24/7 Internal Audit Team Helps Bupa Pursue Ambitious Growth Around the Globe While Managing Risk

24/7 Internal Audit Team Helps Bupa Pursue Ambitious Growth Around the Globe While Managing Risk

Bupa - Client Story

Company Headquarters — United Kingdom

Number of Countries Operates in — 190

Number of Employees in Company — 70,000

Industry — healthcare, health insurance

Annual Revenues — gB£9.1 billion (as of dec. 31, 2013)

Number in IA Function — 20

Number of Years IA Function Has Been in Place — 20+

IA Director/CAE Reports to — Chief Financial Officer and Chairman of the Audit Committee


“ When recruiting, I look for the best future leaders for Bupa … Recruiting talent for internal audit is an investment.”

- Nicola Wood


“Longer, happier, healthier lives” is the purpose of global healthcare company, Bupa. Founded in 1947 as the British United Provident Association with a mission to provide healthcare to the general public, Bupa funds and provides quality healthcare in a range of settings, including clinics, dental centers, hospitals and long-term care facilities. Its services range from complex acute care to wellness management. The company also sells medical insurance both domestically and internationally.

Bupa is a provident organization; it has no shareholders and therefore reinvests all of its profits back into improving services for its more than 22 million customers in 190 countries. While Bupa is headquartered in the United Kingdom, more than 70 percent of its profits come from its operations in international markets, including Australia and Spain. The company employs about 70,000 people around the world. In 2013, Bupa reported group-wide revenues of GB£9.1 billion.

Bupa’s director of internal audit, Nicola Wood, has been with the company for 14 years. “One reason I’ve stayed so long is that Bupa is an incredibly dynamic organization,” she says. “It’s always changing according to how it needs to grow. It’s always fresh. And everything we do at Bupa really does go back to our purpose. We don’t just care for people when they’re sick. We help them to stay well.”

Wood reports to the chief financial officer at Bupa on an administrative basis and has “unrestricted access” to the chair of the group audit committee. She oversees a team of 20 internal auditors spread across Bupa’s operations and joint ventures in Australia, England, India, Spain, and in the U.S. city of Miami, Fla. “They all report directly to me, so we are a truly independent third line,” says Wood. 

Technology goes a long way toward helping the internal audit team overcome its geographic diversity, according to Wood: “We are a 24/7 operation. Australia can ask a question at the end of their day, go home, and when they start work the next morning, the rest of the world has given their answers.”

An expanded scope for internal audit

Over the past 14 years at Bupa, Wood has seen many changes in the internal audit industry. But in her view, new guidelines issued in 2013 by the Chartered Institute of Internal Auditors (CIIA), which represents the internal auditing profession in the United Kingdom and Ireland, have been perhaps the most significant change of all – at least, for internal audit functions in the insurance sector. Effective Internal Audit in the Financial Services Sector [1] has the overall aim of enhancing the effectiveness of internal audit and its impact on the U.K. financial services industry, which includes insurance.

“This guidance has changed what we do, and will continue to do so as regulators start to measure our performance against it,” Wood explains. “For example, our scope is now expanded to include risk and control culture, outcomes of processes, real-time auditing of high-risk areas, and information presented to the board for strategic and operational decisions.”

Since the CIIA issued its guidance, Wood says she’s been focused on helping her team to adapt to these new expectations. This includes identifying and addressing any potential skills and resources gaps. “We’ve added two more people to our team and we’re considering potential co-sourcing and guest auditor arrangements,” she explains. “Those arrangements would enable us to look at areas, such as actuarial and technical areas, that a small team of auditors would not necessarily have in their skill set.”

Wood points to the Solvency II standard as another catalyst for change for the internal audit industry in the United Kingdom – and another reason why she’s adding more resources to her internal audit team. Solvency II, a European Union directive, is scheduled to go into effect January 1, 2016. It requires insurers to focus on managing all risks their organization faces and ensure that they have enough capital set aside to provide reserve funds to cover all insurance claims they’re likely to receive.[2]

“We need to make sure we have the right skill set available to look at capital and risk in more detail,” says Wood.

