Introduction of Panel Members

margo
Presentation Transcript


    1. Introduction of Panel Members

    2. Sarbanes-Oxley Act of 2002
       The Act was signed into law on July 30, 2002.
       - Title I: Public Company Accounting Oversight Board
       - Title II: Auditor Independence
       - Title III: Corporate Responsibility
       - Title IV: Enhanced Financial Disclosures
       - Title V: Analyst Conflicts of Interest
       - Title VI: Commission Resources and Authority
       - Title VII: Studies and Reports
       - Title VIII: Corporate and Criminal Fraud Accountability
       - Title IX: White Collar Crime Penalty Enhancements
       - Title X: Corporate Tax Returns
       - Title XI: Corporate Fraud and Accountability

    3. Title II - Auditor Independence
       - Regulates non-audit services provided to audit clients: Bookkeeping, Financial IS Design & Implementation, Valuations, Actuarial Services, Internal Audit, Management Functions, HR
       - Actuarial Services allowed under 2000 rules generally are still allowed but cannot (1) audit own work, (2) perform management functions, (3) act as an advocate
       - Requires pre-approval of non-audit services
       - Audit Partner rotation after five years
       - Prohibits auditors from joining management within one year
       - Certain matters must be reported to audit committee
       - Audit Partner compensation may not be tied to non-audit services sales

    4. Section 302 – Requires the CEO and CFO
       - To attest that they have reviewed the annual and quarterly reports and that the reports do not contain any materially false or misleading statements and fairly represent the financial condition and results.
       - To indicate their responsibility for establishing and maintaining internal controls, that they have designed such internal controls to ensure that material information will be made known, have evaluated the effectiveness of the internal controls, and present their conclusions in the report.
       - To disclose to the auditors and the audit committee all significant deficiencies in the design or operation of the internal controls and any fraud that involves any management or employee with significant roles in the internal controls.
       - To indicate any significant changes in controls, including any corrective actions.

    5. Section 404 – Requires the SEC to Prescribe Rules
       - Requiring management to annually state their responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting.
       - Requiring an assessment of the effectiveness of the internal control structure and procedures.
       - Requiring the auditor to attest to and report on the assessment that management made.

    6. Section 404 Final Rule Provisions
       - Section 404 Annual Assessment
       - Section 404 Auditor Attestation
       - Section 302 Quarterly Certifications

    7. Section 404 Final Rule Provisions: Section 404 Annual Assessment
       - Compliance dates:
         - Most domestic clients: for fiscal years ending on or after June 15, 2004.
         - Foreign private issuers: for fiscal years ending on or after April 15, 2005.
       - Definition of “internal control over financial reporting”:
         - Encompasses internal controls addressed in the COSO Report that pertain to financial reporting objectives.
         - Includes controls over safeguarding assets.
       - Management’s report to include statements of:
         - Management’s responsibility for establishing and maintaining adequate internal control over financial reporting.
         - Management’s assessment of the effectiveness of such controls.
         - Identification of the framework used to evaluate effectiveness.
         - Attestation made by external auditor.
       - COSO is an accepted standard for management’s assessment. See graphic on next page.

    8. The Five Components under the COSO Framework

    9. Section 404 Final Rule Provisions: Section 404 Annual Assessment
       - Management’s assessment must be based on procedures sufficient both to evaluate design and test operating effectiveness. Inquiry alone will generally not provide an adequate basis for assessment.
       - Management must maintain evidential matter, including documentation, to provide reasonable support for its assessment and testing of both design and operating effectiveness.
       - Any material weakness in internal control over financial reporting must be disclosed by management in its assessment.
       - Management is also precluded from reporting that internal control over financial reporting is effective if a material weakness is detected.

