Pozavarovalnica Sava

Audit Report / Information • Apr 9, 2019

ANNUAL REPORT

OF THE INTERNAL AUDIT DEPARTMENT

ON INTERNAL AUDITING

FOR 2018

Prepared by	Jožica Palčič
Adopted by	Sava Re management board
Consent by	Sava Re supervisory board
Type of document	report
Service/unit	Internal Audit
Confidentiality level	business secret
Report number	5-2018/POR/JP
Distribution list	Company's management board
	supervisory board members
	members of the supervisory board's
	audit committee
Language versions	Slovenian, English
Date of preparation	06/03/2019
Date of adoption at the
management board meeting	12/03/2019

Ljubljana, March 2019

CONTENTS

1	INTRODUCTION	3
2	ASSESSMENT OF THE EFFECTIVENESS AND EFFICIENCY OF THE INTERNAL CONTROLS,
	RISK MANAGEMENT AND CORPORATE GOVERNANCE OF SAVA RE	3
3	REVIEW OF THE 2018 ANNUAL WORK PLAN IMPLEMENTATION	4
4	SUMMARY OF THE MAJOR CONCLUSIONS OF THE AUDIT ENGAGEMENTS PERFORMED	4
5	OVERVIEW OF THE IMPLEMENTATION OF RECOMMENDATIONS TO REMEDY THE
	WEAKNESSES AND IRREGULARITIES	7
6	STAFF, TRAINING AND OTHER ACTIVITIES	7
7	INTERNAL AUDIT DEPARTMENT'S QUALITY ASSURANCE AND IMPROVEMENT
	PROGRAMME	8

1 INTRODUCTION

Pursuant to Article 165 of the Slovenian Insurance Act (ZZavar-1), the internal audit policy of Pozavarovalnica Sava Re, d.d. (hereinafter: Sava Re) and the Medium-term work plan of the Internal Audit Department (hereinafter: the IAD) for the period 2017–2019 and the 2018 IAD annual work plan, the IAD has prepared this annual report on internal auditing for 2018.

This report includes:

• a report on the organisational independence of the Internal Audit Department;
• an assessment of the effectiveness and efficiency of the internal controls, risk management and corporate governance of Sava Re;
• an overview of the 2018 annual work plan implementation;
• a summary of the major conclusions of the internal audit engagements;
• an overview of the implementation of recommendations to remedy weaknesses and irregularities;
• an overview of the performance of other activities by the IAD (staff, education and training);
• a summary of the Internal Audit's quality assurance and improvement programme.

The IAD is an independent organisational part that is operationally and organisationally separate from other business parts of Sava Re, administratively reports to the management board of Sava Re, however functionally reports to the supervisory board and audit committee. This guarantees autonomy and organisational independence.

Pursuant to Article 171(7) of the Insurance Act (ZZavar-1; Uradni list RS/Official Gazette of the Republic of Slovenia, No. 93/15) Sava Re entered into outsourcing agreements with Zavarovalnica Sava and Sava pokojninska družba, based on which the key function of internal audit of both these companies was transferred to Sava Re for an indefinite duration, starting as at 1 February 2018.

2 ASSESSMENT OF THE EFFECTIVENESS AND EFFICIENCY OF THE INTERNAL CONTROLS, RISK MANAGEMENT AND CORPORATE GOVERNANCE OF SAVA RE

On the basis of the audit engagements performed, an assessment of the effectiveness and efficiency of the internal controls, risk management and corporate governance of Sava Re is given from 1 January 2018 to 31 December 2018.

On the basis of all the examinations carried out and methods applied in individual audited areas, the IAD considers that the internal controls of Sava Re are adequate, and the reliability level of their operation is adequate. It also believes that the governance of Sava Re has been appropriate and it is constantly being improved, working toward achieving the relevant objectives of the operations, and that the company successfully manages risks with a view to fulfilling its purpose of effective and economic operations. According to the IAD, there is still room for improvement regarding the operation of the system. Individual irregularities and weaknesses were detected during audit engagements that were stressed by the IAD, and recommendations were made for their elimination so that the control procedures and the company governance and risk management would be improved. The Company's management board is aware of the potential impacts of these violations, irregularities and weaknesses on the attainment of the Sava Re's objectives, which results in the adoption of measures and efforts to remedy the violations, irregularities and weaknesses. This leads to greater efficiency of the internal controls and the arrangement of operations.

