Monday, 15 August 2011


AICP Journal Article


A Look at the NAIC Model Audit Rule

The big boys are in their third year of complying with Sarbanes-Oxley (SOX).  “Continuous compliance” and “control standardization” slogans are reverberating through the cubicles of internal audit and compliance departments across the country.  And the NAIC, after several knock-down/drag-out battles with the industry, has finally come up with its version of SOX for insurers.

The regulations require the CEO and CFO to attest to the company’s system of internal controls – that there is such a system in place, that it’s working, and that the financial statements can be relied upon as a result thereof.

In this issue, we’ll take a look at what the NAIC has come up with for us.  Next time we’ll look at how we can start reaping the “benefits” of SOX without so much of the pain and cost that the big public companies experienced.


NAIC Guidelines

As of 6/12/06, the full NAIC Executive Committee, after extensive consultation with industry, passed the new Model Audit Rule applying certain Sarbanes-Oxley-related reporting requirements to the insurance industry.  These rules apply to all insurers, including privately held and mutual insurers.  The rules generally go into effect January 1, 2010, and are tied to annual financial statement reporting.

“And how does this affect me?” you ask.  Well, unfortunately, a comprehensive assessment of internal controls involves more than just the accounting department.  It can involve all areas of the company that have or impact financial activity, e.g., claims, actuarial, information systems, agency, even underwriting.  The Compliance unit may or may not be charged with implementation, depending on how the company approaches it.  In many of the large, early filers, the Internal Audit department had the privilege of running the SOX show.

Exempt insurers

The NAIC, in its concern for the feedback it received around the prohibitive costs for smaller companies, provided for certain exceptions to its new rules.  The exceptions apply to the SOX 404-type reporting, where management has to issue an opinion on its internal controls and financial statements, and which is probably the most expensive part of the SOX effort:

•  Companies with less than $500 million premium will be exempt from the 404-type reporting.
•  Insurers who are already SOX compliant are exempt.
•  No auditor attestation is required.  In other words, no separate audit opinion on management’s controls is necessary.  This exclusion alone will eliminate not only the additional cost of a second SOX review by the outside auditor, but also the duplicate effort and time spent by the insurer’s staff.
•  If part of the insurer is already certified as SOX compliant, it will not have to repeat.

Audit Committees

The NAIC liked the SOX emphasis on stronger audit committees.  Therefore it was not so lenient on who is exempt from the Independent Audit Committee rules.  These rules require the Audit Committee to be made up of “independent” board members - no ties to the company other than their board duties.

•  Insurers with over $500 million in annual premium (direct and assumed) must have 75% of their audit committee members independent.
•  Insurers with $300 - $500 million should have 50% of their audit committee independent
•  Insurers with under $300 million will not have to have any independent audit committee members
•  There is a promise by the NAIC to index this $500 million in the future, but there are no processes in place yet for this.
•  At least one of the audit committee members must be a “financial expert,” capable of understanding complex financial instruments, and internal controls (and, hopefully, asking hard questions around them).
   ◦  Insurers with greater than $100 million are required to have a financial expert
   ◦  Insurers with less than $100 million are “encouraged” to have a financial expert

Audit Committee Selection

The NAIC is intent on making sure all insurers have audit committees.

•  Every insurer “should” have an audit committee
•  For companies with small boards, the entire board can be the audit committee
•  The holding company audit committee can also serve as the company committee
•  The audit committee members must be members of the board
•  Audit committee members must be independent - cannot do other consulting to the company
•  Individual state laws may modify these independence requirements





Auditor Independence

The NAIC is also intent on encouraging outside auditor independence when it comes to companies implementing their SOX requirements.

•  The audit partner for the company must be rotated every five years
•  There must be a one-year “cooling off period” before the audit firm partner or senior manager can become a company employee (the company may apply to the commissioner for relief from this rule)
•  The outside auditor is prohibited from providing certain non-audit services to the company:
   ◦  Bookkeeping or other services related to the accounting records
   ◦  Financial information systems design and implementation
   ◦  Appraisal or valuation services, fairness opinions, or contribution-in-kind reports
   ◦  Actuarial advisory services (with certain limited exceptions)
   ◦  Internal Audit outsourcing
   ◦  Management or human resources services
   ◦  Broker/dealer, investment advisor, or investment banking
   ◦  Legal services and expert services unrelated to the financial audit
   ◦  Any other services that the state commissioners determine, by regulation, are impermissible
•  The audit committee can approve, in advance, other non-audit services
•  Insurers with less than $100 million may request exemption from the non-audit service rules
•  The auditor must report to the audit committee on all critical accounting policies and practices used by the insurer
•  The auditor cannot serve in an advocacy role for the insurer


Management’s Responsibility

Along with the 404-type certification requirements, the NAIC set out other specific requirements for management:

•  The audit committee of the board must preapprove all audit and permissible non-audit services by the outside auditor
•  The rule specifically addresses the conduct of the insurer, in that management cannot:
   ◦  Lie to auditors
   ◦  Cause others to lie to auditors
   ◦  Coerce auditors
•  The insurer must notify the Department of Insurance if:
   ◦  There are material changes to internal controls or corporate governance – must do so within five days.
   ◦  There are unremediated material weaknesses in the internal control system – must do so within 60 days.

Management will now be required to issue its own report on internal controls in conjunction with the annual financial statements.  It must include a:

•  Statement that management is responsible for internal control
•  Statement that management has established internal control and whether it is effective
•  Description of the process used to evaluate the effectiveness
•  Description of the evaluation’s scope
•  Disclosure of any unremediated material weaknesses in internal control
•  Statement regarding any inherent limitations of internal control
•  Signatures of the CEO and CFO


Effective Dates

Now that you probably know more than you wanted to know about the new Model Audit Rule, there’s a slight modification to the effective date mentioned at the beginning of this article:

•  The management reporting piece does, in fact, go into effect starting with the period ending 12/31/09
•  However, the audit partner section begins within two years of state enactment of the model rule
•  And the audit committee composition section begins January 1, 2008


Back to the Future

The NAIC has promised to issue “implementation guidelines.”  However, after three years, the SEC has yet to do so for the publicly traded companies.  We’ll see if the NAIC is any quicker. 

Be aware that certain industry groups fought tooth-and-nail to prevent these rules in any form.  That effort paid off in modifications resulting in the rules above, which, in many cases, are not as stringent as originally intended by the NAIC.  These same groups have vowed to take the fight to the individual state legislatures, hoping to gut the new Model Rule even further.  So stay tuned for the next round.