Date post: 18-Dec-2015
Sarbanes-Oxley Section 404 Internal Controls and Actuarial Processes Chris Nyce KPMG LLP September 2006
Page 1: Sarbanes-Oxley Section 404 Internal Controls and Actuarial Processes Chris Nyce KPMG LLP September 2006.

Sarbanes-Oxley Section 404 Internal Controls and Actuarial Processes

Chris Nyce, KPMG LLP

September 2006


Disclaimer

•Views and opinions expressed in this presentation and the underlying paper are those of the authors.

•Needless to say then, they do not represent the opinions of the CAS, nor any employer of the presenters, nor any sponsors of the meeting.

•Anyone who says otherwise is not only wrong, but is clearly itching for a fight.


Note

•Risks to financial reporting are unique to each company

•The following discussion highlights things that should commonly be considered, but companies may need to consider other types of controls, and do not necessarily need all types of controls discussed.

•Companies should consider their unique risk profile and consult professional advisors when implementing and evaluating their own controls.


Sarbanes-Oxley Section 404 Internal Controls and Actuarial Processes

• Background

• COSO Framework

• Scope for Actuarial Processes

• Issues

– Information Integrity & Availability

– Analysis

– End User Applications

– Management’s Best Estimate

• Documentation

• Considerations by Size of Company

• Status


Comments by Harvey Pitt (SEC Chairman when SOX was Passed)

Question: How is SOX like the weather?

Answer: Everyone talks about it, but no one does anything about it.

Quote from Mr. Pitt

“The statute was hastily – and, therefore, badly – drafted; but it was and remains, necessary”

Source: Wall Street Journal, April 13, 2006


Background


SOX Section 404 Company Requirements:

– State management’s role in establishing and maintaining an adequate control structure and procedures for financial reporting;

– Report on the effectiveness of their internal controls over financial reporting procedures

• Including supporting documentation of controls, and testing of their effectiveness.

SOX Section 404 Auditor Requirements:

– Attest to and report on management’s assessment of internal controls;

– Attest to the effectiveness of internal controls.


Deficiency = a situation in which internal controls are identified as not effective

Responses

– Identify and implement remediation steps

– Evaluate seriousness of the deficiency

| Type of Deficiency | Criteria | Reporting Requirement |
|---|---|---|
| Deficiency | Doesn’t rise to a more serious level. | Auditor to management. |
| Significant Deficiency | Results in a more than remote likelihood of a misstatement that is more than inconsequential. | Auditor to Audit Committee |
| Material Weakness | Results in a more than remote likelihood of a material misstatement. | Auditor to Audit Committee and in Audit Opinion (a public document). |


The COSO Framework


•Committee of Sponsoring Organizations

– Issued in 1992;

– AKA The Treadway Commission;

– Provides a basic framework for all internal controls;

– Implementers not required to use this framework – but most do.

•What is the framework?

– Control Environment;

– Risk Assessment;

– Control Activities;

– Information and Communication;

– Monitoring.


Diagram of COSO Based Internal Control Structure

*Presented with thanks to “Tone at the Top” published by the Institute of Internal Auditors


Elements of COSO Based Internal Control Structure

*Presented with thanks to “Tone at the Top” published by the Institute of Internal Auditors


Scope for Actuarial Processes


Property/Casualty Insurance Operations Chain:

[Diagram; box labels: Business Design; Markets Targeted; Product Rate Plan and Coverage; Underwriting Guides; Producer solicits/binds coverage, or policy renews; Policy is submitted to Underwriter; Underwriter verifies risk acceptability and price; Underwriting Process; Underwriting/Claims Transaction; Claims are received or estimated; Policy expires and may be renewed or audited; Transactional Data Systems; Resulting Financial Flows; Premiums Written and Earned; Losses received, recorded, estimated; Underwriting Expenses result]


Property/Casualty Insurance Operations Chain:

[Diagram: the operations chain above, with a region labeled “Traditional Financial Statement Audit Focus”]


Property/Casualty Insurance Internal Controls affecting Estimated Balance Sheet and Income Statement Items

[Diagram: the operations chain above, with regions labeled “Additional Focus Areas for Internal Controls”]


