Audit Report / Information • Apr 18, 2017

| Prepared by | Danijela Pavlič |
|---|---|
| Adopted by | Management board |
| Consented by | Supervisory board |
| Type of document | Report |
| Service | Internal audit |
| Confidentiality level | Business secret |
| Report number | 6-2016/POR/DP |
| Distribution list | Management board; Supervisory board members; Members of the audit committee of the supervisory board |
| Language version | Slovenian, English |
| Prepared on | 27/02/2017 |
| Date adopted at the management board session | 27/02/2017 |
| Date amended | 16/03/2017 |
Ljubljana, March 2017
| 1 | INTRODUCTION |
|---|---|
| 2 | ASSESSMENT OF THE EFFECTIVENESS AND EFFICIENCY OF SAVA RE'S SYSTEM OF INTERNAL CONTROLS, RISK MANAGEMENT AND CORPORATE GOVERNANCE |
| 4 | SUMMARY OF MAJOR FINDINGS ESTABLISHED IN INTERNAL AUDIT ENGAGEMENTS |
| 5 | IMPLEMENTATION OF RECOMMENDATIONS FOR ELIMINATION OF WEAKNESSES AND IRREGULARITIES |
| 6 | OTHER ACTIVITIES |
| 7 | IAS QUALITY ASSURANCE AND IMPROVEMENT PROGRAMME |
This annual report on internal auditing for 2016 has been prepared by the Internal Audit Service (IAS) of Pozavarovalnica Sava, d.d. (hereinafter: "Sava Re" or "the Company") in accordance with Article 165 of the Slovenian Insurance Act (ZZavar-1), the Company's internal audit policy and the International Standards for the Professional Practice of Internal Auditing (Standards).
This report includes:
The IAS is an autonomous organisational part, functionally and organisationally separate from other parts of Sava Re, reporting directly to the Sava Re management board. Its position in the Company ensures autonomy and independence of operation.
The assessment of the effectiveness and efficiency of control procedures, risk management and corporate governance is given for the period from 1 January 2016 to 31 December 2016 on the basis of audit engagements performed in Sava Re.
Based on all tests and methods used in individual areas of auditing, it is the opinion of the IAS that the internal controls at Sava Re are largely adequate and that the degree of their reliability is satisfactory. The IAS is also of the opinion that the governance of Sava Re was appropriate and undergoing ongoing improvement in order to achieve major business goals, and risks are effectively managed while striving for efficient and economical operations. There is still room for improvement in the functioning of the system, as set out below. In the performance of audit engagements, individual irregularities and weaknesses were identified, to which the IAS drew attention and for which it made recommendations for remedy aimed at improving control procedures, corporate governance and risk management. The Company's management board is aware of the potential impacts that the identified breaches, irregularities and shortcomings may have on the achievement of its key goals and is therefore taking remedial action. This is to improve the efficiency of internal controls and regularity of operations. Some irregularities and weaknesses have been eliminated within the deadlines. The implementation of recommendations made in the last quarter and those relating to the improvement of information technology require more time.
Audit engagements also focused on the probability of fraud, and exposure and vulnerability to IT risks. In areas covered by audit engagements, internal control systems have been set up and are operating so as to prevent fraud. As part of audit reviews, recommendations were issued to improve the information system.
In 2016, the IAS carried out audit reviews and other activities in accordance with its 2016 work plan, which included 13 audit engagements, of which 12 were completed. One audit review (audit of the compliance function) was completed with an interim report and is scheduled to be continued in 2017.
The internal audit reviews carried out at Sava Re covered, as follows:
An external contractor was engaged (upon the management board's proposal) to carry out an extraordinary audit of the general state of protection of confidential information (conducted by the company SIQ).
At the subsidiaries Sava neživotno osiguranje, Sava životno osiguranje, Illyria and Illyria Life, we audited the process of reporting to the controlling company and the regulator.
We participated in the IT audit of the application supporting pension business at Moja naložba.
We carried out the following formal consulting engagements: setting up the risk management process, participation in the insurer merger project (EU project) and setting up IT support in the new insurer (EU project).
The IAS was primarily involved in the following informal consulting: risk management and preparation of the risk register; cooperation with the compliance service and corporate legal department; participation in the S II project; providing proposals for strategic documents, policies and rules; and verification of information security because of suspected information leakage.
