An efficient risk-focused financial examination has typically been achieved through the effective leveraging of the work performed by both internal and external auditors, herein referred to as the “audit function.” In past iterations of the risk-focused exam process, the leveraging of the audit function work would include re-performance of the control and/or substantive testing available related to each risk identified by the examination team. Currently, the National Association of Insurance Commissioners (NAIC) Financial Condition Examiners Handbook (FCEH) includes guidance for examiners to apply additional judgment to not only leverage audit function work, but also to reduce the number of financial reporting risks reviewed by the examination team as a result of the audit function work performed.
The purpose of this article is to provide the company with an understanding of an effective audit function and how the examiner’s reliance leads to a smoother and more efficient examination of your insurance company. The article also aims to provide the examiners with a high-level understanding of the reliance process and practices utilized during the examination.
Internal audit is known as the third line of defense and, based on the Institute of Internal Auditors, it can be defined as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.” Its primary purpose is to enhance and protect organizational value by providing risk-based and objective assurance, advice and insight.
Internal audit achieves this goal through the identification and verification that the company has strong risk mitigation strategies (controls) in place that are operating consistently to mitigate risks. This value provided to your company extends to the examination team as well. How does this occur? As part of the NAIC risk-focused examination, specifically Phase 3 (control identification and risk mitigation strategies), the examiners may place reliance on internal audit for the controls identified during previous engagements, and how those controls can be utilized to mitigate the risks identified by the examiners.
In most cases, companies that have strong internal audit functions will have smoother examination (and potential cost savings) than companies that have not invested in a strong internal audit function. This concept is especially true if your company is required to comply with the Internal Control over Financial Reporting requirement of the Model Audit Rule, or your related state regulation. Please refer to our articles for more information:
There are critical attributes that we have identified through our experience working with examiners that will ensure internal audit is providing value to your company while undergoing an examination:
Appropriate structure and methodology
Activities help maintain and improve the effectiveness of risk management processes
Activities provide reasonable assurance about the accuracy and timeliness of recorded transactions and the accuracy and completeness of financial reports
By ensuring your internal audit department is well-aligned to these critical attributes, you are more than likely to achieve efficiency during the examination as a result of the examiners being able to clearly and concisely identify controls, and/or identify controls that are not operating consistently. If you have any further questions regarding what we have seen to be a strong internal audit function, please find further information here.
In addition, it is important to ensure that your external audit function is a reputable firm in the insurance industry. The examination team, in addition to placing reliance on internal audit, will first look to place reliance on the external audit work completed including any control testing performed, and any substantive procedures completed. There are some common issues that may limit an examiners reliance on external audit work. The issues can include, but are not limited to: external auditor’s failure to retain control narratives and control documentation, a substantive approach that does not include appropriate sample sizes, or an unwillingness to provide all access to their work completed in appropriate and usable formats. It is important that when you know your examination is upcoming, that you have a conversation with the external audit team and make them aware that your examination will be as of year-end 20XX, and therefore they should be prepared to provide all work papers for that last year under review. The quicker they provide the work papers to the examiners, the earlier the examination may be completed.
The ability to leverage the audit work requires an effective audit function. The examination team will assess the adequacy of the audit function through the completion of the NAIC FCEH, Exhibit E.
Exhibit E requires the examiners to obtain and review documentation supporting the audit approach and performance of both internal and external audit. The examiners will conduct a meeting or interview with the external audit partner and/or manager, as well as the chief audit executive of the company to understand their roles and performance of the audits. The supporting documentation obtained supports what is described and provides the examiners with a basis for assessing the audit function against industry best practices.
Assessing the audit function provides the examiner with an understanding of the risks identified by the audit function, how those risks are addressed and the overall audit conclusion reached. An overall audit function assessment will be determined as “effective” or “ineffective.” An effective audit function not only allows the examiner’s to leverage the testing in addressing significant risks, it also allows the examination team to apply judgment in reducing less significant financial reporting risks from the scope of the review. This increased efficiency provides the examiners the ability to focus efforts on non-financial reporting risks and complete examination activities more quickly.
Once it has been determined that the audit function is effective, the examiners now need to determine which less-significant financial reporting risks are appropriately addressed by the audit function and thus can be removed from the Key Functional Activity Matrix.
To do so, the examiners should be following the left-hand side of the “Decision tree for usage of CPA work,” included to the right. Firs, the examiners need to identify the significance of the financial reporting inherent risks. Next, the examiners need to understand and evaluate the work performed by the audit function in addressing the risks. Finally, depending on the level of significance and the work available, the examiners will apply judgment to determine the appropriate leveraging of this work – whether removing the inherent financial reporting risk(s) from the Key Functional Activity Matrix, or reviewing and re-performing to address risks on the matrix through Phase 3 or Phase 5.
While the guidance for evaluating the audit work is documented and available to the examination team, what is left up to examiner judgment is the evaluation of risks and the manner in which the judgment is documented.
Baker Tilly has implemented a process to follow the above decision tree efficiently and effectively, demonstrating our understanding of the financial reporting inherent risks and the audit function work prepared. This process results in a Baker Tilly developed templated memo (template available upon request) prepared for Key Functional Activity documenting:
We consider significant risks being those addressing a Critical Risk Category of the Exhibit DD of the NAIC FCEH, risks communicated by the State insurance department financial analyst as significant and requiring detailed review by the examination team, and risks identified by examiners and/or communicated by the company as potentially having a significant impact on solvency during Phase 1 (understanding the company procedures).
Once you have established that the audit function is effective it is equally important to understand the financial reporting risks relevant to the organization and the audit work performed to address these risks, whether control testing, substantive testing or a combination of the two.
For more information on this topic or to learn how Baker Tilly specialists can help, contact our team.