Sarbanes-Oxley Section 404 Internal Controls and Actuarial Processes May 2006
  1. Sarbanes-Oxley Section 404 Internal Controls and Actuarial Processes May 2006
  2. Disclaimer
       • Views and opinions expressed in this presentation and the underlying paper are those of the authors.
       • Needless to say then, they do not represent the opinions of the CAS, nor any employer of the presenters, nor any sponsors of the meeting.
       • Anyone who says otherwise is not only wrong, but is clearly itching for a fight.
  3. Sarbanes-Oxley Section 404 Internal Controls and Actuarial Processes
       • Background
       • COSO Framework
       • Scope for Actuarial Processes
       • Issues
           • Information Integrity & Availability
           • Analysis
           • End User Applications
           • Management’s Best Estimate
       • Documentation
       • Considerations by Size of Company
       • Status
  4. Comments by Harvey Pitt (SEC Chairman when SOX was Passed)
       • Question: How is SOX like the weather?
       • Answer: Everyone talks about it, but no-one does anything about it
       • Quote from Mr. Pitt
       • “The statute was hastily – and, therefore, badly – drafted; but it was and remains, necessary”
       Source: Wall Street Journal, April 13, 2006
  5. Background
  6. Background
       • SOX Section 404 Company Requirements:
           • State management’s role in establishing and maintaining an adequate central structure and procedures for financial reporting;
           • Report on the effectiveness of their internal controls over financial reporting procedures
               • Including supporting documentation of controls, and testing of their effectiveness.
       • SOX Section 404 Auditor Requirements:
           • Attest to and report on management’s assessment of internal controls;
           • Attest to the effectiveness of internal controls.
  7. Background
       • Deficiency = situation arises where internal controls are identified as not effective
       • Responses
           • Identify and implement remediation steps
           • Evaluate seriousness of the deficiency
       Table: Type of Deficiency, Criteria, Reporting Requirement
           • Deficiency
               • Criteria: Doesn’t rise to a more serious level.
               • Reporting Requirement: Auditor to management.
           • Significant Deficiency
               • Criteria: Results in a more than remote likelihood of a misstatement that is more than inconsequential.
               • Reporting Requirement: Auditor to Audit Committee
           • Material Weakness
               • Criteria: Results in a more than remote likelihood of a material misstatement.
               • Reporting Requirement: Auditor to Audit Committee and in Audit Opinion (a public document).
  8. The COSO Framework
  9. The COSO Framework
       • Committee of Sponsoring Organizations issued in 1992
           • AKA The Treadway Commission;
           • Provides a basic framework for all internal controls;
           • Implementers not required to use this framework – But most do.
       • What is the framework
           • Control Environment;
           • Risk Assessment;
           • Control Activities;
           • Information and Communication;
           • Monitoring.
  10. Diagram of COSO Based Internal Control Structure
       *Presented with thanks to “Tone at the Top” published by the Institute of Internal Auditors
  11. Elements of COSO Based Internal Control Structure
       *Presented with thanks to “Tone at the Top” published by the Institute of Internal Auditors
  12. Scope for Actuarial Processes
  13. Property/Casualty Insurance Operations Chain
       [Diagram labels: Producer solicits/binds coverage, or policy renews; Underwriting Process; Policy expires and may be renewed or audited; Claims are received or estimated; Underwriter verifies risk acceptability and price; Policy is submitted to Underwriter; Underwriting/Claims Transaction; Underwriting Guides; Product Rate Plan and Coverage; Premiums Written and Earned; Resulting Financial Flows; Losses received, recorded, estimated; Business Design; Markets Targeted; Underwriting Expenses result; Transactional Data Systems]
  14. Property/Casualty Insurance Operations Chain
       [Diagram: same labels as slide 13, with the added label “Traditional Financial Statement Audit Focus”]
  15. Property/Casualty Insurance Internal Controls affecting Estimated Balance Sheet and Income Statement Items
       [Diagram: same labels as slide 13, with the added label “Additional Focus Areas for Internal Controls”]
  16. Estimated Balances Must Properly Reflect the Following Company Operations
       [Diagram labels: Source A; Source B; Source C; Source Z; Company Risk Assumption/Underwriting Practices; Company Claims Handling and Settlement Practices; Company IT/Data Design and Collection Process; Perform Estimates and Analysis; Review and Communication Process; Committee Process; Input into Accounting System & Review; Information and Communication]
  17. Estimated Balances Must Properly Reflect the Following Company Operations
       [Diagram: same labels as slide 16, with the added labels Underwriting and Claims; Data; Analysis; Management Review Process]
  18. Comments on Operational Internal Controls and Sarbanes-Oxley, Section 404
       • AICPA gives guidance as to how Sarbanes-Oxley applies to internal controls in operational areas
           • Only controls which affect financial statement reporting are subject to Sarbanes-Oxley;
           • Includes items with significant input to financial reporting;
           • Should be taken to include disclosures.
