It Figures Podcast: S4:E1 – Adding Value To Your Internal Audit

An internal audit should be your first line of defense in the battle against poor processes and controls. Listen in to this episode from CRI insurance partners Scott Bailey and Joe May as they discuss how to leverage the internal audit function to improve your organization’s risk management, control environment, operational efficiency, and overall strategic decision-making.

From Carr, Riggs & Ingram, this is It Figures: The CRI Podcast, an accounting, advisory and industry-focused podcast for business and organization leaders, entrepreneurs, and anyone who is looking to go beyond the status quo.

Scott Bailey:

Hello and welcome to the It Figures Podcast with CRI. My name is Scott Bailey, and I’m here today with Joe May. How are you, Joe?

Joseph May:

Doing well. How are you doing, Scott?

Scott Bailey:

I’m doing great. Thanks for asking. And our topic today, we’re here to discuss matters of internal audit and how they affect insurance companies. So before we really get into it, Joe, would you take a minute and just describe your involvement in insurance and just tell us a little bit about you?

Joseph May:

Well, that goes back quite a ways, and I even hate to mention the number, but we’ll say about 30 years in the insurance industry, starting actually with one of the big international firms and starting on the audit side. And then at one point in my career, I was working with the regulator, so I’ve been on the state regulatory side of it. We still do consulting in that space. Been with Carr, Riggs & Ingram about 16, 17 years, somewhere in that range, in the insurance line. Helped lead that line with you, of course, as one of our insurance line leaders. So we get to have the joy of working together in this space a lot. But been in and around insurance for a very long time in different aspects of it, and some of the history we’ll talk about today a little bit, I think, in this podcast.

Scott Bailey:

Fantastic, and thanks. As I said at the start, my name is Scott Bailey. I’m a partner in the Raleigh, North Carolina office, and I’m actually a former internal auditor. So I was an internal auditor for about five or six years with a couple of publicly-traded companies. So this is a topic that, to me, is pretty important, dare I say, special. And before we get into the material, Joe, one of the things for the listeners to think about as we’re going through this, you can find us on all the major social media networks. Our handle is @cricpa on pretty much all of those. And if you navigate to our website, cricpa.com, you can find some more interesting stuff. A lot of good content there, some articles. You can read about Joe and how awesome he is as well. And with that-

Joseph May:

I wrote it all myself, Scott.

Scott Bailey:

And how beautiful it is.

Joseph May:

That’s right.

Scott Bailey:

So Joe, we’re here today to talk about internal audit, and I think it’s worth mentioning how things got to where they are today. Because with some of the things we want to talk about that are insurance specific, there’s so much of this that’s tied to things that have occurred over the last basically 25 years or so. So if we take it back to 1998, 1999, that’s when the Statement on Auditing Standards ’99 was released. And this was the first time when external auditors were required to consider matters of fraud as part of the audit process.

And it was well-timed as well because not very much later, in 2000 and 2001, the American economy was hit with a raft of very, very significant matters of fraud in household names that everyone knows, these multimillion dollar, many of them billion dollar frauds that brought down some significant companies and even took an accounting firm with them, a public accounting firm. All this led to the development of the Sarbanes-Oxley Act, which passed Congress, if I recall correctly, in 2002, and required public companies to do a whole bunch of things that were somewhat new, and many of them very much related to internal audit. In fact, when I was internal audit, we lovingly referred to Sarbanes-Oxley, or SOX, as the internal audit full employment enactment.

So some of the things that this required is it required management sign-offs, that the financial statements they were releasing were accurate to the best of their knowledge, that they were unaware of matters of fraud or things like that affecting the financial statements. But there was a whole lot else in there, baked into there, Regulation 404 and Regulation 302. And this was a major booster of what the expectations and needs were from these organizations’ internal audit department.

And so since that time, in the short time afterwards, we saw a whole lot of, almost like a micro economy spring up around internal audit as companies were implementing, as companies were trying to get on board with what was required, in some cases, trying to understand what the regulations and regulators were looking for. And so there was just this very, very rapid development of internal audit basically from being mostly, for fear of simplifying it, an almost operational measure, a limited compliance role to a function that was very much embedded in these organizations from a compliance operational and, in the best cases, strategic role with these organizations.

