Verisk’s Internal Audit Department evaluates whether the Company’s network of risk management, control, and governance processes, as designed and promulgated by management, is adequate and functioning in a manner that ensures the following outcomes, among others:
To protect the independence of the Internal Audit Department, its personnel report to a Chief Internal Auditor, who reports administratively to Verisk’s General Counsel and functionally to the Audit Committee of Verisk’s Board of Directors.
The Audit Committee of the Board establishes, maintains and assures that the Internal Audit Department has sufficient authority to fulfill its duties. The Audit Committee approves the Internal Audit Department’s charter and its annual risk-based audit plan, monitors performance relative to the plan, and engages with management and the Chief Internal Auditor to determine whether the scope of its activities is appropriate and accompanied by adequate resources.
The Chief Internal Auditor meets quarterly with the Audit Committee in executive session.
The Internal Audit Department governs itself by adherence to the mandatory elements of the Institute of Internal Auditors (IIA) Global Internal Audit Standards, including the International Professional Practices Framework for the Professional Practice of Internal Auditing, Code of Ethics, and Definition of Internal Auditing. The Chief Internal Auditor reports periodically to senior management and the Audit Committee of the Board regarding its conformance to the IIA Code of Ethics and Standards.
The Internal Audit Department develops a detailed annual plan for consideration by the Audit Committee of the Board. A typical plan may include engagements related to (1) the effectiveness of internal controls over financial reporting, such as those associated with Sarbanes-Oxley Section 404 Compliance; (2) assurance audits, such as reviews associated with licensee royalty payments, data security and privacy, compliance with government regulations and contractual provisions; and (3) consulting services that serve proactively to mitigate risk.
Once the annual audit plan is approved, engagements are conducted in accordance with their objectives and scope, the assignment of appropriate and adequately supervised resources, and the documentation of work programs and testing results. As each engagement is completed, the applicable conclusions and recommendations are communicated to the appropriate parties, including senior management, and the status of any corrective action is subject to regular follow-up review and management reporting on progress. Periodic reports are issued to the Audit Committee summarizing the results of these engagements.
In addition to subject matter engagements, which may vary from year to year, the audit plan also incorporates activities associated with Verisk’s Continuous Control Auditing (CCA) platform, which consists of both automated and manual control testing techniques designed to augment manual financial transaction audits and periodic sampling with 100% real-time coverage of essential day-to-day operations. CCA enhances Verisk’s ability to identify and prevent fraud, errors, and operational policy violations. It also identifies opportunities for consideration that could improve operational efficiency and margins. Its Financial Transactions Analytics highlight potential billing irregularities, duplicate payments and credits, purchase authorizations, and more. Non-Financial Transactions Analytics range from reporting line conflicts of interest to journal entries created and approved by the same person.
Verisk has also implemented a Cloud Computing Monitoring program designed to identify, report, and track activity associated with configuration rules and vulnerabilities within Verisk’s cloud-based data processing platforms.