Model Audit Rule FAQs

Newsletter
While many private and not-for-profit companies already have adopted certain measures voluntarily in response to the Sarbanes-Oxley Act (SOA), the National Association of Insurance Commissioners (NAIC) has taken a step that requires all insurers (whether publicly traded or not) to implement certain requirements that mirror, in part, requirements of the SOA, including Section 404. This was effected by the NAIC’s adoption of revisions to the Annual Financial Reporting Model Regulation (“Model Audit Rule”) on June 11, 2006. These revisions have three potential impacts on insurers. First, they require annual management reporting on the adequacy of the internal control over financial reporting once an insurer meets certain thresholds. Second, the revisions address the requirement for insurers to have an audit committee comprised of independent members of the board of directors that is solely responsible for the appointment, compensation and oversight of the insurer’s auditor. Finally, the revisions implement many of the SOA reforms around the relationship of the external auditors and their clients.

The NAIC was formed in 1871 to address the need to coordinate the regulation of multistate insurers. The membership is limited to the insurance commissioners from the 50 states, the District of Columbia and the four U.S. territories. The first major step taken by the new organization was to develop uniform financial reporting requirements for insurers. Since then, and with changes in regulatory requirements and information technology capabilities, the NAIC describes itself as a “multidimensional, regulatory support organization.”
 
The NAIC definition of internal control over financial reporting matches the Securities and Exchange Commission (SEC) definition, clearly placing both the insurer’s CEO and CFO in positions of responsibility. However, the focus of this reporting is on the insurer’s statutory reporting. As part of the assessment, management must include a statement acknowledging their responsibility for establishing and maintaining adequate internal control over financial reporting, and a statement identifying the framework used by management to evaluate the effectiveness of the insurer’s internal control – both reflective of SOA Section 404.
 
The revisions dealing with an insurer’s external auditor implement many of the SOA reforms. These revisions include:
  • Reducing the number of consecutive years a lead audit partner may participate on the audit of an insurer to five years
  • Precluding a lead audit partner from rotating back on the engagement for a period of five years
  • Listing various nonaudit services that auditors may not provide to an insurer in order to maintain the insurer’s independence from the auditor (Realizing that it may be difficult for small insurers to comply with the prohibited services requirement, a small company exemption is included that indicates that those insurers with less than $100 million in direct written and assumed premium may request an exemption from this requirement.)
  • Requiring audit committee pre-approval of nonaudit services if the aggregate amount of the fees for the nonaudit services exceeds five percent of the audit fees
  • Deeming the external audit firm’s independence impaired if the insurer hired a partner or manager of the firm and placed him/her in a senior management position within the past year

What prompted the NAIC to revise the Model Audit Rule? 

The revisions are the result of the passage of the Sarbanes-Oxley Act. They represent an attempt to address accounting issues that have occurred in the insurance industry in recent years. Along with enforcing regulatory requirements, the NAIC has the ability to create task forces as needed. Thus, the NAIC/AICPA Working Group was created in response to the Sarbanes-Oxley Act to develop and propose revisions to the Model Audit Rule. 

What are the differences between SEC oversight and NAIC oversight?

The focus of the SEC is to protect shareholders and other stakeholders by ensuring that public companies provide accurate, reliable and timely information on which to base investment decisions. The NAIC initially was formed to coordinate the regulation of multistate insurers. The focus of the NAIC has evolved to provide state regulators with the support and structure to protect the interests of insurance consumers. 

Are states obligated to adopt the same Model Audit Rule as the NAIC? 

No. However, we believe it is likely, despite opposition from various factions within the insurance industry, that most states will adopt a majority of the changes.  Though insurance is state-regulated, most state statutes contain language similar to that in Florida and California, both of which require insurers to provide annual audited financial statements “in conformity with the Annual Audited Financial Statement instructions contained in the annual statement instructions as adopted from time to time by the NAIC.” 

Does the Model Audit Rule apply to all state-regulated insurers? 

The Model Audit Rule applies to all insurers within each state with the exception of insurance companies having direct premiums written in the state of less than $1 million in any calendar year, and less than 1,000 policyholders or certificate holders of directly written policies nationwide at the end of the calendar year, in which case they are exempt for the year. The $1 million cap includes premiums pursuant to contracts and/or treaties of reinsurance. The state commissioner may deny the exemption if he/she determines that compliance is necessary for the commissioner to carry out statutory responsibilities. 
 
Effective January 1, 2010, every insurer required to file a financial report also is required to have an audit committee. Carriers with $300 to $500 million in annual premiums are required to have a majority (50 percent or more) of independent audit committee members. Carriers with more than $500 million in annual premiums are required to have a supermajority (75 percent or more) of independent audit committee members.
 
