Internal audit value optimization for insurance organizations

The demands on the internal audit departments of insurance organizations have increased significantly in recent years as technology advances, regulation becomes more rigorous, new risks emerge, and companies seek more business insights. Internal audit plays a crucial role in providing assurance on an organization’s governance, risk management, and control processes to help achieve strategic, operational, and financial objectives while balancing compliance objectives and expectations from regulators. Internal audit departments need to leverage an understanding of insurance industry trends, feedback from leadership, regulatory compliance requirements, and available public information to add value to the organization – to optimize internal audit value.

Characteristics of value optimization

The Institute of Internal Auditors (IIA) defines internal auditing as an independent, objective assurance and consulting activity that adds value to and improves an organization’s operations. There is no easy way to assess the value internal audit adds to its organization. The function’s worth can be different from business to business, and the expectations placed on internal audit change rapidly. However, there are key optimization characteristics defined by the IIA that organizations can focus on.

Key optimization characteristics for an internal audit department

  1. A learning organization with continuous process improvements and innovation
    1. Insurance organizations need their internal auditors to be thought leaders. A continuous learning and process improvement culture within the internal audit department needs to be developed and nurtured. The leadership team within the internal audit department should strive to be leaders within relevant professional industry groups.
  2. Top-level professional and specialized skills that include actuarial, IT, investment, and insurance operations background
    1. To add value, internal audit departments should have a defined process to evaluate skill set and training needs, and align risk assessment and audit plan results with an analysis of gaps in ability to deliver best in class assurance and recommendations. Internal audit departments should seriously consider investing in training on insurance operations as many executives and operational managers at insurance organizations consistently state that internal audit knows how to audit, but does not understand the insurance business resulting in misaligned or poor recommendations.
  3. Information used from inside and outside the organization to contribute to achieving strategic objectives
    1. The internal audit department must look at the organization’s strategies to achieve those goals in concert with industry trends and evolving regulations while providing insightful recommendations for achieving objectives.
  4. World-class recommendations and best practice performance in line with the entity’s strategic objectives and consideration of company demographics and structure
    1. Internal audit departments that provide the most value provide “better practice” recommendations, understanding that there is not one “best practice” as each organization is unique.
  5. A critical part of the organization’s governance and risk management structure
    1. Internal audit should have appropriate visibility and alignment with key stakeholders, management, and the audit committee. There should be a direct functional reporting line of the chief audit executive (CAE) to the audit committee. The CAE should report to executive management for establishing direction, support, and administrative interface; and to the audit committee for validation, reinforcement, and accountability. The internal audit activity must assess and make appropriate recommendations for improving the governance process in accomplishment of the following objectives:
      1. Promoting appropriate ethics and values within the organization
      2. Ensuring effective organizational performance management and accountability
      3. Communicating risk and control information to appropriate areas of the organization
      4. Coordinating the activities of and communicating information among the board, external and internal auditors, and management
    2. Internal audit should have a seat at the table on enterprise risk management discussions and act as champion of enterprise risk management, not just an administrator.
  6. Individual, unit, and organizational performance measures are fully integrated to drive performance improvements
    1. An optimized internal audit function integrates performance data, leading practices, and feedback received from an ongoing quality assurance and improvement program to continually strengthen and develop internal audit’s ability to provide value.

A note on increasing use of technology

Information technology trends are transforming insurance company strategy, operations, and ultimately internal audit’s value proposition. Increased cybersecurity risk, lack of legacy core system integration, and less control over device management continue to add new elements of risk. This also adds areas for internal audit to add value. Previously, IT auditors were viewed as a supplement to the internal audit team and function; however, to optimize value an internal audit department should assess its team and the number of auditors with experience, background, and certification in information technology.

Steps to enhance the value of your internal audit function

Internal audit’s ability to add value is unique and an ongoing dynamic process dependent on the size of the internal audit department, type of insurer, company culture, and demographics. However, there are action steps all insurers can take in the short-term with a view to the long-term.

