Through my many years consulting with middle market insurance entities, the question I am often asked is, “why do we need an internal audit function?”
The belief is that internal audit is only required in larger, more complex entities and that the cost/benefit of an internal audit function would just not be there for them. However, this can be a very short-sighted conclusion, especially when you consider the high volume of transactions and the regulatory compliance issues facing entities in the insurance industry. I believe that the management of these entities needs to take a closer look at three important factors with respect to risk management and internal controls before dismissing the need for internal audit: management’s responsibility for internal control, the role of Internal Audit in fulfilling that responsibility, and the benefits of Internal Audit.
Management’s Responsibility for Internal Control
What is Internal Control?
Internal control, often referred to as management controls, in the broadest sense includes the plan of organization, methods and procedures adopted by management to meet its missions, goals and objectives. Internal controls also serve as the first line of defense against fraud and violations of laws, regulations and provisions of contracts and agreements.
Internal controls include:
- Processes for planning, organizing, directing and controlling operations
- Systems for measuring, reporting and monitoring performance
- Actions taken by management and other parties to enhance risk management and increase the likelihood that established objectives and goals will be achieved
Some of the benefits of having a good system of internal controls are:
- Helping protect assets and reduce the possibility of fraud
- Improving efficiency in operations
- Increasing financial reliability and integrity
- Ensuring compliance with laws and statutory regulations
- Establishing monitoring procedures
Who is Responsible for Internal Control?
It is a common expectation and often an explicit requirement that entities have a system of internal controls as described above. These requirements may be in the form of regulatory guidelines, contract/grant compliance stipulations or simply fiduciary responsibility. The direct and ultimate responsibility for internal control always lies with management. However, the baseline responsibility is usually attributed to the frontline personnel, while the oversight board (Directors, Trustees, etc.) is responsible for guidance and oversight. Management must take this responsibility very seriously or run a substantial risk of loss of funding, contractual penalties or regulatory scrutiny.
The Role of Internal Audit
What is Internal Auditing?
According to the Institute of Internal Auditors, “internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.” Simply said, internal audit is responsible for monitoring the effectiveness of the internal control processes that have been established by management.
How does Internal Audit monitor effectiveness of internal controls?
Internal audit serves many purposes, but the principal tasks include:
- Risk assessment – Assisting management with identifying and prioritizing areas or processes that require attention and audit focus
- Process walkthroughs and documentation – Gaining an understanding of the processes and procedures as they currently exist, especially with respect to the IT systems utilized in the processing of high volumes of policyholder/claims data
- Control assessment – Identifying gaps, also known as “trouble spots,” where procedures and controls are not properly designed
- Testing – Performing tests of controls to verify whether controls are working as designed
- Reporting – Providing observations and recommendations to improve processes and controls.
Risk is defined as the probability that an event or action may adversely affect the organization or activity under audit. Internal Audit should certainly participate in management’s entity-level Enterprise Risk Management assessment; but in addition, the more specific purpose of a risk assessment from an audit perspective is to enable the organization to:
- Prioritize audit projects by level of potential risk
- Determine the nature, timing, and extent of internal audit procedures in direct relation to the level of the risk
- Develop a plan for performing internal audit projects in risk areas to minimize the risk of loss to the Company
- Use everyone’s time in an effective and efficient manner
The risk assessment process includes the review of existing documentation such as Prior Audit Findings, the entity’s Strategic Plan, and its Financial Statements, and interviewing department heads and process owners with a focus on “what can go wrong” scenarios.
In particular, Internal Audit would be alert for organizational changes that could potentially impact the management of risk. These shifts could include organizational ethics, management reorganizations, financial demands, resource constraints, technology/internet/E-business, consolidations/alliances, and legislative/regulatory imperatives, to name a few.
Benefits of Internal Audit
Having now articulated management’s responsibility for internal controls and how internal audit might play a role in assisting management to fulfill that responsibility, let’s look at some specific benefits that an Internal Audit function can provide to an organization and its management:
- The scope of the internal audit is defined by management or the Board (not an outside agency or adversarial entity)
- Internal Audit “reports” directly to management or the Board (not an outside agency or adversarial entity)
- Improves the “control environment” of the organization
- Makes the organization process-dependent instead of person-dependent
- Identifies redundancies in operational and control procedures and provides recommendations to improve the efficiency and effectiveness of procedures
- Serves as an Early Warning System, enabling deficiencies to be identified and remediated on a timely basis (i.e. prior to external, regulatory or compliance audits)
- Ultimately increases accountability within the organization.
So with a properly staffed internal audit function, management would have, at its fingertips: an advocate, a risk manager, a controls expert, an efficiency specialist, a problem-solving partner and a safety net.
Management would be well served by having an internal audit function assisting it with its risk assessment process and ensuring that the responsibility for maintaining a system of internal controls has been fulfilled.
The establishment of an internal audit function need not be a major investment. An entity does not have to jump into the deep end of the pool and hire an entire department. The function can be internal, but just as easily outsourced or co-sourced. A very efficient option, equivalent to wading into the shallow end of the pool, would begin with a preliminary risk assessment and then prioritize the areas of need. At that point, a meaningful decision can be made as to how to efficiently staff the priority projects and get the benefit of an internal auditor on your team.
The information contained herein is not necessarily all-inclusive, does not constitute legal or any other advice, and should not be relied upon without first consulting with appropriately qualified professionals.