2025 Risks and Priorities

Introduction

We’re delighted to share our insights and views on the key risks and issues facing insurance sector firms and their internal audit functions in 2025.

As we look ahead, we’re mindful of the challenging backdrop that has continued to feature in 2024 due to economic, political, regulatory and technological developments. We expect this challenging environment to continue in 2025 and this, alongside developments within the internal audit profession including the new Global Internal Audit Standards and the new Internal Audit Code of Practice (IA Code), both effective from January 2025, is going to make it an interesting and busy year for internal audit functions.

As ever, internal audit functions play a key role in helping their firms to assess and enhance their governance, risk management and internal controls to manage the risks they face. The new Global Internal Audit Standards also highlight the need for internal audit functions to not only provide assurance but also provide advice, insight and foresight. So, it’s even more important for internal audit functions to look ahead at the risk landscape and make sure they’re well informed and “on top” of the risks their firms face, both now and in the future. We hope PKF’s insights into the following key risks help you to achieve this:

  1. Financial management
  2. Governance and culture
  3. Operations and IT
  4. Regulation
  5. Sustainability

As always, PKF is here to help internal audit functions and Heads of Internal Audit to assess how these risks impact your firm and how you can incorporate them into your internal audit plans for 2025 and beyond.

Financial management

Macroeconomic conditions and financial resilience

Both the FCA and PRA continue to highlight the challenging economic environment for insurance sector firms. For insurers, the PRA is particularly focussed on credit and liquidity risks, as well as ensuring that firms can make an orderly, solvent exit from the market should they need to. For intermediaries, the FCA continues its focus on the risks of firm failure on consumers and markets, particularly through its new financial resilience return. Connected to this, we are seeing intermediaries paying closer attention to their wind-down plans.

What does this mean for you?

In accordance with the new IA Code, internal audit functions should be considering financial risks, such as capital and liquidity risks, within their scope of work and this hasn’t changed. However, given the continuing challenging environment, you may want to consider the following areas afresh:

  • How financial risks, including credit and liquidity risks, are managed holistically by the firm. Is there a clear and well-understood capital, credit and liquidity risk management framework?
  • The models used by the firm to manage capital, credit and liquidity risks. Are these subject to robust governance and controls?
  • Is there an appropriate programme of scenario and stress testing to identify weaknesses and vulnerabilities in financial resilience?
  • Has the firm established an exit / wind-down plan? What is the governance process around this – has it been subject to suitable review and challenge and is there an opportunity / need for internal audit assurance around it?

Financial crime and fraud

Financial crime is a top priority for financial services and the regulators, particularly the FCA which has “reduction and prevention of financial crime” as one of its 13 public commitments. The landscape and risks are becoming increasingly complex with issues such as fraud (internal and external), anti-money laundering, sanctions, market abuse, bribery and corruption and facilitation of tax evasion. As part of its supervisory activities in 2024/5, the FCA is focussing on proactive assessments of financial crime systems and controls for firms. It is also consulting on updates to its Financial Crime Guide which is a very useful guidance tool for firms.

What does this mean for you?

The new IA Code now requires internal audit functions to include financial crime, economic crime and fraud within its scope of work. This should include the adequacy and effectiveness of governance, risk management and controls to prevent, identify, monitor and report on illegal acts including money laundering, bribery and corruption, accounting fraud, and other forms of financial and economic crime. Internal audit functions will need to determine how to cover this topic within their internal audit plans – whether as a standalone audit or as a cross-cutting theme across audits. We have previously published a useful report on “Keeping on Top of Fraud Risks: The Role of Internal Auditors” and suggest you revisit this for guidance on your internal audit approach.

Tax

During 2024, HMRC has been conducting business risk reviews across the Lloyd’s and London market. They have been particularly interested in the following areas:

  • Maintenance of a strong tax risk and control framework
  • Presence of a sufficiently resourced tax, finance, and human resources team
  • Documentation of firms’ processes and controls, tax policies and tax register, and ensuring that these are suitable for the size and complexity of the firm. Furthermore, HMRC is looking for regular review of these systems. Some of the tax areas that HMRC has been reviewing include:
    • Transfer pricing – compliance with master file and local file requirements and review of process notes and calculations
    • Robust accounting systems to operate and maintain firms’ VAT partial exemption special method
    • Off-payroll rules – if large firms are engaging contractors, HMRC is likely to review whether there is regular audit and review of compliance processes to ensure correct operation of the PAYE system
  • Understanding how firms comply with their obligations under the Corporate Criminal Offence legislation. HMRC is likely to review whether firms have undertaken an assessment to appropriately manage the risk of failing to prevent the facilitation of tax evasion.

As insurance firms and groups become increasingly complex through acquisitions and/or international expansion, it is important to keep on top of tax risks and establish suitable controls. For firms captured by the Senior Accounting Officer (SAO) regime (i.e., firms with £200m aggregate UK turnover or £2bn aggregate balance sheet total), the SAO (usually the CFO) is required to annually certify to HMRC whether the firm has appropriate tax accounting arrangements.

What does this mean for you?

As we have highlighted before, tax is a topic that is often ‘put to one side’ by internal audit functions on the basis that firms typically have external tax advisors, but also because internal audit functions rarely have the necessary skills in-house. In our view, firms and their internal audit functions should perform a comprehensive assessment of tax risks across corporate, overseas, VAT, IPT and employment taxes. A starting point for this may be to review your firm’s tax strategy, talk to your finance/tax teams and external tax advisors and review the latest correspondence with HMRC to understand its specific concerns and focus areas for your firm.

Governance and culture

Corporate Governance Code

Earlier this year, the FRC published the UK Corporate Governance Code 2024 (CG Code) which is effective for listed firms for financial years beginning on or after 1 January 2025. Whilst the updates to the CG Code were less than previously anticipated, there were some important changes relating to risk management and internal controls (covering not only financial but also operational, reporting and compliance controls). Specifically, the CG Code requires Boards to provide:

  • A description of how they have monitored and reviewed the effectiveness of the risk management and internal control framework
  • A declaration of effectiveness of material controls at the balance sheet date
  • A description of any material controls that have not operated effectively at the balance sheet date, the action taken / proposed to improve them and any previously reported issues.

What does this mean for you?

There has been a lot of discussion and debate around whether the Board declaration requires firms to introduce a SOX-style internal control framework. We don’t believe this is necessary. Whilst some better documentation or formalisation of the internal control framework may be needed, internal audit functions are well placed to provide assurance to their Boards on the effectiveness of material financial, operational, reporting and compliance controls. Internal audit functions should talk to their Boards to determine if / how their activities should be enhanced or expanded to meet the Board’s assurance needs.

Culture and behaviours

The insurance sector hasn’t had the best reputation when it comes to culture and behaviours, with some notable headlines in the insurance press on this topic in recent years. However, the sector as a whole, and many individual firms, are making efforts in this area. Specifically, the Lloyd’s market has established and is working towards its five-year Culture Strategy, and the results of its latest Culture Survey & Market Policies & Practices Return, published in March 2024, show improvements in behaviours and inclusion. Lloyd’s is currently consulting on a modernised framework for dealing with poor conduct and behaviours in the market, which will likely have a knock-on impact on managing agents.

What does this mean for you?

The approach to assessing culture has been a topic of debate among internal audit functions. Whilst the IA Code previously required internal audit functions to consider the risk and control culture of the firm, this has been widened in the new IA Code to cover organisational culture, including but not limited to risk and control culture. Internal audit functions will therefore need to think afresh about how to approach this and should consider:

  • The extent to which desired culture and behaviours have been articulated by the firm
  • How culture and behaviours are already assessed and measured within the firm – e.g., through firm surveys or the Lloyd’s Culture Survey. The results of these assessments should inform the focus areas for internal audit
  • How “tone from the top” is demonstrated – e.g., through the governance process and firm-wide communications
  • Processes that support the embedding of culture, values, ethics, etc. Some of this is likely to cross over with ESG strategies / initiatives.

Operations and IT

Cyber security

The latest Risk in Focus: Hot Topics for Internal Auditors report shows that cyber security has retained its position as being viewed as the top risk for firms. Cyber threats remain high and are evolving with increasing geopolitical uncertainty and state-sponsored attacks. Among the different types of cyber threats, ransomware is prevalent and particularly problematic for firms in terms of response.

What does this mean for you?

Given cyber security has been a hot topic for a number of years, most internal audit functions should have an established approach. However, it is important for internal audit functions to remain alert to and understand the evolving risks and, where appropriate, adapt or innovate their audit approach. For example, as firms move from undertaking desk-based testing of cyber-attack / response to more “real-life” scenarios, internal audit functions could consider participating in these – observing the scenario in practice, assessing the effectiveness of management response and understanding the lessons learned and how they’re being actioned.

In assessing cyber risks, internal audit functions should also consider what meaningful metrics are available to help monitor and measure the effectiveness of the key cyber security controls in place. The metrics to monitor and measure will depend on the specifics of each firm. However, given our understanding of typical root causes of cyber incidents, internal audit functions might consider the following metrics: completion of mandated cyber training; timeliness of patching for devices; effectiveness of leaver controls; review of key application permissions; updating of data maps; and governance of third-party vendors.
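As an added illustration (not from the article), the following Python shows how an internal audit function could test two of the metrics above with data analytics: patch timeliness and leaver-control effectiveness. The device and leaver records, field names and SLA thresholds are constructed assumptions.

```python
from datetime import date

# Assumed SLA thresholds: patches applied within 14 days of release,
# leaver accounts disabled within 1 day of the leaving date.
PATCH_SLA_DAYS = 14
LEAVER_SLA_DAYS = 1

# Reporting date for the metrics (constructed).
AS_OF = date(2024, 10, 31)

# Constructed sample of device patch records (not real data).
DEVICES = [
    {"host": "lap-001", "patch_released": date(2024, 9, 10), "patched": date(2024, 9, 20)},
    {"host": "lap-002", "patch_released": date(2024, 9, 10), "patched": None},
    {"host": "srv-001", "patch_released": date(2024, 9, 10), "patched": date(2024, 9, 12)},
    {"host": "srv-002", "patch_released": date(2024, 9, 10), "patched": date(2024, 10, 15)},
]

# Constructed sample joining HR leaving dates to IAM account-disable dates.
LEAVERS = [
    {"user": "a.smith", "left": date(2024, 8, 30), "disabled": date(2024, 8, 30)},
    {"user": "b.jones", "left": date(2024, 8, 30), "disabled": date(2024, 9, 9)},
    {"user": "c.khan", "left": date(2024, 9, 1), "disabled": None},
]


def _within_sla(done, started, as_of, sla_days):
    """True if the action was completed within sla_days of its start date.
    An action not yet completed is measured against the reporting date."""
    elapsed = ((done or as_of) - started).days
    return done is not None and elapsed <= sla_days


def patch_timeliness(devices, as_of=AS_OF, sla_days=PATCH_SLA_DAYS):
    """Return (share of devices patched within SLA, hosts outside SLA)."""
    late = [d["host"] for d in devices
            if not _within_sla(d["patched"], d["patch_released"], as_of, sla_days)]
    return (len(devices) - len(late)) / len(devices), late


def leaver_control_effectiveness(leavers, as_of=AS_OF, sla_days=LEAVER_SLA_DAYS):
    """Return (share of leaver accounts disabled within SLA, exception users)."""
    exceptions = [l["user"] for l in leavers
                  if not _within_sla(l["disabled"], l["left"], as_of, sla_days)]
    return (len(leavers) - len(exceptions)) / len(leavers), exceptions


def audit_metrics():
    """Collect both metrics into one dict, as an auditor's working paper might."""
    patch_rate, late_hosts = patch_timeliness(DEVICES)
    leaver_rate, open_accounts = leaver_control_effectiveness(LEAVERS)
    return {
        "patch_within_sla": patch_rate,
        "late_hosts": late_hosts,
        "leavers_within_sla": leaver_rate,
        "open_leaver_accounts": open_accounts,
    }


if __name__ == "__main__":
    for name, value in audit_metrics().items():
        print(f"{name}: {value}")
```

Exceptions such as an account still enabled after the leaving date are the items an auditor would trace back to the underlying joiner/mover/leaver process.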

Operational resilience

The potential for operational disruption came to light again in July 2024 with the CrowdStrike outage affecting many firms across the globe and different sectors. It caused huge operational disruption and financial damage.

Operational resilience is a key regulatory priority and firms must be able to operate within impact tolerances for each important business service by 31 March 2025. This will mark the end of a three-year transition period, during which time firms were expected to have refined and tested their operational resilience frameworks. With firms potentially being “distracted” by other regulatory priorities in recent times, such as Consumer Duty, there is a chance that firms may not be as advanced as they should be.

What does this mean for you?

As part of annual planning for 2025, internal audit functions should promptly assess the current state of their firm’s operational resilience arrangements and prioritise any audit work for early Q1 2025. As part of this, internal audit functions should consider the recent insights and observations shared by the FCA and focus on these areas including:

  • Whether the firm has kept its important business services and impact tolerances under regular review
  • Whether the mapping to resources has matured over time and incorporates relationships with third parties
  • Whether scenario testing has evolved in sophistication and results of testing and identified vulnerabilities have been properly considered and actioned
  • Adequacy of response and recovery plans.

Regulation

The UK regulators, particularly the FCA, are adopting a much more assertive approach. This has been evident from market-wide thematic reviews, Dear CEO letters, and s166 activity. We are also seeing other regulators, such as the Gibraltar FSC, taking a more robust approach and this is impacting a number of insurance groups.

Consumer Duty

Consumer Duty is now “business as usual” and firms should have produced their first annual Board report by July 2024. The FCA recognises that many firms have embraced the Consumer Duty and used it as a driver to shift firm culture and improve customer outcomes. However, based on our own observations, as well as those of the FCA, many firms have further work to do, particularly in relation to product governance, fair value, outcomes monitoring and MI.

What does this mean for you?

We anticipate that many internal audit functions will have considered Consumer Duty in 2024 and developed a good understanding of the overall approach and the success of its implementation. However, internal audit functions should keep a close eye on FCA insights and publications, such as the recent thematic review of product governance and insights on the price and value outcome, and challenge their firms to ensure they are continually improving. As well as considering the Consumer Duty and outcomes as a cross-cutting theme across the internal audit plan, internal audit functions would be wise to include some deep dives into key areas such as fair value assessments, consumer understanding or MI. In carrying out these reviews, internal audit functions will need to consider whether they have the right skills or depth of knowledge of Consumer Duty requirements and best practices or whether external support is required.

Solvency UK

The transition to Solvency UK has been lengthy but the PRA has recently announced plans to release its final rules by mid-November 2024. These will take effect on 31 December 2024 but are expected to include minor changes. Previous consultations and policy statements have already introduced changes to the risk margin, matching adjustment, and internal model review processes as well as reducing the administrative and reporting burden on firms. Some of these changes impact life firms more than general insurance firms. There will also be benefits for smaller insurers as a result of revised Solvency II thresholds meaning they have the option to become non-directive firms.

What does this mean for you?

Internal audit functions should continue to talk to their actuarial, capital and/or risk functions to understand and assess the impact of Solvency UK reforms on their firms. Where there are changes to key processes, assumptions, models and reporting, the internal audit function should consider how these changes have been implemented – the governance and controls around this – and the extent to which independent assurance from the internal audit function is needed. Given the technical nature of this area, strong engagement with the actuarial, capital, and/or risk functions is likely to be needed as well as consideration of external support.

Sustainability

Developments and stakeholder interest in ESG and sustainability topics continue unabated. Key developments include:

  • The UK Government announced in May 2024 that it expects to endorse sustainability standards (IFRS S1 and S2) for use in the first quarter of 2025. This is an important step towards enhancing the consistency and quality of sustainability reporting across the globe. The specific entities subject to mandatory reporting in accordance with these standards are yet to be confirmed but are expected to include large entities, public entities and those which prepare their financial statements under IFRS.
  • In Europe, new sustainability reporting requirements have been introduced through the Corporate Sustainability Reporting Directive (CSRD). It is being implemented in stages, with the first set of firms required to report for the 2024 financial year. CSRD is notable for a number of reasons:
    • It impacts a larger number / scope of firms, including non-EU firms / groups that meet certain criteria, including non-EU firms listed on an EU regulated market
    • The increased scope of the reporting requirements in accordance with the European Sustainability Reporting Standards (ESRS) covers environmental, social and governance topics totalling approximately 1,100 data points
    • The introduction of the double materiality concept will require firms to consider the effects of both sustainability matters on the firm and the effects of the firm on society and the environment
    • Mandatory requirement for limited assurance.
  • It is the PRA’s ongoing expectation that firms embed and improve their management of the financial risks from climate change. In particular, the Dear CEO letter at the start of 2024 highlighted the need for firms to improve their scenario analysis capabilities and further embed climate risk into risk management. An update to the PRA’s SS3/19 is expected soon and will provide clarity to firms and build on the SS3/19 approach.
  • Within the Lloyd’s market, Lloyd’s has published its roadmap on insuring the transition and focus areas for sustainability across underwriting, investments, exposure management and capital and reserving. Managing agents should be reviewing this and aligning their ESG and sustainability strategies.

What does this mean for you?

Given the pace of developments in relation to ESG and sustainability, internal audit functions need to keep a close eye on this topic. As a starting point, internal audit functions should be developing their understanding of the ESG and sustainability strategy and key activities / initiatives within their firms. Each firm is likely to be at a very different stage of maturity, so the extent and nature of internal audit work in this area won’t be one-size-fits-all. However, the new IA Code says the scope of internal audit work should include matters relating to environmental sustainability, climate change risks and social issues, such as diversity, equity and inclusion. Furthermore, internal audit functions should consider evaluating the processes to support, and the accuracy of, sustainability reporting and disclosures. Given the sustainability reporting developments highlighted above (in both the UK and Europe), assurance over reporting is likely to become increasingly relevant and important.

Internal audit functions should:

  • Talk to their finance / sustainability teams to understand what sustainability reporting standards are going to “bite” in the coming years and the firm’s plans to get ready for this
  • For Lloyd’s managing agents, assess the extent to which the Lloyd’s roadmap for insuring the transition has been considered and any gap analysis that has been performed
  • Consider the ESG and sustainability expertise and skills within the internal audit function. Where needed, identify any training needs and allocate individuals within the team to monitor and assess ESG and sustainability developments
  • Discuss with Audit Committee Chairs the appetite for assurance around ESG and sustainability strategy and reporting
  • Given the increasing interaction of financial and non-financial reporting, liaise with external auditors to understand their scope of work around ESG and sustainability reporting and any opportunities for co-ordination / support.

For more information on any of these topics, please contact Jessica Wills.