Financial Supervisory Authority of Norway reviews internal audit at 57 insurers and highlights wide variation in resources and risk coverage

The Financial Supervisory Authority of Norway (Finanstilsynet) has published a mapping of internal audit arrangements across almost all Norwegian insurance undertakings, covering 10 life insurers and 47 non-life insurers. The review points to substantial differences in how firms resource internal audit and sets out expectations for the internal audit function and board oversight. Internal audit is a requirement for financial undertakings and is positioned as a tool for the board to ensure the insurer is properly organised and run, provided the function has sufficient resources and competence. Finanstilsynet highlights the need for robust, firm-specific risk assessments when selecting audit projects, noting that a relatively large number of projects are assessed as “green” and often cover a narrow part of the business, which may indicate that key risk areas are not being tested or that audit functions apply overly low standards. Boards are expected to ensure they understand what internal audit has tested and not tested in each project. Finanstilsynet does not take a view on whether internal audit should be performed using in-house or outsourced resources, but notes that insurers using group internal audit appear to produce more firm-specific risk assessments and more tailored audit projects. The authority also flags potential conflicts of interest linked to outsourcing that boards should be aware of and assess regularly.