Some irregularities and weaknesses were remedied before the deadlines. The recommendations made in the last quarter and those related to improving information technology require a bit more time.

In regular internal audit engagements, due consideration was given to potential instances of fraud and exposure and potential vulnerability of the IT support to operations. The internal control system in the areas subject to the audit has been introduced and functions such that it prevents the occurrence of fraud. Moreover, recommendations were made after the conducted audits to improve the information system.

3 REVIEW OF THE 2018 ANNUAL WORK PLAN IMPLEMENTATION

In 2018, the IAD carried out internal audit engagements and other activities in accordance with the IAD 2018 annual work plan.

A total of 25 internal audit engagements were planned, namely:

• R_2018/1 Audit of the reinsurance underwriting process;
• R_2018/2 Audit of currency and market risk management
• R_2018/3 Audit of the process of integrated management of the portfolio of investment property and infrastructure projects;
• R_2018/4 Audit of tax risk;
• R_2018/5 Audit of the risk management key function
• R_2018/6 Purchase audit (cost management)
• R_2018/7 Audit of IT strategy has not been carried out;
• R_2018/8 Audit of business continuity management;
• R_2018/9 Audit of the process of acquisitions of new companies in the strategic finance;
• F_2018/1 Audit of Revolve project management and adequacy of IT support;
• ROD_2018/1 Audit of the reinsurance process in subsidiaries, particularly in terms of the accuracy and timeliness of data to be submitted;
• ROD_2018/2 Audit of motor liability business development;
• ROD_2018/3 Sales management audit;
• SOD_2018/1 Audit of completeness and accuracy of subsidiary company financial reporting data;
• SOD_2018/2 Audit of IT strategy 4 companies;
• SOD_2018/3 Audit of business continuity management;
• SOD_2018/4 Audit of corporate governance 4 companies;
• SOD_2018/5 Audit of the implementation of EU-directive and
• SV_2018/1 Informal consulting engagement participation in the IFRS 9 and IFRS 17 task force.

Audits in the framework of the IT-strategy audit were carried out in four subsidiaries, and corporate governance audits were performed in four companies. The audit of the IT strategy of Sava Re has not been carried out, since the IT strategy was not yet adopted by the management board. In total, 24 internal audit engagements were performed.

An external provider was engaged for the sales management audit.

4 SUMMARY OF THE MAJOR CONCLUSIONS OF THE AUDIT ENGAGEMENTS PERFORMED

The internal audit comprised regular and comprehensive risk assessment-based supervision over the operations of the company aimed at verifying and assessing whether the risk management processes,

control procedures and corporate governance are adequate and function so as to facilitate achievement of the following important objectives of the company:

• successful and efficient operation, including meeting the goals related to business and financial performance, and protecting assets against loss;
• reliable, timely, transparent internal and external financial, and non-financial reporting;
• compliance with the acts and other regulations, and internal rules;
• evaluation to determine whether information technology management in the company supports and contributes to its strategies and objectives;
• assessments of the fraud risk and the method of addressing this risk at the company.

The IAD regularly reported on its work to the auditees and at the same time submitted reports to the company management board for information, and conclusions and recommendations for approval. On the basis of feedback received from those responsible for the implementation of recommendations, it periodically reported on the implementation thereof to the management board, audit committee and the supervisory board.

The IAD submitted a more detailed overview of the internal audit engagements with all conclusions, irregularities and recommendations to the management board, audit committee and the supervisory board via its quarterly reports.

A brief summary of the key conclusions in the areas audited is provided below.

Audit of the reinsurance underwriting process

The audit was focused primarily on calculating and monitoring combined ratios, which is one of the key indicators of reinsurance performance. As the CR monitoring approach is not yet fully IT-supported it requires a lot of manual work with associated manual operations.

Audit of currency and market risk management

Changes in foreign exchange rates in the event of currency mismatches affect the results in the income statement. In the absence of system-supported ongoing monitoring of currency mismatch the company relies on other support files to match any currency imbalances at the monthly level. More thorough monitoring is planned once the appropriate software support has been developed.