Estimated Balances Must Properly Reflect the Following Company Operations

[Diagram; box labels: Source A; Source B; Source C; Source Z; Company Risk Assumption/Underwriting Practices; Company Claims Handling and Settlement Practices; Company IT/Data Design and Collection Process; Perform Estimates and Analysis; Review and Communication Process; Committee Process; Input into Accounting System & Review; Information and Communication]


Estimated Balances Must Properly Reflect the Following Company Operations

[Diagram: the same process boxes as above, with the added labels Underwriting and Claims; Data; Analysis; Management Review Process]


Comments on Operational Internal Controls and Sarbanes-Oxley, Section 404

AICPA gives guidance as to how Sarbanes-Oxley applies to Internal controls in operational areas

– Only controls which affect financial statement reporting are subject to Sarbanes-Oxley;

– Includes items with significant input to financial reporting;

– Should be taken to include disclosures.

Examples and the AICPA guidance are in the following table.


Operational Controls; Management Responsibility Contrasted with Section 404 Goals

| Area of Control | Section 404 Internal Controls Include: | Examples of Additional Management Responsibilities, not section 404 |
|---|---|---|
| In General (from AICPA 319, item 40) | Address “Inherent and control risks to evaluate the likelihood that material misstatement could occur in the financial statements” | Address “identify, analyze, and manage risks that affect entity objectives” |
| Underwriting | Company intent around which exposures to insure, at what prices, terms and conditions is clear, is followed, and consistent with assumptions underlying balance sheet and income statement estimates | Management executes an underwriting strategy that provides appropriate returns with reasonable risk to capital providers. Staffing resource is appropriate to the volume of business. |
| Claims | Case reserving philosophy, and claims processes are understood, impacts of changes are understood, and consistent with assumptions underlying profit, loss, and balance sheet estimates | Claim settlements are fair to both claimants and capital providers. Appropriate legal strategies are pursued to defend policyholders. Claims staffing resource is appropriate to the volume of claims. |


Industry Track Record

Industry Experience - Runoff of Held Loss and LAE Reserves

Industry All Lines Experience in millions of US$

| Reserve Date | Held Reserves for Loss and LAE | (Equity)/Deficiency as Recorded 12/31/2004 | Ratio (Eq)/Def to Held Reserves |
|---|---|---|---|
| 12/31/1995 | 360,940 | (723) | -0.2% |
| 12/31/1996 | 365,319 | 189 | 0.1% |
| 12/31/1997 | 363,351 | 6,119 | 1.7% |
| 12/31/1998 | 378,278 | 24,638 | 6.5% |
| 12/31/1999 | 375,734 | 45,101 | 12.0% |
| 12/31/2000 | 372,075 | 64,129 | 17.2% |
| 12/31/2001 | 389,764 | 60,076 | 15.4% |
| 12/31/2002 | 414,813 | 34,650 | 8.4% |
| 12/31/2003 | 448,652 | 9,882 | 2.2% |
| 12/31/2004 | 486,438 | NA | NA |

Accident Year Evaluated at 12/31/2004

Negative means favorable runoff

Source for Accident Year: AM BEST Aggregates and Averages, "Industry Schedule P".


Industry Experience - Loss and Loss Expense Ratio

Comparison of Accident Year to Calendar Year

| CY | Earned Premium 000,000's | Accident Year Loss and LAE Ratio | Calendar Year Loss and LAE Ratio | Difference |
|---|---|---|---|---|
| 1995 | 247,338 | 76.1% | 78.9% | -2.8% |
| 1996 | 257,558 | 78.3% | 78.4% | -0.1% |
| 1997 | 265,356 | 76.0% | 72.8% | 3.2% |
| 1998 | 270,253 | 82.6% | 76.5% | 6.1% |
| 1999 | 277,760 | 84.8% | 78.9% | 5.9% |
| 2000 | 291,472 | 86.7% | 81.3% | 5.4% |
| 2001 | 312,286 | 86.7% | 88.4% | -1.7% |
| 2002 | 351,388 | 74.0% | 81.5% | -7.5% |
| 2003 | 394,951 | 68.2% | 75.0% | -6.8% |
| 2004 | 425,230 | 70.2% | 72.8% | -2.7% |
| Total | 3,093,591 | 77.6% | 78.3% | -0.6% |

Accident Year Evaluated at 12/31/2004

Negative means the Accident Year Ratio is Less Than the Calendar Year Ratio

Source for Calendar Year: AM BEST Aggregates and Averages, "Cumulative by Line Net Underwriting Experience, Industry".

