Combining the Best of Auditing and CSA
Typically, when two stock insurers merge, the larger company acquires the smaller one to increase shareholder value, and the management, culture, products, procedures, and brand of the acquiring company generally dominate. In this instance, however, the management of the two fraternal organizations, Aid Association for Lutherans (AAL) and Lutheran Brotherhood (LB), opted for a merger of complements: every aspect of each organization's operations would be reviewed, and the best elements of both would be selected for the combined company, Thrivent Financial.
Before the merger, AAL's internal audit function relied primarily on control self-assessment (CSA) to examine business processes and control effectiveness. Since 1999, AAL had used CSA with a process-based approach focused on organizational objectives such as product quality, revenue maximization, asset safeguarding, and regulatory compliance. Most engagements concentrated on operations; the few financial audits conducted were mainly in support of the annual external audit.
LB had a more traditional audit shop that followed a three-year audit rotation schedule. Many of its engagements were conducted to ensure reliable financial reporting, and the department provided considerable assistance to the external auditors. Substantive testing was almost always performed, and CSA was not used.
Change is Good
Because the two audit groups' philosophies were so different, Thrivent Financial originally decided to keep the auditing and CSA processes separate. However, as the combined internal audit and CSA department, called Business Risk Management (BRM), started working together, the staff quickly identified areas where the two processes overlapped. For example, both processes documented risks at the beginning of an engagement. The traditional audit process required a risk matrix listing the primary risks to the objective or process under review along with the controls in place to mitigate them; the CSA process required process owners to identify and document all risks during a facilitated session. There was similar common ground in reporting: both processes produced a summary of findings with a list of action plans to address concerns. Ultimately, each process provided assurance to management and the audit committee regarding achievement of the organization's objectives.
During the first year after the merger, staff members completed assignments using both methods. By the end of that year it had become obvious that a single, risk-based engagement approach would be more efficient. Operating and reporting under two processes was confusing for staff, business units, and the audit committee, all of whom agreed that providing assurance was internal audit's primary focus, regardless of the process used to deliver it.
Four auditors were assigned the task of creating a new process. Designed over the course of three months, it incorporated the best aspects of auditing and CSA, providing flexibility both in approach and in the type of evidence required to give assurance that business objectives are being achieved.
Where the organization needs to take a prospective look at an objective, such as the implementation of a new system, process, or product, the process now identifies all potential risks to a successful implementation and then addresses any ongoing gaps. In engagements where prospective assurance is required, the new process emphasizes soft controls, such as communication and commitment, as well as indicators and measures. This approach has been used, for example, to provide assurance regarding the organization's sales recruiting goals. When the audit committee asked for assurance that the current year's objectives could be achieved, auditing the results at the end of the year would have been too late. Instead, BRM interviewed more than 30 individuals involved in the recruiting process. The interviews allowed BRM to evaluate soft controls such as communication, commitment, and the existence of sufficient capabilities, and so to assess the likelihood of achieving the objective.
For a retrospective review, or where a higher degree of assurance is required regarding an objective, more substantive testing is performed. For example, ensuring that life insurance premiums are accurately reconciled to the company's general ledger requires a high level of assurance and therefore of testing, so some substantive testing is still performed even when daily reconciliation reports and business unit personnel indicate that there were no problems.
Efficiency is also a key factor in the process. There are times when it is not necessary to gather additional evidence on the effectiveness of controls. Substantive testing can consume valuable time unnecessarily when only a moderate level of assurance is needed, whether because past performance indicators have been positive or because no relevant changes to the business unit (to systems, personnel, or processes, for example) have occurred since the last review. In the premium reconciliation example, examining reports and conducting interviews might suffice to obtain a moderate degree of assurance.
Best of Both Worlds
The combined audit/CSA process is fairly straightforward. BRM develops its audit plan after extensive interviews with senior management, the external auditors, and the audit committee. The interviews identify the organization's most significant risks, and BRM assists in identifying potential controls that may help mitigate them. BRM then works with individual process owners, prioritized by level of risk, to determine the objective and scope of each engagement. The process owners, as the key stakeholders in the process, are actively involved in the review: they are ultimately responsible for achieving the objective and for managing its associated risks. During this interchange, BRM conducts the preliminary research, identifies key participants, clarifies individual roles, and develops the engagement plan. Once the objective and scope are set, all of the threats, controls, and residual risks are gathered through interviews, facilitated CSA workshops, research, evidence validation, and testing if necessary. The next step is to evaluate all of the information and decide whether additional evidence is required to meet the desired level of assurance; depending on the engagement, the business owner may or may not be involved in this decision. If the desired level of assurance has been reached, the business owner and BRM develop an action plan to address any unacceptable risks. If it has not, the group conducts further substantive testing.
The approach is a collaborative effort between BRM and business owners. It is a facilitated review in which BRM guides participants through the process in an empowering and proactive progression, allowing stakeholders to say, "Here are the risks we've identified and how we plan on handling them." Alternatively, the process can be used as an independent review, in which an objective third party reviews the process, validates evidence, performs testing, and makes recommendations for improvement. Although BRM helps business owners formulate their own assessment, independence and objectivity are maintained. If BRM does not agree with a stakeholder's opinion, the differences are discussed, and every attempt is made to reach agreement. If a difference of opinion persists, BRM notes its own opinion in the engagement report.
Because each business unit is responsible for managing its own risk, each unit needs to take an active role in learning and practicing risk management. With every engagement, the BRM team educates business owners using a variety of tools, including a risk arena, a control portfolio, and an overview of the assurance process. The risk arena helps business owners consider the range of potential risks to their objectives. The control portfolio lets them assess what controls they have in place and how effective those controls are in helping them achieve their objective. The overview of the assurance process helps them understand the steps involved in identifying and managing their risk.
Combining auditing and CSA procedures into a single process has provided numerous benefits for Thrivent Financial, resulting in a more flexible and efficient process and a single, consistent approach for business owners.
The Institute of Internal Auditors - 247 Maitland Avenue • Altamonte Springs, Florida 32701-4201 U.S.A.
+1-407-937-1100 • Fax +1-407-937-1101 • www.theiia.org