    10. Section 404 Final Rule Provisions: Section 404 Annual Assessment
       - Guidance on controls subject to management’s assessment:
         - Controls over initiating, recording, processing and reconciling accounts, transactions, and disclosure and related assertions in financials
         - Controls related to the initiation and processing of non-routine and non-systematic transactions
         - Controls related to the selection and application of appropriate accounting policies
         - Controls related to the prevention, identification, and detection of fraud
       - Reiteration of guidance regarding auditor independence:
         - Auditors may assist management in documenting internal controls.
         - Management must be actively involved in the process; cannot delegate assessment responsibility to the auditor.

    11. Section 404 Final Rule Provisions: Auditor Attestation
       - The registered public accounting firm’s attestation report must be filed as part of the annual report.
       - Reiteration of PCAOB’s responsibility for setting 404 attestation standards for registered public accountants
       - Interim adoption of auditing standards in existence as of April 16, 2003
       - PwC’s position: the attestation exposure draft (AT501) issued by ASB (and not adopted by PCAOB) provides clarification of existing standards and we will use it as interim guidance
       - Scope of auditor’s work will include independent testing of controls as well as testing of management’s assessment process
       - Scope of controls testing will include testing over areas involving judgements and estimates

    12. Section 404 Final Rule Provisions: 302 Quarterly Certifications
       - No change in requirement for Section 302 quarterly evaluation of disclosure controls and procedures (DC&P) and disclosure of conclusions regarding effectiveness of DC&P.
       - Quarterly disclosure in 302 certification of material changes in internal control over financial reporting rather than repetition of Section 404 annual assessment.
       - Evaluation date is as of the end of the period covered by the report.
       - Section 302 certifications filed as exhibits to all applicable SEC reports
       - There is latitude for issuers in determining which internal controls over financial reporting are included in the Company’s inventory of disclosure controls and procedures under Section 302.

       Regarding disclosure controls and procedures versus internal controls over financial reporting: The rule states that while the two types of controls are similar in nature, neither one is a complete subset of the other. Disclosure controls will include the components of internal control over financial reporting that reasonably assure financial statements are prepared in accordance with GAAP, but may not include other components of internal control over financial reporting such as safeguarding of assets. The rule gives the example of the control of dual signatures on checks that, while part of internal control over financial reporting, may not necessarily be part of disclosure controls and procedures of a particular company.

    13. Current Situation
       - Understanding the 404 Attestation
       - Status of Compliance with Sections 302 and 404
       - Key Challenges

    14. Understanding the 404 Attestation: Comparison to Audit of Financial Statements
       - Audit of Financial Statements
         - Understanding and consideration of internal controls only to develop the audit approach
         - Overall objective is the rendering of an opinion on the financial statements, not to opine on internal controls
         - Internal control reports have been very rare in practice and are the subject of different professional standards
       - 404 Attestation
         - 100% controls-based approach
         - Must evaluate and test controls across business and functional areas to opine on effectiveness (broad and deep) over financial reporting.
         - A historical lack of errors in financial statements is not, in itself, de facto evidence of appropriate internal control over financial reporting.

    15. Understanding the 404 Attestation – Management Documentation
       Under the AT 501 Exposure Draft, management provides documentation of the following:
       - Significant controls and control objectives, including:
         - Controls, including IT general controls, on which other controls are dependent
         - Anti-fraud programs and controls
         - Controls over the period-end financial reporting process
       - Locations and business units included in assessment
       - Review and evaluation of design effectiveness
       - Assessment of operating effectiveness including tests
       - Evaluation of control deficiencies to determine whether they are significant deficiencies or material weaknesses
       - Written assertion about effectiveness of controls over financial reporting
       - Communication of findings to auditor and audit committee

    16. Status of Compliance with Sections 302 and 404
       - Many 302 efforts center largely around executive management and disclosure committee
         - Supported by cascades of representation letters
         - Varying levels of detailed evidence of design/operating effectiveness
         - Varying methodologies in basis for self-evaluation
       - Existing documentation of design of controls required under Section 404:
         - Frequency of updates for changes in systems or business processes varies
         - Not always modified for new reporting, accounting, and disclosure developments
       - Level of required review and documentation is more rigorous and complex than many companies anticipated.
       - Companies need the extra time gained from delay in implementation of Section 404 requirements in order to comply.

