Audits, Controls, Compliance – The New Requirements and What They Mean



Don Goodenow
Director, Product Management, Reinsurance & Collections
StoneRiver

The world of audits, controls and compliance is not what it used to be. It changed dramatically in 2002 with the passage of Sarbanes-Oxley (SOX). It changed again for many insurers when the NAIC adopted a replacement of its Model Audit Rule (MAR), in June of 2006.

SOX was enacted in response to widely publicized corporate scandals. It touches every aspect of the financial management, control and reporting processes of a public company. SOX implemented tight control and reporting requirements, and established strict management responsibility for all aspects of internal financial controls. Controls were also tightened on auditors, analysts and attorneys.

CEOs and CFOs are now explicitly responsible for the accuracy of their company’s financial statements, and for the mechanisms and controls used to process, manage and report on their company’s financial activities and status. There are significant personal penalties, both civil and criminal, for failure to assure accurate reporting.

CEOs and CFOs must now assert that:

  • they have reviewed the company’s financial report
  • it is true
  • it fairly represents the financial condition of the company, and
  • they know these things are true because they have:
    • determined that controls are in place to ensure that material information reaches them
    • personally evaluated the effectiveness of these controls, and
    • explicitly accepted responsibility for the internal controls established for the company’s financial processes.

In addition, external auditors now report to a board’s audit committee, which must be made up solely of independent directors. Auditors must sign an agreement stating that management’s assessment is accurate, or document any deficiencies they identify.

In June of 2006, the NAIC adopted the Annual Financial Reporting Model Regulation (MAR) replacing a previous Model Audit Rule. The new MAR requirements include certain modified provisions of the Sarbanes-Oxley Act of 2002. Those provisions deal with:

  • audit committee requirements (effective January 1, 2010)
  • management reporting on internal control over financial reporting (effective December 31, 2010) and
  • audit partner rotation (effective for 2010 statutory audits and thereafter).

The changes to the MAR apply to all insurers. However, some of the requirements are tiered by the premium volume of the company. Only companies with direct plus assumed premium volumes of $500M or more must perform the internal controls testing and file Management’s Report of Internal Control over Financial Reporting.

The new MAR establishes more stringent requirements relating to the certification of an insurance entity’s financial statements. The new requirements leave many of the implementation details to the discretion of the company. This has generated a great deal of concern on the part of the boards of these organizations as to how to produce acceptable certified financial statements.

What does all this mean for an insurer?

It means:

  1. Company management has the primary responsibility for the accuracy of what is reported – not the auditors
  2. The board has the primary oversight responsibility – not the auditors
  3. The nature, extent and quality of the processes and controls used:
    1. to assure accuracy
    2. to control against misuse of corporate assets, and
    3. to quickly identify conditions to be corrected

are the primary responsibility of management – no one else.

These new requirements have impacts on a company far beyond the accounting department. In upcoming posts we’ll see how these changes can impact different aspects of an insurer’s processing environment.
