Optimising the value from a small scale internal audit function. Insurance PRECISE. PROVEN. PERFORMANCE.


Contents
Optimising the value from a small scale internal audit function
Strategically positioned
Enabled by talent, technology and process
Agile and innovative culture
Insightful assurance
Maturity model: key steps to optimising value in a small IA function

Optimising the value from a small scale internal audit function

Many insurers face the challenge of embedding an effective three lines of defence model that is value-adding yet remains proportionate: in simple terms, that the benefit outweighs the cost. While this fine balance applies to board governance arrangements and across all control functions (risk, compliance, actuarial and internal audit), the challenge is often more acute for the internal audit (IA) function, given:

the perceived 'one size fits all' approach to compliance with the IA professional standards framework and the CIIA's Guidance for IA in financial services (the 'FS Code');
increased regulatory scrutiny and oversight of the activities and effectiveness of IA.

In addition to the raised expectations, IA has never faced a more challenging and dynamic business environment upon which to assure. Technology continues to disrupt at an unprecedented pace and scale, customer expectations are rising, and the rapid adoption of process innovation to drive efficiencies and/or embrace technology is rife. Similarly, the people agenda continues to change at all levels, with an ageing population impacting on the workforce, and the behaviour patterns of millennials transforming working models. As if this list was not enough, the industry continues to face regulatory change and the uncertainties of Brexit hover over us.

It is now essential that both big and small insurance IA functions seek optimal ways to provide assurance in these challenging times. To be effective, IA will need to be strategically positioned within the organisation, well-enabled by talent, technology and process, and operate with an agile and innovative culture, in order to provide insightful assurance.

In this brochure, we assess the particular challenges that small IA functions face to ensure effectiveness, as well as the ability to adapt and embrace change in order to keep match fit in a fast-changing business landscape.

[Figure labels: Positioning, Enablement, Reporting, Technology, Strategically positioned, Insight, Talent, Agile & innovative culture, Process, Foresight]


Strategically positioned

For any IA function, it is imperative that it is well-positioned to ensure gravitas, impact and influence with the Audit Committee and executive management, but also to ensure that it is able to provide appropriate assurance for the key risks facing the insurer. Strategically positioning the IA function can be a particular challenge for small insurers for several reasons:

Positioning and gravitas: for a small team, positioning the IA function with a seat at the top table can be challenging. Buy-in from functionally expert executives can be challenging where the IA team are reasonably knowledgeable across many functions and activities, yet do not hold the same expertise as the executive manager of each functional area.

Maintaining demonstrable independence: being the Head of IA in a small team can be relatively lonely; there is a lack of peers and colleagues to bounce ideas and thoughts off. Furthermore, challenge from the business on control findings raised by IA can make it feel a lonely place to be in. Given this, maintaining robust independence and objectivity can be a challenge.

Breadth and depth of assurance: small IA teams can face practical difficulties in providing the full breadth of assurance needed across the business, and at the depth of insight and technical challenge needed to provide insightful, or outcomes-based, assurance. This may be due to budgetary constraints or limitations on the depth of technical skills available within a small team (without the use of a co-sourced arrangement). The FS Code sets out good practice expectations, including: (i) areas of expected coverage; and (ii) the use of appropriate skills and expertise to deliver the assurance. However, commercial realities can, in practice, place pressures on small IA functions in meeting these expectations. A particular example is IA's role in relation to key corporate events, which is often absent in smaller IA functions' assurance activities.

Detailed testing vs continuous monitoring: small IA functions, and specifically Heads of IA, face a challenge in balancing their time and focus between undertaking detailed IA controls testing (necessary to provide objective assurance over core processes and risks) and demonstrating higher level interactions with executive management (real time and regular interaction to keep abreast of business activity and business change).

Practical suggestions

Clearly define the purpose and position of IA and articulate how independence will be maintained. This should help avoid (actual or perceived) conflicts if a robust independence and objectivity framework is defined and rigorously followed.

Develop a strategic plan which sets out the vision for IA as a function and how it will bring value to the insurer over the next three to five years, including its adaptability to remain current and aligned to any changes in the business strategy and related business model.