       • Examples and the AICPA guidance are in the following table.
  19. Operational Controls; Management Responsibility Contrasted with Section 404 Goals
       Area of Control: In General (from AICPA 319, item 40)
           • Section 404 Internal Controls Include: Address “Inherent and control risks to evaluate the likelihood that material misstatement could occur in the financial statements”
           • Examples of Additional Management Responsibilities, not section 404: Address “identify, analyze, and manage risks that affect entity objectives”
       Area of Control: Underwriting
           • Section 404 Internal Controls Include: Company intent around which exposures to insure, at what prices, terms and conditions is clear, is followed, and consistent with assumptions underlying balance sheet and income statement estimates
           • Examples of Additional Management Responsibilities, not section 404: Management executes an underwriting strategy that provides appropriate returns with reasonable risk to capital providers. Staffing resource is appropriate to the volume of business.
       Area of Control: Claims
           • Section 404 Internal Controls Include: Case reserving philosophy, and claims processes are understood, impacts of changes are understood, and consistent with assumptions underlying profit, loss, and balance sheet estimates
           • Examples of Additional Management Responsibilities, not section 404: Claim settlements are fair to both claimants and capital providers. Appropriate legal strategies are pursued to defend policyholders. Claims staffing resource is appropriate to the volume of claims.
  20. Industry Track Record
  21. Industry Track Record
  22. Information Integrity and Availability
  23. Information Integrity and Availability
       • Data
       • Controls to ensure data is accurate and complete
       • Data is available to enable comprehensive analysis
       • Data is available to monitor compliance with Claims and Underwriting controls
       • Data is available to support management review needs, including tracking of trends
       [Graphic labels: Data; Analysis; Underwriting and Claims; Management Review Process]
  24. Quantitative Data:
       • Verify information is entered timely and accurately and available to management and analysts to make estimates;
       • Review reconciliation procedures used to discover processing or data errors; investigation process in place when discrepancies arise?
       • Review the edit process used to ensure correctness of operational data for use by management in breakdowns required for analysis, such as class of business, coverages granted;
       • Verify that data elements are coded and reported in the detail required to support critical analysis needs (losses, expenses, claim counts, premium, etc.);
       • Identify and review new impact events, such as new products and regulations, and determine if appropriate data is being gathered;
       • Validate the compilation and availability of cost trend information underlying the financial estimates.
       [Graphic labels: Data; Completeness; Accuracy; Judgmental Areas; Control Activities, Information and Communication, Monitoring; Data; Analysis; Underwriting & Claims; Management Review Process]
  25. Qualitative Data:
       • Capture interaction with claims department;
       • Capture interaction with underwriting department;
       • Verify that information gained from such interactions is manifested within actuarial analysis in an appropriate manner;
       • For companies with multiple business units, ensure that information is interpreted and used consistently across business units.
