1. If one needs to evaluate the possible reasons behind the collapse one of the main factor would be the company’s policy in regard to prudential margins. In 2003, when the Royal commission published its reports on the main reasons of failure of HIH, the primary reason established was mismanagement and inadequate response by the company to emerging challenges internationally for the insurance industry.
In the year 2005, the CEO of HIH insurance was sentenced to jail for three transactions conducted during 1998 and 2000 which significantly altered the financial position of the company during the period. The three transactions that were referred are charged with signing of letters which are misleading, case of material omission and authorizing misleading financial statements which resulted in overstating profits of the company in the year 1998-99 (McNeil, 2015).
When there is a possibility of any of the three groups of HIH Insurance audit triggers — revenue, organizational or technical — could be affected, sourcing and vendor management leaders should invest in HIH Insurance-specific software asset management (SAM).
Those sourcing and vendor management leaders who are pursuing cost optimization initiatives will be challenged by an audit request when license spend decreases from previous years.
Auditor surveys indicate cost optimization is the top priority for procurement professionals, which can run counter to HIH Insurance's need to grow its revenue and earnings (Neves, 2014).
In order of importance, here are the most likely revenue-related triggers that tend to lead to an HIH Insurance audit:
- Failure to renew your Unlimited Licensing Agreements (ULAs) — Like most vendors, HIH Insurance wants the ULAs' (typically three-year) committed revenue stream. For those customers who already have a ULA and do not renew, the standard self-certification at the end of the ULA can easily turn into a formal and more wide-ranging audit.
- HIH Insurance loses an RFP for new business — Our research indicates this is an especially potent trigger, especially if the competitor is a cloud service provider (Reamer, 2013).
- Significant decrease in license spend — Our interactions with clients indicate that those customers who have not increased their license or cloud spend over an 18-month period and have no imminent intention to do so will likely be singled out for an audit.
- Reluctance to move from on-premises to HIH Insurance's cloud offerings — HIH Insurance has been very aggressive in proposals for moving its existing on-premises customers to its cloud offerings. HIH Insurance has also been known to pay its sales force between 3x to 8x higher commission when achieving a cloud sale.
- Moving (or contemplating a move) to third-party support — Due to inflexible HIH Insurance support policies, third-party support options have become a viable option for those companies looking to reduce their HIH Insurance support cost. Auditor has seen a significant increase in inquiries relating to independent third-party support for HIH Insurance. HIH Insurance support and maintenance revenue streams are very profitable at a +90% net profit level and are understandably well-protected (Sadgrove, 2016)
For operations and compliance managers in regulated industries, the cost of functions associated with legal concerns has been an area of heightened scrutiny. Flexible fee arrangements and write-offs have been applied to lower billing rate work, such as due diligence. Automation and efficiency-gaining technologies can improve an organization's bottom line.
Although law firms may be in a more-complex position when implementing newer technologies, such organizations can gain competitive advantage through appropriate decision making and the implementation of the right solution for their needs. Law firms that are capable of applying cutting-edge technologies can outperform those that are not, because the former operate more competitively by removing less-interesting work from legal practitioners and providing better services to their clients. Additionally, NLP for legal practices could leverage some of the knowledge management outcomes built by the organization in the past decade. Another practical use for NLP is RFP development for new business opportunities. These solutions could be used to gather relevant legal content and cost intelligence more quickly and efficiently.
2 The failure of FSPs is a common driver for M&A activities in this region, often involving government intervention. For instance, Australia's bankrupt insurance company, HIH was acquired by several FSPs such as NRMA, Allianz and QBE Insurance, each acquiring different business lines of HIH.
It is very important to note that in two years prior to collapse of HIH insurance, share prices of the company has fallen sharply. It means that investors were reading in between the reported lines. The investor sell out was majorly a response to poor financial results of the company and the significant asset sales which the company conducted. The objective highlighted behind the asset sales was improvement of the balance sheet and to fund insurance claims, however this was considered to be highly negative for the company as lot of good assets also went out of system during the whole process. The total amount paid for auditor and consulting service during the year 2000 was in tune to $3.3 million.
ASIC’s investigation also led to criminal prosecution of 9 other senior executives and directors of HIH insurance.
It is known that 100% protection is not possible. In turn, 100% assurance on protection is not possible. It is the auditor's job to identify weaknesses, gaps and potential risks. This is part of a higher goal for the audit function to provide a level of assurance on controls implementation meant to protect information assets. Security professionals should not treat audit findings as an inflexible requirement — treat these findings as an opportunity to open a dialogue with the auditors for mutual learning, improvement and increased stakeholder satisfaction. If you choose not to implement the recommendation, or if you choose a different solution, it should be supported by an approval process and should be documented (Smith, 2013).
An audit finding required proof that all code and database changes to ERP applications could be traced to specific changes authorized within the formal change management system.
- Risk factors: If change tracking and change control processes are not implemented and enforced, changes could be made that inadvertently disrupt service or create a risk of exposure allowing misuse of business-critical data or customer data.
- Challenges: There were more than a half million lines of code that had to be correlated to thousands of physical changes that then each had to be associated with one of the several hundred change tickets. It is not practical or cost-effective to attempt to track that level of change.