Develop a range of assurance approaches encompassing a defined approach to change activities, continuous monitoring, narrow/focussed reviews as well as more traditional, detailed full scope audits of core processes. Clearly articulate each style of audit within an assurance approach framework and embed the decision on which assurance approach is intended in the risk-based planning process.

Ensure IA planning is risk based. Communicate the plan to the Audit Committee as 'must-haves'; 'nice to haves' and other potential audit areas, to facilitate a debate on the appropriate assurance appetite of the insurer, rather than presenting a plan based solely on available resource/days.

Ensure that the risk-based planning processes incorporate: (i) flexibility through the year in adapting to changing business needs; (ii) a margin of resource availability for continuous monitoring and real time assurance; and (iii) an assessment of how IA can bring impact and influence in its assurance activities.

Identify areas where co-sourcing can be of benefit and discuss the benefit early in the planning process with AC members and key executive stakeholders (deeper, outcomes-based assurance delivered through a subject matter expert; benchmarking against wider market practices; wider insight and foresight of emerging trends, risks and practices).

Ensure the weekly/monthly workload and diary includes time dedicated to management and executive interaction, and schedule these to ensure such meetings take place.

Articulate how and where IA can add value to the business, to enhance stakeholder awareness and trust in the benefit of IA.

Enabled by talent, technology and process

It is imperative for an IA function to possess talented resources, deploy appropriate technology, and operate with sufficiently defined processes. However, challenges are often presented to smaller IA functions in relation to these key areas:

Talent management: it can be more difficult for a smaller IA function to attract and retain talent, given the salary competitiveness and, perhaps, brand perception of working for a larger insurer.

Subject matter credibility: smaller IA functions can lack depth of subject matter specialism in-house, often perceived by business stakeholders as a measure of the talent within IA. It is also often more difficult for the IA function to obtain a good budget for learning and development and the ongoing training of IA staff.

Use of technology: enabling the IA function through technology can support efficiencies in IA processes and methodology for larger teams, and provides for increased consistency in a defined, automated and methodical IA approach. Deployment of technology often lacks such tangible benefits for a smaller team; for example, to automate a relatively simplistic methodology (which is typically defined through a series of standardised word templates, through which consistency/quality is achieved by all individuals in the IA team) or to automate issue tracking (where a spreadsheet can typically suffice). The capability of cloud-based technology and the growth in IA software and automated tools, as 'off the shelf' packages, can, however, make such technology available in a cost-efficient and proportionate way for smaller IA teams.

Data analytics: a common and frequently discussed trend in IA approaches is the deployment of data analytics, with its obvious benefits of whole-population testing and continuous-assurance capability. Deployment of data analytics requires three main things: (i) an understanding of the underlying audit area (to know what questions to ask the data); (ii) appropriate tools and technology; and (iii) appropriately skilled staff to data model, mine and programme software. Whilst the skills in relation to the first point typically exist in a small IA team, the latter two can be a challenge because of the lack of such skills in-house and the cost of third party support.

Formality of methodology and process: IA processes can often be less structured and formalised in a smaller IA team, for example the formality of methodology and documentation standards.

Quality assurance: quality control over the assurance provided by IA can be difficult to achieve in a smaller IA team, where an independent quality assurance activity is not practical.

Practical suggestions

Work with HR on ways to bring a competitive edge to support recruitment and retention strategies, e.g. flexible working arrangements, emphasising wider benefits of the insurer to candidates and to retain staff.

Small IA teams benefit from the direct contact of all IA team members with the Head of IA. Heads of IA should take advantage of this, ensuring that a good amount of time is dedicated to coaching and developing team members and encouraging collective teamworking.

Conduct regular engagement surveys with the team to seek input on how to make it a better place to work.

Ensure the in-house IA team benefit and learn from any subject matter experts engaged via co-source arrangements. Ensure knowledge transfer from the expert is agreed as an essential by-product of the co-sourcing.

Encourage 'lunch & learn' sessions for the IA team with business stakeholders to learn more about the business, specifically through technical and commercial insights.

Identify areas where subject expertise is required and assess whether there is cost-benefit to the business from an integrated assurance approach, combining the scope for first, second and third line of defence into one externally-sourced review.

As part of an annual IA strategic planning process, conduct a cost-benefit analysis of areas where IA processes can be automated. Seek input from your professional advisors and peers on how they are automating processes and applying technology, to benchmark practices to wider norms and evolving trends.