Audit of the process of integrated management of the portfolio of investment property and infrastructure projects

We examined the internal company acts governing the organization of investment property and infrastructure project management processes and its organisational position. The proposed changes have already been implemented.

Audit of tax risk

Our audit of tax risk involved reviewing the organisation of the tax area, with the focus on value added tax, corporate income tax with deferred taxes, and transfer pricing. Most of the findings and corresponding recommendations have already been implemented.

Audit of the risk management key function

The audit of the risk management key function looked into the organisation of this area, the roles and responsibilities in the risk management system, internal acts governing this area, and risk management regulation at the group level, as the risk management system is implemented differently in companies that are not subject to the SII system.

Audit of purchasing (cost management)

The purchase and cost management audit verified the adequacy of internal controls in the purchasing of goods and services in terms of cost-effectiveness, purchasing needs, organisation of this area, record-keeping of business transactions, the purchasing process, the maintaining of prescribed records and implementation of control. The auditors' recommendations have been fully implemented.

Audit of business continuity management

The company has appointed a business continuity system administrator, whose task is to ensure continuous and comprehensive control over the business continuity system. The company is currently updating its business continuity plan, an integral part of which is the disaster recovery plan, which is carried out by a contractor.

Audit of the process of acquiring new companies in the strategic finance functional area

The subject of the audit was the organisation of the functional area of strategic finances, the purchase of strategic investments, the monitoring and reporting of such, and the management of data from nondisclosure agreements.

Audit of Revolve project management and adequacy of IT support

Based on the procedures already carried out, the launch of the RE2 project was assessed as having greatly contributed to improving project management organisation; nevertheless, it is still possible that in view of the actual situation the project will not be completed within the envisaged scope and time.

Audit of the reinsurance process in subsidiaries, particularly in terms of the accuracy and timeliness of data to be submitted

The reinsurance process in the subsidiary is still under way, in the same manner as before the merger of the four insurers. The reinsurance data is sent to the reinsurer via three different channels, and reinsurance risks are reported via several non-integrated applications.

Audit of motor liability business development

The subsidiary is currently recasting its motor liability insurance so as to incorporate the best solutions from both existing products and targeted sales. This development area, however, requires more staff in order to achieve this goal.

Sales management audit

In accordance with the Law on Compulsory Transport Insurance (Zakon o obaveznom osiguranju u saobraćaju, Montenegro) a new obligation came into effect as of August 2017, requiring insurance terms and conditions and premium tariffs for compulsory motor third party liability insurance be adopted at the level of each insurer, with the prior consent of the regulatory authority. Prior to this law, uniform insurance terms and conditions and premium tariffs applied for all insurance undertakings. In the past period, the subsidiary's management body started to work towards reducing the internal risks related to the liberalisation of the MTPL market by introducing additional products.

5 OVERVIEW OF THE IMPLEMENTATION OF RECOMMENDATIONS TO REMEDY THE WEAKNESSES AND IRREGULARITIES

The IAD periodically reports on the implementation of recommendations made and proposals given based on identified irregularities and weaknesses. In the period 1 January 2018 – 31 December 2018 we monitored the implementation of 188 recommendations, of which 159 referred to Sava Re and 29 to the audited subsidiaries. Based on the internal audits performed, we made 104 recommendations in 2018.

Of the 159 recommendations made to Sava Re, 120 have been implemented, 22 recommendations were withdraw following the decision by the management board, 17 are pending. Of the 29 recommendations made to subsidiaries, 10 have been implemented and 19 are pending.

As at 31 December 2018, 100% of overdue recommendations made at the Sava Re Group level were implemented. The percentage includes also recommendations withdrawn. 11 auditor days were spent monitoring the implementation of recommendations in 2018.

6 STAFF, TRAINING AND OTHER ACTIVITIES

The IAD had four employees in the period 1 January 2018 to 31 January 2018: the director and one specialist with a full time contract and two specialists with their working time divided (1/8 of employment in Sava Re and 5/8 of employment in Sava Re respectively). After the introduction of an outsourced engagement as at 1 February 2018 the IAD had nine employees.

7 employees in the IAD have obtained the title of certified internal auditor and 1 employee is a CISAand CRISC-certificate holder.

