Pozavarovalnica Sava

Audit Report / Information Apr 13, 2018

1987_rns_2018-04-13_ecd1737e-d77d-4710-8128-a8efaac9e5cc.pdf


ANNUAL REPORT

OF THE INTERNAL AUDIT DEPARTMENT

ON INTERNAL AUDITING

2017

Prepared by: Jožica Palčič
Adopted by: management board
Consent by: supervisory board
Type of document: report
Service/unit: internal audit
Confidentiality level: business secret
Report number: 9-2017/POR/JP
Distribution list: management board, supervisory board members, members of the supervisory board's audit committee
Language versions: Slovenian, English
Date of preparation: 19 February 2018
Date of adoption at the management board meeting: 27 February 2018

Ljubljana, February 2018

CONTENTS

1 INTRODUCTION
2 ASSESSMENT OF THE EFFECTIVENESS AND EFFICIENCY OF THE INTERNAL CONTROLS, RISK MANAGEMENT AND CORPORATE GOVERNANCE OF SAVA RE
3 REVIEW OF THE 2017 ANNUAL WORK PLAN IMPLEMENTATION
4 SUMMARY OF THE MAJOR CONCLUSIONS OF THE AUDIT ENGAGEMENTS PERFORMED
5 OVERVIEW OF THE IMPLEMENTATION OF RECOMMENDATIONS TO REMEDY THE WEAKNESSES AND IRREGULARITIES
6 STAFF, TRAINING AND OTHER ACTIVITIES
7 IAD'S QUALITY ASSURANCE AND IMPROVEMENT PROGRAMME

1 INTRODUCTION

The Internal Audit Department (IAD) has prepared this annual report on internal auditing for 2017 pursuant to article 165 of the Slovenian Insurance Act (ZZavar-1), the internal audit policy of Pozavarovalnica Sava Re, d.d. (hereinafter: Sava Re), the Medium-term work plan of the IAD for the period 2017–2019 and the 2017 IAD annual work plan (clean copy).

The report includes:

  • a report on the organisational independence of the IAD;
  • an assessment of the effectiveness and efficiency of the internal controls, risk management and corporate governance of Sava Re;
  • an overview of the 2017 annual work plan implementation;
  • a summary of the major conclusions of the internal audit engagements;
  • an overview of the implementation of recommendations to remedy weaknesses and irregularities;
  • an overview of the performance of other activities by the IAD (staff, education and training);
  • a summary of the IAD's quality assurance and improvement programme.

The IAD is an independent organisational part that is operationally and organisationally separate from other business parts of Sava Re and is directly subordinate to the management board of Sava Re. This organisation guarantees its autonomy and organisational independence.

2 ASSESSMENT OF THE EFFECTIVENESS AND EFFICIENCY OF THE INTERNAL CONTROLS, RISK MANAGEMENT AND CORPORATE GOVERNANCE OF SAVA RE

On the basis of the audit engagements performed, an assessment of the effectiveness and efficiency of the internal controls, risk management and corporate governance of Sava Re is given for the period 1 January 2017 – 31 December 2017.

On the basis of all the examinations carried out and methods applied in individual audited areas, the IAD considers that the internal controls of Sava Re are adequate, and the reliability level of their operation is good, which is an improvement from the prior period. It also believes that the governance of Sava Re has been appropriate and is constantly being improved, working toward achieving the relevant objectives of the operations, and that the company successfully manages risks with a view to fulfilling its purpose of effective and economic operations. According to the IAD, there is still room for improvement regarding the operation of the system. Individual irregularities and weaknesses were detected during audit engagements that were stressed by the IAD, and recommendations were made for their elimination so that the control procedures and the company governance and risk management would be improved. The management board of the company is aware of the potential impacts of these violations, irregularities and weaknesses on the attainment of the company's objectives, which results in the adoption of measures and efforts to remedy the violations, irregularities and weaknesses. This leads to greater efficiency of the internal controls and the arrangement of operations.

Some irregularities and weaknesses were remedied before the deadlines. The recommendations made in the last quarter and those related to improving information technology require some more time.

