Sarbanes-Oxley Section 404: Internal Controls and Financial Reporting
A Perspective for Property-Casualty Insurance Companies
CAS Risk and Capital Management Seminar
July 28, 2003

Presenters

Brian Reilly
• Currently Chief Auditor at Travelers Property Casualty Corp.
• Previously an audit partner at Arthur Andersen LLP and head of New England Insurance Practice.

Edward Chanda
• Ed is a partner at KPMG LLP.
• He is based in Hartford and has 14 years of experience serving clients in the insurance industry.

Chris Nyce, FCAS, MAAA
• Currently a Manager in the Actuarial Practice of KPMG LLP.
• Previously Actuarial Pricing officer and Reserving Officer for a national P&C company.
• Previously Company Head Underwriting officer for Standard Commercial, and Large Commercial Accounts.

Topics for Discussion
• Overview of Sarbanes-Oxley Section 404
• Management Perspective
• Actuarial Perspective
• Auditor Perspective
• Value Added Opportunities
• Questions & Answers

Overview of Sarbanes-Oxley Section 404

Annual Assessment of Internal Control
• Management’s annual report on internal control must:
  – State management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and
  – Contain management’s assessment, as of year-end, of the procedures for financial reporting
• Independent auditor must attest to and report on management’s assessment in accordance with standards issued or adopted by the PCAOB

Definition of Internal Control
• In the US, the most common reference is to the COSO report, Internal Control – An Integrated Framework
• Internal control is a process—effected by an entity’s board of directors, management, and other personnel—designed to provide reasonable assurance regarding the achievement of objectives in the following categories: reliability of financial reporting; effectiveness and efficiency of operations; and compliance with applicable laws and regulations
• Focus for §404 is on reliability of financial
reporting
• COSO provides detailed internal control criteria and defines five components of internal control
  – Control Environment
  – Risk Assessment
  – Control Activities
  – Information and Communication
  – Monitoring

Focus on Significant Controls
• Determine which controls are significant
  – Controls that address significant classes of transactions, account balances, disclosures and related assertions
  – Consider likelihood that control failure could cause misstatements and the potential magnitude
• Must include:
  – Fraud programs and controls
  – Controls on which other controls are dependent (e.g., general controls)
  – Controls over significant non-routine transactions, journal entries, and accounts involving judgments and estimates
  – Controls over closing process and preparing F/S

Auditing Standards for Internal Control
• The Accounting Standards Board (ASB) of the AICPA has proposed standards for Section 404
• The SEC’s input is reflected in the Exposure Draft issued by the ASB
• These standards may be subject to change, perhaps significantly, by the Public Company Oversight Board (PCAOB)

TPC 404 Approach Overview

Methodology
• COSO-based framework is the foundation
• Financial statement analysis includes linkage to transaction flows
• Thorough filtering process to determine the most effective and efficient level of documentation and testing of financial, operational, and system-based controls

Resources
• Business units are completing COSO-based risk assessment for their operations
• Business units are documenting key controls and assessing adequacy of control design and operating effectiveness
• ARR linking financial analysis and key controls to existing audit work performed
• ARR and management to conduct additional control validation for areas not recently audited

Reporting
• Findings and conclusions to be aggregated and presented to Senior Management
• Corrective action plans to be developed and executed where appropriate
• Results of Management’s evaluation of internal controls and
procedures over financial reporting as of December 31, 2003 to be presented to Audit Committee in January 2004

Internal Controls as part of the “Five Component” Framework Impacting Actuarial Responsibilities
• Recalling the five component framework includes:
  – Control Environment
  – Risk Assessment
  – Control Activities
  – Information and Communication
  – Monitoring Activities
• And underpinning these are four key risk areas for Property/Casualty:
  – Underwriting and Claims Operations
  – Data Gathering and Interpreting
  – Performing Analysis/Compiling Results
  – Management Review Process
• And evaluating for each risk area:
  – Completeness: Is something missing?
  – Accuracy: Is information accurate?
  – Judgments: Are judgments appropriate?

