When we talk about an internal control framework, we often relate it to a house. This house is built on a foundation of people, process, and technology. The roof is held up by a structure that comes from policies, internal controls, a tone at the top, quality information, and communication. (If you’re familiar with the COSO framework, this probably sounds familiar.) Continuing the metaphor, COVID-19 is a big bad wolf shaking the house, and insurance organizations are struggling to cope with these challenges to their internal controls structure.
Below are a few internal controls challenges we’re seeing today — and how to address them.
Beware of increased cybersecurity risk
The hackers are at our door. Over the last 10 years, we’ve seen heightened activity around cybersecurity breaches, with attacks becoming significantly more sophisticated and effective. Long gone are the days of a faraway prince, needing your banking information so he could park tens of millions of dollars for a couple of days. Hackers are attacking by any route possible, from connected devices to home routers and the like. Further, the attack may be happening at a vendor and could make its way upstream to your organization.
Risk capital is more vulnerable
In 2020, as organizations evaluated their ORSA report and MAR controls framework, how much did they test their scenarios? Did they consider changing weightings to account for greater volatility? To think back to the foundation of internal controls, are the people in the organization pushing harder and considering potentially worse outcomes than during the stable and growing economy of the 2010s? Whether or not an organization does this speaks to the tone at the top — leadership’s comfort with delivering less than favorable news — and the quality of information.
Business processes have changed
Whether or not you’re comfortable with the dramatic increase in remote work over the last several months, it’s just a fact of life amid COVID-19, and doesn’t it seem to be going anywhere anytime soon. By and large, internal controls are operating differently — we’ve noticed clients are more regularly documenting the execution of controls as they’re no longer resolving issues round the watercooler — and actually improves how an internal auditor and external auditor tests controls but creates different issues all together.
Take, for example, issuing claims via check. While that may be what you’ve historically done, and it may be difficult to issue claims without a check as claimants can be hesitant to give up banking information, you might have to change course to fit the needs of a new normal. That could mean bringing in third-party vendors to process organizational information, which means better meeting some needs but more stress on your internal controls.
How can we address additional stress on our internal controls?
Many of the things that gave us structure are now gone — so how do we regain that structure and serve at the same level our stakeholders are used to? As discussed routinely among internal audit and internal control professionals, the tone at the top is critical to having a secure system of control, especially in these times — and a shift in this tone is essential. Historically, the tone at the top focused on doing the right thing, being ethical, and transparent across the organization. Now, the tone should shift to include an element of patience and resilience. Not just doing the right thing with precision but giving the time and attention necessary to do the right thing consistently.
Because of the pandemic, our calendars are packed sunrise to sunset and feel considerably heavier. We’re no longer just professionals, but full-time educators, along with the regular demands of daily life. It’s easy to assume something is accurate because it has been for months on end. We move these items along to get them off our plate, giving ourselves much-needed time to tackle whatever’s next, bigger, or more pressing, at home or at work. But this is exactly where internal controls break down.
When speed starts to take precedence over quality, risk begins to increase. There’s risk in moving too slowly as well, but compare that to the risk of broken down internal controls, which could mean anything from having to redo low-quality work to experiencing a devastating data breach. What little time is saved moving through work quickly is hardly worth the extra time that will need to be spent fixing the issues that a breakdown of controls can lead to.
We believe that leadership must set the tone for patience to allow staff the time and breathing room to pause, truly consider what they’re looking at and ensure the control steps are followed faithfully. This means less calendar packing and more focused time to address the big — the mundane — issues as well.
Focus on the foundation
When we evaluate the system of internal controls for an organization, we find it’s rooted in a simple foundation of people, processes, and technology. The pandemic has exposed the weaknesses in those foundations, and to make it through, leadership will need to focus on patching them up.
This is especially true for the companies contemplating a permanent work-from-home arrangement. Results from our insurance industry benchmarking survey indicated that many are considering this, and while this may be the right choice for your organization, management should consider if the systems and processes in place are still adequate. Insurance companies that lean heavily on outsourcing should continue to ensure their agreements are operating as intended, service levels haven’t slipped during the pandemic, and vendors have the proper data security controls in place and are tested regularly.
While we don’t know what the “next normal” will look like, we do know one thing is certain: to be successful, it’s critical to evolve your models of internal control, as well as the tone at the top, to ensure you’re growing with the evolving needs of your organizations. If you have any questions, give us a call.