In regular internal audit engagements, due consideration was given to potential instances of fraud and exposure and potential vulnerability of the IT support to operations. The internal control system in the areas subject to the audit has been introduced and functions such that it prevents the occurrence of fraud. Moreover, recommendations were made after the conducted audits to improve the information system.

3 REVIEW OF THE 2017 ANNUAL WORK PLAN IMPLEMENTATION

In 2017 the IAD performed internal audit engagements and other activities in line with the 2017 IAD annual work plan.

A total of 14 internal audit engagements were planned, namely:

  • IT audit of the functioning of the Revolve computer programme;
  • corporate governance audit;
  • IT audit;
  • SII project audit;
  • SFCR and ORSA audit;
  • audit of the reinsurance underwriting process and software support;
  • audit of the technical accounting process for reinsurance;
  • audit of the actuarial function;
  • audit of the human resources area;
  • audit of the planning process;
  • audit of the planning process in subsidiaries (three internal audit engagements);
  • participation in the corporate governance audit of Zavarovalnica Sava;
  • participation in the audit of SPS software adequacy and IT accesses;
  • participation in the actuarial function audit.

The audit of the planning process in subsidiaries covered three companies and in addition, a nonstandard audit of the compliance function was carried out. In total, 17 internal audit engagements were performed.

A contractor was engaged in the audit of the actuarial function and in the IT audit.

The IAD was involved in informal consultancy engagements by providing proposals to strategic documents, policies and rules in the field of compliance, legal service and accounting.

4 SUMMARY OF THE MAJOR CONCLUSIONS OF THE AUDIT ENGAGEMENTS PERFORMED

Internal auditing is regular and comprehensive risk assessment-based supervision of the operations of the company, which verifies and assesses whether the risk management processes, control procedures and company governance are adequate and function to facilitate achieving the following important objectives of the company:

  • efficient and effective operations of the company, including the attainment of the objectives of business and financial performance, and the protection of assets against loss;
  • reliable, prompt and transparent internal and external financial and non-financial reporting;
  • compliance with the acts and other regulations, and internal rules;
  • evaluation to determine whether information technology management in the company supports and contributes to its strategies and objectives;
  • assessments of the fraud risk and the method of addressing this risk at the company.

The IAD regularly reported on its work to the auditees, while also submitting reports to the company management board for information, and conclusions and recommendations for approval. On the basis of feedback received from those responsible for the implementation of recommendations, it periodically reported on the implementation of these recommendations to the management board, audit committee and the supervisory board.

The IAD submitted a more detailed overview of the internal audit engagements with all conclusions, irregularities and recommendations to the management board, audit committee and the supervisory board via its quarterly reports.

A brief summary of the key conclusions in the areas audited is provided below.

Functioning of the Revolve computer programme

Individual functionalities of the Revolve computer programme that the solution is intended to support need to be agreed upon in subsequent activities. The task of the technology and innovations department is to regularly monitor the tasks set and the deadlines defined, and to communicate to all stakeholders involved in the process and ensure sufficient resources are provided by the supplier.

Information technology

Compared with the previous year, considerable progress has been made in the field of information infrastructure security, but it is necessary to continue to raise the level of information protection that affects its confidentiality, availability and integrity; detected shortcomings and vulnerability related to security on the network and server levels are to be eliminated by changing configurations, installing patches, and through organisational measures, and adequately arranging the restriction of access between devices in the network.

Corporate governance

The corporate governance system in the scope of the audit is compliant with the ZGD-1, ZZavar-1, subordinate acts and other Solvency II requirements. The system clearly segregates the duties in all areas of governance of the Group and individual companies. Individual internal corporate governance acts should be reasonably conducted also at the Group level.

SII project

On 1 January 2016 insurance companies within the European Union formally entered the Solvency II system. This represented the completion of the preparatory phase and at the same time the first part of the programme of adjustment to the requirements of the Directive. Due to time and staff constraints, the company implemented the requisite adjustments. Over the next few years, they will work to optimise the processes in individual areas as is necessary to upgrade data preparation and reporting automation, edit the data in the data warehouse and improve administration of the internal control system.

