Sarbanes-Oxley Section 404: Internal Controls and Financial Reporting
DESCRIPTION
Sarbanes-Oxley Section 404: Internal Controls and Financial Reporting. A Perspective for Property-Casualty Insurance Companies. CAS Risk and Capital Management Seminar, July 28, 2003. Presenters: Brian Reilly, currently Chief Auditor at Travelers Property Casualty Corp.
TRANSCRIPT
Sarbanes-Oxley Section 404:
Internal Controls and Financial Reporting
A Perspective for Property-Casualty Insurance Companies
CAS Risk and Capital Management Seminar
July 28, 2003
Presenters
Brian Reilly
• Currently Chief Auditor at Travelers Property Casualty Corp.
• Previously an audit partner at Arthur Andersen LLP and head of New England Insurance Practice.
Edward Chanda
• Ed is a partner at KPMG LLP.
• He is based in Hartford and has 14 years of experience serving clients in the insurance industry.
Chris Nyce, FCAS, MAAA
• Currently a Manager in the Actuarial Practice of KPMG LLP.
• Previously Actuarial Pricing officer and Reserving Officer for a national P&C company.
• Previously Company Head Underwriting officer for Standard Commercial, and Large Commercial Accounts.
Topics for Discussion
Overview of Sarbanes-Oxley Section 404
Management Perspective
Actuarial Perspective
Auditor Perspective
Value Added Opportunities
Questions & Answers
Overview of Sarbanes-Oxley Section 404
Annual Assessment of Internal Control
Management’s annual report on internal control must:
– State management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and
– Contain management’s assessment, as of year-end, of the procedures for financial reporting
Independent auditor must attest to and report on management’s assessment in accordance with standards issued or adopted by the PCAOB
Definition of Internal Control
In the US, the most common reference is to the COSO report, Internal Control – An Integrated Framework
Internal control is a process—effected by an entity’s board of directors, management, and other personnel—designed to provide reasonable assurance regarding the achievement of objectives in the following categories: reliability of financial reporting; effectiveness and efficiency of operations; and compliance with applicable laws and regulations
Focus for §404 is on reliability of financial reporting
COSO provides detailed internal control criteria and defines five components of internal control
– Control Environment
– Risk Assessment
– Control Activities
– Information and Communication
– Monitoring
Focus on Significant Controls
Determine which controls are significant
– Controls that address significant classes of transactions, account balances, disclosures and related assertions
– Consider likelihood that control failure could cause misstatements and the potential magnitude
Must include:
– Fraud programs and controls
– Controls on which other controls are dependent (e.g., general controls)
– Controls over significant non-routine transactions, journal entries, and accounts involving judgments and estimates
– Controls over closing process and preparing F/S
Auditing Standards for Internal Control
The Accounting Standards Board (ASB) of the AICPA has proposed standards for Section 404
The SEC’s input is reflected in the Exposure Draft issued by the ASB
These standards may be subject to change, perhaps significantly, by the Public Company Oversight Board (PCAOB)
TPC 404 Approach Overview
Methodology
COSO-based framework is the foundation
Financial statement analysis includes linkage to transaction flows
Thorough filtering process to determine the most effective and efficient level of documentation and testing of financial, operational, and system-based controls
Resources
Business units are completing COSO-based risk assessment for their operations
Business units are documenting key controls and assessing adequacy of control design and operating effectiveness
ARR linking financial analysis and key controls to existing audit work performed
ARR and management to conduct additional control validation for areas not recently audited
Reporting
Findings and conclusions to be aggregated and presented to Senior Management
Corrective action plans to be developed and executed where appropriate
Results of Management’s evaluation of internal controls and procedures over financial reporting as of December 31, 2003 to be presented to Audit Committee in January 2004
Internal Controls as part of the “Five Component” Framework Impacting Actuarial Responsibilities
• Recalling the five component framework includes
– Control Environment
– Risk Assessment
– Control Activities
– Information and Communication
– Monitoring Activities
• And underpinning these are four key risk areas for Property/Casualty
– Underwriting and Claims Operations
– Data Gathering and Interpreting
– Performing Analysis/Compiling Results
– Management Review Process
• And evaluating for each risk area:
– Completeness: Is something missing?
– Accuracy: Is information accurate?
– Judgments: Are judgments appropriate?
