What internal audit should look like in the captive insurance sector

Over the past year, a number of our clients have been subjected to routine inspections by the Cayman Islands Monetary Authority (CIMA). A recurring theme within the findings is the need for the captive insurance company to incorporate an internal audit function into their corporate governance framework. This is particularly the case for B(iii) insurers.

While many insurance managers, especially those with links to the major insurance broking firms, are subject to internal audit from their group perspective, we do not see the internal audit function getting involved in the operations of the insurance managers’ clients. Accordingly, on establishing their own internal audit function, captive insurers need to start from scratch.

The fundamental question is the internal audit function’s role. The Chartered Institute of Internal Auditors in the UK has some useful guidance: it states that “the role of internal audit is to provide independent assurance that an organisation’s risk management, governance and internal control processes are operating effectively.”

To be able to provide independent assurance, it is necessary for there to be no restrictions on the scope of the internal audit function. Accordingly, there is no aspect of the captive insurance company’s operations which internal audit is restricted from looking at as it delivers on its mandate.

Internal audit’s role is not to second guess the decisions made by the senior management team, including the board of directors—rather, its scope should be to consider the appropriateness of information presented as part of the decision-making process.

The three lines of defence

The “three lines of defence” model was developed by the US Institute of Internal Auditors and is commonly used within risk management. It is a risk governance framework that splits responsibility for operational risk management across three distinct areas: (i) management and control; (ii) compliance and risk management; and (iii) oversight of the operation of the first two lines of defence, a role which is often undertaken by internal audit.

In the context of a captive insurer, the three lines of defence model may be viewed as shown in Figure 1.

Figure 1: The three lines of defence model

In the model, the first line of defence are the operational policies and procedures that the captive has put in place and their operation by management. The second line of defence is the role played by senior management in reviewing the work performed by staff operating in the first line. The internal audit function should act as the third “line of defence” in the risk management and governance framework.

However, most of our clients do not have a formal third line of defence, and oversight is assumed directly by the board or, for the operation of the financial controls, inappropriately outsourced to the external auditors—whose remit is to report on the financial statements and not to formally assess the design and operation of the captive insurer’s system of internal control.

Effectiveness and independence

To be effective, the internal audit function needs to be independent. In the Cayman Islands, captive insurers tend to delegate most of the operational management functions to the insurance manager; this often includes the oversight of third-party suppliers who operate under outsourced contract arrangements.

In the case of internal audit, it is not appropriate for the insurance manager to manage or oversee the internal audit relationship. This is because the scope of most of the reviews carried out by the internal audit function will normally consider the effective operation of the control processes operated by the insurance manager and, should there be any adverse findings, there is scope for there to be conflicts of interest.

Internal audit should therefore be engaged by the sponsoring company, and it should be responsible to the audit committee or, in the absence of this, the full board. The internal auditor’s direct line of reporting should be to the chair of the board of directors, and the holder of the internal audit position should have the experience, authority, and standing to challenge senior management and engage in high level discussions about risk issues, and the risk mitigation strategies that have been put in place.

Internal audit should have the right to attend and observe all or part of executive committee meetings and any other key management decision making fora. This enables them to understand better the strategy of the business, key business issues and decisions and, where appropriate, to adjust internal audit priorities. It also facilitates a better working relationship with executive committee members.

The operations of simple captive insurers are generally not complex, however, the risks they manage may be and the primary responsibility for managing these will often rest with the sponsoring company. Accordingly, in considering the risk insured by the captive, it will be necessary for the internal audit to understand the risk management strategies being adopted by the sponsor.

For example, in the case of a health insurer, there may be an increased incidence of high value claims which impact the captive. In these circumstances, it is the health system that will introduce mitigation strategies to address the claim performance, but the captive will indirectly benefit because of these.

Accordingly, the internal auditor will need to be au fait with the risk management practices at the sponsor. In view of this, captive insurers should consider whether it is appropriate to extend the remit of the sponsoring organisation’s internal audit function to cover the captive or whether some other solution, perhaps an outsourced arrangement, is more appropriate.