  1. Align internal audit strategy with organizational strategy
    Have an internal audit strategy that aligns with the company’s strategy and objectives. Many internal audit departments have an informal alignment plan and can communicate the plan if questioned; however, a formal, concise, and easy to understand plan often does not exist. Formalize an internal audit strategic plan that addresses:
    1. Stakeholder expectations
    2. Consideration of changes in the audit plan mix one, three, and five years ahead
    3. Insurer organization strategies and risk appetite and internal audit implications
    4. Resource and talent needs
       
  2. Conduct a training and skill analysis
    Conduct a mapping and gap analysis exercise comparing the risk assessment and audit plan to your department skill sets, both soft skills and technical skills. Begin the process to fill the gaps through internal training, certification programs, and co-sourcing or outsourcing.
     
  3. Create a stronger internal audit brand
    Internal audit should also be providing training to departments and business units on the purpose and value of internal audit. Internal audit should collaborate with management during the planning process to ensure that areas of concern are addressed appropriately. Provide thought leadership to your business units on a periodic basis on internal control efficiencies, emerging risks, and industry hot topics for management attention.
     
  4. Focus on risk management over control effectiveness
    Many internal audit departments spend more than 80% of their time providing assurance on control effectiveness.1 Start by taking a deeper look at the risk assessment process and consideration for emerging trends, feedback from management, and industry data. Ensure the internal audit plan reflects the current state, expected future state, and avoids duplication of efforts from external audit. Assess the strategic risks to the organization and discuss with management opportunities where internal audit can add value. Considerations for audits and advisory reviews that would apply across the property and casualty and life and health industries are as follows:
    1. Cybersecurity threat and vulnerability management
    2. Cloud strategy and governance
    3. Customer interaction and experience review
    4. Budget and forecasting assessment
    5. Data analytics effectiveness
    6. Actuarial risk management
    7. Product development efficiency and process
    8. Enterprise regulatory and compliance efficiency assessment
       
  5. Embrace data analytics
    Insurance organizations continue to focus on the use of big data and predictive modeling. The increases in technologies and data analysis are transforming how insurers write and manage their business. Internal audit should incorporate data analytics to assist in driving the risk assessment process as part of the overall audit plan, as well as part of individual engagements. In addition, model validation and data validation assurance is a key element internal audit should be including as part of the overall audit plan.
     
  6. Be an ERM champion versus ERM administrator
    With the increasing pressure from regulators on developing robust enterprise risk management (ERM) programs, Own Risk and Solvency Assessments (ORSA), Solvency II requirements, NAIC risk focused examinations, and state specific requirements, internal audit is increasingly taking on the role of ERM administrator. Transform the role from administrator to ERM champion. The ERM champion approach can allow internal audit to facilitate the linking from risk to strategy and build risk awareness throughout the culture of the organization.
     
  7. Define internal audit success and constantly monitor value
    Develop key performance indicators (KPIs) that focus on the value internal audit provides to the organization. KPIs can include measurements such as:
    1. Best practices implemented
    2. Business unit cost savings/revenue enhancements identified and realized
    3. Issues monitored and closed
    4. Audit survey results
    5. Subject matter expert utilization and effectiveness
    6. Training, certification, and continuing professional education (CPE) hours obtained
    7. Emerging risks monitored and reported 

Insurance organizations’ internal audit departments have more demands than many other organizations, namely because they are providing assurance insight and consultation on risk management to an industry that executes risk management as its business. However, because insurance organizations are operating in an environment of ever-increasing change and regulation, internal audit has vast opportunities to improve and provide value optimization.

For more information on this topic, or to learn how Baker Tilly insurance industry specialists can help, contact our team.

 

1. Internal auditor magazine “Internal audit in 2020” December 1, 2013. https://iaonline.theiia.org/internal-audit-in-2020