Skip to main content
The Actuary: The magazine of the Institute and Faculty of Actuaries - return to the homepage Logo of The Actuary website
  • Search
  • Visit The Actuary Magazine on Facebook
  • Visit The Actuary Magazine on LinkedIn
  • Visit @TheActuaryMag on Twitter
Visit the website of the Institute and Faculty of Actuaries Logo of the Institute and Faculty of Actuaries

Main navigation

  • News
  • Features
    • General Features
    • Interviews
    • Students
    • Opinion
  • Topics
  • Knowledge
    • Business Skills
    • Careers
    • Events
    • Predictions by The Actuary
    • Whitepapers
    • Moody's - Climate Risk Insurers series
    • Webinars
    • Podcasts
  • Jobs
  • IFoA
    • CEO Comment
    • IFoA News
    • People & Social News
    • President Comment
  • Archive
Quick links:
  • Home
  • The Actuary Issues
  • February 2016
02

An inside job

Open-access content Tuesday 2nd February 2016 — updated 5.50pm, Wednesday 29th April 2020

Andy Cox goes inside an internal audit department and is surprised by what he finds – a job and some tips on dealing with your internal auditor

2


I'd always been curious about how best to deal with that inevitable visit from the internal audit (IA) department. My curiosity led to some conversations with those 'on the inside' to understand what they do, and how they do it. Before I knew it I'd been persuaded that the best way to find out about IA was to get a job there.

I knew IA was known as the 'third line of defence' and usually provided an independent view to the board on how well risks within an organisation were controlled. I joined the department with little audit experience, but armed with varied actuarial expertise in pricing and financial reporting in the life industry.

I found some things surprising about how a modern IA department works. Reflecting on what I've learned has also made me realise that understanding how an IA function works can be very useful to those being audited.

Figure 1


It's not just about audits

Previously, I hadn't given much thought as to why, for example, my with-profits reporting team, or protection pricing area had or had not been picked for audit - perhaps some diabolical dice game or a more mundane three-year cycle? It was interesting to see how much work goes into deciding what to audit, rather than just executing audits.

Figure 1 shows a typical framework for the work of an IA department. A typical IA department will be continually assessing the risks involved in the business to formulate the next period's plan, as well as tweaking the current plan of audits. Gone are the days when departments waited for their turn to be audited on a predictable three-year cycle. Instead there's a risk-based audit cycle that is more attuned to the current worries and concerns of both non-execs and senior execs.

Most IA departments will now keep in touch with what's going on in the business through a series of regular liaison meetings, engaging with the various levels of management in an organisation. Good liaison should also be a two-way experience. IA finds out about the latest activities but keeps the business informed about the IA department's audit plans and concerns.

IA recognises that all business areas go through challenging periods. Where businesses have clearly flagged problems through the governance framework and have put plans in place to address them, IA will generally give them time to put actions in place before a visit to confirm that resolution is well under way.

After the audit work is complete, it's essential to track issues and actions. In the Prudential Regulation Authority's recent censoring of the Co-operative Bank, they noted that, at times, more than 30% of IA actions were outstanding. Robust incisive audit reports are worth little if their recommendations aren't actioned. Although business areas are responsible for carrying out actions, IA needs to play its part in explaining, tracking, prompting and escalating outstanding issues.

Figure 2

Someone audits the auditor

As an independent team, IA can appear to be an unaccountable function. However, this is far from the truth. In addition to a regular grilling from the audit committee, IA professional bodies require that IA functions have a formal internal quality assurance process. Regulators are now increasingly subjecting IA departments themselves to external quality assurance exercises. Many regulators see the quality of IA and its involvement in the business as good barometers of the risk management culture in the wider organisation.

Good IA departments are seeking feedback on their audit experience from business areas. Although glowing feedback from an audit with significant findings might be optimistic, good feedback on understanding the business, communication, professionalism and level of challenge should be the aim.

In my previous roles, I'd been subjected to a number of audits but really hadn't been aware of the methodology behind them. It now strikes me that this would have been useful both to make the audit more efficient and to avoid being surprised.

IA functions' methodologies will of course all vary at a detailed level. However, most will have similar steps to those shown in the sample internal audit methodology in Figure 2. The IA will usually kick off with a few weeks' planning, where it will aim to agree the timescales, processes and people involved in the audit. At the end of the planning phase there should also be agreement of the scope and risks being assessed.

