Internal audit value optimization for insurance organizations Webinar May 13, 2015 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.
Agenda and learning objectives
Review the learning objectives: understand what we will cover today and the takeaways.
1) Understand the definition of internal audit and explore what "add value" means. Revisit some of the common challenges of adding value.
2) Discuss the characteristics of an optimizing internal audit department and review the internal audit capability maturity model.
3) Understand the trends in the insurance industry that will transform internal audit's value proposition.
4) Identify how to incorporate leading practices in the short term and over time with a summary of clear action steps.
Understanding internal audit and adding value
Importance for insurance organizations
Growing necessity for business insight and value from internal audit departments
> Regulation
> Emerging risks and market opportunities
> Advancing technology
Internal audit definition
The Institute of Internal Auditors (IIA) defines internal auditing as an independent, objective assurance and consulting activity that adds value to and improves an organization's operations.
> Insight
> Assurance
> Objectivity
What does it mean to add value
The internal audit activity adds value to the organization (and its stakeholders) [and there is perceived value of contribution] when it provides objective and relative assurance, and contributes to the effectiveness of governance, risk management, and control processes.
Challenges to adding value
Reduction in internal audit value
> SOX, MAR, compliance efforts encompassing majority of plan
> Lack of resources in number and/or in talent
> Too much focus on routine audits
> Politics, tail wags the dog
> Organizational perception as company police
Characteristics of an optimizing internal audit activity
> Learning organization
> CAE and managers are key thought leaders
> Continuous learning and process improvement culture
> Defined process to evaluate skill set and training needs
> Aligns risk assessment and audit plan with current skill sets
> Top level professional and specialized skills
> Use of information inside and outside of organization
> Leverage insights and feedback from business unit managers
> Obtains knowledge of trends and emerging risks
> Considers organization's strategic objectives and culture
> Advisory on adapting to and maximizing technology trends
> World class recommendations
> Critical part of governance and risk management
> Appropriate visibility with management and board
> Provide appropriate recommendations to improve governance
> Integration of performance data and feedback
> Continuous and ongoing quality assurance program
> Integrated performance measures
Internal audit activity maturity model
Levels, in order: Initial, Infrastructure, Integrated, Managed, Optimizing
> Isolated audits
> Lack of established practices
> Compliance auditing
> Individual professional development
> Audit plan based on management priorities
> Advisory services
> Workforce coordination
> Risk based audit plans
> Performance measures
> Assurance on governance, risk and controls
> Contribution to mgmt development
> Audit strategy leverages ERM
> Advanced performance measures
> IA is recognized as key agent of change
> Leadership in professional organizations
> Strategic IA planning
> Transparency to organization on IA effectiveness
Insurance industry trends and internal audit implications
Insurance industry trends
Life and annuity
1) Predictive analytics and consumer facing platforms
2) Retiring baby boomers
3) Alternative and simplified customer distribution
4) Legacy system issues
Health
1) Premiums rising
2) Individual mandate
3) Risk based premiums
4) Participation in Exchanges
L&A and health risks
> Reputational risks
> System transformation and impact
> Competition and market share protection / enhancement
> Three R estimation
Insurance industry trends
Property and casualty
> Lower CATS and softening market
> Alternative capital influx
> Customer experience
> Pursuit of higher yield
Cross industry
> Cybersecurity
> Regulation adding cost and complexity: ORSA, captive oversight, corporate governance
> Capital management and integration of internal and external models
P&C risks
> Increased use of alternative investments
> Marketing and underwriting changes
> Data integrity, modeling, and underwriting strategy transformation
Cross industry risks
> Cyber security readiness
> Regulatory compliance and costs
> Data integrity and model risk
Industry trends affecting IT
IT and business have fused together to empower each other. Emerging industry trends and regulatory changes have affected IT.
1) Cybersecurity risk and regulation
2) Predictive modeling and data analytics
3) Accessibility of information/consumer facing platforms
4) Increased competitive landscape (soft P&C market, health exchange, etc.) requiring better customer experience and faster speed to market
Information technology (IT) trends
Ever changing end points Increased cyber security risk Lack of legacy Core system integration Less in tune with customer demands Incompatibility Potential Increased Autonomous Technology Less control over device management Advances in algorithms Automated Decision Engines/Tools Predictive modeling and rating Constant tracking of Data and people Connected Home/Auto Wearables Continual monitoring of trends Context-aware security
Effects on information technology audit plan
Sample 2010 IT IA Plan: focused on core IT general controls
> Change management / system development life cycle (SDLC)
> Access administration and authentication
> Disaster recovery and business continuity planning
> Computer operations and back-up
Sample 2015 IT IA Plan: focused on emerging risks and integration into ERM
> Vendor management
> IT governance
> Data breach and vulnerability management
> Data privacy
> Mobile device management and security
> End user computing
Trends in IT have led internal audit departments to focus more on emerging technologies as risk assessment frameworks dictate.
