WLI Internal Control Framework Awarness Presentation 12-09-2024 (2).pptx

Full Transcript


Wafa Life Insurance Egypt
Internal Control Framework Awareness
For strictly internal or confidential use
DIRECTION AUDIT AND CONTROL INTERNAL GROUP

Summary
- Introduction
- Definition of internal control
- Internal control framework and its components and actors
- Zoom on the Internal Control Function at the Group Level
- Process management of internal control 2nd Level
- Concept and definitions related to the internal control
  - Control specifications
  - Sampling methodology
- Limit of the Internal Control
- What is the difference between internal audit and internal control?
- Incident management

Introduction
What is internal control?
- Quality of operations
- Verification/follow-up
- Risk control
- Supervision
- Compliance with laws
- Reliability of financial statements
Multiple sectoral definitions (banking, insurance, social organization, listed company) of Internal Control exist.

Introduction
Definition
Internal control is defined as all the measures which, under the responsibility of the general management or the board of directors of the insurance company, must ensure with reasonable assurance:
- Orderly and prudent conduct of business following clearly defined objectives;
- Economical and efficient use of the resources involved;
- Sufficient knowledge of risks, as well as their control, with a view to protecting assets;
- Integrity and reliability of financial information and that relating to management;
- Compliance with laws and regulations as well as general policies, plans and internal procedures.
Management Objectives
- Ensure compliance of the internal control framework
- Strengthen efficiency of the internal control framework
- Give assurance on good control of activities and coverage of major risks
- Alert Management on any incident or malfunction that may affect the situation of the Company.

Definition of internal control
To sum it up
Internal control is:
- A system or procedures of how to control the risk to meet the objectives and reduce risks
- Implemented by the board of directors, management and staff of an organization
- Designed to provide reasonable assurance regarding the achievement of objectives
Finally, internal control is not an end in itself, and the control activities are:
- The organization selects and develops control activities which aim to control and reduce to an acceptable level the risks that are likely to affect the achievement of objectives,
- Actions to ensure that risk treatment measures and management instructions are implemented appropriately and in a timely manner,
- Importance of the link between the organization's objectives and the level of mastery desired.

Internal control Framework
The internal control framework is based on the principle of 3 lines of defense. It is governed by an internal control charter.
Permanent control (executive authority):
1. Operational control. 1st level A: Self-monitoring by employees.
2. Hierarchical control. 1st level B: Permanent control carried out by managers.
3. 2nd level control functions. 2nd level: Permanent control carried out by dedicated control functions.
Periodic control (supervisory authority):
4. Subsidiary audit. 3rd level A: Periodic control carried out by local auditors.
5. Group audit. 3rd level B: Periodic control carried out by the group's auditors.
External audit (outsourced audit, provider): Control carried out by external firms.

Components of the Internal Control Framework
1st level of control: The operational professionals
The 1st level of internal control is the responsibility of the "operational" business lines, which constitute the first line of defense and are responsible for the risks they address within their management perimeter.
These are daily, routine controls, which are generally exhaustive and which aim to make operations and administrative actions more reliable and secure (e.g.: validation of premiums, entry of endorsements, check signing, …):
- Based on management procedures, internal memoranda, circulars and Group directives,
- Manual or automated controls,
- Validation or monitoring and management checks.
First-level controls may have the following vulnerabilities:
- Non-formalized, poorly defined or poorly detailed controls,
- Controls not updated to follow the evolution of processes and risks,
- Lack of commitment and validation in the execution of first level controls by.

Components of the Internal Control Framework
2nd line of defense: The Internal Control
Internal Controller professions: resources dedicated exclusively to control activities, who carry out substantive and formal controls to validate the conformity of the process and processing methods relating to an operation or file, and to specifically monitor the various risks associated with it.
The objectives of the second line of defense are:
- Verify that risk management of all activities is implemented
- Develop a risk/transversal culture in the company
- Validate the quality of the L1 framework with company managers
- Detect possible dysfunctions
- Challenge the L1 on the controls carried out and suggest improvements
2nd level controls are carried out a posteriori or a priori, at a predefined frequency set in the control plan.
Internal controllers must have business expertise and proven experience in their area of intervention.

