RMG200 Simple Steps: Avoiding Internal Audit Issues

Tuesday, April 17, 2012 2:15PM – 3:30PM

Upload: antony-chambers

Post on 12-Jan-2016




Welcome to RIMS 2012 Annual Conference & Exhibition

• Familiarize yourself with the Emergency Exits

• Silence Cell Phone/Blackberry

• Your Feedback is very important to RIMS and to the Speaker(s). Please complete the session evaluation form and return to the door Monitor. (For (IND) industry sessions, please give the completed form to the moderator of the session.)


Agenda

2:15-2:20 Introduction of Speakers (Kathy Sabia-Cahill)

2:20-2:30 What is an Internal Audit Review (Jim Bulkowski)

2:30-2:50 Eight Critical Audit Survival Steps (Jim Bulkowski)

2:50-3:15 Risk Manager Perspective (Ted Bohlman)

3:25-3:30 Closing/Questions and Answers


What is an Internal Audit Review?

Institute of Internal Auditors (IIA) definition

• Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.

• It brings a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

• Internal auditing is a catalyst for improving an organization’s effectiveness and efficiency.

• The scope of internal auditing within an organization is broad and may involve topics such as the efficacy of operations, the reliability of financial reporting, deterring and investigating fraud, safeguarding assets, and compliance with laws and regulations.

Our definition of internal audit review: “Any review of the insurance risk management department by individuals outside of that department who are engaged by senior management.”

OR, someone looking at your stuff that you did not ask for and probably don’t want and also don’t have the time for


Get to the Bottom Line

• Need to provide board-level certainty that there are no areas in insurance that could have financial statement impact

• Provide a comfort level to the audit committee and senior management that insurance is being handled appropriately

• Close control gaps, if any


Step 1: Process & Controls – a Way of Life

• Put formal processes and controls in place now

• Call in an advisor to help

• Do a self assessment

• Talk to your internal audit group

• Follow your own processes, test them periodically

• Try to keep an ongoing, regimented process in place to organize your files, so you are not scrambling the night before the audit


Step 2: Identify Scope

• Types of IA reviews

  – Traditional
    • Process and Controls
    • Targeted review of prior audit

  – Other
    • Coverage
    • Claims Administration
    • Premium spend (i.e. cost reduction)
    • Vendor procurement and usage
    • Accruals
    • Focused, post ‘red flag’ review (e.g. uninsured loss, BI claims payment delay)
    • Staffing
    • Other (that IA will pay for!)


Step 3: Preparation

• Clearly identify the scope – how will the audit be conducted

• Understand what the consultant is looking for (sometimes they don’t know)

• Provide the consultant with any existing procedural documents or process flows that you may have developed

• Organize your files and make sure everything is clearly labeled (you should not have to explain anything)


Step 3: Preparation (cont'd)

• Make sure the critical documents that are part of your process flow are provided

• Certain claim files may be privileged and confidential; discuss with your legal department what information you can provide to an external consultant

• If the consultant asks for silly things, it doesn’t mean you have to give them what they ask for, but you should communicate and try to understand their motivation

• Compensation (pay for performance – watch out)

• Format of final report and approvals / distribution


Step 4: Work Through the Process

• The consultant most likely has had experience reviewing many other risk management departments, so take advantage of their expertise

• What should we be doing differently that will make the risk management department or organization stronger?

• How are your current insurance vendors performing and how can they enhance your internal processes?

• A recommendation from the consultant could help identify a specific area where more resources (IT or human) are required to help minimize a potential risk to the organization

• Well-documented procedures will help streamline the department and improve transparency


Step 5: Work with IA/Consultant on the Report

• Aid them in the process - constant check up

• Correct any deficiencies immediately if you can

• Insist on seeing the report before it goes to the audit committee

• A technique:
  – write the report for them!

• Correct their mistakes


Step 6: Attend Closing

• “High” or critical level findings go immediately to the board, audit committee, as well as senior management

• Discussed in depth with IA, the process owner, Risk Manager, and others that have a vested interest

• Maintained as action items (with deadlines) for RM group to follow up on

• Is the basis of the action plan to close gaps

• Feel free to defend yourself – but don't be overly aggressive


Roles & Responsibilities

• 1st Line of Defense – Front, Middle & Back Office
  – Front line of risk management
  – Day-to-day risk taking and risk processing activities
  – “Eyes and ears” for client activity

• 2nd Line of Defense – Risk and Assurance
  – Advise, monitor and report on 1st line activities
  – Include Risk, Finance, Compliance, Legal, HR

• 3rd Line of Defense – Internal Audit


Sample Process and Control Flowchart

MF GLOBAL GENERAL INSURANCE PROCESS
PROCESS LEVEL 1 – INSURANCE
PROCESS LEVEL 2 – POLICY RENEWAL AND PROCUREMENT

Prepared by: Regina Piscazzi/Vanessa Ryan
Reviewed by: E&Y (Jim Bulkowski & Mark Millard)
Process Owner Review by: Ted Bohlman (10/02/08)

[Flowchart figure: Insurance Process, Start to End. The text of its process boxes, decision boxes, notes and controls is listed below.]

