OIA Status Report March 2015 - Citizens Property Insurance

THE OFFICE OF THE INTERNAL AUDITOR STATUS UPDATE
MARCH 17, 2015
Since the last Audit Committee meeting, the OIA has focused on providing consultative
support to management and the Corporation and finalizing the execution of audits against the
approved audit plan.
2014 Annual Report
Florida statutes require the Chief of Internal Audit to submit an annual report on or before
February 15, summarizing the activities of the OIA during the preceding fiscal year. Per statute
this report should include, but not be limited to, the following:
- An evaluation of the effectiveness of Citizens’ internal controls
- Recommendations for corrective action, if necessary
- Summaries of the audits, reviews and investigations conducted by the office
We delivered this report to Citizens’ Board of Governors, the Executive Director, the members
of the Financial Services Commission, the President of the Senate and the Speaker of the
House of Representatives to comply with Florida statutes and to provide information on how
the OIA accomplishes its mission. A copy of the report is included later in the Audit Committee
materials.
2015 Audit Plan Execution
OIA follows a risk-based approach in developing and monitoring progress in delivering the
audit plan. As we reassess our understanding of the enterprise risks managed within the
organization and consider the changing operational challenges, we continually reassess our
plan, thereby confirming that it continues to provide the expected assurance and that audit
resources remain appropriately focused. Since the previous meeting, we assessed the overall
plan coverage for 2015 and identified some additional focus areas for inclusion in the plan.
These include a targeted review of a vendor scoring spreadsheet in development; and an audit
of a newly developed Claims Quality Assurance Program. In order to provide for these projects
we deferred an audit of the Special Investigations Unit (SIU). Following discussion with
executive management, we reassessed audit engagements on the plan and agreed to cancel
the following projects following risk mitigation action taken by the respective business units:
an assessment of the CORE Project spending, and an audit of the Sinkhole Managed Repair
Program.
Progress against Plan
During the course of December and early January, we focused on the completion of audits
remaining on the 2014 audit plan. The following graph represents progress to date on the
2015 audit plan. We have thirty-four audit engagements scheduled for the year, and so far, we
completed three engagements with six others in progress.
[Pie chart: Progress Against Plan. Completed 9%, Draft Report 6%, In Progress 18%, To Do 67%]
We completed five audit engagements since the last Audit Committee meeting:
- Network Assessment (Audit)
- Legal Firm Reimbursement (MAS)
- Sinkhole Settlement Process (MAS)
- Vendor Scoring Spreadsheet (MAS)
- Audit work completed in assistance to the External Auditors
OIA further contracted with a vendor and provided consulting services to IT Risk and Security
with the development of a comprehensive Enterprise Data Incident Response Plan.
Summary of Audit Results
The following represents a brief summary of the audit work completed and presented to
management. Detailed copies of the reports and memorandums have been included in this
presentation for your consideration.
- Network Assessment (Needs Improvement) - The objective of the audit was to
evaluate the adequacy and effectiveness of vulnerability management processes
implemented to safeguard Citizens’ computer network and ensure that the network
security and availability adequately support the objectives of the business. A specialist
vendor supported the audit and the scope of the work included comprehensive
assessments of potential external, internal and Wi-Fi vulnerabilities.
Results from our work confirmed that a number of security enhancements have been
made in the cyber security realm over the past two years. Following the onboarding of a
Director of IT Security and Risk, a greater focus has been placed on the management of
privacy and security risks with the implementation of a privacy framework comprised of a
privacy policy, an information security policy and an information classification and
handling policy. Greater emphasis was placed on enhancements and tools associated
with vulnerability management and penetration testing processes. Notwithstanding these
changes, this audit highlighted the need to further improve and develop network security
in order to adequately secure against penetration risk. Management agreed with the
details of our findings and corrective action.
- Legal Firm Reimbursement (Memo) - The objective of this review was to evaluate the
adequacy and effectiveness of the recently developed reimbursement process to ensure
appropriate recording and monitoring of reimbursement payments.
We concluded that the practices in place for the management of reimbursements from
the legal defense firm are informal and incomplete and management corrective action
plans are currently underway to resolve it.
- Sinkhole Settlement Process (Memo) - The objective of this review was to evaluate
adequacy of the control design for the processes specifically developed to handle the
claims covered by the global sinkhole settlement agreements.
We confirmed that adequate procedures were developed and appropriate controls are in
place to manage the intake and validation of settlement agreement participants, pay
policyholder’s attorney fees, set appropriate reserves, and provide communication with
policyholders and external stakeholders. In addition, we noted that development began
on a Quality Assurance program, with the objective to assess samples of claim files to
ensure compliance with the settlement agreements.