Actuarial implications
Key actuarial risks are emerging as a result of industry trends and regulatory changes.
Traditional internal audit
> Actuaries are a supplement
> Engaged to perform routine reviews
> Reviews are minimally performed
Optimizing internal audit
> Specialized skill-set readily available in the internal audit workforce
> Integrated on multiple audits
Regulatory changes ORSA Solvency II Product design and transformation Data analytics
Key risks: Model, Economic, Pricing, Regulatory, Financial statement, Process, Data
Key risks to actuarial function
Enterprise risks
Model risk and control
> Models must be in compliance with all Actuarial Standards of Practice (ASOPs)
> Appropriateness of the assumptions made in the calculations
> Defined and documented process for each periodic review
> Back-test the results (actual versus expected analyses)
> Transparency of assumptions and limitations to key stakeholders (communications)
Key risks to actuarial function
Enterprise risks (cont.)
Economic and pricing risk
> Price monitoring system data reconciliation and frequency of review
> Development of pricing assumptions
> Treatment of differing characteristics of insured risks
> Feedback loop on actual performance compared to pricing objectives
Regulatory compliance
> Preparation and analysis for new and emerging regulatory changes
> Compliance
Key risks to actuarial function
Financial statement risks
Key process risk
> Controls on actuarial judgment and selections
> Treatment of data anomalies in the analysis
Key person risk/succession planning
> Over-reliance on a few key individuals
> Identify, develop and retain talent for key positions and areas
> Planning relating to reorganization, turnovers, or actuarial student rotations
Reliance on third-party providers
Data risk
> Accuracy
> Completeness
> Controls (reconciliation)
Other miscellaneous risk
> Assumptions
> Process around management best estimates vs. actuarial best estimate
Value optimization action steps
Value optimization action: Strategy alignment
Align internal audit strategy with organizational strategy. Formalize an internal audit strategic plan that addresses the following:
1) Stakeholder expectations
2) Consideration of changes in the audit plan mix one, three and five years ahead
3) Insurer organization strategies and risk appetite and internal audit implications
4) Resource and talent needs
Value optimization action: Resource enhancement
Conduct analyses:
> Training analysis
> Skills analysis
> Mapping and gap analysis
Begin the process to fill the gaps:
> Internal training
> Certification programs
> Co-sourcing / outsourcing
Value optimization action: Internal audit branding
Create a stronger internal audit brand
> Provide training to departments and business units on the purpose and value of internal audit
> Provide thought leadership to business units on internal control efficiencies, emerging risks, and industry hot topics
Value optimization action: Risk management focus
Ensure the internal audit plan reflects the current state and expected future state. Assess the strategic risks to the organization and discuss where internal audit can add value.
Value optimization action: Risk management focus
Considerations for audits and advisory reviews
1) Cyber security threat and vulnerability management
2) Cloud strategy and governance
3) Customer interaction and experience review
4) Budget and forecasting assessment
5) Vendor governance and risk management review
6) Data analytics effectiveness review
7) Actuarial risk management assessment
8) Product development efficiency and process review
9) Enterprise regulatory and compliance efficiency assessment
Value optimization action: Embrace data analytics
Incorporate data analytics to assist in driving the risk assessment process as part of the overall audit plan, as well as part of individual engagements. Model validation and data validation assurance is a key element to include in the overall audit plan.
Value optimization action: Be an ERM champion
ERM champion approach allows
> Linking from risk to strategy
> Building risk awareness throughout the organization
Be the thought leader
> Conduct training to business units
> Facilitate ERM workshops
> Provide education to the board of directors
> Provide updates on emerging risks
Value optimization action: Define internal audit success and monitor
Develop key performance indicators (KPIs)
> Best practices implemented
> Business unit cost savings/revenue enhancements identified and realized
> Issues monitored and closed
> Audit survey results
> Subject matter expert utilization and effectiveness
> Training, certification and CPE hours obtained
> Emerging risks monitored and reported
Value optimization action step summary
> Develop/Update the Internal audit strategy
> Define success and monitor
> Training and Skills Analysis
> Be an ERM champion
> Create a stronger IA brand
> Embrace Data analytics
> Risk management focus
Disclosure
The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought.
© 2015 Baker Tilly Virchow Krause, LLP