Internal audit function

1. The persons carrying out the internal audit function shall not assume any responsibility for any other function.

2. Notwithstanding paragraph 1, and in particular by respecting the principle of proportionality laid down in paragraphs 3 and 4 of Article 29 of Directive 2009/138/EC, the persons carrying out the internal audit function may also carry out other key functions, where all of the following conditions are met:

(a) this is appropriate with respect to the nature, scale and complexity of the risks inherent in the undertaking's business;

(b) no conflict of interest arises for the persons carrying out the internal audit function;

(c) the costs of maintaining persons for the internal audit function that do not carry out other key functions would impose costs on the undertaking that would be disproportionate with respect to the total administrative expenses.

3. The internal audit function shall include all of the following tasks:

(a) establish, implement and maintain an audit plan setting out the audit work to be undertaken in the upcoming years, taking into account all activities and the complete system of governance of the insurance or reinsurance undertaking;

(b) take a risk-based approach in deciding its priorities;

(c) report the audit plan to the administrative, management or supervisory body;

(d) issue recommendations based on the result of work carried out in accordance with point (a) and submit a written report on its findings and recommendations to the administrative, management or supervisory body on at least an annual basis;

(e) verifying compliance with the decisions taken by the administrative, management or supervisory body on the basis of those recommendations referred to in point (d).

Where necessary, the internal audit function may carry out audits which are not included in the audit plan.