An insurer is exempt from the requirements of this section if both of the
following conditions are true:
(a) The insurer has total annual direct written and unaffiliated assumed
premiums, including international direct and assumed premiums but excluding
premiums reinsured with the Federal Crop Insurance Corporation and Federal
Flood Program, less than
(b) The insurer is a member of a group of insurers and the group has total
annual direct written and unaffiliated assumed premiums, including
international direct and assumed premiums but excluding premiums reinsured
with the Federal Crop Insurance Corporation and Federal Flood Program, less
than $1,000,000,000.
(2) An insurer or group of insurers shall establish an internal audit function
providing independent,
objective, and reasonable assurance to the audit committee and insurer
management regarding the insurer's governance, risk management, and internal
controls. This assurance shall be provided by performing general and specific
audits, reviews, and tests and by employing other techniques deemed necessary
to protect assets, evaluate control effectiveness and efficiency, and evaluate
compliance with policies and regulations.
(3) In order to ensure that internal auditors remain objective, the internal
audit function must be organizationally
independent. Specifically, the internal audit function will not defer ultimate
judgment on audit matters to others, and the insurer or group of insurers shall
appoint an individual to head the internal audit function who will have direct
and unrestricted access to the board of directors. Organizational independence
does not preclude dual-reporting relationships.
(4) The head of the internal audit function shall report to the audit
committee regularly, but no less than annually, on
the periodic audit plan, factors that may adversely impact the internal audit
function's independence or effectiveness, material findings from completed
audits, and the appropriateness of corrective actions implemented by management
as a result of audit findings.
If an insurer is a member of an insurance holding company system, as defined in
, or included in a group of
insurers, the insurer may satisfy the internal audit function requirements set
forth in this section at the ultimate controlling parent level, an intermediate
holding company level, or the individual legal entity level.