- Reducing the number of consecutive years a lead audit partner may participate on the audit of an insurer to five years
- Precluding a lead audit partner from rotating back on the engagement for a period of five years
- Listing various nonaudit services that auditors may not provide to an insurer in order to maintain the insurer’s independence from the auditor (Realizing that it may be difficult for small insurers to comply with the prohibited services requirement, a small company exemption is included that indicates that those insurers with less than $100 million in direct written and assumed premium may request an exemption from this requirement.)
- Requiring audit committee pre-approval of nonaudit services if the aggregate amount of the fees for the nonaudit services exceeds five percent of the audit fees
- Deeming the external audit firm’s independence impaired if the company hired a partner or manager from that firm and placed him/her in a senior management position within the past year
What prompted the NAIC to revise the Model Audit Rule?
What are the differences between SEC oversight and NAIC oversight?
Are states obligated to adopt the same Model Audit Rule as the NAIC?
Does the Model Audit Rule apply to all state-regulated insurers?
What if my company is a foreign or alien insurer in the state and files the Audited Financial Report in another state pursuant to that state’s requirements?
What happens if an insurer initially falls under the thresholds for compliance and then subsequently exceeds these thresholds?
What impact does an acquisition by an insurer have on its annual Management’s Report of Internal Control Over Financial Reporting?
How are the Model Audit Rule requirements different from the requirements of Sections 302 and 404 of the SOA?
What specifically must be included in Management’s Report of Internal Control Over Financial Reporting?
- A statement that management is responsible for establishing and maintaining adequate internal control over financial reporting;
- A statement that management has established internal control over financial reporting and an assertion, to the knowledge and belief, after diligent inquiry, as to whether its internal control over financial reporting is effective to provide reasonable assurance regarding the reliability of financial statements in accordance with statutory accounting principles;
- A statement that briefly describes the approach or processes by which management evaluated the effectiveness of its internal control over financial reporting;
- A statement that briefly describes the scope of work that is included and whether any internal controls were excluded;
- The disclosure of any unremediated material weaknesses in the internal control over financial reporting identified by management as of December 31 immediately preceding. Management is not permitted to conclude that internal control over financial reporting is effective to provide reasonable assurance regarding the reliability of financial statements in accordance with statutory accounting principles if there is one or more unremediated material weaknesses in its internal control over financial reporting;
- A statement regarding the inherent limitations of internal control systems; and
- The signatures of the CEO and the CFO (or equivalent position/title).
If the insurer already has complied (either as required by the SEC or voluntarily) with the provisions of Section 404 of the SOA, how does that impact its compliance efforts with the Model Audit Rule?
- The insurer could file its Section 404 management report along with a Section 16 report covering the internal controls not covered in the Section 404 report, or
- File a Section 16 report covering the entire internal control environment.
Does the insurer’s external auditor have any reporting responsibilities related to internal control over financial reporting?
What does this mean for management?
As we consider the impact of this for insurers, we see several implications:
- Management alone must shoulder the compliance responsibilities, including the attendant consequences of noncompliance. Without an external audit of internal control over financial reporting, management assumes the full burden of the internal control evaluation. The risk is increased due to the current absence of standards defining management’s assessment. Therefore, certifying officers face the risk that no one has defined the target. They alone must identify the appropriate internal controls, evaluate their effectiveness and craft the appropriate disclosure. This current absence of standards defining management’s assessment may get some future clarification. The SEC recently indicated that it would develop some guidance for public companies and has published a Concept Release. Once finalized, the NAIC could amend the Model Audit Rule to incorporate this or other future guidance.
- Management must disclose the evaluation process used. Management of insurers will not be driven to comply with an auditor-directed standard. However, certifying officers assume the burden of articulating the process their companies have applied to evaluate the effectiveness of internal control over financial reporting. For example, what framework does management use as a basis for conducting the evaluation? What process does management use? This description must be incorporated in the annual Management’s Report of Internal Control Over Financial Reporting.
