The demands on the internal audit departments of insurance organizations have increased significantly in recent years as technology advances, regulation becomes more rigorous, new risks emerge, and companies seek more business insights. Internal audit plays a crucial role in providing assurance on an organization’s governance, risk management, and control processes to help achieve strategic, operational, and financial objectives while balancing compliance objectives and expectations from regulators. Internal audit departments need to leverage an understanding of insurance industry trends, feedback from leadership, regulatory compliance requirements, and available public information to add value to the organization – to optimize internal audit value.
The Institute of Internal Auditors (IIA) defines internal auditing as an independent, objective assurance and consulting activity that adds value to and improves an organization’s operations. There is no easy way to assess the value internal audit adds to its organization. The function’s worth can be different from business to business, and the expectations placed on internal audit change rapidly. However, there are key optimization characteristics defined by the IIA that organizations can focus on.
Insurance organizations need their internal auditors to be thought leaders. A continuous learning and process improvement culture within the internal audit department needs to be developed and nurtured. The leadership team within the internal audit department should strive to be leaders within relevant professional industry groups.
To add value, internal audit departments should have a defined process to evaluate skill set and training needs, and align risk assessment and audit plan results with an analysis of gaps in their ability to deliver best-in-class assurance and recommendations. Internal audit departments should seriously consider investing in training on insurance operations, as many executives and operational managers at insurance organizations consistently state that internal audit knows how to audit but does not understand the insurance business, resulting in misaligned or poor recommendations.
The internal audit department must look at the organization’s strategies to achieve those goals in concert with industry trends and evolving regulations while providing insightful recommendations for achieving objectives.
Internal audit departments that provide the most value provide “better practice” recommendations, understanding that there is not one “best practice” as each organization is unique.
Internal audit should have appropriate visibility and alignment with key stakeholders, management, and the audit committee. There should be a direct functional reporting line of the chief audit executive (CAE) to the audit committee. The CAE should report to executive management for establishing direction, support, and administrative interface; and to the audit committee for validation, reinforcement, and accountability. The internal audit activity must assess and make appropriate recommendations for improving the governance process in accomplishment of the following objectives:
Internal audit should have a seat at the table on enterprise risk management discussions and act as champion of enterprise risk management, not just an administrator.
An optimized internal audit function integrates performance data, leading practices, and feedback received from an ongoing quality assurance and improvement program to continually strengthen and develop internal audit’s ability to provide value.
Information technology trends are transforming insurance company strategy, operations, and ultimately internal audit’s value proposition. Increased cybersecurity risk, lack of legacy core system integration, and less control over device management continue to add new elements of risk. This also adds areas for internal audit to add value. Previously, IT auditors were viewed as a supplement to the internal audit team and function; however, to optimize value an internal audit department should assess its team and the number of auditors with experience, background, and certification in information technology.
Internal audit’s ability to add value is unique and is an ongoing, dynamic process dependent on the size of the internal audit department, type of insurer, company culture, and demographics. However, there are action steps all insurers can take in the short term with a view to the long term.
Have an internal audit strategy that aligns with the company’s strategy and objectives. Many internal audit departments have an informal alignment plan and can communicate the plan if questioned; however, a formal, concise, and easy to understand plan often does not exist. Formalize an internal audit strategic plan that addresses:
Conduct a mapping and gap analysis exercise comparing the risk assessment and audit plan to your department skill sets, both soft skills and technical skills. Begin the process to fill the gaps through internal training, certification programs, and co-sourcing or outsourcing.
Internal audit should also be providing training to departments and business units on the purpose and value of internal audit. Internal audit should collaborate with management during the planning process to ensure that areas of concern are addressed appropriately. Provide thought leadership to your business units on a periodic basis on internal control efficiencies, emerging risks, and industry hot topics for management attention.
Many internal audit departments spend more than 80% of their time providing assurance on control effectiveness.[1] Start by taking a deeper look at the risk assessment process and consideration for emerging trends, feedback from management, and industry data. Ensure the internal audit plan reflects the current state, expected future state, and avoids duplication of efforts from external audit. Assess the strategic risks to the organization and discuss with management opportunities where internal audit can add value. Considerations for audits and advisory reviews that would apply across the property and casualty and life and health industries are as follows:
Insurance organizations continue to focus on the use of big data and predictive modeling. The increases in technologies and data analysis are transforming how insurers write and manage their business. Internal audit should incorporate data analytics to assist in driving the risk assessment process as part of the overall audit plan, as well as part of individual engagements. In addition, model validation and data validation assurance is a key
With the increasing pressure from regulators on developing robust enterprise risk management (ERM) programs, Own Risk and Solvency Assessments (ORSA), Solvency II requirements, NAIC risk-focused examinations, and state-specific requirements, internal audit is increasingly taking on the role of ERM administrator. Transform the role from administrator to ERM champion. The ERM champion approach can allow internal audit to facilitate linking risk to strategy and build risk awareness throughout the culture of the organization.
Develop key performance indicators (KPIs) that focus on the value internal audit provides to the organization. KPIs can include measurements such as:
Insurance organizations’ internal audit departments have more demands than many other organizations, namely because they are providing assurance insight and consultation on risk management to an industry that executes risk management as its business. However, because insurance organizations are operating in an environment of ever-increasing change and regulation, internal audit has vast opportunities to improve and provide value optimization.
For more information on this topic, or to learn how Baker Tilly insurance industry specialists can help, contact our team.
[1] Internal Auditor magazine, “Internal audit in 2020,” December 1, 2013.