Title: Sarbanes-Oxley Section 404 Internal Controls and Actuarial Processes Chris Nyce KPMG LLP
Sarbanes-Oxley Section 404 Internal Controls and Actuarial Processes
Chris Nyce, KPMG LLP
Disclaimer
- Views and opinions expressed in this presentation and the underlying paper are those of the authors.
- Needless to say then, they do not represent the opinions of the CAS, nor any employer of the presenters, nor any sponsors of the meeting.
- Anyone who says otherwise is not only wrong, but is clearly itching for a fight.
Note
- Risks to financial reporting are unique to each company.
- The following discussion highlights things that should commonly be considered, but companies may need to consider other types of controls, and do not necessarily need all types of controls discussed.
- Companies should consider their unique risk profile and consult professional advisors when implementing and evaluating their own controls.
Sarbanes-Oxley Section 404 Internal Controls and Actuarial Processes
- Background
- COSO Framework
- Scope for Actuarial Processes
- Issues
  - Information Integrity and Availability
  - Analysis
  - End User Applications
  - Management's Best Estimate
  - Documentation
- Considerations by Size of Company
- Status
Comments by Harvey Pitt (SEC Chairman when SOX was Passed)
- Question: How is SOX like the weather?
- Answer: Everyone talks about it, but no-one does anything about it.
- Quote from Mr. Pitt: "The statute was hastily and, therefore, badly drafted, but it was, and remains, necessary."
Source: Wall Street Journal, April 13, 2006
Background
- SOX Section 404 Company Requirements
  - State management's role in establishing and maintaining an adequate internal control structure and procedures for financial reporting.
  - Report on the effectiveness of their internal controls over financial reporting procedures, including supporting documentation of controls and testing of their effectiveness.
- SOX Section 404 Auditor Requirements
  - Attest to and report on management's assessment of internal controls.
  - Attest to the effectiveness of internal controls.
Background
- A deficiency situation arises where internal controls are identified as not effective.
- Responses
  - Identify and implement remediation steps
  - Evaluate the seriousness of the deficiency

Type of Deficiency | Criteria | Reporting Requirement
Deficiency | Doesn't rise to a more serious level. | Auditor to management.
Significant Deficiency | Results in a more than remote likelihood of a misstatement that is more than inconsequential. | Auditor to Audit Committee.
Material Weakness | Results in a more than remote likelihood of a material misstatement. | Auditor to Audit Committee and in Audit Opinion (a public document).
The COSO Framework
- Issued in 1992 by the Committee of Sponsoring Organizations, AKA the Treadway Commission.
- Provides a basic framework for all internal controls.
- Implementers are not required to use this framework, but most do.
- What is the framework?
  - Control Environment
  - Risk Assessment
  - Control Activities
  - Information and Communication
  - Monitoring
Diagram of COSO Based Internal Control Structure (figure; presented with thanks to Tone at the Top, published by the Institute of Internal Auditors)
Elements of COSO Based Internal Control Structure (figure; presented with thanks to Tone at the Top, published by the Institute of Internal Auditors)
Scope for Actuarial Processes
Property/Casualty Insurance Operations Chain (flow diagram, recovered as a list)
- Business Design / Underwriting Process: Markets Targeted; Product Rate Plan and Coverage; Underwriting Guides
- Underwriting/Claims Transaction: Producer solicits/binds coverage, or policy renews; Policy is submitted to Underwriter; Underwriter verifies risk acceptability and price; Policy expires and may be renewed or audited; Claims are received or estimated
- Transactional Data Systems
- Resulting Financial Flows: Premiums Written and Earned; Losses received, recorded, estimated; Underwriting Expenses result
Property/Casualty Insurance Internal Controls affecting Estimated Balance Sheet and Income Statement Items (the same operations chain diagram, annotated with "Additional Focus Areas for Internal Controls")
- Business Design / Underwriting Process: Markets Targeted; Product Rate Plan and Coverage; Underwriting Guides
- Underwriting/Claims Transaction: Producer solicits/binds coverage, or policy renews; Policy is submitted to Underwriter; Underwriter verifies risk acceptability and price; Policy expires and may be renewed or audited; Claims are received or estimated
- Transactional Data Systems
- Resulting Financial Flows: Premiums Written and Earned; Losses received, recorded, estimated; Underwriting Expenses result
Estimated Balances Must Properly Reflect the Following Company Operations (diagram, recovered as a list; a second copy of the slide groups the same elements under Underwriting and Claims, Data, Analysis, and Management Review Process)
- Sources A, B, C, ... Z: Company Risk Assumption/Underwriting Practices; Company Claims Handling and Settlement Practices; Information and Communication
- Company IT/Data Design and Collection Process
- Perform Estimates and Analysis
- Review and Communication Process
- Committee Process
- Input into Accounting System; Review
Comments on Operational Internal Controls and Sarbanes-Oxley, Section 404
- AICPA gives guidance as to how Sarbanes-Oxley applies to internal controls in operational areas.
