Audit of supervision insurance
1. Background
1.1 Overview
As part of its mandate to contribute to a sound financial system, OSFI regulates and supervises all federally registered financial institutions (Institutions) in Canada, including banks and insurance institutions. Effective and timely supervision of financial institutions includes assessment at both the institution and the industry level to ensure that risks are identified, managed and remediated in a timely manner.
Insurance institutions represent approximately 61% of all institutions supervised by OSFI, and our audit scope covers approximately 90% of these insurance institutions. While these institutions are smaller than the large banks and insurance groups, in aggregate they can still affect the financial system given their exposure to housing, climate, and liquidity risks, which are highlighted in OSFI’s 2024-25 Annual Risk Outlook to the financial industry.
1.2 Context on Why and How We Did This Audit
We undertook this audit to provide assurance on the effectiveness of supervisory assessments for smaller, non-Internationally Active Insurance Group (non-IAIG) insurance Institutions. This area has not been audited in the past 8 years and has transitioned to the new Supervisory Framework, with newly developed tools and processes, effective April 1, 2024 (refer to Appendix C - About the Audit and Appendix D - Previous Audit Coverage).
This audit was carried out in four sprints. A number of recommendations were identified across the sprints, some of which were closed during the audit (refer to Appendix B – Schedule of Sprint I to IV Recommendations for details).
2. Summary of Audit Results and Findings
2.1 Overview of Results
Overall, we found that supervisory risk assessments and oversight processes were effective and supported by methodology and tools that aligned with the new Supervisory Framework. However, we identified the findings and proposed recommendations noted below to further strengthen both supervisory capability and supervisory processes:
- Establishing supplementary detailed guidance and tools to support supervisory risk assessments for Tier 3-5 insurance institutions, especially in areas of non-financial risk;
- Strengthening management and oversight controls to review risk ratings, especially for those institutions assigned a rating of ‘1’;
- Expanding oversight metrics to increase visibility on the effectiveness of institutional remediation activities; and
- Continuing development of tools to strengthen oversight of access to protected information in Vu.
Lastly, we assessed the quality assurance reviews (QARs) performed by the Supervision Quality Assurance Division (SQAD) and noted that the QARs were risk-based, provided adequate challenge to supervisory work, and sufficiently documented findings. As such, we relied on their work and reduced the extent of Internal Audit (IA) work, where applicable.
Gold Stars to Management
Management promptly remediated a recommendation (detailed in Appendix B) raised by the audit in Sprint I by shifting from releasing guidance at a very fast pace and on an ad hoc basis to a more strategic implementation plan that highlighted the relevant operational priorities to supervisors. Management also updated its planning tool during the audit to incorporate IA’s feedback, as feasible, to facilitate the 2025-26 planning cycle.
Insurance supervision teams for smaller insurance institutions expended a high level of effort during the transition to the new Supervisory Framework to apply its new expectations. This included horizontal peer meetings to calibrate risk ratings for consistency across similar institutions.
SQAD produced thematic reports which helped promote awareness of general observations to strengthen the quality of the annual supervisory letter and risk rating for institutions that were not yet selected for a QAR.
2.2 Management Response
Management agrees with the findings and recommendations contained within this report and has identified Management Action Plans with associated timelines for each recommendation as outlined in the relevant sections.
3. Key Findings
3.1 Supervisory Risk Assessments and Guidance
Clear supervisory guidance gives supervisors an effective and consistent understanding of what is expected when assessing Institutions’ risk profiles and communicating supervision results to them.
What We Found
Supervision Methods, Standards, and Controls (SMSC) led the transition to the new Supervisory Framework and implemented multiple changes to standards, guidance, and tools, in a short time frame. While each risk category had an explanatory guide and planned release of supplementary guides, the following gaps were noted:
- For 38% (5 of 13) of the samples tested, we were unable to find sufficient evidence to support a rating of ‘1’ for the expanded risk categories under the new Supervisory Framework, particularly operational resilience. In addition, the risk scorecard rationale, notably for operational resilience risk, did not consistently include the key drivers supporting the assigned rating. However, since the end of our examination period, SMSC has begun revising rating assessment guidance for scenarios where supervisors do not have the information necessary to complete an assessment.
- There was limited specialist support for non-financial risk assessments (e.g. technology, cyber, and third-party risks). Moreover, while a plan to release supplementary rating guides was established, including prioritization of non-financial risks, the timing of the transition meant that guides were released in parallel with the refresh cycle of the scorecard.
- While the assigned ratings were supported by the materials reviewed, the prioritization of non-financial risks, the assessment criteria applied, and the assessment documentation were inconsistent across Lead Supervisor (LS) teams. As such, we were unable to evaluate the consistency of conclusions reached under the same or similar circumstances.
- While most supervision content is consolidated within the Supervision portal, intervention guidance was fragmented across multiple resource platforms, such as the Supervision Institute Portal, the Quality Assurance portals, and various guidance documents. Moreover, intervention guidance often focused on the banking sector, limiting its relevance to the smaller insurance institutions. Nonetheless, our work noted that intervention responses were timely, consistent, and commensurate with the issues identified.
Why It Matters
Without clear guidance to assess non-financial risks and on intervention activities, the accuracy and consistency of risk assessments, assigned ratings and supervisory work may be reduced.
Recommendation #1 (Medium Risk)
The SMSC team should continue its update to and centralization of guidance and tools, including examples for non-financial risks and risk assessments, where needed, for the smaller insurance institutions.
Recommendation #2 (Medium Risk)
Through future annual supervisory letter cycles, management should perform a strategic and risk-based review of all existing ‘1’ rated institutions to ensure support and consistency of these risk assessments. In addition, management should continue to exercise risk-based oversight to ensure that rating rationales across the Tier 2-5 insurance portfolios are adequately supported and are consistent.
3.2 Stakeholder Interaction and Inputs in Supervisory Activities
Clearly defined and understood stakeholder interaction and input models enable timely and relevant inputs in supervisory assessments.
What We Found
Supervisory work considers relevant information from internal and external contributors. These can include financial and non-financial specialist groups, the Integrity and Security Risk Division (ISRD) and external organizations, such as peer regulators, the Financial Institutions Supervisory Committee (FISC), and Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). While we noted that information sharing mechanisms with specialists and supervisors existed, and regular meetings with FISC and peer regulators occurred, some of these mechanisms were not yet defined to enable effective information sharing. For instance:
- Information sharing with FINTRAC, and how that information is to be used for the scorecard and the ASL, was not defined. However, since the examination, management has made progress by establishing a working group to define the terms of agreement and the frequency of meetings between OSFI and FINTRAC.
- Due to ISRD’s limited maturity, ongoing information sharing mechanisms were not yet defined and implemented in supervisory activities. However, the Integrity and Security Steering Committee, coupled with an information session, acted as a mitigant by directing how initial results are to be shared with and used by supervisors.
Since the end of examination and communication of these observations, SMSC has revised and released the monitoring standard to reflect the relevant contributors and how to use their information in risk assessments.
Why It Matters
Without clearly defined interaction models, information sharing mechanisms and how the information will be used, the effectiveness of assessing and communicating institution related risks may be reduced.
Recommendation #3 (Medium Risk)
SMSC, in consultation with senior leadership, should continue to define the relevant contributors and sources of inputs and how they will be used to support supervisory assessment work, ratings, and recommendations on an ongoing basis.
3.3 Oversight of Supervisory Activities
3.3.1 Metrics and Results
Monitoring of key performance and risk indicators is important to evaluate the effectiveness of supervisory operations and activities, including assessments of institutions.
What We Found
There are established key risk and performance indicators (i.e. KRIs and KPIs) that are aligned to OSFI risk appetites and business objectives and regularly reported to senior leadership. These include metrics to monitor progress against planned work, achievement of deliverables within established timelines, progress of remediation actions by the institutions, significant changes in institution risk ratings, and Lead Supervisor tenure.
Oversight of the progress and effectiveness of institutions’ remediation activities for supervisory recommendations exists, including a trail of target-date changes in Vu that is logged at the action item level. There are metrics on both the total and the distribution of open and overdue remediation actions for all in-scope institutions. However, there was no systematic process or regular reporting to monitor changes to the target completion dates of remediation actions at the individual institution level. There were instances where the target completion date was revised more than twice, indicating institution risks that remained unresolved for longer.
Why It Matters
Without adequate metrics to measure the progress of, and changes to, open and overdue action items, the ability of supervisors and senior management to understand delays in issue closure and respond appropriately may be impaired.
Recommendation #4 (Medium Risk)
Supervision Central Office (SCO), in collaboration with SMSC and management, should develop supplementary metrics to monitor changes to target dates for completion of an institution’s action items.
3.3.2 Sensitive Data and Access Management
Having effective oversight of system access is critical to ensure sensitive information is appropriately protected.
What We Found
Vu is an in-house built system that serves as the book of record supporting supervisors in their work. In general, access to Vu is role-based, and both SMSC and Lead Supervisors apply adequate controls to manage access to confidential and sensitive data (e.g. isolation pods for staged institutional data). We verified that ad hoc access management controls existed and worked as intended, and noted that access reporting enhancements in Vu are underway. However, there was not yet a tool available to support Lead Supervisors in systematically monitoring whether each user’s access remains appropriate.
Why It Matters
Inadequate access oversight controls may delay the removal of unauthorized or no-longer-needed access to confidential and sensitive data.
Recommendation #5 (Medium Risk)
SMSC should develop and implement a tool to support the oversight and monitoring of user access to confidential and sensitive data in Vu.
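To make concrete what the core of such a monitoring tool would check, the following is an added illustration written for this page; it is not OSFI’s code and does not reflect Vu’s actual data model. It assumes a hypothetical export of access grants (user, role, institution data pod, date granted, date last reviewed) and a current team roster (user, role, assigned pods), both constructed here as sample data, and flags the grants a Lead Supervisor should re-examine: the user is no longer on the roster, the user’s role has changed, the pod is no longer assigned to the user, or the grant has gone past a review period without recertification.

```python
"""Periodic access recertification check (added illustration, hypothetical data model).

Assumed inputs: a list of access grants exported from a book-of-record
system and a roster of who currently holds which role and which
institution pods. Neither the field names nor the sample records come
from Vu; they are constructed for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    pod: str                      # institution data pod, e.g. "INS-0042" (constructed id)
    granted: date
    last_reviewed: Optional[date]  # None if never recertified since it was granted


@dataclass(frozen=True)
class RosterEntry:
    role: str
    pods: frozenset               # pods the user is currently assigned to


# Assumed recertification interval; a real policy would set this explicitly.
REVIEW_PERIOD = timedelta(days=90)


def review_grants(grants: List[Grant], roster: Dict[str, RosterEntry],
                  today: date, review_period: timedelta = REVIEW_PERIOD
                  ) -> List[Tuple[Grant, str]]:
    """Return (grant, reason) for every grant that needs a Lead Supervisor's attention.

    Checks are ordered so that the strongest signal wins: a departed user is
    reported as such even if the grant is also overdue for review.
    """
    findings: List[Tuple[Grant, str]] = []
    for g in grants:
        entry = roster.get(g.user)
        if entry is None:
            findings.append((g, "user not on current roster"))
            continue
        if g.role != entry.role:
            findings.append((g, f"role changed: grant says {g.role}, roster says {entry.role}"))
            continue
        if g.pod not in entry.pods:
            findings.append((g, "pod no longer assigned to user"))
            continue
        # Recertification clock runs from the last review, or from the grant date if never reviewed.
        baseline = g.last_reviewed or g.granted
        overdue = (today - baseline) - review_period
        if overdue > timedelta(0):
            findings.append((g, f"review overdue by {overdue.days} days"))
    return findings


def findings_by_pod(findings: List[Tuple[Grant, str]]) -> Dict[str, int]:
    """Count flagged grants per pod, the per-institution view the finding above calls for."""
    counts: Dict[str, int] = {}
    for g, _ in findings:
        counts[g.pod] = counts.get(g.pod, 0) + 1
    return counts


# Constructed sample data. Review date chosen to match the end of the audit scope period.
TODAY = date(2024, 6, 30)

ROSTER = {
    "asmith": RosterEntry("Lead Supervisor", frozenset({"INS-0042", "INS-0107"})),
    "bjones": RosterEntry("Specialist", frozenset({"INS-0042"})),
    "cwong": RosterEntry("Lead Supervisor", frozenset({"INS-0211"})),
}

GRANTS = [
    Grant("asmith", "Lead Supervisor", "INS-0042", date(2024, 1, 15), date(2024, 5, 1)),   # current
    Grant("asmith", "Lead Supervisor", "INS-0107", date(2023, 9, 1), None),                # never reviewed
    Grant("bjones", "Specialist", "INS-0042", date(2024, 4, 10), None),                    # within period
    Grant("bjones", "Specialist", "INS-0211", date(2024, 2, 1), date(2024, 6, 1)),         # pod removed
    Grant("cwong", "Specialist", "INS-0211", date(2024, 3, 1), date(2024, 6, 15)),         # role changed
    Grant("dlee", "Lead Supervisor", "INS-0042", date(2023, 11, 1), date(2024, 3, 1)),     # left the team
]


def run_review() -> List[Tuple[Grant, str]]:
    """Run the check over the constructed sample; returns four flagged grants."""
    return review_grants(GRANTS, ROSTER, TODAY)


if __name__ == "__main__":
    results = run_review()
    for grant, reason in results:
        print(f"{grant.user:8} {grant.pod:9} {grant.role:16} {reason}")
    print("flagged per pod:", findings_by_pod(results))
```

The four flagged grants in the sample each exercise a different rule; the two grants that pass (asmith on INS-0042, bjones on INS-0042) are within the review window and match the roster. Running the same check on every export, and trending `findings_by_pod` over time, is what turns the ad hoc controls noted above into systematic monitoring.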
3.4 Other Matters
Insurance Risk Register
The Insurance Risk Register is one of the key inputs used in the PASS planning tool for supervisors to map supervisory activities to risks. The register requires periodic refreshes to ensure it is reflective of the current risk environment.
What We Found & Why It Matters
During Sprint I, we raised a recommendation to ensure that the insurance-specific risk register is reflected in the PASS planning tool’s risk inventory used by supervisors for planning activities. While management has agreed and has begun work to clarify accountabilities and establish a process for incorporating these risks, the process has not yet been implemented. Appropriate inclusion of insurance risks, and mapping of supervisory activities to them, will give senior management the insight needed to confirm whether top insurance risks are adequately covered by planned supervisory activities.
Recommendation #6 (Low Risk)
SMSC should continue to coordinate the relevant risk register inputs to the PASS planning tool.
Appendix A – Recommendation Ratings
Recommendations are ranked to assist management in allocating resources to address identified weaknesses and/or improve internal controls and/or operating efficiencies. These ratings are for guidance purposes only. Management must evaluate ratings in light of their own experience and risk appetite.
Recommendations are ranked according to the following definitions:
- High Risk: should be given immediate attention due to the existence of either a significant control weakness (i.e. control does not exist or is not adequately designed or not operating effectively) or a significant operational improvement opportunity.
- Medium Risk: a control weakness or operational improvement that should be addressed in the near term.
- Low Risk: non-critical recommendation that could be addressed to either strengthen internal control or enhance efficiency, normally with minimal cost and effort. Individual ratings should not be considered in isolation, and their effect on other objectives should be considered.
Appendix B – Schedule of Sprint I to IV Recommendations
The following recommendations were identified during the audit, some of which were remediated by management and validated by IA prior to final reporting.
Sprint Name | Recommendation | Risk Rating | Status |
---|---|---|---|
I – Supervisory Planning | The Supervision Methods, Standards, and Controls (SMSC) team should enhance the process to strategically communicate the implemented changes that align with strategic and operational priorities. Also, SMSC should continue to coordinate timing for relevant stakeholders’ inputs for proposed changes, where appropriate and feasible. | Medium | Closed |
II – Supervisory Activities | The SMSC team should re-visit and update existing guidance and tools to clarify expectations, including proportionality, to support the supervision of smaller institutions. Also, SMSC team should centralize guidance, where necessary. | Medium | See Recommendation #1 in this report |
II – Supervisory Activities | The SMSC team, in collaboration with the Supervision Leadership team, should continue its planned efforts on strengthening guidance and tools on how to monitor and manage outcome statements. | Low | Closed |
III – Scorecard Rating and Annual Supervisory Letters | The SMSC team, in consultation with senior leadership, should continue work underway to define the relevant partners and sources of inputs and how they will be used to support supervisory assessment work, ratings, and recommendations. | Medium | See Recommendation #3 in this report |
III – Scorecard Rating and Annual Supervisory Letters | Through future annual supervisory letter cycles, management should perform strategic and risk-based review of all existing “1” rated FRFI to confirm the reasonability of these risk assessments. In addition, management should continue to exercise risk-based oversight to ensure that rating rationales across the Tier 2-5 insurance portfolios are adequately supported. | Medium | See Recommendation #2 in this report |
III – Scorecard Rating and Annual Supervisory Letters | The SMSC team should continue to develop and communicate rating assessment guidance, with a heightened focus on providing (Tier 2-5) examples for non-financial risks, and guidance when information is not yet available to make a rating assessment. | Medium | See Recommendation #1 in this report |
IV – Supervisory Operations Oversight | SCO, in collaboration with TTT and management, should develop supplementary metrics to monitor changes to target date for completion of FRFI action items. | Medium | See Recommendation #4 in this report |
IV – Supervisory Operations Oversight | TTT should develop and implement a tool to support the oversight and monitoring of user access to confidential and sensitive data in Vu. | Medium | See Recommendation #5 in this report |
Appendix C - About the Audit
C.1 Objective
The objective of this audit is to assess whether controls over supervisory activities support effective and timely supervisory response.
C.2 Scope & Coverage
The audit scope period was April 1, 2023 to June 30, 2024. The audit assessed the effectiveness and efficiency of supervisory processes. Sample testing was conducted to assess operating effectiveness and adherence to the new Supervisory Framework.
The insurance institutions within the non-IAIG group covered the below in-scope insurance portfolios:
- Personal Lines, Commercial Insurance, Multi-line Insurance (formerly referred to as Property and Casualty Group)
- Reinsurance
- Mortgage Insurance Group (MIG)
- Life Insurance Non-Conglomerates
C.3 Approach and Methodology
This audit was conducted using a sprint-based approach, with each sprint functioning as a mini-audit with findings delivered to management at its conclusion. The audit was composed of four sprints:
- Sprint I: Supervisory Planning
- Sprint II: Supervisory Activities
- Sprint III: Scorecard Rating and Annual Supervisory Letter
- Sprint IV: Supervision Operations Oversight
To provide more timely results to management and the Departmental Audit Committee (DAC), IA delivered an interim management memo after each of the first three sprints, along with interim verbal updates to the DAC.
The Supervision Quality Assurance Division (SQAD) completed an assessment of the scorecard ratings for the in-scope insurance portfolios. As a result, IA conducted its testing of the effectiveness of scorecard ratings and supervisory letters separately, in Sprint III, to align with the timing of SQAD’s work. Through Sprint III, IA assessed the effectiveness of SQAD’s assessment for the in-scope portfolios. The results demonstrated that IA was able to place reliance on SQAD’s work, reducing the audit sample size and duplication of effort.
Sprint IV assessment results were communicated verbally to management and consolidated in this final report.
The audit was conducted through document reviews, interviews, process walkthroughs and sample testing to evaluate the design and operating effectiveness of the internal controls over supervisory processes within the non-IAIG group.
C.4 Audit Criteria
The following table outlines the audit criteria that have been established for this audit, both overarching and sprint specific.
| Criteria | Sub-Criteria |
|---|---|
| All Sprints | |
| 1. Supervisory expectations, accountabilities, methodologies, and guidance support achievement of supervisory activities and objectives. | 1.1 Policies, standards, guidance, and templates are formalized, accessible, and regularly updated. |
| | 1.2 Roles and responsibilities are clearly articulated and understood. |
| | 1.3 Change management processes are in place and well communicated to support effective transition to the new Supervisory Framework. |
| | 1.4 Objectives of the Supervisory Framework renewal have been identified, and achievement of those objectives is being measured and monitored. |
| 2. Supervisory oversight and reporting processes are adequate to support effective and timely escalation and response. | 2.1 Supervisory activities, including staged and watch-listed Institutions, are monitored for appropriate and timely decision making. |
| | 2.2 Appropriate performance metrics are used for monitoring supervisory activities, and are adequate, reliable, and reported in a timely manner. |
| 3. Supervisory tools and systems support key supervisory activities and achievement of their objectives. | 3.1 Supervisory tools and systems are established and enable timely, risk-based, and effective supervision of Institutions. |
| | 3.2 Tools and systems have adequate testing, validation, and change management. |
| | 3.3 Critical data points and sensitive and confidential information within supervisory tools and systems are identified and protected. |
| Sprint I & II – Supervisory Planning and Activities | |
| 4. Supervisory planning is risk-based and aligned with the supervisory framework applicable for the period. | 4.1 Supervisory strategies and plans are supported by clear and documented rationale, approved, and communicated on a timely basis. |
| | 4.2 Supervisory strategies and plans align with the Supervisory Framework, are risk-based, and adequately consider resource availability. |
| | 4.3 Adjustments to supervisory strategies and plans are adequately supported by changes to institution and industry level risks. |
| | 4.4 Materials assessed by supervisory teams, including any compliance reporting, are considered in the planning process. |
| Sprint II & III – Supervisory Activities & Scorecard Ratings and ASL | |
| 5. Supervisory activities are conducted in accordance with the Supervisory Framework to support accurate and timely risk identification, assessment, monitoring, and communication of concerns. | 5.1 Supervisory activities are conducted in accordance with the Supervisory Framework and related guidance to support accurate and timely risk identification, assessment, and communication of concerns. |
| | 5.2 Supervisory activities are effective in supporting timely response to risks identified. |
| | 5.3 Supervisory conclusions on the institutions’ risk ratings, findings, and actions are adequately supported, appropriately approved, and communicated in a timely manner. |
| | 5.4 Issues management processes are effective in monitoring remediation activities by the Institutions. |
C.5 Statement of Conformance
This audit was conducted in conformance with the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing, consistent with the Treasury Board (TB) Policy on Internal Audit, and as supported by the results of the Quality Assurance and Improvement Program.
Appendix D - Previous Audit Coverage
Prior audit coverage of the insurance supervision portfolios includes:
- 2016: Audit of Insurance Supervision Sector Mortgage Insurance Group
- 2017: Audit of Supervision of Life Insurance Non-Conglomerates Institutions
- 2018: Audit of Insurance Supervision Sector Securities Administration Unit
- 2023: Audit of Supervisory Processes Internationally Active Insurance Groups, Canada Mortgage and Housing Corporation
All recommendations from these projects have been closed.
Appendix E - Supervisory Activities and Tools
The Supervisory Framework guides the risk-based oversight of supervisory activities over federally regulated financial institutions and pension plans. Overall, there are four supervisory activities: (i) Planning, to set supervisory strategies and plans; (ii) Monitoring and Review, to develop risk assessments; (iii) Reporting and Intervention, to communicate results; and (iv) Issues Management, to follow up on recommendations. While supervisory planning is the first of the four activities in the supervisory lifecycle, the overall supervisory process is dynamic, continuous, and iterative, as outputs from any of these activities provide insights or inputs to the previous or next one.
As of December 2023, Vu was refreshed to align with the new Supervisory Framework and remains the key system of record for supervisory work. In addition, throughout 2024, new tools were developed and implemented to support supervisory activities (e.g. the Planning and Supervisory Strategy (PASS) Tool and the Findings and Action Standardization (FAST) Tool).
Appendix F – Key Terms & Acronyms
Acronym | Description |
---|---|
ASL | Annual Supervisory Letter – a type of supervisory letter used to communicate the current supervisory ratings, summarize key themes influencing OSFI’s supervisory work, and articulate expectations related to these themes. It can also be used to summarize key findings from supervisory reviews and other activities conducted since the prior year’s ASL and to present current plans for the upcoming year. |
FINTRAC | Financial Transactions and Reports Analysis Centre of Canada - Canada's financial intelligence unit and anti-money laundering and anti-terrorist financing supervisor. |
FISC | Financial Institutions Supervisory Committee - a committee whose members include OSFI, the Department of Finance, the Bank of Canada, the Canada Deposit Insurance Corporation, and the Financial Consumer Agency of Canada. It meets at least quarterly to share information on matters relating to supervising federally regulated financial institutions. |
Institution(s) | Federally Regulated Financial Institution(s) – OSFI regulates and supervises all federally registered financial institutions in Canada, including banks and insurance companies. |
IAIG | Internationally Active Insurance Group - Defined by the International Association of Insurance Supervisors (IAIS) as large insurers with a significant global presence, IAIGs are subject to OSFI’s own supervisory standards as well as the IAIS’ Common Framework. OSFI currently categorizes four institutions as IAIGs, composed of three life and one property & casualty insurance group. |
ISRD | Integrity and Security Risk Division - provides insights into the existence and adequacy of integrity and security policies and procedures to OSFI, and also collaborates heavily with the National Security Sector to support our strategies, decision-making, and actions related to integrity or security, including national security and foreign interference. |
KRIs/KPIs | Key Risk Indicators/ Key Performance Indicators – monitored on the Risks, Ratings, and Operations (RRO) dashboard to offer a holistic perspective on supervisors’ and specialists’ performances. |
OSFI | Office of the Superintendent of Financial Institutions - supervising federally regulated financial institutions and pension plans to contribute to public confidence in the financial system. |
PASS | Planning and Supervisory Strategies – a tool designed to facilitate the identification and prioritization of supervisory review and monitoring activities, and Cross-sector/Thematic review activities per the Supervisory Strategy and Planning Standard. |
QARs | Quality Assurance Reviews - one of the types of quality assurance (QA) assessment approaches that will be performed by the Supervision Quality Assurance Division (SQAD) to contribute to excellence in Supervision Sector by supporting supervisors through continuous improvement. |
SCO | Supervision Central Office – part of the supervision sector and provides operational support to all supervision teams centrally. |
SMSC | Supervision Methods, Standards, and Controls – part of the Supervisory Institute (SI) group, which as a whole equips staff with the supervision-specific tools, training, and resources needed to perform supervisory work effectively. |
TTT | Tools and Technology Team – part of the Supervision Methods, Standards and Controls team; provides tools and technology support to all supervision teams. |
Addendum
This document is an addendum to provide additional contextual information on the Audit of Supervision Insurance for the DAC members.
Population Universe
Insurance institutions provide property and casualty, life, reinsurance, and mortgage insurance coverage to individuals and businesses. At OSFI, insurance institutions are classified in two sub-categories: (i) Internationally Active Insurance Groups (IAIGs), which are large insurers with a significant global presence and are tier-rated 1; or (ii) non-IAIGs, which are tier-rated between 2 and 5. The latter includes the three mortgage insurers, which are rated Tier 2 (formerly Tier 1). Each institution is then assigned an overall risk rating (on a scale of 1 to 8) and an intervention rating (on a scale of 1 to 4); both are continuously monitored through supervisory work across business risk, financial resilience, operational resilience, and risk governance, and adjusted where required.
At the time of planning our audit, insurance institutions represented approximately 61% of all institutions supervised by OSFI (210 of 340). The population of insurance institutions covered by our audit was approximately 90% of these (190 of 210). The audit tested 10% of this population, selected using a risk-based approach with criteria such as the institution’s tier level and risk assessment ratings.