IASA 86TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW
Risk-Focused Examinations
Session 704
Understanding the Examination Process
In order to be able to maximize examination efficiency and
have examiners fully leverage work being done by your
company, it is important to understand the risk-focused
examination process and requirements.
Risk-Focused Examinations
Presentation areas of focus:
1. How to prepare for an examination
2. Overview of the risk-focused examination process
3. What’s new in examinations
4. Observations from recent examinations
5. Q&A
How to Prepare
I received an examination notice, now what?
Preparing for the Examination
Understand the process (second part of presentation)
Factors to consider in preparing for an examination:
• Timing
• Physical Space
• Personnel Identification
• IT Considerations
• Information Transfer
• Tracking of Open Items and requests
• Auditor Involvement (CPA/Internal)
• C-Suite Interviews
Timing
Frequency and scope of examinations
Establish an understanding of the timing of the examination (start date,
milestones (exhibit completion deadlines), anticipated end date, and
deadlines).
Discuss on-site vs. off-site examination work and timing of each
Consider the impact of the risk-focused change on examination timing
Risk assessment historically part of planning
Now extends through all seven phases
(more management involvement)
Examination Coordination considerations
Use of Experts
Timing of C-level interviews
Timing of CPA involvement
Communication of company constraints (reporting deadlines)
Physical Space
To prepare physical space for the exam team, discuss the space needed and the number of examiners before the start of the exam.
Personnel Identification
Identify who will be involved
Company personnel and responsibilities relating to the exam
Examination personnel and responsibilities
Create a contact list
Off-site Considerations
Other personnel involved
IT Considerations
IT Connections
What are the examiner requirements
Method of information exchange
Electronic work-paper considerations
IT Security
Protect data and confidentiality of information
Handbook discussion of confidentiality
Confidentiality
The risk-focused surveillance approach contained within this Handbook will require examiners to incorporate new tools to document their
examination approach and to increase the extent of communication with their department analysts as well as other regulators. Similar to other
documentation completed in accordance with a financial condition examination, these tools are considered examination work papers and thus
considered confidential under state law, including the state’s examination law. In addition, sensitive documents of the insurer that are used in the
risk assessment process, such as internal audit reports, will be examination work papers and protected under the confidentiality standards set forth
in the NAIC Model Law on Examinations. Furthermore, the enhanced communication between state insurance department examiners and analysts
and the sharing of information to other state insurance departments shall not impact the confidential status of these work papers. As with the
communication of other confidential information, examination work papers may be shared with other regulators whose state insurance department
has authority under state law to preserve the confidentiality of the information they receive and maintain.
Transfer of Information / Tracking of Outstanding Items
The insurer and regulator should have a system for the
transfer of information and the tracking of outstanding
items to avoid duplicate requests.
Regular status meetings
“Dashboard” reporting of status
CPA Work Papers
Auditor Work-papers:
Initiate a meeting and discussion between exam team and CPA
Work-papers for years under examination
Current year focus
Prior year work paper applicability
Current year not yet available
Rotational testing of controls
Prior year remediated issues
Lead time for requests
Follow-up meetings
Auditor and examiner should have a discussion prior to finalization of exam and audit
Internal Audit
The examiner will need to evaluate the internal audit process
for reliance
• If CPAs rely on the Internal Audit function, this process may be short-cut by having CPAs discuss their evaluation/reliance with examiners
• Information needed by examiners
• Internal audit function overview
• Reporting lines
• Audit plans
• Audit results
Preparing for Interviews
Interviews will likely take place with:
Board of Directors
Audit Committee
Senior Management
Educate board members on the examination process:
Explain why interviews are occurring
Provide Exhibit Y for typical questions asked
Fiduciary duties of board members
Examination authority laws
STAT and GAAP accounting bases
Mission of examiners (protect promises made to policyholder)
Scope of exam includes long-term strategies and prospective risks
Ask Examiners to prepare an agenda and discussion topics
Traditional and Risk-Focused Approach Comparison
Traditional vs. Risk-Focused
• Details vs. Big Picture/Top Down
• Checklists vs. Priorities (Risk Focus)
• Symptoms vs. Cause
• Reporting Findings vs. Make Recommendations
• Transaction Testing vs. Process/Control Review
• Task Oriented vs. Results-Oriented
• Static Reviews vs. Ongoing Monitoring
• Current Issues vs. Emerging/Prospective Issues
Risk-Focused Exam in a Nutshell
The risk-focused exam procedures are designed to allow examiners to:
• Develop an understanding of the insurer’s key functional activities and the risks associated with those activities
• Evaluate the effectiveness of the risk mitigation strategies and controls
“Solvency issues generally result from business risks that were not mitigated
to an acceptable level by company controls. Inadequately controlled
operating risks may take several years to be reflected in the company’s
financial statements.”