The insurance commissioner may grant an exemption from any and all provisions of the regulation if the regulation would constitute a financial or organizational hardship on the insurer. 
 
Effective December 31, 2010, insurers must file Management’s Report of Internal Control Over Financial Reporting if they are required to comply with the Model Audit Rule and have annual direct written and assumed premiums of $500 million or more. If the $500 million premium threshold is not met, the commissioner still may require an insurer to file the report if the insurer is deemed to be in hazardous financial condition.

What if my company is a foreign or alien insurer in the state and files the Audited Financial Report in another state pursuant to that state’s requirements?

The Model Audit Rule provides that if the state commissioner determines that the other state’s requirement for filing audited financial reports is substantially similar to his/her requirements, the foreign or alien insurer could be exempted from the Annual Financial Report requirements, as long as a copy of the relevant reports filed in another state also is filed with the state commissioner.

What happens if an insurer initially falls under the thresholds for compliance and then subsequently exceeds these thresholds?

The Model Audit Rule provides that an insurer has two calendar years after it meets the thresholds for compliance to file Management’s Report of Internal Control Over Financial Reporting.

What impact does an acquisition by an insurer have on its annual Management’s Report of Internal Control Over Financial Reporting?

The Model Audit Rule provides that the acquiring insurer has up to two calendar years to incorporate the internal control over financial reporting requirements of the acquired entity into its annual Management’s Report of Internal Control Over Financial Reporting. 

How are the Model Audit Rule requirements different from the requirements of Sections 302 and 404 of the SOA? 

SOA Section 302 requires the CEO and CFO to certify, in both the quarterly and annual SEC filings, the adequacy of the company’s disclosure controls and whether there have been changes in its internal control over financial reporting. The Model Audit Rule only applies to the internal controls over the annual statutory financial statements filed by insurers. Therefore, the certifications would apply only to the annual reports. 
 
SOA Section 404 requires that the company’s independent public accountant has attested to and reported on management’s evaluation of internal control over financial reporting. The Model Audit Rule has no such attestation requirement. 
 
SOA Sections 302 and 404 do not provide any opportunities for exemption of public companies from the requirements. 

What specifically must be included in Management’s Report of Internal Control Over Financial Reporting? 

As described in Section 16 D of the Model Audit Rule, the report shall contain: 
  1. A statement that management is responsible for establishing and maintaining adequate internal control over financial reporting; 
  2. A statement that management has established internal control over financial reporting and an assertion, to the knowledge and belief, after diligent inquiry, as to whether its internal control over financial reporting is effective to provide reasonable assurance regarding the reliability of financial statements in accordance with statutory accounting principles; 
  3. A statement that briefly describes the approach or processes by which management evaluated the effectiveness of its internal control over financial reporting;
  4. A statement that briefly describes the scope of work that is included and whether any internal controls were excluded;
  5. The disclosure of any unremediated material weaknesses in the internal control over financial reporting identified by management as of December 31 immediately preceding. Management is not permitted to conclude that internal control over financial reporting is effective to provide reasonable assurance regarding the reliability of financial statements in accordance with statutory accounting principles if there is one or more unremediated material weaknesses in its internal control over financial reporting;
  6. A statement regarding the inherent limitations of internal control systems; and
  7. The signatures of the CEO and the CFO (or equivalent position/title). 

If the insurer already has complied (either as required by the SEC or voluntarily) with the provisions of Section 404 of the SOA, how does that impact its compliance efforts with the Model Audit Rule?

That will depend somewhat on the scope of the Section 404 effort. Again, Section 404 revolves around the internal control over the company’s SEC financial reporting. The Model Audit Rule focuses on the reporting by management on the internal control over the statutory financial reporting. If the internal control environments are the same, then the Section 404 effort covers the need to satisfy the Model Audit Rule. As a result, the insurer could file its Section 404 management report with the commissioner in lieu of the above-described Section 16 report.
 
If differences in the internal control environments exist that have a material impact on the preparation of the insurer’s audited statutory financial statements, the insurer has a couple of alternatives in order to meet the requirements of the Model Audit Rule: 
  • The insurer could file its Section 404 management report along with a Section 16 report covering the internal controls not covered in the Section 404 report, or
  • File a Section 16 report covering the entire internal control environment. 

Does the insurer’s external auditor have any reporting responsibilities related to internal control over financial reporting?

Yes. Generally Accepted Auditing Standards (GAAS) in the United States require that auditors gain an understanding of the internal control over financial reporting in order to effectively plan the scope of their engagement. The Model Audit Rule requires that each insurer furnish the commissioner with a written communication from the external auditor as to whether any unremediated material weaknesses in its internal control over financial reporting were noted during the audit. This does not require an audit of internal control over financial reporting as required by Section 404 of the SOA. It merely requires a reporting of the external auditor’s knowledge of unremediated material weaknesses that they became aware of based on the audit performed in accordance with GAAS. If the external auditor is not aware of any unremediated material weaknesses, the communication should so state.

