The belief is that internal audit is only required in larger, more complex entities and that the cost/benefit of an internal audit function would just not be there for them. However this can be a very short sighted conclusion, especially when you consider the high volume of transactions and the regulatory compliance issues facing entities in the insurance industry. I believe that the management of these entities needs to take a closer look at three important factors with respect to risk management and internal controls before dismissing the need for internal audit: Management’s responsibility for internal control, the role of Internal Audit in fulfilling that responsibility and the benefits of Internal Audit.
First of all let’s answer the question – What is Internal Control?
Internal control, often referred to as management controls, in the broadest sense includes the plan of organization, methods and procedures adopted by management to meet its missions, goals and objectives. Internal controls also serve as the first line of defense in fraud and violations of laws, regulations and provisions of contracts and agreements.
Processes for planning, organizing, directing and controlling operations
Systems for measuring, reporting and monitoring performance
Actions taken by management and other parties to enhance risk-management and increase the likelihood that established objectives and goals will be achieved
Some of the benefits of having a good system of internal controls are:
Who is Responsible for Internal Control?
It is a common expectation and often an explicit requirement that entities have a system of internal controls as described above. These requirements may be in the form of regulatory guidelines, contract/grant compliance stipulations or simply fiduciary responsibility. The direct and ultimate responsibility for internal control always lies with management. However, the baseline responsibility is usually attributed to the frontline personnel, while the oversight board (Directors, Trustees, etc.) is responsible for guidance and oversight. Management must take this responsibility very seriously or run substantial risk of loss of funding, contractual penalties or regulatory scrutiny.
What is Internal Auditing?
According to the Institute of Internal Auditors, “internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.” Simply said, internal audit is responsible for monitoring the effectiveness of the internal control processes that have been established by management.
How does Internal Audit monitor effectiveness of internal controls?
Internal audit serves many purposes, but the principal tasks include:
Risk is defined as the probability that an event or action may adversely affect the organization or activity under audit. Internal Audit should certainly participate in management’s entity-level Enterprise Risk Management assessment; but in addition, the more specific purpose of a risk assessment from an audit perspective is to enable the organization to:
The risk assessment process includes the review of existing documentation such as Prior Audit Findings, the entity’s Strategic Plan, and its Financial Statements, and interviewing department heads and process owners with a focus on “what can go wrong” scenarios.
In particular, Internal Audit would be alert for organizational changes that could potentially impact the management of risk. These shifts could include organizational ethics, management reorganizations, financial demands, resource constraints, technology/internet/E-business, consolidations/alliances, and legislative/regulatory imperatives to name a few.
Having now articulated management’s responsibility for internal controls and how internal audit might play a role in assisting management to fulfill that responsibility, let’s look at some specific benefits that an Internal Audit function can provide to an organization and its management:
So with a properly staffed internal audit function, management would have, at its fingertips: an advocate, a risk manager, a controls expert, an efficiency specialist, a problem-solving partner and a safety net.
Management would be well served by having an internal audit function assisting it with its risk assessment process and ensuring that the responsibility for maintaining a system of internal controls has been fulfilled.
The establishment of an internal audit function need not be a major investment. An entity does not have to jump into the deep end of the pool and hire an entire department. The function can be internal, but just as easily out-sourced or co-sourced. A very efficient option, equivalent to wading into the shallow end of the pool, would begin with a preliminary risk assessment and then prioritize the areas of need. At which time, a meaningful decision can be made as to how to efficiently staff the priority projects and get the benefit of an internal auditor on your team.
The information contained herein is not necessarily all-inclusive, does not constitute legal or any other advice, and should not be relied upon without first consulting with appropriately qualified professionals.
For questions or to speak with a member of Withum’s Insurance Services Group, please contact us by filling out the form below.