Sarbanes-Oxley Section 404: Internal Controls and Financial Reporting. A Perspective for Property-Casualty Insurance Companies CAS Risk and Capital Management Seminar July 28, 2003. Presenters. Brian Reilly Currently Chief Auditor at Travelers Property Casualty Corp.
Sarbanes-Oxley Section 404: Internal Controls and Financial Reporting
A Perspective for Property-Casualty Insurance Companies
CAS Risk and Capital Management Seminar
July 28, 2003
Presenters
• Brian Reilly
  • Currently Chief Auditor at Travelers Property Casualty Corp.
  • Previously an audit partner at Arthur Andersen LLP and head of New England Insurance Practice.
• Edward Chanda
  • Ed is a partner at KPMG LLP.
  • He is based in Hartford and has 14 years of experience serving clients in the insurance industry.
• Chris Nyce, FCAS, MAAA
  • Currently a Manager in the Actuarial Practice of KPMG LLP.
  • Previously Actuarial Pricing officer and Reserving Officer for a national P&C company.
  • Previously Company Head Underwriting officer for Standard Commercial, and Large Commercial Accounts.
Topics for Discussion
• Overview of Sarbanes-Oxley Section 404
• Management Perspective
• Actuarial Perspective
• Auditor Perspective
• Value Added Opportunities
• Questions & Answers
Overview of Sarbanes-Oxley Section 404
• Annual Assessment of Internal Control
  • Management’s annual report on internal control must:
    • State management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and
    • Contain management’s assessment, as of year-end, of the procedures for financial reporting
  • Independent auditor must attest to and report on management’s assessment in accordance with standards issued or adopted by the PCAOB
Definition of Internal Control
• In the US, the most common reference is to the COSO report, Internal Control – An Integrated Framework
  Internal control is a process—effected by an entity’s board of directors, management, and other personnel—designed to provide reasonable assurance regarding the achievement of objectives in the following categories: reliability of financial reporting; effectiveness and efficiency of operations; and compliance with applicable laws and regulations
• Focus for §404 is on reliability of financial reporting
• COSO provides detailed internal control criteria and defines five components of internal control
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring
Focus on Significant Controls
• Determine which controls are significant
  • Controls that address significant classes of transactions, account balances, disclosures and related assertions
  • Consider likelihood that control failure could cause misstatements and the potential magnitude
• Must include:
  • Fraud programs and controls
  • Controls on which other controls are dependent (e.g., general controls)
  • Controls over significant non-routine transactions, journal entries, and accounts involving judgments and estimates
  • Controls over closing process and preparing F/S
Auditing Standards for Internal Control
• The Accounting Standards Board (ASB) of the AICPA has proposed standards for Section 404
• The SEC’s input is reflected in the Exposure Draft issued by the ASB
• These standards may be subject to change, perhaps significantly, by the Public Company Oversight Board (PCAOB)
TPC 404 Approach Overview
• Methodology
  • COSO-based framework is the foundation
  • Financial statement analysis includes linkage to transaction flows
  • Thorough filtering process to determine the most effective and efficient level of documentation and testing of financial, operational, and system-based controls
• Resources
  • Business units are completing COSO-based risk assessment for their operations
  • Business units are documenting key controls and assessing adequacy of control design and operating effectiveness
  • ARR linking financial analysis and key controls to existing audit work performed
  • ARR and management to conduct additional control validation for areas not recently audited
• Reporting
  • Findings and conclusions to be aggregated and presented to Senior Management
  • Corrective action plans to be developed and executed where appropriate
  • Results of Management’s evaluation of internal controls and procedures over financial reporting as of December 31, 2003 to be presented to Audit Committee in January 2004
Internal Controls as part of the “Five Component” Framework Impacting Actuarial Responsibilities
• Recalling the five component framework includes
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring Activities
• And underpinning these are four key risk areas for Property/Casualty
  • Underwriting and Claims Operations
  • Data Gathering and Interpreting
  • Performing Analysis/Compiling Results
  • Management Review Process
• And evaluating for each risk area:
  • Completeness: Is something missing?
  • Accuracy: Is information accurate?
  • Judgments: Are judgments appropriate?
