CAS Annual Meeting
November 14-16, 2005
Sarbanes-Oxley Act – Section 404 Implications for Insurance Companies
Heidi Hoeller, PricewaterhouseCoopers
Alan Hines, PricewaterhouseCoopers
Kevin Burns, The Hanover Insurance Group

Timeline of Events
• 12/2/2001 – Enron Bankruptcy
• 7/30/2002 – SOX Signed
• 8/29/2002 – 302 Certifications
• 12/31/2004 – SEC Accelerated Filer - 404 Compliance Date
• Today
• 12/31/2005 – All Other SEC Filers - 404 Compliance Date
• TBD – NAIC

Sarbanes-Oxley Act – Overview
• Sarbanes-Oxley Act signed into law on July 30, 2002
• Most significant reform in the securities laws since enacted
• Purpose is to restore confidence in public financial reporting
• Fundamental change in how Audit Committees, management and auditors carry out responsibilities and interact
• Passed with remarkable speed
• Specific in some areas; only a framework in others with further rulemaking required to clarify
• Increases accountability

The Components
The Sarbanes-Oxley Act is divided into 11 Sections (Titles):
1. Public Company Accounting Oversight Board
2. Auditor Independence
3. Corporate Responsibility
4. Enhanced Financial Disclosures
5. Analyst Conflicts of Interest
6. Commission Resources & Authority
7. Studies & Reports
8. Corporate & Criminal Fraud Accountability
9. White-Collar Crime Penalty Enhancements
10. Corporate Tax Returns
11. Corporate Fraud & Accountability

Title III – Corporate Responsibility
• Sets independence standards for members of Board and Audit Committee
• Section 302 requires quarterly certification by the CEO and CFO:
  • Reports have been reviewed
  • Report does not contain any material omissions or untrue statements
  • Financial statements fairly present, in all material respects, the financial condition, results of operations and cash flows of the Company
  • They are responsible for establishing & maintaining disclosure controls and procedures and have evaluated the design and effectiveness of these controls
  • Confirmation that all control deficiencies and fraud have been disclosed to the audit committee
  • Reporting of any subsequent control changes of significance

Title IV – Enhanced Disclosure
A number of provisions for enhanced financial statement disclosure are included in addition to…
Section 404 - Internal Control Report
• Management’s annual assessment of internal controls – Each annual report must contain an internal control report:
  • Stating the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and
  • Management’s assessment, as of the end of the most recent fiscal year, of the effectiveness of such controls and procedures
• Auditor attestation report – External auditor is required to attest to and report on management’s assessment. This includes two separate attestations: one on design and another on the operating effectiveness of the controls

404: Key Elements – Auditor Assurance
The auditors’ objectives:
• Express an opinion on management’s assessment of the effectiveness of the company’s internal control over financial reporting
• Express an opinion on the effectiveness of the company’s internal controls
As of the date specified in management’s assessment.

404: Key Elements – New Environment
In the old days, the auditor would…
• Understand how management controls its business.
• Obtain an understanding of the design and operation of controls in order to determine the nature, timing and extent of substantive procedures.
• Test and evaluate the operation of internal controls only when the auditor intended to rely upon them.
• Complete auditor documentation to support the opinion on the financial statements.

Today, the auditor must…
• Evaluate management’s assessment on the effectiveness of internal control.
• Obtain an understanding of the design of controls by performing walkthroughs, including controls related to fraud, to issue an opinion on the effectiveness of internal control and to determine the nature, timing and extent of substantive procedures.
• Test controls to issue an opinion on the effectiveness of internal control - whether we would typically rely on them for audit purposes or not.
• Complete auditor documentation to support the opinions on the financial statements, on management’s assessment of the effectiveness of internal control over financial reporting and on the effectiveness of internal control over financial reporting.