The reporting part of the process is usually the more familiar part of the methodology to auditees, particularly if auditors follow the good practice of involving auditees in drafting the reports. A balance does of course need to be struck between taking feedback on board and standing firm on findings.

IA functions are increasingly employing experts from other fields. Gone are the days when your average IA function comprised only career auditors with accountancy qualifications. This more traditional career profile is of course still very valuable, but most life office functions have supplemented their skill sets by employing professionals from the worlds of IT, change, investments and actuarial. There are a number of different operating models to using such experts, but I think deploying mixed audit teams is most powerful.

That way, career auditors can support those less experienced in the audit world, and business experts can support experienced auditors in understanding the business. Many life office functions will also employ external consultants on an ad-hoc basis, where they need to fill skill gaps in more specialist, less frequently used expert areas.

A number of IA functions are also using actuaries to build their capabilities in analysing data during audits to provide more in-depth insight. Actuaries have also proved useful in considering the hot topic of model risk.

I did think that nobody in their right mind would voluntarily open their door to an IA.
I was, however, wrong. I've seen senior managers with 'near misses' request IA to come in to investigate further. I've also seen some business areas that want to use IA to gain assurance that their house is in order in advance of a regulatory visit.

Actuarial skills are useful

It was fairly obvious to me that my actuarial skills would be useful in auditing actuarial areas. Non-actuarial auditors can of course do a very good job in auditing these areas, but having the technical knowledge can give that edge. But I hadn't realised that the wide knowledge and naturally inquisitive nature of actuaries can be a real asset to an IA department. Having a good grasp of risk management and risk-based capital can also make the actuary useful in the yearly planning process to decide what to audit.

Internal audit can also be outspoken, commercial, topical and interesting - so what's not to like? Effective IA functions get involved in the most current company change and activity right across the organisation. Best practice also means IA usually reports in to the chief executive. Both of these factors can mean it gives independent views on the risks that might hamper the organisation in meeting its goals in the areas subject to the fastest change.

IA can also call out the risks others might hold back on. It does, of course, need to do this in a constructive, acceptable way. All of this makes for a fascinating job for an actuary - for short or longer periods.

Top tips for your internal audit

  • Understand your organisation's IA framework
  • Gather documents together which describe your responsibilities and processes
  • Remind yourself of your area's risks and how you're controlling them
  • Invest time in the audit process - particularly if you are disputing findings
  • If you're in a position to do so, invest time outside audits to liaise with IA contacts
  • Particularly as an actuary, consider how you've justified and documented judgments.

Andy Cox is an audit manager in internal audit at Legal & General Group.
This article appeared in our February 2016 issue of The Actuary.
Click here to view this issue
Filed in
02
Topics
Life insurance

You might also like...

Share
  • Twitter
  • Facebook
  • Linked in
  • Mail
  • Print

Latest Jobs

Catastrophe Modelling Analyst - London Market Broker

London, England
£40000 - £50000 per annum
Reference
145925

Senior Catastrophe Analyst

England, London
£65000 - £75000 per annum
Reference
145924

Life Actuary - Financial Reporting - Day Rate contract

Negotiable
Reference
145923
See all jobs »
 
 

Today's top reads

 
 

Sign up to our newsletter

News, jobs and updates

Sign up

Subscribe to The Actuary

Receive the print edition straight to your door

Subscribe
Spread-iPad-slantB-june.png

Topics

  • Data Science
  • Investment
  • Risk & ERM
  • Pensions
  • Environment
  • Soft skills
  • General Insurance
  • Regulation Standards
  • Health care
  • Technology
  • Reinsurance
  • Global
  • Life insurance
​
FOLLOW US
The Actuary on LinkedIn
@TheActuaryMag on Twitter
Facebook: The Actuary Magazine
CONTACT US
The Actuary
Tel: (+44) 020 7880 6200
​

IFoA

About IFoA
Become an actuary
IFoA Events
About membership

Information

Privacy Policy
Terms & Conditions
Cookie Policy
Think Green

Get in touch

Contact us
Advertise with us
Subscribe to The Actuary Magazine
Contribute

The Actuary Jobs

Actuarial job search
Pensions jobs
General insurance jobs
Solvency II jobs

© 2023 The Actuary. The Actuary is published on behalf of the Institute and Faculty of Actuaries by Redactive Publishing Limited. All rights reserved. Reproduction of any part is not allowed without written permission.

Redactive Media Group Ltd, 71-75 Shelton Street, London WC2H 9JQ