(a) An insurer or group of insurers doing business in this state shall establish an internal audit function to provide independent, objective, and reasonable assurance to the insurer’s audit committee and management regarding the insurer’s governance, risk management, and internal controls. This assurance shall be provided by performing general and specific audits, reviews, and tests, and by employing other techniques deemed necessary to protect assets, evaluate control effectiveness and efficiency, and evaluate compliance with policies and regulations.
(b) The audit committee of an insurer or group of insurers shall be responsible for overseeing the insurer’s internal audit function and granting the person or persons performing the internal audit function suitable authority and resources to fulfill the responsibilities required by this section.
(c) To ensure that an internal auditor remains objective, the internal audit function shall be organizationally independent. Organizational independence does not preclude dual-reporting relationships. The internal audit function shall not defer ultimate judgment on audit matters to others.
(d) (1) An individual shall be appointed to head the internal audit function, and shall have direct and unrestricted access to the insurer’s board of directors or audit committee.
(2) The head of the internal audit function shall report to the insurer’s audit committee regularly, but not less than annually, regarding all of the following:
(A) The periodic audit plan.
(B) Factors that may adversely impact the internal audit function’s independence or effectiveness.
(C) Material findings from completed audits.
(D) The appropriateness of corrective actions implemented by management as a result of audit findings.
(e) If an insurer is a member of an insurance holding company system or a group of insurers, the insurer may comply with this section at the ultimate controlling parent level, an intermediate holding company level, or the individual legal entity level.
(f) This section shall not apply to an insurer if either of the following apply:
(1) The insurer has annual direct written and unaffiliated assumed premium of less than five hundred million dollars ($500,000,000), including international direct and assumed premium, but excluding premiums reinsured with the Federal Crop Insurance Corporation and National Flood Insurance Program.
(2) The insurer is a member of a group of insurers, and the group of insurers has annual direct written and unaffiliated assumed premium of less than one billion dollars ($1,000,000,000), including international direct and assumed premium, but excluding premiums reinsured with the Federal Crop Insurance Corporation and National Flood Insurance Program.
(g) For purposes of this section, “internal audit function” means a person or persons that provide independent, objective, and reasonable assurance designed to add value, improve an organization’s operations, and accomplish an organization’s objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
(Added by Stats. 2019, Ch. 201, Sec. 3. (AB 1813) Effective January 1, 2020.)