By Don Goodenow, StoneRiver
The world of audits, controls and compliance changed dramatically in 2002 with the passage of Sarbanes-Oxley (SOX), and has continued to change for insurers with the NAIC's 2006 adoption of a new Model Audit Rule (MAR). These changes implement much tighter control and reporting requirements on companies, and establish strict management responsibility for all aspects of internal financial controls. Tighter controls are also defined for auditors, analysts and attorneys.While the application of the new MAR primarily impacts larger insurers, the changes are significant. Taken together, SOX and the new MAR make changes in two main areas.
First, a company's CEO and CFO must now assert that: • They've reviewed the company's report • The report is true • It fairly represents the financial condition of the company, and • They know these things are true because they have: - determined that controls are in place and are constructed to ensure that material information reaches them - personally evaluated the effectiveness of these controls, and - explicitly accepted responsibility for the internal controls established for the company's financial processes.
It's up to management to define its controls and how they will be documented and tested.
Second, the board has the primary oversight responsibility, not the auditors. External auditors now report to a board's audit committee, which must be made up entirely of independent directors. The auditors must now sign an agreement that management's assessment is accurate, or document any deficiencies they identify.
There are significant personal penalties, both civil and criminal, for failure to assure accurate reporting.
"Control" involves more than simply controlling who enters the transactions and capturing the debit and credit entries. Acceptable controls will involve securing access to systems, managing user rights, restricting entry to individual transaction fields, and recording the impact that field changes have on financial transactions.
The MAR requires:
"The maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of assets." Assets include everything that a company owns or holds in custody, so the requirement impacts everything from cash to investments to furniture and equipment.
The MAR requires that controls and processes:
"Provide reasonable assurance that transactions are recorded as necessary to permit preparation of the financial statements ... and that receipts and expenditures are being made only in accordance with authorizations of management and directors." This requirement covers all aspects of an insurance company's processing. All policy entries, cash receipts and disbursements need to be subject to acceptable controls.
The MAR also requires that controls and processes:
"Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of assets that could have a material effect on the financial statements ..." "Acquisition, use or disposition" covers a lot of ground. The requirement that unauthorized activities be prevented or detected means that after-the-fact detection alone will not be a sufficient control.
To meet these new requirements, a company must:
• Formally define its processes for manipulating financial data • Document the processes • Ensure they are built to mitigate the risks they face • Assess whether it has adequate security controls to ward off theft or intentional corruption of data, and • Control their employees' job duties and data access authority to eliminate the possibility that employees could commit material fraud or misrepresent financial data.
A company must also ensure that:
• Any problem can be and is quickly identified • The magnitude of the problem is readily determinable, and • The root cause and impact of the problem can be clearly communicated and dealt with.
These requirements apply to manual processes and to the systems that process and manage financial information.
What were considered acceptable controls in the past may well be deemed inadequate and non-compliant in the new world. The organizations that oversee financial reporting have said that if a company's controls were deemed to be deficient, the company could fail to meet SOX requirements even if no real problem existed.
SOX compliance goes a long way, but there is work to do in the area of controls. Go to it -- your CEO and CFO are depending on you.
About the Author: Don Goodenow is director of product management for StoneRiver's reinsurance and collections solutions. During his career he has designed and implemented a number of processing systems and held senior officer positions at both privately and publicly owned P&C carriers. He has also served as the chairman of industry Commercial Fire and Commercial Lines committees and as an Inland Marine committee member. He can be reached at [email protected] or 614-397-7392.What were considered acceptable controls in the past may well be deemed inadequate and non-compliant in the new world. The organizations that oversee financial reporting have said that if a company's controls were deemed to be deficient, the company could fail to meet SOX requirements even if no real problem existed.