Sarbanes-Oxley Section 404: Internal Controls and Financial Reporting A Perspective for Property-Casualty Insurance Companies CAS Risk and Capital Management Seminar July 28, 2003


Sarbanes-Oxley
Section 404:
Internal Controls and Financial Reporting
A Perspective for Property-Casualty Insurance
Companies
CAS Risk and Capital Management Seminar
July 28, 2003
Presenters
Brian Reilly
• Currently Chief Auditor at Travelers Property Casualty Corp.
• Previously an audit partner at Arthur Andersen LLP and head of New England Insurance Practice.
Edward Chanda
• Ed is a partner at KPMG LLP.
• He is based in Hartford and has 14 years of experience serving clients in the insurance industry.
Chris Nyce, FCAS, MAAA
• Currently a Manager in the Actuarial Practice of KPMG LLP.
• Previously Actuarial Pricing officer and Reserving Officer for a national P&C company.
• Previously Company Head Underwriting officer for Standard Commercial, and Large Commercial Accounts.

Topics for Discussion
Overview of Sarbanes-Oxley Section 404
Management Perspective
Actuarial Perspective
Auditor Perspective
Value Added Opportunities
Questions & Answers
Overview of Sarbanes-Oxley Section 404
Annual Assessment of Internal Control
• Management’s annual report on internal control must:
– State management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and
– Contain management’s assessment, as of year-end, of the procedures for financial reporting
• Independent auditor must attest to and report on management’s assessment in accordance with standards issued or adopted by the PCAOB

Definition of Internal Control
• In the US, the most common reference is to the COSO report, Internal Control – An Integrated Framework
Internal control is a process—effected by an entity’s board of directors, management, and other personnel—designed to provide reasonable assurance regarding the achievement of objectives in the following categories: reliability of financial reporting; effectiveness and efficiency of operations; and compliance with applicable laws and regulations
• Focus for §404 is on reliability of financial reporting
• COSO provides detailed internal control criteria and defines five components of internal control
– Control Environment
– Risk Assessment
– Control Activities
– Information and Communication
– Monitoring

Focus on Significant Controls
• Determine which controls are significant
– Controls that address significant classes of transactions, account balances, disclosures and related assertions
– Consider likelihood that control failure could cause misstatements and the potential magnitude
• Must include:
– Fraud programs and controls
– Controls on which other controls are dependent (e.g., general controls)
– Controls over significant non-routine transactions, journal entries, and accounts involving judgments and estimates
– Controls over closing process and preparing F/S

Auditing Standards for Internal Control
• The Accounting Standards Board (ASB) of the AICPA has proposed standards for Section 404
• The SEC’s input is reflected in the Exposure Draft issued by the ASB
• These standards may be subject to change, perhaps significantly, by the Public Company Oversight Board (PCAOB)

TPC 404 Approach Overview
Methodology
• COSO-based framework is the foundation
• Financial statement analysis includes linkage to transaction flows
• Thorough filtering process to determine the most effective and efficient level of documentation and testing of financial, operational, and system-based controls
Resources
• Business units are completing COSO-based risk assessment for their operations
• Business units are documenting key controls and assessing adequacy of control design and operating effectiveness
• ARR linking financial analysis and key controls to existing audit work performed
• ARR and management to conduct additional control validation for areas not recently audited
Reporting
• Findings and conclusions to be aggregated and presented to Senior Management
• Corrective action plans to be developed and executed where appropriate
• Results of Management’s evaluation of internal controls and procedures over financial reporting as of December 31, 2003 to be presented to Audit Committee in January 2004

Internal Controls as part of the “Five Component” Framework Impacting Actuarial Responsibilities
• Recalling the five component framework includes
– Control Environment
– Risk Assessment
– Control Activities
– Information and Communication
– Monitoring Activities
• And underpinning these are four key risk areas for Property/Casualty
– Underwriting and Claims Operations
– Data Gathering and Interpreting
– Performing Analysis/Compiling Results
– Management Review Process
• And evaluating for each risk area:
– Completeness: Is something missing?
– Accuracy: Is information accurate?
– Judgments: Are judgments appropriate?

