Navigating an uncertain future: Key trends for internal audit leaders in the insurance industry

Attracting, developing and retaining skilled employees remains a significant challenge for internal audit departments. High turnover rates, lack of succession planning and insufficient training programs can lead to a loss of institutional knowledge and decreased productivity. To address these issues, organizations should invest in robust talent management strategies that focus on employee engagement, continuous learning and career development.  

Internal audit considerations 

• Assess workplace planning: Internal auditors should evaluate the organization’s talent management practices, including workforce planning and succession strategies. Understanding which roles are critical and most vulnerable to turnover can help organizations protect their institutional knowledge. 
• Review training programs: Effective and relevant training programs are crucial in preparing staff to handle the unique challenges of emerging risks. Internal audit can assess whether these programs adequately address skill gaps, especially in high-priority areas such as data analytics and cybersecurity. 
• Conduct an emergency and culture audit: Employee engagement impacts retention and productivity. Internal audit can gather insights on turnover rates, employee satisfaction and the overall workplace culture, providing recommendations to enhance employee morale and retention. 

AI and ML are revolutionizing tasks that traditionally required human intelligence for action. In the insurance sector, these technologies enable organizations to automate processes, enhance decision-making and improve customer experience. However, the adoption of AI and ML also brings new risks, such as algorithmic bias, data privacy concerns and a magnitude of programmatic errors, which can be carefully managed. 

Internal audit considerations 

• Evaluate model governance: Internal audit should review AI and ML governance to ensure model integrity, fairness and transparency. This includes examining how models are designed, developed, tested, monitored and validated to avoid biases that could lead to regulatory or reputational issues. 
• Privacy and compliance: Internal audit should verify that AI and ML applications comply with data privacy regulations and align with internal policies, particularly for customer-facing functions. 
• Establish risk-based monitoring: Ongoing monitoring is essential to detect model drift and bias in AI systems, ensuring they perform as intended while remaining compliant with evolving regulations. 

Data governance frameworks are critical to maintaining data quality, security and compliance. With insurance organizations increasingly relying on data to inform strategic decisions, internal audit leaders should focus on robust data governance to mitigate risks associated with data breaches and to ensure data integrity. 

Internal audit considerations 

• Evaluate data governance frameworks: Internal audit should assess data ownership, accountability and governance policies to ensure data is well managed, protected and reliable for decision-making. 
• Test data security controls: Regular testing of data access and protection controls, particularly around sensitive information, can prevent data breaches and maintain customer trust. 
• Monitor data compliance: Compliance with data handling standards, such as the General Data Protection Regulation (GDPR) and U.S. state-based data privacy laws, is essential. Internal audit can evaluate compliance processes and recommend enhancements to support regulatory requirements. 

Third-party relationships are integral to model business operations, but they also introduce significant risks. A comprehensive TPRM framework is necessary for onboarding, monitoring and offboarding third-party vendors. Internal audit leaders can play a vital role in assessing the robustness of TPRM frameworks and ensuring continuous vendor risk monitoring. 

Internal audit considerations 

• Vendor risk assessment: Evaluating the program through which the organization assesses vendor risk, which drive the depth and frequency of vendor due diligence and review procedures. 
• Vendor due diligence reviews: Evaluating the organization’s due diligence process during vendor onboarding and the depth of ongoing assessments helps safeguard against compliance risks and operational disruptions. 
• Assess monitoring practices: Internal audit should review how the organization monitors vendor performance, especially for high-risk vendors, to ensure regulatory and contractual compliance.  
• Contract compliance audits: Contracts with third-party vendors should include clear expectations for data security, performance standards and compliance. Internal audit can help confirm that these contract provisions are enforced. 

With the increasing frequency and sophistication of cyberattacks, robust cybersecurity measures are more critical than ever. Internal audit leaders must adopt a proactive approach to cybersecurity, which includes regular risk assessments, incident response planning and employee training. 

Internal audit considerations 

• Conduct cybersecurity risk assessments: Evaluating the cybersecurity posture through regular risk assessments, access control reviews and incident response plans enables the organization to adapt to new threats. 
• Review cybersecurity training: Employees are often the first line of defense against cyber threats. Ensuring that training on phishing and other cyber threats is current and effective can help mitigate human error. 
• Monitor regulatory compliance: Internal audit should ensure that cybersecurity practices align with relevant regulations (e.g., NAIC Insurance Data Security Model Law and NYDFS Part 500) and industry standards such as the NIST Cybersecurity Framework (CSF) 2.0, bolstering both compliance and protection. 

In 2025, the property and casualty (P&C) insurance sector will need to focus on critical areas that impact operational efficiency, regulatory compliance and financial resilience. Internal audit can play a vital role in ensuring these areas are effectively managed and controlled. Below are the primary areas of focus within P&C and their associated considerations for internal audit: 

• Case reserves: Ensure reserves are set accurately by leveraging AI and data analytics while fostering a culture of consistent reserving practices. 
• Underwriting compliance and transformation: Review the accuracy of underwriting forms, regulatory oversight and the use of AI/data analytics to drive underwriting decisions effectively. 
• Rate filing and pricing: Assess workflows for rate changes and filings, with attention to surplus lines considerations and system usage to maintain pricing accuracy. 
• Reinsurance and CAT claims management: Verify the appropriate tagging and documentation of catastrophic claims, reinsurance alignment with risk appetite and monitoring of reinsurance recoverables and reinsurer solvency. 

For life insurance, key areas include reserves, AI-driven underwriting, claims management and regulatory compliance. Implementing AI-driven solutions can enhance efficiency, while robust data governance and cybersecurity measures ensure compliance and protect sensitive information. 

Internal audit considerations 

• Assess claims processing: Efficient claims processing is essential for customer satisfaction. Internal audit can evaluate processes for accuracy, timeliness and regulatory compliance. 
• Review AI-enhanced underwriting: As AI is integral to underwriting, internal audit should assess it for accuracy, lack of bias and compliance with applicable laws. 
• Monitor financial reporting and reserving compliance: Proper financial reporting and reserving practices are essential for regulatory compliance and organizational health. 

Enterprise risk management (ERM) is essential for integrating risk management into business strategy and operations. A comprehensive ERM framework supports the achievement of strategic objectives, defines consistent risk governance and promotes a risk-aware culture. Internal audit leaders must ensure that ERM practices are embedded into business planning and execution, enabling better risk identification, assessment and mitigation. 

Internal audit considerations 

• Evaluate ERM frameworks: Internal audit should assess the organization’s ERM framework, ensuring alignment with strategic goals and examining the effectiveness of risk governance. 
• Risk culture audit: Conducting surveys or focus groups to gauge employees’ understanding of and engagement with risk management helps strengthen a risk-aware culture. 
• Embed ERM in business planning: ERM practices should be integral to the organization’s planning, project initiation and decision-making, enhancing proactive risk identification and response.