Whether through regulatory pressure, for commercial gain or because of changes to working practices, there are many reasons why internal audit can benefit all insurance intermediaries.
It is important for insurance intermediaries to demonstrate to internal and external stakeholders that risk and control frameworks are robust and operate effectively. The core benefit of an independent internal audit function is its provision of assurance that these frameworks are fit for purpose and safeguard the organisation.
What exactly is internal audit?
The Institute of Internal Auditors defines the role as “to provide independent assurance that an organisation’s risk management, governance and internal control processes are operating effectively”.
Internal audit is usually an individual or team of professionals who sit outside operational management. They are primarily concerned with assessing the design and operation of risk management, governance and internal control processes and activities across an organisation.
Where are they in the organisation?
If we consider brokers / client facing and technical staff to be the first line, and compliance and risk management to be the second line in an organisation, then internal audit makes up the third line.
In its position, internal audit has the privilege of looking across both the first and second line processes to provides direct and independent reporting to independent committees (Audit and Risk Committee) or senior directors (CFO/CEO) on the board responsible for risk and control (SMF5 under the SM&CR).
Why consider an internal audit function?
Insurance intermediaries operate in a complex market, and face increasing regulatory interest and stakeholder expectations. Commercial relationships between markets, businesses and clients are built on trust and there must be confidence that firms operate effectively and that their systems protect the interests of their clients and underpin successful market operations.
We have identified three key drivers for internal audit in insurance intermediaries.
The list of regulations that affect insurance intermediaries keeps growing. IDD, SM&CR, GI Pricing Practice, Product Value Measures, Operational Resilience, and Consumer Duty are all increasing the requirements on firms’ operating models and existing compliance resource. The volume of regulation is expected to grow further with the FCA showing no sign of slowing its expectations in the short term including new focus areas around Environment and Social Governance (ESG) reporting requirements.
We have observed an increased trend for intermediary firms to verticalise their operations and establish insurance carriers. As part of the application process, these firms need to consider their sources of assurance and how they will align them to meet regulatory (FCA and PRA) requirements.
Specifically, the implementation of the SM&CR defined Risk and Internal Audit role holder requirements for ‘Enhanced firms’, where they must clearly explain and record the roles and responsibilities of these Senior Management Function (SMF 5) individuals.
Although most intermediary firms are defined as ‘Limited Scope’ or ‘Core’ firms (with reduced SM&CR requirements), the overall expectations concerning effective risk management and control processes remain. A dedicated internal audit function can benefit firms of all sizes through meeting regulator expectations within a dedicated function.
Commercial benefits and success
Building a commercially successful intermediary can be the realisation of a dream and the culmination of years of hard work. As firms grow they generate increased business volumes and values. Risk management and control processes need to keep pace to ensure consistent success and ensuring that demonstrable and effective control frameworks can also help firms be ‘ready for sale’ and provide a level of comfort for future investors and owners.
An effective internal audit function is flexible and adaptable enough to provide pragmatic and proportionate services regardless of firm size or complexity, however significant growth in revenues, transaction volumes or geographic footprint should be considered as any of these will increase the pressure on existing processes and controls and expand business operations beyond current oversight activities.
Internal audit can add value in maintaining a firm’s competitive advantage. It identifies operational inefficiencies and process improvements by reviewing their design. It makes sure controls and process align to and support efficient business operations and activities, and considers whether processes are operating effectively, consistently and as intended across the business.
Changes to operating models
Although the direct impact of the pandemic is waning, many firms are adopting decentralised and more digital ways of working, with staff and clients adopting different operating and communication models. Changes to firms’ operating models may affect the risks and controls needed to manage those new ways of working.
The greatest change has been the migration from manual (paper based) to automated (system based) processes and controls. This transition has impacted the generation and review of placement documents, communication to and from underwriters and clients, and the review and authorisation of cash management activities.
The changes to their operating models have meant many firms have benefited from cost savings and can offer enhanced services to both clients and staff. But stakeholders may still need additional assurance that these new models are operating effectively and maintaining reliable risk and control oversight.
So we’ve looked at some of the overarching reasons for the increased need for assurance. But you may be thinking that none of this applies to you. Below we’ve outlined some key trigger events that could indicate underlying control weaknesses and need for greater control in these areas:
Operational resilience – Covid provided perhaps the greatest operational resilience test. But firms are now expected to be resilient to large-scale thematic events (like other pandemics, infrastructure, environmental disasters) that impact their sectors or markets, and smaller scale or discrete-level threats (like loss of office, IT services or personnel).
Regulatory breaches – depending on your firm this could include client money breaches or conduct, reporting, product or financial promotion breaches.
Fraud or attempted fraud – inflationary pressures and cost of living increases often lead to more fraud. This could be internal or external, and from a number of sources, designed to extract money from your firm.
Complaints – more complaints can indicate that elements of your client engagement are not working as intended. They may also uncover resourcing or servicing issues, or poor training.
Errors and Omissions (E&O) claims – an E&O claim against your firm, whether successful or not, can be a challenging period and involve significant elements of management time.
Adverse delegated underwriting audits – carrier audits on delegated underwriting processes may identify thematic control weaknesses. An assurance review can help to address these issues before a carrier audit, and so improve relationships with your carriers.
Changes to risk and control oversight – as firms grow and people’s roles change, responsibility for risk and control oversight can be diluted, misunderstood or fall outside the natural skill set of business leaders.
What you should do next
The regulatory burden and expectations on solo-regulated firms are increasing. So you need to demonstrate effective and proportionate risk and control oversight and accountability across your firm.
There is no one-size-fits-all solution when establishing an internal audit function. Nor should there be. As with any specialist insurance, compliance or financial resource, it’s important to be proactive. Appoint an experienced and knowledgeable partner to navigate, assess and give their opinion on risk and control activities in your firm.
Some intermediary firms are still working out what internal audit looks like. Many already have some degree of first or second line file audits or review processes for placement procedures and activities.
PKF works with insurance intermediaries with revenues ranging from £10m to £200m to deliver ‘right-sized’ outsourced and co-sourced internal audit and assurance services. We draw on our market knowledge and experience to provide an expert team of dedicated internal audit professionals. If you would like to discuss your assurance needs and find out how PKF can help you, please contact us.
The FCA has published the findings of its Thematic Review on wind-down planning in TR 22/1 – observations on wind-down planning: liquidity, triggers and intra-group dependencies. Paul Goldwin helps you navigate the key points.