- Vendor Scoring Spreadsheet (Memo) - Purchasing requested that OIA review the
functionality and mechanics of an Excel spreadsheet (RFP 14-0019 –
MasterBidTabSheet) to ensure individual and cumulative scores, including vendor
ranking, are accurately calculated. The spreadsheet is designed to assist with the
scoring of vendor responses during the solicitation process. We noted that the
spreadsheet was well developed, appropriately protected and will satisfy the stated
objective. A minor exception was noted, and some enhancement recommendations that
would improve the mechanics of the spreadsheet have been discussed and corrected.
- Audit work completed in assistance to the External Auditors (Memo) – In support of
Johnson Lambert LLP and their annual financial attestation we completed specific audit
procedures. Our work focused primarily on assessing the adequacy and effectiveness of
key controls related to depopulation wire transfers, cash disbursements and loss
reserves processes.
We noted that controls associated with the processes audited are generally well
designed and operating effectively. In addition, management and staff members are very
knowledgeable and embodied a strong culture of ethics and control awareness. OIA has
provided the testing work papers and results to Johnson Lambert LLP.
- Enterprise Data Incident Response Plan (Consulting) – In support of the business OIA
contracted with a vendor to work with Citizens in the development of an Enterprise Data
Incident Response Plan. Following a potential data security incident earlier in 2014, OIA
noted that there is a need to formalize a process for classifying and responding to data
security incidents at an enterprise level. Previously, a technical computer incident
response plan had been developed but it was focused primarily on computer forensics
response actions. OIA coordinated a project that included appropriate executives,
business units and subject matter experts to develop a plan that would extend across the
business and incorporate all potential areas of impact and coordinated response actions
required for a data security incident. The plan was completed in January and Executive
Leadership Team approval is forthcoming. The Director of IT Security and Risk will
manage the Data Incident Response program and plan going forward.
Update on Citizens Internal Control Framework Project
Since the last Audit Committee meeting, the project team completed a project scope and plan
and agreed specific focus areas and timelines with stakeholders. At the same time, we have
concluded our first process review using the Claims Litigation Support area as our project pilot.
Thanks to the pro-active involvement of the Claims Litigation Support staff, as well as the hard
work of the ICF support team, we were able to document the process in its entirety along with
their respective objectives, risks, and controls, assess the design and operating effectiveness
of those controls, identify any missing controls or potential control enhancements, and identify
process improvement opportunities - all within planned timelines. Some positive highlights
from that pilot program included a few control enhancements that, once implemented, would
enhance information security and reporting accuracy. In addition, process efficiency
enhancements were identified that could provide significant savings in time per matter
processed by the various Litigation Support units.
With the exception of the IT resource required to support the rollout of COBIT, the ICF team
has been assembled and trained on their responsibilities and expectations. As a refresher, the
team is comprised of:
The project is jointly sponsored by The Chief Financial Officer and the
Chief of Internal Audit. A Project Leader was provided by OIA while
Finance, ERM and IT recruited (or are recruiting) staff to manage the
project implementation and beyond. The Business Process Improvement
unit has provided a dedicated specialist (sigma black belt) to assist with
the documentation of the control processes and identification of potential
process improvements.
Finally, concerning the supporting risk & control management system, we are currently
working with the Procurement function to release a solicitation with the intent to procure and
implement a system during the 2nd quarter of 2015.
Work In Progress
OIA has six engagements in progress:
- Key Accounts (Draft report issued)
- IT GCC External Audit Support (Draft report issued)
- Independent Adjuster Spend
- General Expense Management
- Rate Accuracy
- Contract Administration
- Citizens Internal Control Framework Project
Staffing, Development and Training
Within the department, we have three vacancies. We are currently searching for a Senior
Internal Auditor with finance and insurance operational experience as well as two Senior
Internal Auditors with forensic audit experience. We recently appointed Anthony Huebner as a
Senior Internal Auditor. He has more than 10 years of insurance and reinsurance experience.
Most recently, Anthony served as Senior General Auditor for Guardian Life Insurance Co.,
where he conducted operational and financial internal audits and performed external audit
assurance testing. Prior to Guardian, Anthony served in various audit capacities at Swiss Re
and White Mountain Re. Anthony is a Certified Internal Auditor and has provided internal audit
support for underwriting, claims, reinsurance, finance, treasury, accounting, operational,
Sarbanes-Oxley (SOX) and information technology audits. He earned his Bachelor of Science
degree in finance and a minor in information systems from Clarkson University, Potsdam, NY.