Risk Focused Exam Process
• Phase 1: Understand the Company and Identify Key Functional Activities to be Reviewed
• Phase 2: Identify and Assess Inherent Risk in Activities
• Phase 3: Identify and Evaluate Risk Mitigation Strategies/Controls
• Phase 4: Determine Residual Risk
• Phase 5: Establish/Conclude Examination Procedures
• Phase 6: Update Prioritization and Supervisory Plan
• Phase 7: Draft Examination Report and Management Letter based upon Findings
Procedures within the Planning Process: where management can have the most impact
PHASE 1 Understanding the Company and Key Functional Areas
Phase 1: Understand the Company
Understanding the Company
Understanding the Corporate Governance Structure
Assessing the Adequacy of the Audit Function
Identifying Key Functional Activities
Consideration of Prospective Risks for Indication of
Solvency Concerns
Phase 1 Understanding the Company Sample Risk Assessment Catalog Process
Inputs to the Combined Risk Catalog:
• Review Prior Examination
• Review Prior External Audit
• Review Internal Audits
• Review SOX
• Review self assessments
• Meet with Key Members of Management
• Handbook Considerations
• Regulatory Concerns
• Other sources (news, current events)
Phase 1 Corporate Governance Structure
Components of effective corporate governance programs include:
1. Competency
2. Independent and adequate involvement
3. Communication
4. Code of conduct
5. Strategic and financial objectives
6. Business planning
7. Reliable risk management
8. Sound principles of conduct
9. Independence
10. Objective and independent reporting
11. Sarbanes-Oxley provisions
12. Board oversight
Exhibit M – Understanding Corporate Governance Structure
Phase 1 Management Preparation
What can management do to prepare?
• Understand the examination process – understand the goals and the
procedures used to achieve those goals
• Consider the information that examiners will be looking at in advance
of the examination process
• Ensure processes and corporate governance are documented
Starting the Process
• Be Proactive (consider process prior to exam)
• Phase 1 is often where management can be most involved
• Arrange regular meetings (internally and with examiners)
• Ask examiners to prepare formal request lists
• Have an overview meeting to tell about the company and set the
stage
Phase 1 Management Preparation – Exhibits and Questionnaires
Obtain and complete exhibits as early in process as possible
Don’t “skimp” on answers – use memos and attachments as necessary
Exhibit B – Planning questionnaire
“The questionnaire responses should be considered when identifying the inherent risks of the insurer.
They should also impact the planned examination approach, and the nature, timing and extent of
examination procedures performed”
• The more complete the questionnaire, the less work examiners need to do
• Plan ahead - document processes as they are being done
Exhibit C – Evaluation of controls in information technology
• Work program – examples of common risks, controls, example requests, test procedures
• Use as a guide to what examiners are looking for
Management Preparation Importance of Interviews
Exhibit Y – Examination Interviews
“It is critical for the examination team to understand and leverage the
company’s risk management program; i.e. how the company identifies,
controls, monitors, evaluates and responds to its risks….An examiner
can perform alternate, additional or fewer detail and control tests as a
result of interviews with the company.”
