Casualty Loss Reserve Seminar
General Session II
September 9, 2003
Section 302/404 of Sarbanes-Oxley Act
What Actuaries Need to Know
Jan A. Lommele, FCAS, MAAA, FCA

Overview of the Act (and the Related SEC Rules)
• Became law July 30, 2002
• Key features:
  • Established an independent, full-time Public Company Accounting and Oversight Board (PCAOB) to establish auditing standards and to regulate the independent auditors for all SEC registrants
  • Set forth specific auditor independence requirements
  • Specified corporate responsibility including:
    • Management's responsibility for financial reporting and internal controls and
    • Audit committee standards and requirements
  • Enacted new rules relevant to attorneys, securities analysts and brokers/dealers
  • Established corporate and criminal penalties

Objectives of Internal Control Requirements
• Restore public trust and confidence in the public securities markets
• Improve corporate governance and promote ethical business practices
• Enhance transparency and completeness of financial statements and disclosures
• Ensure that company executives are aware of material information emanating from a well-controlled environment
• Hold company management accountable for material information that is filed with the SEC and released to investors
• Achieve new levels of corporate excellence

Overview of Internal Control Requirements
Section 302 (Evaluation and Certification)
• CEO and CFO to certify quarterly and annually:
  • Financial information contains no untrue statements and is fairly presented in all material respects
  • Effectiveness of their disclosure controls and procedures
  • Disclosed certain changes in internal controls over financial reporting
• Became effective in 2002 (amended in June 2003)

Definition of Disclosure Controls and Procedures
• Designed to ensure that required disclosed information is recorded, processed, summarized, and reported within the time periods specified by the SEC
• Includes controls and procedures to help ensure that information is accumulated and communicated to executive management to allow timely decisions regarding required disclosure

Definition of Internal Control over Financial Reporting
A process designed by, or under the supervision of, the registrant’s principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes:
• Maintenance of records in reasonable detail
• Proper recording and authorization of transactions
• Safeguarding of assets

Disclosure Controls vs. Financial Reporting Controls
[Diagram. Labels: Annual Report on Form 10-K; Company; Business; Properties; Legal Proceedings; Financial Statements (Balance Sheet, Income Statement, Cash Flow, Notes); Disclosure Controls Procedures; Internal Controls Over Financial Reporting]

Overview of Internal Control Requirements
Section 302 (Evaluation and Certification)
• CEO and CFO to certify quarterly and annually:
  • Financial information contains no untrue statements and is fairly presented in all material respects
  • Effectiveness of their disclosure controls and procedures
  • Disclosed certain changes in internal controls over financial reporting
• Became effective in 2002 (amended in June 2003)
Section 404 (Assessment and Report)
• CEO and CFO to include certain statements and conclusions relating to internal control over financial reporting in their annual report
• Effective for annual periods ending after June 15, 2004 (small business and foreign filers April 15, 2005)

Management’s Report under 404
• The following must be included:
  • Management is responsible for establishing and maintaining effective internal controls over financial reporting
  • The internal control framework used by management to evaluate internal controls over financial reporting (e.g. COSO)
  • Management’s assessment of internal controls over financial reporting at the date of its assertion
  • Identification of any material weaknesses at the date of the assertion
  • A statement that the registered public accounting firm that audited the company's financial statements has issued an attestation report on management's assessment of the company's internal control over financial reporting

What is COSO
• The process to determine whether internal control is adequately designed, executed, effective and adaptive
• The process which ensures that relevant information is identified and communicated in a timely manner
• The policies and procedures that help ensure that actions identified to manage risk are executed and timely
• The evaluation of internal and external factors that impact an organization’s performance
• The control conscience of an organization. The “tone at the top”

404: Key Provisions
• Assessment must be based on procedures sufficient to both:
  • Evaluate the effectiveness of the design of internal control over financial reporting
  • Test and document their operating effectiveness
• Must have evidential matter, including documentation, to provide reasonable support
• Management cannot state that internal controls over financial reporting are effective if a material weakness exists at the date of its assertion

404: Key Provisions as Set Forth in the Act
• Management is responsible for documenting and evaluating internal control over financial reporting in order to make the required certifications
• Auditors cannot perform management functions without impairing independence
• Auditors can advise and assist management as management documents its internal controls over financial reporting; however, management has to be actively engaged in all aspects

Understanding Control Deficiencies
• Control deficiency is a flaw in the design, implementation, and/or operating effectiveness of a control activity that could adversely affect the company’s ability to initiate, record, process, summarize, and report accurate financial and nonfinancial data.
• Significant deficiency is an internal control deficiency in a significant control or an aggregation of such deficiencies that could result in a misstatement of the financial statements that is more than inconsequential.
• Material weakness is a significant deficiency or aggregation of deficiencies that precludes the internal control from providing reasonable assurance that material misstatements will be prevented or detected on a timely basis by employees in the normal course of performing their assigned functions.

COSO - Process Level for Risk Assessment and Control Activity
• Identify the significant processes and related IT systems; e.g. loss reserve process
• Evaluate the effectiveness of the design of internal control by:
  • Documenting the process; e.g. flowcharts, narratives
  • Identifying the relevant objectives; e.g. valuation of loss reserves
  • Identifying the key risks that may impair meeting the objective; e.g. historical claim data is not accurate
  • Developing a response (control activity) to mitigate the risk; e.g. controls over the input and maintenance of actual claims

COSO - Process Level
• Obtain evidence that the controls are in fact operating effectively:
  • Self-assessment
  • Internal Audit
• Identify any control gaps or operating deficiencies
• Aggregate for consideration under 302/404
• Remediate

Jeff Getz (Open): Jan, I am not the insurance expert, but this might list the typical processes/sub-processes that an actuary may be involved in as it relates to IC. I think this needs some refining.
Examples of Loss Reserve Internal Controls
• Data flows from the financial system to the loss reserve system
• Estimation processes underlying the loss reserve methods
• Timing of and responsibility for the reviews
• Balancing company actuarial loss reserves, and other reserves (e.g., pools) to the financial reports

Management’s Assessment
Should include, but is not limited to:
• Controls over initiating, recording, processing, and reconciling account balances, classes of transactions, and disclosure and related assertions
• Controls related to the initiation and processing of non-routine and non-systematic transactions
• Controls related to the selection and application of appropriate accounting policies
• Controls related to the prevention, identification, and detection of fraud

Evidential Matter
• Management should have reasonable support:
  • For the evaluation of whether the control is designed to prevent or detect material misstatement or omissions
  • For the conclusion that the tests were appropriately planned and performed
  • That the results of the tests were appropriately considered
• Management will also be required to provide adequate support for their assessment to enable the auditor to perform their attestation procedures

Controls Documentation
• Documentation to support management’s assessment may take various forms: policy manuals, accounting manuals, narrative memoranda, flow charts, decision tables, procedural write-ups, or completed questionnaires.
• The extent of documentation is expected to vary depending on the size and complexity of the entity

Group Discussion
• You’re on a 404 Implementation Team for Loss Reserves
• Possible considerations from the company perspective?