Data Analysis
Underwriting and Claims
Estimation processes include multiple intervention points with areas of judgment and interpretation at each point within the process
[Diagram, shown on two consecutive slides: Estimated Balances Must Properly Reflect the Following Company Operations. Labels: Source A, Source B, Source C, Source Z; Company Risk Assumption/Underwriting Practices; Company Claims Handling and Settlement Practices; Company IT/Data Design and Collection Process; Perform Estimates and Analysis; Review and Communication Process; Committee Process; Input into Accounting System & Review; Information and Communication. The second slide adds the labels Underwriting and Claims, Data Analysis, and Management Review Process.]
Risk Assessments and Control Activities
Underwriting and Claims
• Guidelines in place controlling what risks the company will assume
• Monitoring in place to assure guidelines are followed
• Claims process is well understood and changes controlled
• Case reserving guidelines in place and compliance monitored
Risk Assessments and Control Activities
Data
• Controls to ensure data is accurate and complete
• Data is available to enable comprehensive analysis
• Data is available to monitor compliance with Claims and Underwriting controls
• Data is available to support management review needs, including tracking of trends
Risk Assessments and Control Activities
Analysis
• Access to data is sufficiently convenient to analysts
• Available information is incorporated in analysis
• Communication process with underwriting, claims, management is sufficient
• Appropriate methods are used
• Communication of results to management is clear
Risk Assessments and Control Activities
Management Review Process
• Process to determine booked reserves is reasonable
• Reserve Committee and management review is effective
• Underlying assumptions, such as trends, are validated
Examples of Internal Controls affecting Estimates
Case 1: Environment Changes
Case 2: New Product
Case 3: New Business Model - TPA’s
Situation
– Case 1: Company expands business through new MGA network
– Case 2: Company introduces new products
– Case 3: Company introduces new business model that incorporates the use of TPA’s for claims handling
Primary Internal Controls Involved
– Clear underwriting guides needed
– Controls needed to validate compliance
– Controls needed to ensure critical information gathered on risks assumed
– Controls needed to ensure policies are written in accordance with product and rate design
– Communication process needs to ensure new risks assumed are reflected properly in analysis, assumptions, segmentation
– Need to validate consistent case reserving, or accommodate change
– New systems and process flows need to be reflected in analysis
Outcome without Appropriate Controls
– Case 1: Without controls, or recognition of the change in conditions, original assumptions no longer valid, and significant misstatements in estimates could result
– Case 2: New product would likely be analyzed as part of an existing product, but assumptions may not hold and methods may be inappropriate, leading to financial reporting problems
– Case 3: Without controls, or recognition of the change in conditions, original assumptions no longer valid, and significant misstatements in estimates could result
Examples of Internal Controls affecting Estimates
Case 4: MGA places Reinsurance
Case 5: Change in Market Pricing
Case 6: Change in Claims Environment
Situation
– Case 4: Company expands business through new MGA network, with MGA having authority to place reinsurance
– Case 5: Changes in the market cause a reduction in the market price for lines this insurer writes
– Case 6: Change in social/judicial environment increases loss levels, such as the D&O change in early 2000’s
Primary Internal Controls Involved
– Need guides for when reinsurance is required, and quality of reinsurer
– Controls in place to monitor compliance
– Any changes in retentions communicated and reflected in estimates
– Need guides in place with clarity with respect to price, terms, conditions that are acceptable
– Controls needed to monitor compliance
– Data needed on the changes in price levels actually charged
– Need communication process in place between operations and analysts to properly reflect change
– Need feedback from analysts to operations to validate proper treatment
– New types of data may be needed to properly analyze
Outcome without Appropriate Controls
– Case 4: Without controls on quality of reinsurers, collectibility assumptions may not hold. If changes in retention not reflected in analysis, could also distort financial estimates
– Case 5: Without guides in place, and data gathering to monitor, the true underlying expected loss ratio assumptions used in estimates could be invalid, causing financial estimate misstatements
– Case 6: Without controls, the changes in environment could invalidate loss assumptions underlying analysis
Examples of Internal Controls affecting Estimates
Case 7: Changes in Products
Case 8: Change in Trends
Case 9: Growth Initiative
Situation
– Case 7: Changes in tax law cause a shift from retrospective products to deductible products
– Case 8: Changes in the external environment cause an exogenous change in loss trends
– Case 9: Changes in the Company goals cause a push to grow the premium volume
Primary Internal Controls Involved
