The National Association of Insurance Commissioners (NAIC) Annual Financial Reporting Model Regulation, also known as the Model Audit Rule (MAR), requires that private insurance companies with direct premiums written and assumed in excess of $500 million per year adopt corporate governance and reporting standards. The Model Audit Rule, originally issued to drive consistency across insurance regulators, was modified in 2006 and took effect in 2010. The new modifications within the Model Audit Rule are very similar to those of the Sarbanes-Oxley Act of 2002 (SOX or Sarbanes-Oxley), which was issued in response to several high-profile fraudulent financial reporting scandals at large public corporations. These scandals placed a much greater emphasis on the accuracy of companies’ financial statements and the method by which they were assembled.
External Auditor Independence – Prohibits the external audit firm from providing the following “non-audit” services to an external audit client: bookkeeping, financial information systems design and implementation, actuarial services, internal audit outsourcing services, management or human resource services, and/or expert service unrelated to audit.
Corporate and Audit Committee Oversight – Creates requirements on the makeup of the audit committee based on the insurance activity of the company and state. The audit committee is responsible for appointment, compensation and oversight of external auditors; holding company ownership structures require a separate audit committee for each legal entity, but only at the ultimate controlling person level; and, depending on the size of the company, a percentage of audit committee members must be independent.
Internal Controls Over Financial Reporting – Requires the management of insurers with direct premiums written and assumed in excess of $500 million to file a report with the state insurance department regarding the company’s assessment of internal controls over financial reporting. The report must include the following information:
- A statement that management is responsible for creating and sustaining adequate internal controls over financial reporting
- A statement that management has created such controls and an assertion that these controls successfully provide reasonable assurance regarding the reliability of the statutory financial statements
- A statement regarding the process or method utilized by management in this assessment
- Disclosure of any un-remediated material weaknesses in internal controls over financial reporting
Lessons from SOX
Implementing the Model Audit Rule requirements to document internal controls over financial reporting at private insurers should take into account lessons learned from public companies that have already had to comply with Section 404 of Sarbanes-Oxley.
- Many companies do not realize that documenting and testing is a time-consuming process
- Documentation already in place may not be current and detailed enough to meet external audit’s standards
- Compliance with Model Audit Rule, like Section 404, is not only an accounting and/or internal audit project, but affects virtually all departments
- Time, effort, and, most importantly, costs can all be reduced significantly if the insurer allows an experienced outside firm, like Sunera, to lead them through the process
Sunera Service Offerings
Sunera professionals have extensive experience working with insurance companies and providing Sarbanes-Oxley services like those required by the Model Audit Rule.
Our services include:
Project Management – We provide leadership and coordination throughout our Model Audit Rule assistance projects. Our responsibilities typically include monitoring and reporting the progress of the project against milestones and the ongoing modification and monitoring of a detailed work plan. We coordinate resources, prepare status reports, update the project plan, and present at Steering Committee meetings.
Risk Assessment, Scoping & Materiality – We perform a financial statement risk assessment that includes identifying the specific financial reporting risks, mapping the financial statement accounts to the financial statement processes and identifying the specific control objectives associated with the identified risks. As part of this process, we also identify the in-scope locations and financial statement accounts based on an appropriate materiality threshold.
Entity Level Assessment – We believe that compliance with the Model Audit Rule should be based on a top-down approach, which involves assessing the overall entity-level control environment. We assist in the identification, documentation and testing of entity-level controls using an entity-level control catalog which is based on the COSO framework and, if applicable, incorporates the guidance for smaller insurance companies.
Process & Controls Documentation – Using the risk assessment, we can help you prepare your Model Audit Rule documentation of the identified processes and control activities that are in scope and identify the key controls. As part of the key control selection effort, we will focus on ensuring that the scope of the key controls addresses only those processes and activities which cover internal controls over financial reporting and not operational or compliance activities, which are outside the scope of the Model Audit Rule. We will also focus on selecting key controls that are, wherever possible, automated and preventive versus manual and detective. Typically, automated and preventive type controls are more reliable and less costly to test. We will also emphasize the importance of being economical in the selection of key controls, which should also result in lower future costs for testing. Our standardized approach produces just the right amount of documentation for your management assessment and your external auditors. Our multidisciplinary teams ensure that the documentation addresses all of the necessary elements, such as entity-level, IT and financial disclosure controls. Moreover, our experience keeps the project focused on what is really required by the Model Audit Rule and provides you with suitable integration with your external auditors.
Controls Testing – Our control experts are well trained in testing techniques and documentation standards. We provide testing results that meet the requirements of the public accounting firms without the high cost. We believe that control testing is repetitive and can be performed more efficiently with resources that have the appropriate skills and training. We will develop testing plans, test scripts and templates to ensure that your external auditor can place maximum reliance on the work performed by our team. We will also coordinate testing activities and prepare work papers documenting testing results.
IT Controls Documentation & Testing – Assessing IT controls requires highly specialized skills. Although many public companies have an Internal Audit capability, many lack the skills in-house to effectively document and test IT controls. Sunera possesses the entire breadth of technical skills required to work with ERPs, databases, networks and websites as well as IT processes. Our professionals are experts in COBIT and most have completed many IT general controls work paper sets for “Big 4” audit firms.
Controls Remediation – Fixing control design and operating effectiveness gaps often requires changing existing processes and technologies. To do so successfully, a change agent must understand how to gain acceptance by the organization for the change, as well as know the many process and technology alternatives to consider. Unlike a typical auditor, our professionals are capable of helping your organization implement new practices and modernize your technologies. Throughout the MAR effort, we identify, track, and report any internal control deficiencies. We will coordinate any necessary remediation activities related to the correction of specific control deficiencies. Sunera possesses specialists from across a broad spectrum of disciplines skilled in fostering organizational change, preparing policies and procedures, and designing new processes and controls. We provide as much guidance on remediation as possible during the documentation and testing effort.
Improving MAR Compliance – Many companies rely on manual, detective controls that are costly to operate and test and are prone to error. We help you replace those controls with automated controls that are more reliable and cost-effective. We have the expertise to help you get the most from your existing ERP systems by utilizing functionality already embedded within them. In addition, we deploy emerging controls automation software or controls monitoring/self-assessment programs to make controls testing and monitoring more efficient. We also help organizations consolidate disparate compliance efforts into a single, integrated compliance program.