RISCS CWC’s Malcolm Cutts-Watson and Jo Honigmann look at why internal audit might have been neglected by the captive community up until now, and why this has to change if captive boards want to remain on the good side of regulators and shareholders.
The announcement “I’m from internal audit and I’m here to help” often fills captive managers or in-house management with dread.
But the role of internal audit, the third line of defence in the most common risk management model, adopted by most businesses including captives, is often misunderstood and, in some cases, misrepresented.
This has led to an attitude of sweeping under the carpet any discussion that raises the subject or suggests the internal audit function could be improved – or even introduced.
To go back to basics, internal audit is the third line of defence behind the first two lines (operated by management) and provides independent assurance of risk through a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes.
When horizon scanning, captive boards will have noticed a growing attention to the role of internal audit by internal and external stakeholders given recent high-profile failures in governance and risk management.
The Solvency II Directive recognises internal audit as one of the four key control functions and requires the establishment of an internal audit policy/charter, allocation of sufficient resources, adoption of procedures commensurate with the nature of the risks, reporting to the board at least annually and creation of an internal audit plan.
Outside the Solvency II ecosystem, regulators have acknowledged the role of internal audit. For example, the Guernsey Financial Services Commission’s Code of Corporate Governance for Licensed Insurers contains a principle that an insurer is required to have, or have access to, an appropriate and effective internal audit function capable of providing the board with independent assurance in respect of the insurer’s governance, including risk management and internal controls.
So why, within the captive community, is internal audit the poor relation compared to the first two lines of defence? We think there are a number of reasons for this:
- Low priority: An assessment by the parent company of the risks posed by a captive may rank well below other group risks and so an internal audit of the captive may receive a low priority.
- Narrow focus: While many parent companies of captives will operate an internal audit function, it will primarily be applied to the core risks of the parent, which typically will not include risk financing/(re)insurance.
- Lack of regulatory experience: In many cases, the parent’s business is unregulated so the regulatory framework in which a captive operates creates a further challenge.
- Lack of resources: Captive managers typically do not have the resources to establish an independent internal audit function. Some global captive managers claim their group’s internal audit resource inspects domicile operations, but the results of such reviews are often not visible to captive boards and such internal audits focus on the manager’s risk management framework and not the captives under management. So, if a captive has adopted any policies, procedures and internal controls that are different to those operated by the captive manager, then there is potential for lack of scrutiny.
- Lack of understanding: It should be remembered that internal audit acts as the third line of defence and provides independent risk assurance. There is a tendency for captive managers and boards to confuse this function with that of the second line of overseeing risk, risk control and compliance. This can lead to conflicts and an ineffective risk management model with the captive manager (or in-house management) wearing two or more hats.
Setting up an internal audit
So how can a captive board put in place an effective – and cost efficient – internal audit function? As discussed previously, most parent company internal auditors are reluctant to take on an inspection of the captive.
Captive managers are unable to offer internal audit services to their clients; even if they were willing, staff would be conflicted. Internal audit services can be outsourced to an accounting firm not engaged to perform the external audit of the parent.
The risk here is that a rigid audit programme may be implemented but not necessarily aligned with the needs of the captive board and, while the accounting staff may have experience in auditing captives, their knowledge as insurance management practitioners is limited and so their value is reduced.
As an independent captive consulting business not aligned to any particular captive manager, we offer independent, objective assurance to our clients.
Many of our team of highly experienced consultants have spent a lifetime in insurance management with deep knowledge of the captive model.
We also offer a ‘pay and play’ engagement model so cost is predictable and controlled. Captive boards can appoint us as internal auditor for a specific exercise, an assessment of the top risks to be reviewed as determined by the board or an ongoing programme of internal audit.
Please contact any of our risk assurance specialists – Malcolm Cutts-Watson, Jo Honigmann, Dominic Wheatley, Graham Powell, Kevin Poole, James Portelli, David Rose-Innes and Paul Wakefield – for more information about this offering.
We can provide testimonials from satisfied clients.
In conclusion, it is somewhat ironic that in the captive world, which seeks to mitigate risk in the most cost-efficient way, an internal audit of risk to provide assurance to the captive board has traditionally been given such a low priority.
Given that the old laissez-faire approach is now coming under greater scrutiny and challenge, captive boards need to respond urgently by putting in place an effective internal audit function or be prepared to face regulatory and shareholder criticism.