Identify whether there is a business intelligence centre in your business with whom you can share economies of scale in developing data analytical capability.

Seek cost efficient ways to train the IA team on using data analytics. Ensure IA team recruitment includes an assessment of technology and data competency, to ensure new joiners are fit for the future in terms of technology and data analytics.

Assess how best to maintain quality control over IA work. Illustrative approaches could include: (i) peer challenge on all reports (all team members quality reviewing a draft report); (ii) open challenge forum and team meetings at key points in the audit cycle; (iii) engaging a third party (co-source) firm to provide quality assurance on a sample of files during the course of the year; and (iv) whilst managing independence issues, assess whether other control functions (risk and compliance) can support the quality review of IA reports and outputs, to compare findings to their own assessments and opinions, before report issuance.

Agile and innovative culture

Given the pace and scale of change in the modern business world, IA needs to ensure adaptability to evolving business needs. Adaptability can only happen where the mindset of the IA team is both inviting and accepting of change. Such a willingness to adapt and be flexible will improve business stakeholder feedback and opinions on IA and thereby further improve the gravitas of the IA function. Some of the practical issues in embedding a more agile, innovative culture are set out below:

Tradition, formality and process: traditionally, IA functions have been slow to change and instead tended to opt for the status quo in defined processes and practices, with methodology, formality and consistency being the key drivers to demonstrate clear compliance with professional standards. Feedback from the PRA and FCA is often that IA is not well-aligned to the key risks as perceived by the regulators, which suggests clinging to traditional ways of doing things may not be the best overall approach. A flexible mindset and culture is required to ensure IA continually seeks ways to revise IA processes and approaches to best fit the needs of the business.

Small and nimble: often, change is easier to effect in a small team. Transformation in a small team can be effected with limited effort needed, given the lack of large-scale process to re-invent, the relatively small number of people to communicate any changes to, and the relative ease by which the impact of change can be validated. By comparison, a large IA team needs a more granular communication plan and co-ordination to support changes, more defined policy and procedure to ensure clarity and consistency, and more defined steps to assess the effectiveness of any implemented change.

Practical hints

Conduct an annual self-assessment on IA's effectiveness, which focusses on the impact, influence and value added to the business.

Continually seek input from stakeholders on how IA can improve, as part of an annual feedback process, but also upon completion of each IA review. Ask: where could IA have given more value? Could the approach adopted have been different in its timing or approach?

Encourage all IA team members to contribute ideas and innovation. Hold a quarterly 'innovation hour', to create a time where open thinking and challenge is actively encouraged as a team event.

Define performance measurement criteria for the IA function and use these to drive an ongoing assessment of the effectiveness of the IA function.

Define values for the IA team, to foster and embed an agile and innovative culture.

Review the IA plan with an open mind. Seek stakeholder input to determine the most valuable assurance statement for the audit. Assess the best way to achieve the audit objective and outcome. This will drive behaviours that find the most appropriate approach, rather than defaulting to the traditional normal approach.

Be open minded to assessing whether a new approach was worth it (to the business) and develop/refine for using again.

Insightful assurance

Developing robust processes and approaches for auditing does not necessarily result in effective and insightful reporting that commands the attention of business stakeholders, and which is recognised for its value add to the insurer. The value of the assurance is, to most stakeholders, best measured by their perspective on the final output: the IA report and deliverable. Typical characteristics of IA reporting are set out below.

Consistency of IA reporting: traditionally, IA reports adopt a consistent format, style and structure. In a small team, it is easier to maintain consistency in style compared to a larger team, where different personalities are bound to write in different styles and rate issues and findings from a wide range of differing perspectives. Stakeholders, especially at Audit Committee level, appreciate such consistency as it maintains the focus on what really matters, from an enterprise-wide perspective.

A trend to more imaginative reporting formats: tradition and consistency do not, however, mean that information is presented in the best way to stakeholders, and amended to best fit each IA review. Adaptability of the format and structure, for example using PowerPoint presentations, heatmaps and dashboard reports, may improve the communication of key findings to stakeholders.