Source for Accident Year: AM BEST Aggregates and Averages, "Industry Schedule P".


Information Integrity and Availability


Data

•Controls to ensure data is accurate and complete

•Data is available to enable comprehensive analysis

•Data is available to monitor compliance with Claims and Underwriting controls

•Data is available to support management review needs, including tracking of trends


Actuarial Analysis

Analysis

•Access to data is sufficiently convenient to analysts

•Available information is incorporated in analysis

•Communication process with underwriting, claims, management is sufficient

•Appropriate methods are used

•Communication of results to management is clear


End User Applications

•Spreadsheets, databases, Word documents, …

•One of the most problematic pieces of control documentation

•There is a group dedicated to spreadsheet risks, lots of stories available

– See website http://www.eusprig.org/stories.htm

•University of Hawaii research indicates that error rates on spreadsheets are near 90%

– And this goes to near 100% if more than 200 lines


Priority of Spreadsheet Controls

[Diagram: matrix of spreadsheet complexity (Simple to Complex) against use (Operational, Analytical, Financial Reporting), with regions labeled Simple Controls, Moderate Controls and Extensive Controls]

For more information see “The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act” Available at www.Pwcglobal.com


What Controls to Consider

•Backups

•Archiving

•Security

– Controls over Access

•Change Control and Version Control

– Such as Formula Locking

•Baselining – In depth review of calculations and functions

•Internal Data Reconciliations

•Peer Review – Sometimes outside the chain of reporting

•Documentation


Management’s Best Estimate vs. Actuarial Best Estimate


•Management Review Process

•Process to determine booked reserves is reasonable

•Reserve Committee and management review is effective

•Underlying assumptions, such as trends, are validated


Review controls to ensure the estimate selection process is consistent with the outcome of the underlying estimates, or reasons for departure are documented – including quantification of reasons;


Reserve Committee Process (best practices)

– Charter spelling out charge and operation of Committee;

– Participation by Senior Management, Finance, Claims, Underwriting, Actuarial;

– Access to a well documented actuarial estimate and range prepared prior to the Committee meeting;

– Active questioning by Committee;

– Well documented outcome of Committee meetings, including approved reserve amount;

– Documentation of differences between management’s best estimate and actuarial best estimate.

[Diagram labels: Completeness; Accuracy; Judgmental Areas; Management Review Process; Control Activities, Information and Communication, Monitoring; Data; Analysis; Underwriting & Claims]


Documentation Issues


Documentation

•While SOX has changed the documentation commonly used in Actuarial work, Accounting documentation requirements are similar to common standards prior to SOX.

•Most Common Pitfalls

– Controls should be specific: what is the control? who performs? who reviews? what is the documentation? how often? where maintained?

– Informal processes do not fully replace controls;

– Conservatism doesn’t take the place of controls;

– Lack of misstatement in the past doesn’t obviate the need for controls.


Documentation (continued)

•Most Common Pitfalls

– Controls over reserves usually just at year end, but release of results to markets quarterly;

– Controls over processes with significant input to financial statement balances missing;

– “Common knowledge” instead of rigorous analysis;

– Considering the auditor as part of the control process;

– Forgetting controls over significant actuarial balances other than reserves.


Considerations by Size of Company


•All companies need to weigh costs and benefits associated with implementation of SOX 404. Management may consider some deficiencies acceptable relative to costs associated with remediation.

•Larger companies generally have the actuarial resources to implement internal controls effectively.

•Smaller companies likely have resource constraints, most apparently relative to peer review.

– Third party actuarial analysis;

– Thorough review (and documentation) of reserves by all professionals in the organization that would be best versed in reasonability of reserves: senior claims, underwriting, and finance management.


Status of Implementation


Status – Recent Events

•For most large domestic entities; Implemented 2004

•Large foreign filers; Implementation in 2006

•NAIC considering statutory rules

– Current form would affect large entities, newly impacting about 190 Companies;

– Proposed effective for 2009;

– No external audit requirement.

•Canadian Securities Administrator has proposed SOX type requirements

– No external audit requirement.

