Process Audit PPT Updated 25 Aug PDF

The document discusses process audits, including: 1) It defines a process audit as examining significant business processes to assess risks and controls, including compliance. 2) The objectives are to check process controls, provide insights for improvement, and assure proper process operation. 3) A process audit involves planning, fieldwork evaluating design and effectiveness, reporting, and issue tracking. Tools include flowcharts, checklists, and risk matrices.

Uploaded by

AMAN DEEP
  • Introduction: Covers the basic introduction and authorship for the process audit presentation.
  • Agenda: Lists the main topics included in the document: audit background, theory, practical workshop, and Q&A session.
  • Internal Audit Background: Provides a detailed explanation of what internal auditing entails and its significance within organizations.
  • Audit Types and Theory: Details different types of audits including process, thematic, and targeted audits along with their objectives.
  • Claims Processing Audit: Focuses on auditing claims processing within the insurance industry, covering procedures and risk management.
  • Q&A and Conclusion: Concludes the document with a session dedicated to audience questions and final remarks.

Process Audit

By CA Vijay Pandit

Agenda

▸ Internal Audit Background

▸ Process Audit – Theory

▸ Process Audit – Practical workshop

▸ Q&A

Internal Audit Background

What is Internal Auditing?

“Internal audit is an independent management function, which involves a continuous and critical appraisal of the functioning of an entity with a view to suggest improvements thereto and add value to and strengthen the overall governance mechanism of the entity, including the entity's strategic risk management and internal control system.”
The Institute of Chartered Accountants of India

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
The Institute of Internal Auditors

Audit Framework & Guidance

Institute of Internal Audit (IIA)
Institute of Chartered Accountants of India (ICAI)

§ Audit Charter
§ Audit Universe
§ Audit Process

Regulations
Audit Committee

Internal Auditing- Area of focus and method of working

Particulars: Internal Auditing

Area of Focus
• Risks
• Controls
• Effectiveness and efficiency of operations
• Compliance
• Risk management
• Governance structure

Method of working
• Risk based Audits / Process Audits
• Ongoing risk assessments
• Regulatory Audits

Audit Universe and Plan Coverage – Process Level

Process Name: Name of the Process and Sub-process

Marketing
• Capture Customer Insights and Develop Marketing Strategies
• Manage Brand, Advertising, and Sponsorship Agreements
• Manage Subsidies/Upgrades and Promotions
• Manage Customer Loyalty and Churn Prevention

Customer Relations Management
• Provision Services and process Customer Orders
• Implement and Update Customer Master Data including Customer Privacy
• Adjustments and Issue Credits
• Customer Complaint Management

Sales Management
• Manage Individual Customer Contracts and Conditions
• Manage Distributors and Other Channels
• Manage Retail Outlets including Sales
• Manage Enterprise Sales
• Commission and Incentive

Supply Chain Management
• Procurement - Planning, Demand Management and Sourcing

Annual Audit Planning

Types of Audits

1. Process Audit: Examination of significant Processes i.e. business and operational key risks and the controls established to mitigate those risks, including compliance with laws, regulations and established policy, procedures and processes.

2. Thematic Audit: An evaluation of a thematic aspect of current or emerging risks impacting more than one group, department, line of business, or business segment to assess the effectiveness of the process or activity as performed by the different groups.

3. Targeted Audit: A focused limited scope audit of one or more key risks associated with a specific product, process and/or function. It is used to obtain the design and current effectiveness of selected key controls.

4. Regulatory Audit: Substantive testing performed to assess compliance with regulatory requirements and company policies.

5. Change Activity: An on-going and proactive evaluation of significant projects and large scale business initiatives during the life cycle or term of those projects/initiatives for the purpose of identifying possible unmitigated risks and highlighting other project management issues.

6. Continuous Risk Assessment (CRA): The objective of CRA is to facilitate a dynamic risk assessment process through ongoing evaluation of business and to adapt the audit plan in response to the businesses’ evolving risk profiles.

7. Follow-Up Audit: Detailed inquiries, observation and testing to verify the clearance status of reported audit issues.

What is a Process?

Input → Process → Output / Product
Process: Set of interrelated or interacting activities
Product: Result of the process

Monitoring and Measurement of Effectiveness

Risks in relation to process audit.

Ø Inherent Risk: Inherent risk is the risk involved in the nature of business or transaction. - (Process)

Ø Control Risk: Control failure due to design and operating effectiveness.

Ø Detection Risk: Detection risk is the probability that the audit procedures may fail to detect existence of a material error or fraud - (Process)

Process Controls

Preventive Controls
• Segregation of duties
• Maker/Checker

Detective Controls
• Exception reports
• Reconciliations
• Performance reviews & Peer reviews

Manual / Automated

Common Challenges faced

Process Audit – Theory

What is Process Audit ?

Ø Process Audit: Examination of significant Processes i.e. business and operational key risks and the controls established to mitigate those risks, including compliance with laws, regulations and established policy, procedures and processes. The audit is conducted to provide an opinion on both the design and effectiveness of the system of internal control for a process.

Ø Process Audit is an audit that focuses on processes and not a specific person or product.

Ø A Process Audit is where the organization's procedures are validated.

Ø A Process Audit examines the effectiveness and efficiency of organization procedures.

ü Effectiveness of process = ability to achieve desired result.

Objective of Process audit

Ø To check the adequacy and effectiveness of the process controls established by procedures, work instructions and process specifications.

Ø To provide added value by providing various new insights to process for improvement, e.g. training requirement, automation.

Ø To give assurance on process, i.e. if the process is operating as intended and risks in the process are monitored and managed effectively.

Process audit stages and deliverables at each stage

[Diagram: the audit stages in sequence are Pre-Planning, Planning, Evaluation, Reporting and Issue tracking. Deliverables shown across the stages: Communication; Resourcing; Understand the process; Scoping; Walkthrough (Test of One); Risk Control Matrix; Flowchart; Audit Planning Memorandum; Design and Operating effectiveness; Potential Issue listing; Issue root cause analysis; Management discussions; Tracking of issues; Issue Verification.]

*RCM- Risk Control Matrix

Tools of Process Audit

Ø Flow Chart

Ø Check List

Ø Process Note

Ø Risk Control Matrix

Ø Data Analysis

Planning – Important points

Ø Timing

Ø Communication with auditee

Ø Preliminary research

Ø Inherent risks

Ø Annual Risk assessment


Ø

Ø Identification of scope items

Ø Formal engagement memo

Ø Opening Meeting with the auditee


Fieldwork

Ø Assign areas to team members.

Ø Interviews with auditee on areas covered under the audit.

Ø Review of the processes involved in the audit engagement.

Ø Document reviews

Ø Decide sampling strategy

Ø Testing and verification of the data and documents


Planning &
Design effectiveness

Planning : Step 1- Pre –Planning

q Pre-Planning is the first step in the Planning Phase.

q The main objectives of this phase are:


Ø Verify logistics of audit.
Ø Understand objective of the process being audited.
Ø Officially announce the audit engagement.

q Understand the business objective:


Ø Review available audit documents such as: Prior year work papers, continuous risk
assessment, annual risk assessment.
Ø Review available client information such as: Risks and Controls Self assessment,
SOX, IFC / ICFR, business plan and budgets, Fraud information.

Planning : Step 2- Understand the Process

q This step is typically the beginning of “on‐site” planning where the audit team interacts directly with the audit client to gather information and conducts interviews to understand the business.

q The primary objective of this step is to understand how the business operates (e.g., process,
people, IT systems, etc.) to achieve its objectives.

q Define the Functions / Activities within the Process:

Ø Functions may be defined as key processes, locations, products, etc.

Ø Defining functions provides the framework for assessing risk for the audit engagement.

q Obtain an Understanding of Each Function:

Ø This knowledge is generally gathered by reviewing available documentation and interviewing the client.

Ø The audit team needs to balance the amount of information and detail to gather at this stage. Too much information provides unnecessary detail and wastes time and effort.

Ø The type, level and amount of information to gather is to facilitate:

§ Identifying major risks and controls


Planning : Step 3 – Process Risk Assessment

Process Risk Assessment differs from the Annual Risk Assessment, as depicted below:

Purpose
• Annual: To determine business level Audit Strategy and Annual Audit Plan
• Process: To identify function level key risks and controls and develop Audit Test Plan

Hierarchy Level
• Annual: Auditable Entity, e.g. XYZ Company
• Process: Audit Unit / Functions, e.g. Purchase / Production

Tasks
• Annual: Assess inherent risk and control environment
• Process: Identify specific risks and controls for each relevant Process / function

Planning : Step 3 – Process Risk Assessment -
Identifying Key Risks
q Brainstorm:

Ø For each major process/function, walk through the process and brainstorm “What could go wrong?”

Ø Use flowchart / narratives developed

Ø Areas that have the greatest impact on process / business objectives if things go wrong.

Ø Areas with the greatest potential vulnerabilities, e.g. manual process, decision / judgment points, management over-rides, handoffs, dependencies on other groups, etc.

Ø What are the most critical steps that the process has to get right?

Ø Do activities / output have direct impact on external customers / stakeholders?

q Determine Key Risks:

Ø Assess the likelihood of occurrence.

Ø Assess the magnitude of impact.

q Document:

Planning : Step 3 – Process Risk Assessment-
Identifying Controls
q Brainstorm expected controls based on Understanding of business and key
risks:

▸ Possible preventive and detective

▸ Possible manual and automated.

[Link] existing controls:

▸ Existing Controls (based on interviews, flowchart and document reviewed).

▸ Verify risks and control with clients.

q Identify Gaps Between Expected and Existing Controls:

▸ Determine which Expected Controls do not currently exist in the client’s process.

▸ Evaluate whether there is a potential control gap, i.e., either no controls exist for the risk or
current controls do not fully mitigate the risk.

▸ For potential control gaps, document the issue as an Exception in the Summary of Audit
Findings and Dispositions for further consideration.
▸ Customize the Standard RCM to reflect only existing controls.
Planning : Step 4 – Evaluate Control Design

Approach

q Analyze Controls to determine if they are adequately designed to mitigate the stated risk:
▸ In analyzing controls, use understanding of the audit area’s control environment, including flowcharts and narratives.

▸ The Elements of a Good Control.

[Link] if a Potential Issue or a PIO should be raised:

▸ If the control is designed effectively to mitigate the risk, the control(s) can be considered for potential
testing.

▸ If a control is NOT designed effectively to mitigate the identified risk, the control should NOT be tested.

▸ If a risk is not adequately mitigated, either by one control or a group of controls, a potential audit issue is
required to be documented in the Summary of Audit Findings and Dispositions.

▸ The Audit Team should identify potential Process improvement opportunities (PIO), if any. PIOs are
opportunities to make a process better and/or more efficient and do not arise from a control breakdown.

[Link] Control Design Evaluation:

▸ The Audit Team’s evaluation of control design provides a basis for part of the overall audit opinion

Workshop
Process Description – JV Authorization
▸ Two types of JVs are raised: a normal JV and an auto-reversal JV, which is automatically reversed in the subsequent month.

▸ Process executives raise JVs in their respective departments and an Accounts Manager authorizes all of them.

▸ A manual JV no. is allotted in sequential order, based on the list maintained for controlling the sequence numbers for each process executive.

▸ After authorization, the same process executives enter the JV in the JV system.

▸ After entry, the JV is validated in the system by process executives for any punching errors.

▸ After validation, the JV is posted only for the month that is open.

▸ In the system, a JV can be entered in two ways: by Journal Entry or by Journal Import.

▸ In case of Journal Entry, the entry is keyed directly into the system.

▸ In case of Journal Import, the JV is imported directly into the system from a worksheet, using Microsoft Access.

▸ Account Executives post the entry into the general ledger.

▸ After entry and posting of the JV, the Account Manager approves the same.

Work Shop -Flowchart

[Flowchart: Start → Preparation of journal voucher by Process Executives based on the supporting documents → Allotment of manual Journal voucher number based on list maintained → Entered in system → Checked the JV on screen for validation → Data entry error? (if so, Correct the error) → Account Executives post the entry into general ledger → Manager authorises the JV → End. Risk markers R1, R2, R3 and R4 are placed on the chart.]

Workshop – JV Authorization
Risks and Controls Identified

1. Authorization of JV is insufficient and inaccurate. (R1)
Ø All JVs are authorized by Account Manager. (C1)
Ø Staff who prepares does not authorize. (C2)

2. Posting with wrong account, amount and period. (R2)
Ø All JVs are authorized by Account Manager. (C1)
Ø JV is validated on screen before posting. (C3)
Ø Staff who prepares does not authorize. (C2)

Workshop – JV Authorization
Control Deficiencies
▸ Responsibility / financial limit to authorize the JV is not defined. (R1)

▸ JV documentation is not reviewed periodically by independent staff for correctness. (R2)

▸ Account Manager has access to system to enter and post JV. (R1&R2)

Planning : Step 5 – Develop the Test Plan

The final step in the Planning Phase is to Develop the Audit Test Plan.

q Objective is to determine:

▸ Which control to test and how to test.

▸ To obtain the most persuasive audit evidence in the most effective and efficient manner.

q Only key controls can be tested; factors to consider:

▸ Cannot live without the control for that risk.

▸ Most efficient or effective control to mitigate the risk i.e. generally preventive control.

▸ Provide the most persuasive audit evidence e.g. reconciliations.

q Validate control description:

▸ A “test of one” walkthrough sample is required for all key controls.

▸ The purpose of walkthrough is to verify that the control has been implemented and is operating as designed before investing in additional resources to test the control.

Planning : Step 5 – Develop the Test Plan

Determine How to Test the Controls

q Control Testing Techniques

Ø The following four techniques may be considered when developing the audit test plan, including a
combination of techniques.

q Substantive Testing

May decide to perform substantive testing to provide additional assurance of a control’s operation.

q Analytics

Plan any Analytics

Elements of a Good Risk

When identifying and writing risks, test them against these elements:

q Answers “So What?”

Ø Determine how the risk impacts the business in achieving its objectives if the risk is not mitigated.

Ø Example: Invoices are not authorized. Having unauthorized invoices may not impact the business
if the invoice is valid. Paying for invalid or incorrect invoices would be a risk as it could result in
financial loss.

q Not an “opposite Control”

Ø Avoid using the control in the risk description.

Ø Attempt to re‐write “opposite controls” by thinking of the reason for the control’s existence in order to identify the risk the control is managing.

Ø The “opposite‐control” should not be used for the following reasons:

ü All risks relevant to the audit may not be evaluated if the focus is on the opposite of existing controls.

ü All controls to mitigate the true risk(s) may not be identified.

Ø Example of a risk worded as an Opposite‐control:

ü Control: Management reviews the accounts weekly using a standardized checklist.


Elements of a Good Control
When identifying and writing controls, test them against these
elements:

q Not Just a Standard, Policy, or Process

ü A policy or standard is not a control on its own.

ü The control is the activity to help ensure adherence to the policy or standard.

q Answers “How is this Activity Mitigating This Risk?”

ü Not all activities are controls.

ü A control should manage or mitigate the specified risk.

q Addresses Who, What, When, Where, How/Why

ü A control description should include all of these elements:

WHO • Who is performing the activity?
WHAT • What is the activity?
WHEN • Timing within the process? • Frequency of the control?
WHERE • Where is the activity performed?
HOW/WHY • How is the control activity managing the risks? • Why does the control exist?

Planning- Sample Walkthrough document


Attendees of the meeting


Date of meeting


Discussion with the auditee

Activities handled by the auditee’s department


Process flows of the activities

The template for the walkthrough document is given below:

Sample walkthrough Doc..doc

Planning - Sample process flow

[Sample flowchart running from Start to End through Activities 1 to 4 and Decisions 1 to 3 (each with Yes/No branches), annotated with risks R1 to R4 and controls C1 to C4.]

Planning -Sample Risk Control Matrix (RCM)

Activity | Risk Category | Risk No. | Key Risk | Control No. | Description of Control Activity | Frequency Of Control | Audit Test Step
Activity 1 | | R.1 | Risk 1 | C.1 | Control 1 | Annually/monthly/daily |
Activity 2 | | R.2 | Risk 2 | C.2 | Control 2 | Annually/monthly/daily |
Activity 3 | | R.3 | Risk 3 | C.3 | Control 3 | Annually/monthly/daily |
Activity 4 | | R.4 | Risk 4 | C.4 | Control 4 | Annually/monthly/daily |

Sample Audit Planning Memo

Audit Name
Audit Director
Audit Manager
Auditor In-Charge

Business Overview
Department Overview
Application/Systems Overview
Key Personnel
Risk Assessment
Frauds & Investigations
Audit Scope
SOX Applicability
Data Analytics
Time Budget & Staffing
Sampling Strategy

Planning -Sample checkpoint

The objective is to evidence the planning checkpoint meeting among the internal audit team members regarding the Engagement Memo, Planning Memo, RCM and Flowcharts and/or Narratives.

This meeting is attended by the audit engagement members along with the Senior Audit Manager and Head of Internal Audit department.

The template for the planning checkpoint and Workpaper Quality Planning Checklist are given below:

Planning Checkpoint [Link]

Workpaper Quality Planning Checklist [Link]

*RCM- Risk Control Matrix

Evaluation

Performing audit activities- Sampling

Ø In performing audit activities, auditors should review and execute the test plan developed in Planning.

Ø Utilize Internal audit sampling approach in testing. Sampling allows the application of audit procedures to less than 100% of a population to form a conclusion on the entire population.

Ø Audit sampling is primarily used to assess the operating effectiveness of controls in mitigating key risks.

Ø The following is an outline of the steps to be taken in determining the appropriate sample size, selecting a sample and documenting your sampling approach.

1. Determine type of sampling.
2. Define the period under review, population and the source of the information.
3. Define the sampling unit.
4. Determine the sample size.
5. Choose Sampling Selection Method.
6. Select the sample.
7. Document exceptions.

Performing audit activities- Evaluating test results

Ø Evaluate test results against the test objectives and determine if the key control(s) is/are operating effectively to mitigate the stated risk(s).

Ø Evaluate Test Results:

§ All differences from the expected result are required to be evaluated to determine if they are potential audit findings.

§ In certain instances, testing an additional sub-sample of items may be needed to substantiate the impact of a potential audit finding.

§ If testing exceptions are identified, discuss the items with the client to verify the facts. Document the finding in an Exception template.

Performing audit activities- Document the test results

Ø Test results are required to be adequately documented and testing documentation is required to be sufficient to support conclusions reached.

Ø Each test / lead sheet provides a summary of the test objectives, sampling information, procedures, results, and conclusions.

Ø During fieldwork, the Audit Team evaluates the test results, discusses exceptions with the client, adjusts the audit test plan if necessary, and concludes on control effectiveness.

Ø The template for the Workpaper Leadsheet is given below:

Lead Sheet [Link]

Sample test sheet

The objective of test sheet is to ensure that audit evidence from the test work has
been documented in a consistent manner.
Test sheet template
Objective of test sheet:

RCM Reference:
Risks and Controls
Test Name:

Test Objective:

Client Contact:

Sample Period:

Source of Information:

Sampling Information:

Test Steps/ Results:


Exceptions:
Conclusion:
Sample test matrix

▸ Internal Audit Division


▸ [Audit name]
▸ [Audit time period]
▸ [Workpaper title]

Item # Item information Test step 1 Test step 2 Reference Comments

Performing audit activities- Managing the fieldwork phase

Ø Meetings with client management are required to be held periodically during fieldwork.

Ø Control testing is executed and completed during the Fieldwork Phase.

Ø Fieldwork cannot begin until the:

§ Engagement Memo, Audit Planning Memo, and RCM have been finalised and reviewed and confirmed with the client.

§ Workpaper Quality Planning Checklist has been completed.

Ø The end date of fieldwork is typically when audit testing is substantially complete.

Ø Audit team management during fieldwork

§ The Audit team should meet frequently during fieldwork to ensure the audit is progressing as planned and to discuss any challenges that may affect the timely completion.

§ Potential audit findings should be discussed as they are identified to ensure timely communications with audit and client management, as necessary.

§ Work papers are required to be properly documented and reviewed as completed.

Workpapers- General workpaper guidelines

Ø Workpapers are written documentation that provide principal support for the procedures applied, tests performed and conclusions reached during an audit engagement. They are necessary to demonstrate compliance with Internal audit Policies and Internal Audit Standards.

Ø Workpapers are required to stand on their own to enable an experienced auditor, having no previous connection to the engagement, to understand the procedures performed, evidence obtained, and conclusions reached.

Ø In addition, workpapers may be used to:

§ Provide background information for future audits.

§ Facilitate third‐party review and reliance.

§ Facilitate professional development of audit staff.

Sample Fieldwork checkpoint

The objective is to evidence the fieldwork checkpoint meeting among the internal audit team members on the progress of all audits and follow-up audits during fieldwork.

This meeting is attended by the audit engagement members along with the Senior Audit Manager and Head of Internal Audit department.

The template for the fieldwork checkpoint and Workpaper Quality fieldwork Checklist are given below:

Fieldwork Checkpoint [Link]

Workpaper Quality Fieldwork Checklist [Link]

Reporting

Reporting

Ø Develop draft audit report

Ø Closing meeting with the auditee

Ø Reporting checkpoint meeting

Ø Management responses on the issues raised

Ø Validate management response

Ø Positive assurance

Ø Root cause

Ø Final report discussion and distribution of the report to the management


Reporting-
Summary Of Audit Findings And Disposition

Ø As potential findings and Process Improvement Opportunities (PIOs) are identified during planning and fieldwork, they are required to be documented.

Ø Potential findings are required to be addressed in one of the following ways:
a) Carried forward to the Audit Report as an Issue or PIO;
b) Combined with another finding and carried forward to the Audit Report; or
c) Disposed of in the SAFD.

Sample Audit Findings And Dispositions summary

Sr. No. | SUMMARY OF FINDING | LINK TO FINDING | DISPOSITION OF ITEM | ITEM NUMBER IN REPORT | REASON NOT REPORTED | WHO DISCUSSED WITH

The template for the Reporting checkpoint and Workpaper Quality Reporting
Checklist are given below:

Reporting Checkpoint [Link]

Workpaper Quality Reporting Checklist [Link]

Kaizen Memo sample

Kaizen is the practice of continuous improvement.

Audit Name

Audit Manager

Auditor-In-Charge

Learning Opportunities

Audit stages Observations/Experiences/Challenges Opportunities for Improvement

Audit Survey
The objective of audit survey is to assist in maintaining the efficiency of the audit
process and the quality of the audit report.

Audit survey questionnaire

Rating Scale

▸ Importance: 1 = Low importance 2 = Medium importance 3 = High importance

▸ Performance: 1 = Strongly disagree 2 = Disagree 3 = Agree 4 = Strongly Agree

Questions | Importance | Performance
The timing of the audit was appropriate. | 1 2 3 | 1 2 3 4
Were informed throughout the process on a timely basis and there were ‘no surprises’. | 1 2 3 | 1 2 3 4
The internal auditor(s) demonstrated a good knowledge of the subject matter. | 1 2 3 | 1 2 3 4

Process audit - Workshop

Motor Insurance Claim

Personal Accident cover – Owner & Driver
Loss / damage to the insured vehicle
Liability to third parties

Auto claim process background

q In the insurance industry, auto insurance is a major contributor. Typically, when an accident occurs, the insured notifies the insurer’s claims department, after which the claims handling process begins.
q Surveyor's assessment in select cases.
q Claims are generally large in volume and low in value.
q Auto Insurance covers two aspects:
§ Own damage
§ Third party damage
q Types of Vehicle covers:
§ Private Car / Two Wheeler Insurance
§ Commercial Vehicle Insurance
q Compliance Requirements for Claims processing and payments:
§ Protection of Policyholder Interest, Regulations
§ Grievance Redressal guidelines, IRDAI
§ IRDAI has defined Parameters for monitoring timelines for claims processing.
q Some inherent high-risk areas under auto claims are:
§ Fraudulent claims
§ Inadequate reserve
§ IRDAI compliance
§ Customer Satisfaction
§ Subrogation

Claims Processing- Planning Audit Scope

ü Claims processing, payments and accounting

ü Timely provisioning of claims reserves

ü Payments to surveyors and external investigators

ü Subrogation and salvage recoveries

ü Information Technology controls

ü Compliance with IRDAI regulations and contractual obligations

*IRDAI- Insurance Regulatory and Development Authority of India

Key aspects to be considered during claims process planning

Ø Preliminary research:
ü IRDAI regulations and circulars
ü IRDAI Penalty orders
ü Past audit report
ü Past reported frauds and Industry frauds
ü Statutory auditor presentation
ü SOX/ICFR requirements

Ø Internal claims department SOP

Ø ERM Risk register

Ø Sampling techniques

Ø Data Analytics

*ERM- Enterprise Risk Management
*ICFR- Internal control over financial reporting
*SOP- Standard Operating Procedures
*SOX- Sarbanes Oxley

Claims process flowchart

[Flowchart, by swimlane:
Claimant: Start → Insured suffers a loss.
Call Center / Claims Executive (Branch): Receive a call/email/fax/SMS to intimate loss → Search for policy in system based on policy number/cover note number/insured name → Enter claim in system as per standard procedure → Inform caller that call back will be made within time limit specified for each city, documentation required, claim no. → connector A1.
Claims Executive (Head Office): Receive a call/email/fax to intimate of loss (exceptional circumstances) → Forward email/fax/SMS to call center for logging in of claims in system.
Markers shown on the chart: B1, I1, C3, C11.]

Claims process flowchart

[Flowchart, by swimlane:
Call Centre Executive: connector A1 → Send a consolidated email to corporate claims dept. on Claims received.
Claims Executive / Analyst (Branch): Call back claimant/insured to complete claim information and fix date, time & place for survey/inspection → Update calls made during the day in the log → Decision: Is there break in insurance on the policy for which claim is reported? Yes: Send email to designated person for inspection report copy. No: connector A2.]

Claims process flowchart
[Flowchart, swimlane Claims Executive / Analyst (Branch). Steps and decisions shown:
Connector A2 → Decision: Has Policy been issued? No: Send email to designated person in respective dept. and get policy issued in system.
Decision: Discrepancy in documents received? Yes: Send email to designated person for discrepancies, Update in system. No: connector A3.
Connector A4 → Update physical file for each claims → Receive CBC, Policy details status from respective dept. → Decision: Is confirmation positive? (Yes / No branches; connector A5.)
Follow Claims Guidelines for repudiation → End.
Markers shown on the chart: E1, C7, D1, C6.]

Claims process flowchart
[Flowchart, by swimlane:
Claims Analyst (Branch): connector A3 → Survey or conduct inspection process → File documents/inspection report in physical file for the claim → connector A4.
Claims Analyst (Branch): connector A5 → Follow up with claimant for missing documents → Update in system → Process Claim Files for Payment.
Finance & Accounts Dept.: Standard payment process.
Bank: Prints cheques; dispatches cheques to Insured using courier → End.
Markers shown on the chart: A2, A3, C1, C2, F1, C1, C8, C5, G1, B3, C9, C4, G2, C10.]

Risk Control Matrix
Risk No. A.1
• Activity: Claims Processing
• Risk Category: Strategic
• Key Risk: Non standardization of claims settlement
• Control No.: NA
• Description of Control Activity: Claims Dept has Board approved claims management philosophy in place. Claims Dept has a claim settlement SOP in place & the same is reviewed and updated periodically.
• Frequency Of Control: As needed
• Audit Test Step: 1. Obtain Board approved Claims Philosophy. 2. Obtain latest approved SOP developed by claims Dept.

Risk No. A.2
• Activity: Claims processing
• Risk Category: Fraud
• Key Risk: Occurrence of external frauds
• Control No.: C.1
• Description of Control Activity: A standardized process exists for appointment of surveyors/external service providers and allocation of work to external service providers.
• Frequency Of Control: As needed
• Audit Test Step: Inquire and obtain process defined for Surveyor empanelment.

Risk No. A.3
• Activity: Claims processing
• Risk Category: Fraud Risk
• Key Risk: Collusion between external vendors and claimant
• Control No.: C.2
• Description of Control Activity: Empanelment of authorized & preferred workshops is in place.
• Frequency Of Control: As needed
• Audit Test Step: Obtain list of authorized garages. Perform ratio analysis of claims settled cashless garage wise.

Risk No. B.1
• Activity: Claims processing
• Risk Category: Operational risk / Fraud
• Key Risk: Unauthorized claim processing and settlement
• Control No.: C.3
• Description of Control Activity: Adequate system controls exist to ensure no claims are booked without a valid policy number.
• Frequency Of Control: As needed
• Audit Test Step: Verify whether claims are processed only on the basis of valid policy numbers.

Risk Control Matrix (continued)

Risk No. B.2 (Control No. NA)
  Activity: Claims processing
  Risk category: Fraud
  Key risk: Collusion between staff from different departments / between staff & external party
  Description of control activity: Delegation of authority matrix is developed and adhered during claims processing at all times. Claims processing personnel do not have write access to policy issuance system. For employee claims, the payment authorization is required from Head claims.
  Frequency of control: As needed
  Audit test step: Obtain the Delegation of Authority matrix developed for claims processing. Obtain data of user ids of claims and policy system and check if claims user has a policy write access. For employee claims, verify the approval from head claims.

Risk No. B.3 (Control No. C.4)
  Activity: Claims processing
  Risk category: Fraud Risk
  Key risk: Unauthorized claim processing and settlement
  Description of control activity: Authorization for change of payee name is obtained in writing from the insured/claimant.
  Frequency of control: As needed
  Audit test step: Verify Claimant's letter instructing beneficiary name for which claims have to be settled vis-à-vis the Payee name.
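The B.2 audit test step (claims users with policy write access, and Head claims approval on employee claims) can be run over user exports from the two systems. This is an added example, not part of the original deck; the field names, access levels and all sample records are constructed assumptions.

```python
LEVELS = {"NONE": 0, "READ": 1, "WRITE": 2, "ADMIN": 3}   # hypothetical access levels

# Constructed exports, not real data.
CLAIMS_USERS = [                     # claims system user list
    {"user_id": "C.Rao ", "role": "claims_processor", "active": True},
    {"user_id": "m.iyer", "role": "claims_processor", "active": True},
    {"user_id": "s.khan", "role": "claims_processor", "active": False},
    {"user_id": "h.claims", "role": "head_claims", "active": True},
]
POLICY_ACCESS = [                    # policy issuance system entitlements
    {"user_id": "c.rao", "access": "write"},
    {"user_id": "M.IYER", "access": "read"},
    {"user_id": "s.khan", "access": "admin"},
    {"user_id": "u.desai", "access": "write"},
]
EMPLOYEE_CLAIMS = [                  # claims where the claimant is an employee
    {"claim_no": "CLM0101", "payment_authorized_by": "h.claims"},
    {"claim_no": "CLM0102", "payment_authorized_by": "m.iyer"},
    {"claim_no": "CLM0103", "payment_authorized_by": None},
]

def norm(user_id):
    """User ids rarely match byte for byte across two systems' exports."""
    return user_id.strip().lower()

def policy_write_conflicts(claims_users, policy_access):
    """Claims users (active or not) holding WRITE or higher on policy issuance."""
    level = {norm(p["user_id"]): LEVELS[p["access"].upper()] for p in policy_access}
    return sorted(
        (norm(u["user_id"]), "active" if u["active"] else "inactive")
        for u in claims_users
        if level.get(norm(u["user_id"]), 0) >= LEVELS["WRITE"])

def employee_claims_without_head_approval(employee_claims, claims_users):
    """Employee claims whose payment was not authorized by a Head claims user."""
    heads = {norm(u["user_id"]) for u in claims_users
             if u["role"] == "head_claims" and u["active"]}
    return [c["claim_no"] for c in employee_claims
            if norm(c["payment_authorized_by"] or "") not in heads]
```

Inactive claims accounts are reported too, because a disabled claims login that still holds policy write access is a finding in its own right.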
Risk Control Matrix (continued)

Risk No. C.1 (Control No. C.5)
  Activity: Claim Processing
  Risk category: Financial/Reputational
  Key risk: Inconsistent execution of policies leading to erroneous claims processing or incorrect claim payments or repudiation of claims
  Description of control activity: All claims are processed and paid or closed in accordance with the policy terms & conditions.
  Frequency of control: As needed
  Audit test step: Verify for the samples selected that claims are processed in accordance with the policy terms and conditions.

Risk No. D.1 (Control No. C.6)
  Activity: Customer Relationship
  Risk category: Reputation risk
  Key risk: Improper management of claims denial or failure to manage poor perceptions
  Description of control activity: Internal re-assessment of the claim is done and if required investigation by approved agency is initiated for doubtful cases or at the instance of claimant on case to case basis.
  Frequency of control: As needed
  Audit test step: Check for sample repudiations if, at the instance of the claimant request, repudiations are re-assessed by the Claims management & verify whether investigation by an independent agency is carried out to ascertain the validity of the denial.

Risk No. E.1 (Control No. C.7)
  Activity: Claim settlement
  Risk category: Operational risk
  Key risk: Claims may be settled without confirmation for collection of outstanding premium.
  Description of control activity: Policy booking system is interfaced with receipting system to ensure clearing status of premium collection instruments is updated on timely basis.
  Frequency of control: At all times
  Audit test step: Verify whether system interface exists between both systems for reflecting the correct status of receipt.
Risk Control Matrix (continued)

Risk No. F.1 (Control No. C.8)
  Activity: Reserve
  Risk category: Operational/Financial
  Key risk: Reserve created may be insufficient/over estimation of liabilities
  Description of control activity: The reserve provisioning philosophy is defined on a scientific basis with clearly defined assumptions.
  Frequency of control: One time
  Audit test step: Verify whether claims manual specify the minimum reserve creation for each line of business.

Risk No. G.1 (Control No. C.9)
  Activity: Claims Payment
  Risk category: Operational/fraud
  Key risk: All approved claims cheques not dispatched to insured.
  Description of control activity: Claims disbursal process is in place to ensure timely and safe delivery of claims cheques / remittance of funds through NEFT to beneficiaries/claimants. Finance Dept performs Bank reconciliation on monthly basis to identify open entries.
  Frequency of control: As needed
  Audit test step: Verify claims manuals to check whether a specific mention on the process of claim payments detailing mode of payment, beneficiary, payment authorizations etc. Perform data analytics on duplicate claims payment with same amount to same insured under single claims number.
Risk Control Matrix (continued)

Risk No. G.2 (Control No. C.10)
  Activity: Payment
  Risk category: Operational risk
  Key risk: Non timely payment of claims
  Description of control activity: Agreements are entered with the Bank, to ensure cheques are printed and delivered to the claimant on a timely basis.
  Frequency of control: At all times
  Audit test step: Verify the agreement for timely payment terms.

Risk No. H.1 (Control No. NA)
  Activity: Statutory compliances
  Risk category: Regulatory
  Key risk: Non compliance to IRDAI Regulations
  Description of control activity: Internal guidelines are in place to ensure compliance to IRDAI regulations at all times.
  Frequency of control: As needed
  Audit test step: Obtain and verify the Internal guidelines documents to ensure they are in line with IRDAI regulations.

Risk No. I.1 (Control No. C.11)
  Activity: Fraudulent claims
  Risk category: Fraud
  Key risk: Fraudulent claims registered and processed
  Description of control activity:
    1. Claims Management has defined red flags to be considered by claims processor at the time of claims processing.
    2. Claims processor has to review each case for possible red flag indicator & to check mark in the system.
    3. All Red flagged cases are reviewed by Investigation unit and guidance is provided in respect of the same.
  Frequency of control: As needed
  Audit test step:
    1. Obtain red flags list and verify that same is modified periodically.
    2. For sample files selected check whether the red flags are checked in system by the claims processor.
    3. Obtain the MIS of red flagged cases and verify the remark/guidance by the investigation unit.
Sampling techniques

- Obtain claims paid report from system/IT team for the audit period.
- Document in testing sheet the sampling method chosen. Some of the examples are as under:
    - Select a sample of 25 claims using the Random Sampling method.
    - Select a sample of 25 claims using the Judgemental Sampling method, i.e. claims above INR 1 crore.
    - Select a sample of 25 claims using the Judgemental Sampling method, i.e. claims with close proximity to policy inception and policy expiry date.
Red Flags Indicators

- Red Flags in OD Claims:
    ▸ The insured vehicle was hit by more than two cars
    ▸ Delayed reporting of accident
    ▸ Vehicle placed at a notorious garage which is known to engage in fraud
    ▸ No injuries in total loss claim
    ▸ Fresh opening mark on the nuts and bolts of the parts

- Red Flags in Theft Claims:
    ▸ Delay in lodging of FIR
    ▸ Delay in reporting of claim
    ▸ Close proximity cases

- Red Flags common to OD / Theft:
    ▸ Insured wants the claim to be settled early
    ▸ Insured does not want his family to know about the loss
Examples of data analytics in claims process

Test: Garage Payments
  Test objective: Perform garage-wise trend analysis of claims settled cashless to see any trend or pattern that could be a fraud trigger.

Test: Missing claim number
  Test objective: Perform data analysis on system list of claims paid to identify any missing claim number.

Test: TAT analysis
  Test objective: Perform data analysis on various internal TATs set by the Claims guidelines and as per IRDAI guidelines.

Test: Multiple claims from single insured
  Test objective: Perform data analysis on multiple claims on same policy number from single insured.

*TAT – Turn around time
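Three of the tests above (garage payments, missing claim number, multiple claims from single insured), together with the duplicate-payment test from risk G.1, run over a claims paid extract. This is an added example, not part of the original deck; the record layout, claim-number format and all sample rows are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed claims-paid extract, not real data:
# (claim_no, policy_no, insured, garage, amount_inr, cashless)
PAID = [
    ("CLM0001", "POL-11", "Insured A", "Garage X", 42_000, True),
    ("CLM0002", "POL-12", "Insured B", "Garage Y", 18_000, True),
    ("CLM0002", "POL-12", "Insured B", "Garage Y", 18_000, True),
    ("CLM0004", "POL-11", "Insured A", "Garage X", 65_000, True),
    ("CLM0005", "POL-13", "Insured C", "Garage X", 90_000, True),
    ("CLM0006", "POL-14", "Insured D", "Garage Z", 30_000, False),
    ("CLM0008", "POL-11", "Insured A", "Garage X", 51_000, True),
]

def missing_claim_numbers(rows, prefix="CLM", width=4):
    """Gaps in the claim-number sequence between the lowest and highest number paid."""
    seen = {int(r[0][len(prefix):]) for r in rows}
    return [f"{prefix}{n:0{width}d}" for n in range(min(seen), max(seen) + 1) if n not in seen]

def duplicate_payments(rows):
    """Same amount paid more than once to the same insured under one claim number."""
    counts = Counter((r[0], r[2], r[4]) for r in rows)
    return {key: n for key, n in counts.items() if n > 1}

def multiple_claims(rows, min_claims=2):
    """Insureds with several distinct claims on the same policy number."""
    claims = defaultdict(set)
    for claim_no, policy_no, insured, *_ in rows:
        claims[(policy_no, insured)].add(claim_no)
    return {key: len(v) for key, v in claims.items() if len(v) >= min_claims}

def cashless_share_by_garage(rows):
    """Each garage's share of the total cashless amount settled (ratio analysis)."""
    totals = Counter()
    for _, _, _, garage, amount, cashless in rows:
        if cashless:
            totals[garage] += amount
    grand_total = sum(totals.values())
    if not grand_total:
        return {}
    return {g: round(t / grand_total, 3) for g, t in totals.most_common()}
```

A missing number is a lead for follow-up rather than a finding: the claim may be open, repudiated or cancelled, so the gap list is compared against the full claims register.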
SUMMARY OF AUDIT FINDINGS AND DISPOSITIONS

Sr. No. | LINK TO FINDING | SUMMARY OF FINDING | DISPOSITION OF ITEM | ITEM NUMBER IN REPORT | REASON NOT REPORTED | WHO DISCUSSED WITH
1.      | ISS.1           | Xxx                | Reported            | Issue # 1             | NA                  | Relevant stakeholders
2.      | ISS.2           | Xxx                | Reported            | Issue # 2             | NA                  | Relevant stakeholders
3.      | ISS.3           | Xxx                | Reported            | Issue # 3             | NA                  | Relevant stakeholders
4.      | ISS.4           | Xxx                | Not Reported        | NA                    | xxx.                | Relevant stakeholders

Q&A
Thank You!