- Only controls which affect financial statement reporting are subject to Sarbanes-Oxley.
  - Includes items with significant input to financial reporting.
  - Should be taken to include disclosures.
- Examples and the AICPA guidance are in the following table.
Operational Controls: Management Responsibility Contrasted with Section 404 Goals

Area of Control | Section 404 Internal Controls Include | Examples of Additional Management Responsibilities, not Section 404
In General (from AICPA 319, item 40) | Address inherent and control risks to evaluate the likelihood that material misstatement could occur in the financial statements. | Address: identify, analyze, and manage risks that affect entity objectives.
Underwriting | Company intent around which exposures to insure, at what prices, terms and conditions, is clear, is followed, and is consistent with assumptions underlying balance sheet and income statement estimates. | Management executes an underwriting strategy that provides appropriate returns with reasonable risk to capital providers. Staffing resource is appropriate to the volume of business.
Claims | Case reserving philosophy and claims processes are understood, impacts of changes are understood, and are consistent with assumptions underlying profit, loss, and balance sheet estimates. | Claim settlements are fair to both claimants and capital providers. Appropriate legal strategies are pursued to defend policyholders. Claims staffing resource is appropriate to the volume of claims.
Industry Track Record (figure)
Information Integrity and Availability
- Data
  - Controls to ensure data is accurate and complete
  - Data is available to enable comprehensive analysis
  - Data is available to monitor compliance with Claims and Underwriting controls
  - Data is available to support management review needs, including tracking of trends
Actuarial Analysis
- Analysis
  - Access to data is sufficiently convenient to analysts
  - Available information is incorporated in analysis
  - Communication process with underwriting, claims, management is sufficient
  - Appropriate methods are used
  - Communication of results to management is clear
  - Peer Review!
End User Applications
- Spreadsheets, databases, Word documents, ...
- One of the most problematic pieces of control documentation.
- There is a group dedicated to spreadsheet risks, with lots of stories available: see the website http://www.eusprig.org/stories.htm
- University of Hawaii research finds error rates on spreadsheets near 90%, and this goes near 100% if more than 200 lines.
Priority of Spreadsheet Controls (figure)
For more information see "The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act", available at www.Pwcglobal.com
What Controls to Consider
- Backups
- Archiving
- Security
  - Controls over Access
- Change Control and Version Control
  - Such as Formula Locking
- Baselining: in-depth review of calculations and functions
- Internal Data Reconciliations
- Peer Review: sometimes outside the chain of reporting
- Documentation
Management's Best Estimate vs. Actuarial Best Estimate
- Management Review Process
  - Process to determine booked reserves is reasonable
  - Reserve Committee and management review is effective
  - Underlying assumptions, such as trends, are validated
- Review controls to ensure the estimate selection process is consistent with the outcome of the underlying estimates, or reasons for departure are documented, including quantification of reasons.
Management Review Process
COSO components addressed: Control Activities, Information and Communication, Monitoring
Completeness / Accuracy / Judgmental Areas
- Reserve Committee Process (best practices)
  - Charter spelling out charge and operation of Committee
  - Participation by Senior Management, Finance, Claims, Underwriting, Actuarial
  - Access to a well documented actuarial estimate and range prepared prior to the Committee meeting
  - Active questioning by Committee
  - Well documented outcome of Committee meetings, including approved reserve amount
  - Documentation of differences between management's best estimate and actuarial best estimate.
Documentation Issues
Documentation
- While SOX has changed the documentation commonly used in actuarial work, accounting documentation requirements are similar to common standards prior to SOX.
- Most Common Pitfalls
  - Controls should be specific: What is the control? Who performs? Who reviews? What is the documentation? How often? Where maintained?
  - Informal processes do not fully replace controls.
  - Conservatism doesn't take the place of controls.
  - Lack of misstatement in the past doesn't obviate the need for controls.
Documentation (continued)
- Most Common Pitfalls
  - Controls over reserves usually just at year end, but release of results to markets quarterly.
  - Controls over processes with significant input to financial statement balances missing.
  - Common knowledge instead of rigorous analysis.
  - Considering the auditor as part of the control process.
  - Forgetting controls over significant actuarial balances other than reserves.
Considerations by Size of Company
- All companies need to weigh costs and benefits associated with implementation of SOX 404. Management may consider some deficiencies acceptable relative to costs associated with remediation.
- Larger companies generally have the actuarial resources to implement internal controls effectively.
- Smaller companies likely have resource constraints, most apparently relative to peer review.
  - Third party actuarial analysis
  - Thorough review (and documentation) of reserves by all professionals in the organization that would be best versed in reasonability of reserves: senior claims, underwriting, and finance management.
Status of Implementation
Status: Recent Events
- For most large domestic entities: implemented 2004
- Large foreign filers: implementation in 2006
- NAIC considering statutory rules
  - Current form would affect large entities, newly impacting about 190 companies
  - Proposed effective for 2009
  - No external audit requirement
- Canadian Securities Administrator has proposed SOX-type requirements
  - No external audit requirement