Sarbanes-Oxley Section 404 Internal Controls and Actuarial Processes Chris Nyce KPMG LLP - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Sarbanes-Oxley Section 404 Internal Controls and
Actuarial Processes
Chris Nyce
KPMG LLP
  • September 2006

2
Disclaimer
  • Views and opinions expressed in this presentation
    and the underlying paper are those of the
    authors.
  • Needless to say then, they do not represent the
    opinions of the CAS, nor any employer of the
    presenters, nor any sponsors of the meeting.
  • Anyone who says otherwise is not only wrong, but
    is clearly itching for a fight.

3
Note
  • Risks to financial reporting are unique to each
    company
  • The following discussion highlights things that
    should commonly be considered, but companies may
    need to consider other types of controls, and do
    not necessarily need all types of controls
    discussed.
  • Companies should consider their unique risk
    profile and consult professional advisors when
    implementing and evaluating their own controls.

4
Sarbanes-Oxley Section 404 Internal Controls and
Actuarial Processes
  • Background
  • COSO Framework
  • Scope for Actuarial Processes
  • Issues
  • Information Integrity and Availability
  • Analysis
  • End User Applications
  • Management's Best Estimate
  • Documentation
  • Considerations by Size of Company
  • Status

5
Comments by Harvey Pitt (SEC Chairman when SOX
was Passed)
  • Question: How is SOX like the weather?
  • Answer: Everyone talks about it, but no one does
    anything about it
  • Quote from Mr. Pitt:
  • "The statute was hastily and, therefore, badly
    drafted but it was and remains, necessary"

Source: Wall Street Journal, April 13, 2006
6
Background
7
Background
  • SOX Section 404 Company Requirements:
  • State management's role in establishing and
    maintaining an adequate central structure and
    procedures for financial reporting
  • Report on the effectiveness of their internal
    controls over financial reporting procedures
  • Including supporting documentation of controls,
    and testing of their effectiveness.
  • SOX Section 404 Auditor Requirements:
  • Attest to and report on management's assessment
    of internal controls
  • Attest to the effectiveness of internal controls.

8
Background
  • Deficiency: a situation that arises where internal
    controls are identified as not effective
  • Responses:
  • Identify and implement remediation steps
  • Evaluate seriousness of the deficiency

Type of Deficiency | Criteria | Reporting Requirement
Deficiency | Doesn't rise to a more serious level. | Auditor to management.
Significant Deficiency | Results in a more than remote likelihood of a misstatement that is more than inconsequential. | Auditor to Audit Committee
Material Weakness | Results in a more than remote likelihood of a material misstatement. | Auditor to Audit Committee and in Audit Opinion (a public document).
9
The COSO Framework
10
The COSO Framework
  • Committee of Sponsoring Organizations issued in
    1992
  • AKA The Treadway Commission
  • Provides a basic framework for all internal
    controls
  • Implementers are not required to use this framework,
    but most do.
  • What is the framework?
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring.

11
Diagram of COSO Based Internal Control Structure
  • Presented with thanks to Tone at the Top
    published by the Institute of Internal Auditors

12
Elements of COSO Based Internal Control Structure
Presented with thanks to Tone at the Top
published by the Institute of Internal Auditors
13
Scope for Actuarial Processes
14
Property/Casualty Insurance Operations Chain
Business Design
Underwriting Process
Underwriting Guides
Product Rate Plan and Coverage
Markets Targeted
Underwriting/Claims Transaction
Producer solicits/binds coverage, or policy renews
Policy expires and may be renewed or audited
Claims are received or estimated
Underwriter verifies risk acceptability and price
Policy is submitted to Underwriter
Transactional Data Systems
Resulting Financial Flows
Underwriting Expenses result
Premiums Written and Earned
Losses received, recorded, estimated
15
Property/Casualty Insurance Operations Chain
16
Property/Casualty Insurance Internal Controls
affecting Estimated Balance Sheet and Income
Statement Items
Business Design
Underwriting Process
Markets Targeted
Product Rate Plan and Coverage
Underwriting Guides
Underwriting/Claims Transaction
Producer solicits/binds coverage, or policy renews
Policy expires and may be renewed or audited
Claims are received or estimated
Underwriter verifies risk acceptability and price
Policy is submitted to Underwriter
Transactional Data Systems
Additional Focus Areas for Internal Controls
Resulting Financial Flows
Underwriting Expenses result
Premiums Written and Earned
Losses received, recorded, estimated
17
Estimated Balances Must Properly Reflect the
Following Company Operations
Source A
Company Risk Assumption/ Underwriting Practices
Information and Communication
Source B
Source C
Perform Estimates and Analysis
Company IT/ Data Design and Collection Process
Review and Communication Process
Committee Process
Input into Accounting System Review
Source Z
Company Claims Handling and Settlement Practices
Information and Communication
18
Estimated Balances Must Properly Reflect the
Following Company Operations
Source A
Company Risk Assumption/ Underwriting Practices
Information and Communication
Source B
Source C
Perform Estimates and Analysis
Company IT/ Data Design and Collection Process
Review and Communication Process
Committee Process
Input into Accounting System Review
Source Z
Company Claims Handling and Settlement Practices
Information and Communication
Underwriting and Claims
Management Review Process
Analysis
Data
19
Comments on Operational Internal Controls and
Sarbanes-Oxley, Section 404
  • AICPA gives guidance as to how Sarbanes-Oxley
    applies to internal controls in operational areas
  • Only controls which affect financial statement
    reporting are subject to Sarbanes-Oxley
  • Includes items with significant input to
    financial reporting
  • Should be taken to include disclosures.
  • Examples and the AICPA guidance are in the
    following table.

