Internal Audit Report
Form Number (1)
Internal Audit report for “name of insurance company”
Period of review: Timeframe of the review
Date of Final Report: Date of submission to the Management
Name of Auditors: Names of auditors involved
1- Executive Summary
This section should contain the following:
- A brief background;
- Objective and the scope of audit engagement;
- Methodology;
- Key findings;
- Opinion;
- Recommendations;
- Limitations
2- Background
This section should contain the following:
- A brief background on the auditee;
- Brief description of duties/functions of auditee;
3- Objective and Scope
- Elaborate on the objective and scope of audit engagement and period covered by the current audit.
4- Methodology
- This section should explain the methodology adopted to conduct the internal audit, such as interview, observation, sampling, the sample size and other techniques used for test-checking records, the number of records checked, and the type of records checked.
5- Recommendations
- This section will contain general recommendations, if any, that could not be covered as part of the recommendations in the specific audit observations.
6- Conclusion
- This section should constitute the auditors’ overall opinion about the functioning of the auditee unit with respect to the overall objective of the audit engagement.
- The strengths of the auditee agency may be highlighted in this section along with the areas needing attention and corrective action.
7- References
- This section should list all published or unpublished materials used and referred to in coming up with the Internal Audit Report.
8- Limitations
- Describe all limitations here. The limitations can be related to the scope of the audit, the methodology adopted, the adequacy of the samples and the adaptation of standards.
Form Number (2)
Internal Audit Report

| FINDING | POTENTIAL EFFECT | RECOMMENDATION | PRIORITY * | MANAGEMENT RESPONSE | TARGET DATE |
|---|---|---|---|---|---|

Priority ratings have been assigned to issues raised in this report as follows:
*PRIORITY OF INDIVIDUAL RECOMMENDATIONS
- Extreme Priority: Internal Audit considers the implementation of this recommendation to be fundamental to the proper working of the system. It should normally be carried out within 1 month of the report’s issue.
- HIGH: Internal Audit considers the implementation of this recommendation to be important to the proper functioning of the system. It should normally be carried out within 3 months of the report’s issue.
- MEDIUM: Internal Audit considers that it would be aided or improved by its implementation. It should normally be carried out within 6 months of the report’s issue.
- LOW: The system’s effective operation may not depend upon this recommendation, but Internal Audit considers that it would be aided or improved by its implementation. It should normally be carried out more than 6 months after the report’s issue.
Form Number (3)
Risk Assessment as of [DATE]

| Identified Risks and Schemes | Likelihood | Significance | Risk Rating | Controls Effectiveness Assessment | Residual Risks | Risk Response (List an action plan on how each residual risk will be mitigated) |
|---|---|---|---|---|---|---|
| Insurance risk | | | | | | |
| Credit risk | | | | | | |
| Market risk | | | | | | |
| Operational risk | | | | | | |
| Regulatory risk | | | | | | |
| Contagion and related party risk | | | | | | |
| Financial crime risk | | | | | | |
| Cyber risk | | | | | | |
| Strategic risk | | | | | | |
| Regulatory Risk | | | | | | |

Likelihood Rating

| Rating | Based on Annual Frequency: Descriptor | Based on Annual Frequency: Definition | Based on Annual Probability of Occurrence: Descriptor | Based on Annual Probability of Occurrence: Definition |
|---|---|---|---|---|
| 5 | Very frequent | More than twenty times per year | Almost certain | >90% chance of occurrence |
| 4 | Frequent | Six to twenty times per year | Likely | 65% to 90% chance of occurrence |
| 3 | Reasonably frequent | Two to five times per year | Reasonably possible | 35% to 65% chance of occurrence |
| 2 | Occasional | Once per year | Unlikely | 10% to 35% chance of occurrence |
| 1 | Rare | Less than once per year | Remote | <10% chance of occurrence |

Significance Rating

| Rating | Descriptor |
|---|---|
| 5 | Catastrophic |
| 4 | Major |
| 3 | Moderate |
| 2 | Minor |
| 1 | Incidental |

Control Effectiveness

| Control Risk Rating | Description |
|---|---|
| 5 | Very effective (reduces 81-100% of the risk) |
| 4 | Effective (reduces 61-80% of the risk) |
| 3 | Moderately effective (reduces 41-60% of the risk) |
| 2 | Marginally effective (reduces 21-40% of the risk) |
| 1 | Not effective (reduces 0-20% of the risk) |

OVERALL ASSURANCE
- FULL "Very effective": Full assurance that the system of internal control is designed to meet the organisation's objectives and controls are consistently applied in all the areas reviewed.
- SIGNIFICANT "Effective": Significant assurance that there is a generally sound system of control designed to meet the organisation's objectives. However, some weakness in the design or inconsistent application of controls put the achievement of particular objectives at risk.
- LIMITED "Moderately effective": Limited assurance as generally moderate sound system in the design or inconsistent application of controls put the achievement of the organisation's objectives at risk in the areas reviewed.
- Very LIMITED "Marginally effective": Limited assurance as weaknesses in the design or inconsistent application of controls put the achievement of the organisation's objectives at risk in the areas reviewed.
- NO ASSURANCE: No assurance as weaknesses in control or consistent non-compliance with key controls could result (have resulted) in failure to achieve the organisation's objectives in the areas reviewed.
Residual Risks for individual findings
- High: Active management attention required as a high priority. Controls are not adequate to address the associated risk.
- Medium: Active management attention required as a moderate priority. Controls are not adequate to address the associated risk.
- Low: Active management attention not required on priority. Controls are more or less adequate to address the associated risk.
Form Number (4)
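Internal Audit Report

| Controls | Finding | Potential effect | Recommendation | Priority | Management response | Target date | Effectiveness From (1-5) |
|---|---|---|---|---|---|---|---|
| AML/CFT systems | | | | | | | |
| Policies and procedures | | | | | | | |
| Risk-Based Approach ("RBA") | | | | | | | |
| Customer Due Diligence – CDD | | | | | | | |
| Suspicious Transaction reports | | | | | | | |
| Record Keeping | | | | | | | |
| Training | | | | | | | |
| AML Officer, Compliance Officer | | | | | | | |
| Ongoing monitoring | | | | | | | |
| Enhanced Due Diligence ("EDD") | | | | | | | |
| ETC…. | | | | | | | |

Form Number (5)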
External Audit Report

| Procedures | FINDING | Effectiveness From (1-5) |
|---|---|---|
| Risk-Based Approach ("RBA") | | |
| Customer Due Diligence - CDD | | |
| Suspicious Transaction reports | | |
| Record Keeping | | |
| Training | | |
| AML Officer, Compliance Officer | | |
| Ongoing monitoring | | |
| Enhanced Due Diligence ("EDD") | | |
| ETC…. | | |