• Make sure examiners have an overall understanding of the company before
conducting high level interviews
• Get an agenda in advance of the meeting
• Exhibit Y has sample questions
• Provide management’s view of governance and control structure
(Top down approach).
Phase 1 Assess the Audit Function
External auditors
• Provide an understanding of control structure to examiners
• CPA’s risk assessment is a starting point for examiners
• Compliance/control testing and substantive procedures reviewed for possible reliance
• Should be complementary to exam process
• Examiner must consider quality, adequacy and results of auditors work
Internal audit - Must be independent, objective and perform quality audits
• Provides insight into risk identification and control structure
• Financial
• Operational
• Compliance
• IT
• Should be complementary to external audit
• Examiner must understand IA’s role in internal control structure
• Examiner must understand qualifications and independence
New Corporate Governance Requirement
Phase 1 Audit Function - Management Facilitation
Management Facilitation
• Discuss expected cooperation with external auditors
• Facilitate meetings
• Prepare required authorization letters
• Ensure availability of auditor work-papers
• Understand the required information (Exhibit E)
• Document role and structure of internal audit
• Provide a list of internal audit activities
Phase 1 Identify Key Functional Activities
• Information Obtained (step 1)
• Corporate Governance Assessment (step 2)
• Audit Assessment (step 3)
• Key Functional Activities & Prospective Risks
Consideration is given to qualitative and quantitative measures
Phase 1 Key Activities and Prospective Risk Management Facilitation
Discuss key activities with examiners
Ensure activities match actual business
Match key activities with those identified by the company
Understand the company’s prospective risks
• Asset/liability matching
• Loss reserve development methods
• Pricing and underwriting
• Reinsurance
• Growth, M&A activity
• Liquidity of assets
• Other business risks
PHASE 2 Identify and Assess Inherent Risk
Phase 2 Identify and Assess Inherent Risk
Step 1: Identifying the Risk
Step 2: Identifying the Type of Risk
Step 3: Assessing the Inherent Risk
• Exhibit J - Risk Assessment Worksheets
• Exhibit K - Risk Assessment Matrix
• Exhibit L – Branded Risk Classifications
Repositories – Common risks, control best practices, test of
controls, sample testing
Phase 2 Step 1: Identifying the Risk
Key activities and sub-activities identified in Phase 1
are the building blocks for identifying inherent risk.
• Risks Other than Financial Reporting
• Financial Reporting Risks
Ask the question “What can go wrong?” for each of the
key activities.
Repositories included in handbook
Phase 2 Step 2: Identifying the Type of Risk
Branded Risk Classifications:
• Credit
• Market
• Pricing/underwriting
• Reserving
• Liquidity
• Operational
• Legal
• Strategic
• Reputational
Critical Risk
Why Critical Risk?
How will this change the exam process?
• Flexibility
• Removal of Tolerable Error
Schedule DD- Critical risk – 10 areas that
represent significant threats to a company’s
overall solvency position.
