Did they sign on the line?
Insurance companies face many risks. So, their internal controls are critical – to ensure their risks are managed and their stakeholders sign off.
But ultimately, physical signatures don’t keep them safe.
form a turbulent rush that constantly shifts the list of risks they must manage. It’s burdensome for internal auditors to track all of these risks with manual controls where they must review samples, identify attributes, validate populations and test a range of other factors, completing each control assessment by validating a signature. And it’s increasingly possible that these burdensome controls could become a risk in themselves.
“When I first started doing SOX control testing, the most important thing was a signature on a page – if there wasn’t a signature, we would fail the control,” said Grant Thornton Controls Advisory Senior Manager Matt Cassidy. “Many internal and external auditors are still guilty of that limited assessment today.”
“What we’ve learned is that the real risk is that somebody didn’t review it. And we can’t just rely on a signature – we don’t know if that person actually did a proper and precise review. People need to forget about rituals that don’t really address the risks,” Cassidy said. “They need to start looking at these things with an eye to the future.”
A new perspective
To improve both the accuracy and efficiency of risk controls, many insurance companies are turning to automation.
There are now a range of technology solutions that can be tailored to form adaptable risk control solutions. These solutions can call upon a library of proven automation use cases for SOX, MAR, IA and other public and insurance company requirements.
Automated controls are more consistent than manual controls, and a layer of analytics can make them more comprehensive. Cassidy recalls that, “a few years ago, when everybody was talking about big data, people really didn’t know what to do with it. Well, this is one thing you can do with it. Just a quick example with underwriting or claims reconciliations: If auditors note a variance that’s below a threshold, like $50,000, they may not have to investigate it. But, what if they could test and trend the fact that the variance was consistently $49,000.00 each month? You could say that they’re not investigating an important part of that bank reconciliation.” Trend analysis goes beyond simple pass/fail indications, to help mitigate risks and even detect fraud. With these capabilities, internal audit departments can move beyond compliance to help inform a new perspective on risk management.
But that change of perspective can be challenging for internal audit teams. “It’s not only a change for management, but it’s a change for how internal audit works. I think people can have a hard time framing it in their minds, in terms of how risk management can actually look,” Cassidy said. To understand and achieve the potential of this change, insurance companies need a comprehensive and systematic approach.
A new approach
To start a comprehensive and systematic approach to control automation, companies need to evaluate four factors in their current controls: the control process, data, people and value.
As insurance companies look at individual controls, and across controls, they need to consider:
- How much human judgement is required in this process?
- Is this a stable process, or one that is subject to change?
Cassidy explained, “First and foremost, you look for a stable entity and a stable process. Sometimes, large insurance companies start out trying to boil the ocean, including processes that cut across operations, businesses and jurisdictions. The best thing to do is to look at a specific country or entity and then pick a process that’s stable, with stakeholders and testers who know that process inside and out.” Cassidy suggested that controls within underwriting or claims can make good candidates, where automation can substantively test certain features within a claim or an underwriting file.
Data sets the foundation for automation, so companies need to understand and consider the data sources for the controls they want to automate:
- Where is the data – how is it stored, and who owns it?
- What does it look like – is it structured or unstructured, and what processing might be required?
Data is a central topic in many of today’s enterprise initiatives. “When auditors are meeting about an ERP implementation or data strategy, that’s a very good place to start the conversation about clean sources for data. Then, there’s still work to be done on data access, data cleansing and data prep.” Cassidy said that, apart from choosing the right process, data preparation is the biggest struggle that clients face. “It’s probably where we spend more than 50 percent of our time when we’re automating controls –making sure that the data is clean and it’s repeatable every time we run a control test.”
Multi-national companies also need to be aware of various restrictions, as Cassidy recalled a client in Europe that could not automate controls because its data could not leave the country, due to various EU and country-specific regulations.
The owners and stakeholders for a control are the ultimate enablers for automation. Be sure to ask:
- Who currently tests this control, or this group of controls?
- Who is sponsoring the effort to automate this control, or this group of controls?
The reality is that personal expertise and sponsorship often plays an important role in compliance and risk management. An organization’s institutional knowledge might help bridge process gaps, provide a sounding board for ideas and otherwise ensure that compliance is achieved and risks are managed. But, that means compliance and risk management have an uncertain dependency. “One thing we are seeing in insurance is that it’s hard to keep internal auditors engaged long-term,” Cassidy said. “Automation can help in two ways: First, it lets auditors shift to a more engaging role as business advisor rather than just enforcers. Second, it captures institutional knowledge so that it isn’t lost, or the testing doesn’t stop the second someone leaves. The documentation we build for automation is also a great tool to retain process-specific knowledge for the organization.”
Successful automation initiatives require a team of invested people and executive support. “You can’t just tackle this alone, and figure it out on nights and weekends. You have to have a dedicated team with sponsorship,” Cassidy said. Sponsorship and funding for control automation efforts can come both from control owners, and from larger enterprise initiatives that have a shared goal in standardizing data and driving efficiency.
Apply the four factors
The real fuel to power your control automation initiative is the potential value of your results. You need to be able to show:
- How and where does this reduce risk for the enterprise?
- What will this save us – time, money or other resources?
“It’s a reduction in the time and cost for a higher compliance, but it’s also taking your existing staff and giving them the tools that they need to get insight into the business and deliver value,” Cassidy said. “That usually aligns with the corporate strategy.”
It’s important to demonstrate some value early in the automation initiative. “You’ll want to take this in bite-size chunks and really evaluate what value means to the organization on the front end. Sponsors are going to want some quick wins, and quick ROI – because it may not always be an easy journey, for an internal audit department, an operations department, IT or whoever’s taking it on,” Cassidy said. Integrated risk management can be one source of value, but third-line internal audit teams must collaborate with second-line compliance and legal teams to achieve that integration. “We’ve seen management become the biggest champions of this when they can actually see the value or the potential starting to appear in the first and second lines, not just from internal audit,” Cassidy said.
By evaluating the process, data, people and value behind your current controls, you complete an approach that feeds into an evaluation and plan:
Evaluate and rank all of your controls for automation, based on our four factors:
- Control test process
Assign each control (and its associated process) to one of four categories:
- Automation ready
- Partial Automation (might need to change to achieve automation)
- Change needed (will need change for automation)
- Parking lot (significant judgement is required, or there would be little value from automation)
The biggest risk is nothing at all
Develop a plan that contains four elements:
- Proposed automation per control
- Timing of automation
- Potential value
- Final cost per automation
Long-term planning is critical to help ensure that you avoid the biggest risk of control automation.
“The biggest, most common risk is building something that doesn’t yield any value and that nobody’s going to use,” Cassidy said. “If you don’t evaluate and plan this properly and get buy-in from your external auditor and management, it could just be another tool that sits there and nobody uses.”
“The most common reason we’re seeing people not buy into this is that they’re not really looking toward the future of our profession. They’re letting old habits and rituals dictate where they think they need to be compliant.”
Traditional risk managers and internal auditors can be hesitant to change, especially if technology streamlines part of their job. “Their jobs are going to change. The internal audit and risk management profession is going to go through lots of changes over the next ten years. But if they can understand the possibilities and get ahead of the change, then they shouldn’t be scared at all,” Cassidy said.
Senior Manager, Controls Advisory
+1 215 814 4073