI firms have several challenges related to the lack of expertise in investment, profitability, risk and return. EY’s General Insurer Asset Strategy Framework highlights the key areas that should be considered within an investment framework and the typical areas of responsibility for the senior management.

  • Workforce-based regulations

    A number of recent regulations focused on the fairness agenda, as well as trends in associated HR policies, are driving up complex compliance obligations and reputational risks for financial services organisations. Compliance with these obligations typically sits across a number of functions. It is thus important for companies to act without bias, as any deviation or failure to implement the policies can incur hefty fines.

Summary

Internal audit can play a significant role in helping insurance organisations respond to modern challenges. Our latest report highlights how to identify and address risks associated with SM&CR, workforce-based regulations, cloud security assurance, operational resilience and investment allocation.
