Internal Audit Methodology of Insurance Company
Need of Risk Based Internal Audit Approach
• IIA defines Risk Based Internal Auditing (RBIA) as a methodology that links internal auditing to an organization's overall risk management framework.
• RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite.
• Strong and robust internal auditing and internal control systems are needed because of the increasing trend of fraud in the corporate sector.
• Changing stakeholder expectations and a new view of risk management are prompting an important shift in the role of internal audit in many organizations.
• Regulators have also become more vigilant about the requirement for a strong internal control system [viz., IRDAI, Clause 49 of Listing Agreement as per SEBI and Companies Act, 2013 and rules thereunder].
Advantage of Risk Based Internal Audit
• Management has identified, assessed and responded to risks above and below the risk appetite
• The responses to risks are effective but not excessive in managing inherent risks within the risk appetite
• Where residual risks are not in line with the risk appetite, action is being taken to remedy that
• Risk management processes, including the effectiveness of responses and the completion of actions, are being monitored by management to ensure they continue to operate effectively
• Risks, responses and actions are being properly classified and reported.
Audit Universe
Core Insurance Business
• New business & Underwriting
• Medical network
• Policy Servicing
• Collection operation
• Sales force (agent/broker etc.) on-boarding process, training, maintenance, termination etc.
• Marketing, Advertisement and Digital
• Commission, Incentive and rewards including payout
• Customer Grievance Management
• Contact center
• Actuarial, Reinsurance
Non-Insurance
• Contract suspense, Bank reconciliation, Suspense & transit account
• Human Resources, payroll including employee reimbursement
• Procurement
• Legal & Compliance
• Anti Money Laundering (AML)
• Project Management
• C-Sat Management
• Corporate Service (including facility management)
• Fraud Management and Reporting
IT Related area
• IT operation general controls: Access management, Role based access etc.
• System Development and Change Management
• IT Asset management including physical verification of IT Assets
Key Factors for Audit Universe
Organization objective
Expectation from internal audit
Organization structure and set-up
Geographic location of organization & Branches
Scalability of operation
Organic linkage between business process
Sufficiency to justify cost of control
Lifecycle Based Audit Methodology
Product Life cycle
• Product design, development & IRDAI Approval
• Product setup & Product Launch
• Advertisement and marketing
• Actuarial valuation (pricing, premium rate/top up etc.)
Policyholder Lifecycle
• Sourcing and point of sales (Branch/Online login)
• Policy Issuance
• Renewal/Reinsurance
• Policy Holder Servicing
• Claims/Maturity Payout
• Termination of Relationship with customer
Transaction/Servicing Lifecycle
• Sales & Distribution
• Collection
• Re-underwriting
• Servicing and Claims
• Policy closure and payout (Claims payout/Maturity payout/Surrender)
• Contract suspense and reconciliation
Lifecycle Based Audit of New Business
Application Sourcing
• De dupe and Client ID Creation
• New Business Documentation
Receipting & Data Entry
• Premium Collection
• Compliance to Policy & AML Guidelines
• Data Entry, Receipts / Approval and Cancellation
Policy Issuance
• FTR (First time right) and Policy through STP
• Underwriting
• Policy Schedule and Policy Bond Issuance
Premium recognition & Suspense Reconciliation
• Premium receipting and recognition
• Accounting and reconciliation
Printing & Dispatch of Policy Bond
• Vendor Management
• Quality check
• Proof of delivery of policy bond
Post Issuance Servicing
• Communication with Customer
• RTO handling
• Free look Cancellations and refunds
Internal Audit Methodology – Plan > Execute > Report
Finalize internal audit plan
• Finalize a risk based audit plan based on discussion with Management & Board
• Develop & communicate audit plan to management and the audit committee
Co-develop expectation
• Enhance understanding of business through discussion with key stakeholders and Risk Management
• Meet with audit committee and management to refine expectation
Prioritize risk
• Prioritize risk based on risk rating methodology and previous report rating
• Use of Non-financial Risk (NFR) parameter
• Consider governance, operating risk, compliance, & IT
• External factors, regulatory changes etc.
Design internal audit work plan
• Present audit plan to management for concurrence
• Schedule internal audits and plan resources
• Provide/arrange training to new resources on key applications
Execute internal audit plan
• Preparation of Planning Documents (RCM, data requirement etc.)
• Conduct detailed discussion and perform walkthrough to understand process, controls and risk
• Perform detailed testing and analysis and identify audit issues
• Recommend process improvements, validate results and obtain management response
Deliver results and insights
• Conduct exit meeting with process owner and management
• Issue audit executive summary and detailed report with final observations & recommendations
• Present key observations and recommendations to audit committee
Approach for Internal Audit Execution and Reporting
Phases: Pre Planning, Engagement Planning, Test of Design Effectiveness (ToD), Test of Operating Effectiveness (ToE), Reporting, Wrap-up
Planning
o Terms of Reference
o Data Requirement
o Walkthrough Schedule
o Opening Meeting with Business
Activity:
• Risk Assessment and planning (Interview, Documentation, Collection, & Analysis)
• Define audit scope and agree with business on key business specific risk, scope and timeline
Fieldwork
o Risk Control Matrix (RCM)
o Audit observation sheet
o Issue Log
o Interim Meeting
o Closing Meeting
Activity:
• Test the design and operational effectiveness of key controls using scenario based data analytics and adherence to SOP, applicable regulatory & statutory requirements
• The focus is on key risk and controls
• Discuss potential audit issues and mitigation plan
Reporting & Wrap-up
o Draft report
o Final report
o Audit committee presentation
o Audit Feedback
o Peer Review of Work paper
Activity:
• Draft report and agree with management on risk mitigation plan and due date for closure of audit issue
• Issuance of final report
• Archival & Signoff of work paper
Analytics Embedded Approach
Claim Analyzer
• Claim Profiling: by region, branch, agent, customer, premium, sum assured
• Early claim analysis: for claims received within 1 year from policy issuance
• Issuance of new policies to a customer after death, indicating potential fraud and control failure
• Policy reinstatement just before claim submission
• Change of key details like bank details, nominee change etc. just before claim submission, indicating potential fraud
In-force Analyzer
• Verify integrity of in-force files received and reconcile the PY & CY policy count w.r.t. policies issued/surrendered/claimed
• Identification of customers with low persistency
• Share of business analysis from rural & urban areas to ensure compliance to IRDAI guidelines
• Multiple client ID creation for the same individual to bypass system and risk profiling
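The Claim Analyzer red flags and the In-force Analyzer duplicate client ID test, sketched as an added example that is not part of the original deck. The record layouts, field names, the 30-day reading of "just before claim submission" and matching on normalised name plus date of birth are all assumptions, and every sample record is constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

EARLY_CLAIM_WINDOW = timedelta(days=365)  # slide: claim within 1 year of issuance
PRE_CLAIM_WINDOW = timedelta(days=30)     # assumption: "just before claim submission"

# Constructed sample records, not real data; field names are hypothetical.
CLIENTS = [
    {"client": "C1", "name": "Asha Rao", "dob": date(1970, 5, 2)},
    {"client": "C2", "name": "Ravi Kumar", "dob": date(1981, 11, 23)},
    {"client": "C3", "name": " ravi  KUMAR", "dob": date(1981, 11, 23)},
    {"client": "C4", "name": "Meera Shah", "dob": date(1965, 1, 30)},
]
POLICIES = [
    {"policy": "P1", "client": "C1", "issued": date(2020, 3, 1)},
    {"policy": "P2", "client": "C2", "issued": date(2023, 6, 1)},
    {"policy": "P3", "client": "C4", "issued": date(2019, 4, 10)},
    {"policy": "P4", "client": "C4", "issued": date(2024, 2, 20)},
]
CLAIMS = [
    {"policy": "P1", "submitted": date(2024, 5, 20), "death": date(2024, 5, 1)},
    {"policy": "P2", "submitted": date(2024, 1, 15), "death": date(2024, 1, 2)},
    {"policy": "P3", "submitted": date(2024, 3, 5), "death": date(2024, 2, 1)},
]
EVENTS = [
    {"policy": "P1", "type": "BANK_CHANGE", "date": date(2024, 5, 10)},
    {"policy": "P3", "type": "REINSTATEMENT", "date": date(2024, 2, 25)},
    {"policy": "P3", "type": "NOMINEE_CHANGE", "date": date(2021, 7, 1)},
]


def claim_red_flags(policies, claims, events):
    """Return {policy_id: sorted red-flag names} for the Claim Analyzer tests."""
    by_id = {p["policy"]: p for p in policies}
    flags = defaultdict(set)
    for c in claims:
        pol = by_id[c["policy"]]
        if c["submitted"] - pol["issued"] <= EARLY_CLAIM_WINDOW:
            flags[pol["policy"]].add("EARLY_CLAIM")
        # Any policy issued to the same client after the recorded date of death.
        for other in policies:
            if other["client"] == pol["client"] and other["issued"] > c["death"]:
                flags[other["policy"]].add("ISSUED_AFTER_DEATH")
        for e in events:
            age = c["submitted"] - e["date"]
            if e["policy"] == c["policy"] and timedelta(0) <= age <= PRE_CLAIM_WINDOW:
                kind = ("REINSTATED_BEFORE_CLAIM" if e["type"] == "REINSTATEMENT"
                        else "DETAILS_CHANGED_BEFORE_CLAIM")
                flags[e["policy"]].add(kind)
    return {pid: sorted(f) for pid, f in flags.items()}


def duplicate_client_ids(clients):
    """Group client IDs that share a normalised name and date of birth."""
    groups = defaultdict(list)
    for c in clients:
        key = (" ".join(c["name"].lower().split()), c["dob"])
        groups[key].append(c["client"])
    return [sorted(ids) for ids in groups.values() if len(ids) > 1]


if __name__ == "__main__":
    print(claim_red_flags(POLICIES, CLAIMS, EVENTS))
    print("duplicate client IDs:", duplicate_client_ids(CLIENTS))
```

Each flag is a lead for audit follow-up rather than a finding; the nominee change on P3 from 2021 falls outside the window and is deliberately not flagged.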
Internal audit RBIA and Lifecycle approach