Components of the Internal Control Framework
3rd line of defense: Internal audit
The Internal Audit Department carries out the following tasks through its cyclical interventions, within the framework of periodic controls:
- Verify the effectiveness of governance frameworks and processes within the Group and its subsidiaries as well as the effective implementation of the decisions of governance bodies, instructions from the Group's general management, and the Group's contractual obligations and commitments;
- Ensure the proper functioning of overall risk management and internal control frameworks;
- Verify compliance of the Group's activities with regulations in force and the general legislative framework applicable, as well as compliance with internal procedures and instructions;
- Ensure the reliability of financial information, management and regulatory reporting, and significant operations;
- Recommend actions to bring about improvements in the above areas, monitor the achievements of the action plans and evaluate their implementation.

Zoom on the Internal Control Function at the Group Level
The Group Internal Control Function is in charge of the Internal Control framework. Its main missions are as follows:
- Ensure the consistency of the entire Internal Control framework as required by the Group's guidelines,
- Set up the 2nd level control, deploy it at the level of entities (Sector, BU, Management) and subsidiaries, and oversee and monitor the work of the Internal Controllers,
- Centralize, manage and consolidate the results of permanent 1st and 2nd level controls at company level,
- Maintain and update the internal control framework.

Hierarchical and functional attachment of the Internal Controllers
The Internal Controller is hierarchically attached to the Director of Pole and member of the Comex for Wafa Morocco, and to the General Director for the subsidiaries, in order to ensure the independence and support necessary for the exercise of the mission.
To monitor the work of internal control, a monthly meeting between the Division Director/General Manager and the internal controller takes place in order to examine and validate the work of the internal controller and monitor the progress of the actions set.
The internal controller is functionally attached to the Group Internal Control Department. This functional connection aims to provide the normative framework of the Internal Control framework and the necessary technical support.

2nd Level internal control process
[Process diagram; the text of its boxes was interleaved during extraction. Recoverable stages: deployment (creation, reviewing and strengthening of the internal control framework; updating of the operational risk map by risk management; identification and formalization of 2nd level controls and definition of the control plan), 2nd level control work (conduct of checks and completion of test forms), sharing of results with the business and operational staff for review, supplementation and validation, and the monthly report and monthly meetings.]
Monitoring of corrective actions and reporting on the progress of structuring action plans (presented during monthly meetings and bi-annual audit committees).
The CEO's validation is shared with the group CI management.
The interactions noted above do not exclude all alerts, blockages, incidents which must be systematically reported.

2nd Level internal control process
The control plans are designed by the Internal Control Department based on the established risk map. These control plans specify the controls to be carried out, the sampling, their frequency as well as the expected deliverables.
Each Internal Controller rolls out the control plan in compliance with the set schedule, formalizes the work in test sheets and keeps all the supporting documents for the anomalies reported. These test sheets are validated with operational staff. The Internal Controller then ensures that the anomalies are corrected.
The internal controller holds a monthly meeting with the Division Director or General Director of the Subsidiary and presents all of the work, reporting on the progress of corrections and possible action plans. The Director ensures that anomalies and action plans are correctly handled by his teams.
The Group Internal Control Department receives the test forms and supporting documents after their validation. It reviews and analyzes the results and consolidates them at its level.
A point on internal control is presented every six months to the Company's Audit Committee.

Concept and definitions related to the internal control
Control Specification
Nature of Control:
- Preventive: Designed to prevent errors or unwanted incidents before they occur.
- Detective: Aims to identify errors or incidents when they occur.
- Corrective: Aims to rectify errors or problems detected by preventive and detective controls.
Type of control:
- Manual: Requires human intervention for execution, such as physical checks or manual reconciliations.
- Automatic: Executed by computer systems, without ongoing human intervention, for example automatic locks of inactive sessions.
Complementary and Compensatory Controls:
- Complementary: Controls that, when combined, provide broader or stronger control coverage than each individually.
- Compensatory: Put in place to offset risks that are not fully mitigated by primary controls.
Documentation and Procedures: Controls must be clearly documented, with detailed procedures on their implementation, monitoring and corrective actions to be taken.
Monitoring and Continuous Evaluation: Controls require continuous monitoring and periodic evaluation to ensure they remain relevant and effective in a changing environment.
Training and Awareness: Continuing education and employee awareness of internal controls are essential to ensure efficiency and staff buy-in.

Concept and definitions related to the internal control
Sampling Methodology
Orientation of the sample in order to target a relevant representation of the population and anomalies. This method makes it possible to carry out a preliminary analysis of the population, save time and go directly to the points of anomalies.
Define criteria that can reveal anomalies and get a representative sampling. Examples:
CLAIMS
- The highest amounts,
- Status of the file (opened, closed, rejected, …),
- Files not moved for a defined period,
- Very high movements in a defined period,
- Zero reservations and unclosed files,
- Negative reserves.
PRODUCTION
- Specific conditions (additional guarantees, agreements, etc.),
- The most important cancellations,
- Terminations with significant discounts.