Estimated Balances Must Properly Reflect the Following Company Operations
[Diagram labels: Source A, Source B, Source C, Source Z; Company Risk Assumption/Underwriting Practices; Company IT/Data Design and Collection Process; Company Claims Handling and Settlement Practices; Information and Communication; Perform Estimates and Analysis; Review and Communication Process; Committee Process; Input into Accounting System & Review]
Estimation processes include multiple intervention points with areas of judgment and interpretation at each point within the process
Estimated Balances Must Properly Reflect the Following Company Operations
[Diagram repeated with the labels: Underwriting and Claims; Data; Analysis; Management Review Process]
Risk Assessments and Control Activities
• Underwriting and Claims
  • Guidelines in place controlling what risks the company will assume
  • Monitoring in place to assure guidelines are followed
  • Claims process is well understood and changes controlled
  • Case reserving guidelines in place and compliance monitored
Risk Assessments and Control Activities
• Data
  • Controls to ensure data is accurate and complete
  • Data is available to enable comprehensive analysis
  • Data is available to monitor compliance with Claims and Underwriting controls
  • Data is available to support management review needs, including tracking of trends
Risk Assessments and Control Activities
• Analysis
  • Access to data is sufficiently convenient to analysts
  • Available information is incorporated in analysis
  • Communication process with underwriting, claims, management is sufficient
  • Appropriate methods are used
  • Communication of results to management is clear
Risk Assessments and Control Activities
• Management Review Process
  • Process to determine booked reserves is reasonable
  • Reserve Committee and management review is effective
  • Underlying assumptions, such as trends, are validated
Examples of Internal Controls affecting Estimates
Auditors’ Approach to 404 Attestation
• Planning – Obtain an understanding of management’s process:
  • Select and apply a framework (i.e. COSO)
  • Identify significant account balances, classes of transactions and subsidiaries/other locations
• Tests of design – Assess whether management’s identified controls are appropriate for meeting financial statement assertions (in accordance with COSO):
  • Inspect documentation prepared by management
  • Perform “walkthroughs” of processes
  • Inquire, observe, inspect control documentation supporting identified controls
• Tests of operating effectiveness – Consider the results of Internal Audit/Management testing:
  • Perform independent tests regarding general controls, financial reporting non-routine transaction and fraud
  • Re-perform a selection of tests performed by Internal Audit/Management
  • Perform a selection of independent tests (beyond Internal Audit/Management)
• Reporting
  • Analyze impact of exceptions (if any)
Comparison of Audit of Control Evaluation
• Control Environment Evaluation
  • Audit
    • Obtain knowledge sufficient to enable us to identify and understand the events, transactions and practices that, in our judgment, may have significant effect on the financial statements.
  • Section 404
    • Perform tests of both design and operating effectiveness for each element of the control environment. The nature, extent and timing of tests are more extensive.
• Risk Assessment
  • Audit
    • Obtain an understanding of strategic business risks (“SBRs”), including their financial statement implications, and identify significant classes of transactions (“SCOTs”) and the key processes that generate them.
  • Section 404
    • Evaluate the design and test the effectiveness of management’s risk assessment process in addition to considering the specific risks identified.
Auditors’ Approach to 404 Attestation, Cont.
• Design Evaluation
  • Audit
    • Obtain an understanding of how each key process operates focused on the identified SBRs and SCOTs.
  • Section 404
    • Identify expanded scope of control activities that cover a much broader range of controls than those that would historically have been included in an audit.
• Testing Operating Effectiveness
  • Audit
    • Test control activities throughout the year, focusing on the SBRs and SCOTs identified in the risk assessment process.
  • Section 404
    • Test control activities close to the end of the year (as of date), focusing on a much broader scope of control activities than the audit.
Auditors’ Approach to 404 Attestation, Cont.
• Substantive Procedures
  • Audit
    • Perform substantive procedures as required by generally accepted auditing standards, including tests of details or analytical procedures for each material account balance and class of transaction. Some level of substantive procedures will always be required for an audit due to inherent limitations in internal control and because internal control can be overridden.
  • Section 404
    • None required.
• Reporting
  • Audit
    • Report on whether the financial statements, in all material respects, are free of material misstatements, as of and for the year ending December 31, 2003. Exceptions, if any, are evaluated as audit differences.
  • Section 404
    • Report on whether the Company maintained, in all material respects, effective internal control over financial reporting, as of December 31, 2003. Exceptions, if any, are evaluated to determine if they represent significant deficiencies or material weaknesses. Audit differences identified as part of the audit need to be considered in this evaluation.
While Sarbanes-Oxley 404 increases the documentation burden, it also provides opportunities:
• Sarbanes-Oxley 404 gives an opportunity to:
  • For Companies:
    • Gain more information and control over factors impacting current results, and more control in situations of market or company stress
    • Expect more responsible competition, as competitors sharpen controls around reporting current loss ratios, reducing irrational price competition
    • Increased awareness of the impact of changes
  • For Actuaries:
    • Expand reserve analysis to take into account issues that have caused past variability by instituting meaningful controls enhancing the precision of estimates
    • Actuaries can expand professionally, becoming more involved and aware in all competencies of risk assessment, such as underwriting and claims
  • For Auditors:
    • Reduce the chance of audit failures due to lack of company controls (such as Enron)
    • Expand and deepen the audit relationship with client companies