A strong audit function drives a smoother regulatory examination process

An efficient risk-focused financial examination has typically been achieved through the effective leveraging of the work performed by both internal and external auditors, herein referred to as the “audit function.” In past iterations of the risk-focused exam process, the leveraging of the audit function work would include re-performance of the control and/or substantive testing available related to each risk identified by the examination team. Currently, the National Association of Insurance Commissioners (NAIC) Financial Condition Examiners Handbook (FCEH) includes guidance for examiners to apply additional judgment to not only leverage audit function work, but also to reduce the number of  financial reporting risks reviewed by the examination team as a result of the audit function work performed.

The purpose of this article is to provide the company with an understanding of an effective audit function and how the examiner’s reliance leads to a smoother and more efficient examination of your insurance company. The article also aims to provide the examiners with a high-level understanding of the reliance process and practices utilized during the examination.

Insurance organizations: leverage your audit function for examination success

Internal audit is known as the third line of defense and, based on the Institute of Internal Auditors, it can be defined as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.” Its primary purpose is to enhance and protect organizational value by providing risk-based and objective assurance, advice and insight.

Internal audit achieves this goal through the identification and verification that the company has strong risk mitigation strategies (controls) in place that are operating consistently to mitigate risks. This value provided to your company extends to the examination team as well. How does this occur? As part of the NAIC risk-focused examination, specifically Phase 3  (control identification and risk mitigation strategies), the examiners may place reliance on internal audit for the controls identified during previous engagements, and how those controls can be utilized to mitigate the risks identified by the examiners.

In most cases, companies that have strong internal audit functions will have smoother examination (and potential cost savings) than companies that have not invested in a strong internal audit function. This concept is especially true if your company is required to comply with the Internal Control over Financial Reporting requirement of the Model Audit Rule, or your related state regulation. Please refer to our article for more information:

The Model Audit Rule: best practices and recommendations to improve your organization’s program

There are critical attributes that we have identified through our experience working with examiners that will ensure internal audit is providing value to your company while undergoing an examination:

Appropriate structure and methodology

• The internal audit function is independent and reports functionally to the CFO or CEO (or other appropriate level of management) and directly to the audit committee
• Methodology is supported by policies and procedures and follows appropriate standards
• Internal audit staff (internal, co-sourced or outsourced) should be qualified and progression shown towards relevant experience and designations
  Be prepared for examination requests:
  -Internal audit charter
  -Internal audit policies and procedures
  -Interview with chief auditor or equivalent
  -Audit committee reports and supporting materials

Activities help maintain and improve the effectiveness of risk management processes

• Risk assessments are conducted at least annually and include processes for ongoing risk consideration and adaption, and include consideration of inherent and residual risk
• Depending on the role of the internal audit function in your organization, there is clear documentation for consideration of enterprise risks and impact on internal audit activities
• Internal audit reports include actionable recommendations and associated management responses with clear identification of responsibility and timeline for remediation for observations
• Internal audit testing and associated documentation is appropriate for the nature, timing and extent of procedures performed; well-documented and retention of supporting work papers will vastly improve the efficiency of the examination and reduce the extent of requests on your company’s business owners
  Be prepared for examination requests:
  -Copies of risk assessments and supporting methodology during the examination period
  -Interview requests to discuss risk assessment results
  -Listing of internal audit reports
  -Specific selection of internal audit reports and supporting work papers for higher risk areas and areas of interest
  -Internal audit assessment of enterprise risk management activities (if applicable)

Activities provide reasonable assurance about the accuracy and timeliness of recorded transactions and the accuracy and completeness of financial reports

• Internal audit (or a separate division such as internal control, Model Audit Rule or Sarbanes-Oxley compliance if applicable) is expected to provide assurance but not necessarily duplicate activities of the external auditor; if you are not Model Audit Rule or Sarbanes-Oxley compliant, the examination team will be looking to primarily leverage the external auditors work papers as discussed below
• For Model Audit Rule or Sarbanes-Oxley compliant entities, your methodology, assumptions, timeline and supporting documentation should be retained and readily available
• As mentioned above, well-documented work papers and retention of supporting work papers will vastly improve the efficiency of the examination and reduce the extent of requests on your company’s business owners
• Materiality and supporting assumptions are very important; if your materiality is too high, the examination team may not be able to rely on your work papers. If you consider and align with your external auditor’s materiality expectations, more often than not, you should be within the ballpark of examiner expectations
  Be prepared for examination requests:
  -Model Audit Rule and/or Sarbanes-Oxley methodology documentation for the examination scope period, usually focused on the latest year
  -Risk matrices and risk assessment support where applicable
  -Control testing documentation and support
  -Relevant report of findings, recommendations and remediation plans
  -Evidence of remediation readily available

By ensuring your internal audit department is well-aligned to these critical attributes, you are more than likely to achieve efficiency during the examination as a result of the examiners being able to clearly and concisely identify controls, and/or identify controls that are not operating consistently. If you have any further questions regarding what we have seen to be a strong internal audit function, please find further information here.

