This presentation discusses the implications of Section 404 of the Sarbanes-Oxley Act for insurance companies and the steps they need to take to ensure compliance. It outlines the key elements of the act, the new environment it creates, and the implementation phases.
CAS Annual Meeting, November 14-16, 2005
Sarbanes-Oxley Act – Section 404: Implications for Insurance Companies
Heidi Hoeller, PricewaterhouseCoopers
Alan Hines, PricewaterhouseCoopers
Kevin Burns, The Hanover Insurance Group
Timeline of Events
• 12/2/2001 - Enron Bankruptcy
• 7/30/2002 - SOX Signed
• 8/29/2002 - 302 Certifications
• 12/31/2004 - SEC Accelerated Filer - 404 Compliance Date
• Today
• 12/31/2005 - All Other SEC Filers - 404 Compliance Date
• TBD - NAIC
Sarbanes-Oxley Act - Overview
Sarbanes-Oxley Act signed into law on July 30, 2002
• Most significant reform of the securities laws since they were enacted
• Purpose is to restore confidence in public financial reporting
• Fundamental change in how Audit Committees, management and auditors carry out responsibilities and interact
• Passed with remarkable speed
• Specific in some areas; only a framework in others, with further rulemaking required to clarify
• Increases accountability
The Components
The Sarbanes-Oxley Act is divided into 11 Sections (Titles):
• Public Company Accounting Oversight Board
• Auditor Independence
• Corporate Responsibility
• Enhanced Financial Disclosures
• Analyst Conflicts of Interest
• Commission Resources & Authority
• Studies & Reports
• Corporate & Criminal Fraud Accountability
• White-Collar Crime Penalty Enhancements
• Corporate Tax Returns
• Corporate Fraud & Accountability
Title III – Corporate Responsibility
Sets independence standards for members of the Board and Audit Committee.
Section 302 requires quarterly certification by the CEO and CFO that:
• Reports have been reviewed
• The report does not contain any material omissions or untrue statements
• The financial statements fairly present, in all material respects, the financial condition, results of operations and cash flows of the Company
• They are responsible for establishing and maintaining disclosure controls and procedures, and have evaluated the design and effectiveness of these controls
• All control deficiencies and fraud have been disclosed to the audit committee
• Any subsequent control changes of significance have been reported
Title IV – Enhanced Disclosure
A number of provisions for enhanced financial statement disclosure are included in addition to Section 404 - Internal Control Report:
• Management’s annual assessment of internal controls
  • Each annual report must contain an internal control report
  • Stating the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and
  • Management’s assessment, as of the end of the most recent fiscal year, of the effectiveness of such controls and procedures
• Auditor attestation report
  • The external auditor is required to attest to and report on management’s assessment. This includes two separate attestations: one on design and another on the operating effectiveness of the controls
404 Key Elements – Auditor Assurance
The auditors’ objectives:
• Express an opinion on management’s assessment of the effectiveness of the company’s internal control over financial reporting
• Express an opinion on the effectiveness of the company’s internal controls as of the date specified in management’s assessment
404: Key Steps for Assessing Controls
Scope & Plan:
• Assess Risk
• Identify Significant Accounts
• Identify Processes & Assertions
• Scope Locations
Understand & Evaluate:
• Perform Walkthroughs
• Evaluate Design Effectiveness
Validate:
• Consider Work Of Others
• Test Operating Effectiveness
• Evaluate Management Assessment
• Consider Impact of Results
404: Implementation Phases
• Scoping & Planning
• Documentation
• Testing
• Evaluation & Communication
404: Scoping & Planning
• Assessment of internal controls must be based on a suitable, recognized control framework.
  • COSO (Committee of Sponsoring Organizations) Framework
404: Documentation
Management’s documentation should support:
• Scoping decisions
• Evaluation of whether controls are designed to prevent or detect material misstatements
• The conclusion that the tests of operating effectiveness were planned and performed properly
• That test results were considered in determining its assertion
404: Documentation - Process
Four-step documentation process:
• Determine scope of documentation
• Develop process documentation
• Develop controls documentation
• Assess the design of controls
404: Documentation – Other Considerations
• All significant controls must be documented, including general computer controls and company-level controls
• The level of assurance from a control should be assessed (manual vs. automated / simple vs. complex)
• Control documentation should address six questions:
  • What is the risk?
  • What is the control activity?
  • Why is the activity performed?
  • Who performs the control?
  • When is the activity performed? (Frequency)
  • What mechanism is used to perform the activity?
404: Auditor Evaluation of Documentation
• Inadequate documentation is a deficiency.
404: Testing Approach
Four key steps:
• Identify controls to be tested
• Identify who will perform the testing
• Develop and execute a test plan
• Evaluate the results
404: Identifying Controls to Test
• Management must obtain reasonable assurance of operating effectiveness through testing.
• Management must address the operating effectiveness of controls over all five components of COSO.
• Evidence can include self-assessment, internal audit procedures, and ongoing monitoring activities.
• The need for detailed testing is not eliminated; rather, it is reduced through other evidence.
• Robust testing reduces the risk that deficiencies are first identified by the independent auditors during their testing phase, and allows adequate remediation time.
404: Nature & Extent of Testing
Level of assurance, from highest to lowest:
• Reperformance
• Examination
• Observation
• Inquiry
404: Evaluation – Deficiencies Defined
• Significant Deficiency – a control deficiency that adversely affects the company’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles.
• Material Weakness – a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected.
404: Evaluation of Deficiencies – Process
• Identify the Deficiencies
• Understand and Assess the Deficiency
• Assess the Likelihood of Misstatement
• Assess the Potential Magnitude of Misstatement
• Identify Compensating Controls
• Determine Classification of Deficiencies
• Assess Deficiencies in Aggregation with Others
404: Evaluation Criteria
Likelihood:
• Not whether a misstatement HAS occurred
• Is there a MORE THAN A REMOTE likelihood of occurrence?
Potential Magnitude:
• Size of POTENTIAL error that COULD occur
• Would the result be a more than inconsequential misstatement?
• Would the result be a material misstatement?
Given the Requirements for Section 404, How Does Management Ensure Readiness?
The following is a recommended 404 readiness approach:
Management:
• Initiate Project and Assess Risk
• Document and Evaluate Control Design
• Test Operating Effectiveness
• Remediate
• Prepare Report on Internal Control Over Financial Reporting
Auditor:
• Attest and Report
Throughout: Project Management Support and Continuous Improvement
Title IV Subgroup of the NAIC/AICPA’s Working Group
• Every insurer with $500 Million in premium will be required to submit an annual report from management on internal controls
• SEC registrants, insurer members of a group that is an SEC registrant, and companies that voluntarily comply must file the report with the insurance department
• IP Proposal to allow management reports by legal entity or as a “group of insurers”
• Management Report must include the following:
  • A statement that management is responsible for maintaining adequate controls over financial reporting
  • Management’s belief that the controls are effective
  • A description of the process used by management to evaluate the effectiveness of controls
  • Disclosure of unremediated material weaknesses in the controls
• May be no requirement for an independent auditor’s report or CPA attestation
• Proposed effective date for compliance: December 31, 2009
Overview – 404 for Actuaries: A Systematic Approach
Management’s Responsibility:
• 1) Take Inventory
• 2) Document Processes
• 3) Identify Risks
• 4) Identify Existing or New Controls
• 5) Test Design (5a: Remediate Gaps)
• 6) Test Operation (6a: Remediate Gaps)
Auditor:
• 7) Auditor Testing
Step 1 – Take Inventory
• Identify All Actuarial Balances
  • Gross Loss and LAE Reserves
  • Ceded Loss and LAE Reserves
  • Premium accruals for audits and retro rating
• Identify Actuarial Notes to Financial Statements
  • Current/prior year split; A&E reserves
• Identify Those That Are Significant
  • Loss and LAE reserves are significant
• Identify Those That Are Not Significant
  • Some subsets of reserves may not be significant
• Document
Step 2 – Identify and Document the Process(es) Associated with the Significant Balances
• Prerequisite to Identifying Points of Risk – a Roadmap is Needed
• The level of detail of the documentation is considered sufficient when:
  • A reasonably qualified person,
  • who is not intimately familiar with the process,
  • can obtain sufficient understanding of how the process and embedded controls operate,
  • in order to be able to perform objective validation thereof.
Roadmap to Actuarial Reserves (diagram; each reserve component is labelled with its GL account, owner and control matrix reference):
• Company IBNR – P&C Actuarial Controls 5.1.1.1 - 5.3.2.3; inputs from Product Management (Pricing, Trends), Financial Planning (Forecasted premium, U/W), P&C Accounting, and P&C Financial Reporting (4.2.1.1, 4.2.1.2, 4.3.1.1)
• Catastrophe IBNR – Claims Dept; P&C Financial Reporting (4.2.1.1, 4.2.1.2, 4.3.1.1)
• Voluntary Pools IBNR – Assumed Reinsurance & Pools Accounting (3.1.1.2, 5.1.1.2, 5.1.1.4); Reins Accounting Reserving Process
• Involuntary Pools IBNR – Assumed Reinsurance & Pools Accounting (3.1.1.2, 5.1.1.2, 5.1.1.4); Reins Accounting Reserving Process
Step 2 – Identify and Document the Process(es) Associated with the Significant Balances
• A Generic List of Processes Might Include:
  • Data Collection and Testing
  • Actuarial Judgments Relating to Methods/Assumptions
  • Actuarial Calculation Environment
  • Peer Review Procedures
  • Determination of Selected Estimates
  • Bridging the Gap between Actuarial Indications and Recorded Reserves
Step 3 – Identify Risks
• Risk of Material Financial Misstatement – Not Operational Risk
• Look for points in the process where a potential misstatement could occur (may be due to inherent risk or fraud risk):
  • Data
  • IT environment, including Spreadsheets
  • Methods, Calculations, and Assumptions
  • Actuarial Judgments
  • Management “Adjustments” or differences
  • Recording Reserve Changes
• Qualify Risk – High or Low
Step 4 – Identify Existing or New Control Activities
• Controls over a process are created to ensure:
  • Accuracy
  • Completeness
  • Validity
  • Restricted access
• Many actuarial processes have controls embedded into them!
• Consider a review of the ratio of case reserves to paid claims:
  • Is it a control over the appropriateness of the development method?
  • Is it part of the reserve estimating process?
• Some controls are automated; some are manual.
• There may not be a 1-to-1 correspondence between processes and controls, nor between risks and controls:
  • Some controls may mitigate many risks.
  • Some risks may be mitigated by a combination of controls.
Step 5 – Test the Design of Controls
• This was a new concept for actuaries.
• Walkthroughs can be a useful testing procedure for assessing whether the documentation accurately reflects actual controls.
• Evaluating the design effectiveness of a control is an attempt to look at the activity and decide whether it achieves its objective.
• The testing should consider how the control was applied, the consistency with which it was applied, and by whom it was applied.
• Only properly designed controls are capable of operating effectively.
Step 6 – Test the Operation of Controls
• This was also a new concept for actuaries.
• Testing the control involves determining that the control step was performed and that it achieved its intended function.
• Testing can be performed in the following ways:
  • Inquiry
  • Observation
  • Inspection/examination
  • Re-performance
• Documentation is required to give evidence of:
  • The performance of the control, and
  • The testing of the control’s operating effectiveness.
Step 5a or 6a – Remediate any Gap(s)
• When the evaluation of design reveals a missing key control, one must be created.
• When the test of a key control’s design yields a gap, it must be fixed (remediated).
• If the test of a key control’s operation yields a significant gap, it must be remediated:
  • May involve re-designing the control
  • For some processes, other controls effectively mitigated the risk and the key controls were redefined
• Management needs adequate time to remediate and re-test the design to avoid a control deficiency.
Step 7 – Auditor Testing of the Internal Controls
• By the time this happens, management’s documentation job should be essentially done (if it was done properly).
• The controls must already be in place and operating.
• The audit firm will need to:
  • Review management’s testing in support of management’s assertion,
  • Perform its own testing of the internal controls to support its opinion on the controls,
  • Evaluate whether deficiencies are inconsequential or significant, and
  • Determine if the deficiencies create a material weakness.
Internal Control – The Finish Line
• An opinion that controls are effective would require, at least, the following:
  • Processes for significant account balances and disclosures are adequately documented.
  • Control activities are designed and in place.
  • Control activities have been documented and communicated to employees.
  • Standardized controls with periodic testing for effective design and operation, with reporting to management.
Lessons Learned From Year One
• Need to use a systematic approach – attempting to start by identifying risks and controls is not efficient.
• Most companies had effective controls over the actuarial process but poor documentation. The key was to identify which steps in the process were controls.
• Common Gaps in Controls:
  • Spreadsheet controls
  • Controls over Actuarial Judgment
  • Bridging the gap between actuarial indication and management’s best estimate
Spreadsheets – Why the focus?
• An error in a spreadsheet at a major financial institution was a significant factor in a $1 billion misclassification of securities in the financial statements.
• Computer World published an article in May 2004 suggesting 20-40% of spreadsheets have errors, while testing by the University of Hawaii found a 91% error rate.
• The Journal of Property Management found 30 to 90% of spreadsheets have errors, with the highest percentage coming from complex sheets (more than 200 lines).
• Many companies rely heavily on spreadsheets.
Spreadsheets - Potential Risks
When evaluating risks, consider:
• Complexity
• Purpose
• Type of input
• Size of spreadsheet
• Sophistication of developer
• Uses of output
• Frequency of modification
• Development Cycle (testing, training, etc.)
Spreadsheets – Practical Steps
The following practical steps can be taken to ensure proper controls over spreadsheets:
• Inventory spreadsheets
• Evaluate the use and complexity of spreadsheets
• Determine the necessary level of controls for “key” spreadsheets
• Evaluate existing “as is” controls
• Develop an action plan for remediating deficiencies
Spreadsheets: Base Level Controls
Base level controls for spreadsheets should include:
• Change Control
• Version Control
• Access Control
• Input Control
• Security & Data Integrity
More complete controls should be in place for spreadsheets assessed as other than low priority.
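The change, version and access controls listed above can be checked mechanically against a spreadsheet inventory. The following is an added example, not code from the presentation or from any of the firms named; the inventory fields, the sample sheets and the access-log line format are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Constructed inventory record for one spreadsheet; the field names are hypothetical.
@dataclass(frozen=True)
class SheetRecord:
    path: str
    priority: str              # "key" or "low", from the use/complexity evaluation
    version: str               # version label approved at the last review
    baseline_sha256: str       # hash of the approved content
    allowed_editors: frozenset # access control: who may modify the sheet

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_change_control(records, current_files, approved_changes):
    """Change and version control: a sheet's content must equal its approved baseline
    or the hash recorded for an approved change. current_files maps path -> bytes;
    approved_changes maps path -> sha256 of the newly approved version."""
    findings = []
    for rec in records:
        data = current_files.get(rec.path)
        if data is None:
            findings.append((rec.path, "inventoried sheet not found"))
            continue
        actual = sha256_hex(data)
        if actual == rec.baseline_sha256 or approved_changes.get(rec.path) == actual:
            continue
        findings.append((rec.path, "content changed without approved change record"))
    return findings

def check_access_control(records, access_log):
    """Access control: flag modifications by users outside the allowed editor list.
    Log line format is constructed: 'user=<id> action=<verb> path=<path>'."""
    by_path = {rec.path: rec for rec in records}
    findings = []
    for line in access_log:
        fields = dict(part.split("=", 1) for part in line.split())
        rec = by_path.get(fields.get("path"))
        if rec and fields.get("action") == "modify" and fields.get("user") not in rec.allowed_editors:
            findings.append((rec.path, "modified by unauthorised user " + fields["user"]))
    return findings

# Constructed sample data: approved baselines, current contents, one approved change, a log.
BASE_A = b"ay,paid,case\n2004,100,20\n"
BASE_B = b"lob,ibnr_factor\nAuto,1.05\n"
RECORDS = [
    SheetRecord("reserves/ibnr_model.xls", "key", "v3", sha256_hex(BASE_A), frozenset({"actuary1", "actuary2"})),
    SheetRecord("reserves/factors.xls", "key", "v1", sha256_hex(BASE_B), frozenset({"actuary1"})),
    SheetRecord("reserves/archive.xls", "low", "v1", sha256_hex(b"old"), frozenset({"actuary1"})),
]
NEW_A = BASE_A + b"2005,150,30\n"           # approved change: a new accident year row
NEW_B = BASE_B.replace(b"1.05", b"1.50")     # unapproved edit to a key factor
CURRENT = {"reserves/ibnr_model.xls": NEW_A, "reserves/factors.xls": NEW_B}
APPROVED = {"reserves/ibnr_model.xls": sha256_hex(NEW_A)}
ACCESS_LOG = [
    "user=actuary1 action=modify path=reserves/ibnr_model.xls",
    "user=intern7 action=modify path=reserves/factors.xls",
    "user=intern7 action=read path=reserves/ibnr_model.xls",
]
```

Running `check_change_control(RECORDS, CURRENT, APPROVED)` flags the edited factor sheet and the missing archive sheet, and `check_access_control(RECORDS, ACCESS_LOG)` flags the modification by a user who is not an allowed editor.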
Reserving Process Flowchart (diagram):
• Inputs to the Actuarial Reserving Data Process: processed paid and case reserve adjustments from claims systems; manual paid and case reserve adjustments from the general ledger; earned premium and paid ULAE from the general ledger; reinsurance, pools and association adjustments (see Reins Accounting Cycle)
• The data is reconciled to the general ledger before feeding the Actuarial Reserving Analysis Process
• Other inputs to the analysis: claims initiatives, pricing activity reports, in-force policy reports, trends and other influences
• Outputs: reserve indications presented to the Reserve Committee; IBNR Recording Process; input for the IBNR funding model; accident-year profitability trends provided to business leaders
• Catastrophe reserve: see Claims Cycle
Reserving Risks and Control Objectives
Three Main Processes:
• Data
• Reserve Analysis
• Recording
Reserving Risks and Control Objectives
Data Process:
• Risk - Data utilized is not complete, accurate or timely, resulting in inaccurate reserve estimates
• Control Objective - Ensure the data utilized for the actuarial review of reserves is complete, accurate, and received in a timely manner
Reserving Risks and Control Objectives
Analysis:
• Risk - Use of or reliance on inappropriate methodologies or underlying assumptions may result in inaccurate estimates of the liabilities
• Control Objective - Ensure the methods and assumptions used in calculating reserve estimates are in accordance with standards as promulgated by the Casualty Actuarial Society, to ensure completeness, consistency, and reasonableness
Reserving Risks and Control Objectives
Recording:
• Risk - Adjustments to IBNR are not valid or are recorded incorrectly, resulting in inaccurate financial statements
• Control Objective - Ensure adjustments to IBNR are valid and recorded correctly within the financial statements
Key Mitigating Controls - Data
• Detailed Close Schedule - A detailed close schedule for the reserving unit's quarterly reserving analysis is prepared and monitored.
• Balance Processed Data - A reconciliation between the Loss Reserving System and the Corporate Claims System is performed.
• Balance Data to the General Ledger - A reconciliation between the data underlying the Reserve analysis and that contained in the General Ledger is performed PRIOR to starting reserve analysis.
• Balance Data to the General Ledger - A reconciliation between the data underlying the Reserve analysis and that contained in the General Ledger is performed AFTER reserve analysis is completed.
• Communication to Senior Management - The Lead Reserving Actuary "signs off" that information in key management reports is both accurate and complete.
• Systems Security - Access to the server containing reserving files is limited to members of the reserving unit.
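The "Balance Data to the General Ledger" controls above amount to a keyed comparison of two extracts with a tolerance and a gate on unexplained differences. The following is an added example, not code from the presentation or from The Hanover Insurance Group; the lines of business, amounts and the $1,000 tolerance are constructed sample data.

```python
from decimal import Decimal

# Constructed extracts: (line of business, field) -> amount, as the Loss Reserving
# System and the General Ledger might each report them at quarter close.
RESERVING_SYSTEM = {
    ("Auto Liability", "paid"): Decimal("1250000.00"),
    ("Auto Liability", "case"): Decimal("830000.00"),
    ("Workers Comp", "paid"): Decimal("2100500.00"),
    ("Workers Comp", "case"): Decimal("1975000.00"),
    ("Homeowners", "paid"): Decimal("640000.00"),
}
GENERAL_LEDGER = {
    ("Auto Liability", "paid"): Decimal("1250000.00"),
    ("Auto Liability", "case"): Decimal("830450.00"),   # within tolerance
    ("Workers Comp", "paid"): Decimal("2100500.00"),
    ("Workers Comp", "case"): Decimal("1925000.00"),    # 50,000 unexplained difference
    ("Homeowners", "paid"): Decimal("640000.00"),
    ("Homeowners", "case"): Decimal("210000.00"),       # absent from the reserving extract
}

def reconcile(reserving, ledger, tolerance=Decimal("1000.00")):
    """Compare every (line, field) present in either source. An item is an exception
    when it exists in only one source or the difference exceeds the agreed tolerance.
    The same routine serves the PRIOR and AFTER reconciliations; only the inputs differ."""
    exceptions = []
    for key in sorted(set(reserving) | set(ledger)):
        r, g = reserving.get(key), ledger.get(key)
        if r is None or g is None:
            exceptions.append({"item": key, "reason": "present in only one source",
                               "difference": None})
        elif abs(r - g) > tolerance:
            exceptions.append({"item": key, "reason": "difference exceeds tolerance",
                               "difference": r - g})
    return exceptions

def reconciliation_gate(exceptions, explained_items):
    """The control itself: analysis may start (PRIOR) or results may be released (AFTER)
    only when every exception carries a documented explanation.
    Returns (passed, list of unexplained items) so the open items can be followed up."""
    unexplained = [e["item"] for e in exceptions if e["item"] not in explained_items]
    return (not unexplained, unexplained)

if __name__ == "__main__":
    exc = reconcile(RESERVING_SYSTEM, GENERAL_LEDGER)
    for e in exc:
        print(e["item"], e["reason"], e["difference"])
    passed, open_items = reconciliation_gate(exc, explained_items={("Homeowners", "case")})
    print("reconciliation passed:", passed, "open items:", open_items)
```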