Internal audit value optimization for insurance organizations Webinar May 13, 2015 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Agenda and learning objectives Review the learning objectives Understand what we will cover today and takeaways 1 2 3 4 Understand the definition of internal audit and explore what “add value” means. Revisit some of the common challenges of adding value. Discuss the characteristics of an optimizing internal audit department and review the internal audit capability maturity model Understand the trends in the insurance industry that will transform internal audit's value proposition Identify how to incorporate leading practices in the short term and over time with a summary of clear action steps. Understanding internal audit and adding value Importance for insurance organizations Growing necessity for business insight and value from internal audit departments Regulation Emerging risks and market opportunities Advancing technology 4 Internal audit definition The Institute of Internal Auditors (IIA) defines internal auditing as an independent, objective assurance and consulting activity that adds value to and improves an organization’s operations. Assurance Insight Objectivity 5 What does it mean to “add value” The internal audit activity adds value to the organization (and its stakeholders),[and there is perceived value of contribution] when it provides objective and relative assurance, and contributes to the effectiveness of governance, risk management, and control processes. 6 Challenges to adding value Lack of resources in number and/or in talent SOX, MAR, compliance efforts encompassing majority of plan Politics, “tail wags the dog” Too much focus on routine audits Reduction in internal audit value Organizational perception as “company police” 7 Characteristics of an optimizing internal audit activity Learning organization • CAE and managers are key thought leaders • Continuous learning and process improvement culture • Defined process to evaluate skill set and training needs • Aligns risk assessment and audit plan with current skill sets Use of information inside and outside of organization • Leverage insights and feedback from business unit managers • Obtains knowledge of trends and emerging risks • Considers organizations strategic objectives and culture • Advisory on adapting to and maximizing technology trends Critical part of governance and risk management Top level professional and specialized skills World class recommendations • Appropriate visibility with management and board • Provide appropriate recommendations to improve governance • Integration of performance data and feedback • Continuous and ongoing quality assurance program Integrated performance measures 8 Internal audit activity maturity model Initial Infrastructure Integrated Managed Optimizing > Isolated audits > Lack of > Compliance > Assurance on > IA is recognized established practices > Advisory auditing services > Individual > Workforce professional development > Audit plan based on management priorities coordination > Risk based audit plans > Performance measures governance, risk and controls > Contribution to mgmt development > Audit strategy leverages ERM > Advanced performance measures as key agent of change > Leadership in professional organizations > Strategic IA planning > Transparency to organization on IA effectiveness 9 Insurance industry trends and internal audit implications 1) Predictive analytics and consumer facing platforms 2) Retiring baby boomers 3) Alternative and simplified customer distribution Health Life and annuity Insurance industry trends 1) Premiums rising 2) Individual mandate 3) Risk based premiums 4) Participation in Exchanges 4) Legacy system issues L&A and health risks > Reputational risks > System transformation and impact > Competition and market share protection / enhancement > Three R estimation 11 > Lower CATS and softening market > Alternative capital influx > Customer experience > Pursuit of higher yield P&C risks > Increased use of alternative investments > Marketing and underwriting changes > Data integrity, modeling, and underwriting strategy transformation Cross industry Property and casualty Insurance industry trends > Cybersecurity > Regulation adding cost and complexity • ORSA • Captive oversight • Corporate governance > Capital management and integration of internal and external models Cross industry risks > Cyber security readiness > Regulatory compliance and costs > Data integrity and model risk 12 Industry trends affecting IT IT and business have fused together to empower each other. Emerging industry trends and regulatory changes have effected IT. 1) Cybersecurity Risk and Regulation 2) Predictive Modeling and Data Analytics 3) Accessibility of information/consumer facing platforms 4) Increased competitive landscape (soft P&C market, health exchange, etc) requiring better customer experience and faster speed to market 13 Information technology (IT) trends Lack of legacy Core system integration Less in tune with customer demands Incompatibility Potential Increased Autonomous Technology Increased cyber security risk Ever changing end points Automated Decision Engines/Tools Advances in algorithms Less control over device management Predictive modeling and rating Constant tracking of Data and people Connected Home/Auto Continual monitoring of trends Context-aware security Wearables 14 Effects on information technology audit plan Sample 2010 IT IA Plan Focused on core IT general controls Sample 2015 IT IA Plan Focused on emerging risks and integration into ERM > Change management / system development life cycle (SDLC) > Vendor management > Access administration and authentication > Data breach and vulnerability management > Disaster recovery and business continuity planning > Data privacy > Computer operations and back-up > IT governance > Mobile device management and security > End user computing Trends in IT have lead internal audit departments to focus more on emerging technologies as risk assessment frameworks dictate. 