– Communication between underwriters and analysts
– Data needs may change
– New methods of analysis may be required
– Communication between claims examiners and analysts
– Appropriate data collection
– Trend evaluation controls need to be in place
– Underwriting guides must be in place, and compliance verified
– Analysts must perform diagnostics to ensure new business is consistent with assumptions
Outcome without Appropriate Controls
– Case 7: If proper controls are not in place to ensure methods adapt, estimated premium accruals may be overstated, requiring a charge in future reporting periods
– Case 8: Without these controls delayed recognition of the change may require a reserve charge reflecting significant restatement of results for several prior years
– Case 9: Without rigor in the recognition process, changes affecting assumptions may not be incorporated in the analysis, leading to restatements in future financial statements when changes become more apparent
Auditors’ Approach to 404 Attestation
Planning – Obtain an understanding of management’s process:
Select and apply a framework (i.e. COSO)
Identify significant account balances, classes of transactions and subsidiaries/other locations
Tests of design – Assess whether management’s identified controls are appropriate for meeting financial statement assertions (in accordance with COSO):
Inspect documentation prepared by management
Perform “walkthroughs” of processes
Inquire, observe, inspect control documentation supporting identified controls
Tests of operating effectiveness – Consider the results of Internal Audit/Management testing:
Perform independent tests regarding general controls, financial reporting non-routine transaction and fraud
Re-perform a selection of tests performed by Internal Audit/Management
Perform a selection of independent tests (beyond Internal Audit/Management)
Reporting
Analyze Impact of exceptions (if any)
Comparison of Audit of Control Evaluation
Control Environment Evaluation
Audit: Obtain knowledge sufficient to enable us to identify and understand the events, transactions and practices that, in our judgment, may have significant effect on the financial statements.
Section 404: Perform tests of both design and operating effectiveness for each element of the control environment. The nature, extent and timing of tests are more extensive.
Risk Assessment
Audit: Obtain an understanding of strategic business risks (“SBRs”), including their financial statement implications, and identify significant classes of transactions (“SCOTs”) and the key processes that generate them.
Section 404: Evaluate the design and test the effectiveness of management’s risk assessment process in addition to considering the specific risks identified.
Auditors’ Approach to 404 Attestation, Cont.
Design Evaluation
Audit: Obtain an understanding of how each key process operates focused on the identified SBRs and SCOTs.
Section 404: Identify expanded scope of control activities that cover a much broader range of controls than those that would historically have been included in an audit.
Testing Operating Effectiveness
Audit: Test control activities throughout the year, focusing on the SBRs and SCOTs identified in the risk assessment process.
Section 404: Test control activities close to the end of the year (as of date), focusing on a much broader scope of control activities than the audit.
Auditors’ Approach to 404 Attestation, Cont.
Substantive Procedures
Audit: Perform substantive procedures as required by generally accepted auditing standards, including tests of details or analytical procedures for each material account balance and class of transaction. Some level of substantive procedures will always be required for an audit due to inherent limitations in internal control and because internal control can be overridden.
Section 404: None required.
Reporting
Audit: Report on whether the financial statements, in all material respects, are free of material misstatements, as of and for the year ending December 31, 2003. Exceptions, if any, are evaluated as audit differences.
Section 404: Report on whether the Company maintained, in all material respects, effective internal control over financial reporting, as of December 31, 2003. Exceptions, if any, are evaluated to determine if they represent significant deficiencies or material weaknesses. Audit differences identified as part of the audit need to be considered in this evaluation.
While Sarbanes-Oxley 404 increases the documentation burden, it also provides opportunities:
Sarbanes-Oxley 404 gives an opportunity to:
For Companies:
– Gain more information and control over factors impacting current results, and more control in situations of market or company stress
– Expect more responsible competition, as competitors sharpen controls around reporting current loss ratios, reducing irrational price competition
– Increase awareness of the impact of changes
For Actuaries:
– Expand reserve analysis to take into account issues that have caused past variability, by instituting meaningful controls that enhance the precision of estimates
– Actuaries can expand professionally, becoming more involved and aware in all competencies of risk assessment, such as underwriting and claims
For Auditors:
– Reduce the chance of audit failures due to lack of company controls (such as Enron)
– Expand and deepen the audit relationship with client companies
Questions and Answers