2. Need for a Risk Based Internal Audit Approach
• The IIA defines Risk Based Internal Auditing (RBIA) as a methodology that links internal auditing to an organization's overall risk management framework.
• RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite.
• A strong and robust internal audit function and internal control system are needed because of the rising trend of frauds in the corporate sector.
• Changing stakeholder expectations and a new view of risk management are prompting an important shift in the role of internal audit in many organizations.
• Regulators have also become more vigilant about the requirement for a strong internal control system [viz., IRDAI, Clause 49 of the Listing Agreement as per SEBI, and the Companies Act, 2013 and the rules thereunder].
3. Advantages of Risk Based Internal Audit
RBIA lets internal audit give the board assurance that:
• Management has identified, assessed and responded to risks above and below the risk appetite
• The responses to risks are effective but not excessive in managing inherent risks within the risk appetite
• Where residual risks are not in line with the risk appetite, action is being taken to remedy that
• Risk management processes, including the effectiveness of responses and the completion of actions, are being monitored by management to ensure they continue to operate effectively
• Risks, responses and actions are being properly classified and reported
4. Audit Universe
Core Insurance Business
• New business & Underwriting
• Medical network
• Policy Servicing
• Collection operations
• Sales force (agent/broker etc.) on-boarding process, training, maintenance, termination etc.
• Marketing, Advertisement and Digital
• Commission, Incentives and rewards including payout
• Customer Grievance Management
• Contact center
• Actuarial, Reinsurance
Non-Insurance
• Contract suspense, Bank reconciliation, Suspense & transit accounts
• Human Resources, payroll including employee reimbursement
• Procurement
• Legal & Compliance
• Anti Money Laundering (AML)
• Project Management
• C-Sat (Customer Satisfaction) Management
• Corporate Services (including facility management)
• Fraud Management and Reporting
IT Related Areas
• IT operations general controls: Access management, Role based access etc.
• System Development and Change Management
• IT Asset management including physical verification of IT Assets
5. Key Factors for the Audit Universe
• Organization objectives
• Expectations from internal audit
• Organization structure and set-up
• Geographic location of the organization & its branches
• Scale of operations
• Organic linkage between business processes
• Sufficiency of risk to justify the cost of control
6. Lifecycle Based Audit Methodology
Product Lifecycle
• Product design, development & IRDAI approval
• Product setup & product launch
• Advertisement and marketing
• Actuarial valuation (pricing, premium rate/top up etc.)
Policyholder Lifecycle
• Sourcing and point of sale (Branch/Online login)
• Policy Issuance
• Renewal/Reinsurance
• Policyholder Servicing
• Claims/Maturity Payout
• Termination of relationship with customer
Transaction/Servicing Lifecycle
• Sales & Distribution
• Collection
• Re-underwriting
• Servicing and Claims
• Policy closure and payout (Claims payout/Maturity payout/Surrender)
• Contract suspense and reconciliation
7. Lifecycle Based Audit of New Business
Application Sourcing
• De-dupe and Client ID creation
• New Business documentation, receipting & data entry
• Premium collection
• Compliance with policy & AML guidelines
• Data entry, receipts/approval and cancellation
Policy Issuance
• FTR (First Time Right) and policy issuance through STP (straight-through processing)
• Underwriting
• Policy schedule and policy bond issuance
Premium Recognition & Suspense Reconciliation
• Premium receipting and recognition
• Accounting and reconciliation
Printing & Dispatch of Policy Bond
• Vendor management
• Quality check
• Proof of delivery of policy bond
Post Issuance Servicing
• Communication with customer
• RTO (return to origin) handling of undelivered bonds
• Free look cancellations and refunds
8. Internal Audit Methodology – Plan > Execute > Report
Co-develop expectations
• Enhance understanding of the business through discussion with key stakeholders and Risk Management
• Meet with the audit committee and management to refine expectations
Prioritize risks
• Prioritize risks based on the risk rating methodology and previous report ratings
• Use Non-Financial Risk (NFR) parameters
• Consider governance, operating risk, compliance & IT
• Consider external factors, regulatory changes etc.
Design internal audit work plan
• Present the audit plan to management for concurrence
• Schedule internal audits and plan resources
• Provide/arrange training for new resources on key applications
Finalize internal audit plan
• Finalize a risk based audit plan based on discussion with Management & the Board
• Develop & communicate the audit plan to management and the audit committee
Execute internal audit plan
• Prepare planning documents (RCM, data requirements etc.)
• Conduct detailed discussions and perform walkthroughs to understand process, controls and risks
• Perform detailed testing and analysis and identify audit issues
• Recommend process improvements, validate results and obtain management responses
Deliver results and insights
• Conduct exit meeting with process owners and management
• Issue audit executive summary and detailed report with final observations & recommendations
• Present key observations and recommendations to the audit committee
9. Approach for Internal Audit Execution and Reporting
Phases: Pre-Planning > Engagement Planning > Test of Design Effectiveness (ToD) > Test of Operating Effectiveness (ToE) > Reporting > Wrap-up
Planning
Deliverables:
o Terms of Reference
o Data Requirement
o Walkthrough Schedule
o Opening Meeting with Business
Activities:
• Risk assessment and planning (interviews, documentation collection & analysis)
• Define the audit scope and agree with the business on key business-specific risks, scope and timeline
Fieldwork (ToD and ToE)
Deliverables:
o Risk Control Matrix (RCM)
o Audit observation sheet
o Issue Log
o Interim Meeting
o Closing Meeting
Activities:
• Test the design and operating effectiveness of key controls using scenario based data analytics and adherence to SOPs and applicable regulatory & statutory requirements
• The focus is on key risks and controls
• Discuss potential audit issues and mitigation plans
Reporting & Wrap-up
Deliverables:
o Draft report
o Final report
o Audit committee presentation
o Audit Feedback
o Peer Review of work papers
Activities:
• Draft the report and agree with management on the risk mitigation plan and due date for closure of each audit issue
• Issue the final report
• Archive and sign off work papers
10. Analytics Embedded Approach
Claim Analyzer
• Claim profiling by region, branch, agent, customer, premium and sum assured
• Early claim analysis: claims received within 1 year of policy issuance
• Issuance of new policies to a customer after death, indicating potential fraud and control failure
• Policy reinstatement just before claim submission
• Change of key details (bank details, nominee etc.) just before claim submission, indicating potential fraud
In-force Analyzer
• Verify the integrity of in-force files received and reconcile the PY & CY policy counts against policies issued/surrendered/claimed
• Identification of customers with low persistency
• Share of business analysis for rural & urban areas to ensure compliance with IRDAI guidelines
• Multiple client IDs created for the same individual to bypass system checks and risk profiling
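The scenario-based checks listed above (early claims, policies issued after death, reinstatement and key-detail changes shortly before a claim, duplicate client IDs for one individual, which is also the de-dupe control from the new business lifecycle) can be run as plain scripts over extracts from the policy administration system. The following is an added example and not code from the original deck or from any insurer's audit tooling; the record layouts, field names, the PAN field used as a second de-dupe key, the 90-day and 30-day windows, and the sample records are all assumptions for illustration.

```python
"""Scenario-based audit analytics run over constructed sample records (added example).
Record layouts, field names and the day windows are assumptions for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class Customer:
    client_id: str
    name: str
    dob: date
    pan: str                          # tax ID, used as a second de-dupe key (assumed)
    death_date: Optional[date] = None

@dataclass
class Policy:
    policy_no: str
    client_id: str
    issue_date: date
    reinstated_on: Optional[date] = None

@dataclass
class Claim:
    policy_no: str
    intimation_date: date

@dataclass
class KeyDetailChange:
    policy_no: str
    field: str                        # e.g. "bank" or "nominee"
    changed_on: date

def early_claims(policies, claims, days=365):
    """Claims intimated within one year (default) of policy issuance."""
    issued = {p.policy_no: p.issue_date for p in policies}
    return sorted(c.policy_no for c in claims if c.policy_no in issued
                  and c.intimation_date < issued[c.policy_no] + timedelta(days=days))

def policies_issued_after_death(policies, customers):
    """Policies whose issue date falls after the customer's recorded date of death."""
    died = {c.client_id: c.death_date for c in customers if c.death_date}
    return sorted(p.policy_no for p in policies
                  if p.client_id in died and p.issue_date > died[p.client_id])

def reinstated_before_claim(policies, claims, window_days=90):
    """Policies reinstated within window_days before the claim was intimated."""
    reinstated = {p.policy_no: p.reinstated_on for p in policies if p.reinstated_on}
    return sorted(c.policy_no for c in claims if c.policy_no in reinstated
                  and 0 <= (c.intimation_date - reinstated[c.policy_no]).days <= window_days)

def key_detail_change_before_claim(changes, claims, window_days=30):
    """Bank/nominee changes made within window_days before claim intimation."""
    claimed = {c.policy_no: c.intimation_date for c in claims}
    return sorted({ch.policy_no for ch in changes if ch.policy_no in claimed
                   and 0 <= (claimed[ch.policy_no] - ch.changed_on).days <= window_days})

def duplicate_client_ids(customers):
    """Client IDs that resolve to one individual: same normalised name + DOB, or same PAN."""
    groups = defaultdict(set)
    for c in customers:
        groups[("name_dob", "".join(c.name.lower().split()), c.dob)].add(c.client_id)
        groups[("pan", c.pan.strip().upper())].add(c.client_id)
    dupes = {frozenset(g) for g in groups.values() if len(g) > 1}
    return sorted(sorted(g) for g in dupes)

# Constructed sample data (not real customer or policy records).
CUSTOMERS = [
    Customer("C001", "Asha Rao", date(1980, 5, 1), "ABCDE1234F", death_date=date(2023, 3, 10)),
    Customer("C002", "asha  RAO", date(1980, 5, 1), "abcde1234f"),  # same person, second client ID
    Customer("C003", "Ravi Kumar", date(1975, 1, 15), "BCDEF2345G"),
]
POLICIES = [
    Policy("P1", "C001", date(2022, 1, 10)),
    Policy("P2", "C001", date(2023, 6, 1)),                                # issued after death
    Policy("P3", "C003", date(2023, 9, 1), reinstated_on=date(2024, 2, 1)),
    Policy("P4", "C003", date(2021, 1, 1)),
]
CLAIMS = [
    Claim("P1", date(2022, 8, 15)),   # 217 days after issue: early claim
    Claim("P3", date(2024, 2, 20)),   # early claim, and 19 days after reinstatement
    Claim("P4", date(2024, 5, 1)),    # claim on a mature policy
]
CHANGES = [
    KeyDetailChange("P4", "bank", date(2024, 4, 20)),     # 11 days before the P4 claim
    KeyDetailChange("P1", "nominee", date(2021, 12, 1)),  # long before the P1 claim
]

def run_all():
    """Run every check; the result feeds the audit observation sheet."""
    return {
        "early_claims": early_claims(POLICIES, CLAIMS),
        "issued_after_death": policies_issued_after_death(POLICIES, CUSTOMERS),
        "reinstated_before_claim": reinstated_before_claim(POLICIES, CLAIMS),
        "key_detail_change_before_claim": key_detail_change_before_claim(CHANGES, CLAIMS),
        "duplicate_client_ids": duplicate_client_ids(CUSTOMERS),
    }
```

Calling `run_all()` returns the flagged policy and client IDs per scenario; on real extracts the same functions are pointed at the in-force and claims files, and the windows are tuned to the insurer's own experience. Each hit is a lead for the observation sheet, not a finding: the auditor still has to trace the flagged policy back to the underwriting file, the reinstatement approval or the service request before reporting it.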