The Hollard Insurance Company has taken a whole-of-business approach in building a strong internal audit program, writes Craig Donaldson.
The Hollard Insurance Company is a multinational with businesses in Australia, Africa, the United States, United Kingdom and South East Asia. It provides a wide range of insurance products and services to more than 6.5 million policyholders worldwide, and it employs more than 1500 people and holds assets in excess of $1.7 billion. In Australia, the company directly covers more than 150,000 policyholders with its home and contents, motor, landlord and life products, while many more are covered through its wholesale umbrella products.
Hollard Australia has built its internal audit approach from the ground up over the past year. It has undertaken a program to completely integrate risk management practices with internal audit while maintaining independence of the functions, according to David Hall, the company’s head of internal audit. “This has started at the top where we articulate our risk appetite under each of the categories of risk that we have defined. Our appetite for risk then drives the ratings through our risk registers, which are the responsibility of the general manager of each of our businesses,” he explains.
“Our internal audit programs are then developed from the risk registers and this then flows through to our internal audit reporting. Through this mechanism, our internal audit team is able to focus its work on the controls in place to mitigate risks where current levels of exposure are inconsistent with our board’s appetite.” Hall says this ensures maximum value is gained from the efforts of the internal audit team and that the function adds real value.
Benefits and lessons
The process has highlighted the importance of a top-down approach to risk management and the involvement of stakeholders from the board down, Hall explains. As a result, the internal audit function is more efficient as it is able to focus on relevant risks rather than needlessly spending time looking at processes which add little value, he says.
This methodology has required a whole-of-business approach, Hall says. “We needed to ensure that we had the necessary ‘buy in’ from every part of our business as the effectiveness of the internal audit program is entirely reliant on the ability of the business to properly articulate its risks,” he explains.
“In hindsight, we should have perhaps engaged with the business earlier to ensure that we were able to fully capture all relevant risks across the organisation. Leaving this until the audit plan was underway meant that the appropriate attention had not really been paid to the management of risk registers. I think the key to these sorts of initiatives is that all stakeholders see the value,” says Hall, who adds that certain governance committees were formed once the plan was already underway, rather than getting them in place upfront.
A broad business approach
While internal audit at Hollard is independent of the risk function, it is entirely dependent on its output to guide its programs of work. “Our audit program is very much operational in nature so while we have a close relationship with finance functions, we are more engaged in the questions of ‘how do you ensure risks are mitigated and controls are effective’ rather than a detailed assessment at a micro-level of all activities of the finance function,” Hall explains.
“It is often the case that experienced finance personnel also understand the importance of risk management and internal audit; we have therefore been able to create an almost collegiate approach to the auditing of key finance functions.”
On a broader level, Hall says building a culture around this and engaging employees to encourage reporting of internal fraud and related issues is a “real challenge” in Australia. “I believe that there is still very much an attitude of not reporting some of the inappropriate behaviours that go on in the workplace,” Hall says.
“No-one wants to be the person that blows the whistle for fear of reprisal. Here is where effective whistleblower programs with adequate protection for those who are willing to come forward. These are often best provided externally to provide that extra layer of comfort to employees.”
Hollard manages its whistleblower program internally through internal audit, which Hall says is an appropriate approach for a business of its size. “I also find that the message from the top is critical. Management must be seen to act with integrity and with a zero tolerance to misconduct (fraud and otherwise) and this ensures that employees also grow within the business with these views,” Hall states.
Making the most of internal audit
All too often internal audit programs are still driven by process, even when they claim to be risk-driven, according to David Hall, head of internal audit for The Hollard Insurance Company in Australia.
“I think the best way to approach this is to step back before you perform any internal audit work and ask yourself what the real risks are in the area/business unit or process that you are about to review,” he says.
“The internal auditor can no longer be limited to just being an accountant. A sound knowledge of the business and business practices is absolutely essential to ensure that they can fully understand what the risks are, how they are mitigated, and then to be able to devise audit tests to ensure that the mitigation steps are appropriate.”