Welcome to the January edition of the Insurance Market Update in which we focus on issues in the non-life insurance sector. In this edition we consider Solvency II and the third line of defence, internal audit.

Solvency II is now firmly on insurers' agenda and we have seen a step change in activity, prompted in part by the FSA articulating what they expect insurers to be doing in order to meet the 31 December 2012 deadline. Solvency II represents an opportunity for insurers to overhaul their internal risk models, reporting systems and capital requirement. Governance is an integral feature within the Solvency II landscape and embracing the opportunity to review Governance procedures could unlock cost efficiencies through improved design. Failure to embrace change could result in additional regulatory capital charges.

Many insurers have adopted the 'three lines of defence' risk governance model. The third line of defence, internal audit, provides independent assurance on the design and effectiveness of the overall system of internal control, including risk management and compliance. In this month's edition, Ben Jones and Rick Lester look at the way internal audit can assist management in gaining assurance over current Solvency II implementation projects and consider the subsequent challenges facing this critical component of the governance framework.

As always, we look forward to receiving your feedback. Your views, comments and suggestions for future themes or topics are most welcome.

Third line of defence – Effective use of internal audit within Solvency II

Solvency II is driving fundamental changes throughout insurers' businesses and the implications of the new capital and risk regime are affecting every area of the organisation. Pillar 2 deals with qualitative aspects of a company's internal controls, the risk management processes and the approach to supervisory review. It stresses the importance of corporate governance and requires an undertaking, inter alia, to ensure it has in place "an objective and independent internal audit function that evaluates the adequacy and effectiveness of the internal control system". This may appear straightforward, but the impact of implementation on internal audit is much more significant: to ensure a smooth transition, internal audit's capabilities will need to be of sufficient depth and technical standard to enable it to provide assurance whilst adding value to the insurer.

In this edition we look at how internal audit is adding value as part of its role within current Solvency II implementation projects. We then discuss some of the potential challenges it may face during the latter stages of implementation and into 'business as usual'.

Programme assurance

Currently, the internal audit effort around Solvency II is focused on programme assurance and providing comfort to management that plans are aligned to the desired outcome and progress is on track. Typical areas we have seen being captured in the scope of such work include:

  • Programme structure
  • Programme governance
  • Progress against key milestones
  • Management of programme risks and issues
  • Management information
  • Communications
  • Change management
  • Scope and change control
  • Risks, issues and interdependencies
  • Vendor and procurement management
  • Quality management

However, we believe there are a number of areas which are often overlooked, or not addressed, due to other constraints. These include:

  • Solvency II strategy
  • Financial management
  • Performance and benefits management
  • Contingency management
  • Resource management

Solvency II strategy is a particularly important area and one where internal audit needs to challenge the existence, articulation and understanding of the insurer's strategy. Without a consistent understanding of the final outcome and the means by which this is to be achieved, different parts of the business, working independently of one another on a day-to-day basis, may hold differing views of the implementation programme.

Technical areas

We are increasingly observing internal audit effort being directed towards the detailed technical areas of Solvency II and some insurers are now at the stage of scoping individual audits as part of their three year planning cycles. At this stage, most insurers are still conducting the design and build phase of implementation. As a result, the technical areas cannot be addressed without impinging on work currently being carried out by the business. However, because of the uncertainty that still exists around some of the final requirements in certain areas, the target is moving. Notwithstanding this, technical assurance plays an important role in gaining comfort that what is being built will be fit for purpose and will satisfy the regulatory requirements.

The major focus areas for technical assurance reviews are:

  • Governance and risk management
  • Internal model
  • Technology and data
  • Own Risk and Solvency Assessment (ORSA)
  • Disclosure and reporting

For each of these areas there needs to be an assessment of the extent to which the key technical models, frameworks, tests and controls will meet regulatory requirements and stakeholder expectations. Below we set out some typical assurance reviews being planned, plus an indication of how insurers are approaching these.

Challenges

The new capital and risk regime presents multiple challenges for the business and specifically for internal audit.

Internal models

Insurers adopting an internal model will need to assess the effectiveness of controls and the requirement for model validation. Independence within this process is essential to effective validation as it enables objective challenge to the internal model.

Internal audit will have an ongoing assurance role on model validation. They must ensure the robustness and completeness of the independent review, whether performed internally or externally, and determine whether this independence is maintained over time. This is a role that many internal audit functions do not have experience of.

ORSA

Pillar 3 reporting will require disclosures on how the ORSA processes and outcomes are appropriately evidenced and internally documented, but also on how they are independently reviewed. CEIOPS (now European Insurance and Occupational Pensions Authority [EIOPA]) have stated that 'independent' does not necessarily mean external to the organisation and also that internal audit could perform the review. For many larger insurers this will be the right answer. However, smaller firms may not have the necessary expertise and will need to look externally for assistance. The implications of reviewing the ORSA could be a significant change for some insurers and particularly for those who do not routinely assess all relevant elements of their enterprise risk management framework. A key challenge when undertaking independent validation is balancing the need to manage conflicts of interest, with the need for efficient use of resources.

Risk culture

Pillar 2 requires risk management policies, risk frameworks and risk culture to be embedded in the insurer, but providing assurance in these areas is uncharted waters for many internal audit functions. Risk culture is a key enabler of Solvency II compliance, as well as a current hot topic for the FSA for a variety of reasons, but it is a particularly challenging area to audit. Making an assessment of its own risk culture is a difficult task for any organisation, not least because of the highly subjective and qualitative nature of such an exercise, and this is an area where many insurers will look for external specialist assistance.

Governance

Level 2 implementing advice states that the internal audit function should evaluate not only the effectiveness of the internal control system, but also other elements of the system of governance. This will translate into an increase in demand on senior auditor time for those insurers who have not previously addressed the totality of their governance arrangements in their audit plans.

Enhanced processes

As well as the new areas where auditors will need to provide assurance, there are processes in the internal audit function itself which the new regime specifies must be present. Issue escalation is one area captured explicitly by the new requirements. Parameters linked to risk appetite need to be defined by internal audit, with any breach of a parameter relating to a control deficiency, loss or irregularity, resulting in a requirement for internal audit to be informed by the business area affected. This is an area which has not been considered previously by all internal audit functions. Another area which may not have been considered thoroughly is being able to demonstrate "a methodical risk analysis" behind annual audit planning.

Resourcing

In most cases, resourcing is one of the biggest 'headaches' for internal audit management. The industry strain on appropriately skilled Solvency II personnel, combined with the extra assurance required, will make this even more acute. Internal audit functions need to be thinking now about the audit assurance required in the new 'business as usual' operating model and hence their required resource profile. For example, IT resource will be required to provide assurance over the systems and data requirements underpinning the delivery of Solvency II, and actuarial knowledge will be required to challenge the design and operation of the internal model. The skill mix needs to be carefully considered and in many cases a cross-functional audit team may be the route to providing a robust check on controls and processes. Naturally, part of the answer is to train existing team members to develop their knowledge of Solvency II and other technical areas. However, up to now, the intensity of Solvency II training for many internal audit staff has been limited, and in a lot of cases far less than has been provided to the Board and senior management.

Conclusion

There are two principal dimensions to the new challenges arising for internal audit from Solvency II. First is the pressing requirement to provide assurance over all the key elements of the programme, and second is the far more difficult assessment of planning for how 'business as usual' will look for internal audit in the Solvency II environment. Interpreting the changes to 'business as usual' as additional technical audits would be underestimating the nature of the new requirements which are also cultural and behavioural.