As of 12/31/13
Used for accreditation as of 12/31/13
Critical Risk
Valuation/ Impairment of Complex or Subjectively Valued Invested Assets
Liquidity Considerations
Appropriateness/Adequacy of Reinsurance Program
Reinsurance Reporting and Collectability
Underwriting and Pricing Strategy/Quality
Reserve Data
Reserve Adequacy
Related Party/Holding Company Considerations
Capital Management
PHASE 3 Identify and Evaluate Risk Mitigation Strategies and Controls
Phase 3 Strategy/Control Assessment
Step 1: Identify Risk Mitigation Strategies/Controls
Step 2: Evaluate Risk Mitigation Strategies/Controls
Step 3: Consideration of Small/Medium-Size Insurers
Step 4: Examiner Use of Sarbanes-Oxley
Documentation
Phase 3 Step 1: Identify Risk Mitigation Controls
The insurer’s control risk should be assessed by
determining how well the risk mitigation strategies/controls
offset the inherent risks identified
Leverage off work of external and internal audit and
company self-assessments (e.g. SOX)
Phase 3 Step 2: Evaluate Risk Mitigation Controls
Controls over Financial Reporting Risks tested to ensure:
• Operating as expected
• Applied consistently throughout the entire period of reliance
• Performed on a timely basis
• Encompassing all transactions
• Identifying errors
Reliance on External Auditors
Reliance on Controls Testing Performed in Prior Years
Risk Mitigation Strategies/Controls Ratings
The Risk Mitigation Strategy/Control Assessment ratings to
be indicated in the Risk Assessment Matrix are:
• Strong Risk Management
• Moderate Risk Management
• Weak Risk Management
Phase 3 Management Considerations
Control structure and mitigating controls have a significant impact on the level of work performed during the examination
Designing and self-evaluating controls is cost effective from an audit and examination perspective.
Ensure examiners fully understand control structure and testing done by external auditors, internal auditors, and SOX testing
PHASES 4-7
Phases 4 & 5
Phase 4 – Determination of residual risk
Combination of inherent risk and control risk
Also allows for examiner judgmental risk
Extent of testing in Phase 5 is dependent on residual risk
• High – Detail procedures required
• Moderate – Fewer detailed procedures, more analytical
• Low – Limited or no detail procedures performed, may be limited to
analytical
Phase 5 – Detailed Examination Procedures
Testing should focus on risk areas
May also include state-specific procedures
Phases 6 & 7
Phase 6 – Update prioritization and supervisory plan
• Examiners use material findings and risk assessment to update
ongoing supervisory plan for the insurer
Management involvement - None
Phase 7 – Draft examination report and management letter
Management involvement:
Ensure exam report is accurate and does not disclose confidential
information
Draft management letter responses, take credit for controls already
instituted
What’s New in Examinations
Form F – Enterprise Risk Report
ORSA Summary Report
• ORSA exam/ analysis procedures exposed for comment under the
Risk-Focused Surveillance (E) Working Group
Exhibit DD – Critical Risk
• 10 Critical Risk Categories
• Tolerable error (TE) removal – 12/31/2013
• Exhibit DD – Accreditation requirement as of 12/31/2013
Recent Examination Guidance Changes
Exhibit V – Prospective Risk Assessment
• Examiners should corroborate assertions that management has made
regarding identified risks and their mitigation
• Examiners should identify follow-up procedures for analysts
• Examples provided for completing exhibit
Exhibit E – Internal/External Audit
• Corporate Governance
Risk-Focused Exams Observations
Sound practices
• Schedule regular face-to-face meetings between insurer, examiner
and analysts
• Provide forms (planning questionnaire, IT planning questionnaire and preliminary company request) as early as practical
• Consider constraints on company personnel when establishing
request due dates
• Interviews:
• Review Annual statement, prior year reports, AM Best report, news reports
and inquiry of analyst to obtain basic insurer understanding before
conducting interviews
• Provide topical agenda as a guide for discussion
• Give adequate advance notice (30 days)
Risk-Focused Exams Observations
Interviews – cont’d
• C-Level interviews should be performed in Phase 1 to gain a better
understanding of the company and its significant risks
Using work of others (CPA, IA)
• Issues in obtaining work of others should be communicated promptly
• Deficiencies noted in work of others that limit usefulness for exam purposes should be communicated to allow company to correct deficiencies in future exams
Control identification
• Discuss perceived missing controls with company before
documenting control weaknesses
Leverage information from prior examinations
Contact Information
Sherry “Cyranna” L. Flippo, CPA, FLMI
Financial Program Manager
1100 Walnut Street, Suite 1500 Kansas City, MO 64106
816-783-8133
Dianne Batistoni, CPA, CFE
Partner, Insurance Services
111 Wood Ave South, Iselin, NJ 08830
732-243-7220