    17. Key Challenges: Overall Process
       - Documenting and evaluating design of controls vs. testing controls
         - Who – management, internal auditor, external auditor, consultant?
         - What – entity vs. activity level controls?
         - How – periodic vs. ongoing?
         - When – interim vs. year-end?
         - Where – which entities/locations are in scope?
       - Creating an evaluation planning mindset using materiality, including qualitative criteria
       - Mapping controls to significant accounts, classes of transactions, disclosures and vice-versa
       - Planning efforts at subsidiaries/divisions based on relative significance
       - Determining how service providers impact the evaluation

    18. Key Challenges: Overall Process
       - Reporting relative control impacts to audit committee
       - Reporting 404-control issues publicly, with appropriate perspective
       - Determining impact of material weaknesses on quarterly certifications, current and previously filed
       - Creating an internal control reporting process that is built into the control structure, including tools such as:
         - Documentation aids
         - Dashboards
         - Compliance monitoring tools
       - Optimizing the efficiency of internal control effectiveness reporting

    19. Key Challenges: Finding a Common Language to Discuss “Quality of Controls”
       - Needed by audit committees to evidence oversight
       - Expected by regulators
       - Important that technical and judgmental elements of final assessment are communicated and understood
       - To be effective, audit committees will require:
         - Perspective to sort out material, “significant” and lesser deficiencies
         - Definitions of materiality that are reconciled by management from planning through execution, to conclusion
         - Consistent processes to summarize, categorize, assess, discuss and conclude on relative control issues
         - Protocols developed in advance to govern the execution of the above processes

    20. Overview of Actuarial Process – Illustration of P/C Reserving
       One of the best ways to get started with planning/scoping is to create a process map of the company's reserving process: from the source data, to the calculations, interactions with other departments, to the final actuarial estimates, and to the meetings with finance and other executives as the final reserves are decided. Once the process is mapped out, you can begin to see the areas where different points of risk emerge, in the cracks and crevices, when things don't always work out as smoothly as you would have liked.

    21. Control Environment – Potential Elements
       - Corporate values and code of ethics
         - Established, widely communicated, management and staff “walks the talk”
       - Clearly defined roles and responsibilities
       - Corporate organization structure for reserving actuary
         - Can a conflicting reserve opinion be heard by CFO, CEO, Chairman, Audit Committee?
       - Effectiveness of staff and management
       - Familiarity, understanding and training of Audit Committee members with reserving topics.

       Mention/reinforce how all 5 components of the control framework need to be present for a control to be considered effective. We will be walking through some considerations for each of the 5 components of the COSO framework.

    22. Risk Assessment – Potential Elements
       - Is claim and premium coding valid and accurate?
       - Do systems correctly employ coded transactions to produce reserving reports?
         - Schedule P, actuarial reserving triangles, etc.
       - Have all appropriate actuarial methods been employed?
       - Are all corporate initiatives considered in reserve projections?
         - Underwriting, pricing, claims, expense and other initiatives.
       - Have external environment events been considered in reserve projections?
         - Inflation trends, legislative activity, demographics, weather, etc.

    23. Risk Assessment – Potential Elements (2)
       - Where are the key actuarial judgment points for each reserve?
         - Development patterns, loss ratios, price changes
       - Has the actuarial profession's “Statement of Principles” been considered?
         - Data organization, homogeneity, credibility, frequency and severity, etc.
       - Where are the key management judgment points for each reserve?
         - Adjustments, bulk loadings, etc.
       - What spreadsheets are used in the testing of reserves?
         - Cell formulae, manual changes
       - SAP vs. GAAP differences

    24. Control Activities – Potential Elements
       - Documented Processes
       - Data Reconciliation
       - Checklist of Procedures
       - Approval of Deviations
       - Documentation of Judgments
       - Documentation of External Inputs
       - Peer Reviews
       - Does someone outside the reserve process verify completion of all procedures?