So since then, that’s been the model for a lot of changes in a lot of industries as it relates to internal control. We’ve seen a lot of auditing standards change as a result. We’ve seen a lot of expectations for the information that companies are providing to third parties change as a result of this. So while this was happening, Joe, the NAIC was seeing what was happening with SOX and what was being implemented with a lot of these publicly-traded companies, and they weren’t just sitting by watching it happen. So what was their course of action as a follow-up to that?

Joseph May:

A great question. Almost immediately following that, what we saw is implementation of the Model Audit Rule, we all know as MAR and formally known as the Annual Financial Reporting Model Regulation. That was jointly worked on by the AICPA and the NAIC during that time period, just post that time period. Rolled out from the NAIC first in 2006, fully implemented, adopted in 2010. And the model is just what it sounds like. It’s focused on annual reporting, annual financial reporting, but has a lot of focus on internal controls, reporting of those controls and all of those sorts of things that we’ll be talking about and how internal audit department interacts with that.

It also just happened to correspond with a new process that the NAIC rolled out for examination standards for insurance department examinations. So it’s a risk-focused approach that was driven really from the genesis of all the issues, Scott, that you were talking about early on in corporate America. But the process that is even used today by insurance regulators to examine insurance companies came out of that timeframe, and it was required to be implemented through what’s called accreditation process.

So the NAIC goes out to different states, and they actually accredit those states, which means that they’re operating on a certain level, minimum level of standard. So in order to roll things out and mandate those things occur at the state level, they get accredited, and they push it through that process. So in 2010, they implemented that and required it as a part of that accreditation process. So we saw this new examination approach from the insurance departments. And if you’re an insurance company and you’ve ever been through one, it’s at least once every five years. Could be more frequently, depending on a number of things.

But it’s really a top-down approach. If you’re in a key position, internal audit department head, a CFO, CEO, certain board members, you’ve gone through an interview process early in that exam. And it’ll ask you all sorts of questions about the processes, the controls in place, how do you ensure these things happen, what reports are you looking at. All the things that we would be interested in, in looking at to make sure that we’ve got a good control structure. There’s good processes, there’s good controls, and how are you making sure that they’re working?

So that whole examination process is really designed around that model, and we’ve seen that continue to roll out as things have occurred and pushed out in later more recent years, but still the focus on processing, on controls, on governance, all of those sort of things. So those two things, Scott, is probably the biggest things that we saw that came right off the heels of SOX.

Scott Bailey:

And what would you say were the significant changes that you saw in insurance internal audit departments? Because I know we saw a really interesting development at the publicly-traded level and a very rapid increase in scope and sophistication. Did we see the same thing happen with a lot of insurance companies?

Joseph May:

We saw ramping up at that point, but really what’s happened even since then, there’s been a couple of other things I want to talk about. I don’t want to get buried in history, but I do want to talk about a couple of other things that the NAIC pushed out since that time period that’ll bring us to current. But what’s happening is more of a focus on those processes and controls. We’re seeing companies beef up internal audit departments to be able to check. It’s a great control to see if your other controls are working right.

So we’ve seen a heavy investment in that. But really right after that, we talked about MAR. One of the next things that we saw, and think about what’s happening during that time period. 2008, anything come to mind? Maybe a financial crisis. So out of that, what we saw was the NAIC focus on really acknowledging that there needed to be a way to assess the holding companies’ financial system and their impact on the insurer.

So they came out with ORSA. ORSA is Own Risk and Solvency Assessment, and that’s the report that insurance companies have to file. It really started back in November of 2011 when we saw the NAIC roll that out as a part of a Solvency Modernization Initiative. But ORSA requires insurance companies to issue their own assessment of their current and future risk through an internal self-assessment process, and it allows the regulators to inform a more enhanced view of that process. So ORSA went into effect in 2015 ultimately. It rolled out in ’11, went into effect in ’15. And really every insurance company has to file an ORSA, a summary report of that, with the regulator.

So even the model itself, ORSA model, provides the requirements for completing the report and the instructions for filing it. So we saw that happen. And right on the heels of that, now think about the internal control implementation of ORSA because you’re talking about risk assessment and your own assessment of your risk and those sort of things. Then we roll into, during that time, on the tails of that, the NAIC adopted the Corporate Governance Annual Disclosure Model Act, and we love acronyms in our space. That’s CGAD. So if you’re talking with insurance people, they’ll talk about CGAD.

