Sarbanes-Oxley Section 404: Internal Controls and Financial Reporting

Sarbanes-Oxley Section 404: Internal Controls and Financial Reporting A Perspective for Property-Casualty Insurance Companies CAS Risk and Capital Management Seminar July 28, 2003


Transcript of Sarbanes-Oxley Section 404: Internal Controls and Financial Reporting

Page 1: Sarbanes-Oxley Section 404: Internal Controls and Financial Reporting

Sarbanes-Oxley Section 404:

Internal Controls and Financial Reporting

A Perspective for Property-Casualty Insurance Companies

CAS Risk and Capital Management Seminar

July 28, 2003

Page 2

Presenters

Brian Reilly

• Currently Chief Auditor at Travelers Property Casualty Corp.

• Previously an audit partner at Arthur Andersen LLP and head of New England Insurance Practice.

Edward Chanda

• Ed is a partner at KPMG LLP.

• He is based in Hartford and has 14 years of experience serving clients in the insurance industry.

Chris Nyce, FCAS, MAAA

• Currently a Manager in the Actuarial Practice of KPMG LLP.

• Previously Actuarial Pricing officer and Reserving Officer for a national P&C company.

• Previously Company Head Underwriting officer for Standard Commercial, and Large Commercial Accounts.

Page 3

Topics for Discussion

Overview of Sarbanes-Oxley Section 404

Management Perspective

Actuarial Perspective

Auditor Perspective

Value Added Opportunities

Questions & Answers

Page 4

Overview of Sarbanes-Oxley Section 404

Annual Assessment of Internal Control

Management’s annual report on internal control must:

– State management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and

– Contain management’s assessment, as of year-end, of the procedures for financial reporting

Independent auditor must attest to and report on management’s assessment in accordance with standards issued or adopted by the PCAOB

Page 5

Definition of Internal Control

In the US, the most common reference is to the COSO report, Internal Control – An Integrated Framework

Internal control is a process—effected by an entity’s board of directors, management, and other personnel—designed to provide reasonable assurance regarding the achievement of objectives in the following categories: reliability of financial reporting; effectiveness and efficiency of operations; and compliance with applicable laws and regulations

Focus for §404 is on reliability of financial reporting

COSO provides detailed internal control criteria and defines five components of internal control

– Control Environment

– Risk Assessment

– Control Activities

– Information and Communication

– Monitoring

Page 6

Focus on Significant Controls

Determine which controls are significant

– Controls that address significant classes of transactions, account balances, disclosures and related assertions

– Consider likelihood that control failure could cause misstatements and the potential magnitude

Must include:

– Fraud programs and controls

– Controls on which other controls are dependent (e.g., general controls)

– Controls over significant non-routine transactions, journal entries, and accounts involving judgments and estimates

– Controls over closing process and preparing F/S

Page 7

Auditing Standards for Internal Control

The Accounting Standards Board (ASB) of the AICPA has proposed standards for Section 404

The SEC’s input is reflected in the Exposure Draft issued by the ASB

These standards may be subject to change, perhaps significantly, by the Public Company Oversight Board (PCAOB)

Page 8

TPC 404 Approach Overview

Methodology

COSO-based framework is the foundation

Financial statement analysis includes linkage to transaction flows

Thorough filtering process to determine the most effective and efficient level of documentation and testing of financial, operational, and system-based controls

Resources

Business units are completing COSO-based risk assessment for their operations

Business units are documenting key controls and assessing adequacy of control design and operating effectiveness

ARR linking financial analysis and key controls to existing audit work performed

ARR and management to conduct additional control validation for areas not recently audited

Reporting

Findings and conclusions to be aggregated and presented to Senior Management

Corrective action plans to be developed and executed where appropriate

Results of Management’s evaluation of internal controls and procedures over financial reporting as of December 31, 2003 to be presented to Audit Committee in January 2004

Page 9

Internal Controls as part of the “Five Component” Framework Impacting Actuarial Responsibilities

• Recall that the five-component framework includes:

– Control Environment

– Risk Assessment

– Control Activities

– Information and Communication

– Monitoring Activities

• Underpinning these are four key risk areas for Property/Casualty:

– Underwriting and Claims Operations

– Data Gathering and Interpreting

– Performing Analysis/Compiling Results

– Management Review Process

• For each risk area, evaluate:

– Completeness: Is something missing?

– Accuracy: Is information accurate?

– Judgments: Are judgments appropriate?