Process boxes

• Risk Identification & Mapping Process
• Exposure information is collected by IRM team and consolidated into underwriting presentation/application/submission
• Strategy planning done by the IRM team in conjunction with the broker to determine insurance policy needs
• Broker sends invoices to the IRM team
• The IRM team reviews the invoices and compares them to the binders provided by Willis for consistency
• Signed invoices are sent to accounting in Chicago for payment
• Payments are sent to the insurance carriers by the broker
• Insurance quotes are provided by insurers
• Upon Board acceptance of proposals, IRM team provides broker with order via email to bind coverage
• Broker Selection Process
• Insurance Policy Review to determine proposed coverage enhancements
• List of proposed coverage enhancements
• Insurance program proposals prepared by IRM team in conjunction with the broker
• Broker secures copies of binders from insurers
• Policies are issued by the insurers
• Final copies of primary policies, executive summary, and risk review are presented to the Board with key highlights presented to business management

Decision boxes

• Do the terms in the binder agree to the proposal? Yes / No: corrections sent back to the broker to amend
• Do the terms in the policy agree to the binder and proposal? Yes / No: corrections sent back to the broker to amend

Notes

• At the time of the IPO, a broker selection process was done and it was determined that Willis Group Holdings would be selected as the exclusive broker and Ira Polk, CAO, signed off on a two year deal with them. It is expected that a full broker selection process will be conducted every three to five years.
• All insurance policies are subject to an annual renewal in which case the process would start over again. (e.g. There would be a new strategy planning document)
• As part of the SLA, the broker is responsible for paying the individual insurance carriers.
• Applications are only submitted to firms that meet minimum financial standards.
• Notice of cancellation is sent from the individual carriers to MF IRM in the event a broker fails to make payments on individual policies.
• Copies of the policies are maintained on a shared drive with access restricted to certain individuals
• Last year, Beiderman, an external consulting firm was used to perform the Insurance Policy Review.

Controls (the figure marks controls IRM-1 to IRM-6 and C1 to C3)

• With respect to risks insured by insurance policies, each insurance policy is reviewed by the Insurance Risk Manager, the insurance broker and outside counsel (only with respect to the financial lines policies). A renewal strategy is presented to Willis. The results of such reviews and renewals are presented to the Global Risk Committee.
• The final renewal strategy plan is approved by the CAO and presented to the Global Risk Committee.
• IRM-3: All exposure information is collected from business units on a worldwide basis and consolidated onto an application. The Chief Administrative Officer or CFO (depending upon requirement in application) reviews and signs the application.
• Insurance program proposals are reviewed and approved by the CAO and the Board.
• Once the copies of the binders are received, the IRM in conjunction with the Broker, compares the binders to the proposals for consistency. Evidence is represented by the signature of the IRM and CAO on the invoices as these are only approved for payment if all documents agree.
• IRM team and the broker compare the policies to the binders for consistency.

Legend: Data Process Flow, Notes, Key Control, Secondary Control, Process, Database, Terminator (Start/End), On Page Reference, Decision Box, Gaps, Off Page Connector, Predefined Process, Document / Report, Stored Data


Sample Risk and Control Matrix


My Approach to the Audit

• Identify all processes & controls prior to audit

• Understand timing & scope of audit

• Keep organized, labeled files that follow documented processes

• Communicate with IA / Consultant to help them better understand process

• Be open-minded


Audit Recommendations & Resolution

• Likely going to be recommendations (no one is perfect)

• Work with IA / Consultant on language

• Understand risk rating, timing of implementation and potential resource allocation

• Escalation of issue / recommendation to senior management and Audit Committee


Sample Recommendations

• Insurance function participation in New Product Committee / M&A due diligence

• Documentation of insurance function notification within escalation procedures

• Frequency and timing of captive loss reserve calculation and reporting to finance

• Clearly documented and communicated cost allocation methodology


Questions?