Internal audit value optimization for insurance organizations
Webinar
May 13, 2015
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

Agenda and learning objectives
Review the learning objectives
Understand what we will cover today and takeaways
1) Understand the definition of internal audit and explore what “add value” means. Revisit some of the common challenges of adding value.
2) Discuss the characteristics of an optimizing internal audit department and review the internal audit capability maturity model.
3) Understand the trends in the insurance industry that will transform internal audit's value proposition.
4) Identify how to incorporate leading practices in the short term and over time with a summary of clear action steps.

Understanding internal audit and adding value

Importance for insurance organizations
Growing necessity for business insight and value from internal audit departments
Regulation
Emerging risks and market opportunities
Advancing technology

Internal audit definition
The Institute of Internal Auditors (IIA) defines internal auditing as an independent, objective assurance and consulting activity that adds value to and improves an organization’s operations.
Assurance
Insight
Objectivity

What does it mean to “add value”?
The internal audit activity adds value to the organization (and its stakeholders), [and there is perceived value of contribution] when it provides objective and relative assurance, and contributes to the effectiveness of governance, risk management, and control processes.

Challenges to adding value
Lack of resources in number and/or in talent
SOX, MAR, compliance efforts encompassing majority of plan
Politics, “tail wags the dog”
Too much focus on routine audits
Reduction in internal audit value
Organizational perception as “company police”

Characteristics of an optimizing internal audit activity
Learning organization
• CAE and managers are key thought leaders
• Continuous learning and process improvement culture
• Defined process to evaluate skill set and training needs
• Aligns risk assessment and audit plan with current skill sets
Use of information inside and outside of organization
• Leverage insights and feedback from business unit managers
• Obtains knowledge of trends and emerging risks
• Considers organization's strategic objectives and culture
• Advisory on adapting to and maximizing technology trends
Critical part of governance and risk management
Top level professional and specialized skills
World class recommendations
• Appropriate visibility with management and board
• Provide appropriate recommendations to improve governance
• Integration of performance data and feedback
• Continuous and ongoing quality assurance program
Integrated performance measures

Internal audit activity maturity model
Initial
> Isolated audits
> Lack of established practices
Infrastructure
> Compliance auditing
> Individual professional development
> Audit plan based on management priorities
Integrated
> Advisory services
> Workforce coordination
> Risk based audit plans
> Performance measures
Managed
> Assurance on governance, risk and controls
> Contribution to mgmt development
> Audit strategy leverages ERM
> Advanced performance measures
Optimizing
> IA is recognized as key agent of change
> Leadership in professional organizations
> Strategic IA planning
> Transparency to organization on IA effectiveness

Insurance industry trends and internal audit implications

Insurance industry trends
Life and annuity
1) Predictive analytics and consumer facing platforms
2) Retiring baby boomers
3) Alternative and simplified customer distribution
4) Legacy system issues
Health
1) Premiums rising
2) Individual mandate
3) Risk based premiums
4) Participation in Exchanges
L&A and health risks
> Reputational risks
> System transformation and impact
> Competition and market share protection / enhancement
> Three R estimation

Insurance industry trends
Property and casualty
> Lower CATS and softening market
> Alternative capital influx
> Customer experience
> Pursuit of higher yield
P&C risks
> Increased use of alternative investments
> Marketing and underwriting changes
> Data integrity, modeling, and underwriting strategy transformation
Cross industry
> Cybersecurity
> Regulation adding cost and complexity
• ORSA
• Captive oversight
• Corporate governance
> Capital management and integration of internal and external models
Cross industry risks
> Cyber security readiness
> Regulatory compliance and costs
> Data integrity and model risk

Industry trends affecting IT
IT and business have fused together to empower each other.
Emerging industry trends and regulatory changes have affected IT.
1) Cybersecurity Risk and Regulation
2) Predictive Modeling and Data Analytics
3) Accessibility of information/consumer facing platforms
4) Increased competitive landscape (soft P&C market, health exchange, etc.) requiring better customer experience and faster speed to market

Information technology (IT) trends
Lack of legacy
Core system
integration
Less in tune with customer demands
Incompatibility
Potential
Increased
Autonomous
Technology
Increased cyber security risk
Ever changing end points
Automated Decision Engines/Tools
Advances in algorithms
Less control over device management
Predictive modeling and rating
Constant tracking of Data and people
Connected Home/Auto
Continual monitoring of trends
Context-aware security
Wearables

Effects on information technology audit plan
Sample 2010 IT IA Plan: Focused on core IT general controls
Sample 2015 IT IA Plan: Focused on emerging risks and integration into ERM
> Change management / system development life cycle (SDLC)
> Vendor management
> Access administration and authentication
> Data breach and vulnerability management
> Disaster recovery and business continuity planning
> Data privacy
> Computer operations and back-up
> IT governance
> Mobile device management and security
> End user computing
Trends in IT have led internal audit departments to focus more on emerging technologies as risk assessment frameworks dictate.

