2018-12-11 | CD-SIBOIF-1089-2-DIC11-2018
The Superintendence of Banks and Other Financial Institutions (SIBOIF) issued Resolution No. CD-SIBOIF-1089-2-DIC11-2018 to establish mandatory internal control and audit standards for insurance, reinsurance, and surety entities in Nicaragua. The regulation mandates that these institutions maintain an independent Internal Audit Unit (UAI) and a Board of Directors committee to ensure operational efficiency, risk management, and regulatory compliance. It defines strict qualifications for internal auditors, outlines their specific responsibilities, and requires the implementation of an annual work plan aligned with international auditing standards.
Page 1 of 20 Resolution No. CD-SIBOIF-1089-2-DIC11-2018 Dated December 11, 2018
NORM ON INTERNAL CONTROL AND INTERNAL AUDIT OF INSURANCE, REINSURANCE, AND SURETY COMPANIES, AND BRANCHES OF FOREIGN INSURANCE COMPANIES
The Board of Directors of the Superintendence of Banks and Other Financial Institutions,
CONSIDERING
I
That Article 57 of Law No. 733, General Insurance, Reinsurance, and Surety Law, published in La Gaceta, Official Gazette No. 162, 163, and 164 on August 25, 26, and 27, 2010, in its relevant parts, establishes that without prejudice to the surveillance and oversight corresponding to the Superintendent over insurance companies, such companies must have an internal auditor whose responsibilities include the inspection and oversight of the operations and accounts of the respective company. It also provides that the Board of Directors may issue general norms that internal auditors must comply with in the performance of their functions.
II
That the work carried out by internal audit units, which periodically evaluate the degree of efficiency and effectiveness of the internal control systems implemented by supervised financial institutions and verify their compliance by the members of said institutions, constitutes a fundamental mechanism of support for the supervision and control carried out by this Superintendence; therefore, it is necessary to establish and update the minimum criteria required for their exercise in accordance with international standards and best practices.
III
That in accordance with the foregoing and based on the powers established in Article 10, numerals 2) and 10), of Law No. 316, Law of the Superintendence of Banks and Other Financial Institutions, and its reforms; contained in Law No. 974, Law of the Nicaraguan Legal Digest of the Banking and Finance Matter, published in La Gaceta, Official Gazette No. 164, on August 27, 2018, and its reforms.
In exercise of its powers,
HAS ISSUED
The following:
Resolution No. CD-SIBOIF-1089-2-DIC11-2018
NORM ON INTERNAL CONTROL AND INTERNAL AUDIT OF INSURANCE, REINSURANCE, AND SURETY COMPANIES, AND BRANCHES OF FOREIGN INSURANCE COMPANIES
CHAPTER I GENERAL PROVISIONS
Article 1. Concepts.- For the purposes of this norm, the terms indicated in this article, both in uppercase and lowercase, singular or plural, shall have the following meanings:
a) Unplanned Activities: Special examinations that are not foreseen in the annual work plan and that become necessary for the evaluation of the functioning of the internal control system and its different components;
b) Planned Activities: Activities authorized by the board of directors of the company, which must be executed promptly by the Internal Audit Unit, with the objective of examining, evaluating, and monitoring the adequacy and effectiveness of internal control systems;
c) Deputy Internal Auditor: Refers to the professional audit official, a permanent member of the Internal Audit Unit, with the necessary capacity to temporarily substitute the internal auditor in case of a temporary absence of more than 30 calendar days.
d) Audit Committee or Committee: The Audit Committee appointed by the board of directors of the company;
e) Days: Calendar days, unless it is expressly established that it refers to business days;
f) Significant Events: These are constituted by those events that may have a material impact on liquidity, solvency, image, among other aspects of the company. The materiality of an event will depend on whether it has the potential to cause an important impact, whether quantitative or qualitative, on an important business line of the company or on its operations in general. To this effect, the internal auditor must apply their best professional judgment to determine those events they consider may potentially impact the company and require reporting due to their significant nature;
g) Institute of Internal Auditors: An international association dedicated to the continuous professional development of the internal auditor and the internal audit profession, better known by its English acronym as IIA (The Institute of Internal Auditors);
h) Board of Directors: The main administrative body of the companies;
i) General Banking Law: Law 561, General Banking Law, Non-Banking Financial Institutions and Financial Groups, published in the Official Gazette No. 232, on November 30, 2005; contained in Law No. 974, Law of the Nicaraguan Legal Digest of the Banking and Finance Matter, published in La Gaceta, Official Gazette No. 164, on August 27, 2018, and its reforms.