15 Actuarial implications Key actuarial risks are emerging as a result of industry trends and regulatory changes. Traditional internal audit Optimizing internal audit • Actuaries are a supplement’ • Engaged to perform routine reviews • Reviews are minimally performed • specialized skill-set readily available in the internal audit workforce • Integrated on multiple audits Regulatory changes Key risks • • • • • • • • ORSA Solvency II Product design and transformation Data analytics Model Economic Pricing Regulatory • Financial statement • Process • Data 16 Key risks to actuarial function Enterprise risks Model risk and control > Models must be in compliance with all Actuarial Standards of Practice (ASOPs) > Appropriateness of the assumptions made in the calculations > Defined and documented process for each periodic review > Back-test the results (actual verses expected analyses) > Transparency of assumptions and limitations to key stakeholders (communications) 17 Key risks to actuarial function Enterprise risks (cont.) Economic and pricing risk > Price monitoring system – data reconciliation and frequency of review > Development of pricing assumptions > Treatment of differing characteristics of insured risks > Feedback loop on actual performance compared to pricing objectives Regulatory compliance > Preparation and analysis for new and emerging regulatory changes > Compliance 18 Key risks to actuarial function Financial statement risks Key process risk Reliance on third-party providers > Controls on actuarial judgment and selections > Treatment of data anomalies in the analysis Key person risk/succession planning > Over-reliance on a few key individuals > Identify, develop and retain talent for key positions and areas > Planning relating to reorganization, turnovers, or actuarial student rotations Data risk > Accuracy > Completeness > Controls (reconciliation) Other miscellaneous risk > Assumptions > Process around management best estimates vs. actuarial best estimate 19 Value optimization action steps Value optimization action: Strategy alignment Align internal audit strategy with organizational strategy. Formalize an internal audit strategic plan that addresses the following: 1) Stakeholder expectations 2) Consideration of changes in the audit plan mix one, three and five years ahead 3) Insurer organization strategies and risk appetite and internal audit implications 4) Resource and talent needs 21 Value optimization action: Resource enhancement Conduct analyses: > Training analysis > Skills analysis > Mapping and gap analysis Begin the process to fill the gaps > Internal training > Certification programs > Co-sourcing / outsourcing 22 Value optimization action: Internal audit branding Create a stronger internal audit brand > Providing training to departments and business units on the purpose and value of internal audit > Provide thought leadership to business units on internal control efficiencies, emerging risks, and industry hot topics 23 Value optimization action: Risk management focus Ensure the internal audit plan reflects the current state and expected future state. Assess the strategic risks to the organization and discuss where internal audit can add value. 24 Value optimization action: Risk management focus Considerations for audits and advisory reviews 1) Cyber security –threat and vulnerability management 2) Cloud strategy and governance 3) Customer interaction and experience review 4) Budget and forecasting assessment 5) Vendor governance and risk management review 6) Data analytics effectiveness review 7) Actuarial risk management assessment 8) Product development efficiency and process review 9) Enterprise regulatory and compliance efficiency assessment 25 Value optimization action: Embrace data analytics Incorporate data analytics to assist in driving the risk assessment process as part of the overall audit plan, as well as part of individual engagements. Model validation and data validation assurance is a key element to include in the overall audit plan. 26 Value optimization action: Be an ERM champion ERM champion approach allows > Linking from risk to strategy > Building risk awareness throughout the organization Be the thought leader > Conduct training to business units > Facilitate ERM workshops > Provide education to the board of directors > Provide updates on emerging risks 27 Value optimization action: Define internal audit success and monitor Develop key performance indicators (KPI’s) > Best practices implemented > Business unit cost savings/revenue enhancements identified and realized > Issues monitored and closed > Audit survey results > Subject matter expert utilization and effectiveness > Training, certification and CPE’s hours obtained > Emerging risks monitored and reported 28 Value optimization action step summary Develop/Update the Internal audit strategy Define success and monitor Be an ERM champion Training and Skills Analysis Create a stronger IA brand Embrace Data analytics Risk management focus 29 Disclosure The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought. Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. © 2015 Baker Tilly Virchow Krause, LLP 30
© Copyright 2024