Internal Audit Report
Form Number (1)
Internal Audit Report for “name of insurance company”
Period of review: Timeframe of the review
Date of Final Report: Date of submission to the Management
Name of Auditors: Names of auditors involved
1- Executive Summary
This section should contain the following:
- A brief background;
- Objective and the scope of audit engagement;
- Methodology;
- Key findings;
- Opinion;
- Recommendations;
- Limitations
2- Background
This section should contain the following:
- A brief background on the auditee;
- Brief description of duties/functions of auditee;
3- Objective and Scope
- Elaborate on the objective and scope of audit engagement and period covered by the current audit.
4- Methodology
- This section should explain the methodology adopted to conduct the internal audit, namely interview, observation, sampling, sample size and other methods used for test checking records, the number of records checked and the type of records checked.
5- Recommendations
- This section will contain general recommendations, if any, that could not be covered as part of the recommendations in the specific audit observations.
6- Conclusion
- This section should constitute the auditors’ overall opinion about the functioning of the auditee unit with respect to the overall objective of the audit engagement.
- The strengths of the auditee agency may be highlighted in this section along with the areas needing attention and corrective action.
7- References
- This section should list all published or unpublished materials used and referred to in coming up with the Internal Audit Report.
8- Limitations
- Describe all your limitations here. The limitations can be related to the scope of the audit, the methodology adopted, the adequacy of the samples and the adaptation of standards.
Form Number (2)
Internal Audit Report
| FINDING | POTENTIAL EFFECT | RECOMMENDATION | PRIORITY * | MANAGEMENT RESPONSE | TARGET DATE |
|---|---|---|---|---|---|
| | | | | | |

Priority ratings have been assigned to issues raised in this report as follows:
* PRIORITY OF INDIVIDUAL RECOMMENDATIONS
Extreme Priority.
Internal Audit considers the implementation of this recommendation to be fundamental to the proper working of the system. It should normally be carried out within 1 month of the report’s issue.
HIGH
Internal Audit considers the implementation of this recommendation to be important to the proper functioning of the system. It should be carried out normally within 3 months of the report’s issue.
MEDIUM
Internal Audit considers that the system would be aided or improved by the implementation of this recommendation. It should normally be carried out within 6 months of the report’s issue.
LOW
The system’s effective operation may not depend upon this recommendation, but Internal Audit considers that it would be aided or improved by its implementation. It should normally be carried out more than 6 months after the report’s issue.
Form Number (3)
Risk Assessment as of [DATE]
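| Identified Risks and Schemes | Likelihood | Significance | Risk Rating | Controls Effectiveness Assessment | Residual Risks | Risk Response (List an action plan on how each residual risk will be mitigated) |
|---|---|---|---|---|---|---|
| Insurance risk | | | | | | |
| Credit risk | | | | | | |
| Market risk | | | | | | |
| Operational risk | | | | | | |
| Regulatory risk | | | | | | |
| Contagion and related party risk | | | | | | |
| Financial crime risk | | | | | | |
| Cyber risk | | | | | | |
| Strategic risk | | | | | | |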
Regulatory Risk
Likelihood

| Rating | Based on Annual Frequency: Descriptor | Based on Annual Frequency: Definition | Based on Annual Probability of Occurrence: Descriptor | Based on Annual Probability of Occurrence: Definition |
|---|---|---|---|---|
| 5 | Very frequent | More than twenty times per year | Almost certain | >90% chance of occurrence |
| 4 | Frequent | Six to twenty times per year | Likely | 65% to 90% chance of occurrence |
| 3 | Reasonably frequent | Two to five times per year | Reasonably possible | 35% to 65% chance of occurrence |
| 2 | Occasional | Once per year | Unlikely | 10% to 35% chance of occurrence |
| 1 | Rare | Less than once per year | Remote | <10% chance of occurrence |
Significance

| Rating | Descriptor |
|---|---|
| 5 | Catastrophic |
| 4 | Major |
| 3 | Moderate |
| 2 | Minor |
| 1 | Incidental |
Control Effectiveness

| Control Risk Rating | Description |
|---|---|
| 5 | Very effective (reduces 81-100% of the risk) |
| 4 | Effective (reduces 61-80% of the risk) |
| 3 | Moderately effective (reduces 41-60% of the risk) |
| 2 | Marginally effective (reduces 21-40% of the risk) |
| 1 | Not effective (reduces 0-20% of the risk) |
OVERALL ASSURANCE
FULL "Very effective"
Full assurance that the system of internal control is designed to meet the organisation's objectives and controls are consistently applied in all the areas reviewed.
SIGNIFICANT "Effective"
Significant assurance that there is a generally sound system of control designed to meet the organisation's objectives. However, some weaknesses in the design or inconsistent application of controls put the achievement of particular objectives at risk.
LIMITED "Moderately effective"
Limited assurance, as the system of control is only moderately sound and its design or the inconsistent application of controls puts the achievement of the organisation's objectives at risk in the areas reviewed.
VERY LIMITED "Marginally effective"
Limited assurance as weaknesses in the design or inconsistent application of controls put the achievement of the organisation's objectives at risk in the areas reviewed.
NO ASSURANCE
No assurance as weaknesses in control or consistent non-compliance with key controls could result (have resulted) in failure to achieve the organisation's objectives in the areas reviewed.
Residual Risks for individual findings
High
Active management attention required as a high priority. Controls are not adequate to address the associated risk.
Medium
Active management attention required as a moderate priority. Controls are not adequate to address the associated risk.
Low
Active management attention not required as a priority. Controls are more or less adequate to address the associated risk.
Form Number (4)
Internal Audit Report
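| Controls | Finding | Potential effect | Recommendation | Priority | Management response | Target date | Effectiveness (from 1 to 5) |
|---|---|---|---|---|---|---|---|
| AML/CFT systems | | | | | | | |
| Policies and procedures | | | | | | | |
| Risk-Based Approach ("RBA") | | | | | | | |
| Customer Due Diligence (CDD) | | | | | | | |
| Suspicious Transaction reports | | | | | | | |
| Record Keeping | | | | | | | |
| Training | | | | | | | |
| AML Officer, Compliance Officer | | | | | | | |
| Ongoing monitoring | | | | | | | |
| Enhanced Due Diligence ("EDD") | | | | | | | |
| Etc. | | | | | | | |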
Form Number (5)
External Audit Report
| Procedures | FINDING | Effectiveness (from 1 to 5) |
|---|---|---|
| Risk-Based Approach ("RBA") | | |
| Customer Due Diligence (CDD) | | |
| Suspicious Transaction reports | | |
| Record Keeping | | |
| Training | | |
| AML Officer, Compliance Officer | | |
| Ongoing monitoring | | |
| Enhanced Due Diligence ("EDD") | | |
| Etc. | | |