NAIC Insurer Financial Reports Rules

Date post: 31-Oct-2014
Page 1: NAIC Insurer Financial Reports Rules

NAIC Insurer Financial Reports Rules

Page 2: NAIC Insurer Financial Reports Rules

Cost Advisors’ Background

• Founded in 1999
• Focus on Financial Risk Management, Fraud and Recovery
• Developed SarbOxPro® software, www.sarboxpro.com

© 2008 Cost Advisors, Inc. All rights reserved.


Page 3: NAIC Insurer Financial Reports Rules

Bill Douglas’ Background

• Principal of Cost Advisors, Inc.; 29 years’ experience
• Management positions in Accounting and IT Systems
• CFO, IPO, ‘Big 4’ public accounting, business processes, internal controls, fraud, internal auditing, Sarbanes-Oxley (SOX)
• Project management at both large and small public companies
• Published SOX Illustrated – a 200 page book on SOX
• Published Guide for managing Sarbanes-Oxley projects in the Internal Auditor magazine
• Instructor for Oregon Society of CPAs

Credentials:
• Certified Public Accountant (CPA)
• Certified Internal Auditor (CIA)
• Certified Fraud Examiner (CFE)
• Licensed Private Investigator (PI) in Oregon


Page 4: NAIC Insurer Financial Reports Rules

Agenda
• SOX vs. Insurer Financial Reports Rules
• NAIC Project Framework
  – Governance
  – Assessment
  – Prevention
  – Detection
  – Reporting & Correction
• Software tools available
• Takeaways & resources


[Diagram: project cycle – Governance, Assessment, Prevention, Detection, Correction]

Page 5: NAIC Insurer Financial Reports Rules

Applicability of Insurer Financial Reports Rules

• Over $500M in premiums
• Audits of the year beginning January 1, 2010
• Can use SOX 404 report instead

[Diagram: insurers with > $500M in premiums fall under the Insurance rules; a SOX 404 report can be used in their place]


Page 6: NAIC Insurer Financial Reports Rules

Sarbanes-Oxley Act of 2002 – Contents

The Act comprises 11 Titles:

Title I – Public Company Accounting Oversight Board (PCAOB)
Establishment, Auditing and Accounting Standards

Title II – Auditor Independence
Sets forth required actions by external auditors and audit committee

Title III – Corporate Responsibility
Requires CEOs and CFOs to certify quarterly and annual reports to the SEC (Section 302)

Title IV – Enhanced Financial Disclosures
Additional and accelerated disclosure requirements
SECTION 404: MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS

Title V – Analyst Conflicts of Interest

Title VI – Commission Resources and Authority
Authorizations, qualifications

Title VII – Studies and Reports
Credit ratings, violators, etc.

Title VIII – Corporate and Criminal Fraud Accountability
Provides tougher criminal penalties for defrauding shareholders, altering documents, etc.

Title IX – White-Collar Crime Penalty Enhancements
Enhanced penalties for certain white-collar crimes (i.e., mail/wire fraud)

Title X – Corporate Tax Returns

Title XI – Corporate Fraud and Accountability
Fines or imprisonment with regards to certain other matters involving corporate fraud

Callouts: SECTION 404: MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS – has the biggest impact on public companies; SECTION 302: CORPORATE RESPONSIBILITY FOR FINANCIAL REPORTS


Page 7: NAIC Insurer Financial Reports Rules

SEC vs. PCAOB

[Diagram: relationship between the SEC, the PCAOB, the External Auditor and the Public Co. (Insurer)]


Page 8: NAIC Insurer Financial Reports Rules

[Diagram: Rulemaking & Oversight – the Accounting Practices and Procedures Manual and the Insurer Financial Reports Rules apply to the Insurer; SAS 104 – 111 ‘Risk-Based Standards’ apply to the External Auditor; the Financial Condition Examiners Handbook and the Risk-Focused Surveillance Framework apply to the Examiner]

Presentation Notes:
• SAS No. 104, Amendment to Statement on Auditing Standards No. 1, Codification of Auditing Standards and Procedures ("Due Professional Care in the Performance of Work")
• SAS No. 105, Amendment to Statement on Auditing Standards No. 95, Generally Accepted Auditing Standards
• SAS No. 106, Audit Evidence
• SAS No. 107, Audit Risk and Materiality in Conducting an Audit
• SAS No. 108, Planning and Supervision
• SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement
• SAS No. 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained
• SAS No. 111, Amendment to Statement on Auditing Standards No. 39, Audit Sampling
Page 9: NAIC Insurer Financial Reports Rules

SOX 404 vs. Insurer Financial Reports Rules

SOX 404 (ICFR = Internal Controls over Financial Reporting)

Scope:
• Detailed, accurate records to reflect transactions and dispositions
• Transactions roll up to Financial Statements which comply with GAAP
• Management has authorized receipts and expenditures
• Prevent or detect unauthorized acquisition, use or disposition – IF MATERIAL

Insurer Financial Reports Rules: ditto on all four scope points.


Presentation Notes:
OAR # 836-011-0110 “Internal control over financial reporting” means a process effected by an entity’s board of directors, management and other personnel designed to provide reasonable assurance regarding the reliability of the financial statements, i.e., those items specified in OAR 836-011-0140(2) and (3), except for 836-011-0140(2)(a), and includes those policies and procedures that:
(a) Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of assets;
(b) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of the financial statements, i.e., those items specified in OAR 836-011-0140(2) and (3), except for 836-011-0140(2)(a), and that receipts and expenditures are being made only in accordance with authorizations of management and directors; and
(c) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of assets that could have a material effect on the financial statements, i.e., those items specified in OAR 836-011-0140(2) and (3), except for 836-011-0140(2)(a).
Page 10: NAIC Insurer Financial Reports Rules

SOX 404 vs. Insurer Financial Reports Rules (Page 1 of 2)

Item | SOX | Insurer Fin. Rept. Rules
Audit Committee | Yes – with one Financial Expert | Yes – with independence rules
Audit Required | Yes | Yes
Designation of CPA | Yes – to SEC, when changed | Yes – to Insurance Dept of State, with letter from CPA
Audit Partner Rotation | Yes | Yes
CPA barred from non-audit services | Yes – except tax prep or other approved by Board | Yes – except if premiums < $100M with waiver; except tax prep or other approved by Board; except if < 5%
CPA manager & partner can’t be hired for 1 year | Yes | Yes


Page 11: NAIC Insurer Financial Reports Rules

SOX 404 vs. Insurer Financial Reports Rules (Page 2 of 2)

Item | SOX | Insurer Fin. Rept. Rules
CPA studies controls | Yes | Yes
Adverse Condition Notice | As audit opinion only | Yes – to Director in 5 days
Material Weaknesses | In Management's Report | Tell Director 60 days after audit
Significant Deficiencies | Tell Audit Committee | Hold for Examiners
Accountant's Letter of Qualifications | No | Yes – to Insurer
Accountant’s workpapers | No | Hold for Examiners
Management’s report on Controls | Yes – documentation & testing | Yes – some documentation & diligent inquiry


Page 12: NAIC Insurer Financial Reports Rules

SOX 404 vs. Insurer Financial Reports Rules

SOX 404: Internal Control Framework (COSO) → Documentation & Testing → Management Assertion → Auditor Attest

NAIC Rules: any framework → Documentation & Diligent Inquiry* → Management Assertion → Auditor Consideration

* No special documentation necessary. ‘Diligent Inquiry’ includes review, monitoring and testing in the normal course of business.


Page 13: NAIC Insurer Financial Reports Rules

Sarbanes-Oxley Section 404 – COSO Objectives vs. Section 404

[Diagram: COSO objectives – Operations, Financial Reporting, Laws & Regulations – with the Section 404 Scope marked]


Page 14: NAIC Insurer Financial Reports Rules

Insurer Financial Reports Rules – CEO and CFO Statement

• Management is responsible for internal control
• Management has established internal control and its internal controls are effective
• No Material Weaknesses
• The approach and scope management used
• Effectiveness
• Unremediated material weaknesses from prior year


Page 15: NAIC Insurer Financial Reports Rules

Agenda (section divider; same agenda as Page 4)

Page 16: NAIC Insurer Financial Reports Rules

Risk-based Framework

• Governance: Entity-Level Controls; Tone-at-the-Top
• Assessment: Risk Identification; Risk Evaluation; Segregation of Duties analysis
• Prevention: Process flowcharts & narratives; Process Improvement; Internal Controls
• Detection: Process Controls Testing; IT Testing; 3rd Party controls (SAS70)
• Correction: Deficiency Evaluation; Deficiency Remediation; Mgt/Board Reporting


Page 17: NAIC Insurer Financial Reports Rules

Agenda (section divider; same agenda as Page 4)

Page 18: NAIC Insurer Financial Reports Rules

The ‘Wedding Cake’

• Company-Level Controls – ‘Tone at the Top’, Governance
• Business Processes – Flowcharts, Risk & Control Matrices
• IT Applications – Testing Coordinated with Application Superusers
• IT Infrastructure – Data Centers, Operating Systems, Networks (IT General Controls)


Page 19: NAIC Insurer Financial Reports Rules

Governance

• Integrity & ethics: Business Practices; HR Policies; Whistleblower procedures; Performance Evaluation process
• Board of Directors: Minutes; Governance Guidelines; Audit Committee Charter; Compensation Committee Charter
• Operating Style: Risk Analysis; Employee Turnover; Financial Manager Code of Ethics; Travel to subs; Management Incentives; Recognition Awards
• Organizational Structure: Org Charts; Job Descriptions & Classifications
• HR Policies: Hiring Guidelines & Procedures; New Employee Orientation; Background Checks
• Risk Assessment: SOX Process Documentation; Business Plans
• Info & Communication: IT General Controls; Division Reviews; Accounting & Finance Meetings
• Monitoring: Internal Audit function; IRS audits; Regulatory Audits; SEC comments; SOX Steering Committee


Page 20: NAIC Insurer Financial Reports Rules

Agenda (section divider; same agenda as Page 4)

Page 21: NAIC Insurer Financial Reports Rules

Processes vs. Risks


Page 22: NAIC Insurer Financial Reports Rules

Assessment – Identifying Process Population

[Diagram: Process Lists (from Finance, the Process Owner, and Other Companies: Company X, Company Y, Company Z) → Validation → Company Financial Statements and Disclosures (account mapping)]


Page 23: NAIC Insurer Financial Reports Rules

Causes of Inherent PROCESS Risk

• Size of account (materiality)
• Susceptibility to errors or fraud
• Complex accounting (GAAP)
• Subjectivity, estimates, judgment
• Transaction complexity
• Lack of automation
• Recent changes
• Contingent Liabilities
• Related-Party transactions
• Subject to environmental factors, such as technological and/or economic developments


Presentation Notes:
For Sarbanes-Oxley, a threshold is used to determine whether or not a unique process will be documented and tested. We use $3.0M as the threshold. For example, in Tek Inc., there is more than $3.0M of activity in travel and entertainment expense, therefore the process is documented and tested. In Singapore, the level is below $3.0M, so the process is not documented or tested. We are using a lower threshold than 5% of income to be more conservative, and to ensure that our test plans and sample sizes will still be appropriate in lower income years. To evaluate deficiencies, we consider whether or not other controls would effectively mitigate the risk of a misstatement and we consider the type of failure. For example, a failure in the design of controls would typically be considered more serious than a failure in the performance of a control. We also consider the level of the potential misstatement. We apply a guideline of 20% of the $4.0M materiality threshold to determine the level at which a deficiency might be significant. In this case, $0.8M. The 20% is the public accounting firms’ consensus interpretation of PCAOB guidance.
Page 24: NAIC Insurer Financial Reports Rules

Risk of CONTROL Failure

• The nature and materiality of misstatements that the control is intended to prevent or detect;
• The risk of management override;
• Whether there have been changes in the volume or nature of transactions that might adversely affect control design or operating effectiveness;
• Whether the control has a history of errors;
• The effectiveness of entity-level controls, especially controls that monitor other controls;
• The degree to which the control relies on the effectiveness of other controls (e.g., the control environment or information technology general controls);
• The competence of the personnel who perform the control or monitor its performance and whether there have been changes in key personnel who perform the control or monitor its performance;
• Whether the control relies on performance by an individual or is automated (i.e., an automated control would generally be expected to be lower risk if relevant information technology general controls are effective);
• The complexity of the control.

Page 25: NAIC Insurer Financial Reports Rules

Risk-Based Approach to Testing

Continued below


Free download at: www.sarboxpro.com

Page 26: NAIC Insurer Financial Reports Rules

Risk Assessment (Heat Sheet)

Source: MANAGEMENT’S REPORT ON INTERNAL CONTROL OVER FINANCIAL REPORTING, SEC, December 20, 2006

[Heat-sheet matrix: axes Inherent Risk and Risk of Control Failure; cells rated Low, Medium, Medium High and High; the evidence required scales from Less Evidence to More Evidence]


Page 27: NAIC Insurer Financial Reports Rules

Reliance on Controls

[Diagram: Controls → Financial Statements; the auditor either can rely or cannot rely on the controls]


Page 28: NAIC Insurer Financial Reports Rules

Assessing Risk in Segregation of Duties (SOD)

Page 29: NAIC Insurer Financial Reports Rules

Risk Assessment – Segregation of Duties: SOD Matrix (Good Approach)

[Matrix: one row per person (Name Here placeholders) against the functions Authorize, Record, Custody and Control; combinations to Investigate Further are flagged]

Issue – Over-reliance on process owner representations


Page 30: NAIC Insurer Financial Reports Rules

Risk Assessment – Segregation of Duties: Export System Access data and combine with Manual Activities (Best Approach)

[Diagram: IT System → System Access Report → Excel or Access, combined with a List of Manual Activities → Conflict Reports]
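The "best approach" above, worked through as an added example (not code from the presentation or from Cost Advisors): a system access export and a list of manual activities are merged per user and process, and any user holding two of the four SOD functions (Authorize, Record, Custody, Control) in one process is written to a conflict report. The role-to-function mapping, the system names and all rows of data are constructed sample input.

```python
"""Segregation-of-duties conflict report.

Merges a system access export with a list of manual (off-system) activities,
then flags users holding conflicting functions within one business process.
All inputs below are constructed samples, not a real access export.
"""
from collections import defaultdict
from itertools import combinations
import csv
import io

# The four SOD functions from the matrix; any two held by one person in the
# same process is a conflict to investigate further.
FUNCTIONS = ("Authorize", "Record", "Custody", "Control")

# Hypothetical mapping (system, role) -> (process, function). In practice this
# table is built together with the application superusers.
ROLE_FUNCTIONS = {
    ("AP System", "AP_INVOICE_ENTRY"): ("Accounts Payable", "Record"),
    ("AP System", "AP_INVOICE_APPROVE"): ("Accounts Payable", "Authorize"),
    ("AP System", "VENDOR_MASTER_EDIT"): ("Accounts Payable", "Custody"),
    ("GL System", "GL_JOURNAL_POST"): ("General Ledger", "Record"),
    ("GL System", "GL_RECONCILE"): ("General Ledger", "Control"),
}

# Constructed system access report, as it might be exported to CSV.
SYSTEM_ACCESS_CSV = """user,system,role
alice,AP System,AP_INVOICE_ENTRY
alice,AP System,AP_INVOICE_APPROVE
bob,AP System,AP_INVOICE_ENTRY
carol,GL System,GL_JOURNAL_POST
dave,GL System,GL_RECONCILE
erin,HR System,HR_ADMIN
"""

# Constructed list of manual activities that never appear in any system.
MANUAL_ACTIVITIES_CSV = """user,process,function,activity
bob,Accounts Payable,Custody,Signs checks
carol,General Ledger,Control,Reviews month-end account reconciliations
"""


def load_functions(system_csv, manual_csv, role_map=ROLE_FUNCTIONS):
    """Return ({user: {process: {function: [source, ...]}}}, unmapped_roles).

    Roles missing from role_map are returned separately so the gap in the
    mapping is reported instead of silently hiding an access path.
    """
    held = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    unmapped = []
    for row in csv.DictReader(io.StringIO(system_csv)):
        key = (row["system"], row["role"])
        if key not in role_map:
            unmapped.append((row["user"], row["system"], row["role"]))
            continue
        process, function = role_map[key]
        held[row["user"]][process][function].append(f"{row['system']}:{row['role']}")
    for row in csv.DictReader(io.StringIO(manual_csv)):
        held[row["user"]][row["process"]][row["function"]].append(
            f"manual:{row['activity']}")
    return held, unmapped


def conflict_report(held):
    """Return one (user, process, func_a, func_b, sources) tuple per conflict."""
    report = []
    for user, processes in sorted(held.items()):
        for process, functions in sorted(processes.items()):
            owned = [f for f in FUNCTIONS if f in functions]
            for a, b in combinations(owned, 2):
                report.append((user, process, a, b, functions[a] + functions[b]))
    return report


if __name__ == "__main__":
    held, unmapped = load_functions(SYSTEM_ACCESS_CSV, MANUAL_ACTIVITIES_CSV)
    for user, process, a, b, sources in conflict_report(held):
        print(f"{user}: {process} {a}+{b} via {', '.join(sources)}")
    for user, system, role in unmapped:
        print(f"UNMAPPED ROLE: {user} has {system}:{role} (extend ROLE_FUNCTIONS)")
```

A conflict that mixes a system source with a manual source (bob: invoice entry in the AP System plus signing checks) is exactly the kind the matrix built from process-owner representations alone tends to miss.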


Page 31: NAIC Insurer Financial Reports Rules

Agenda (section divider; same agenda as Page 4)

Page 32: NAIC Insurer Financial Reports Rules

Controls – Real ‘Swimlane’ Flowchart

[Flowchart image: swimlanes including the AP System and the GL System]


Page 33: NAIC Insurer Financial Reports Rules

Sarbanes-Oxley Testing Training – Risk & Control Matrix

Control Description | Control Frequency | Control Owner
Accounts Payable verifies that all invoices from new vendors are approved for validity prior to adding the vendor to the vendor master file. | Many X / Day | Accounts Payable
Check signers verify the invoice is valid, and the check amount and GL coding are accurate prior to signing the check. Authorized Signers are CEO, CFO, CAO, CLO, Controller, Cashier, SVP/Operations, or Human Resources Officer. | Many X / Day |


Page 34: NAIC Insurer Financial Reports Rules

Agenda (section divider; same agenda as Page 4)

Page 35: NAIC Insurer Financial Reports Rules

Detection
• Purpose is to evaluate control operation
• Purpose is not to detect fraud
• Purpose is not to detect financial misstatements


Page 36: NAIC Insurer Financial Reports Rules

Control Frequencies – Control Frequency Examples

Control Frequency | Examples
More than Daily (Large Pop.) | Vendor Invoicing
Daily | Sub-ledger distribution
Monthly | Account reconciliations
Quarterly | Reserve Adjustments
Semiannual | SAS-70
System / Annual | 10K Report


Page 37: NAIC Insurer Financial Reports Rules

Control Frequencies/Sample Sizes


Page 38: NAIC Insurer Financial Reports Rules

Example Test Plan

Sample identification

Test attributes


Page 39: NAIC Insurer Financial Reports Rules

What is a walkthrough?
• A physical “walk-through” of the documented process from beginning to end with the Control Owner.
• Observe the steps and controls in the process. Mark hardcopy documentation with discrepancies.
• Observe physical security.
• Confirm the employee’s understanding of controls and the timeliness of performance.
• Confirm what happens (per documentation) when there is an error.
• Identify recent changes in the process.
• Note unidentified risks or controls that are ineffective.
• Obtain copies of testable documents and screen shots that show the documented process.


Page 40: NAIC Insurer Financial Reports Rules

Agenda (section divider; same agenda as Page 4)

Page 41: NAIC Insurer Financial Reports Rules

Gaps & Deficiencies
• 3 levels of identified gaps: deficiencies, significant deficiencies and material weaknesses
• Gaps may be identified during documentation, internal testing or auditor testing

[Diagram: severity grid of likelihood (Remote, Reasonably Possible) against magnitude (Inconsequential, judgmental materiality / Merits Attention, Material). Control Deficiency (least severe) – reportable in writing to management by auditors; Material Weakness – disclose to Shareholders via Management’s Letter]


Page 42: NAIC Insurer Financial Reports Rules

Top 10 Material Weaknesses (for all public companies)

1. Poor accounting documentation
2. External auditor adjustments
3. Lack of training, competency of accounting people
4. Poor account reconciliations
5. Restatements
6. Poor controls over non-routine transactions
7. IT Access and security
8. Poor JE controls
9. Poor control design and segregation of duties
10. Issues with top management and tone at the top

Data provided by Audit Analytics.


Page 43: NAIC Insurer Financial Reports Rules

Managing Gaps (Deficiencies)

Keep a list of all gaps:
• Design Gaps from Documentation
• Testing Failures

Prioritize gaps by:
• Risk of failure and Financial statement impact
• Aggregation of gaps in Financial Statements (Cycles)


Page 44: NAIC Insurer Financial Reports Rules

Test Failure Form

Four Sections:
1. Tester’s Reason for Failing
2. Manager’s Evaluation
3. Process Owner’s Remediation
4. Evaluation Team Sign Off


Page 45: NAIC Insurer Financial Reports Rules

Agenda (section divider; same agenda as Page 4)

Page 46: NAIC Insurer Financial Reports Rules

If you only use Excel, Word, Visio…


Page 47: NAIC Insurer Financial Reports Rules

Software Tool Alternatives

Feature | Excel | Desktop Database | Web-Based
Share controls and tests between documenters | | √ | √
Ensure pre-defined and uniform data capture | | √ | √
Run consolidated reports for all documenters | | √ | √
Easy to setup | √ | √ |
Custom reports in Excel | √ | √ | maybe
Responsive (no latency) | √ | √ |
Low Cost | √ | √ |
E-Mail notification | | | √
# Simultaneous users | 1 | about 5 | dozens


Download a free copy of our desktop tool at www.sarboxpro.com

Page 48: NAIC Insurer Financial Reports Rules

Agenda
• Reasons for SOX
  – COSO Study
  – Scandals in 2000
  – ACFE Report to the Nation
• How SOX tackles fraud
  – Governance
  – Assessment
  – Prevention
  – Detection
  – Reporting & Correction
• Takeaways & resources


Page 49: NAIC Insurer Financial Reports Rules

Takeaways

• SOX and the NAIC Financial rules use a similar framework
• Include only relevant processes
• Use a risk-based assessment
• Document controls preventing risks
• Test for control operation, not fraud occurrence
• Document how you established that controls work
• Well performed tests will save examiners’ time
• Control deficiencies should be evaluated & reported


Page 50: NAIC Insurer Financial Reports Rules

SOX Resources (most relevant in red)

Issuers: SEC, PCAOB, COSO, AICPA

• 1977 – Foreign Corrupt Practices Act (Have good controls)
• 1992 – Internal Control Framework
• 1996 – Addendum to address Safeguarding of Assets
• June 5, 2003 – Rules implementing Section 404 (Use a framework like COSO)
• March 9, 2004 – Auditing Standard #2, Auditing Internal Control
• December 2004 – Evaluating Deficiencies (aka The Concluding Framework)
• May 16, 2005 – Staff Guidance (Management is responsible)
• May 16, 2005 – Increase Efficiency of Audits (Top down, Risk-based, Integrated audit)
• April 23, 2006 – Advisory Committee for Small Companies (exempt most)
• SAS 99 – Consideration of Fraud in a Financial Statement Audit
• April 2006 – Govt. Accountability Office (Management needs more guidance)
• July 11, 2006 – Guidance for Smaller Public Companies
• March 2006 – SAS 104-111 (Risk Standards), effective for 2007 audits
• June 20, 2007 – New Guidance corresponding to AS #5
• July 25, 2007 – Auditing Standard (AS) #5
• June 20, 2008 – Extend auditor attestation for non-accelerated filers until 2009 (and begin a small business cost study)
• October 17, 2007 – Proposed Guidance for Auditors of Smaller Public Companies
• October 21, 2008 – Proposed New Auditing Standards Related to the Auditor's Assessment of Risk
• July 4, 2008 – Monitoring Internal Control (Draft)


Presentation Notes:

Note that SAS 112 Communicating Internal Control Related Matters Identified in an Audit is for NON-public companies that have an audit.

PCAOB Audit Risk Standards:

Audit Risk in an Audit of Financial Statements. This proposed standard describes the components of audit risk and the auditor's responsibilities for reducing audit risk to an appropriately low level in order to obtain reasonable assurance in an audit of financial statements.

Audit Planning and Supervision. This proposed standard describes the auditor's responsibilities for planning the audit, including assessing matters that are important to the audit, and establishing an appropriate audit strategy and audit plan. The proposed standard also describes the responsibilities of the engagement partner and other engagement team members for supervising and reviewing the work of the engagement team.

Identifying and Assessing Risks of Material Misstatement. This proposed standard describes the auditor's responsibilities for identifying and assessing risks of material misstatement. The risk assessment process discussed in the proposed standard includes information-gathering procedures to identify risks (e.g., obtaining an understanding of the company, its environment, and its internal control) and analysis of the identified risks.

The Auditor's Responses to the Risks of Material Misstatement. This proposed standard sets forth the auditor's responsibilities for responding to the risks of material misstatement in the general conduct of the audit and specific audit procedures.

Evaluating Audit Results. This proposed standard describes the auditor's responsibilities regarding the process of evaluating the results of the audit in order to form the opinion(s) to be presented in the auditor's report. This process includes evaluating uncorrected misstatements and control deficiencies identified during the audit.

Consideration of Materiality in Planning and Performing an Audit. This proposed standard sets forth the auditor's responsibilities for applying the concept of materiality, as described by the federal securities laws, in planning the audit and determining the scope of the audit procedures.

Audit Evidence. This proposed standard sets forth the auditor's responsibilities regarding designing and applying audit procedures to obtain sufficient appropriate evidence to support the opinion(s) in the auditor's report. In particular, it discusses the principles for determining the sufficiency and appropriateness of audit evidence.

COSO Draft Monitoring Internal Controls: Monitoring involves (1) establishing a foundation for monitoring, (2) designing and executing monitoring procedures that are prioritized based on risk, and (3) assessing and reporting the results, including following up on corrective action where necessary. Planning and organizational support form the foundation for monitoring, which includes (1) a tone from the top about the importance of internal control (including monitoring), (2) an organizational structure that considers the roles of management and the board in regard to monitoring and the use of evaluators with appropriate capabilities, objectivity and authority, and (3) a baseline understanding of internal control effectiveness. As with every internal control component, the ways in which management and the board express their beliefs about the importance of monitoring have a direct impact on its effectiveness. Management’s tone influences the way employees conduct and react to monitoring. Likewise, the board’s tone influences the way management conducts and reacts to monitoring. In most cases, the board is ultimately responsible for determining whether management has implemented effective internal control (including monitoring). It makes this assessment by (1) understanding the risks the organization faces, and (2) gaining an understanding of how senior management manages or mitigates those risks that are meaningful to the organization’s objectives. Obtaining this understanding includes determining how management supports its beliefs about the effectiveness of the internal control system in those important areas.

Characteristics of Evaluators: Monitoring is conducted by evaluators who are appropriately competent and objective in the given circumstances. Competence refers to the evaluator’s knowledge of the controls and related processes, including how controls should operate and what constitutes a control deficiency. The evaluator’s objectivity refers to the extent to which he or she can be expected to perform an evaluation with no concern about possible personal consequences and no vested interest in manipulating the information for personal benefit or self-preservation.
Page 51: NAIC Insurer Financial Reports Rules

Resources – COSO Small Business Guidance

Internal Control over Financial Reporting – Guidance for Smaller Public Companies
• $65 Paperback (3 volumes)
• $50 PDF (3 PDF, 1 Word)
• www.cpa2biz.com


Page 52: NAIC Insurer Financial Reports Rules

Resources – IT General Controls

Framework | Objectives
CobiT | 34 Objectives
IT Control Objectives for SOX | 12 Objectives
COSO (Small Business) | 10 Objectives


Page 53: NAIC Insurer Financial Reports Rules

For More Information

Bill Douglas, CPA CIA CFE PI – Main: [email protected]
Molly Remington, Business Development Mgr. – Main: [email protected]

Free software downloads: www.sarboxpro.com
Company information: www.costadvisors.com

US-5-1208-IC