j) General Insurance Law: Law No. 733, General Insurance, Reinsurance, and Surety Law, published in La Gaceta, Official Gazette No. 162, 163, and 164, on August 25, 26, and 27, 2010; contained in Law No. 974, Law of the Nicaraguan Legal Digest of the Banking and Finance Matter, published in La Gaceta, Official Gazette No. 164, on August 27, 2018, and its reforms.
k) Manual: Internal Audit Manual that contains the policies, procedures, and audit techniques to be used to evaluate the functioning of the internal control system of the supervised company;
l) Accounting Framework: Refers to the Accounting Framework for Insurance, Reinsurance, and Surety Companies;
m) IFRS: International Financial Reporting Standards issued by the International Accounting Standards Board, better known by its English acronym as “IASB”;
n) International Standards for the Professional Practice of Internal Auditing: Standards issued by the Institute of Internal Auditors that serve as an international reference in the matter;
o) Plan: Annual work plan that contains the general guidelines, objectives, scope, and planned activities developed by the internal audit unit during each fiscal year;
p) Internal Control System: Set of policies, procedures, and control techniques established by the company to provide reasonable assurance in achieving adequate administrative organization and operational efficiency, reliability of reports flowing from its information systems, appropriate identification and management of the risks it faces in its operations and activities, and compliance with the legal provisions applicable to it;
q) Insurance Company or Company: Entity that operates in insurance, reinsurance, and surety, national or foreign, privately owned, state-owned, or mixed, in accordance with what is established in the General Insurance Law;
r) Superintendence: Superintendence of Banks and Other Financial Institutions;
s) Superintendent: Superintendent of Banks and Other Financial Institutions;
t) UAI or Internal Audit Unit: Refers to the internal audit unit, an area of the company with total operational independence and under the responsibility of an internal auditor.
Article 2. Object.- The object of this norm is to regulate the scope of internal audits and establish guidelines so that the board of directors of the insurance company, through its UAI, permanently oversees the efficiency and effectiveness of internal control systems and compliance with its regulations with the aim of minimizing risks, using the principles established in this norm and in generally accepted audit techniques and procedures.
Article 3. Scope.- The provisions of this norm are applicable to insurance, reinsurance, and surety companies, and branches of foreign insurance companies supervised.
CHAPTER II INTERNAL CONTROL
Article 4. Mandatory Nature of Internal Control.- Insurance companies are obligated to have an internal control system that, at a minimum, contains a set of control policies, procedures, and techniques established and implemented by the administration of the insurance company to provide reasonable assurance in the safeguarding of assets and to achieve adequate administrative organization and operational efficiency, reliability of reports flowing from its information systems, appropriate identification and management of the risks it faces, and compliance with the legal provisions applicable to it.