- Solution: The level of change management is determined by the value it provides in securing the business or preventing business disruption. Tracking all possible changes, especially from a third-party service provider, without just cause is neither reasonable nor operationally possible. While it may be useful to have the capability to investigate a specific change when there is an outage or wrongdoing is suspected, it is not useful to track the hundreds of thousands of database changes. Robust change and configuration processes (as described earlier) should be in place and complemented by tools to automate ticketing and configuration tracking (Schwalbe, 2015).
3. HIH would have want prior members of its external audit teams so that they can update on the financial gaps which exist and then hide it from the main system and reporting. This would be the primary reason behind recruiting people who have been involved in your company’s audit. It is easier to conclude as now we have chain of events which led to the whole audit process fallout at HIH. A contract in which a service provider shares in benefits realization risk is strongly to the advantage of the buyer. Depending on the relative strength of the buying organization and the service provider, it may be necessary to offer service providers a share in the "upside" — in other words, a part of the rewards or benefits the buying organization would achieve if business outcomes exceed expectations. Many negotiations on business outcome contracts fail, because the buyer's senior executives are unwilling to share any of the gains of overachievement. Sometimes, this is seen simply as good hard-nosed procurement practice. Sometimes, there are administrative challenges in budgeting for a purchase where the payment amounts are not yet finalized. These can be solved by capping upside payments. There are advantages in offering upside. Firstly, it is nearly always affordable, because it is only triggered by overachievement of the business outcome. In the fictional example above, a 10% increase in payments to the service provider can easily be funded by a 10% overachievement in product revenue. Secondly, sharing rewards builds trust between the buyer and the service provider. Lastly, the prospect of improved revenue and margins makes most service providers open to taking on more risk (Schneider, 2014).
It is advantageous to have same firm provide for the audit and consulting service as the other vendor would need to draw a new baseline and study the firms, however if they are same auditor already know a lot about the company. A service provider that is financially strong will see business outcome contracts as a way of expressing partnership, using its financial strength to align its interests with those of its customers. Less-strong service providers may be concerned about their ability to recognize revenue on projects, about the cost of financing the cash flow and about the risk that they will be paid late or in part. In these cases, improving the service provider's share in upside can be an effective negotiating technique (Teller, 2014).
During a mandated regulatory review, the auditor requests ongoing certification of the access qualifications of control owners, as well as of the individuals generating control reports. Just two weeks prior to the on-site audit, the auditor asked for the code (see Note 4) for all the reports used for access reviews or submitted as supporting evidence — and asked to observe the reports being run (Willcocks, 2013).
- Risk factors: Lack of assurance on a possible deficiency in the monitoring of access privilege controls for that audit period.
- Challenges: The auditor's request will be extremely difficult to comply with in two weeks because of existing demands on personnel time.
- Solution: If it is not possible to meet the timeline, request an extension. Provide change management processes applicable to the access certification process and access privilege monitoring procedure to the auditor. Also, provide evidence that updates to access configuration were made. If a request cannot be met within two weeks, remind the auditors that all data requests should have a mutually agreed upon timeline. Any additional requests for data and resources should be considered changes. Use project management methodologies to help keep audit requests in scope and audits on schedule.
Today's complex business environment is subject to increasing regulation. In the past few years, regulations as diverse as the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act, Basel II, Clerp 9, New York Stock Exchange and NASD regulations, the USA Patriot Act and others have forced enterprises to become accountable and transparent with their data. Under pressure from these regulations and potential legal liability, enterprises struggle to achieve a "single source of the truth" — the idea that one set of data can be trusted as being fully accurate and accountable. This has been a challenge because structured data has traditionally been stored in databases, while unstructured data (for example, documents and images) has resided on desktops, in file systems and in content management systems. The drivers for greater unification are clear, and compliance is only one of many forces pushing organizations to achieve a more integrated view of their enterprise data.
- McNeil, A. J., Frey, R., & Embrechts, P. (2015). Quantitative risk management
- Neves, S. M., da Silva, C. E. S., Salomon, V. A. P., da Silva, A. F., & Sotomonte, B. E. P. (2014). Risk management in software projects through knowledge management techniques: cases in Brazilian incubated technology-based firms.International Journal of Project Management, 32(1), 125-138
- Reamer, F. G. (2013). Social work in a digital age: Ethical and risk management challenges.Social work, swt003
- Sadgrove, K. (2016).The complete guide to business risk management. Routledge
- Schneider, E. C., Ridgely, M. S., Meeker, D., Hunter, L. E., Khodyakov, D., Rudin, R., ... & Harpel, J. (2014). Promoting patient safety through effective Health Information Technology risk management.Santa Monica, CA: RAND
- Schwalbe, K. (2015).Information technology project management. Cengage Learning
- Smith, K. (2013).Environmental hazards: assessing risk and reducing disaster. Routledge
- Teller, J., Kock, A., & Gemünden, H. G. (2014). Risk management in project portfolios is more than managing project risks: A contingency perspective on risk management.Project Management Journal, 45(4), 67-80
- Willcocks, L. (2013).Information management: the evaluation of information systems investments. Springer