In carrying out internal audit and consulting engagements, the internal audit service was primarily focused on providing risk-based, permanent and comprehensive oversight of the Company's operations, aimed at verifying and assessing whether the processes of risk management, control procedures and corporate governance are appropriate and function in a manner that ensures the achievement of the Company's following major goals:
The IAS promptly prepared written reports for auditees, submitting to the Company's management board reports for their information and recommendations for adoption. Based on feedback from the persons responsible for the implementation of recommendations issued, the IAS periodically reported on progress in the implementation of the recommendations to the management board, the audit committee and supervisory board.
A detailed overview of engagements with all the findings, irregularities and recommendations was reported by the IAS in quarterly reports for the management board, the audit committee and the supervisory board.
Following is a brief summary of the key findings in the audited areas.
In reinsurance operations, it is necessary to (i) ensure adequate human resources to set down the specifications required to finalise the REvolve application; (ii) harmonise the instructions and rules with the work process; (iii) set up additional controls in the offer input process; (iv) impose strict implementation of the process of verifying reinsurance accounts; and (v) upgrade the application with a reliable, efficient and responsive user interface that is friendly to the user.
In purchasing, it is necessary to (i) efficiently establish the process and adopt formal rules; (ii) continue setting up the purchasing service; (iii) ensure the systematic monitoring of contracts and the setting of detailed rules for all parties involved in making contracts; (iv) improve and strictly implement instructions for invoice approval; and (v) examine potential conflicts of interest in cases where activities are performed outside work hours.
In corporate governance, it is necessary to (i) define corporate governance bodies in internal regulations; (ii) align internal policies of the Group and Sava Re with the legal framework; (iii) ensure the independence of audit committees and their appropriate composition; (iv) improve formal communication and reporting within the Group; and (v) ensure an effective information transfer system.
In asset management, it is necessary to examine options for upgrading the existing application supporting asset management and for the acquisition of a payment transactions module.
In parent and regulator reporting, it is necessary to (i) align internal rules of operation with the legal framework as well as with the Group's guidelines; (ii) regularly report to the parent, including on deviations from the plan; (iii) adequately regulate substitutions in the reporting process; and (iv) set up follow-up rules of requests for upgrading applications.
In co-operation with contractor and operation of the ASP application, it is necessary to (i) examine the efficiency of the existing process of preparing, concluding and implementing contracts; (ii) carry out periodic inspection of Group costs incurred in contracts with external suppliers; (iii) adequately implement the ordering of additional services with contractors; and (iv) set up a periodic process of revising the production environment.
In external reporting, it is necessary to ensure integrated administration of the reporting process at the Group level with a suitable tool and to build a data warehouse containing all data for import into the reporting application.
Regarding information structure, it is necessary to (i) raise the level of information security that affects the confidentiality, availability and integrity of information; (ii) eliminate identified safety deficiencies at the network and server level by changing configurations, installing necessary corrections and taking organisational measures; (iii) adequately regulate access restriction among devices within the network; and (iv) carry out an independent audit after a certain time.
In formal consulting for the project to merge the Group's EU insurers and risk management, we participated in the selection of IT support for underwriting, in the definition of risks, in setting up the risk register and register of internal controls, particularly relating to risk.
The IAS is required to report periodically on the implementation of recommendations made and proposals given based on irregularities and weaknesses identified. Based on the engagements carried out, the IAS issued 97 recommendations in 2017.
In the year to 31 December 2016, 140 recommendations were issued: 73 relating to Sava Re, 67 relating to subsidiaries, in which joint audit reviews were carried out.
Of the 73 recommendations relating to Sava Re, 17 were implemented, 9 were partly implemented and 47 were not past due.
Of the 67 recommendations issued to subsidiaries, there were 41 implemented, 20 were not past due, 3 recommendations were partly implemented and 3 were not implemented.
Altogether 79 % of the Group's recommendations were implemented.
The bulk of the not past due recommendations relate to audits that were completed in the last quarter. The subsidiaries made better progress in implementing recommendations issued in previous periods. As director of IAS, I assess the implementation of the recommendations as active.
