27.09.2023

VAIT-Readiness Assessment

Your key to a secure IT organisation

Regulatory challenges of VAIT for insurance companies

BaFin audits involve considerable effort for insurance companies and therefore carry a high regulatory risk. They often end with extensive change requests that have to be implemented under time pressure and with heavy use of resources. Penalties have already been imposed in the form of capital surcharges to cover risks attributable to deficiencies in the business organisation. BaFin can impose these measures on Solvency II-supervised insurers if the implementation of the supervisory requirements is deemed inadequate.

Since the Wirecard scandal in particular, BaFin has increased its audit resources and now audits IT organisations more intensively and more frequently. Proactive measures such as mock audits can considerably reduce the burden of a BaFin audit and significantly improve its outcome. The focus should be on the implementation of the Insurance Supervisory Requirements for IT (VAIT).

The main aspects of VAIT

The current VAIT amendment, in force since 3 March 2022, specifies the legal requirements of Sections 23 to 32 of the Insurance Supervision Act (VAG). With the aim of structuring the IT organisation reliably, it defines the framework for the technical and organisational equipment of companies. The VAIT comprises eleven chapters, as shown in the following diagram:

Challenges for insurance companies

Checking your own IT organisation for VAIT compliance and implementing change requests following an audit usually involves considerable additional work. VAIT is not always clearly defined at an operational level and leaves room for interpretation. Many companies lack experience with VAIT audits, which increases the risk of misinterpreting the often vaguely formulated requirements. Even with careful planning, appropriate resource allocation and a proactive approach, comprehensive implementation cannot be guaranteed.

In order to make the performance of an audit and the subsequent implementation of the requirements as smooth and controlled as possible, it is advisable to conduct an internal assessment at an early stage. This clarifies whether the IT organisation complies with the VAIT requirements. Intero Consulting has already successfully carried out such assessments for various clients.

Our team of experts is at your side to uncover discrepancies between your organisation and the legal requirements. Together with your team, we analyse compliance with the requirements and are available to you as a sparring partner.


Our assessment comprises five successive phases:

  1. Setup: The first step is to define responsibilities, set up the project organisation and conduct a joint kick-off with all parties involved.
  2. Self-assessment: Your compliance experts assess the current status using a clearly defined catalogue of questions on the VAIT requirements in order to produce an initial picture of the gaps between the actual and target status. The results are documented in the Intero Consulting VAIT tool.
  3. Interview phase: The initial assessment (phase 2) is validated by our team through consultations and discussions with your compliance experts. In this way, we can also help to spread understanding and awareness of the content and importance of the regulatory requirements within your organisation.
  4. Results phase: The assessment results are finalised and presented. A mitigation plan with the necessary steps for implementation is also developed.
  5. Implementation phase (optional): In this phase, we support you in the implementation of the mitigation plan to ensure that the necessary adjustments are successfully implemented.


This structured assessment allows you to benefit from our experience in accompanying various mock audits and BaFin VAIT audits on the insurer's side, together with the changes that followed them. We have summarised the key benefits of the Intero Consulting VAIT Readiness Assessment for you here:

  • Structured VAIT fulfilment analysis
    • Detailed evaluation of the differences between the actual and target status and identification of weak points.
    • Checking the availability of evidence by evaluating existing policies, guidelines, documentation etc. to identify gaps, and setting up an evidence repository.
  • Professional audit preparation
    • Training for effective internal and external communication for clear, precise and timely provision of information, e.g. in the event of an audit.
    • Development of a process, including the definition of responsibilities, for providing information in regulatory audits of any kind.
  • Raising the organisation's awareness of supervisory requirements
    • Creating an understanding of the requirements by providing information on all applicable and relevant rules and regulations relating to day-to-day operations.
    • Communicating the requirements to employees through workshops and training sessions.
  • Deriving measures and structuring a mitigation plan based on fulfilment analysis
    • Derivation of a concrete catalogue of measures
    • Prioritisation of the necessary changes and development of a mitigation plan in terms of time and content

Feel free to contact us to explore your own options and carry out your VAIT readiness assessment together.

Your contact partners


Jochen Friedrich

Partner

Michael Lohmann

Associate Manager

Further GRC insights

19.03.2025

EU AI Act Compliance 2025: How to Master AI Regulation & Risks

08.11.2024

DORA and management of ICT third-party risks in the financial sector

11.04.2024

DORA Readiness Analysis

27.09.2023

VAIT-Readiness Assessment

25.01.2023

Governance, Risk & Compliance - Audit Management