OIA is dedicated to the professional development of its staff to ensure continuous growth of
knowledge, skills and other competencies throughout the year. For this purpose, each audit
staff member developed an Individual Development Plan (IDP), in alignment with position
specific competencies, which provides focused guidance towards personal growth through
targeted training. We encourage and periodically review achievement of identified training
needs.
OIA Administration
OIA is continuously refining its audit processes and procedures (standards) in order to ensure
that its work product aligns to acceptable audit practice and it remains a credible and
sustainable internal audit function for Citizens. These standards are used to deliver audit
engagements efficiently, effectively and in accordance with professional standards. Our
engagement standards align with The Institute of Internal Auditors (The IIA’s) International
Professional Practices Framework (IPPF).
Annual Charter Update and Review
Citizens Audit Committee Charter
The primary function of the Citizens Property Insurance Corporation (Citizens) Audit
Committee (Committee) is to assist the Board of Governors (Board) in fulfilling its oversight
responsibilities for the financial reporting process, system of internal controls and risk
management, Citizens’ compliance with legal and regulatory requirements, the qualifications,
independence, and performance of the external auditors and internal audit function.
The Audit Committee Charter is the formal written document that defines the authority and
responsibility of the Committee as delegated by the Board. The Audit Committee Charter was
originally approved during the March 13, 2008 Board of Governors meeting with subsequent
approvals annually thereafter. This year’s review of the Charter did not reveal any specific
need for revision. If there are no changes from the Committee, I recommend that the
Committee approve the charter in its current form.
Citizens OIA Charter
The Office of the Internal Auditor departmental Charter is the formal written document that
defines the OIA purpose, authority and responsibility. The charter establishes the OIA position
within the organization, authorizes access to records, personnel and physical property relevant
to the performance of engagements, and further defines the scope of the OIA activities. The
Audit Committee last reviewed and amended the charter in March 2014.
This year’s review of the Charter did not reveal any specific need for revision. If there are no
changes from the Committee, I recommend that the Committee approve the charter in its
current form.
Control Deficiency Resolution
As of February 28, 2015, there are twenty-six remaining open items. Overall, open items
generally receive adequate business focus and implementation of agreed corrective action is
managed well.
Of the remaining issues, there is one high rated item, which relates to the follow-up and
possible recovery of overbilling by attorneys. Progress with this issue has been relatively slow
with six attorney firms under review. We are conducting detailed file reviews, for each firm, in
order to assess their billing practices. For three of the six firms we completed the detailed file
reviews and presented a comprehensive demand. One of the firms settled the amount
demanded in full while the other two firms are less responsive and may progress into litigation.
Five open issues are currently past their target completion dates. These relate to:
- Specific security protection mechanisms have not been implemented based on the risk
and sensitivity of certain data elements. In addressing the issue, IT management started
a project to identify and mitigate security control gaps. This project is underway and, as a
first step, management tasked the participants to develop a comprehensive remediation
plan. We foresee that this issue will be closed by OIA once the plan is developed and
remediation is in progress. Delivery of the planned initiatives will be monitored.
- The security controls over SQL database servers need improvement. Best practices
require that servers be installed with the minimal options required for functionality to
ensure that systems are not more vulnerable to individuals using the weaknesses in
those programs to access the systems. The implementation of initiatives to resolve this
issue was delayed due to unexpected loss of key Database and System administrator
staff members. Management has extended the project delivery date to June with
approximately 30% of the project completed to date.
- Certain encryption controls require improvements within the Citizens Insurance Suite. IT
management indicates that additional security controls have been added to this project,
causing the delay. Management is targeting March month-end to complete the work.
- Segregation of duties related to the Citizens Data Warehouse (CDW) needs to be
revisited as developers have access to production systems. The CDW automation
project, which would address segregation weaknesses, was deferred. In the interim,
management indicates that a series of compensating controls have been developed
along with a process document addressing separation of duties. A new target date is
forthcoming.
- Although a social media policy was developed and implemented, an internal procedures
document has not yet been created outlining specific internal processes specific to the
program. The program is relatively new within the company, and as such, processes are
still being developed and enhanced.
[Bar chart: Open Items by Risk Rating, showing the number of open items rated Low, Medium and High at 9/30/14, 10/31/14, 12/31/14 and 2/28/15]
Audit Dashboard
The Office of the Internal Auditor February 28, 2015 audit dashboard reporting statistics are
included in the Audit Committee materials for review. The productive hours reported are in line
with projections and the OIA productivity percentage of 71% is within the targeted range of 70-75%.
Recommendations
The Chief of Internal Audit recommends that the Audit Committee approve both the Audit
Committee and the Office of the Internal Auditor Charters.