NAIC Insurer Financial Reports Rules
Cost Advisors’ Background
• Founded in 1999
• Focus on Financial Risk Management, Fraud and Recovery
• Developed SarbOxPro® software – www.sarboxpro.com
© 2008 Cost Advisors, Inc. All rights reserved.
Bill Douglas’ Background
• Principal of Cost Advisors, Inc.; 29 years’ experience
• Management positions in Accounting, IT Systems, CFO, IPO, 'Big 4' public accounting, business processes, internal controls, fraud, internal auditing, Sarbanes-Oxley (SOX)
• Project management at both large and small public companies
• Published SOX Illustrated – a 200-page book on SOX
• Published Guide for managing Sarbanes-Oxley projects in the Internal Auditor magazine
• Instructor for Oregon Society of CPAs
Credentials:
• Certified Public Accountant (CPA)
• Certified Internal Auditor (CIA)
• Certified Fraud Examiner (CFE)
• Licensed Private Investigator (PI) in Oregon
Agenda
• SOX vs. Insurer Financial Reports Rules
• NAIC Project Framework: Governance, Assessment, Prevention, Detection, Reporting & Correction
• Software tools available
• Takeaways & resources
NAIC Project Framework (cycle diagram): Governance → Assessment → Prevention → Detection → Correction
Applicability of Insurer Financial Reports Rules
• Over $500M in premiums
• Audits of the year beginning January 1, 2010
• Can use SOX 404 report instead
(Venn diagram with the labels: > $500M; Insurance; SOX 404)
Sarbanes-Oxley Act of 2002 – Contents
The Act is comprised of 11 Titles:
• Title I – Public Company Accounting Oversight Board (PCAOB): establishment, auditing and accounting standards
• Title II – Auditor Independence: sets forth required actions by external auditors and audit committee
• Title III – Corporate Responsibility: requires CEOs and CFOs to certify quarterly and annual reports to the SEC (Section 302)
• Title IV – Enhanced Financial Disclosures: additional and accelerated disclosure requirements; SECTION 404: MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS
• Title V – Analyst Conflicts of Interest
• Title VI – Commission Resources and Authority: authorizations, qualifications
• Title VII – Studies and Reports: credit ratings, violators, etc.
• Title VIII – Corporate and Criminal Fraud Accountability: provides tougher criminal penalties for defrauding shareholders, altering docs, etc.
• Title IX – White-Collar Crime Penalty Enhancements: enhanced penalties for certain white-collar crimes (e.g., mail/wire fraud)
• Title X – Corporate Tax Returns
• Title XI – Corporate Fraud and Accountability: fines or imprisonment with regards to certain other matters involving corporate fraud
SECTION 404: MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS – has the biggest impact on public companies
SECTION 302: CORPORATE RESPONSIBILITY FOR FINANCIAL REPORTS
SEC vs. PCAOB
(Diagram with the parties: SEC; PCAOB; External Auditor; Public Co. (Insurer))
Rulemaking & Oversight (NAIC side)
(Diagram with the elements: Accounting Practices and Procedures Manual; Insurer Financial Reports Rules; Financial Condition Examiners Handbook; Risk-Focused Surveillance Framework; SAS 104–111 ‘Risk-Based Standards’; parties: External Auditor, Insurer, Examiner)
SOX 404 vs. Insurer Financial Reports Rules
ICFR = Internal Controls over Financial Reporting
Scope of SOX 404 (the Insurer Financial Reports Rules match on every point):
• Detailed, accurate records to reflect transactions and dispositions
• Transactions roll up to Financial Statements which comply with GAAP
• Management has authorized receipts and expenditures
• Prevent or detect unauthorized acquisition, use or disposition – IF MATERIAL
SOX 404 vs. Insurer Financial Reports Rules – Page 1 of 2
Audit Committee
  SOX: Yes – with one Financial Expert
  Insurer Fin. Rept. Rules: Yes – with independence rules
Audit Required
  SOX: Yes
  Insurer Fin. Rept. Rules: Yes
Designation of CPA
  SOX: Yes – to SEC, when changed
  Insurer Fin. Rept. Rules: Yes – to Insurance Dept of State, with letter from CPA
Audit Partner Rotation
  SOX: Yes
  Insurer Fin. Rept. Rules: Yes
CPA barred from non-audit services
  SOX: Yes – except tax prep or other approved by Board
  Insurer Fin. Rept. Rules: Yes – except if premiums < $100M with waiver; except tax prep or other approved by Board; except if < 5%
CPA manager & partner can’t be hired for 1 year
  SOX: Yes
  Insurer Fin. Rept. Rules: Yes
SOX 404 vs. Insurer Financial Reports Rules – Page 2 of 2
CPA studies controls
  SOX: Yes
  Insurer Fin. Rept. Rules: Yes
Adverse Condition Notice
  SOX: As audit opinion only
  Insurer Fin. Rept. Rules: Yes – to Director in 5 days
Material Weaknesses
  SOX: In Management's Report
  Insurer Fin. Rept. Rules: Tell Director 60 days after audit
Significant Deficiencies
  SOX: Tell Audit Committee
  Insurer Fin. Rept. Rules: Hold for Examiners
Accountant's Letter of Qualifications
  SOX: No
  Insurer Fin. Rept. Rules: Yes – to Insurer
Accountant’s workpapers
  SOX: No
  Insurer Fin. Rept. Rules: Hold for Examiners
Management’s report on Controls
  SOX: Yes – documentation & testing
  Insurer Fin. Rept. Rules: Yes – some documentation & diligent inquiry
SOX 404 vs. Insurer Financial Reports Rules
SOX 404: Internal Control Framework (COSO) → Documentation & Testing → Management Assertion → Auditor Attest
NAIC Rules: any framework → Documentation & Diligent Inquiry* → Management Assertion → Auditor Consideration
* No special documentation necessary. ‘Diligent Inquiry’ includes review, monitoring and testing in the normal course of business.
Sarbanes-Oxley Section 404 – COSO Objectives vs. Section 404
(Diagram: the COSO objectives are Operations, Laws & Regulations and Financial Reporting; the Section 404 scope covers Financial Reporting.)
Insurer Financial Reports Rules – CEO and CFO Statement
• Management is responsible for internal control
• Management has established internal control and its internal controls are effective
• No Material Weaknesses
• The approach and scope management used
• Effectiveness
• Unremediated material weaknesses from prior year
Risk-based Framework
Governance: • Entity-Level Controls • Tone-at-the-Top
Assessment: • Risk Identification • Risk Evaluation • Segregation of Duties analysis
Prevention: • Process flowcharts & narratives • Process Improvement • Internal Controls
Detection: • Process Controls Testing • IT Testing • 3rd Party controls (SAS70)
Correction: • Deficiency Evaluation • Deficiency Remediation • Mgt/Board Reporting
The ‘Wedding Cake’ (layered diagram)
• Company-Level Controls – ‘Tone at the Top’, Governance
• Business Processes – Flowcharts, Risk & Control Matrices
• IT Applications – Testing Coordinated with Application Superusers
• IT Infrastructure – Data Centers, Operating Systems, Networks (IT General Controls)
Governance
Integrity & ethics: Business Practices; HR Policies; Whistleblower procedures; Performance Evaluation process
Board of Directors: Minutes; Governance Guidelines; Audit Committee Charter; Compensation Committee Charter
Operating Style: Risk Analysis; Employee Turnover; Financial Manager Code of Ethics; Travel to subs; Management Incentives; Recognition Awards
Organizational Structure: Org Charts; Job Descriptions & Classifications
HR Policies: Hiring Guidelines & Procedures; New Employee Orientation; Background Checks
Risk Assessment: SOX Process Documentation; Business Plans
Info & Communication: IT General Controls; Division Reviews; Accounting & Finance Meetings
Monitoring: Internal Audit function; IRS audits; Regulatory Audits; SEC comments; SOX Steering Committee
Processes vs. Risks
Assessment – Identifying Process Population
(Diagram: Process Lists drawn from Other Companies (Company X, Company Y, Company Z) and from the Company’s Financial Statements and Disclosures (account mapping), with Validation by the Finance Process Owner.)
Causes of Inherent PROCESS Risk
• Size of account (materiality)
• Susceptibility to errors or fraud
• Complex accounting (GAAP)
• Subjectivity, estimates, judgment
• Transaction complexity
• Lack of automation
• Recent changes
• Contingent Liabilities
• Related-Party transactions
• Subject to environmental factors, such as technological and/or economic developments
Risk of CONTROL Failure
• The nature and materiality of misstatements that the control is intended to prevent or detect;
• The risk of management override;
• Whether there have been changes in the volume or nature of transactions that might adversely affect control design or operating effectiveness;
• Whether the control has a history of errors;
• The effectiveness of entity-level controls, especially controls that monitor other controls;
• The degree to which the control relies on the effectiveness of other controls (e.g., the control environment or information technology general controls);
• The competence of the personnel who perform the control or monitor its performance, and whether there have been changes in key personnel who perform the control or monitor its performance;
• Whether the control relies on performance by an individual or is automated (i.e., an automated control would generally be expected to be lower risk if relevant information technology general controls are effective);
• The complexity of the control.
Risk-Based Approach to Testing
Risk Assessment (Heat Sheet) – free download at: www.sarboxpro.com
Source: MANAGEMENT’S REPORT ON INTERNAL CONTROL OVER FINANCIAL REPORTING, SEC, December 20, 2006
(Heat map: Inherent Risk (Low / Medium / High) against Risk of Control Failure (Low / Medium / High); the cells grade from Less Evidence to More Evidence.)
Reliance on Controls
(Diagram: Controls → Financial Statements, with the two branches ‘Can rely’ and ‘Cannot rely’.)
Assessing Risk in Segregation of Duties (SOD)
Risk Assessment – Segregation of Duties: SOD Matrix (Good Approach)
(Matrix: one row per person (Function), columns Authorize | Record | Custody | Control, with an ‘Investigate Further’ callout.)
Issue – Over-reliance on process owner representations
Risk Assessment – Segregation of Duties: Export System Access data and combine with Manual Activities (Best Approach)
IT System → System Access Report → Excel or Access (combined with the List of Manual Activities) → Conflict Reports
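As an added worked example (not part of the deck and not SarbOxPro code), the following Python script carries out the ‘best approach’ above: it parses a constructed system access export, merges it with a constructed list of manual activities, and produces conflict rows wherever one person holds two or more of the four duties (Authorize, Record, Custody, Control) in the same process. The role names and the role-to-duty mapping are assumptions made for the example.

```python
"""Segregation-of-duties (SOD) conflict report.

Constructed example: a system access export is combined with a list of
manual (off-system) activities, and every user who holds two or more of the
four duties (Authorize, Record, Custody, Control) within one process is
reported. All data, role names and the role-to-duty mapping are invented.
"""
import csv
import io
from collections import defaultdict

DUTIES = ("Authorize", "Record", "Custody", "Control")

# Hypothetical mapping of system roles to (process, duty).
# In practice this comes from the application's role design, not from the export.
ROLE_DUTIES = {
    "AP_VENDOR_MAINT":    ("Accounts Payable", "Record"),
    "AP_INVOICE_ENTRY":   ("Accounts Payable", "Record"),
    "AP_INVOICE_APPROVE": ("Accounts Payable", "Authorize"),
    "AP_PAYMENT_RUN":     ("Accounts Payable", "Custody"),
    "GL_JE_POST":         ("General Ledger", "Record"),
    "GL_RECON_REVIEW":    ("General Ledger", "Control"),
}

# Constructed "System Access Report" as a CSV export (user, role).
ACCESS_REPORT = """user,role
jdoe,AP_INVOICE_ENTRY
jdoe,AP_INVOICE_APPROVE
asmith,AP_VENDOR_MAINT
asmith,GL_JE_POST
bwong,GL_RECON_REVIEW
"""

# Constructed "List of Manual Activities": duties performed outside the system,
# e.g. physically signing checks. Tuples of (user, process, duty).
MANUAL_ACTIVITIES = [
    ("asmith", "Accounts Payable", "Custody"),   # signs checks
    ("bwong", "General Ledger", "Record"),       # prepares manual journal entries
]


def parse_access_report(text):
    """Parse the CSV export into (user, role) pairs, skipping incomplete rows."""
    reader = csv.DictReader(io.StringIO(text))
    return [(row["user"].strip(), row["role"].strip())
            for row in reader if row.get("user") and row.get("role")]


def build_duty_map(access_rows, manual_activities):
    """Return {user: {process: {(duty, source), ...}}} built from both sources."""
    duties = defaultdict(lambda: defaultdict(set))
    for user, role in access_rows:
        if role not in ROLE_DUTIES:
            continue  # roles with no financial duty are ignored
        process, duty = ROLE_DUTIES[role]
        duties[user][process].add((duty, "role:" + role))
    for user, process, duty in manual_activities:
        duties[user][process].add((duty, "manual"))
    return duties


def find_conflicts(duties):
    """A conflict is one user holding two or more distinct duties in one process."""
    conflicts = []
    for user in sorted(duties):
        for process in sorted(duties[user]):
            held = duties[user][process]
            distinct = sorted({duty for duty, _ in held})
            if len(distinct) >= 2:
                conflicts.append({
                    "user": user,
                    "process": process,
                    "duties": distinct,
                    "sources": sorted(src for _, src in held),
                })
    return conflicts


def sod_matrix(duties):
    """Rows of the slide's SOD matrix: (user, process, {duty: [sources]})."""
    rows = []
    for user in sorted(duties):
        for process in sorted(duties[user]):
            cells = {d: [] for d in DUTIES}
            for duty, src in sorted(duties[user][process]):
                cells[duty].append(src)
            rows.append((user, process, cells))
    return rows


def conflict_report(access_text=ACCESS_REPORT, manual=MANUAL_ACTIVITIES):
    """Full pipeline: export + manual activities -> conflict rows."""
    return find_conflicts(build_duty_map(parse_access_report(access_text), manual))


if __name__ == "__main__":
    for c in conflict_report():
        print(f"{c['user']:8} {c['process']:18} {' + '.join(c['duties'])}"
              f"  <- {', '.join(c['sources'])}")
```

Running the script with the constructed data reports three conflicts. The one for asmith (vendor maintenance in the system plus check signing recorded only as a manual activity) does not appear when the system export is analysed on its own, which is the point of combining the two sources rather than relying on the access report or on process-owner representations alone.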
Controls
Real ‘Swimlane’ Flowchart (diagram; lanes include the AP System and the GL System)
Sarbanes-Oxley Testing Training – Risk & Control Matrix
Control Description | Control Frequency | Control Owner
1. Accounts Payable verifies that all invoices from new vendors are approved for validity prior to adding the vendor to the vendor master file. | Many X / Day | Accounts Payable
2. Check signers verify the invoice is valid, and the check amount and GL coding are accurate prior to signing the check. | Many X / Day | Authorized Signers are CEO, CFO, CAO, CLO, Controller, Cashier, SVP/Operations, or Human Resources Officer.
Detection
• Purpose is to evaluate control operation
• Purpose is not to detect fraud
• Purpose is not to detect financial misstatements
Control Frequencies
Control Frequency | Examples
More than Daily (Large Pop.) | Vendor Invoicing
Daily | Sub-ledger distribution
Monthly | Account reconciliations
Quarterly | Reserve Adjustments
Semiannual | SAS-70
System / Annual | 10K Report
Control Frequencies/Sample Sizes
Example Test Plan (sections: Sample identification; Test attributes)
What is a walkthrough?
• Physically “walk through” the documented process from beginning to end with the Control Owner.
• Observe the steps and controls in the process. Mark hardcopy documentation with discrepancies.
• Observe physical security.
• Confirm employees’ understanding of controls and the timeliness of performance.
• Confirm what happens (per documentation) when there is an error.
• Identify recent changes in the process.
• Note unidentified risks or controls that are ineffective.
• Obtain copies of testable documents and screen shots that show the documented process.
Gaps & Deficiencies
• 3 levels of identified gaps: deficiencies, significant deficiencies and material weaknesses
• Gaps may be identified during documentation, internal testing or auditor testing
(Diagram: magnitude of misstatement from Inconsequential to Material (judgmental materiality) against likelihood from Remote to Reasonably Possible. Control Deficiency (least severe): reportable in writing to management by auditors. ‘Merits Attention’ lies in between. Material Weakness: disclose to shareholders via Management’s Letter.)
Top 10 Material Weaknesses (for all public companies)
1. Poor accounting documentation
2. External auditor adjustments
3. Lack of training, competency of accounting people
4. Poor account reconciliations
5. Restatements
6. Poor controls over non-routine transactions
7. IT Access and security
8. Poor JE controls
9. Poor control design and segregation of duties
10. Issues with top management and tone at the top
Data provided by Audit Analytics.
Managing Gaps (Deficiencies)
• Keep a list of all gaps: Design Gaps from Documentation; Testing Failures
• Prioritize gaps by: Risk of failure and Financial statement impact; Aggregation of gaps in Financial Statements (Cycles)
Test Failure Form – Four Sections:
1. Tester’s Reason for Failing
2. Manager’s Evaluation
3. Process Owner’s Remediation
4. Evaluation Team Sign Off
If you only use Excel, Word, Visio…
Software Tool Alternatives (columns: Excel / Desktop Database / Web-Based)
• Share controls and tests between documenters: √ √
• Ensure pre-defined and uniform data capture: √ √
• Run consolidated reports for all documenters: √ √
• Easy to setup: √ √
• Custom reports in Excel: √ / √ / maybe
• Responsive (no latency): √ √
• Low Cost: √ √
• E-Mail notification: √
• # Simultaneous users: 1 / about 5 / dozens
(Where a row shows two check marks, the transcript does not preserve which two of the three columns they belong to.)
Download a free copy of our desktop tool at www.sarboxpro.com
Agenda – Reasons for SOX
• COSO Study
• Scandals in 2000
• ACFE Report to the Nation
How SOX tackles fraud: Governance, Assessment, Prevention, Detection, Reporting & Correction
Takeaways & resources
Takeaways
• SOX and the NAIC Financial rules use a similar framework
• Include only relevant processes
• Use a risk-based assessment
• Document controls preventing risks
• Test for control operation, not fraud occurrence
• Document how you established that controls work
• Well performed tests will save examiners’ time
• Control deficiencies should be evaluated & reported
SOX Resources (from the SEC, PCAOB, COSO and AICPA)
• 1977 – Foreign Corrupt Practices Act (Have good controls)
• 1992 – Internal Control Framework
• 1996 – Addendum to address Safeguarding of Assets
• June 5, 2003 – Rules implementing Section 404 (Use a framework like COSO)
• March 9, 2004 – Auditing Standard #2, Auditing Internal Control
• December 2004 – Evaluating Deficiencies (aka The Concluding Framework)
• May 16, 2005 – Staff Guidance (Management is responsible)
• May 16, 2005 – Increase Efficiency of Audits (Top down, Risk-based, Integrated audit)
• April 23, 2006 – Advisory Committee for Small Companies (exempt most)
• SAS 99 – Consideration of Fraud in a Financial Statement Audit
• April 2006 – Govt. Accountability Office (Management needs more guidance)
• July 11, 2006 – Guidance for Smaller Public Companies
• March 2006 – SAS 104–111 (Risk Standards), effective for 2007 audits
• June 20, 2007 – New Guidance corresponding to AS #5
• July 25, 2007 – Auditing Standard (AS) #5
• June 20, 2008 – Extend auditor attestation for non-accelerated filers until 2009 (and begin a small business cost study)
• October 17, 2007 – Proposed Guidance for Auditors of Smaller Public Companies
• October 21, 2008 – Proposed New Auditing Standards Related to the Auditor's Assessment of Risk
• July 4, 2008 – Monitoring Internal Control (Draft)
Resources – COSO Small Business Guidance
Internal Control over Financial Reporting – Guidance for Smaller Public Companies
$65 Paperback (3 volumes); $50 PDF (3 PDF, 1 Word); www.cpa2biz.com
Resources – IT General Controls
CobiT: 34 Objectives | IT Control Objectives for SOX: 12 Objectives | COSO (Small Business): 10 Objectives
For More Information
Bill Douglas, CPA CIA CFE PI – Main: [email protected]
Molly Remington, Business Development Mgr. – Main: [email protected]
Free software downloads: www.sarboxpro.com
Company information: www.costadvisors.com
US-5-1208-IC