Andy Cox goes inside an internal audit department and is surprised by what he finds: a job and some tips on dealing with your internal auditor
I knew IA was known as the 'third line of defence' and usually provided an independent view to the board on how well risks within an organisation were controlled. I joined the department with little audit experience, but armed with varied actuarial expertise in pricing and financial reporting in the life industry.
I found some things surprising about how a modern IA department works. Reflecting on what I've learned has also made me realise that understanding how an IA function works can be very useful to those being audited.
It's not just about audits
Previously, I hadn't given much thought as to why, for example, my with-profits reporting team, or protection pricing area had or had not been picked for audit - perhaps some diabolical dice game or a more mundane three-year cycle? It was interesting to see how much work goes into deciding what to audit, rather than just executing audits.
Figure 1 shows a typical framework for the work of an IA department. A typical IA department will be continually assessing the risks involved in the business to formulate the next period's plan, as well as tweaking the current plan of audits. Gone are the days when departments waited for their turn to be audited on a predictable three-year cycle. Instead there's a risk-based audit cycle that is more attuned to the current worries and concerns of both non-execs and senior execs.
Most IA departments will now keep in touch with what's going on in the business through a series of regular liaison meetings, engaging with the various levels of management in an organisation. Good liaison should also be a two-way experience. IA finds out about the latest activities but keeps the business informed about the IA department's audit plans and concerns.
IA recognises that all business areas go through challenging periods. Where businesses have clearly flagged problems through the governance framework and have put plans in place to address them, IA will generally give them time to put actions in place before a visit to confirm that resolution is well under way.
After the audit work is complete, it's essential to track issues and actions. In the Prudential Regulation Authority's recent censure of the Co-operative Bank, it noted that, at times, more than 30% of IA actions were outstanding. Robust, incisive audit reports are worth little if their recommendations aren't actioned. Although business areas are responsible for carrying out actions, IA needs to play its part in explaining, tracking, prompting and escalating outstanding issues.
Someone audits the auditor
As an independent team, IA can appear to be an unaccountable function. However, this is far from the truth. In addition to a regular grilling from the audit committee, IA professional bodies require that IA functions have a formal internal quality assurance process. Regulators are now increasingly subjecting IA departments themselves to external quality assurance exercises. Many regulators see the quality of IA and its involvement in the business as good barometers of the risk management culture in the wider organisation.
Good IA departments are seeking feedback on their audit experience from business areas. Although glowing feedback from an audit with significant findings might be optimistic, good feedback on understanding the business, communication, professionalism and level of challenge should be the aim.
In my previous roles, I'd been subjected to a number of audits but really hadn't been aware of the methodology behind them. It now strikes me that this would have been useful both to make the audit more efficient and to avoid being surprised.
IA functions' methodologies will of course all vary at a detailed level. However, most will have similar steps to those shown in the sample internal audit methodology in Figure 2. The IA will usually kick off with a few weeks' planning, where it will aim to agree the timescales, processes and people involved in the audit. At the end of the planning phase there should also be agreement of the scope and risks being assessed.
The reporting part of the process is usually the more familiar part of the methodology to auditees, particularly if auditors follow the good practice of involving auditees in drafting the reports. A balance does of course need to be struck between taking feedback on board and standing firm on findings.
IA functions are increasingly employing experts from other fields. Gone are the days when your average IA function comprised only career auditors with accountancy qualifications. This more traditional career profile is of course still very valuable, but most life office functions have supplemented their skill sets by employing professionals from the worlds of IT, change, investments and actuarial. There are a number of different operating models for using such experts, but I think deploying mixed audit teams is most powerful.
That way, career auditors can support those less experienced in the audit world, and business experts can support experienced auditors in understanding the business. Many life office functions will also employ external consultants on an ad-hoc basis, where they need to fill skill gaps in more specialist, less frequently used expert areas.
A number of IA functions are also using actuaries to build their capabilities in analysing data during audits to provide more in-depth insight. Actuaries have also proved useful in considering the hot topic of model risk.
I did think that nobody in their right mind would voluntarily open their door to an IA.
I was, however, wrong. I've seen senior managers with 'near misses' request IA to come in to investigate further. I've also seen some business areas that want to use IA to gain assurance that their house is in order in advance of a regulatory visit.
Actuarial skills are useful
It was fairly obvious to me that my actuarial skills would be useful in auditing actuarial areas. Non-actuarial auditors can of course do a very good job in auditing these areas, but having the technical knowledge can give that edge. But I hadn't realised that the wide knowledge and naturally inquisitive nature of actuaries can be a real asset to an IA department. Having a good grasp of risk management and risk-based capital can also make the actuary useful in the yearly planning process to decide what to audit.
Internal audit can also be outspoken, commercial, topical and interesting - so what's not to like? Effective IA functions get involved in the most current company change and activity right across the organisation. Best practice also means IA usually reports in to the chief executive. Both of these factors can mean it gives independent views on the risks that might hamper the organisation in meeting its goals in the areas subject to the fastest change.
IA can also call out the risks others might hold back on. It does, of course, need to do this in a constructive, acceptable way. All of this makes for a fascinating job for an actuary - for short or longer periods.
Top tips for your internal audit
- Understand your organisation's IA framework
- Gather documents together which describe your responsibilities and processes
- Remind yourself of your area's risks and how you're controlling them
- Invest time in the audit process - particularly if you are disputing findings
- If you're in a position to do so, invest time outside audits to liaise with IA contacts
- Particularly as an actuary, consider how you've justified and documented judgments.