Wider insight and foresight is valuable: IA reports often present control gaps but less frequently provide wider insight and/or foresight, such as: (i) maturity profiling; (ii) control sustainability; (iii) emerging risk considerations; and (iv) root cause analysis and thematic trends identified through the IA work. Delivering such insight/foresight reporting can be a particular challenge to a small IA team, given that wider insights are often easier to obtain from a subject matter expert who is well placed with wider market information and data upon which to draw.

Compounded reporting: smaller IA functions tend to have a smaller volume and breadth of assurance within a year compared to a larger function, which can inhibit the ability of the IA team to conduct meaningful analysis of trends and themes and to conduct root cause analysis. However, such thematic reporting can be easily introduced to a small IA team, given that the knowledge of all issues and findings is derived from a few individuals (rather than across multiple individuals in a disparate, larger IA team). A smaller team is often more closely integrated in day to day business activity and thereby is aware of wider issues and/or control failures identified across the three lines of defence.

Reporting on culture: the FS Code recommends that IA provides an assessment on the culture within the organisation, although the Code also states that further guidance is needed on how best to assure on this highly subjective area. This guidance is yet to be provided by the IIA. Market practices indicate that larger IA functions are embracing approaches to assuring on culture, but smaller IA functions are not to the same extent. This may be because of: (i) a lack of clear guidance on how to best audit and report on culture; (ii) a lack of the wide range of assurance needed to provide an objective assurance statement on a fairly subjective topic; or (iii) fear of relationship trauma with key stakeholders where assessments may be adverse in relation to a specific functional area.

Practical hints

Periodically seek stakeholder feedback on the IA report template: which bits are superfluous, which bits are most valuable. Amend templates in line with this feedback.

Identify ways to bring PowerPoint/presentation style reporting into the reporting style, to complement the more traditional IA reporting format.

Challenge how best to structure the audit's findings in a report and be courageous in presenting in this way rather than defaulting to the usual format.

Ensure the reporting format is properly considered, at an early stage, where IA is providing assurance on change and business transformation or through data analytical or continuous monitoring/assurance approaches. Agree the best way of reporting with stakeholders at an early stage of the audit process.

Adopt a 'summary on a page' concept, to ensure, for all reports, key findings and messages are communicated in an executive dashboard or one-page summary.

Discuss with the Audit Committee, executive management and the second line of defence, the ways in which the business can develop organisational, risk and control culture throughout the organisation, and how processes can be implemented to define, measure and assess cultural expectations. Clarify the role of IA in relation to this and ensure IA's role and approach is reported through, and approved by, the Audit Committee.

Maturity model: key steps to optimising value in a small IA function

Defined Managed

Strategic positioning

Role of IA understood by the business; risk-based plan approved by AC; budget and in-house resource are key drivers in approving the plan; clear assurance approach but limited flexibility in this; some interaction with risk function but tangible benefits of the interaction are limited. IA respectfully positioned in the insurer and has good access to key stakeholders on an ad-hoc basis. IA plan and activities are risk-based and provide relatively good coverage of key risks facing the business; days allocated to each review align well to the risk of each subject matter; effective co-ordination of IA and other control functions (especially Risk function). Subject matter experts are engaged to optimise value of assurance and provide wider insight and outcomes-based assurance.

Well-enabled Agile & innovative culture

IA team consists of capable internal auditors; some use of co-source or guest auditors to bring subject matter expertise into the team. Processes are largely manual/spreadsheet based with the use of standardised word templates for key deliverables. Assurance approaches are based on relatively traditional control-testing. Limited evidence of embedded quality assurance practices. IA adopts more traditional assurance approaches and assesses performance periodically via an internal or external quality assessment. IA team resource builds capability in key areas (e.g. regulatory, technology, underwriting and conduct) and uses co-source to support assurance quality. Processes are subject to annual review/refresh to ensure they remain current. Quality control measures are in place. IA team adapts assurance approaches but with suitable safeguards in place, before work starts, to ensure IIA standards are fully met and process/approach is fully defined. Change tends to be led by the Head of IA. Key performance indicators monitor IA performance to measure effectiveness and efficiency.

Insightful assurance

IA reporting follows a consistent template, highlighting control issues identified from the audit work performed. IA reports are consistent in structure and are rated according to pre-defined criteria (for example on the overall control environment and rating individual control issues). IA reporting includes a dashboard or one-page summary to allow the reader to assimilate key information easily.