Scott Bailey:

It’s alphabet soup.

Joseph May:

It really is. But that CGAD model was essentially a disclosure-only model, so no specific governance requirements necessarily in it, but it included a common assessment scoring methodology, and it scaled for companies of all sizes and structure, so it’s a very confidential document. That actually rolled out and was required for all states in 2020. So that really brings us up to current, and it was really intended so that regulators would understand the governance framework. The CGAD requirement applies to companies that are groups as well as individual companies.

So we’ve seen through the years the focus initially more on maybe financial reporting controls, on broader controls and then on the governance structure. But the one consistent thing in all of this, and even what we see happening today, is that focus on processes, controls, governance, understanding what’s happening in that space. And we’ve seen internal audit departments have to evolve quickly to be able to address the concerns and the new focus, I guess. Maybe not new focus, but the evolution of the focus, that really the genesis of it is back what you originally started the conversation with, and that SOX. So it’s been an interesting path so far.

Scott Bailey:

For sure, for sure. So it’s almost sort of like over time, the NAIC almost built its own form of SOX a little bit through these three major implementations, the MAR, ORSA and CGAD, again, for fear of getting into the alphabet soup. And I guess what we’ve also seen is that’s required insurance companies to evaluate the people, processes, systems that they have in place for supporting their internal audit departments, if I’m not too far wide of the mark, and I don’t think we are. Just because with that increase in scope and that increasing need for additional competencies, it’s forced an evolution in internal audit.

Joseph May:

I think you couldn’t have said it any better. It has, and you started going in this path. But one of the things we’ve seen obviously in the marketplace, if you haven’t noticed, it’s a tight labor market. So when we’re talking about staffing up, we’ve seen a lot of creative ways for internal audit departments and insurance companies to staff up and make sure they’ve got the expertise, they have the expertise that they need to do the work that they have to do and they need to do to keep up with this focus. But we’ve seen everything from just hybrid models, where part of the IA department is outsourced to help with staffing concerns and that sort of thing. Sometimes it’s just more economical in itself, regardless of your ability to hire, to roll out certain parts in that audit plan.

We’ve seen where the entire internal audit department was outsourced and maybe some certainly oversight in the company’s eyes, but pretty much all the work outsourced in the IA department. We’ve seen where expertise was needed, we might have one person to support a company’s internal audit department when it comes to a very specific item because of expertise. So we’ve seen a lot of different ways that companies are able to make sure that they’re meeting the needs with their internal audit department, and it’s really been all over the board with how they get there.

Scott Bailey:

And I imagine that should someone find themselves in need, this is an area where we could provide some support and provide some expertise as well. As a firm, we are involved with a lot of internal audit engagements as well as at a broader level, enterprise risk management, some of those ERM activities and things of that nature of which internal audit is a part.

Joseph May:

A whole nother area, Scott, that we didn’t even talk about because of time today, but you’re spot on. And another interesting note, the NAIC is actually meeting in Tampa right now as we speak, so I’ll be anxious. I usually try to attend as many of those as we can. I did not get to go to this particular one, but as soon as the meeting’s over, we’ll be able to get the notes and see what the latest news is and what’s going on with the NAIC. But I’m confident to say we’ll see a continued focus on the things that we’re talking about.

Scott Bailey:

So should we tell the listeners to stay tuned for a discussion from us on ERM in the future too?

Joseph May:

It would be an easy conversation because we certainly have a lot of information on it.

Scott Bailey:

Absolutely. Absolutely. Well, Joe, thanks for taking a few minutes today and chatting about internal audit and what’s going on with insurance companies. Thanks to the listeners. Thank you for tuning in. We appreciate your time. We know you have a lot of other options and things that you could be listening to, and we appreciate you choosing us. Once again, you can find us on all the major social media networks. That’s @cricpa. You can also check in with us on our website. That’s cricpa.com. Once again, thanks a lot to Joe May for being a part of this. Again, I’m Scott Bailey. Thank you for tuning in to the It Figures Podcast.

 

If you want more CRI insights or are interested in learning about our firm, please visit our website at cricpa.com. Thanks for listening to this episode of It Figures: The CRI Podcast. You can subscribe to It Figures on iTunes, Spotify, or wherever you prefer to listen to your podcasts. If you liked what you heard today, please leave us a review.