Estimated Balances Must Properly Reflect the Following Company Operations
[Diagram. Labels: Source A, Source B, Source C, Source Z; Company Risk Assumption/Underwriting Practices; Company IT/Data Design and Collection Process; Company Claims Handling and Settlement Practices; Information and Communication; Perform Estimates and Analysis; Review and Communication Process; Committee Process; Input into Accounting System & Review]
Estimation processes include multiple intervention points with areas of judgment and interpretation at each point within the process

Estimated Balances Must Properly Reflect the Following Company Operations
[Same diagram, with four added labels: Underwriting and Claims; Data; Analysis; Management Review Process]

Risk Assessments and Control Activities
Underwriting and Claims
• Guidelines in place controlling what risks the company will assume
• Monitoring in place to
assure guidelines are followed
• Claims process is well understood and changes controlled
• Case reserving guidelines in place and compliance monitored

Risk Assessments and Control Activities
Data
• Controls to ensure data is accurate and complete
• Data is available to enable comprehensive analysis
• Data is available to monitor compliance with Claims and Underwriting controls
• Data is available to support management review needs, including tracking of trends

Risk Assessments and Control Activities
Analysis
• Access to data is sufficiently convenient to analysts
• Available information is incorporated in analysis
• Communication process with underwriting, claims, management is sufficient
• Appropriate methods are used
• Communication of results to management is clear

Risk Assessments and Control Activities
Management Review Process
• Process to determine booked reserves is reasonable
• Reserve Committee and management review is effective
• Underlying assumptions, such as trends, are validated

Examples of Internal Controls affecting Estimates

Case 1: Environment Changes
Situation: Company expands business through new MGA network
Primary Internal Controls Involved:
• Clear underwriting guides needed
• Controls needed to validate compliance
• Controls needed to ensure critical information gathered on risks assumed
Outcome without Appropriate Controls: Without controls, or recognition of the change in conditions, original assumptions no longer valid, and significant misstatements in estimates could result

Case 2: New Product
Situation: Company introduces new products
Primary Internal Controls Involved:
• Controls needed to ensure policies are written in accordance with product and rate design
• Communication process needs to ensure new risks assumed are reflected properly in analysis, assumptions, segmentation
Outcome without Appropriate Controls: New product would likely be analyzed as part of an existing product, but assumptions may not hold and methods may be inappropriate, leading to financial reporting problems

Case 3: New Business Model – TPA’s
Situation: Company introduces new business model that incorporates the use of TPA’s for claims handling
Primary Internal Controls Involved:
• Need to validate consistent case reserving, or accommodate change
• New systems and process flows need to be reflected in analysis
Outcome without Appropriate Controls: Without controls, or recognition of the change in conditions, original assumptions no longer valid, and significant misstatements in estimates could result

Examples of Internal Controls affecting Estimates

Case 4: MGA places Reinsurance
Situation: Company expands business through new MGA network, with MGA having authority to place reinsurance
Primary Internal Controls Involved:
• Need guides for when reinsurance is required, and quality of reinsurer
• Controls in place to monitor compliance
• Any changes in retentions communicated and reflected in estimates
Outcome without Appropriate Controls: Without controls on quality of reinsurers, collectibility assumptions may not hold. If changes in retention not reflected in analysis, could also distort financial estimates

Case 5: Change in Market Pricing
Situation: Changes in the market cause a reduction in the market price for lines this insurer writes
Primary Internal Controls Involved:
• Need guides in place with clarity with respect to price, terms, conditions that are acceptable
• Controls needed to monitor compliance
• Data needed on the changes in price levels actually charged
Outcome without Appropriate Controls: Without guides in place, and data gathering to monitor, the true underlying expected loss ratio assumptions used in estimates could be invalid, causing financial estimate misstatements

Case 6: Change in Claims Environment
Situation: Change in social/judicial environment increases loss levels, such as the D&O change in early 2000’s
Primary Internal Controls Involved:
• Need communication process in place between operations and analysts to properly reflect change
• Need feedback from analysts to operations to validate proper treatment
• New types of data may be needed to properly analyze
Outcome without Appropriate Controls: Without controls, the changes in environment could invalidate loss assumptions underlying analysis

Examples of Internal Controls affecting Estimates

Case 7: Changes in Products
Situation: Changes in tax law cause a shift from retrospective products to deductible products
Primary Internal Controls Involved:
• Communication between underwriters and analysts
• Data needs may change
• New methods of analysis may be required
Outcome without Appropriate Controls: If proper controls are not in place to ensure methods adapt, estimated premium accruals may be overstated, requiring a charge in future reporting periods

