Sarbanes-Oxley Section 404 Internal Controls and Actuarial Processes
Chris Nyce, KPMG LLP
September 2006

Disclaimer
• Views and opinions expressed in this presentation and the underlying paper are those of the authors.
• Needless to say then, they do not represent the opinions of the CAS, nor any employer of the presenters, nor any sponsors of the meeting.
• Anyone who says otherwise is not only wrong, but is clearly itching for a fight.

Note
• Risks to financial reporting are unique to each company.
• The following discussion highlights things that should commonly be considered, but companies may need to consider other types of controls, and do not necessarily need all types of controls discussed.
• Companies should consider their unique risk profile and consult professional advisors when implementing and evaluating their own controls.

Sarbanes-Oxley Section 404 Internal Controls and Actuarial Processes (outline)
• Background
• COSO Framework
• Scope for Actuarial Processes
• Issues
  – Information Integrity & Availability
  – Analysis
  – End User Applications
  – Management's Best Estimate
• Documentation
• Considerations by Size of Company
• Status

Comments by Harvey Pitt (SEC Chairman when SOX was Passed)
Question: How is SOX like the weather?
Answer: Everyone talks about it, but no-one does anything about it.
Quote from Mr. Pitt: "The statute was hastily – and, therefore, badly – drafted; but it was and remains, necessary."
Source: Wall Street Journal, April 13, 2006

Background
SOX Section 404 Company Requirements:
– State management's role in establishing and maintaining an adequate internal control structure and procedures for financial reporting;
– Report on the effectiveness of their internal controls over financial reporting procedures, including supporting documentation of controls and testing of their effectiveness.
SOX Section 404 Auditor Requirements:
– Attest to and report on management's assessment of internal controls;
– Attest to the effectiveness of internal controls.
Background (continued)
Deficiency = a situation where internal controls are identified as not effective.
Responses:
– Identify and implement remediation steps;
– Evaluate the seriousness of the deficiency.

Type of Deficiency | Criteria | Reporting Requirement
Deficiency | Doesn't rise to a more serious level. | Auditor to management.
Significant Deficiency | Results in a more than remote likelihood of a misstatement that is more than inconsequential. | Auditor to Audit Committee.
Material Weakness | Results in a more than remote likelihood of a material misstatement. | Auditor to Audit Committee and in Audit Opinion (a public document).

The COSO Framework
• Committee of Sponsoring Organizations, issued in 1992; AKA The Treadway Commission.
  – Provides a basic framework for all internal controls;
  – Implementers are not required to use this framework, but most do.
• What is the framework?
  – Control Environment;
  – Risk Assessment;
  – Control Activities;
  – Information and Communication;
  – Monitoring.

Diagram of COSO Based Internal Control Structure; Elements of COSO Based Internal Control Structure
(Two diagram slides, not reproduced here.) *Presented with thanks to "Tone at the Top" published by the Institute of Internal Auditors.

Scope for Actuarial Processes

Property/Casualty Insurance Operations Chain
(Flow diagram shown on three successive slides; stages listed in order.)
Business Design:
– Underwriting Process;
– Markets Targeted;
– Product Rate Plan and Coverage;
– Underwriting Guides.
Underwriting/Claims Transaction:
– Producer solicits/binds coverage, or policy renews;
– Policy is submitted to Underwriter;
– Underwriter verifies risk acceptability and price;
– Claims are received or estimated;
– Policy expires and may be renewed or audited.
Transactional Data Systems.
Resulting Financial Flows:
– Underwriting Expenses result;
– Premiums Written and Earned;
– Losses received, recorded, estimated.
The second slide labels the Transactional Data Systems and Resulting Financial Flows stages as the Traditional Financial Statement Audit Focus. The third slide, titled "Property/Casualty Insurance Internal Controls affecting Estimated Balance Sheet and Income Statement Items", adds the label Additional Focus Areas for Internal Controls.

Estimated Balances Must Properly Reflect the Following Company Operations
(Flow diagram shown on two slides; components as labelled.)
– Data sources: Source A, Source B, Source C ... Source Z;
– Company Risk Assumption/Underwriting Practices and Company Claims Handling and Settlement Practices (Underwriting and Claims);
– Company IT/Data Design and Collection Process (Information and Communication; Data);
– Perform Estimates and Analysis (Analysis);
– Review and Communication Process, Committee Process, Input into Accounting System & Review (Information and Communication; Management Review Process).

Comments on Operational Internal Controls and Sarbanes-Oxley, Section 404
AICPA gives guidance as to how Sarbanes-Oxley applies to internal controls in operational areas:
– Only controls which affect financial statement reporting are subject to Sarbanes-Oxley;
– Includes items with significant input to financial reporting;
– Should be taken to include disclosures.
Examples and the AICPA guidance are in the following table.

Operational Controls; Management Responsibility Contrasted with Section 404 Goals
Area of Control | Section 404 Internal Controls Include: | Examples of Additional Management Responsibilities, not Section 404
In General (from AICPA 319, item 40) | Address "inherent and control risks to evaluate the likelihood that material misstatement could occur in the financial statements" | Address "identify, analyze, and manage risks that affect entity objectives"
Underwriting | Company intent around which exposures to insure, at what prices, terms and conditions is clear, is followed, and consistent with assumptions underlying balance sheet and income statement estimates | Management executes an underwriting strategy that provides appropriate returns with reasonable risk to capital providers. Staffing resource is appropriate to the volume of business.
Claims | Case reserving philosophy and claims processes are understood, impacts of changes are understood, and consistent with assumptions underlying profit, loss, and balance sheet estimates | Claim settlements are fair to both claimants and capital providers. Appropriate legal strategies are pursued to defend policyholders. Claims staffing resource is appropriate to the volume of claims.

Industry Track Record
Industry Experience: Runoff of Held Loss and LAE Reserves, Industry All Lines Experience, in millions of US$ (Accident Year evaluated at 12/31/2004; negative means favorable runoff)

Reserve Date | Held Reserves for Loss and LAE | (Equity)/Deficiency as Recorded 12/31/2004 | Ratio (Eq)/Def to Held Reserves
12/31/1995 | 360,940 | (723) | -0.2%
12/31/1996 | 365,319 | 189 | 0.1%
12/31/1997 | 363,351 | 6,119 | 1.7%
12/31/1998 | 378,278 | 24,638 | 6.5%
12/31/1999 | 375,734 | 45,101 | 12.0%
12/31/2000 | 372,075 | 64,129 | 17.2%
12/31/2001 | 389,764 | 60,076 | 15.4%
12/31/2002 | 414,813 | 34,650 | 8.4%
12/31/2003 | 448,652 | 9,882 | 2.2%
12/31/2004 | 486,438 | NA | NA
Source for Accident Year: AM BEST Aggregates and Averages, "Industry Schedule P".

Industry Track Record (continued)
Industry Experience: Loss and Loss Expense Ratio, Comparison of Accident Year to Calendar Year (Accident Year evaluated at 12/31/2004; negative means the Accident Year ratio is less than the Calendar Year ratio)

CY | Earned Premium (000,000's) | Accident Year Loss and LAE Ratio | Calendar Year Loss and LAE Ratio | Difference
1995 | 247,338 | 76.1% | 78.9% | -2.8%
1996 | 257,558 | 78.3% | 78.4% | -0.1%
1997 | 265,356 | 76.0% | 72.8% | 3.2%
1998 | 270,253 | 82.6% | 76.5% | 6.1%
1999 | 277,760 | 84.8% | 78.9% | 5.9%
2000 | 291,472 | 86.7% | 81.3% | 5.4%
2001 | 312,286 | 86.7% | 88.4% | -1.7%
2002 | 351,388 | 74.0% | 81.5% | -7.5%
2003 | 394,951 | 68.2% | 75.0% | -6.8%
2004 | 425,230 | 70.2% | 72.8% | -2.7%
Total | 3,093,591 | 77.6% | 78.3% | -0.6%
Source for Calendar Year: AM BEST Aggregates and Averages, "Cumulative by Line Net Underwriting Experience, Industry".
Source for Accident Year: AM BEST Aggregates and Averages, "Industry Schedule P".
Information Integrity and Availability
Data
• Controls to ensure data is accurate and complete;
• Data is available to enable comprehensive analysis;
• Data is available to monitor compliance with Claims and Underwriting controls;
• Data is available to support management review needs, including tracking of trends.

Actuarial Analysis
• Access to data is sufficiently convenient to analysts;
• Available information is incorporated in analysis;
• Communication process with underwriting, claims, and management is sufficient;
• Appropriate methods are used;
• Communication of results to management is clear.

End User Applications
• Spreadsheets, databases, word documents, ...
• One of the most problematic pieces of control documentation.
• There is a group dedicated to spreadsheet risks; lots of stories available. See website http://www.eusprig.org/stories.htm
• University of Hawaii research finds error rates on spreadsheets near 90%, and this goes near 100% if more than 200 lines.

Priority of Spreadsheet Controls
Use of spreadsheet | Simple | Complex
Financial Reporting | Moderate Controls | Extensive Controls
Analytical | Simple Controls | Moderate Controls
Operational | |
For more information see "The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act", available at www.Pwcglobal.com

What Controls to Consider
• Backups
• Archiving
• Security Controls over Access
• Change Control and Version Control, such as Formula Locking
• Baselining – in depth review of calculations and functions
• Internal Data Reconciliations
• Peer Review – sometimes outside the chain of reporting
• Documentation
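An added example, not from the presentation, of how the baselining, formula-locking and internal-reconciliation controls listed above can be checked mechanically. It assumes a hypothetical workbook modelled as a dict of cell addresses to constant values or formula text (a real check would read the cells with a spreadsheet library such as openpyxl), and flags formulas that were overwritten with hard-coded values, altered, or added since the approved baseline.

```python
import hashlib

def formula_baseline(cells):
    """Record a SHA-256 digest of every formula cell (the locked baseline)."""
    return {addr: hashlib.sha256(val.encode()).hexdigest()
            for addr, val in cells.items()
            if isinstance(val, str) and val.startswith("=")}

def check_against_baseline(baseline, cells):
    """Compare the current workbook with the baseline and report drift:
    overridden  - a formula replaced by a hard-coded value (a 'plug')
    changed     - formula text differs from the baselined version
    new_formula - a formula cell that was not in the baseline"""
    current = formula_baseline(cells)
    report = {"overridden": [], "changed": [], "new_formula": []}
    for addr, digest in sorted(baseline.items()):
        if addr not in current:
            report["overridden"].append(addr)
        elif current[addr] != digest:
            report["changed"].append(addr)
    report["new_formula"] = sorted(set(current) - set(baseline))
    return report

def reconcile_to_ledger(cells, detail_cells, ledger_total, tolerance=0.5):
    """Internal data reconciliation: hard-coded detail inputs must agree
    with the independently sourced general-ledger figure."""
    return abs(sum(cells[a] for a in detail_cells) - ledger_total) <= tolerance

# Constructed sample workbook (hypothetical, in $000s): case reserves in
# column B and IBNR in column C by line of business, with formula totals.
BASELINE_WB = {
    "B2": 1200.0, "B3": 850.0, "B4": 430.0, "B5": "=SUM(B2:B4)",
    "C2": 300.0, "C3": 200.0, "C4": 120.0, "C5": "=SUM(C2:C4)",
    "D5": "=B5+C5",  # total loss and LAE reserve carried to the ledger
}
# The same workbook after quarter-end edits: C5 was hard-coded over its
# formula, D5 gained an undocumented adjustment, and E5 is a new formula.
CURRENT_WB = dict(BASELINE_WB, C5=600.0, D5="=B5+C5-50", E5="=D5*1.02")

def run_review():
    """Baseline the approved version, then review the edited version."""
    drift = check_against_baseline(formula_baseline(BASELINE_WB), CURRENT_WB)
    case_ok = reconcile_to_ledger(CURRENT_WB, ["B2", "B3", "B4"], 2480.0)
    return drift, case_ok

if __name__ == "__main__":
    # prints ({'overridden': ['C5'], 'changed': ['D5'], 'new_formula': ['E5']}, True)
    print(run_review())
```

Each flagged cell is a change-control exception that the peer reviewer should see explained and approved before the quarter's figures are released.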
Management's Best Estimate vs. Actuarial Best Estimate
Management Review Process
• Process to determine booked reserves is reasonable;
• Reserve Committee and management review is effective;
• Underlying assumptions, such as trends, are validated.
Review controls to ensure the estimate selection process is consistent with the outcome of the underlying estimates, or reasons for departure are documented, including quantification of reasons.

(Diagram labels on the slide: Data – Completeness, Accuracy; Analysis; Underwriting & Claims; Management Review Process – Judgmental Areas.)
Reserve Committee Process (best practices)
– Charter spelling out charge and operation of Committee;
– Participation by Senior Management, Finance, Claims, Underwriting, Actuarial;
– Access to a well documented actuarial estimate and range prepared prior to the Committee meeting;
– Active questioning by Committee;
– Well documented outcome of Committee meetings, including approved reserve amount;
– Documentation of differences between management's best estimate and actuarial best estimate.

Documentation Issues
• While SOX has changed the documentation commonly used in actuarial work, accounting documentation requirements are similar to common standards prior to SOX.
• Most Common Pitfalls:
  – Controls should be specific: What is the control? Who performs it? Who reviews it? What is the documentation? How often? Where is it maintained?
  – Informal processes do not fully replace controls;
  – Conservatism doesn't take the place of controls;
  – Lack of misstatement in the past doesn't obviate the need for controls.

Documentation (continued)
• Most Common Pitfalls:
  – Controls over reserves usually just at year end, but release of results to markets quarterly;
  – Controls over processes with significant input to financial statement balances missing;
  – "Common knowledge" instead of rigorous analysis;
  – Considering the auditor as part of the control process;
  – Forgetting controls over significant actuarial balances other than reserves.

Considerations by Size of Company
• All companies need to weigh costs and benefits associated with implementation of SOX 404. Management may consider some deficiencies acceptable relative to costs associated with remediation.
• Larger companies generally have the actuarial resources to implement internal controls effectively.
• Smaller companies likely have resource constraints, most apparently relative to peer review:
  – Third party actuarial analysis;
  – Thorough review (and documentation) of reserves by all professionals in the organization that would be best versed in reasonability of reserves: senior claims, underwriting, and finance management.

Status of Implementation
Status – Recent Events
• For most large domestic entities: implemented 2004.
• Large foreign filers: implementation in 2006.
• NAIC considering statutory rules:
  – Current form would affect large entities, newly impacting about 190 companies;
  – Proposed effective for 2009;
  – No external audit requirement.
• Canadian Securities Administrator has proposed SOX type requirements:
  – No external audit requirement.