Actuarial implications
Key actuarial risks are emerging as a result of industry trends and regulatory changes.
Traditional internal audit
Optimizing internal audit
• Actuaries are a supplement
• Engaged to perform routine reviews
• Reviews are minimally performed
• Specialized skill-set readily available in the internal audit workforce
• Integrated on multiple audits
Regulatory changes
Key risks
• ORSA
• Solvency II
• Product design and transformation
• Data analytics
• Model
• Economic
• Pricing
• Regulatory
• Financial statement
• Process
• Data

Key risks to actuarial function
Enterprise risks
Model risk and control
> Models must be in compliance with all Actuarial Standards of Practice (ASOPs)
> Appropriateness of the assumptions made in the calculations
> Defined and documented process for each periodic review
> Back-test the results (actual versus expected analyses)
> Transparency of assumptions and limitations to key stakeholders (communications)

Key risks to actuarial function
Enterprise risks (cont.)
Economic and pricing risk
> Price monitoring system – data reconciliation and frequency of review
> Development of pricing assumptions
> Treatment of differing characteristics of insured risks
> Feedback loop on actual performance compared to pricing objectives
Regulatory compliance
> Preparation and analysis for new and emerging regulatory changes
> Compliance

Key risks to actuarial function
Financial statement risks
Key process risk
Reliance on third-party providers
> Controls on actuarial judgment and selections
> Treatment of data anomalies in the analysis
Key person risk/succession planning
> Over-reliance on a few key individuals
> Identify, develop and retain talent for key positions and areas
> Planning relating to reorganization, turnovers, or actuarial student rotations
Data risk
> Accuracy
> Completeness
> Controls (reconciliation)
Other miscellaneous risk
> Assumptions
> Process around management best estimates vs. actuarial best estimate

Value optimization action steps

Value optimization action: Strategy alignment
Align internal audit strategy with organizational strategy.
Formalize an internal audit strategic plan that addresses the following:
1) Stakeholder expectations
2) Consideration of changes in the audit plan mix one, three and five years ahead
3) Insurer organization strategies and risk appetite and internal audit implications
4) Resource and talent needs

Value optimization action: Resource enhancement
Conduct analyses:
> Training analysis
> Skills analysis
> Mapping and gap analysis
Begin the process to fill the gaps
> Internal training
> Certification programs
> Co-sourcing / outsourcing

Value optimization action: Internal audit branding
Create a stronger internal audit brand
> Provide training to departments and business units on the purpose and value of internal audit
> Provide thought leadership to business units on internal control efficiencies, emerging risks, and industry hot topics

Value optimization action: Risk management focus
Ensure the internal audit plan reflects the current state and expected future state.
Assess the strategic risks to the organization and discuss where internal audit can add value.

Value optimization action: Risk management focus
Considerations for audits and advisory reviews
1) Cyber security – threat and vulnerability management
2) Cloud strategy and governance
3) Customer interaction and experience review
4) Budget and forecasting assessment
5) Vendor governance and risk management review
6) Data analytics effectiveness review
7) Actuarial risk management assessment
8) Product development efficiency and process review
9) Enterprise regulatory and compliance efficiency assessment

Value optimization action: Embrace data analytics
Incorporate data analytics to assist in driving the risk assessment process as part of the overall audit plan, as well as part of individual engagements.
Model validation and data validation assurance is a key element to include in the overall audit plan.

Value optimization action: Be an ERM champion
ERM champion approach allows
> Linking from risk to strategy
> Building risk awareness throughout the organization
Be the thought leader
> Conduct training for business units
> Facilitate ERM workshops
> Provide education to the board of directors
> Provide updates on emerging risks

Value optimization action: Define internal audit success and monitor
Develop key performance indicators (KPIs)
> Best practices implemented
> Business unit cost savings/revenue enhancements identified and realized
> Issues monitored and closed
> Audit survey results
> Subject matter expert utilization and effectiveness
> Training, certification and CPE hours obtained
> Emerging risks monitored and reported

Value optimization action step summary
Develop/Update the Internal audit strategy
Define success and monitor
Be an ERM champion
Training and Skills Analysis
Create a stronger IA brand
Embrace Data analytics
Risk management focus

Disclosure
The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought.
© 2015 Baker Tilly Virchow Krause, LLP