RMG200 Simple Steps: Avoiding Internal Audit Issues

RMG200 Simple Steps: Avoiding Internal Audit Issues. WELCOME. Tuesday, April 17, 2012 2:15PM – 3:30PM. Welcome to RIMS 2012 Annual Conference & Exhibition. Familiarize yourself with the Emergency Exits. Silence Cell Phone/Blackberry.

Presentation Transcript


  1. RMG200 Simple Steps: Avoiding Internal Audit Issues • WELCOME • Tuesday, April 17, 2012 2:15PM – 3:30PM

  2. Welcome to RIMS 2012 Annual Conference & Exhibition • Familiarize yourself with the Emergency Exits • Silence Cell Phone/Blackberry • Your Feedback is very important to RIMS and to the Speaker(s). Please complete the session evaluation form and return to the door Monitor. (For (IND) industry sessions, please give the completed form to the moderator of the session.)

  3. RMG200 Simple Steps: Avoiding Internal Audit Issues • Speakers: • Ted Bohlman, Insurance Risk Manager, MF Global • James Bulkowski, Senior Manager, Ernst & Young • Kathy Sabia-Cahill, Moderator, Ernst & Young

  4. Agenda

  5. Don’t Let This Be You! • Fictional: • Smug • No processes/controls at all • Territorial • Blame the brokers • Fight the engagement • Discredit the consultant • Hold back/hide information

  6. What is an Internal Audit Review? Institute of Internal Auditors (IIA) definition • Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. • It brings a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. • Internal auditing is a catalyst for improving an organization’s effectiveness and efficiency. • The scope of internal auditing within an organization is broad and may involve topics such as the efficacy of operations, the reliability of financial reporting, deterring and investigating fraud, safeguarding assets, and compliance with laws and regulations. • Our definition of internal audit review: “Any review of the insurance risk management department by individuals outside of that department who are engaged by senior management.” • OR, someone looking at your stuff that you did not ask for and probably don’t want and also don’t have the time for

  7. Get to the Bottom Line • Need to provide board-level certainty that there are no areas in insurance that could have financial statement impact • Provide a comfort level to the audit committee and senior management that insurance is being handled appropriately • Close control gaps, if any

  8. Outline of Terms and Concepts • COSO • Process • Control • Granular risks • Walkthrough • Testing • Gaps

  9. Step 1 Process & Controls – a Way of Life • Put formal processes and controls in place now • Call in an advisor to help • Do a self-assessment • Talk to your internal audit group • Follow your own processes, test them periodically • Try to keep an ongoing, regimented process in place to organize your files, so you are not scrambling the night before the audit

  10. Step 2 Identify Scope • Types of IA reviews • Traditional • Process and Controls • Targeted review of prior audit • Other • Coverage • Claims Administration • Premium spend (i.e. cost reduction) • Vendor procurement and usage • Accruals • Focused, post ‘red flag’ review (e.g. uninsured loss, BI claims payment delay) • Staffing • Other (that IA will pay for!)

  11. Step 3 Preparation • Clearly identify the scope – how will the audit be conducted • Understand what the consultant is looking for (sometimes they don’t know) • Provide the consultant with any existing procedural documents or process flows that you may have developed • Organize your files and make sure everything is clearly labeled (you should not have to explain anything)

  12. Step 3 Cont’d Preparation • Make sure the critical documents that are part of your process flow are provided • Certain claim files may be privileged and confidential; discuss with your legal department what information you can provide to an external consultant • If the consultant asks for silly things, it doesn’t mean you have to give them what they ask for, but you should communicate and try to understand their motivation • Compensation (pay for performance – watch out) • Format of final report and approvals / distribution

  13. Step 4 Work Through the Process • The consultant most likely has had experience reviewing many other risk management departments, so take advantage of their expertise • What should we be doing differently that will make the risk management department or organization stronger? • How are your current insurance vendors performing and how can they enhance your internal processes? • A recommendation from the consultant could help identify a specific area where more resources (IT or human) are required to help minimize a potential risk to the organization • Well-documented procedures will help streamline the department and improve transparency

  14. Step 5 Work with IA/Consultant on the Report • Aid them in the process - constant check up • Correct any deficiencies immediately if you can • Insist on seeing the report before it goes to the audit committee • A technique: • write the report for them! • Correct their mistakes

  15. Step 6 Attend Closing • “High” or critical level findings go immediately to the board, audit committee, as well as senior management • Discussed in depth with IA, the process owner, Risk Manager, and others that have a vested interest • Maintained as action items (with deadlines) for RM group to follow up on • Is the basis of the action plan to close gaps • Feel free to defend yourself – but not overly aggressively

  16. Step 7 Follow Through on Action Items • Craft a plan to fix discrepancies • Stick to the plan! • Ask for more resources (staff, $, etc. if needed) • Try to weave in a project

  17. Step 8 (ish) What Not To Do • Fight the process • Come across to management as defensive or having something to hide • “Blow off” the process

  18. Case Study – MF Global Insurance Risk Management Department

  19. Agenda • The Enterprise Risk Management Framework & Role of Internal Audit • Internal Audit Approach • Insurance Processes & Controls • My Approach to an Audit

  20. Enterprise Risk Management Framework • ERM Framework • Risk Appetite • Risk Tolerances • Delegations of Authority and Risk Limits • Risk policies and procedures • Risk Management Process • Identification, Assessment, Mitigation, Monitoring, Reporting • Internal Audit and Independent Assurance

  21. Roles & Responsibilities • 1st Line of Defense – Front, Middle & Back Office • Front line of risk management • Day-to-day risk taking and risk processing activities • “Eyes and ears” for client activity • 2nd Line of Defense – Risk and Assurance • Advise, monitor and report on 1st line activities • Include Risk, Finance, Compliance, Legal, HR • 3rd Line of Defense – Internal Audit

  22. Risk Assessment • Qualitative & Quantitative • “Heat maps” to Assess Inherent & Residual risks • Likelihood & Impact • Common Risk Rating Scale

  23. Internal Audit Approach • Internal Audit Department vs. Consultant • Frequency of audit • Identification of issues and sharing of information with other assurance functions • Scope of audit • Common risk rating across all assurance functions

  24. Types of Insurance Processes • Risk Identification and quantification • Insurance Procurement • Captive Management • Claims Management • Broker Selection • Cost allocation / Transfer Pricing • Mergers & Acquisitions • Safety and Loss Control

  25. Sample Process and Control Flowchart

  26. Sample Risk and Control Matrix

  27. My Approach to the Audit • Identify all processes & controls prior to audit • Understand timing & scope of audit • Keep organized, labeled files that follow documented processes • Communicate with IA / Consultant to help them better understand process • Be open-minded

  28. Audit Recommendations & Resolution • Likely going to be recommendations (no one is perfect) • Work with IA / Consultant on language • Understand risk rating, timing of implementation and potential resource allocation • Escalation of issue / recommendation to senior management and Audit Committee

  29. Sample Recommendations • Insurance function participation in New Product Committee / M&A due diligence • Documentation of insurance function notification within escalation procedures • Frequency and timing of captive loss reserve calculation and reporting to finance • Clearly documented and communicated cost allocation methodology

  30. Questions?
