OIC IT Compliance Audit

Regulatory Compliance Audit Based on IT Audit Manual – Risk Based Supervision, Office of Insurance Commission - Manual v.1.0 dated 16 Nov 2021

(การตรวจประเมิน อ้างอิงตามคู่มือการตรวจสอบด้านเทคโนโลยีสารสนเทศตามแนวทางการกำกับดูแลตามความเสี่ยง สำนักงานคณะกรรมการกำกับและส่งเสริมการประกอบธุรกิจประกันภัย หรือ คปภ.)

The Office of Insurance Commission (OIC) had developed an OIC announcement entitled "Governance and Management of IT Risks of Life Insurance Companies, B.E. 2563" and "Governance and Management of IT Risks of Non-life Insurance Companies, B.E. 2563" to enforce insurance companies to govern and manage IT risks and cyber threats appropriately and systematically according to international standards. In addition, this announcement recommends life and non-life insurance companies to effectively implement 96 risk controls in the areas of IT project management, IT governance and planning, IT laws and regulatory compliance and IT audit.

This manual "IT Audit Manual – Risk Based Supervision" is developed based on the above announcements for the wider benefits and confidence building for insurance companies, their clients and the people.

• Audit Scope

TUV NORD Thailand Limited was established in 1989 as part of the TÜV NORD Group. During the past decades, TUV NORD Thailand has accumulated extensive experience in information securities, IT risks and IT related certification to ensure ability to provide suggestions to our customers on the full range of information securities and IT related services provisioning, and be expert in information securities, IT risks and IT related audit.

1. Understanding the requirements of OIC 'IT Audit Manual – Risk Based Supervision', Manual v.1.0 dated 16 Nov 2021.

2. Establish the scope, objectives and context of the organization in accordance with OIC 'IT Audit Manual – Risk Based Supervision', Manual v.1.0 dated 16 Nov 2021.

3. Get Management Buy-in.

4. Perform IT risk assessment activities.

5. Implement controls to mitigate information technology risks.

6. Organize information technology risks training for all relevant parties.

7. Review and update mandatory documentation according to OIC 'IT Audit Manual – Risk Based Supervision', Manual v.1.0 dated 16 Nov 2021.

8. Choose a non-accredited certification body, e.g., TUV NORD Thailand to conduct a regulatory compliance audit against OIC Announcement - Governance and Management of IT Risks of Life Insurance Companies, B.E. 2563 and/or Governance and Management of IT Risks of Non-life Insurance Companies, B.E. 2563.

1. OIC Announcement - Governance and Management of IT Risks of Life Insurance Companies, B.E. 2563

2. OIC Announcement - Governance and Management of IT Risks of Non-life Insurance Companies, B.E. 2563