Sarbanes-Oxley 404 – Where Do We Stand? CAS 2004 Annual Meeting, November 15 & 16, 2004. Today’s Panel: James C. Votta, Partner, Ernst & Young LLP; Lise A. Hasegawa, AVP and Reserving Actuary, MetLife Auto & Home; Kenneth T. Sipiora, Senior Manager, Deloitte & Touche LLP; David T. Perine, Senior Manager, Ernst & Young LLP
Sarbanes-Oxley 404 – Where Do We Stand? [Figure: phases Documentation, Testing, Remediation, Sign Off; roles Management and Auditor; status labels Company Completed, Auditor Reviewed, Auditor Completed]
Sarbanes-Oxley 404 – Where Do We Stand? • Survey of 950 SEC Registrants as of October 2004 • Green = No concern with timely completion = 32% • Yellow = Greater than low level concern = 60% • Red = Significant concern = 8%
Sarbanes-Oxley 404 – Where Do We Stand? • In Scope or Out of Scope? • Pricing • IBNR Generating Systems • Pockets of Reserves • CAT Models
Sarbanes-Oxley 404 – Where Do We Stand? • What is Ahead? • Internal Audit Focus • Spitzer Investigations • NAIC Model Law
Sarbanes-Oxley 404 – Where Do We Stand? Insurance Company Perspective. Lise A. Hasegawa, AVP and Reserving Actuary, MetLife Auto & Home
The MetLife Enterprise • Over $300 Billion in Assets Under Management • Locations • United States • International – 11 Locations • Business segments include ■ Individual ■ International ■ Institutional ■ Reinsurance ■ Auto & Home
SOX ─ The Players • Steering Committee • Project Management Office • Line of Business Teams • Internal Auditing • Outside Advisor • External Auditor
SOX ─ The Process • Identify Processes • Scope & Coverage • Process Map Activities • Identify Risks • Identify Key Controls • Testing • Action Plans • Review and Signoff
In Scope Actuarial Processes • Reserves • Reinsurance
Reserving Process Map Data Analysis Documentation Communication
Data ─ The Risks • All loss data accounted for? • Loss data accurate? • Loss data transferred and separated accurately?
Data ─ The Controls • All loss data accounted for? Balancing reports, consistency, judgment • Loss data accurate? Claims edits, audits, detective reports • Loss data transferred and separated accurately? More balancing reports, consistency, judgment
Next Steps • Testing • Action Plans • Review • Sign Off • Repeat
Lessons Learned • Support from the top • Takes more effort, energy and people than you think ─ but it is worth it • Define the scope precisely ─ expect it to change • Expect guests … often … add a chair • Auditable proof
Lessons Learned • Software versus Spreadsheets • Controls are closer than you think • Education for all employees • Take advantage of the situation • Learn how other processes work • Learn how the data is created and used • Improve processes • Eliminate risk
Sarbanes-Oxley 404 – Where Do We Stand? Corporate Risk Management Perspective. Kenneth T. Sipiora, Senior Manager, Deloitte & Touche LLP
Corporate Risk Management ─ Environment
• Risk Management (broadly defined) increasingly critical to corporations, their officers and directors
• COSO, ERM, etc.
• Investors, Regulators, Lenders and other stakeholders demanding disclosure and independent verification of financial controls
• Risk Management and related insurance transactions increasingly complex
• Many large corporations have significant self-insured/retained risk
• General/Product Liabilities, Auto Liability, Workers’ Compensation, D&O, etc.
• Third-party service providers common
Corporate Risk Management ─ Environment
• Paid losses and reserves are material to financial reporting
• Significant cost drivers, financial statement disclosures common
• Independent actuarial analysis
• Variety of alternative risk financing strategies in use
• Qualified self insurance, Captives, Finite Risk, Capital Markets, etc.
• Risk Management Information Systems (RMIS) prevalent
• Data warehouses, Management Reporting, Actuarial Data
• Entity level controls (“C” level and B.O.D.) requiring greater scrutiny
• Retain or Transfer risk?
• Counterparty security
Corporate Risk Management ─ SOX 404 Examples • Control Objectives • Process Documentation • Testing
Corporate Risk Management ─ Environment
• Reserve estimates are adequately developed, reported and monitored
• Appropriate data is accurately documented and retained to support management estimates of liabilities.
• Reserves are determined according to appropriate actuarial standards of practice, consistent with regulatory, GAAP and other required standards.
• Financial reporting is timely and accurate
• Claims activity is recorded timely and accurately in the appropriate accounting period.
• Disbursements for premium expenses, claims payments, captive fees and other risk management expenses are validated, calculated accurately, processed completely and recorded to general ledger.
Corporate Risk Management ─ Environment
• Risks are identified, quantified or transferred
• Expected losses to be retained are quantified.
• Commercial insurance for risk not self-insured is secured.
• Insurance company counterparty security (financial strength) evaluated regularly.
• Claims reporting is timely and accurate
• Claims processing policy and procedures established by Senior Management exist and duties of claims staff and third-party administrators (TPAs) are performed accordingly.
• TPAs or other external providers have adequate controls in place.
Corporate Risk Management ─ Environment
• Self-insured risks are identified and funded by captive as appropriate
• Captive transactions are accurately recorded in a timely manner.
• Captive management and other service providers have adequate controls
• Captive financial statements are timely and accurately consolidated with parent company statements.
Corporate Risk Management ─ SOX 404 Sample Process Documentation • Claims (workers’ compensation) • Loss reserving • Financial reporting • Captive transaction
LEGEND Primary Control Activity Secondary Control Activity Primary Company Level Controls Control Gap
Corporate Risk Management ─ SOX 404 Sample Control Tests – Loss Reserving
Sarbanes-Oxley 404 – Where Do We Stand? A Consultant’s Perspective. David T. Perine, Senior Manager, Ernst & Young LLP
What Have We Done To Date? • Planning • Timing • Structure • Roles • Documentation • Business and financial processes • Risks • Controls
What Have We Done To Date? • Testing and Remediation • Remediation of controls deemed necessary as a result of the documentation phase • Testing of controls • Remediation as a result of testing
What Is Happening Now Through Q1 2005? • Documentation of new processes or significant changes to existing processes • Continued remediation • 4th quarter and annual testing • As a result of remediation of controls • Of 3rd and 4th quarter controls • Of annual controls • Evaluating exceptions and deficiencies
What Is Happening Now Through Q1 2005? • Management’s assertion on the effectiveness of internal controls • Auditor’s attestation to the effectiveness of internal controls
Future Steps/Commitments to SOX 404 • Reinforce a compliance culture • From the top (Audit Committee, CEO, CFO, CCO) • SOX 404 compliance must be embedded in the company’s culture • Ownership of SOX 404 must reside with the company, not outside parties • Consider maintaining/establishing a Project Management Office
Future Steps/Commitments to SOX 404 • The changing role of internal audit • More internal control focused? • The role of outside consultants • Coaching? Support? • Updating documentation • When and by whom? • Peer review
Future Steps/Commitments to SOX 404 • Testing • When and by whom? • Remediation • Management’s assertion • Auditor’s attestation • Responding to a negative attestation?