Case 8: Change in Trends
Situation: Changes in the external environment cause an exogenous change in loss trends
Primary Internal Controls Involved:
• Communication between claims examiners and analysts
• Appropriate data collection
• Trend evaluation controls need to be in place
Outcome without Appropriate Controls: Without these controls, delayed recognition of the change may require a reserve charge reflecting significant restatement of results for several prior years

Case 9: Growth Initiative
Situation: Changes in the Company goals cause a push to grow the premium volume
Primary Internal Controls Involved:
• Underwriting guides must be in place, and compliance verified
• Analysts must perform diagnostics to ensure new business is consistent with assumptions
Outcome without Appropriate Controls: Without rigor in the recognition process, changes affecting assumptions may not be incorporated in the analysis, leading to restatements in future financial statements when changes become more apparent

Auditors’ Approach to 404 Attestation

Planning – Obtain an understanding of management’s process:
• Select and apply a framework (i.e. COSO)
• Identify significant account balances, classes of transactions and subsidiaries/other locations

Tests of design – Assess whether management’s identified controls are appropriate for meeting financial statement assertions (in accordance with COSO):
• Inspect documentation prepared by management
• Perform “walkthroughs” of processes
• Inquire, observe, inspect control documentation supporting identified controls

Tests of operating effectiveness – Consider the results of Internal Audit/Management testing:
• Perform independent tests regarding general controls, financial reporting, non-routine transactions and fraud
• Re-perform a selection of tests performed by Internal Audit/Management
• Perform a selection of independent tests (beyond Internal Audit/Management)

Reporting
• Analyze impact of exceptions (if any)

Comparison of Audit of Control Evaluation

Control Environment Evaluation
Audit: Obtain knowledge sufficient to enable us to identify and understand the events, transactions and practices that, in our judgment, may have significant effect on the financial statements.
Section 404: Perform tests of both design and operating effectiveness for each element of the control environment. The nature, extent and timing of tests are more extensive.

Risk Assessment
Audit: Obtain an understanding of strategic business risks (“SBRs”), including their financial statement implications, and identify significant classes of transactions (“SCOTs”) and the key processes that generate them.
Section 404: Evaluate the design and test the effectiveness of management’s risk assessment process in addition to considering the specific risks identified.

Auditors’ Approach to 404 Attestation, Cont.

Design Evaluation
Audit: Obtain an understanding of how each key process operates focused on the identified SBRs and SCOTs.
Section 404: Identify expanded scope of control activities that cover a much broader range of controls than those that would historically have been included in an audit.

Testing Operating Effectiveness
Audit: Test control activities throughout the year, focusing on the SBRs and SCOTs identified in the risk assessment process.
Section 404: Test control activities close to the end of the year (as of date), focusing on a much broader scope of control activities than the audit.

Auditors’ Approach to 404 Attestation, Cont.

Substantive Procedures
Audit: Perform substantive procedures as required by generally accepted auditing standards, including tests of details or analytical procedures for each material account balance and class of transaction. Some level of substantive procedures will always be required for an audit due to inherent limitations in internal control and because internal control can be overridden.
Section 404: None required.

Reporting
Audit: Report on whether the financial statements, in all material respects, are free of material misstatements, as of and for the year ending December 31, 2003. Exceptions, if any, are evaluated as audit differences.
Section 404: Report on whether the Company maintained, in all material respects, effective internal control over financial reporting, as of December 31, 2003. Exceptions, if any, are evaluated to determine if they represent significant deficiencies or material weaknesses. Audit differences identified as part of the audit need to be considered in this evaluation.

While Sarbanes-Oxley 404 increases the documentation burden, it also provides opportunities:

Sarbanes-Oxley 404 gives an opportunity to:

For Companies:
– Gain more information and control over factors impacting current results, and more control in situations of market or company stress
– Expect more responsible competition, as competitors sharpen controls around reporting current loss ratios reducing irrational price competition
– Increased awareness to impact of changes

For Actuaries:
– Expand reserve analysis to take into account issues that have caused past variability by instituting meaningful controls enhancing the precision of estimates
– Actuaries can expand professionally becoming more involved and aware in all competencies of risk assessment, such as underwriting and claims

For Auditors:
– Reduce the chance of audit failures due to lack of company controls (such as Enron)
– Expand and deepen the audit relationship with client companies

Questions and Answers