HC-6.5 HC-6.5 Internal Audit
HC-6.5.1
Bahraini insurance licensees must establish an internal audit function to monitor the adequacy of their systems and controls.Amended: October 2014
January 2011HC-6.5.2
The internal audit function should be independent of the
senior management , reporting to the Audit committee.January 2011HC-6.5.3
The CBB considers it best practice for
captive insurers to fall within the remit of the internal audit functions of their groups and be subject to periodic review, although no formal arrangements for internal audit covercaptive insurers .January 2011HC-6.5.4
Part or all of the internal audit function may be
outsourced , or provided at group level, subject to the requirements of Section RM-7.6. Amongst other things, these require licensees to retain responsibility for their internal audit programme, and that appropriate safeguards are built into the outsourcing contract. Furthermore, a licensee cannotoutsource its internal audit function to its externalauditor (with limited exceptions). Prior approval from the CBB is required for significantoutsourcing arrangements, including alloutsourcing of internal audit. A licensee's head of internal audit is acontrolled function and requires CBB approval prior to being appointed (see Section AU-1.2).January 2011HC-6.5.5
Internal audit functions must have terms of reference that clearly indicate:
(a) The scope and frequency of audits;(b) Reporting lines; and(c) The review and approval process applied to audits.January 2011HC-6.5.6
Paragraph HC-6.5.5 applies irrespective of whether the internal audit function is outsourced. Where it is
outsourced , the CBB would expect to see these matters addressed in the contract with theoutsourcing provider .January 2011HC-6.5.7
Internal audit functions must report directly to the Audit committee or, where none exists, to the Board. They must have unrestricted access to all the appropriate records of the
insurance licensee . They must have open and regular access to the Audit Committee, the Board, theChief Executive , and the licensee's externalauditor .January 2011HC-6.5.8
Internal audit functions must have adequate staff levels with appropriate skills and knowledge, such that they can act as an effective challenge to the business. Where the function is not outsourced, the
head of the function should be a senior and experiencedemployee . Internal audit functions must not perform other activities that compromise their independence.January 2011HC-6.5.9
The CBB would expect to see in place a formal audit plan that:
(a) Is reviewed and approved at least annually by the Audit Committee or, where none exists, the Board;(b) Is risk-based, with an appropriate scoring system; and(c) Covers all material areas of a licensee's operations over a reasonable timescale, including (where relevant) the process by which a licensee obtains professional actuarial expertise to develop and verify its pricing and reserving policies.January 2011HC-6.5.10
Internal Audit reports should also be:
(a) Clear and prioritised, with action points directed towards identified individuals;(b) Timely; and(c) Distributed to the Audit Committee or Board and appropriatesenior management .January 2011HC-6.5.11
Insurance licensees should also have processes in place to deal with recommendations raised by internal audit to ensure that they are:(a) Dealt with in a timely fashion;(b) Monitored until they are settled; and(c) Raised with senior management if they have not been adequately dealt with.January 2011