SFCR and ORSA

The SFCR and ORSA process, including data preparation and capture, and calculation, is still undergoing development and improvement, with responsibilities for the implementation of individual works being assigned. Those responsible for the implementation of individual procedures within the process work appropriately, and the supervision of the control procedures in place is good. Additional tasks have been proposed to prepare scenarios related to strategic risks, taking into account the complexity of the definition of quantitative assessments and adequate file protection to prevent subsequent changes.

Compliance

It is necessary to examine whether in terms of ensuring compliance at the company and Group levels the location of the compliance function in the office of the management board of the company is adequate also to ensure the efficient performance of the key compliance function at the Group level. Those measures and mechanisms intended to avoid potential conflicts of interest in the performance of the tasks of the key compliance function holder and the director of the office of the management board need to be defined, and compliance monitoring has to be arranged in the same way as the key functions of the internal audit and risk management are arranged.

Reinsurance underwriting

As regards reinsurance underwriting, the adequacy of the organisation of this area and the placement of facultative reinsurance underwriting need to be examined, individual procedures and software support to the process are to be upgraded, and powers and responsibilities are to be further specified.

Technical reinsurance accounting

Technical reinsurance accounting requires the introduction of system support to data transfer for active and passive reinsurance accounts, improvement of procedures for the protection of user passwords, the arrangement of system support to standard reports in the computer programme, and the completion of planned functionalities.

Actuarial function

The area of activity of this function is assessed as very good. The recommendations made relate to the way of submitting an opinion to the business plan and the insurance risk management policy, the reporting of the actuarial function holders in Group companies and redistribution of individual insurance classes to calculate the best estimate of claims provisions and premium provisions.

Human resources

The audit of human resources verified the adequacy of internal controls in the staff planning, recruitment, education and employment termination procedures and compliance with internal rules. The recommendations made relate to the upgrading of rules and instructions and the upgrading of the working time registration system.

Planning in Sava Re and in the Sava Re group

The rationale behind the guidelines contained in the Sava Re Group financial control rules is to be assessed, and brief internal operational instructions for annual planning are to be drafted. It is necessary to update the way adoption of the annual plan and software support is communicated to the planning process, which would allow individual parts of the process to be better automated.

The planning process was reviewed in three companies of the Sava Re Group, namely: Sava osiguruvanje (MKD), Sava neživotno osiguranje (SRB) and Sava životno osiguranje (SRB). Major conclusions relate to the way information is presented in compliance with the planning document.

5 OVERVIEW OF THE IMPLEMENTATION OF RECOMMENDATIONS TO REMEDY THE WEAKNESSES AND IRREGULARITIES

The IAD periodically reports on the implementation of recommendations made and proposals given based on identified irregularities and weaknesses. In the period 1 January – 31 December 2017, we monitored the implementation of 174 recommendations, of which 144 referred to Sava Re and 30 to the audited subsidiaries. Based on the internal audits performed, we made 97 recommendations in 2017.

Of the 144 recommendations made to Sava Re, 69 have been implemented, one has been partly implemented, and 74 are pending. Of the 30 recommendations made to subsidiaries, 21 have been implemented, two have been partly implemented, and seven remain pending.

The implementation of overdue recommendations at the Sava Re Group as at 31 December 2017 accounted for 97%. This high rate of implementation can be attributed to the accelerated efforts of both the IAD and the auditees. 25 auditor days were spent monitoring the implementation of recommendations in 2017.

6 STAFF, TRAINING AND OTHER ACTIVITIES

The IAD employed four persons in 2017: a director and specialist with a full-time employment relationship and two specialists with their working time divided (1/8 of employment in Sava Re and 5/8 of employment in Sava Re, respectively).

A total of three employees in the IAD have obtained the title of certified internal auditor and one employee is a CISA certificate holder.

I believe that the number and structure of the IAD employees enable the fulfilment of planned activities, provided there are no longer unplanned absences and/or increased and unplanned scopes of work.

The employees in the IAD attended fewer training sessions in 2017 than planned. In addition to engagement in training sessions organised by the Slovenian Institute of Auditors, the Slovenian Insurance Association, in-house training sessions on ERM and international web-based seminars, the employees regularly follow articles on current topics related to internal audit. Moreover, a successful workshop for the Sava Re Group internal auditors was held that primarily addressed the impact of the amendments to the IFRS and SII standards on the work of the Sava Re Group and related changes that will also affect the work of internal auditors.