A delicate balancing act

The move in the business world in recent years to split internal audit and risk into two functions has been another big change, according to Wood. But it’s one she believes has led to positive outcomes for many organizations, including Bupa. “When I joined Bupa, the internal audit and risk functions were handled by us – one team,” she says. “Now that risk is its own function, internal audit can be a true third line of defense, with risk as the second line.”

She continues, “The emergence of dedicated risk teams – and the development of risk frameworks with appetites and tolerances – is really strengthening the role of the chief risk officer, too. It’s helping to ensure the CRO is at the top table with management, and that risk is seen as a function in its own right. In our organization, we’ve also seen the emergence of very strong CROs in all of our business units, who report to local directors, have a seat at the top table, and are very senior in the organization.”

While the internal audit team at Bupa may no longer be responsible for risk management, Wood says they are still very risk-based in their approach and in their annual plan. Clinical risk is particularly on the radar for a healthcare business like Bupa. “Our ambition is to be seen as a healthcare partner to millions, and we can’t be unless we really understand the clinical risks that the business faces and can manage and monitor them properly,” Wood says.

Business transformation and IT initiatives are other potential risk areas where Bupa’s internal audit team works to add value: “In a dynamic organization like Bupa, major change projects are always under way. We get involved at the early stages of these initiatives, so we can work alongside the business to help add value. We’re able to do more real-time auditing that way.”

Wood says her team always receives more audit requests from the business than it can address. “I think that’s a good indication of the reputation we have and the desire from the business to have us help and support them. I do think internal audit is viewed as a partner at Bupa. But ultimately, we report to the board, and provide assurance over the governance, risk and internal controls facing Bupa. So, our primary customer is the board – the audit committee.”

She adds, “It’s a delicate balancing act, providing your primary customer with what they want and being seen as a business partner to management.”

Support for ambitious growth

Another way Bupa’s internal audit function works to add value to the business is by conducting post-acquisition reviews. “Bupa is very acquisitive. We did six major deals just last year,” says Wood. “Internal audit looks at the acquisition process not only to confirm that management complied with controls in place, but also to identify lessons learned and best practices to reference in the future. This is not something we would have done – or been asked by management to do – a decade ago.”

Wood says Bupa’s chief executive officer has announced “ambitious goals for Bupa” in terms of growth for the next few years. “Internal audit, risk and compliance are fundamental to achieving that growth. If you have poor controls, time is wasted correcting them,” Wood says. “We want the business to grow, of course, but we also want to ensure controls are dealt with in a stable and sustainable way so energy can be directed into developing the business.”

Talent recruitment: an ongoing priority

New regulatory demands, changing business models, and heightened expectations by stakeholders inside and outside of Bupa are all prompting Wood to recruit a different type of auditor for her team than she might have hired in the past. “Fourteen years ago I would’ve looked for the best internal auditors,” she explains. “When recruiting, I look for the best future leaders for Bupa who can learn internal audit. Internal audit is a place to come learn about the business, and then move out into the business.”

Like many audit leaders, Wood expects talent recruitment to be an ongoing priority, and challenge, for her organization in the coming decade. That’s why she works closely with Bupa’s talent directors, and also reaches out directly to potential candidates through the professional networking site, LinkedIn.

“To me, internal audit is all about the individuals. If I invest time to make sure I get the very best people for the team, those with the potential to become great Bupa leaders, then we’ll have a strong internal audit function with a great reputation,” says Wood. “Recruiting talent for internal audit is an investment. I have to do it and I want to do it. It’s a non-negotiable part of my job.”




[1]Effective Internal Audit in the Financial Services Sector: Recommendations from the Committee on Internal Audit Guidance for Financial Services, Chartered Institute of Internal Auditors, July 2013.
[2]Solvency II FAQs,” Association of British Insurers.