Background
The Sarbanes-Oxley Act of 2002 has precipitated the most prevalent changes to financial reporting, corporate governance, and regulatory environment for public companies since the Securities Act of 1933 and 1934. The failure in internal controls, especially relating to financial reporting, was among the specific concerns addressed by the Act. Several high profile business failures that began with ENRON in late 2001 exposed serious weaknesses in the systems of checks and balances that serve to protect shareholders, policyholders, employees, and general confidence in the stability and fairness of United States markets. The process of internal control relies on management, directors, external lawyers, external accountants, and others to function. In reviewing the business failures, a common problem was identified. The executives, directors, lawyers, public accountants, etc., who were relied on to make the system work were found missing or, worse, complicit in the breaches of public trust. The Sarbanes-Oxley Act was crafted to address those failures.
Amendment of Model Audit Rule
The proposed amendment of the Model Audit Rule addresses corporate governance, independence, and direct attestation of internal control.
Governance-The corporate governance provisions include the change in relationship between management and the audit committee of the Board of Directors. Previously, both sides worked as a team with the audit committee following the company's lead, but the Act clarifies that the Audit Committee has direct oversight responsibilities for hiring and firing of the external auditors. The change is intended to motivate audit committees to identify and understand audit risks.
Auditor Independence-Independence rules have been expanded to more explicitly prohibit external auditors from providing services which might impair their ability or the perception of a fair and objective audit. The rules can generally be summarized as follows:
- The auditor should not audit or attest to his or her own work.
- The auditor should not act as if he or she is management.
- The auditor should not act as an advocate for the client.
Internal Control Opinion-Section 404 of the Act requires public companies to include a separate report by management on the assessment of the effectiveness of the entity's internal control. The external auditors must attest to and report on internal controls. The overall assessment is limited to internal controls over financial reporting. The SEC example of internal control encompasses the integrated framework internal control definition developed and published by the Committee of Sponsoring Organization of the Treadway Commission ("COSO").
The COSO framework is not a fixed, prescriptive approach to internal control and recognizes that internal control can not be mechanically evaluated against a detailed set of fixed, required procedures. The SEC has frowned on checklist, canned operating software which supplies form without substance.
In performing audit and attestation procedures, new standards will be followed by external auditors. Inadequate documentation, under the new standards and the Act, is a control deficiency that may rise to the level of a material weakness. The new standards prohibit the external auditors from using management's tests for evaluating internal controls. Entities that lack sufficient resources or expertise may look to third parties for assistance but management remains ultimately responsible for evaluating and reporting on the effectiveness of the entity's internal control.
Impact on Non-Public Insurance Companies
At this date the amendment to the Model Audit Rule is in a proposed form. The probability of the amendment being finalized is high. The key costs involved have been soft costs of the time required for management to change its role and relationship with both the audit committee and external auditors. Also involved are the incremental costs incurred to review the design and maintenance of the company's internal control.
Insurance is a highly regulated, solvency driven industry. The amendment to the Model Audit Rule reinforces a long standing principle that management has always been responsible for the design and maintenance of the company's internal control structure. The proposal requires positive assurance on internal control and modifies the current audit process but it does not materially change the original audit rule intent. The proposed adoption date allows management to systematically review and adjust, if necessary, its governance and internal control processes. The time is right to plan and start the process.
Public companies have addressed the audit committee role. The financial printer, Bowne, has published "The Audit Committee Guide" by Arthur H. Bill and has made it available on its website www.bowne.com/bsc/pubs.asp. This is must reading for executives and audit committee members. It gives a comprehensive overview of Sarbanes-Oxley Act provisions and the current guidance from the SEC and other interested parties.
The independence requirements for external auditors will need to be discussed with your auditors. A process which includes audit committee approval needs to be developed to review the services that the external auditors are performing and whether their participation violates either the perception of independence or the prohibited services.
The internal control provisions of Section 404 of the Sarbanes-Oxley Act require a separate report by management on the assessment of the effectiveness of the entity's internal control. The entity's external auditors must attest to and report on the assessment made by management. It is anticipated that the Model Audit Rule will follow a similar approach and the current letter on internal control would be eliminated.
The internal control framework that the SEC sighted as an example was the COSO framework. The approach has and is being refined, but its origin is from the late 1980s. The "Big Eight" accounting firms (at that time) adopted versions of the approach so that audited companies have seen the logic and process. The major changes are in the integration of approach, the emphasis on formal internal control attestation, changes in technology, and regulations. Also, the new audit standards require a higher level of documentation of financial areas related to financial reporting, which if not followed, could cause a control deficiency that may rise to the level of a material weakness.
In order to reach a reliable conclusion about effectiveness of the entity's internal control, management needs to refine their current audit planning. Management needs to consider a logical, structured, and measured approach to its testing and evaluation. For example:
- Determine the adequacy of existing documentation. If controls are found to be missing, contain design deficiencies, or have changed, then the new or redesigned controls need to be documented.
- Perform tests of the design and operating effectiveness of all significant controls.
- Evaluate the test results and form a conclusion about the effectiveness of internal control. If the tests reveal significant deficiencies or material weaknesses in internal control, then corrective action should be taken.
- Prepare management's report on internal control.
If sufficient resources or expertise are lacking, temporary third party assistance may be warranted. It is our recommendation that the company be responsible for maintenance of the internal control documentation and subsequent changes. Complete outsourcing does not benefit management since management remains responsible for evaluating and reporting on the effectiveness of the entity's internal control.
Conclusion
The NAIC proposed amendment to the Model Audit Rule is a proactive measure designed to ensure the objectivity and integrity of the solvency and financial monitoring process. For most insurance companies it will be a chance to revalidate their internal control process and update the process for change. A side benefit to public entities is that more automation is deployed both in processing and monitoring internal controls.
For management and audit committees it provides a formal structure for monitoring financial reporting risk and defining responsibilities. For the external auditor it clarifies their role and protects their independence. The combined result is the continued protection of the policyholders, shareholders, employees and the trust that insurance contracts will be able to pay the promised benefits.
Valued Resource
Health Risk Management Services, Inc. has a history of providing internal control services from identification, evaluation, and documentation to redesigning financial systems. Our involvement has included both advisory and supervisory roles. Our expertise extends to performing procedures in key areas such as claim/loss reserves, policy reserves, reinsurance transactions, deferred and current tax provisions, statutory and generally accepted accounting principles basis accounting and reporting matters, managed care evaluation and management, capital adequacy, financial modeling, and business plans. A more comprehensive service list can be found in the Services section of this website.
Contact us to discuss the impact that the proposed amendment to the Model Audit Rule will have on your insurance entity. We can be contacted at (630)243-0117 or e-mail MFischer@riskinc.net.