Internal audit – six considerations for 2025 annual planning

Our aim with this article is not to detail all the areas which insurance firms will need to consider, or even the areas of greatest risk which will no doubt have already been considered and incorporated into plans and strategies, but rather to identify some areas or perspectives which internal audit functions may not yet have considered in their risk assessments.

These items are based on a range of factors, including the issues/themes that we have identified throughout our work during 2024.

Annual planning process - what to think about

1. Financial crime

Whilst insurance is generally considered to have a lower inherent risk than other areas within the financial services sector, insurance companies are nonetheless subject to regulations that require them to have adequate systems and controls in place to combat financial crime. We have found, based on the work we have performed with firms, that insurers are frequently unaware of their specific obligations and may be unable to effectively evidence how they have addressed these obligations. It is expected that (whilst a proportionate approach is likely to be appropriate) firms would have integrated consideration of financial crime within their governance and have performed an enterprise-wide financial crime risk assessment to ensure a thorough understanding of financial crime exposures.  

2. Culture & tone from the top 

Although almost universally recognised as being a crucial part of firms’ control framework, and being a common factor in most instances of regulatory intervention or other issues, culture is an area which is less frequently seen within internal audit plans, but which cuts across a range of different risk areas, including:

  • Corporate governance
  • Risk and control culture
  • HR (or people and culture)
  • Diversity and inclusion
  • Whistleblowing and speaking up
  • Conduct 

3. Cyber security 

Given the level of associated risk, the majority of IA functions will have already undertaken some form of activity in relation to cyber security. Typical approaches have included performing an assessment of cyber security maturity against industry benchmarks and/or a review of the cyber strategy / roadmap.  

When conducting a risk assessment, we recommend that insurance firms also consider the extent of assurance activity which their firm has undertaken in relation to the operation of the cyber security control framework through penetration tests or other exercises, as the scope of these can vary greatly between providers. In particular, we recommend that you assess the following aspects of previous testing, and consider whether this has been proportionate to your exposure, or whether further work is required in the third line:

  1. Approach – Was the work performed in collaboration with IT Management (e.g. the CISO), or covertly? This will affect the level of comfort that can be drawn from it, particularly around detection and response and, subsequently, the timely isolation of threats; and
  2. Scope – Was the scope limited in any way by Management (and can those exclusions be justified?), and did it include both the external- and internal-facing environments? We have found that it is common for firms to test the external environment but exclude the internal environment, which would be covered by an “assumed compromise” scenario that follows the principle that it is ‘not if, but when’ a breach may occur.

4. Operational resilience

The secondary deadline (March 2025) for firms to comply with the Operational Resilience regulation is fast approaching. If it has not already been considered within plans (or within second-line activity), insurance firms should consider conducting either a pre- or (at the very least) post-implementation assessment to confirm that adequate steps have been taken to implement the rules and embed related operational processes.  

Whilst we have found that the majority of insurance firms have appropriately identified their important business services (IBS), impact tolerances (IToLs) and have mapped their resources, we are finding that they have not always adequately documented the rationale for the IBS or IToLs selected, or undertaken sufficient testing to meet the expectation set out in the regulation of undertaking testing to simulate ‘severe but plausible’ scenarios, or that the scenarios have an ‘appropriate range of adverse circumstances of varying nature, severity and duration’. Whilst most have undertaken some desk-based exercises, insurance firms will need to be able to evidence they have tested the resources underpinning their IBS sufficiently, and that their arrangements will enable them to recover within their IToLs. We have found that many firms are yet to go beyond basic testing. 

5. Third-party dependencies and resilience 

The outsourcing regulations should be well established and embedded in most organisations; however, we have found that although insurance firms address the majority of aspects, they frequently do not have contingency arrangements in place, or have not tested these, to ensure they can maintain service continuity in the event of the loss or outage of a third party. 

This risk was thrown into stark relief by the recent CrowdStrike outage and the disruption caused to firms. IA functions may wish to consider revisiting aspects of the outsourcing regulations and their wider third-party risk management frameworks, and consider the impact of the loss or outage of a third party which, while potentially not ‘material’ under the regulatory definition, may nevertheless cause significant disruption.

6. Thematic reporting

Over the last few years, we have seen a trend towards insurance IA functions reporting on (e.g.) cultural matters within each of their reports and, more commonly, in their annual reporting to audit committees. What we expect to see now is an increasing prevalence of the same approach being taken to the recent wide-ranging regulations: Operational Resilience and the Consumer Duty being foremost among them. This will require a good deal of forethought when planning and scoping audits to identify the relevant touchpoints, so that these are (a) called out and (b) reported on in a concise and user-friendly way.

Contact us

To speak to one of our Insurance Risk Consulting experts, get in touch today.