404: Key Steps for Assessing Controls
[Diagram labels: Scope & Plan; Assess Risk; Consider Work Of Others; Test Operating Effectiveness; Identify Processes & Assertions; Scope Locations; Perform Walkthroughs; Understand & Evaluate; Validate; Identify Significant Accounts; Evaluate Design Effectiveness; Evaluate Management Assessment; Consider Impact of Results]

404: Implementation Phases
1. Scoping & Planning
2. Documentation
3. Testing
4. Evaluation & Communication

404: Scoping & Planning
• Assessment of internal controls must be based on a suitable, recognized control framework.
• COSO (Committee of Sponsoring Organizations) Framework

404: Scoping & Planning - Components
• Accounts – all significant accounts and their relevant assertions
• Locations – significant (important) business locations or units
• Processes – significant processes over major classes of transactions
[Diagram labels: Significant Accounts, Components, and Assertions; Locations and Sub-Locations; Processes and Sub-Processes; Quantitative & Qualitative Considerations]

404: Documentation
Management’s documentation should support:
• Scoping decisions
• Evaluation of whether controls are designed to prevent or detect material misstatements
• Conclusion that the tests of operating effectiveness were planned and performed properly
• That test results were considered in determining its assertion

404: Documentation - Process
Four step documentation process:
1. Determine scope of documentation
2. Develop process documentation
3. Develop controls documentation
4. Assess the design of controls

404: Documentation – Other Considerations
• All significant controls must be documented, including general computer controls and company level controls
• The level of assurance from a control should be assessed (manual vs. automated / simple vs. complex)
• Control documentation should address six questions:
  • What is the risk?
  • What is the control activity?
  • Why is the activity performed?
  • Who performs the control?
  • When is the activity performed? (Frequency)
  • What mechanism is used to perform the activity?

404: Auditor Evaluation of Documentation
Inadequate documentation is a deficiency.

404: Testing Approach
Four key steps:
• Identify controls to be tested
• Identify who will perform the testing
• Develop and execute a test plan
• Evaluate the results

404: Identifying Controls to Test
• Management must obtain reasonable assurance of operating effectiveness through testing.
• Management must address operating effectiveness of controls over all five components of COSO.
• Evidence can include self-assessment, internal audit procedures, and ongoing monitoring activities
• The need for detailed testing is not eliminated; rather, it is reduced through other evidence.
• Robust testing reduces the risk that deficiencies are identified by independent auditors during testing phase and allows adequate remediation time

404: Nature & Extent of Testing
Frequency of Manual Control | Typical Number/Range for Testing
Annually | 1
Quarterly | 2
Monthly | 2 to 5
Weekly | 5 to 15
Daily | 20 to 40
Multiple Times per Day | 25 to 60
[Figure: Level of Assurance – Reperformance, Examination, Observation, Inquiry]

404: Evaluation – Deficiencies Defined
Deficiencies | Reason
Design | A control necessary to meet the control objective is missing OR an existing control is not properly designed so that, even if the controls operate, the control objective is not always met.
Operation | A properly designed control does not operate as intended OR the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

Significant Deficiency – a control deficiency that adversely affects the company’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles.
Material Weakness – a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected.

404: Evaluation of Deficiencies – Process
1. Identify the Deficiencies
2. Understand and Assess the Deficiency
3. Assess the Likelihood of Misstatement
4. Assess the Potential Magnitude of Misstatement
5. Identify Compensating Controls
6. Determine Classification of Deficiencies
7. Assess Deficiencies in Aggregation with Others

404: Evaluation Criteria
Likelihood:
• Not whether a misstatement HAS occurred
• Is there a MORE THAN A REMOTE likelihood of occurrence?
Potential Magnitude:
• Size of POTENTIAL error that COULD occur
• Would the result be a more than inconsequential misstatement?
• Would the result be a material misstatement?

Given the Requirements for Section 404, How Does Management Ensure Readiness?
The following is a recommended 404 readiness approach:
[Diagram labels: Continuous Improvement; Management; Initiate Project And Assess Risk; Document and Evaluate Control Design; Remediate; Auditor; Test Operating Effectiveness; Prepare Report on Internal Control Over Financial Reporting; Attest and Report; Project Management Support]

Title IV Subgroup of the NAIC/AICPA’s Working Group
• Every insurer with $500 Million in premium will be required to submit annual report from management on internal controls
• SEC registrants, insurer members of a group that is an SEC registrant, and companies that voluntarily comply must file report with insurance department
• IP Proposal to allow management reports by legal entity or as a “group of insurers”
• Management Report Must Include the following:
  • A statement management is responsible for maintaining adequate controls over financial reporting
  • Management’s belief that the controls are effective
  • A description of the process used by management to evaluate the effectiveness of controls
  • Disclosure of unremediated material weakness in the controls
• May be no requirement for an independent auditors report or CPA attestation
• Proposed effective date for compliance December 31, 2009