I regularly participated in meetings of the management and supervisory boards, and audit committee, and monitored the operations of Sava Re and the Group, and managed the IAS.
In accordance with the ISA methodological bases and criteria, the IAS prepared an annual work plan for 2016, a report of the IAS for 2015 and four quarterly reports on internal auditing. All reports have been prepared in compliance with statutory regulations and internal rules of the IAS and submitted to the management board, the audit committee and the supervisory board.
We prepared the annual work plan for 2017 on the basis of our risk assessment. We conducted annual interviews with the Sava Re management board regarding key risks and obtained their opinion on the satisfaction with the work of the IAS.
In the observed period, the IAS coordinated work on the preparation of contracts for external auditors, and during the preliminary audit and the final audit coordinated the arrangements between the external auditor and Sava Re.
We had several monthly meetings with the Slovenian part of the Group mainly on upgrading the methodology of internal auditing, understanding the role of internal auditor in the Solvency II regime, and the operation of IAS in the combined insurer.
As part of the cooperation with the IAS of subsidiaries, we performed peer reviews in two subsidiaries. The IAS provided professional assistance to auditors of subsidiaries primarily to transfer the methodology in written or telephone communications, but mostly during the conduct of audits in subsidiaries.
We successfully carried out a meeting of the Group's internal auditors covering amendments to the methodology, the new IAS policy and the new role of the IAS in the Solvency II regime.
In 2016, the IAS was staffed by 3 persons: the director (professional designation: certified internal auditor) and one internal auditor – senior auditor, both full-time, and one internal auditor – senior auditor with split employment (1 hour Sava Re, 7 hours Zavarovalnica Maribor – professional designation: certified internal auditor).
As the director of the IAS, I estimate that the number and structure of IAS staff generally allows for proper fulfilment of the planned activities, assuming that the service is not faced with prolonged unplanned absences and/or the need for implementation of major unplanned tasks.
IAS staff attended the training events planned in the 2016 annual work plan. We also attended internal Serbian and English language courses. Furthermore, the IAS contributes to activities of the Slovenian Insurance Association, Internal Audit Section.
Expenses were planned at € 150,104, while € 158,893 were spent. Actual expenses exceeded the planned figure because of significantly higher costs incurred by external experts than planned.
In accordance with the requirements of the Standards, the IAS conducted a quality assessment of the IAS. The assessment was carried out on the basis of a programme for quality assurance and improvement, covering all aspects of the IAS in every respect and continually monitoring its effectiveness. The programme results are reported to the management board and the audit committee.
External quality assessment was last carried out in 2014. It established that the operation of the IAS was consistent with the Standards.
In accordance with applicable standards, IAS carried out its annual self-assessment. The results showed that the operations of the IAS complied with the definition of internal auditing, the Standards and the IAS's code of ethics. However, for individual substandards regarding which full compliance was not achieved, the IAS prepared an action plan for improvement, seeking to follow it in its day-to-day dealings (especially relating to compliance with audit due dates).
For the purpose of obtaining feedback on their satisfaction with the work of the internal audit, the IAS sent a questionnaire on the satisfaction with the work of the IAS to all stakeholders (supervisory board, audit committee, management board, auditees). Assessors generally expressed satisfaction with the work of the internal audit and made some suggestions for improvements.
In line with internal audit guidelines, we amended the programme with a statement of compliance with the Standards, the IAS's code of ethics and declaration on disclosure and avoidance of conflicts of interest for 2016, as appended.
The IAS also planned performance assessment of the internal audit in the annual work plan. The IAS monitors the realisation of the recommendations proposed by the IAS to the management board. In 2016, all the recommendations were adopted by resolutions. Of the 13 planned audits, 12 were completed, equivalent to a 92 % implementation of the plan.
We prepared IT supported reports intended for post-audit reporting. In 2016, we tested applications for internal auditing so that a contractor can be selected next year (an analysis is being prepared).
As director of IAS, I believe that the operations of the IAS in 2016 were consistent with the Standards and that the annual work plan was carried out effectively and efficiently.
Director of IAS Danijela Pavlič
I hereby confirm that I have acted in accordance with the IAS's code of ethics, and that I did not experience any conflict of interest in the period 1 January 2016 to 31 December 2016. Should I experience a difficulty relating to my professional expertise that is not in the spirit of the code of ethics, or should I experience any conflict of interest in the coming year from 1 January 2017 to 31 December 2017, I shall immediately report thereon to the audit committee of the supervisory board.