Page 10

Estimation processes include multiple intervention points with areas of judgment and interpretation at each point within the process

Estimated Balances Must Properly Reflect the Following Company Operations

[Process diagram; box labels: Source A, Source B, Source C, Source Z; Company Risk Assumption/Underwriting Practices; Company Claims Handling and Settlement Practices; Company IT/Data Design and Collection Process; Perform Estimates and Analysis; Review and Communication Process; Committee Process; Input into Accounting System & Review; Information and Communication]

Page 11

Estimated Balances Must Properly Reflect the Following Company Operations

[Process diagram repeated from the previous page, with added labels: Underwriting and Claims; Data; Analysis; Management Review Process]

Page 12

Risk Assessments and Control Activities

Underwriting and Claims

• Guidelines in place controlling what risks the company will assume

• Monitoring in place to assure guidelines are followed

• Claims process is well understood and changes controlled

• Case reserving guidelines in place and compliance monitored

Page 13

Risk Assessments and Control Activities

Data

• Controls to ensure data is accurate and complete

• Data is available to enable comprehensive analysis

• Data is available to monitor compliance with Claims and Underwriting controls

• Data is available to support management review needs, including tracking of trends

Page 14

Risk Assessments and Control Activities

Analysis

• Access to data is sufficiently convenient to analysts

• Available information is incorporated in analysis

• Communication process with underwriting, claims, management is sufficient

• Appropriate methods are used

• Communication of results to management is clear

Page 15

Risk Assessments and Control Activities

Management Review Process

• Process to determine booked reserves is reasonable

• Reserve Committee and management review is effective

• Underlying assumptions, such as trends, are validated

Page 16

Examples of Internal Controls affecting Estimates

Case 1: Environment Changes

Situation: Company expands business through new MGA network

Primary Internal Controls Involved:

• Clear underwriting guides needed

• Controls needed to validate compliance

• Controls needed to ensure critical information gathered on risks assumed

Outcome without Appropriate Controls: Without controls, or recognition of the change in conditions, original assumptions are no longer valid, and significant misstatements in estimates could result

Case 2: New Product

Situation: Company introduces new products

Primary Internal Controls Involved:

• Controls needed to ensure policies are written in accordance with product and rate design

• Communication process needs to ensure new risks assumed are reflected properly in analysis, assumptions, segmentation

Outcome without Appropriate Controls: New product would likely be analyzed as part of an existing product, but assumptions may not hold and methods may be inappropriate, leading to financial reporting problems

Case 3: New Business Model – TPAs

Situation: Company introduces new business model that incorporates the use of TPAs for claims handling

Primary Internal Controls Involved:

• Need to validate consistent case reserving, or accommodate change

• New systems and process flows need to be reflected in analysis

Outcome without Appropriate Controls: Without controls, or recognition of the change in conditions, original assumptions are no longer valid, and significant misstatements in estimates could result

Page 17

Examples of Internal Controls affecting Estimates

Case 4: MGA places Reinsurance

Situation: Company expands business through new MGA network, with MGA having authority to place reinsurance

Primary Internal Controls Involved:

• Need guides for when reinsurance is required, and quality of reinsurer

• Controls in place to monitor compliance

• Any changes in retentions communicated and reflected in estimates

Outcome without Appropriate Controls: Without controls on quality of reinsurers, collectibility assumptions may not hold. If changes in retention are not reflected in analysis, this could also distort financial estimates

Case 5: Change in Market Pricing

Situation: Changes in the market cause a reduction in the market price for lines this insurer writes

Primary Internal Controls Involved:

• Need guides in place with clarity with respect to price, terms, conditions that are acceptable

• Controls needed to monitor compliance

• Data needed on the changes in price levels actually charged

Outcome without Appropriate Controls: Without guides in place, and data gathering to monitor, the true underlying expected loss ratio assumptions used in estimates could be invalid, causing financial estimate misstatements

Case 6: Change in Claims Environment

Situation: Change in social/judicial environment increases loss levels, such as the D&O change in early 2000s

Primary Internal Controls Involved:

• Need communication process in place between operations and analysts to properly reflect change

• Need feedback from analysts to operations to validate proper treatment

• New types of data may be needed to properly analyze

Outcome without Appropriate Controls: Without controls, the changes in environment could invalidate loss assumptions underlying analysis

Page 18

Examples of Internal Controls affecting Estimates

Case 7: Changes in Products

Situation: Changes in tax law cause a shift from retrospective products to deductible products

Primary Internal Controls Involved:

• Communication between underwriters and analysts

• Data needs may change

• New methods of analysis may be required

Outcome without Appropriate Controls: If proper controls are not in place to ensure methods adapt, estimated premium accruals may be overstated, requiring a charge in future reporting periods

Case 8: Change in Trends

Situation: Changes in the external environment cause an exogenous change in loss trends

Primary Internal Controls Involved:

• Communication between claims examiners and analysts

• Appropriate data collection

• Trend evaluation controls need to be in place

Outcome without Appropriate Controls: Without these controls, delayed recognition of the change may require a reserve charge reflecting significant restatement of results for several prior years

Case 9: Growth Initiative

Situation: Changes in the Company goals cause a push to grow the premium volume

Primary Internal Controls Involved:

• Underwriting guides must be in place, and compliance verified

• Analysts must perform diagnostics to ensure new business is consistent with assumptions

Outcome without Appropriate Controls: Without rigor in the recognition process, changes affecting assumptions may not be incorporated in the analysis, leading to restatements in future financial statements when changes become more apparent

Page 19

Auditors’ Approach to 404 Attestation

Planning – Obtain an understanding of management’s process:

Select and apply a framework (i.e., COSO)

Identify significant account balances, classes of transactions and subsidiaries/other locations

Tests of design – Assess whether management’s identified controls are appropriate for meeting financial statement assertions (in accordance with COSO):

Inspect documentation prepared by management

Perform “walkthroughs” of processes

Inquire, observe, inspect control documentation supporting identified controls

Tests of operating effectiveness – Consider the results of Internal Audit/Management testing:

Perform independent tests regarding general controls, financial reporting, non-routine transactions and fraud

Re-perform a selection of tests performed by Internal Audit/Management

Perform a selection of independent tests (beyond Internal Audit/Management)

Reporting

Analyze impact of exceptions (if any)

Page 20

Comparison of Audit of Control Evaluation

Control Environment Evaluation

Audit: Obtain knowledge sufficient to enable us to identify and understand the events, transactions and practices that, in our judgment, may have significant effect on the financial statements.

Section 404: Perform tests of both design and operating effectiveness for each element of the control environment. The nature, extent and timing of tests are more extensive.

Risk Assessment

Audit: Obtain an understanding of strategic business risks (“SBRs”), including their financial statement implications, and identify significant classes of transactions (“SCOTs”) and the key processes that generate them.

Section 404: Evaluate the design and test the effectiveness of management’s risk assessment process in addition to considering the specific risks identified.

Page 21

Auditors’ Approach to 404 Attestation, Cont.

Design Evaluation

Audit: Obtain an understanding of how each key process operates focused on the identified SBRs and SCOTs.

Section 404: Identify expanded scope of control activities that cover a much broader range of controls than those that would historically have been included in an audit.

Testing Operating Effectiveness

Audit: Test control activities throughout the year, focusing on the SBRs and SCOTs identified in the risk assessment process.

Section 404: Test control activities close to the end of the year (as of date), focusing on a much broader scope of control activities than the audit.

Page 22

Auditors’ Approach to 404 Attestation, Cont.

Substantive Procedures

Audit: Perform substantive procedures as required by generally accepted auditing standards, including tests of details or analytical procedures for each material account balance and class of transaction. Some level of substantive procedures will always be required for an audit due to inherent limitations in internal control and because internal control can be overridden.

Section 404: None required.

Reporting

Audit: Report on whether the financial statements, in all material respects, are free of material misstatements, as of and for the year ending December 31, 2003. Exceptions, if any, are evaluated as audit differences.

Section 404: Report on whether the Company maintained, in all material respects, effective internal control over financial reporting, as of December 31, 2003. Exceptions, if any, are evaluated to determine if they represent significant deficiencies or material weaknesses. Audit differences identified as part of the audit need to be considered in this evaluation.

Page 23

While Sarbanes-Oxley 404 increases the documentation burden, it also provides opportunities:

Sarbanes-Oxley 404 gives an opportunity to:

For Companies:

– Gain more information and control over factors impacting current results, and more control in situations of market or company stress

– Expect more responsible competition, as competitors sharpen controls around reporting current loss ratios, reducing irrational price competition

– Increase awareness of the impact of changes

For Actuaries:

– Expand reserve analysis to take into account issues that have caused past variability by instituting meaningful controls, enhancing the precision of estimates

– Actuaries can expand professionally, becoming more involved and aware in all competencies of risk assessment, such as underwriting and claims

For Auditors:

– Reduce the chance of audit failures due to lack of company controls (such as Enron)

– Expand and deepen the audit relationship with client companies

Page 24

Questions and Answers