Overview – 404 for Actuaries
A Systematic Approach
1) Take Inventory
2) Document Processes
3) Identify Risks
4) Identify Existing or New Controls
5) Test Design
6) Test Operation
5a/6a) Remediate Gaps
7) Auditor Testing

Step 1 – Take Inventory
• Identify All Actuarial Balances
  • Gross Loss and LAE Reserves
  • Ceded Loss and LAE Reserves
  • Premium accruals for audits and retro rating
• Identify Actuarial Notes to Financial Statements
  • Current/prior year split; A&E reserves
• Identify Those That Are Significant
  • Loss and LAE reserves are significant
• Identify Those That Are Not Significant
  • Some subsets of reserves may not be significant
• Document

Step 2 – Identify and Document the Process(es) Associated with the Significant Balances
• Prerequisite to Identifying Points of Risk – Roadmap is Needed
• The level of detail of the documentation is considered sufficient when a reasonably qualified person, who is not intimately familiar with the process, can obtain sufficient understanding of how the process and embedded controls operate, in order to be able to perform objective validation thereof.

Roadmap to Actuarial Reserves
[Diagram; recoverable labels by heading]
Account: Catastrophe IBNR; Voluntary Pools IBNR; Involuntary Pools IBNR; Company IBNR
Determined By: Claims Dept; Reins Accounting; Reserving Process; Product Management (Pricing, Trends..); Financial Planning (Forecasted prem., U/W)
GL Owner: P&C Acctng; Reins Acctng
Control Matrix:
  P&C Financial Reporting 4.2.1.1, 4.2.1.2, 4.3.1.1,
  Assumed Reinsurance & Pools Acctng 3.1.1.2, 5.1.1.2, 5.1.1.4
  P&C Actuarial Controls 5.1.1.1 - 5.3.2.3

Step 2 – Identify and Document the Process(es) Associated with the Significant Balances
A Generic List of Processes Might Include
• Data Collection and Testing
• Actuarial Judgments Relating to Methods/Assumptions
• Actuarial calculation environment
• Peer Review Procedures
• Determination of Selected Estimates
• Bridging the Gap between Actuarial Indications and Recorded Reserves

Step 3 – Identify Risks
Risk of Material Financial Misstatement – Not Operational Risk
Look for points in the process where a potential misstatement could occur (may be due to inherent risk or fraud risk).
• Data
• IT environment - including Spreadsheets
• Methods, Calculations, and Assumptions
• Actuarial Judgments
• Management “Adjustments” or differences
• Recording Reserve Changes
Qualify Risk – High or Low

Step 4 – Identify Existing or New Control Activities
Controls over a process created to ensure:
• Accuracy
• Completeness
• Validity
• Restricted access
Many actuarial processes have controls embedded into them!
• Consider a review of the ratio of case reserves to paid claims:
  • Is it a control over the appropriateness of the development method?
  • Is it part of the reserve estimating process?
Some controls are automated; some are manual.
May not be 1-to-1 correspondence between processes and controls nor between risks and controls:
• Some controls may mitigate many risks.
• Some risks may be mitigated by a combination of controls.

Step 5 – Test the Design of Controls
• This was a new concept for actuaries.
• Walkthroughs can be a useful testing procedure for assessing whether the documentation accurately reflects actual controls.
• Evaluating the design effectiveness of a control is an attempt to look at the activity and decide whether it achieves its objective.
• The testing should consider how the control was applied, the consistency with which it was applied, and by whom it was applied.
• Only properly designed controls are capable of operating effectively.

Step 6 – Test the Operation of Controls
• This was also a new concept for actuaries.
• Testing the control involves determining that the control step was performed and that it achieved its intended function.
• Testing can be performed in the following ways:
  • Inquiry
  • Observation
  • Inspection/examination
  • Re-performance
• Documentation is required to give evidence of:
  • The performance of the control, and
  • The testing of the control’s operating effectiveness.

Step 5a or 6a – Remediate any Gap(s)
• When the evaluation of design yielded a missing key control, then one must be created.
• When the test of a key control’s design yields a gap, it must be fixed (remediated).
• If the test of a key control’s operation yields a significant gap, it must be remediated
  • May involve re-designing the control
  • For some processes, other controls effectively mitigated the risk and the key controls were redefined
• Management needs adequate time to remediate and re-test the design to avoid a control deficiency.