CHAPTER III BOARD OF DIRECTORS
Article 5. Responsibilities of the Board of Directors.- Regarding internal control, the board of directors of the insurance company is responsible for adopting, at a minimum, the following measures:
a) Establish mechanisms, guidelines, procedures, and policies oriented towards establishing an adequate internal control system. These measures must include the way to keep board members permanently informed;
b) Meet once a month, without prejudice to extraordinary meetings, to address matters that require prompt attention;
c) Record in the Minutes Book the agreements and resolutions adopted on the topics addressed, so that the analysis, discussion, and decision-making on said topics can be verified, as well as an exercise of follow-up on the implementation of decisions and measures adopted. Such minutes must be signed by the president and secretary of the board of directors in accordance with what is provided in Article 42 of the General Insurance Law;
d) Establish the audit committee and approve the regulations for its functioning;
e) Form a UAI under the responsibility of an internal auditor who complies with what is established in Article 57 of the General Insurance Law and the requirements established in this norm and in the regulations governing the matter on requirements to be a director, general manager, and/or principal executive and internal auditor of financial institutions;
f) Delimit the functions and responsibilities of the administration, control, and audit bodies;
g) Ensure that the UAI develops its functions with absolute technical independence in accordance with the provisions established in the General Insurance Law and this norm;
h) Ensure that the members of the UAI are effectively separated from administrative and/or operational functions, which are inappropriate for the independent function of auditing;
i) Ensure that the administration and control bodies implement and execute the provisions established in guidelines and procedures emanating from the board of directors;
j) Ensure the effectiveness of the design and functioning of the internal control structure and environment, to determine if it is functioning according to its objectives, and modify it when necessary;
k) Take immediate action and adopt the necessary corrective measures on any significant situation or finding detected that requires its prevention or correction;
l) Ensure that the recommendations derived from internal audit reports, external audit, money laundering prevention administrator, as well as instructions from the Superintendent, are implemented.
CHAPTER IV INTERNAL AUDIT UNIT
Article 6. Characteristics of the Audit Unit.- Insurance companies must have a UAI, which shall have the following characteristics:
a) It will be in charge of an internal auditor appointed in accordance with what is ordered in Article 57 of the General Insurance Law, and with the requirements established in this norm and in the regulations governing the matter on requirements to be a director, general manager, and/or principal executive and internal auditor of financial institutions;
b) It must have an official with the necessary capacity to perform the functions of the internal auditor in case of temporary absence of the latter, for which the board of directors of the company will appoint a deputy internal auditor who complies with the same requirements of this norm to temporarily substitute the internal auditor. The deputy internal auditor will assume the functions of the internal auditor for a temporary absence of more than 30 days and less than 60 days. In case of removal of the internal auditor or when the period of absence exceeds 60 days, the deputy internal auditor may be appointed interim internal auditor in accordance with what is established in Article 15 of this norm.
c) Its members must be effectively separated from the administrative and operational functions of the company;
d) It will depend organically, functionally, and administratively on the board of directors of the insurance company;
e) It will fulfill its functions and objectives in a timely, independent, effective, and efficient manner;
f) It will have direct, free, and unrestricted access to all corporate books, among others: those of an accounting nature, share register, board of directors, general shareholders' meetings, credit committee, surety committee, investment committee, claims committee, strategic direction committee, and any other committee or working group existing or created in the company; as well as to the records, files, documents stored in any medium, and information on the operations it considers necessary for the exercise of its audit functions;
g) It must have appropriate infrastructure and adequate human, technical, and logistical resources commensurate with the magnitude and complexity of the insurance company's operations, as well as the risks it faces;
The board of directors of the insurance company is responsible for ensuring the appropriate conditions for the development of the internal audit function;
The internal auditor, the deputy internal auditor, and other auditors who make up the UAI must receive permanent, continuous, and updated training in matters related to their functions, for which it corresponds to the internal auditor to present the training needs regarding the members of the UAI, indicating the main areas of training and the number of hours required annually, a request that must be presented and discussed in the audit committee and authorized by the board of directors.
All information obtained by the UAI is subject to the restrictions established in Article 91 of the General Insurance Law.
Article 7. Functions of the Audit Unit.- The UAI will have the following minimum functions:
a) Evaluate the design, execution, effectiveness, and sufficiency of the internal control system;
b) Evaluate compliance with the legal and regulatory provisions governing the insurance company;
c) Evaluate the reliability, confidentiality, availability, effectiveness, integrity, and functionality of information technology and the control mechanisms and usage established by the insurance company to guarantee its security and protection;
d) Carry out permanent follow-up on the implementation and compliance with orders, instructions, and/or recommendations formulated by the Superintendent, by external auditors, and by the UAI itself;
e) In accordance with the audit standards referred to in this norm and based on the Insurance Company's Audit Risk Matrix, design the annual work plan, comply with the planned activities in it, and prepare the respective reports;
f) Verify the effectiveness of the internal controls proposed and designed for an operation, service, or product in the pre-launch stage;
g) Verify the organizational structure authorized by the board of directors of the company, in relation to the effective segregation of functions and exercise of powers attributed to each of its officials;
h) Evaluate the sufficiency, effectiveness, and compliance of the integrated system for the management and prevention of the risks of money laundering, terrorism financing, and financing of the proliferation of weapons of mass destruction, for which they must consider the regulations issued by the Superintendence and international best practices in the matter;
i) Evaluate the compliance of the insurance company with the application of IFRS in the preparation of its financial reports;
j) Evaluate compliance with other aspects determined by the board of directors, the audit committee, and the Superintendent.
