As the entire insurance industry redirects and sharpens its focus on operational and strategic planning issues, insurers are more concerned than ever with achieving compliance, efficiency, and effectiveness within the internal audit arena. Below we have highlighted several hot-button areas that pose challenges to company leadership and board members alike.
Model Regulation Requiring an Internal Audit Function
In the recent revisions to the Model Audit Rule, the National Association of Insurance Commissioners established an internal audit function requirement for individual insurers with direct written and assumed premiums greater than $500 million and insurers who are members of an insurance group with direct written and assumed premiums greater than $1 billion. These regulations require that the internal audit function must remain independent and provide objective and reasonable assurance to the audit committee regarding corporate governance, risk management, and internal controls. The head of the internal audit function is to have direct access to the audit committee and regularly report on the audit plan, material findings, and remediation plans implemented by management. As this provision becomes a reality, companies will quickly need to build world-class audit functions that are scalable to specific needs and risks.
Corporate Governance Annual Disclosure Model Act
The National Association of Insurance Commissioners issued the Corporate Governance Annual Disclosure Model Act, which requires an insurer to provide the insurance commissioner with a description of its corporate governance structure; policies and procedures for the board of directors, audit committee, and management; and a description of critical risk areas. Effective Jan. 1, 2016, insurers are required to submit to the insurance commissioner no later than June 1 of each calendar year a Corporate Governance Annual Disclosure (CGAD), which must be signed by the chief executive officer or corporate secretary, attesting that the insurer has implemented the corporate governance practices described and that a copy of the filing has been presented to the board of directors. A well-defined internal audit team can greatly assist management in both fulfilling this requirement and monitoring risks prospectively.
Enterprise Risk Management and ORSA
Effective Jan. 1, 2015, the National Association of Insurance Commissioners Risk Management and Own Risk and Solvency Assessment Model Act requires individual insurers with direct written and assumed premiums greater than $500 million and insurers who are members of an insurance group with direct written and assumed premiums greater than $1 billion to maintain a risk management program and complete an Own Risk and Solvency Assessment (ORSA). A strong internal audit function is key to meeting the objectives of ORSA, which are to assess the risks associated with business plans and the sufficiency of capital to support organizational risks.
Adequately staffed internal audit teams can assist with ERM and ORSA initiatives by utilizing ERM programs when completing Section one of the ORSA report. This section comprises a summary of ERM framework principles, including corporate governance, appetite and tolerance for risk, risk monitoring and internal controls, and risk reporting. Section two requires management and internal audit to assess risk exposure in both normal and stressed environments, document the various outcomes of possible adverse scenarios, and consider the impact these stressed environments have on capital. Section three is a Group Risk Capital and Prospective Solvency Assessment, which requires the insurer to combine the qualitative elements of its ERM and the quantitative measures of risk exposure to determine the business’s capital needs in the near future. All elements of ERM that fall within the ORSA framework can be assessed, documented, and monitored very effectively by an outsourced or co-sourced internal audit team.
Cybersecurity and IT Audit
In April 2015, the Cybersecurity Task Force of the National Association of Insurance Commissioners adopted the Principles for Effective Cybersecurity Insurance Regulatory Guidance, which are intended to help state insurance departments identify uniform standards, promote accountability, and provide access to essential information. The expectation is that organizations with small or no internal audit departments will struggle with these principles, which focus testing on the safeguarding of consumer information, timely notification of those affected in the event of a breach, and insurers' planning for incident response.
Benefits of Co/Outsourcing Internal Audit Services
Co-sourcing and outsourcing an internal audit function to an independent firm can generate several benefits that often are difficult to attain using an employee-only internal audit function. For companies without the size and necessary cash flows to support an internal audit department, these services provide the ability to control and minimize employee costs while achieving risk management and operational internal audit objectives. Outsourced internal audit professionals also bring an added element of independence, benchmarking, and objectivity that can satisfy the needs of today’s board members and executive leadership.
Discuss this option with your Plante Moran relationship manager if any of the points made above apply to your organization.