20
Operational Controls Management Responsibility
Contrasted with Section 404 Goals
Area of Control | Section 404 Internal Controls Include | Examples of Additional Management Responsibilities, not section 404
In General (from AICPA 319, item 40) | Address Inherent and control risks to evaluate the likelihood that material misstatement could occur in the financial statements | Address identify, analyze, and manage risks that affect entity objectives
Underwriting | Company intent around which exposures to insure, at what prices, terms and conditions is clear, is followed, and consistent with assumptions underlying balance sheet and income statement estimates | Management executes an underwriting strategy that provides appropriate returns with reasonable risk to capital providers. Staffing resource is appropriate to the volume of business.
Claims | Case reserving philosophy, and claims processes are understood, impacts of changes are understood, and consistent with assumptions underlying profit, loss, and balance sheet estimates | Claim settlements are fair to both claimants and capital providers. Appropriate legal strategies are pursued to defend policyholders. Claims staffing resource is appropriate to the volume of claims.
21
Industry Track Record
22
Industry Track Record
23
Information Integrity and Availability
24
Information Integrity and Availability
  • Data
  • Controls to ensure data is accurate and complete
  • Data is available to enable comprehensive
    analysis
  • Data is available to monitor compliance with
    Claims and Underwriting controls
  • Data is available to support management review
    needs, including tracking of trends

25
Actuarial Analysis
  • Analysis
  • Access to data is sufficiently convenient to
    analysts
  • Available information is incorporated in analysis
  • Communication process with underwriting, claims,
    management is sufficient
  • Appropriate methods are used
  • Communication of results to management is clear

Peer Review!
26
End User Applications
  • Spreadsheets, databases, word documents, ...
  • One of the most problematic pieces of control
    documentation
  • There is a group dedicated to spreadsheet risks,
    lots of stories available
  • See website: http://www.eusprig.org/stories.htm
  • University of Hawaii research shows that error rates
    on spreadsheets near 90%
  • And this goes near 100% if more than 200 lines

27
Priority of Spreadsheet Controls
For more information see "The Use of
Spreadsheets: Considerations for Section 404 of
the Sarbanes-Oxley Act", available at
www.Pwcglobal.com
28
What Controls to Consider
  • Backups
  • Archiving
  • Security
  • Controls over Access
  • Change Control and Version Control
  • Such as Formula Locking
  • Baselining: in-depth review of calculations and
    functions
  • Internal Data Reconciliations
  • Peer Review: sometimes outside the chain of
    reporting
  • Documentation

29
Management's Best Estimate vs. Actuarial Best
Estimate
30
Management's Best Estimate vs. Actuarial Best
Estimate
  • Management Review Process
  • Process to determine booked reserves is
    reasonable
  • Reserve Committee and management review is
    effective
  • Underlying assumptions, such as trends, are
    validated

Review controls to ensure the estimate selection
process is consistent with the outcome of the
underlying estimates, or reasons for departure
are documented including quantification of
reasons
31
Management Review Process
Control Activities, Information and
Communication, Monitoring
Completeness
Accuracy
Judgmental Areas
  • Reserve Committee Process (best practices)
  • Charter spelling out charge and operation of
    Committee
  • Participation by Senior Management, Finance,
    Claims, Underwriting, Actuarial
  • Access to a well documented actuarial estimate
    and range prepared prior to the Committee
    meeting
  • Active questioning by Committee
  • Well documented outcome of Committee meetings,
    including approved reserve amount
  • Documentation of differences between management's
    best estimate and actuarial best estimate.

32
Documentation Issues
33
Documentation
  • While SOX has changed the documentation commonly
    used in Actuarial work, Accounting documentation
    requirements are similar to common standards
    prior to SOX.
  • Most Common Pitfalls
  • Controls should be specific
  • What is the control?, who performs?, who
    reviews?, what is the documentation?, how often?,
    where maintained?
  • Informal processes do not fully replace controls
  • Conservatism doesn't take the place of controls
  • Lack of misstatement in the past doesn't obviate
    the need for controls.

34
Documentation (continued)
  • Most Common Pitfalls
  • Controls over reserves usually just at year end,
    but release of results to markets quarterly
  • Controls over processes with significant input to
    financial statement balances missing
  • Common knowledge instead of rigorous analysis
  • Considering the auditor as part of the control
    process
  • Forgetting controls over significant actuarial
    balances other than reserves.

35
Considerations by Size of Company
36
Considerations by Size of Company
  • All companies need to weigh costs and benefits
    associated with implementation of SOX 404.
    Management may consider some deficiencies
    acceptable relative to costs associated with
    remediation.
  • Larger companies generally have the actuarial
    resources to implement internal controls
    effectively.
  • Smaller companies likely have resource
    constraints, most apparently relative to peer
    review.
  • Third party actuarial analysis
  • Thorough review (and documentation) of reserves
    by all professionals in the organization that
    would be best versed in reasonability of reserves
    --- senior claims, underwriting, and finance
    management.

37
Status of Implementation
38
Status: Recent Events
  • For most large domestic entities: implemented
    2004
  • Large foreign filers: implementation in 2006
  • NAIC considering statutory rules
  • Current form would affect large entities, newly
    impacting about 190 Companies
  • Proposed effective for 2009
  • No external audit requirement.
  • Canadian Securities Administrator has proposed
    SOX type requirements
  • No external audit requirement.