
June 17, 2025

The Evolving Role of Internal Audit in MAR and SOX Compliance—And Beyond

Within insurance organizations, the internal audit function has traditionally centered on compliance, risk mitigation, and internal controls testing. While these responsibilities remain critical, particularly under the Model Audit Rule (MAR) and Sarbanes-Oxley Act (SOX), internal audit’s role is evolving. Today, it goes beyond fulfilling obligations to creating value.

Internal auditors are increasingly acting as strategic advisors, helping organizations anticipate emerging risks, strengthen governance, and improve operational performance. This shift comes at a time when insurers face growing pressures, such as cybersecurity threats, an increase in natural disasters, and ongoing economic volatility. 

At Johnson Lambert, we partner with insurers to unlock the full potential of internal audit. We see firsthand how a proactive, advisory-based approach to internal audit can bridge compliance and strategy, ultimately strengthening business resilience.

Understanding MAR and SOX Compliance

To fully envision how internal audit can evolve beyond compliance, it’s helpful to revisit the regulations that most directly impact insurers. Both MAR and SOX mandate stronger oversight and internal controls, yet each carries unique requirements: 

  • Model Audit Rule: Developed by the National Association of Insurance Commissioners, MAR introduces regulatory requirements when insurers surpass $300 million and $500 million in direct written premiums. These include enhanced audit committee oversight, a formal internal audit function, and Management’s Report on Internal Control over Financial Reporting (ICFR). 
  • Sarbanes-Oxley: Enacted in the wake of financial scandals like Enron and WorldCom, SOX protects stakeholders from fraudulent financial reporting by mandating rigorous ICFR for publicly traded companies. Section 404, in particular, holds management accountable for assessing and reporting on the effectiveness of financial controls.

Despite differences in scope, both regulations require a disciplined, risk-based approach to internal controls, making a strong internal audit function essential for sustaining compliance.

From Compliance Function to Strategic Partner

For forward-thinking insurers, MAR and SOX are merely the starting point. A mature internal audit function does more than check boxes. It leverages comprehensive risk assessments, strategic use of control matrices and audit programs, and a commitment to continuous improvement to drive tangible results. In doing so, internal auditors transcend the role of gatekeepers to become coaches, consultants, and strategic advisors with unique insight into governance and risk. The most effective teams:

  1. Provide Independent Assurance: By integrating thorough risk assessments and well-documented control matrices, internal audit delivers objective evaluations of governance and enterprise risk management, minimizing financial misstatements and ensuring readiness for MAR/SOX. Early detection of vulnerabilities and actionable guidance help limit disruptions to key insurance operations such as underwriting and claims processing.
  2. Identify Emerging Risks: Cybersecurity, data privacy, and digital transformation pose critical challenges for insurers. A forward-looking internal audit function uses analytics and automation to pinpoint potential issues, such as an unprotected payment data feed or an outdated system, before they escalate into material risks.
  3. Enhance Efficiency for MAR & SOX Compliance: Supplementing risk-based test planning, control rationalization, and automation with training and coaching is key to streamlining compliance. In practice, this means helping process owners self-assess controls and embedding continuous monitoring tools that reduce time-consuming manual checks. The result? More resources freed for higher-value activities, turning compliance from an operational burden into a strategic advantage.
  4. Act as Strategic Advisors: Going beyond routine audits, internal audit consults on decisions shaping an insurer’s future, whether that’s launching a new product line, expanding into niche markets, or reimagining claims workflows. By connecting day-to-day control activities with broader business goals, they provide data-driven insights that guide leadership through opportunities and emerging threats without compromising robust risk management.
  5. Drive Remediation & Continuous Improvement: Instead of simply flagging deficiencies, internal audit partners with business units to implement sustainable fixes, reinforcing a culture of proactive risk management. 

By taking on these expanded responsibilities, internal audit becomes an indispensable partner for insurers looking to remain competitive today, delivering stronger governance, more efficient compliance, and proactive risk management. Yet building a truly strategic internal audit function also prepares insurers for tomorrow’s challenges, from new technologies to global uncertainties.

Internal Audit and Future Readiness

Even with a more strategic internal audit function in place, insurers can’t afford complacency. New technologies, evolving regulations, and shifting market dynamics all create fresh risks and opportunities. Here are a few emerging priorities that proactive, tech-enabled internal audit teams are tackling right now:

  • Cybersecurity and IT Governance: With cyber risks on the rise, boards and leadership increasingly rely on internal audit to review incident response plans, system access controls, and vendor oversight, ensuring that critical data remains protected.
  • AI and Automation Risk: As insurers deploy AI tools across underwriting, claims, and finance, internal audit helps evaluate ethical use, data governance, and algorithmic accuracy, preventing unintended consequences and reputational harm.
  • Natural Disaster Preparedness: Severe weather events are posing new challenges for underwriting, claims management, and financial risk. Internal audit can assess process readiness, data integrity, and compliance to help insurers respond effectively.
  • Continuous Risk Monitoring: Rather than relying solely on periodic audits, leading teams are moving toward ongoing assessments, leveraging real-time analytics to detect anomalies, bolster controls, and drive more proactive decision-making.

Focusing on these emerging priorities ensures that internal audit remains not just a compliance hub, but also a key player in strengthening an insurer’s ability to adapt and thrive.

Turn Internal Audit into a Catalyst for Growth

At Johnson Lambert, we help insurers build, optimize, and modernize internal audit programs through outsourced, co-sourced, or consulting arrangements—all through a strategic lens that makes internal audit more efficient and more valuable.

Ready to align your internal audit strategy with your business goals? Partner with Johnson Lambert to:

  • Evaluate your internal audit program against MAR and SOX requirements
  • Enhance internal audit quality through automation and risk-based testing
  • Strengthen governance and resilience across your enterprise

Contact us to discover how we can help you transform compliance into a catalyst for sustainable growth.

Kim Mobley

Partner

Matt Kranisky

Managing Director - Internal Audit

Jordan Fulbright

Senior Manager - Internal Audit