       Control activities: the point with the label "documented processes" is that these control activities need to be documented, right? But it's not just about documentation: the control activity needs to occur, and then evidence must be available (e.g., documentation) to demonstrate the control procedure was done.

    25. P/C Reserving Process – What Do You Have to Do
       - Document the Reserving Process
         - Prerequisite to Identifying Points of Risk – Roadmap is Needed
         - Scope, Data Collection/Evaluation, Methods/Assumptions, Review Procedures, Bridging between Actuarial and Recorded
         - “How Much is Enough” Varies Among Companies
       - Identify Points of Risks
       - Design Control Activities or Identify Existing Control Activities to Mitigate Risks
       - Document the Control Activities and their Function
       - Monitor Effectiveness of Control Activities over Time

    26. Other Control Components – Potential Elements
       - Information & Communication
         - Input into reserving process – Are there control processes established for input into the reserving processes?
           - Loss and Premium Data
           - Ceded Reinsurance
           - Input of Pricing, Underwriting, Claims into Process
         - Output of reserving process – Communicating results to senior management
           - Is there a formal delivery package for reserve results each quarter?
           - What is lead actuary’s role in approving recorded reserves?
       - Monitoring
         - Are exceptions or surprises evaluated? Were there controls in place? Why were those controls not effective?
         - Are post-mortem meetings conducted?
         - Is input from those outside of the reserving process (e.g., top management, third party actuaries, external and internal auditors) considered in re-evaluations of the process?

    27. Internal Controls Maturity Framework
       - Level 1 – Unreliable
         - Unpredictable environment where control activities are not designed or in place
       - Level 2 – Informal
         - Disclosure Activities and Controls are designed and in place but are not adequately documented
         - Controls mostly dependent on people
         - No formal training or communication of control activities
       - Level 3 – Standardized
         - Control activities are designed and in place
         - Control activities have been documented and communicated to employees
         - Deviations from control activities will likely not be detected
       - Level 4 – Monitored
         - Standardized controls with periodic testing for effective design and operation with reporting to management
         - Automation and tools may be used in a limited way to support control activities
       - Level 5 – Optimized
         - An integrated internal control framework with real time monitoring by management with continuous improvement (Enterprise-Wide Risk Management)
         - Automation and tools are used to support controls activities and allow the organization to make rapid changes to the control activities if needed

       The Internal Controls Maturity Framework can be applied to an entire company, a single business unit of a company, a department, a function, or a process. There is flexibility in how it can be used. In the context of certification requirements: Many businesses are in the informal state because controls may exist but have not been sufficiently documented. Even though a company has an internal audit department, they may still be at the “Informal” stage if controls have not been sufficiently documented. To be ready for an auditor attest (under Section 404), companies should be between Levels 3 and 4. Ideally, at Level 4. If companies are at the highest Level, #5, then it is likely that they could submit a sufficient certification at any time during the year. They typically have a sophisticated, integrated real-time system of assuring changing risks and monitoring controls year-round.

    28. Questions For Company Actuaries
       From a big picture, company actuaries need to ask themselves . . .
       - Are there adequate controls in place around the actuarial reserving process that impact financial reporting?
       - What does the internal control structure look like and how does it operate?
       - Are these controls formal or informal?
       - Are they documented and current?
       - Are they monitored and tested?
       - Who is accountable?

    29. Questions For Company Actuaries (2)
       From a big picture, company actuaries need to ask themselves . . .
       - How will management assess the ongoing effectiveness of controls?
       - How are control issues tracked and evaluated?
       - What are the critical control activities?
       - How will I demonstrate that I have reviewed the controls every quarter?
       - What actuarial outputs impact the financial statements and footnotes?
