For decades now, external audit firms have organized themselves with Professional Practices. Their purpose is to concentrate expertise per industry sector or technical knowledge to better serve the clients with dedicated staff and partners. It takes the audit teams to a higher competence level. I remember how impressed I was, as a young senior auditor, by the size and the expertise of the EY banking practice in London when I rotated there for a year in 1989.
When I took over IA in Allianz in 2005, my mandate was to transform and modernize the function. With 900 auditors across the globe, that was a complex task. For this revolution, one key step was to define the operating model the function. For 13 years and along my two mandates as Group CAE, I applied a clear general principle: “stick to the organization and governance of the Group” or put in a different way: “follow the business”.
Operating model – Phase 1: a clear organization and governance of the IA function
I initially identified and managed two levels of granularity in the IA function:
· The Holding level with Group Audit (45 auditors) – and the 3 lines of business, ergo 3 distinct audit functions: Insurance (510 auditors), Asset Management (25), and Banking (320 auditors: Allianz controlled Dresdner Bank and Oldenburgische LandesBank at the time),
· Two types of insurance entities:
o 3 global lines (credit insurance, commercial lines, B2B2C solutions like travel insurance and assistance) and one services company (IT, etc.): 4 teams with 50 auditors,
o Country based, with a retail and mid-corp focus: 37 teams and 460 auditors.
All IA teams were made clear that they had a double reporting line: primarily to the Group CAE, with a progressive but clear and strong integration process, and then to local CEOs or ACs to meet local legal and regulatory requirements (financial services are strictly regulated everywhere).
With a clear IA set-up and governance, we rapidly moved towards the standardization of the audit approach, methodologies, tools, and processes across the Group. We greatly improved our efficiency, and our standing and impact with the business.
Operating model – Phase 2: introduction of a 3rd level of granularity: the Practices.
Over time, I observed that a certain level of specialization was missing for the Insurance teams:
· Business is complex with various processes, risks and controls, requiring different talents and competencies. They cannot be fully covered by generalists, albeit good auditors. In addition to audit qualifications, an audit team benefits from a fair share of business know-how.
· Blending career auditors with corporate experts, I had to attract good people from the business by giving them a “home”, where they could both acquire or reinforce their audit technique, and keep their expertise recognized.
· The size of our IA community easily allowed for the creation of pools of specialists.
· Existing specialists (IT auditors, etc.) asked for formal structure to exchange and develop together.
· With new business, risk or regulatory developments, or requests, well identified communities of experts were needed to provide rapid and valid answers.
· The smaller teams missed guidance from identified specialists, mostly found in bigger teams.
· As Group CAE, I also wanted a certain level of calibration to make sure that I had no major audit coverage white spots in terms technical expertise.
I had in mind the “Big Four” model and decided to create Practices, based around our SAU:
· We had created a common taxonomy: the Standard Audit Universe (SAU), with underlying APMs, Standard Audit Programs (SAPs) and illustrative checklists.
· the SAU defines 74 audit objects. These objects are categorized in 8 major areas of processes in insurance companies.
To be well appraised, especially in terms of risks and controls, the 8 areas defined 8 IA professional practices, pooling auditors with a more specific business knowledge, qualifications, or competencies in addition to the internal audit expertise:
1. Finance: accounting, tax, actuarial reserving, corporate finance, risk, controlling, treasury …
2. Operations: claims handling, fraud management, procurement …
3. Property & Casualty (PC): underwriting, actuarial pricing, technical product design, reinsurance …
4. Life and Health (LH): underwriting, actuarial pricing, technical product design, reinsurance …
5. Investments: asset liability management, hedging strategies, valuation of assets …
6. IT: infrastructure, application development and maintenance, security, data management …
7. Distribution networks and market management: commission systems, agent recruitment …
8. Other support functions: compliance, HR, communications, legal …
It worked out very well, and there are several additional benefits that I did not fully anticipated, especially in terms of people management:
· Career management and development: the Practices help auditors to grow and reinforce their expertise, and to have mobility plans to new areas of know-how within IA,
· Practices create strong virtual teams across the function, sharing the same passion and focus, with a bigger sense of “belonging” to a global audit function, irrespective of the country or line of business they were part of.
· The quality of audit recommendations improved, increasing the credibility of the function with all stakeholders: leadership, Audit Committee, Insurance regulator, external auditor, etc. It makes internal auditors better valued by the business and HR. We achieve a “virtuous circle”: attracting talents to IA and offering auditors more career opportunities in the Group.
Allianz is today the world’s largest insurance company and the largest financial services company in Europe. I am proud that I could contribute to the Group success by building a modern, state of the art IA function: the Operating Model and the Practices have been a major achievement.