  • Internal Audit Report

    • Form Number (1)

      Internal Audit Report for “name of insurance company”

      Period of review: Timeframe of the review

      Date of Final Report: Date of submission to management

      Name of Auditors: Names of auditors involved

       

      1- Executive Summary: This section should contain the following:

      • A brief background;
      • Objective and the scope of audit engagement;
      • Methodology;
      • Key findings;
      • Opinion;
      • Recommendations;
      • Limitations

      2- Background: This section should contain the following:

      • A brief background on the auditee;
      • Brief description of duties/functions of auditee;

      3- Objective and Scope

      • Elaborate on the objective and scope of audit engagement and period covered by the current audit.

      4- Methodology

      • This section should explain the methodology adopted to conduct the internal audit, namely interview, observation, sampling and others, including the sample size used for test-checking records, the number of records checked and the type of records checked.

      5- Recommendations

      • This section will contain general recommendations, if any, that could not be covered as part of the recommendations in the specific audit observations.

      6- Conclusion

      • This section should constitute the auditors’ overall opinion about the functioning of the auditee unit with respect to the overall objective of the audit engagement.
      • The strengths of the auditee agency may be highlighted in this section, along with the areas needing attention and corrective action.

      7- References

      1. This section should list all published or unpublished materials used and referred to in coming up with the Internal Audit Report.

      8- Limitations

      • Describe all limitations here. The limitations can relate to the scope of the audit, the methodology adopted, the adequacy of the samples and the adaptation of standards.
    • Form Number (2)

      Internal Audit Report

      | FINDING | POTENTIAL EFFECT | RECOMMENDATION | PRIORITY * | MANAGEMENT RESPONSE | TARGET DATE |
      |---|---|---|---|---|---|
      |  |  |  |  |  |  |

      Priority ratings have been assigned to issues raised in this report as follows:

                                   *PRIORITY OF INDIVIDUAL RECOMMENDATIONS

      Extreme Priority.

      Internal Audit considers the implementation of this recommendation to be fundamental to the proper working of the system. It should normally be carried out within 1 month of the report’s issue.

      HIGH

      Internal Audit considers the implementation of this recommendation to be important to the proper functioning of the system. It should normally be carried out within 3 months of the report’s issue.

      MEDIUM

      Internal Audit considers that the system would be aided or improved by the implementation of this recommendation. It should normally be carried out within 6 months of the report’s issue.

      LOW

      The system’s effective operation may not depend upon this recommendation, but Internal Audit considers that it would be aided or improved by its implementation. It should normally be carried out more than 6 months after the report’s issue.

       

    • Form Number (3)

       

      Risk Assessment as of [DATE]

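      | Identified Risks and Schemes | Likelihood | Significance | Risk Rating | Controls Effectiveness Assessment | Residual Risks | Risk Response (List an action plan on how each residual risk will be mitigated) |
      |---|---|---|---|---|---|---|
      | Insurance risk |  |  |  |  |  |  |
      | Credit risk |  |  |  |  |  |  |
      | Market risk |  |  |  |  |  |  |
      | Operational risk |  |  |  |  |  |  |
      | Regulatory risk |  |  |  |  |  |  |
      | Contagion and related party risk |  |  |  |  |  |  |
      | Financial crime risk |  |  |  |  |  |  |
      | Cyber risk |  |  |  |  |  |  |
      | Strategic risk |  |  |  |  |  |  |
      | Regulatory Risk |  |  |  |  |  |  |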

      Likelihood

      | Rating | Based on Annual Frequency: Descriptor | Based on Annual Frequency: Definition | Based on Annual Probability of Occurrence: Descriptor | Based on Annual Probability of Occurrence: Definition |
      |---|---|---|---|---|
      | 5 | Very frequent | More than twenty times per year | Almost certain | >90% chance of occurrence |
      | 4 | Frequent | Six to twenty times per year | Likely | 65% to 90% chance of occurrence |
      | 3 | Reasonably frequent | Two to five times per year | Reasonably possible | 35% to 65% chance of occurrence |
      | 2 | Occasional | Once per year | Unlikely | 10% to 35% chance of occurrence |
      | 1 | Rare | Less than once per year | Remote | < 10% chance of occurrence |

       

      Significance

      | Rating | Descriptor |
      |---|---|
      | 5 | Catastrophic |
      | 4 | Major |
      | 3 | Moderate |
      | 2 | Minor |
      | 1 | Incidental |

       

      Control Effectiveness

      | Control Risk Rating | Description |
      |---|---|
      | 5 | Very effective (reduces 81-100% of the risk) |
      | 4 | Effective (reduces 61-80% of the risk) |
      | 3 | Moderately effective (reduces 41-60% of the risk) |
      | 2 | Marginally effective (reduces 21-40% of the risk) |
      | 1 | Not effective (reduces 0-20% of the risk) |

       

      OVERALL ASSURANCE

      FULL "Very effective"

      Full assurance that the system of internal control is designed to meet the organisation's objectives and controls are consistently applied in all the areas reviewed.

      SIGNIFICANT "Effective"

      Significant assurance that there is a generally sound system of control designed to meet the organisation's objectives. However, some weaknesses in the design or inconsistent application of controls put the achievement of particular objectives at risk.

      LIMITED "Moderately effective"

      Limited assurance, as an only moderately sound design of the system or inconsistent application of controls puts the achievement of the organisation's objectives at risk in the areas reviewed.

      VERY LIMITED "Marginally effective"

      Limited assurance, as weaknesses in the design or inconsistent application of controls put the achievement of the organisation's objectives at risk in the areas reviewed.

      NO ASSURANCE

      No assurance, as weaknesses in control or consistent non-compliance with key controls could result (or have resulted) in failure to achieve the organisation's objectives in the areas reviewed.

       

      Residual Risks for individual findings

      High

      Active management attention required as a high priority. Controls are not adequate to address the associated risk.

      Medium

      Active management attention required as a moderate priority. Controls are not adequate to address the associated risk.

      Low

      Active management attention not required as a priority. Controls are more or less adequate to address the associated risk.

    • Form Number (4)

      Internal Audit Report

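      | Controls | Finding | Potential effect | Recommendation | Priority | Management response | Target date | Effectiveness From (1-5) |
      |---|---|---|---|---|---|---|---|
      | AML/CFT systems |  |  |  |  |  |  |  |
      | Policies and procedures |  |  |  |  |  |  |  |
      | Risk-Based Approach ("RBA") |  |  |  |  |  |  |  |
      | Customer Due Diligence – CDD |  |  |  |  |  |  |  |
      | Suspicious Transaction reports |  |  |  |  |  |  |  |
      | Record Keeping |  |  |  |  |  |  |  |
      | Training |  |  |  |  |  |  |  |
      | AML Officer, Compliance Officer |  |  |  |  |  |  |  |
      | Ongoing monitoring |  |  |  |  |  |  |  |
      | Enhanced Due Diligence ("EDD") |  |  |  |  |  |  |  |
      | ETC…. |  |  |  |  |  |  |  |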

    • Form Number (5)

       

      External Audit Report

       

      | Procedures | FINDING | Effectiveness From (1-5) |
      |---|---|---|
      | Risk-Based Approach ("RBA") |  |  |
      | Customer Due Diligence - CDD |  |  |
      | Suspicious Transaction reports |  |  |
      | Record Keeping |  |  |
      | Training |  |  |
      | AML Officer, Compliance Officer |  |  |
      | Ongoing monitoring |  |  |
      | Enhanced Due Diligence ("EDD") |  |  |
      | ETC…. |  |  |