Article 8. Qualities of the Audit Unit.- The persons who make up the UAI must possess the knowledge, technical aptitudes, experience, and other qualities required for the fulfillment of their responsibilities.
Without prejudice to the foregoing, every UAI must have an information systems auditor, who collaborates in achieving its functions and objectives. This auditor must have technical aptitudes, knowledge, and specific experience in systems auditing. Said auditor may also be subcontracted.
Article 9. Subcontracting.- Insurance companies may subcontract functions assigned to the UAI in order to gain technical, resource, methodological, and other advantages. This type of subcontracting must comply with what is established in Article 130 of the General Banking Law, with the requirements indicated in this norm, and with what is provided in the regulations governing the matter on contracting service providers for the performance of operations or services in favor of financial institutions.
Regardless of the level of subcontracting, the internal auditor remains responsible for ensuring that internal audit functions adequately and effectively, and in accordance with what is provided in this norm and according to the service agreement or contract signed with the provider. The internal auditor is responsible for supervising compliance with the service contract, ensuring the general quality of activities, reporting to the audit committee, as well as carrying out follow-up on the results of the contracted work.
Article 10. Audit Procedures and Techniques.- The audit procedures and techniques employed by the UAI must adhere to the provisions established in this norm and to what is established in the International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors. Likewise, said audit procedures and techniques must be contained in the respective manual of internal audit procedures and techniques.
CHAPTER V INTERNAL AUDITOR
Article 11. Appointment of the Internal Auditor.- The UAI will be in charge of the Internal Auditor, a full-time official with exclusive dedication, whose appointment corresponds to the General Shareholders' Meeting or the highest body of direction and administration equivalent, in the case of state-owned or mixed entities, in accordance with Article 57 of the General Insurance Law.
In order to avoid possible conflicts of interest, insurance companies cannot appoint as internal auditor persons who in the last twelve (12) months have held positions in the accounting area or managerial positions in operational areas or business units, in the same company.
Article 12. Requirements of the Internal Auditor.- The interested party who wishes to provide their services to an insurance company as an internal auditor must meet the following requirements:
a) Be an authorized public accountant;
b) Have a minimum experience of three years in financial system institutions in the audit area, or in other related areas or activities, or in external audit firms, in which they have performed audit work in financial system institutions, which has allowed them to accumulate the knowledge to perform such a position; and
c) Meet the qualification criteria and information requirements established in the regulations governing the matter on requirements to be a director, general manager, and/or principal executive and internal auditor of financial institutions.
To prove compliance with the aforementioned requirements, the insurance company must present the documentation required by the regulation referred to in subsection c) of this article.
Article 13. Responsibilities of the Internal Auditor.- The internal auditor is responsible for complying, at a minimum, with the following:
a) Inform the Superintendent in writing in case of temporary absence from their position for more than thirty (30) days and of any other modification in the composition of the UAI that significantly affects its functioning and independence;
b) Verify that practices favoring partners, directors, or administrators of the company, which could constitute a detriment to the interest of clients, do not occur. If the existence of any practice of this nature is verified, they must report it in writing, immediately and simultaneously, to the Audit Committee and the Superintendent;
c) Communicate the occurrence of significant events immediately, directly, and simultaneously, to the supervisor elected by the general shareholders' meeting, to the Superintendent, to the audit committee, and to the board of directors of the company. Such communication must be made no later than three (3) days after becoming aware of the events;
d) Perform the task of coordinator of the supervision and reviews that the Superintendence and external audit carry out on the company.