In addition, it is important to ensure that your external audit function is a reputable firm in the insurance industry. The examination team, in addition to placing reliance on internal audit, will first look to place reliance on the external audit work completed including any control testing performed, and any substantive procedures completed. There are some common issues that may limit an examiners reliance on external audit work. The issues can include, but are not limited to: external auditor’s failure to  retain control narratives and control documentation, a substantive approach that does not include appropriate sample sizes, or an unwillingness to provide all access to their  work completed in appropriate and usable formats. It is important that when you know your examination is upcoming, that you have a conversation with the external audit team and make them aware that your examination will be as of year-end 20XX, and therefore they should be prepared to provide all work papers for that last year under review. The quicker they provide the work papers to the examiners, the earlier the examination may be completed.

Regulators: Utilize audit function work papers for examination efficiency

The ability to leverage the audit work requires an effective audit function. The examination team will assess the adequacy of the audit function through the completion of the NAIC FCEH, Exhibit E.

Exhibit E requires the examiners to obtain and review documentation supporting the audit approach and performance of both internal and external audit. The examiners will conduct a meeting or interview with the external audit partner and/or manager, as well as the chief audit executive of the company to understand their roles and performance of the audits. The supporting documentation obtained supports what is described and provides the examiners with a basis for assessing the audit function against industry best practices.

Assessing the audit function provides the examiner with an understanding of the risks identified by the audit function, how those risks are addressed and the overall audit conclusion reached. An overall audit function assessment will be determined as “effective” or “ineffective.” An effective audit function not only allows the examiner’s to leverage the testing in addressing significant risks, it also allows the examination team to apply judgment in reducing less significant financial reporting risks from the scope of the review. This increased efficiency provides the examiners the ability to focus efforts on nonfinancial reporting risks and complete examination activities more quickly.

Once it has been determined that the audit function is effective, the examiners now need to determine which less-significant financial reporting risks are appropriately addressed by the audit function and thus can be removed from the Key Functional Activity Matrix.

To do so, the examiners should be following the left-hand side of the “Decision tree for usage of CPA work,” included to the right. Firs, the examiners need to identify the significance of the financial reporting inherent risks. Next, the examiners need to understand and evaluate the work performed by the audit function in addressing the risks. Finally, depending on the level of significance and the work available, the examiners will apply judgment to determine the appropriate leveraging of this work – whether removing the inherent financial reporting risk(s) from the Key Functional Activity Matrix, or reviewing and re-performing to address risks on the matrix through Phase 3 or Phase 5.

While the guidance for evaluating the audit work is documented and available to the examination team, what is left up to examiner judgment is the evaluation of risks and the manner in which the judgment is documented.

Baker Tilly has implemented a process to follow the above decision tree efficiently and effectively, demonstrating our understanding of the financial reporting inherent risks and the audit function work prepared. This process results in a Baker Tilly developed templated memo (template available upon request) prepared for Key Functional Activity documenting:

1. The material accounts associated with the activity
2. The inherent risks and financial statement assertions identified for each material account
3. A summary of the audit work available related to that key functional activity (whether Model Audit Rule, Sarbanes-Oxley, external audit or internal audit)
4. A table mapping the examiners consideration of the significance of the financial reporting inherent risk identified and the testing considered to address the risk

We consider significant risks being those addressing a Critical Risk Category of the Exhibit DD of the NAIC FCEH, risks communicated by the State insurance department  financial analyst as significant and requiring detailed review by the examination team, and risks identified by examiners and/or communicated by the company as potentially having a significant impact on solvency during Phase 1 (understanding the company procedures).

Once you have established that the audit function is effective it is equally important to understand the financial reporting risks relevant to the organization and the audit work performed to address these risks, whether control testing, substantive testing or a combination of the two.

Key takeaways:

• Examiners and insurance organization’s both want to have an efficient examination that does not require unnecessary work or time.
• An insurance organization’s audit function (combination of internal and external) provides comfort to the examiners that financial reporting risks are addressed.
• The ability of the examiners to adequately assess the overall audit function, the inherent financial reporting risks of each activity, and the specific work completed in relation to these financial reporting risks is critical to an efficient exam.
• The insurance organization’s understanding of the examiners ability to leverage audit work and the criteria utilized improves the likelihood of an efficient exam.
• For more general insurance information, please click here.

For more information on this topic or to learn how Baker Tilly specialists can help, contact our team.