I believe that the number and structure of the IAD employees enable the proper fulfilment of planned activities, provided there are no extended unplanned absences and/or increased unplanned dimensions to the work.

In 2018, IAD employees received training in various areas. In addition to training sessions organized by the Slovenian Institute of Auditors, the Slovenian Insurance Association, Croatian Institute of Internal Auditors, in-house training sessions in ERM and international web-based seminars, we regularly follow articles on current topics related to internal audit. We presented the audit software support at our successful workshop for internal auditors of the Sava Re Group and attended a soft skills course.

In 2018, the IAD prepared the 2019 IAD annual work plan and 4 quarterly internal audit reports for the periods October–December 2017, January–March 2018, April–June 2018 and July–September 2018, and the 2017 annual report.

The director of the IAD regularly took part in the meetings of the management board, audit committee, supervisory board, risk management committee, and executive meetings. The operations were also monitored through the review of the documents prepared for the meetings of the management board, risk management committee and the executive meetings. Other activities also comprise the managing of the department.

In 2018 we recast the IAD policy at the Sava Re and Sava Re Group companies levels. The IAD was engaged in renewing the risk register and regular quarterly risk assessments at the Sava Re Group level and at the Sava Re level; it also prepared the contribution of the internal audit in the framework of the SFCR and RSR reporting. It also took part in those parts of the 2019 planning process that related to the IAD, and in the preparation of the annual report of the Sava Re Group in the segment relating to the IAD.

Cooperation with the external auditor was linked to the drafting of a contract on the audit of consolidated and separate financial statements and SFCR reporting, and also to the coordination of the work of external auditors and the monitoring of the conclusions after the pre-audit and final audit, and to active engagement at joint meetings. The selection process for the external auditor at the Sava Re Group level for the period 2019–2021 was concluded in 2018.

An important step forward was made in 2018 with the introduction of new software support for a comprehensive auditing process at the Sava Re Group level.

The IAD offered technical assistance to internal auditors in subsidiaries related to methodology and the induction of new employees in subsidiaries, and the key function holders also actively collaborate with each other.

In January 2018, a considerable amount of time was devoted to the introduction of outsourced internal audit engagements at the Sava Re Group level.

7 INTERNAL AUDIT DEPARTMENT'S QUALITY ASSURANCE AND IMPROVEMENT PROGRAMME

The IAD performed a quality assessment of its operations in accordance with the requirements of the relevant standards. The assessment is conducted on the basis of the Quality assurance and improvement programme covering all aspects of the IAD's operation. The IAD director reports on the results of this programme to the management board and the audit committee of the supervisory board.

The most recent external quality assessment of the operation of the internal audit function of Sava Re took place in 2014, when the company was provided with an independent expert opinion by the auditor indicating that the operation of the IAD was broadly consistent with the International Standards for the Professional Practice of Internal Auditing.

The IAD conducted a self-assessment of its operation in accordance with the standards in 2018. The results confirmed that the operation of the IAD is in accordance with the definition of internal auditing, standards and the code of ethics. As regards those standards with which the company is not fully compliant, the IAD drew up an action plan to improve the situation and seeks to observe such in its daily work. External assessment is planned for 2019.

In accordance with the internal audit guidelines the Quality assurance and improvement programme was supplemented by a declaration of compliance with the standards, the Code of ethics and of disclosure and avoidance of conflicts of interest.

The IAD sent a questionnaire to all stakeholders (audit committee, management board, auditees) in order to obtain feedback regarding satisfaction with its work. In general, the assessors were satisfied with the IAD's work, but they provided some suggestions for the future.

For the second quarter of 2019 we are planning, in parallel with the transition to the IT-supported comprehensive auditing system, to update the internal audit methodology pursuant to the International Standards for the Professional Practice of Internal Auditing.

In the annual work plan, the IAD also envisaged evaluating the performance of the Internal Audit. The IAD also monitors the implementation of recommendations proposed to the management board. Most of the recommendations proposed in 2018 were adopted with the resolutions of the management board, and some were withdrawn based on the resolution of the management board; the audits foreseen for 2018, except for one, were carried out for all areas.

I believe as a director that the operation of the IAD in 2018 was in compliance with the relevant standards, and that the annual work plan was executed successfully.

IAD director

Jožica Palčič