Article 14. Removal of the Internal Auditor.- The removal of the internal auditor before the expiration of their term must have the vote of the majority of two-thirds of shareholders present in the General Assembly or of the highest body of direction and administration equivalent, in the case of state-owned or mixed entities. In all cases, said removal must be submitted to the consideration of the Superintendent for non-objection, indicating the reasons that justify such a measure, in accordance with what is established in Article 57 of the General Insurance Law. The Superintendent may request a report from the internal auditor, who must present it no later than on the date indicated to them. Once the aforementioned term has passed, the Superintendent within eight (8) business days thereafter, by reasoned resolution, will determine what they consider pertinent. In this case, the lack of an internal auditor cannot last more than sixty (60) days.
Article 15. Interim Internal Auditor.- With prior authorization from the Superintendent, the UAI may be in charge of an interim internal auditor appointed by the general shareholders' meeting or the highest body of direction and administration equivalent, for a period of up to six (6) months, except in case of removal of the internal auditor, in which case, the UAI may be in charge of it for up to sixty (60) days as provided in the preceding article. The interim internal auditor must meet the same requirements established in this norm for the case of the internal auditor.
CHAPTER VI ANNUAL WORK PLAN
Article 16. Minimum Content of the Annual Work Plan.- The preparation of the annual work plan will be the responsibility of the UAI. The plan must be presented to the audit committee and approved by the board of directors within the last quarter of the immediate previous year to the fiscal year in which it will be executed. The plan must include, at a minimum:
a) The general guidelines, objectives, and scope of the audit activities to be carried out during the fiscal year;
b) The planned activities, including the frequency, duration, and resources required for each activity;
c) The audit risk matrix, which must be updated annually and reflect the risks identified in the company's operations;
d) The allocation of resources, including human, technical, and logistical resources, necessary for the execution of the plan;
e) The schedule for the execution of the planned activities;
f) The criteria for the selection of audit areas and the determination of the frequency of audits;
g) The procedures for the evaluation of the effectiveness of the internal control system;
h) The procedures for the follow-up on the implementation of recommendations derived from audit reports;
i) The procedures for the communication of significant events;
j) The procedures for the coordination with external auditors and the Superintendence.
Article 17. Modification of the Annual Work Plan.- The annual work plan may be modified during the fiscal year in which it is executed, due to changes in the risk profile of the company, new regulatory requirements, or other relevant factors. The modification must be approved by the board of directors.
Article 18. Reporting on the Annual Work Plan.- The UAI must report to the board of directors and the audit committee on the progress of the execution of the annual work plan at least once a quarter. The report must include, at a minimum:
a) The activities executed and those pending execution;
b) The findings and recommendations derived from the executed activities;
c) The status of the implementation of recommendations from previous audits;
d) The changes in the risk profile of the company;
e) The resources used and the resources required for the execution of the plan.
CHAPTER VII AUDIT REPORTS
Article 19. Content of Audit Reports.- The audit reports must contain, at a minimum:
a) The objective of the audit;
b) The scope of the audit;
c) The methodology used;
d) The findings and recommendations;
e) The management's response to the findings and recommendations;
f) The follow-up plan for the implementation of recommendations.
Article 20. Distribution of Audit Reports.- The audit reports must be distributed to the board of directors, the audit committee, the general manager, and the Superintendent, as applicable.
Article 21. Confidentiality of Audit Reports.- The audit reports are confidential and must be handled in accordance with the provisions of the General Insurance Law and other applicable regulations.
CHAPTER VIII FINAL PROVISIONS
Article 22. Entry into Force.- This norm will enter into force on the date of its publication in La Gaceta.
Article 23. Repeal.- The following norms are repealed:
a) Resolution No. CD-SIBOIF-001-2005, Norm on Internal Control and Internal Audit of Insurance Companies;
b) Any other provision that contradicts this norm.
Article 24. Interpretation.- In case of doubt regarding the interpretation of this norm, the Superintendent's interpretation will prevail.
Article 25. Publication.- This norm will be published in La Gaceta.
Given in the city of Managua, on December 11, 2018.
[Signature] President of the Board of Directors Superintendence of Banks and Other Financial Institutions
[Signature] Secretary of the Board of Directors Superintendence of Banks and Other Financial Institutions