Step 7 – Auditor Testing of the Internal Controls
• By the time this happens, management’s documentation job should be essentially done (if it was done properly).
• The controls must already be in place and operating.
• The audit firm will need to:
  • Review management’s testing in support of management’s assertion,
  • Perform its own testing of the internal controls to support its opinion on the controls,
  • Evaluate whether deficiencies are inconsequential or significant, and
  • Determine if the deficiencies create a material weakness.

Internal Control – The Finish Line
An opinion that controls are effective would require, at least, the following:
• Processes for significant account balances and disclosures are adequately documented.
• Control activities are designed and in place.
• Control activities have been documented and communicated to employees.
• Standardized controls with periodic testing for effective design and operation with reporting to management.

Lessons Learned From Year One
• Need to use a systematic approach – Attempting to start by identifying risks and controls is not efficient.
• Most companies had effective controls over actuarial process but poor documentation. Key was to identify which steps in the process were controls.
• Common Gaps in Controls:
  • Spreadsheet controls
  • Controls over Actuarial Judgment
  • Bridging the gap between actuarial indication and management’s best estimate.

Spreadsheets – Why the focus?
• An error in a spreadsheet at a major financial institution was a significant factor in a $1 billion misclassification of securities in the financial statements.
• Computer World published an article in May 2004 suggesting 20-40% of spreadsheets have errors while testing by the University of Hawaii found a 91% error rate.
• The Journal of Property Management found 30 to 90% of spreadsheets have errors, with the highest percentage coming from complex sheets (more than 200 lines).
• Many companies rely heavily on spreadsheets.

Spreadsheets - Potential Risks
When evaluating risks, consider:
• Complexity
• Purpose
• Type of input
• Size of spreadsheet
• Sophistication of developer
• Uses of output
• Frequency of modification
• Development Cycle (testing, training, etc.)

Spreadsheets – Practical Steps
The following practical steps can be taken to ensure proper controls over spreadsheets:
• Inventory spreadsheets
• Evaluate the use and complexity of spreadsheets
• Determine the necessary level of controls for “key” spreadsheets
• Evaluate existing “as is” controls
• Develop an action plan for remediating deficiencies

Spreadsheets: Base Level Controls
Base level controls for spreadsheets should include:
• Change Control
• Version Control
• Access Control
• Input Control
• Security & Data Integrity
More complete controls should be in place for spreadsheets assessed as other than low priority

Reserving Process Flowchart
[Flowchart labels: Processed Paid & Case Reserve Adjustments from Claims Systems; Earned Premium and Paid ULAE from the General Ledger; Manual Paid & Case Reserve Adjustments from General Ledger; Actuarial Reserving Data Process; Reinsurance, Pools & Association Adjustment (See Reins Accounting Cycle); Reconcile to General Ledger; Claims Initiatives; Pricing Activity Reports; In-force Policy Reports; Trends and other influences; Actuarial Reserving Analysis Process; Present Reserve Indications to Reserve Committee; Input for IBNR Funding Model; Provide Business Leaders with AY profitability trends; IBNR Recording Process; Catastrophe Reserve (see Claims Cycle)]

Reserving Risks and Control Objectives
Three Main Processes
• Data
• Reserve Analysis
• Recording

Reserving Risks and Control Objectives
Data Process:
• Risk - Data utilized is not complete, accurate or timely, resulting in inaccurate reserve estimates
• Control Objective - Ensure the data utilized for the actuarial review of reserves is complete, accurate, and received in a timely manner

Reserving Risks and Control Objectives
Analysis:
• Risk - Use of or reliance on inappropriate methodologies or underlying assumptions may result in inaccurate estimates of the liabilities
• Control Objective - Ensure the methods and assumptions used in calculating reserve estimates are in accordance with standards as promulgated by the Casualty Actuarial Society to ensure completeness, consistency, and reasonableness

Reserving Risks and Control Objectives
Recording:
• Risk - Adjustments to IBNR are not valid or are recorded incorrectly, resulting in inaccurate financial statements
• Control Objective - Ensure adjustments to IBNR are valid and recorded correctly within the financial statements.

