
General:

Are the General Management Objectives highlighted in the PRCO files (“see Risk
analysis” worksheet) in line with the approved BalanceScoreCard? – to be checked

IT area

1. BCP – does it exist? With what frequency is the BCP tested? – see BCP-DRP internal
procedure
Conclusion: BCP policy to be updated (page 3 – back-up is Euroclinic, but
Euroclinic is now in the same location as Eureko) and improved, as follows:
- (page 2 – “Like the other departments, they also should think of alternative
ways of providing their services and [...] of measures that prevent disasters to
take place”.)
- There should be a person responsible for the BCP, and not “all departments to
think of measures to continue their activity”.
- The procedure does not specify how the back-up is performed, its frequency,
or the location where the back-up is stored
2. is the back-up performed on a daily basis? Is the back-up stored on DVDs? If
yes, in what location are the DVDs stored? (in what location, so as to ensure
continuity of activity in the event of a catastrophic natural event –
e.g. earthquake, fire, floods?)
3. is there a change management procedure? E.g.: logs in place for each
change, reason for the change, version numbering, and master files of the latest
version in read-only format in order to ensure the back-up
4. is there an internal information classification procedure (e.g.: public, confidential)?
5. sign-off front page for all the approved procedures? (applies to all procedures)
6. back-up procedure?

Finance / Reporting / Budgeting area (as per the narrative described in ICS):

1. internal procedures applicable?
2. is there a guideline for the budget preparation?
3. what type of budget is used: negotiating budget, imposed budget (top-down
approach), annual budget, rolling budget…?
4. who/how is the budget holder instructed in order to prepare the budget?
5. is the budget holder experienced enough in order to produce the budget? Are there
cases when the budget holder is from the middle management category?
6. who summarizes all the budgets gathered from all the departments? – CFO???
Who is reviewing the budgets? Who approves the budget? What is the approval
process (cycle / procedure)?

Operational expenses

1. expenses approval list in place?
2. invoice payment procedure?
3. there is no application into which the purchase orders / invoices are entered, so
as to give certainty that all invoices are entered and paid correctly and in
due time (there should be an automatic link between the expenses application
and the accounting system). The application can be used for invoices, as well as
for purchase orders and expense settlement reports (raport de decontare).

Reinsurance process

1. internal reinsurance procedure
2. ceded amounts in reinsurance against the invoiced amounts
3. how many reinsurers? (GenRe – ok –, EurekoRe, others?)
4. what rating do the agreed reinsurers have?
5. are there any SLAs in place with the reinsurers?
6. is the reinsurance data recorded in the policy administration system, or is it
recorded in a separate system/application specially developed for this purpose (for
reinsurance)? The reinsurance data is input MANUALLY = there is no dependent
link with the accounting system and policy administration system, but there are
reconciliations performed between the reinsurance calculations and the
accounting records – TBD: ask for evidence of the reconciliation between
those two. Issue: is there no reconciliation performed with the policy
administration system as well? Because the data needed in reporting should
be taken by the Finance dept automatically from the policy administration
system reinsurance data

Investments

1. investment working procedure
2. frequency of Investment Committee meetings, attendees, minutes of meetings
3. is there any asset management software in place or is it kept in the spreadsheets?
If spreadsheets are used, check if all criteria for EUCC are met.
4. are the investment limits monitored in order to get assurance that we are within the
investment limits and shares/ bounds imposed by the local regulator? Who is in
charge of the monitoring process? Evidence of monitoring and frequency of the
process.
5. see process of market price calculation and if history kept. See manager box.

Claims

1. how are the complex cases of complaints solved? Is there a Complaint Committee
in place to analyze the case? If yes, who are the attendees? If no, who makes the
final decision and see evidences of investigation.
2. Are the letters of complaint kept in a file in order to facilitate access to the
history of complaints? Also, is there a Complaint registry book kept (history of all
the complaints, what the complaint was, who solved it, timeline of solving the
complaint (if in line with the internal procedure – check if there is any internal
procedure on complaints)), as well as evidence of the investigations performed?

Commissions and clawback

1. Page 7 of the “Determinarea veniturilor cuvenite agentilor” procedure
stipulates that the agents will be imputed if the receipt books are more
than 24 hours late. Is this referring to depositing the client’s premium to the
bank? If yes, then this means that the agents are allowed to cash the initial,
as well as the other premiums.
2. According to page 2 of the “Plati venituri cuvenite agentilor” procedure, SSO
has several responsibilities, mainly commission payment. Is a reconciliation
performed, after the effective payment process, between the approved
payments file and the payment file which goes to the bank? The check should
be performed by another employee in order to avoid conflicts of interest
(there is the risk of fraud if the Sales Support Officer has access to modify the
bank account where the payment should be made after the DP were signed off
by the respective agents!!).
3. Claw back internal procedure to be drafted as a consequence of the annualized
commission introduction

Internal Audit

1. provide risk map of Eureko EUA
2. materiality levels
3. credit risk = Net risk exposure = green in the actual economic conditions (as per
the Revised Scorecard (D.2.3.) “Hard copy ICS” file)
4. idem Market risk – on what base the Net risk exposure is “Tolerable”?
5. Policy administration and Reinsurance activities = Net risk exposure = Tolerable
in the conditions of manual input (but that depends on the local materiality levels
– to see if the tests’ results are within the “tolerable” materiality levels)
6. see why BCP has “Material” Net risk exposure? Link with the IT questions
above!!
7. Reinsurance risk = NRE = Green? – what controls are in place to mitigate the
risks above (“Reinsurance”), mostly if the controls in place are “Moderate” and
not “Sufficient”? Moreover, according to “Process Risk and Control Overview –
Reinsurance” - “Due to the use of excel documents it is hard to execute data
reconciliation” (see E.3.3.7.2.)
8. IT system = ? and operational system = ? (there are 2 different systems according
to PRCO New Business)
9. As per the PRCO New Business – “Import figures in the system instead of
manually introducing numbers in Excel files”. In the New Business, the policies
cannot be imported; they can only be input manually.
10. Is the four-eye principle applied in the manual validation of data within the New
Business process? – as per the PRCO New Business “Manual validation of data
can mitigate the risk (partially), but this control is not efficient as it is very time
consuming”. – get assurance it is efficient through a sample selected on a weekly
basis by the PA Supervisor and validation (with evidence) of the correctness of
the transactions. What is the purpose of the MIS project?
11. BCP policy to be updated!!! (see above BCP IT section)
12. Are agents allowed to cash the premiums from the clients? (section
Commissions and Clawback) – clawback procedure to be put in place as a
consequence of annualized commission introduction
13. Projects running in the Company. – system replacement, etc…
14. Systems used in EUA – CM to provide the list
15. How many policies in force?
16. How many agents/ branches?
17. What is the approach to take in establishing the scoring in the control level and
net risk exposure assessment? - CM to provide (also includes risk assessment
matrix)