Limitations of Internal Control
- Changing Conditions: The effectiveness of internal controls can be impacted by changes in the organization's environment, such as new regulations, business processes, or technologies. Controls may need to be updated or adapted to remain effective in the face of these changes.
- Compliance Fatigue: Over time, individuals may become complacent or fatigued with compliance requirements, leading to lapses in adherence to internal controls.
- Technology Limitations: Automated controls and systems can be vulnerable to technical issues, software bugs, or cyber threats. These technological limitations can impact the reliability of automated internal controls.
- Limited Scope: Internal controls can only address risks within their defined scope. They may not cover all potential risks or areas of an organization, leaving some risks unaddressed.
- Cost-Benefit Considerations: Implementing and maintaining internal controls involves costs. Organizations must balance the cost of controls with the benefits they provide. Sometimes, controls may be reduced or eliminated due to cost constraints, potentially increasing risk.
While internal controls are crucial for managing risk and ensuring the integrity of an organization's operations, these limitations highlight the importance of regularly reviewing and updating controls to ensure they remain effective and relevant.

What is the difference between internal audit and internal control?
Common points:
- Common Objective: Improve company operations by ensuring effective risk management, good governance, and efficiency of operational processes.
- Complementarity: The two functions work in a complementary manner to strengthen the company's governance and risk management framework.
- Focus on Control: Despite their differences, both aim to control and monitor operations to ensure compliance and efficiency.

What is the difference between internal audit and internal control?
Differences between Internal Control and Internal Audit
Find the 3 differences
Nature and Scope:
- Internal Control: Permanent procedures for risk management.
- Internal Audit: Periodic assessment of the effectiveness of controls and risk management.
Role and Responsibilities:
- Internal Control: Involves all employees and is integrated into daily operations.
- Internal Audit: Independent, objectively evaluates and reports on controls.
Frequency and Timing:
- Internal Control: Continuously integrated into daily life.
- Internal Audit: Cyclic survey based on needs.
History and Evolution:
- Internal Control: More recent, formalized by Moroccan regulation in 2008.
- Internal Audit: Older, essential for the independence of the evaluation.
Results and Actions:
- Internal Control: Prevents risks and continually improves operations by detecting anomalies for rapid correction.
- Internal Audit: Identifies defects and guides control and risk management strategies.

Incident management
Roles and Responsibilities
Operational Departments:
- Proactively identify operational incidents within their scope of activity and ensure their immediate escalation according to established procedures, paying particular attention to the duty to alert in the event of an abnormal situation.
- Work closely with the internal control function to analyze incidents, determine the underlying causes and implement appropriate corrective actions to prevent their recurrence.
Internal Control Function:
- Coordinates the collection and consolidation of information relating to operational incidents reported by the different departments, ensuring fluid and transparent communication at all levels of the organization.
- Ensures that corrective actions recommended following incident analysis are implemented quickly and effectively, in accordance with internal and external standards.
Risk Management Function:
- Updates the risk management framework and assesses the impact of incidents to propose mitigation measures.
Information Systems Security Manager (CISO):
- Manages IT security incidents and reinforces preventive measures.
Internal Audit:
- Evaluates the effectiveness of incident management and recommends improvements to the process.

Incident management
Incident escalation process
Criteria for Classification and Typology of Operational Incidents:
- Nature of the Incident: Operational incidents can be classified into different categories depending on their nature. This may include processing errors, IT security incidents, fraud, human errors, service interruptions, etc.
- Impact on Operations: Incidents can also be categorized based on their impact on business operations. This can range from minor incidents with only a limited impact on operations to major incidents with a significant impact on business continuity, company reputation and customer satisfaction.
- Source of the Incident: It is important to understand the source or origin of the incident, whether it is an internal error, process defect, technical failure, cyber attack or external factors such as climatic events or regulatory changes.
- Frequency and Repetition: It is also useful to classify incidents based on their frequency and repetition. This helps identify recurring trends and issues that require attention and ongoing corrective action.

Incident management
Incident sheet
The completeness of the incident reporting form is the responsibility of the entity that identified the incident (whether internal control or operational entities), and it must then be validated by the hierarchy of the entity.

THANKS