- With respect to the external audit of the issuer’s financial statements, the stakes will be higher. If the external auditor requires recording of a material audit adjustment and/or the restatement of prior period financial statements, there will be a strong indication that a material weakness existed. While audit adjustments and financial reporting restatements are not necessarily conclusive evidence of a material weakness in internal control over financial reporting, they may trigger the auditor’s assessment of their root causes. This analysis could result in a conclusion by the auditor that a material weakness exists. While auditors will not be required to plan their audit of financial statements to find material weaknesses in internal control over financial reporting, auditing standards do require an understanding of internal controls in planning an audit, and auditors will report internal control deficiencies they encounter to management and the audit committee. If these deficiencies are material weaknesses and were not discovered by management nor disclosed in the internal control report of prior periods (assuming the material weakness condition existed in prior years), management and the board may be in a difficult position.
- Questions may arise if restatements are required. As mentioned above, a restatement is a strong indication that a material weakness in internal control may exist. If a material weakness condition exists and is not detected and corrected in a timely manner by the insurer and a restatement of financial results is required, management may be exposed to questions from the commissioner, rating agencies and others regarding management’s process and/or conclusion on the evaluation of internal control.
- Certifying officers need authoritative guidelines or standards to support their assertion regarding the effectiveness of internal control over financial reporting. The Public Company Accounting Oversight Board (PCAOB) standards for auditors have provided de facto parameters for management’s assessment. While some guidance will be provided by the NAIC via an implementation guide, it likely will not be prescriptive in nature.
Given the absence of such standards, we have aggregated below some of the guidelines and principles that have evolved based on our experience with hundreds of Sarbanes-Oxley clients. These standards and principles may provide insurers with a helpful benchmark to use in defining the appropriate evaluation practices.
In addition to using a suitable framework, such as the COSO framework, that provides criteria for the assessment, the process should:
- Document the critical processes supporting statutory financial reporting and the most important underlying controls embedded within those processes. This documentation provides a basis for concluding that relevant financial reporting assertions are met. We suggest that this documentation be sufficient to enable an independent party to review it for purposes of evaluating the design effectiveness of the key internal controls. By “key,” we mean the vital controls on which management is relying to ensure that financial reporting assertions are met. New employees should be able to review the documentation for their functional area to learn their roles and understand how they are expected to contribute to the control environment.
- Establish an effective process for risk identification. Management’s approach should be top-down and risk based. The approach should periodically assess the financial reporting risks inherent in the insurer’s processes. It also should result in periodic improvements in these processes and in the underlying key controls embedded within those processes.
- Implement a robust self-assessment process to periodically confirm that key controls remain in place. Certifying officers will find self-assessment to be a useful way to ensure accountability for the key internal controls. The self-assessment process should facilitate periodic feedback from the responsible process owners regarding the continued effectiveness of the key controls in the critical processes comprising the insurer’s internal control structure. The process should be supported by the periodic testing of the key controls by the process owners responsible for those controls.
- Provide appropriate oversight by implementing an effectively functioning process for monitoring and testing. This process should include periodic independent tests of controls by an objective and competent evaluator (such as an effective internal audit function) in significant risk areas. The testing documentation (including the rationale for the nature, timing and extent of testing) should be sufficient to enable an independent party to review it for purposes of evaluating the operating effectiveness of internal control over financial reporting.
- Implement effective entity-level controls that are reviewed periodically with the audit committee as changes occur in the company. The insurer’s entity-level controls should be strengthened continually with the objective of improving entity-level monitoring and auditing systems that report and provide feedback with respect to the performance of the financial reporting process. This continuous improvement process should be supported through effective audit committee oversight.
- Implement a process to identify when changes in critical processes and key controls occur. This ongoing process should monitor for and escalate change that materially affects, or is reasonably likely to materially affect, internal control over financial reporting.
- Document and evaluate antifraud controls. These controls should be documented and evaluated in a manner that is integrated with the documentation and evaluation of controls at the entity level and within the key financial reporting processes.
