Overview

As The Andover Companies (Andover), one of the largest mutual insurance groups in the Northeast, grew, it sought to address regulatory requirements and optimize its internal audit function proactively. Recognizing the need for a trusted partner with deep insurance knowledge, Andover partnered with Johnson Lambert to assist in this endeavor.

Johnson Lambert began its relationship with Andover as an outsourced internal audit partner, helping Andover accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes through independent, objective assurance and advisory activity. As the internal audit relationship matured, Andover hired an in-house internal audit manager to continue to grow the function.

Johnson Lambert now provides co-sourced internal audit services to Andover, working directly with the internal audit manager to run the internal audit function.

“The Johnson Lambert team is a valued partner in strengthening our cyber security posture in principle and practice. In addition to proficient audits, professional staff, and insights, Johnson Lambert has provided pragmatic support on our adoption of NIST CSF 2.0, AuditBoard, GenAI policy validation, and other improvements to our overall risk and governance program within IT.”

Kevin McNamara

Vice President and Information Security Officer


Challenges

While Andover was eager to embrace internal audit as a tool for continuous risk management, control, and governance improvement, the company faced several challenges that required guidance and support:

  • 01 Regulatory Compliance

    With Andover nearing the NAIC Model Audit Rule (MAR) and Massachusetts Regulation Section 26.17 threshold, the organization needed to establish an internal audit function to comply with applicable regulations.

  • 02 Limited Internal Resources

    Andover's internal team was focused on day-to-day operations and innovation initiatives, leaving limited bandwidth for the development of an internal audit function.

  • 03 Keeping Up with the Pace of Change

    Andover takes pride in proactively exploring new technologies and ideas to optimize organizational performance and be the easiest carrier to work with. The company wanted to partner with Johnson Lambert to enhance its risk management, control, and governance processes to address risks presented by new initiatives.

  • 04 Rationalizing the Control Environment

    The management team at Andover worked with another service provider to develop its MAR compliance approach. Andover wanted Johnson Lambert’s objective and independent point of view to rationalize its IT general controls and streamline its IT MAR compliance process.


The Solution

The Process

Johnson Lambert took a proactive approach, working closely with Andover to understand its risk management, governance, and internal control processes. To help Andover optimize its internal audit resources to align with organizational objectives, Johnson Lambert followed a systematic process:

  • 01 Strategically Prioritize Internal Audit Work

    Helped Andover prioritize its forthcoming internal audits by facilitating an entity-wide risk assessment. An internal audit plan was developed based on assessed organizational risks, compliance concerns, and project timelines, ensuring this work was approached in a way that delivered the most value to the organization. Supplemental consulting projects, such as role-based access review and control mapping, were also added to address specific risk areas and improve the overall control environment.

  • 02 Execution of the Internal Audit Plan

    Conducted a mix of internal audits and advisory projects to provide Andover with assurance over the internal control environment and recommendations for how the internal control environment can continue to keep pace with the business. This also satisfied Andover’s MAR requirements for an internal audit function.

  • 03 Monitoring and Validation of Observations

    Andover’s internal audit staff worked with Johnson Lambert to monitor all remediation plans developed to address identified observations from assurance audits. This ensured that observations were addressed promptly and validated that the remediation plans put into place were mitigating identified risks.

  • 04 Communication of Results

    Johnson Lambert communicated audit and advisory results to Andover management and stakeholders who oversee governance within the organization.

  • 05 Supported Cyber Compliance

    Assisted Andover in adhering to New York Department of Financial Services (NYDFS) cybersecurity standards, mapped compliance to the NIST Cybersecurity Framework 2.0, and guided Andover’s AI risk management policy, focusing on developing roles and responsibilities and ensuring compliance with emerging regulatory requirements.

“Since partnering with Johnson Lambert, we have developed a repeatable and value-driven internal audit process that has led to improved policies and procedures, a stronger control environment, and a greater understanding and awareness of the auditing process throughout the organization. Johnson Lambert’s support has extended beyond the traditional internal audit function, and we consider ourselves fortunate to work with a team that is consistently responsive, practical, trustworthy, and, above all, deeply knowledgeable in their field.”

Amy DiPerna

Vice President and Treasurer


Results

Andover made significant strides in improving its internal control environment and staying ahead of regulatory compliance requirements thanks to a partnership with Johnson Lambert.

60+% reduction in cybersecurity control count

50% reduction in NYDFS findings from 2022 to 2024

  • Streamlined Controls

    The team reduced cybersecurity control count by over 60%, helping Andover focus on high-priority controls, reduce administrative overhead, and limit duplicative efforts. The optimized controls were integrated into the AuditBoard system, helping to streamline audit processes.

  • Improved Cybersecurity Posture

    Johnson Lambert’s cybersecurity consulting contributed to substantial progress in Andover’s NYDFS compliance. An updated NYDFS cybersecurity report revealed a 50% reduction in findings in 2024, highlighting Andover’s strengthened cybersecurity defenses.

  • Widespread Risk Coverage

    Johnson Lambert addressed risks previously outside of Andover staff’s day-to-day activities, providing management and those charged with governance comfort over the internal control environment at Andover.

  • Enhanced Financial Planning and Analysis

    An audit of Andover’s cost management and budgeting practices led to a restructured vendor and procurement process and an improved budgeting process. A new travel policy achieved consistent and predictable employee travel expenses, and the new budgeting process provided greater visibility into spending patterns, aiding financial planning. These changes enhanced financial control, transparency, operational efficiency, and cost savings.


About Our Team

Combining our internal audit methodology with deep insurance industry experience, technologies, and tools, our internal audit team is poised to help improve your operational efficiency, support strong corporate governance, and potentially lower your overhead costs. Our methodology is powered by training, risk and control matrices, audit programs, analytics workflows, reporting, and quality control. For more information, reach out to our consulting team.

Johnson Lambert Business Advisory Services Partner Kim Mobley, CPA, CISA, CISSP

Kim Mobley

Partner


Jordan Fulbright

Senior Manager