Estimated Balances Must Properly Reflect the Following Company Operations
[Diagram with boxes labelled: Source A, Source B, Source C, Source Z; Company Risk Assumption/Underwriting Practices; Company IT/Data Design and Collection Process; Company Claims Handling and Settlement Practices; Perform Estimates and Analysis; Review and Communication Process; Committee Process; Input into Accounting System & Review; and bands labelled Information and Communication]
Estimation processes include multiple intervention points with areas of judgment and interpretation at each point within the process

Estimated Balances Must Properly Reflect the Following Company Operations
[Diagram repeated from the previous slide, overlaid with the labels: Underwriting and Claims; Data; Analysis; Management Review Process]

Risk Assessments and Control Activities
Underwriting and Claims
• Guidelines in place controlling what risks the company will assume
• Monitoring in place to assure guidelines are followed
• Claims process is well understood and changes controlled
• Case reserving guidelines in place and compliance monitored

Risk Assessments and Control Activities
Data
• Controls to ensure data is accurate and complete
• Data is available to enable comprehensive analysis
• Data is available to monitor compliance with Claims and Underwriting controls
• Data is available to support management review needs, including tracking of trends

Risk Assessments and Control Activities
Analysis
• Access to data is sufficiently convenient to analysts
• Available information is incorporated in analysis
• Communication process with underwriting, claims, management is sufficient
• Appropriate methods are used
• Communication of results to management is clear

Risk Assessments and Control Activities
Management Review Process
• Process to determine booked reserves is reasonable
• Reserve Committee and management review is effective
• Underlying assumptions, such as trends, are validated

Examples of Internal Controls affecting Estimates
Case 1: Environment Changes
Situation: Company expands business through new MGA network
Primary Internal Controls Involved:
• Clear underwriting guides needed
• Controls needed to validate compliance
• Controls needed to ensure critical information gathered on risks assumed
Outcome without Appropriate Controls: Without controls, or recognition of the change in conditions, original assumptions no longer valid, and significant misstatements in estimates could result
Case 2: New Product
Situation: Company introduces new products
Primary Internal Controls Involved:
• Controls needed to ensure policies are written in accordance with product and rate design
• Communication process needs to ensure new risks assumed are reflected properly in analysis, assumptions, segmentation
Outcome without Appropriate Controls: New product would likely be analyzed as part of an existing product, but assumptions may not hold and methods may be inappropriate, leading to financial reporting problems
Case 3: New Business Model – TPA’s
Situation: Company introduces new business model that incorporates the use of TPA’s for claims handling
Primary Internal Controls Involved:
• Need to validate consistent case reserving, or accommodate change
• New systems and process flows need to be reflected in analysis
Outcome without Appropriate Controls: Without controls, or recognition of the change in conditions, original assumptions no longer valid, and significant misstatements in estimates could result

Examples of Internal Controls affecting Estimates
Case 4: MGA places Reinsurance
Situation: Company expands business through new MGA network, with MGA having authority to place reinsurance
Primary Internal Controls Involved:
• Need guides for when reinsurance is required, and quality of reinsurer
• Controls in place to monitor compliance
• Any changes in retentions communicated and reflected in estimates
Outcome without Appropriate Controls: Without controls on quality of reinsurers, collectibility assumptions may not hold. If changes in retention not reflected in analysis, could also distort financial estimates
Case 5: Change in Market Pricing
Situation: Changes in the market cause a reduction in the market price for lines this insurer writes
Primary Internal Controls Involved:
• Need guides in place with clarity with respect to price, terms, conditions that are acceptable
• Controls needed to monitor compliance
• Data needed on the changes in price levels actually charged
Outcome without Appropriate Controls: Without guides in place, and data gathering to monitor, the true underlying expected loss ratio assumptions used in estimates could be invalid, causing financial estimate misstatements
Case 6: Change in Claims Environment
Situation: Change in social/judicial environment increases loss levels, such as the D&O change in early 2000’s
Primary Internal Controls Involved:
• Need communication process in place between operations and analysts to properly reflect change
• Need feedback from analysts to operations to validate proper treatment
• New types of data may be needed to properly analyze
Outcome without Appropriate Controls: Without controls, the changes in environment could invalidate loss assumptions underlying analysis