What does this mean for management?

As we consider the impact of this for insurers, we see several implications:

  • Management alone must shoulder the compliance responsibilities, including the attendant consequences of noncompliance. Without an external audit of internal control over financial reporting, management assumes the full burden of the internal control evaluation. The risk is increased due to the current absence of standards defining management’s assessment. Therefore, certifying officers face the risk that no one has defined the target. They alone must identify the appropriate internal controls, evaluate their effectiveness and craft the appropriate disclosure. This current absence of standards defining management’s assessment may get some future clarification. The SEC recently indicated that it would develop some guidance for public companies and has published a Concept Release. Once finalized, the NAIC could amend the Model Audit Rule to incorporate this or other future guidance.
  • Management must disclose the evaluation process used. Management of insurers will not be driven to comply with an auditor-directed standard. However, certifying officers assume the burden of articulating the process their companies have applied to evaluate the effectiveness of internal control over financial reporting. For example, what framework does management use as a basis for conducting the evaluation? What process does management use? This description must be incorporated in the annual Management’s Report of Internal Control Over Financial Reporting.
  • With respect to the external audit of the issuer’s financial statements, the stakes will be higher. If the external auditor requires recording of a material audit adjustment and/or the restatement of prior period financial statements, there will be a strong indication that a material weakness existed. While audit adjustments and financial reporting restatements are not necessarily conclusive evidence of a material weakness in internal control over financial reporting, they may trigger the auditor’s assessment of their root causes. This analysis could result in a conclusion by the auditor that a material weakness exists. While auditors will not be required to plan their audit of financial statements to find material weaknesses in internal control over financial reporting, auditing standards do require an understanding of internal controls in planning an audit, and auditors will report internal control deficiencies they encounter to management and the audit committee. If these deficiencies are material weaknesses and were not discovered by management nor disclosed in the internal control report of prior periods (assuming the material weakness condition existed in prior years), management and the board may be in a difficult position.
  • Questions may arise if restatements are required. As mentioned above, a restatement is a strong indication that a material weakness in internal control may exist. If a material weakness condition exists and is not detected and corrected in a timely manner by the insurer and a restatement of financial results is required, management may be exposed to questions from the commissioner, rating agencies and others, regarding management’s process and/or conclusion on the evaluation of internal control.
  • Certifying officers need authoritative guidelines or standards to support their assertion regarding the effectiveness of internal control over financial reporting. The Public Company Accounting Oversight Board (PCAOB) standards for auditors have provided de facto parameters for management’s assessment. While some guidance will be provided by the NAIC via an implementation guide, it likely will not be prescriptive in nature.

Given the absence of such standards, we have aggregated below some of the guidelines and principles that have evolved based on our experience with hundreds of Sarbanes-Oxley clients. These standards and principles may provide insurers with a helpful benchmark to use in defining the appropriate evaluation practices.

In addition to using a suitable framework, such as the COSO framework, that provides criteria for the assessment, the process should:

  • Document the critical processes supporting statutory financial reporting and the most important underlying controls embedded within those processes. This documentation provides a basis for concluding that relevant financial reporting assertions are met. We suggest that this documentation be sufficient to enable an independent party to review it for purposes of evaluating the design effectiveness of the key internal controls. By “key,” we mean the vital controls on which management is relying to ensure that financial reporting assertions are met. New employees should be able to review the documentation for their functional area to learn their roles and understand how they are expected to contribute to the control environment.
  • Establish an effective process for risk identification. Management’s approach should be top-down and risk based. The approach should periodically assess the financial reporting risks inherent in the insurer’s processes. It also should result in periodic improvements in these processes and in the underlying key controls embedded within those processes.
  • Implement a robust self-assessment process to periodically confirm that key controls remain in place. Certifying officers will find self-assessment to be a useful way to ensure accountability for the key internal controls. The self-assessment process should facilitate periodic feedback from the responsible process owners regarding the continued effectiveness of the key controls in the critical processes comprising the insurer’s internal control structure. The process should be supported by the periodic testing of the key controls by the process owners responsible for those controls.
  • Provide appropriate oversight by implementing an effectively functioning process for monitoring and testing. This process should include periodic independent tests of controls by an objective and competent evaluator (such as an effective internal audit function) in significant risk areas. The testing documentation (including the rationale for the nature, timing and extent of testing) should be sufficient to enable an independent party to review it for purposes of evaluating the operating effectiveness of internal control over financial reporting.
  • Implement effective entity-level controls that are reviewed periodically with the audit committee as changes occur in the company. The insurer’s entity-level controls should be strengthened continually with the objective of improving entity-level monitoring and auditing systems that report and provide feedback with respect to the performance of the financial reporting process. This continuous improvement process should be supported through effective audit committee oversight.
  • Implement a process to identify when changes in critical processes and key controls occur. This ongoing process should monitor for and escalate change that materially affects, or is reasonably likely to materially affect, internal control over financial reporting.
  • Document and evaluate antifraud controls. These controls should be documented and evaluated in a manner that is integrated with the documentation and evaluation of controls at the entity level and within the key financial reporting processes.
  • Evaluate whether all IT applications have been configured appropriately to automate the associated controls. Our experience is that excessive reliance on manual, backend detective controls is both costly and difficult to sustain, particularly when embedded within largely manual processes. These manual controls often do not identify and correct errors in the transaction processing stream, driving a substantial amount of rework. As the mix of preventive and detective controls, and of automated and manual controls, is improved, the cost-effectiveness of the internal control structure and compliance process also is improved.
  • Document “management’s evaluation process” to conclude as to the effectiveness of internal control over financial reporting, in a manner sufficient that an independent party can understand what was actually done and the basis for management’s conclusions. The documentation supporting management’s assessment process should provide reasonable support for the assessment. This documentation should address the processes, procedures and due diligence management completed when executing its responsibilities and supporting its conclusions.

Not adopting these practices could place management in a difficult position if called upon to explain how they conducted their evaluation of internal control over financial reporting. The exclusion of the external auditor from the evaluation process does not preclude the possibility that a third party might ultimately request a review of the basis for management’s conclusions with the intention of understanding how the assertions reported as required in the Model Audit Rule were supported. Without documentation, management is exposed if such circumstances were to arise.

The above observations should not be construed as suggesting that an insurer’s documentation be sufficient to support an external audit of internal control over financial reporting. Due to the active supervision of and involvement in day-to-day operations, management has evidence available that an external auditor cannot rely on for purposes of formulating a conclusion regarding the effectiveness of internal control over financial reporting. Therefore, the body of evidence relied upon by management and by external auditors is different. That said, the absence of documentation of the key controls will place certifying officers and their direct reports on the defensive if their organization’s evaluation approach should ever come under question.

Our experience has shown that much of the additional cost and unnecessary effort under SOA compliance was due to several factors. For example, inadequate project management coupled with a tight implementation time frame greatly impacted costs. The “over-scoping” of the evaluation process by strict adherence to quantitative materiality thresholds to the exclusion of qualitative considerations resulted in an overly detailed focus on low-risk areas. The number of controls tested also is a major cost driver. If management does not “filter” these controls down to the ones that matter, unnecessary costs often result. We believe there is an opportunity to do it better and learn from the experiences of others. Management should adopt a top-down, risk-based approach to the assessment. Such an approach would result in a more cost-effective and value-added evaluation process.

While the deadline for compliance may seem far off, insurers who have not yet begun to address the requirements to evaluate their internal control over financial reporting need to start making plans. We typically find companies require 12 to 24 months to complete a cost-effective evaluation of internal controls in the first year, with the documentation effort comprising a significant portion of that time. The good news, however, is that the documentation effort is significantly reduced in subsequent years.

The Model Audit Rule requirements will become effective on different dates. The requirement for independent audit committee members will be effective January 1, 2010. The effective date for providing Management’s Report of Internal Control Over Financial Reporting will be December 31, 2010. Each state will begin the model adoption process via reference, promulgating a new regulation and/or legislative change.

The NAIC will publish a final copy of the adopted Model Audit Rule and an implementation guide. In addition to an NAIC implementation guide, the SEC intends to issue guidance to management to assist in their performance of a top-down, risk-based assessment of internal control over financial reporting. This guidance may assist carriers even though they may not be subject to SEC regulation.

What can I do now to prepare for the new requirements that reflect SOA 404?

Learn from the public companies’ experience and begin planning now:

Organize the project. Identify the project sponsor and team members.

Develop a project plan. Define objectives and establish a critical path, determining key success factors, milestones and checkpoints.

Agree on a project approach. Obtain agreement from management, and both external and internal auditors. What control framework will be used? Agree on required documentation and testing.

Determine how the project team will be formed. Will it consist of internal resources, or be outsourced or co-sourced?

Define team member roles and responsibilities. Who will be the subject-matter experts?

Determine what technology tools will be used. Research what is available to best meet your needs.

A Final Note

Based on comments provided in a GAIN survey on SOA Year One experience, “planning” and “starting early” are the key drivers of success.