Danijela Pavlič
(Based on the Code of Ethics of Internal Auditors adopted by the Institute of Internal Auditors)
Internal auditors are expected to apply and uphold the following principles:
The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.
Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.
Internal auditors:
1.1. Shall perform their work with honesty, diligence, and responsibility.
1.2. Shall observe the law and make disclosures expected by the law and the profession.
1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession of internal auditing or to the organisation.
1.4. Shall respect and contribute to the legitimate objectives of the organisation.
Internal auditors:
2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may be in conflict with the interests of the organisation.
2.2. Shall not approve anything that may impair or be presumed to impair their professional judgment.
2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.
Internal auditors:
3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.
3.2. Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organisation.
Internal auditors:
4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience.
4.2. Shall perform internal audit services in accordance with the International Standards for the Professional Practice of Internal Auditing (Standards).
4.3. Shall continually improve their proficiency and the effectiveness and quality of their services.
Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.
Conflict of interest is a situation in which an internal auditor, who is in a position of trust, has a competing professional or personal interest. Such competing interests can make it difficult to fulfil his or her duties impartially. A conflict of interest exists even if no unethical or improper act results. Conflicts of interest may create the appearance of inadmissibility, which may undermine confidence in the work of the internal auditor, internal audit and the profession. A conflict of interest could impair an individual's ability to perform his or her duties and responsibilities objectively.
Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year. Impairment is assumed over a period of 1 year, but it is necessary to assess each situation individually.
In the case of the use of and reliance on the work of an external internal audit provider, the head of internal audit must take steps to identify conflicts of interest, assess their importance and manage any perceived or actual conflict of interest which may adversely affect the internal audit engagement.
Cases of perceived or actual conflicts of interest noticed by the internal auditor or outsourced internal audit provider shall immediately be reported to the audit committee of the supervisory board.

In 2016, the Internal Audit Service of Sava Re, d.d. ("IAS") carried out audits in the areas set out in its annual work plan adopted by the Sava Re management board in its session of 11 January 2016 and consented to by the supervisory board in its session of 21 January 2016.
The audit goals pursued by the IAS were geared towards verifying whether risk management procedures were adequate and efficient and whether internal controls and governance processes in the most important operating segments were effective and efficient. The IAS assessed the adequacy of internal controls for the prevention of fraud and potential threats to information technology supporting operations.
A total of 12 internal audit reviews were carried out in subsidiaries and in Sava Re in 2016, with certain processes having been audited in several companies. Based on these engagements, the IAS issued 97 recommendations. The supervisory board is of the opinion that the IAS operated in line with the guidelines set by the supervisory and management boards, thereby contributing significantly to risk management and the functioning of Sava Re and the Group.
Based on all tests and methods used in individual areas of auditing, it is the opinion of the IAS that the internal controls at Sava Re are largely adequate and that the degree of their reliability is satisfactory. The IAS is also of the opinion that the governance of Sava Re was appropriate and undergoing ongoing improvement in order to achieve major business goals, and risks are effectively managed while striving for efficient and economical operations. The IAS assesses that there remain opportunities to improve the functioning of the internal control system. The audit engagements revealed individual irregularities and weaknesses to which the IAS drew attention, recommending their remedy aimed at improving control procedures, corporate governance and risk management. The Company's management board is aware of the potential impacts that the identified breaches, irregularities and shortcomings may have on the achievement of its key goals and is therefore taking remedial action. This is to improve the efficiency of internal controls and regularity of operations.
Supervisory board members monitored the effectiveness and efficiency of the IAS through quarterly reports and the annual report of the IAS. A summary of the self-assessment carried out by the IAS was submitted to the supervisory board. The results of the internal assessment showed that the operation of the IAS complies in all material respects with the law and the International Standards for the Professional Practice of Internal Auditing.
Based on the above, the supervisory board hereby gives its positive opinion to the annual report of the IAS on internal auditing in 2016.
Ljubljana, 5 April 2017
Chair of the Supervisory board of Sava Re, d.d. Mateja Herič Lovšin