- Evaluate whether all IT applications have been configured appropriately to automate the associated controls. Our experience is that excessive reliance on manual, backend detective controls is both costly and difficult to sustain, particularly when embedded within largely manual processes. These manual controls often do not identify and correct errors in the transaction processing stream, driving a substantial amount of rework. As the mix of preventive and detective controls, and of automated and manual controls, is improved, the cost-effectiveness of the internal control structure and compliance process also is improved.
- Document “management’s evaluation process” to conclude as to the effectiveness of internal control over financial reporting, in a manner sufficient that an independent party can understand what was actually done and the basis for management’s conclusions. The documentation supporting management’s assessment process should provide reasonable support for the assessment. This documentation should address the processes, procedures and due diligence management completed when executing its responsibilities and supporting its conclusions.
Not adopting these practices could place management in a difficult position if called upon to explain how they conducted their evaluation of internal control over financial reporting. The exclusion of the external auditor from the evaluation process does not preclude the possibility that a third party might ultimately request a review of the basis for management’s conclusions with the intention of understanding how the assertions reported as required in the Model Audit Rule were supported. Without documentation, management is exposed if such circumstances were to arise.
The above observations should not be construed as suggesting that an insurer’s documentation be sufficient to support an external audit of internal control over financial reporting. Due to the active supervision of and involvement in day-to-day operations, management has evidence available that an external auditor cannot rely on for purposes of formulating a conclusion regarding the effectiveness of internal control over financial reporting. Therefore, the body of evidence relied upon by management and by external auditors is different. That said, the absence of documentation of the key controls will place certifying officers and their direct reports on the defensive if their organization’s evaluation approach should ever come under question.
Our experience has shown that much of the additional cost and unnecessary effort under SOA compliance was due to several factors. For example, inadequate project management coupled with a tight implementation time frame greatly increased costs. The “over-scoping” of the evaluation process by strict adherence to quantitative materiality thresholds, to the exclusion of qualitative considerations, resulted in an overly detailed focus on low-risk areas. The number of controls tested is also a major cost driver. If management does not “filter” these controls down to the ones that matter, unnecessary costs often result. We believe there is an opportunity to do it better and learn from the experiences of others. Management should adopt a top-down, risk-based approach to the assessment. Such an approach would result in a more cost-effective and value-added evaluation process.
While the deadline for compliance may seem far off, insurers who have not yet begun to address the requirements to evaluate their internal control over financial reporting need to start making plans. We typically find companies require 12 to 24 months to complete a cost-effective evaluation of internal controls in the first year, with the documentation effort comprising a significant portion of that time. The good news, however, is that the documentation effort is significantly reduced in subsequent years.
The Model Audit Rule requirements will become effective on different dates. The requirement for independent audit committee members will be effective January 1, 2010. The effective date for providing Management’s Report of Internal Control Over Financial Reporting will be December 31, 2010. Each state will begin the model adoption process via reference, promulgating a new regulation and/or legislative change.
The NAIC will publish a final copy of the adopted Model Audit Rule and an implementation guide. In addition to an NAIC implementation guide, the SEC intends to issue guidance to management to assist in their performance of a top-down, risk-based assessment of internal control over financial reporting. This guidance may assist carriers even though they may not be subject to SEC regulation.
What can I do now to prepare for the new requirements that reflect SOA 404?
Learn from the public companies’ experience and begin planning now:
- Organize the project. Identify the project sponsor and team members.
- Develop a project plan. Define objectives and establish a critical path, determining key success factors, milestones and checkpoints.
- Agree on a project approach. Obtain agreement from management and from both external and internal auditors. What control framework will be used? Agree on required documentation and testing.
- Determine how the project team will be formed. Will it consist of internal resources, or be outsourced or co-sourced?
- Define team member roles and responsibilities. Who will be the subject-matter experts?
- Determine what technology tools will be used. Research what is available to best meet your needs.
A Final Note
Based on comments provided in a GAIN survey on SOA Year One experience, “planning” and “starting early” are the key drivers of success.