In 2017, the IAD prepared the 2018 IAD annual work plan and four quarterly internal audit reports for the periods October–December 2016, January–March 2017, April–June 2017, July–September 2017, and the 2016 annual report.

The director of the IAD regularly took part in the meetings of the management board, audit committee, supervisory board, risk management committee, and executive meetings. The operations were also monitored through the review of the documents prepared for the meetings of the management board, risk management committee and the executive meetings. Other activities also comprise the managing of the department.

The IAD was engaged in renewing the risk register and regular quarterly assessments at the Sava Re Group level and at the Sava Re level; it also prepared the contribution of the internal audit within the SFCR and RSR reporting. It also contributed to those parts of the 2018 planning process that related to the IAD, and to the preparation of internal-audit-related parts of the annual report of Sava Re.

Cooperation with the external auditor was linked to the drafting of a contract on the audit of consolidated and separate financial statements and SFCR reporting, and also to the coordination of the work of external auditors and the monitoring of the conclusions after the pre-audit and final audit, and to active engagement at joint meetings.

With regard to the development of the IAD, the process of monitoring recommendations was improved, and the work related to selecting the provider of software support to internal auditing at the Sava Re Group level was completed.

The IAD offered technical assistance to internal auditors in subsidiaries related to methodology and the induction of new employees.

A considerable amount of time was devoted to activities in connection with the outsourced internal audit engagement at the level of the Sava Re Group. In accordance with paragraph 7 of article 171 of the Insurance Act (ZZavar-1; Off. Gazette of the Republic of Slovenia, no. 93/15), Sava Re, d.d. signed a contract with Zavarovalnica Sava, d.d. and Sava pokojninska družba, d.d., on outsourcing, based on which, as of 1 February 2018, Zavarovalnica Sava, d.d. and Sava pokojninska družba, d.d. transferred the performance of the internal audit key function to Sava Re, d.d. for an indefinite period of time.

7 IAD'S QUALITY ASSURANCE AND IMPROVEMENT PROGRAMME

The IAD performed a quality assessment of its operations in accordance with the requirements of the relevant standards. The assessment is conducted on the basis of the Quality assurance and improvement programme covering all aspects of the IAD's operation. The IAD director reports on the results of this programme to the management board and the audit committee of the supervisory board.

The most recent external quality assessment of the operation of the internal audit function of Sava Re took place in 2014, when the company was provided with an independent expert opinion by the auditor indicating that the operation of the IAD was broadly consistent with the International Standards for the Professional Practice of Internal Auditing. In 2017 external assessments were conducted in two subsidiaries, and the selected internal audit engagements also included an internal work quality assessment.

The IAD conducted a self-assessment of its operation in accordance with the standards in 2017. The results confirmed that the operation of the IAD is in accordance with the definition of internal auditing, standards and the code of ethics. As regards those standards with which the company is not fully compliant, the IAD drew up an action plan to improve the situation and seeks to observe such in its daily work.

In accordance with the internal audit guidelines, the Quality assurance and improvement programme was supplemented by a declaration of compliance with the standards, the Code of ethics and of disclosure and avoidance of conflicts of interest.

The IAD sent a questionnaire to all stakeholders (supervisory board, audit committee, management board, auditees) in order to obtain feedback regarding satisfaction with its work. In general, the assessors were satisfied with the IAD's work, but they also provided some suggestions for improvement.

There is a plan in place to update the internal audit policy in the second quarter of 2018, while the internal audit methodology will be updated in the first quarter of 2018 pursuant to the International Standards for the Professional Practice of Internal Auditing in parallel with the shift to an IT-supported comprehensive system of auditing.

In the annual work plan, the IAD also envisaged evaluating the performance of the IAD. The IAD monitors the implementation of recommendations proposed to the management board. In 2017 all proposed recommendations were adopted as resolutions by the management board, and the audits planned for 2017 were conducted in full.

As director of the IAD, I believe that the operation of the IAD in 2017 was in compliance with the relevant standards, and that the annual work plan was carried out successfully.

Jožica Palčič

Director of Internal Audit