Examples of Internal Controls affecting Estimates
Case 7: Changes in Products
Situation: Changes in tax law cause a shift from retrospective products to deductible products
Primary Internal Controls Involved:
• Communication between underwriters and analysts
• Data needs may change
• New methods of analysis may be required
Outcome without Appropriate Controls: If proper controls are not in place to ensure methods adapt, estimated premium accruals may be overstated, requiring a charge in future reporting periods
Case 8: Change in Trends
Situation: Changes in the external environment cause an exogenous change in loss trends
Primary Internal Controls Involved:
• Communication between claims examiners and analysts
• Appropriate data collection
• Trend evaluation controls need to be in place
Outcome without Appropriate Controls: Without these controls delayed recognition of the change may require a reserve charge reflecting significant restatement of results for several prior years
Case 9: Growth Initiative
Situation: Changes in the Company goals cause a push to grow the premium volume
Primary Internal Controls Involved:
• Underwriting guides must be in place, and compliance verified
• Analysts must perform diagnostics to ensure new business is consistent with assumptions
Outcome without Appropriate Controls: Without rigor in the recognition process, changes affecting assumptions may not be incorporated in the analysis, leading to restatements in future financial statements when changes become more apparent

Auditors’ Approach to 404 Attestation
Planning – Obtain an understanding of management’s process:
• Select and apply a framework (i.e. COSO)
• Identify significant account balances, classes of transactions and subsidiaries/other locations
Tests of design – Assess whether management’s identified controls are appropriate for meeting financial statement assertions (in accordance with COSO):
• Inspect documentation prepared by management
• Perform “walkthroughs” of processes
• Inquire, observe, inspect control documentation supporting identified controls
Tests of operating effectiveness – Consider the results of Internal Audit/Management testing:
• Perform independent tests regarding general controls, financial reporting, non-routine transactions and fraud
• Re-perform a selection of tests performed by Internal Audit/Management
• Perform a selection of independent tests (beyond Internal Audit/Management)
Reporting
• Analyze impact of exceptions (if any)

Comparison of Audit of Control Evaluation
Control Environment Evaluation
Audit: Obtain knowledge sufficient to enable us to identify and understand the events, transactions and practices that, in our judgment, may have significant effect on the financial statements.
Section 404: Perform tests of both design and operating effectiveness for each element of the control environment. The nature, extent and timing of tests are more extensive.
Risk Assessment
Audit: Obtain an understanding of strategic business risks (“SBRs”), including their financial statement implications, and identify significant classes of transactions (“SCOTs”) and the key processes that generate them.
Section 404: Evaluate the design and test the effectiveness of management’s risk assessment process in addition to considering the specific risks identified.

Auditors’ Approach to 404 Attestation, Cont.
Design Evaluation
Audit: Obtain an understanding of how each key process operates focused on the identified SBRs and SCOTs.
Section 404: Identify expanded scope of control activities that cover a much broader range of controls than those that would historically have been included in an audit.
Testing Operating Effectiveness
Audit: Test control activities throughout the year, focusing on the SBRs and SCOTs identified in the risk assessment process.
Section 404: Test control activities close to the end of the year (as of date), focusing on a much broader scope of control activities than the audit.

Auditors’ Approach to 404 Attestation, Cont.
Substantive Procedures
Audit: Perform substantive procedures as required by generally accepted auditing standards, including tests of details or analytical procedures for each material account balance and class of transaction. Some level of substantive procedures will always be required for an audit due to inherent limitations in internal control and because internal control can be overridden.
Section 404: None required.
Reporting
Audit: Report on whether the financial statements, in all material respects, are free of material misstatements, as of and for the year ending December 31, 2003. Exceptions, if any, are evaluated as audit differences.
Section 404: Report on whether the Company maintained, in all material respects, effective internal control over financial reporting, as of December 31, 2003. Exceptions, if any, are evaluated to determine if they represent significant deficiencies or material weaknesses. Audit differences identified as part of the audit need to be considered in this evaluation.

While Sarbanes-Oxley 404 increases the documentation burden, it also provides opportunities:
Sarbanes-Oxley 404 gives an opportunity to:
For Companies:
– Gain more information and control over factors impacting current results, and more control in situations of market or company stress
– Expect more responsible competition, as competitors sharpen controls around reporting current loss ratios, reducing irrational price competition
– Increased awareness of the impact of changes
For Actuaries:
– Expand reserve analysis to take into account issues that have caused past variability by instituting meaningful controls, enhancing the precision of estimates
– Actuaries can expand professionally, becoming more involved and aware in all competencies of risk assessment, such as underwriting and claims
For Auditors:
– Reduce the chance of audit failures due to lack of company controls (such as Enron)
– Expand and deepen the audit relationship with client companies

Questions and Answers