Article (11): Internal Audit Function

C 25/2022 Effective from 30/12/2022
1. A Company must have an effective internal audit function that provides the Board/Board audit committee and Senior Management with independent evaluation and assurance of the adequacy and effectiveness of the Internal Controls system, Risk Management, compliance and other elements of the corporate governance framework.
 
2. Internal audit must also use general and specific audits, reviews and testing, in respect of:
 
a. Preserving the assets of the Company and policyholders, preventing fraud and misappropriation of assets, and assessing the effectiveness of the controls in place in this regard;
 
b. Assessing the reliability and efficiency of the accounting, financial, risk and compliance reporting information and the effectiveness of the controls in place; and
 
c. Other matters requested by the Board.
 
3. The internal audit function must be independent from management or any other Control Functions, and report directly to the Board or the Board audit committee, and must be able to meet with them without the presence of Senior Management, as needed.
 
4. The internal audit function must be independent of the audited activities and have sufficient standing and authority within the Company, thereby enabling the internal audit function to carry out its responsibilities and main activities as specified in the accompanying Standards, in an independent manner.
 
5. The Board must ensure that the internal audit function has the authority to:
 
a. Communicate with all members of Staff and obtain all records, files or data of the Company, and if applicable Group and Affiliates, whenever relevant to the performance of its duties.
 
b. Initiate a review of any area consistent with its mission; and
 
c. Require management's response to any audit report, and details on the remedial action taken.
 
6. The internal audit function must cover within its scope of work, all material areas of risk, including underwriting, reserving, asset-liability management, investments, liquidity, reinsurance, concentration of risk, operational risk, risk-mitigation techniques and conduct of business, intra-group transaction (if any), compensation and timeliness of reporting. The Internal audit function must have full access to and communication with any member of Staff, as well as full access to records, files or data of the Company, and if applicable, the Group and Affiliates, whenever relevant to the performance of its duties.
 
7. The Internal Controls within a Company must address the following:
 
a. Outsourced activities must remain fully in scope of the Company's internal audit responsibilities.
 
b. The internal audit function must regularly review and report to the Board, or the Board audit committee, on compliance with and the effectiveness of the Company's outsourcing policies and procedures.
 
8. Any findings and recommendations of the internal audit function must be reported to the Board and/or audit committee, which shall review what actions are to be taken with respect to each of the internal audit findings and recommendations and must ensure that those actions are carried out.
 
9. The Staff within the internal audit function must be adequate, competent and collectively have the appropriate experience to understand and evaluate all of the business activities, support and Control Functions of the Company, and if applicable, the Group.
 
10. The head of internal audit must ensure that the function complies with the Institute of Internal Auditors' (IIA) international Standards for the Professional Practice of Internal Auditing.
 
11. Companies must have an internal audit charter approved by the Board audit committee, that articulates the purpose, standing and authority of the internal audit function within the Company, and if applicable, the Group.
 
12. Senior Management must inform the internal audit function, on a timely basis, of any changes to the Company's, or if applicable, the Group's, Risk Governance System.
 
13. Senior Management must ensure that timely and appropriate actions are taken on all internal audit findings and recommendations.