How to develop an internal audit RFP for insurance organizations

Internal audit is in a state of transformation. In the insurance industry specifically, disruptions are growing bigger, developing faster, and requiring responses that are quicker and more fluid. According to the Institute of Internal Audit’s 2018 North American Pulse of Internal Audit, transformation of internal audit is the only acceptable solution. To address these changes and disruptions, chief audit executives (CAEs) need to act as internal disruptors who challenge the status quo, identify and focus on emerging risks, develop innovative strategies and form an agile approach that is supported by the right talent, either internally or by a third party.

Because internal audit has continued to innovate and push the boundaries beyond the typical “check the box” exercise, several companies are beginning, or continuing, to seek outside assistance from qualified firms to supplement or fulfill their internal audit function. Some key reasons are lack of technical expertise (e.g., data analytics, regulatory compliance, information technology vulnerability, security and penetration audit expertise), the ability to attract and retain talent and the desire for sector insight that one gains by outsourcing or co-sourcing their internal audit function. Although seeking out an internal audit partner appears to be a simple task, there are many components to the selection process. Outlined below is a clear process to successfully develop a request for proposal (RFP) for internal audit services:

Step 1: Develop the scope of the RFP

The first critical step in the RFP process is to identify the needs of your organization. To get started, below are a few questions to ask yourself when beginning the process of sourcing for an internal audit firm:

  • Does your organization currently have an internal audit function? If yes, what are you looking for in the firm and in a service provider (e.g., insurance expertise, best practices, insurance state regulatory experience, information technology expertise)? If no, are you looking for the retention of an outsourced internal audit department or a consultative engagement to develop an internal audit department internally?
  • Has your company breached the $500 million premium threshold requiring the company to be model audit rule (MAR) compliant? If so, do you want MAR control testing to be included in the internal audit’s overall responsibilities or will a separate group be responsible for it?
  • Are you a publicly traded entity requiring Sarbanes-Oxley (SOX) compliance? If so, do you want SOX control testing to be a part of internal audit’s overall responsibilities or is that currently under a separate function?
  • How do you want internal audit to be involved from either a co-sourcing or outsourcing capacity?
  • What positions are you primarily looking for the firm to fill if co-sourcing?
  • Will the firm be used for a specific skill set or to supplement all audits on the audit plan if co-sourcing?
  • Is the firm going to be utilizing your governance, risk management and compliance (GRC) software?
  • How will the firm participate in the annual risk assessment process and development of the internal audit plan?
  • What point of the year will you expect heavier and lighter usage of firm resources?
  • If outsourcing, who will act as the liaison between the engagement managers and administrative reporting executive level? Will a liaison be required?
  • If outsourcing, when will the firm be expected to start? Do you need an internal transition plan or will the firm be responsible for providing it?

These are some of the critical questions that need to be answered in order to determine the overall scope, from a company perspective, that you are looking for when receiving RFP submissions.

Step 2: Determine additional service requests

After the scope has been defined, it is critical to determine what further services you will request of the firm, which can be inclusive of the following:  

  • Firm responsibility for managing, and reporting to the audit committee, the annual risk assessment process and development of the annual internal audit plan and budget
  • Firm responsibility for developing the internal audit update for the audit committee package
  • Requirement of attendance at audit committee meetings
  • Firm availability for advice and consultative services with business owners and key management leaders on an as needed basis
  • Firm responsibility for collaboration with management when drafting reports, circulation of final reports and administration of follow-up items on audits performed
  • Expected amount of onsite time when performing fieldwork, or whether remote work is preferred or acceptable
  • If outsourcing:
      • Firm responsibility for the administration of the internal audit function, and retention of all documentation/work papers obtained during the course of the internal audit
      • Firm responsibility to provide internal audit documentation maintained, and meet with the regulatory examination team from the state (when applicable)

Services identified as significant or that are a requirement of the firm responding, in addition to the general internal audit functions, should be included in the RFP. These services should also be specifically outlined to ensure that the firm is able, and comfortable, to meet all requirements needed from your company. 

Step 3: Determine what to evaluate

Once the scope and additional required services have been outlined, it is critical to determine the information you are trying to ascertain as part of the RFP process. In general, the information that needs to be obtained revolves around the following themes:

  • Background information, including, but not limited to, the firm’s experience in the insurance industry, practice infrastructure and intended delivery of the internal audit services
  • Engagement staffing, including the identification of the core team responsible for the day-to-day work and which individuals will serve as the primary contacts
  • The service team’s experience with insurance companies that write similar lines of business
  • Internal audit methodology for providing internal audit services in a co-sourced, or outsourced, arrangement
  • The firm’s approach and investment in the development of knowledge and training of the internal audit professionals assigned to the company
  • The firm’s current technology platform including any software or analytical tools utilized
  • Overall fees including a rate per hour by staff level (or if the firm would be able to provide an option for a blended rate), expected geography of the staff on the engagement noting the expected expense budget (i.e., administrative and travel) needed to provide effective internal audit services and the expected hours needed to provide the determined services
  • The firm’s views about collaboration between management and internal audit, and how they plan to bring value to the company
  • The firm’s references and the extent to which those references are similar in industry and line of business
  • Any differentiating factors the firm believes the decision makers should be aware of before the engagement

The list above provides the overarching themes often included in an RFP. Although it is not often included in the initial RFP process, management should consider scheduling, with the top three to four candidates, an in-person meeting with key members of management to ensure the firm is an appropriate fit for the company.

Step 4: Selecting firms for consideration

When determining which firms to include in the RFP process, there are a few key areas to consider:

  • The value the firm will bring to your company
  • The firm’s experience with insurance companies and regulatory bodies
  • Resources the firm has dedicated to the insurance industry practice focused on internal audit
  • Your expense budget, especially if constraints may require you to seek local firms compared to national firms that may have their talent and service teams traveling from different cities or states
  • Firms other companies have used, the feedback received, and any reference or referrals from within your network prior to starting the RFP process

The value and expertise of the chosen firm will be the key to success for your internal audit department. If outsourcing, the firm will serve as the primary point of contact throughout the company. Therefore, it is important that the firm aligns with your corporate culture. Although budget is a key consideration, it is important to note that fees and travel expenses are always negotiable. Generally, it is recommended to submit the RFP to all key potential candidates that fit with the culture, expertise and value of your company.

Step 5: Establish timeline and point of contact

The final item to consider in the RFP development process is the overall timeline and who will be responsible for addressing questions, clarifications, etc. from prospective firms. The timeline should also be based on when the company expects the internal audit to be fully functional (i.e., onsite meeting with business owners for the initial risk assessment, start of fieldwork, etc.). In addition to outlining the timeline for the prospective firm, the expected start date of services should be listed within the RFP to allow a sufficient amount of time to allocate resources to your company. 

Do not underestimate the value of in-person meetings with the selected finalist, with the assigned engagement managers and experienced staff present. A firm’s ability to showcase a dedicated team with experience in a proposal, as well as in-person, is crucial since these individuals will serve as your firm’s day-to-day internal audit function and represent the work performed.

Please see below for an outline of an expected RFP timeframe with the expectation that the internal audit department is functional by Jan. 1, 20XX:

Wrapping up the RFP selection process

By breaking out the RFP process into smaller steps, the search for a third-party internal audit firm may become a straightforward process. The critical points to remember are to establish the services your company is looking for, requirements of the firm, criteria you are looking to evaluate, specific firms you want to include in the RFP process, and the overall RFP timeline.

For more information on this topic, or to learn how Baker Tilly’s insurance industry internal audit specialists can assist your organization, contact our team.