Key Mitigating Controls - Data
• Detailed Close Schedule - A detailed close schedule for the reserving unit's quarterly reserving analysis is prepared and monitored.
• Balance Processed Data - A reconciliation between the Loss Reserving System and the Corporate Claims System is performed.
• Balance Data to the General Ledger - A reconciliation between the data underlying the Reserve analysis and that contained in the General Ledger is performed PRIOR to starting reserve analysis.
• Balance Data to the General Ledger - A reconciliation between the data underlying the Reserve analysis and that contained in the General Ledger is performed AFTER reserve analysis is completed.
• Communication to Senior Management - The Lead Reserving Actuary "signs off" that information in key management reports is both accurate and complete.
• Systems Security - Access to server containing reserving files limited to members of reserving unit.

Control 1.1.1.2 – Data Timeline
Task | Task Description | Expected Completion Date | Actual Completion Date | Completed By (Initials)
1 | ULAE Paid-to-Paid Update | 15-Sep | 15-Sep | _______
2 | Update Reserving Software | 25-Sep | 25-Sep | _______
  | Day 1 Reconciliation Report | 3-Oct | 3-Oct | _______
  | Environmental Reserve Analysis | 5-Oct | 6-Oct | _______
  | Day 5 Reconciliation Report | 7-Oct | 7-Oct | _______
[Other column headings, row alignment not recoverable: Task, Deliverable, Control Number, Close Day Number; values: 6, 1, 9, 3, 14, 5, 1.1.1.3, 1.1.1.7]
Completed by (Signature): ___________________________________________ Date:

Key Mitigating Controls - Analysis
• Multiple Reserving Methodologies Applied - The indications produced by the various methodologies are evaluated for each accident year and selections are based on a review of the strengths and weaknesses of each method.
• Actuarial Judgments Checklist - The Lead Reserving Actuary formally reviews the consistency of assumptions, methodologies, loss development selections, and reserve selections made by staff reserving actuaries.
• External Reserve Review - An external actuarial consulting firm is retained to perform independent reserve estimates.
• Internal Communication - Loss trend groups, represented and attended by all major functional areas (Accounting, Claims, Reinsurance, Underwriting, Regional Management) meet on a quarterly basis.
• Actuarial Standards of Practice – The actuarial review is performed in accordance with standards published by the CAS.
• Actuarial Opinion - A qualified actuary (FCAS) issues an opinion on the adequacy of the reserves on an annual basis to ensure completeness, consistency, and reasonableness.

Control 1.1.1.2 – Actuarial Judgment
CHECKLIST FOR REVIEW OF ACTUARIAL JUDGMENTS FOR RESERVE CYCLE: SEPTEMBER 30, 2005
(change from prior quarter, Y or N)
Line of Business | Consistency of Incurred Link Ratios | Consistency of Paid Link Ratios | Consistency of Paid Tail Factor | Consistency of Average Case Reserves | Consistency of Settlement Rates
Personal Auto BI | no | no | no | no | no
Personal Auto PIP | no | no | no | no | no
Personal Auto PDL | no | no | no | yes | no
Personal Auto Phy Dam | no | no | no | no | yes
Completed by (Signature): ___________________________________________ Date:

Control 1.1.1.2 – Actuarial Judgment
CHECKLIST FOR REVIEW OF ACTUARIAL JUDGMENTS FOR RESERVE CYCLE:
(change from prior quarter, Y or N)
Line of Business | Change in Methodology Weights, Prior Acc Yrs | Impact | Change in Methodology Weights, Current Acc Yr | Consistency of Paid ALAE Link Ratios | Consistency of Ult ALAE-Ult Loss Assumptions
Personal Auto BI | yes | 769 | no | no | no
Personal Auto PIP | no | | no | no | no
Personal Auto PDL | no | | no | no | no
Personal Auto Phy Dam | no | | yes | no | no
[Further Impact columns, row alignment not recoverable: (632)]
Completed by (Signature): ___________________________________________ Date:

Key Mitigating Controls - Recording
• Reserve Committee – A Reserve Committee (comprised of senior management including the Lead Reserve Actuary) evaluates the quarterly actuarial indications and decides on appropriate IBNR Adjustments.
• Financial Statements Reconciliation - A formal reconciliation of the adjustments to IBNR is performed at the end of each quarter under the direction of the Lead Reserving Actuary.
• CAT Reserve Review - Adjustments for CAT IBNR are estimated by the Claims Dept and recorded in the ledger by P&C Accounting. Refer to the Claims cycle and the P&C Financial Reporting cycle.
• Other Reserve Adjustments - Adjustments for Voluntary Pools IBNR are recorded in the ledger by Reinsurance Accounting. Refer to Assumed Reinsurance & Pools Accounting.