Integrated Innovation Innovative

IA has strong position with stakeholders and effectively interacts and shares information with second line of defence. IA is engaged in change activities and provides real time contribution to the assurance needs of business transformation. Subject matter expertise is engaged to optimise the value of assurance. IA plan includes an allowance for continuous monitoring and maintains appropriate flexibility over a calendar year, to adapt assurance areas and approaches as business needs change. IA provides effective challenge on governance and risk management frameworks. IA draws on appropriate expertise to support assurance and has an appropriately safeguarded integrated assurance framework to drive efficiencies in assurance across the three lines of defence. IA team has a defined strategy for incorporating technology where business-beneficial and has some capability for data analytical auditing. Quality assurance embedded. All IA team members are encouraged to identify new ways to do things. Continual improvement is a cultural way of thinking and stakeholder feedback is sought as a key input to this. Change is embraced by the team. Key Performance Indicators include effectiveness, efficiency measures and also include value driven measurement. IA reports include wider insight and foresight reporting where possible, for example, where subject matter or co-source expertise has been used, or where external benchmarks are available. IA has a clear approach to assuring and reporting on culture. Reports receive positive feedback from stakeholders on their value and business-benefit. Reports are frequently reflected upon by stakeholders as contributing to effective risk management and controllership and to ensure insightful and foresightful recommendations. IA is a valued business partner to executive stakeholders. IA maintains an agile planning approach, with frequent review and adaptability to ensure optimal alignment to business needs.

Assurance approach varies to ensure the best fit for each assignment and deployment of the right skills at the right time to support the business and provide timely, relevant assurance on the key risks and strategic priorities of the insurer. IA strategy includes forethought on assurance needs and a medium/longer term resourcing technology strategy to provide the required assurance. Processes are adaptable and agile to business needs, quality assured and optimise the value obtained from the assurance, including the use of continuous monitoring, defined approaches for change assurance and for using data analytics. IA team members are encouraged to think in an agile way. Short timeline from innovative thinking to acting and embedding. Assurance approaches adapt to meet business needs, ensure the outcome of the assurance need is best met; IA team members are empowered to determine this to support speedy decision making and agile auditing processes. Key performance measurements are embedded in IA behaviour, in a culture that supports continual improvement and driving business benefit and value. IA reports are salient, focussed and modified to best suit the needs of each report. Dashboards, maturity profiles, heat-maps and bubble-charts are frequently used in reporting.

Strategic positioning Well-enabled Agile & innovative culture Insightful assurance

About Moore Stephens

We help you thrive in a changing world. We provide all the support and guidance you need to deal with new risks and opportunities. We ensure easy access to the right people, so decisions can be made quickly and confidently. A consistent team will partner with you to support your aspirations and contribute to your success. You'll have access to a range of core services, including audit, accounting, tax, risk and systems assurance, corporate finance, restructuring and insolvency, wealth management and disputes analysis. As a Top 10 accounting and advisory network we support a broad range of individuals and entrepreneurs, large organisations and complex international businesses.

Contact information

If you would like further information on any item within this brochure, or information on our services please contact:

Ian Gardner
Partner
Governance, Risk & Assurance
ian.gardner@moorestephens.com

If your business and personal interactions need to expand, we'll help make it happen, coordinating advice from a network of offices throughout the UK and in more than 100 countries.

Moore Stephens globally

Moore Stephens International is the 11th largest global accountancy and consulting network, headquartered in London. With fees of over US$2.9 billion and offices in 112 countries, clients have access to the resources and capabilities to meet their global needs.

By combining local expertise and experience with the breadth of our UK and worldwide networks, clients can be confident that, whatever their requirement, Moore Stephens provides the right solution to their local, national and international needs.

Moore Stephens LLP, 150 Aldersgate Street, London EC1A 4AB T +44 (0)

We believe the information contained herein to be correct at the time of going to press, but we cannot accept any responsibility for any loss occasioned to any person as a result of action or refraining from action as a result of any item herein. Printed and published by Moore Stephens LLP, a member firm of Moore Stephens International Limited, a worldwide network of independent firms. Moore Stephens LLP is registered to carry on audit work in the UK and Ireland by the Institute of Chartered Accountants in England and Wales. Authorised and regulated by the Financial Conduct Authority for investment business. DS40375 October 2018