The scope of internal audit

In setting its scope, internal audit should independently assess what it believes the key risks within the organisation to be, and whether these have been appropriately addressed by senior management. The risk assessment process should include emerging and systemic risks.

Internal audit coverage, and the related Internal audit plans, should be approved by the board. Plans should be flexible to deal with unplanned events to allow internal audit to prioritise emerging risks. Changes to the audit plan should be considered in light of internal audit’s ongoing assessment of risk.

In this respect, all captive insurers are required to have put in place a formal risk assessment. These are often boilerplate in nature and have not been changed to cater for emerging risks. In March 2020, the world was immobilised by the COVID-19 pandemic, and this introduced a myriad of new risks for sponsoring companies, many of which directly impact on their captives. Despite this, our experience is that very few risks assessments explicitly address the new risks.

We would expect internal audit to have considered COVID-19 as an emerging risk and to have reported to the Board where the new risks associated with this have not been fully and adequately assessed within the captive.

In setting its scope, internal audit should form its own judgement on how best to segment the audit universe given the structure and risk profile of the captive insurer.

Internal audit planning

In setting out its priorities and deciding where to carry its work, internal audit should focus on the areas where it considers risks to be higher. In the case of a captive insurer, the nature of the operations and its structure will define the scope of the internal audit function. A simple captive is structured as set out in the Figure 2.

Figure 2: Simple structure of a captive insurance company

We consider the key areas where internal audit should focus its work are:

• Governance and risk management: Internal audit should consider the effectiveness of the governance and risk management process. Particularly, it should consider the interplay between the risk mitigation strategies put in place at both the captive insurer and sponsoring company level and the role the insurance manager plays in ensuring that the internal control infrastructure addresses these.
• Outsourcing: The majority of a captive insurer’s functions are outsourced. All captive insurers have outsourcing policies and our experience is that, as with the risk management frameworks, these tend to be boilerplate. Internal audit needs to consider not only whether the outsourcing policy and the arrangements it governs are in place, but whether the policy is fit for purpose.
• Data: Only the most complex captive insurers have complex data feeds. Smaller captives take data directly from investment managers, loss adjustors third-party administrators, and the actuarial function. Our experience is that for a surprisingly large number of our clients, data has not been reconciled to underlying sources and is insufficiently reviewed such that anomalies go undetected. We would expect internal audit to comment on data handling within the captive insurer.
• Underwriting and claims handling: Although these are the key functions of the captive insurer, they are usually outsourced and depth reviews of the oversight of the outsourcing arrangements. It is not sufficient for internal audit to conclude that, as an example, because the captive insurer engages a reputable actuarial firm, the premium setting or loss reserving process is adequate and appropriate. The internal auditor should drill down into the report, considering the caveats and how these are explicitly addressed by the senior management team.
• Compliance: Over the past few years the Cayman Islands authorities have become increasingly concerned about financial crime, including anti-money laundering and sanctions. Accordingly, the captive insurer’s policies for dealing with this and compliance therewith, is an area internal audit might prioritise.

Internal audit should make a risk-based decision as to which topics should be included in the audit plan. It is not necessary for the plan to address each risk area on an annual basis, rather, a rolling plan of reviews which would be conducted over a two- or three-year period should be established. However, high-risk areas may be looked at more than once over the cycle.

Reporting

Internal audit should be present at meetings of, and issue its reports to, the board of directors. The reports should focus on significant control weaknesses and breakdowns together with the root cause analysis. Internal audit’s reporting should also address any thematic issues which impinge on the organisation as a whole and consider the effectiveness of the high-level risk management and governance framework.

Conclusion

The aim of internal audit is to provide independent assurance that an organisation’s risk management, governance and internal control processes are operating effectively as intended by management. This can only be achieved if a captive insurer has put in place an internal audit function that has the relevant experience, authority and standing to develop a comprehensive risk-focused internal audit plan and can bring challenge to the senior management team, such that it can add value to the organisation .

Philip Alexander is the head of RSM Cayman’s insurance practice. He can be contacted at: philip.alexander@rsm.ky