       [Graphic labels: Data; Completeness; Accuracy; Judgmental Areas; Control Activities, Information and Communication, Monitoring; Data; Analysis; Underwriting & Claims; Management Review Process]
  26. Analysis
  27. Actuarial Analysis
       • Analysis
       • Access to data is sufficiently convenient to analysts
       • Available information is incorporated in analysis
       • Communication process with underwriting, claims, management is sufficient
       • Appropriate methods are used
       • Communication of results to management is clear
       [Graphic labels: Data; Analysis; Underwriting and Claims; Management Review Process]
  28. (untitled slide)
       • Validate that the estimation process encompasses sufficiently broad technical analytics for the business written;
       • Verify that information from the internal operating environment (underwriting, claims) is used to support and validate estimates, including consideration of large losses;
       • Review the segmentation of the business into lines of review, and the controls in place to ensure the business in each segment is correctly understood and reflected in estimates;
       • Verify that external trends and changes are identified, and incorporated into the analysis;
       • Review the process used to keep estimates current between review dates (currency of data relative to financial statement date);
       • Review the process followed to validate estimates with functional management;
       • Validate that the considerations in the CAS and AAA guidance are followed and documented.
       [Graphic labels: Analysis; Completeness; Accuracy; Judgmental Areas; Control Activities, Information and Communication, Monitoring; Peer Review !; Data; Analysis; Underwriting & Claims; Management Review Process]
  29. End User Applications
  30. End User Applications
       • Spreadsheets, databases, word documents, ...
       • One of the most problematic pieces of control documentation
       • Relevant literature: PwC publication “The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act”
       • There is a group dedicated to spreadsheet risks, lots of stories available
           • See website http://www.eusprig.org/stories.htm
       • University of Hawaii research: error rates on spreadsheets near 90%
           • And this goes near 100% if more than 200 lines
  31. Priority of Spreadsheet Controls
       Source: “The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act”, available at www.Pwcglobal.com
  32. What Controls to Consider
       • Backups
       • Archiving
       • Security
           • Controls over Access
       • Change Control and Version Control
           • Such as Formula Locking
       • Baselining – In depth review of calculations and functions
       • Internal Data Reconciliations
       • Peer Review – Sometimes outside the chain of reporting
       • Documentation
  33. Management’s Best Estimate vs. Actuarial Best Estimate
  34. Management’s Best Estimate vs. Actuarial Best Estimate
       • Management Review Process
       • Process to determine booked reserves is reasonable
       • Reserve Committee and management review is effective
       • Underlying assumptions, such as trends, are validated
       [Graphic labels: Data; Analysis; Underwriting and Claims; Management Review Process]
  35. (untitled slide)
       • Review the process to determine carried reserves from the analysis and indications;
       • Review the reserve committee process and minutes to ensure proper management control, involvement, and review in the estimating process;
       • Review controls to ensure the estimate selection process is consistent with the outcome of the underlying estimates, or reasons for departure are documented – including quantification of reasons;
       • Verify controls are in place to validate the underlying assumptions in the estimating process are consistent with the observations of functional management;
       • Review the process to reconcile the estimates with the underlying trends.
       [Graphic labels: Management Review Process; Completeness; Accuracy; Judgmental Areas; Control Activities, Information and Communication, Monitoring; Data; Analysis; Underwriting & Claims; Management Review Process]
  36. Reserve Committee Process (best practices)
       • Charter spelling out charge and operation of Committee;
       • Participation by Senior Management, Finance, Claims, Underwriting, Actuarial;
       • Access to a well documented actuarial estimate and range prepared prior to the Committee meeting;
       • Active questioning by Committee;
       • Well documented outcome of Committee meetings, including approved reserve amount;
       • Documentation of differences between management’s best estimate and actuarial best estimate.
       [Graphic labels: Management Review Process; Completeness; Accuracy; Judgmental Areas; Control Activities, Information and Communication, Monitoring; Data; Analysis; Underwriting & Claims; Management Review Process]
  37. Documentation Issues
  38. Documentation
       • While SOX has changed the documentation commonly used in Actuarial work, Accounting documentation requirements are similar to common standards prior to SOX.
       • Most Common Pitfalls
           • Controls should be specific
               • What is the control? Who performs? Who reviews? What is the documentation? How often? Where maintained?
           • Informal processes do not fully replace controls;
           • Conservatism doesn’t take the place of controls;
           • Lack of misstatement in the past doesn’t obviate the need for controls.
  39. Documentation (continued)
       • Most Common Pitfalls
           • Controls over reserves usually just at year end, but release of results to markets quarterly;
           • Controls over processes with significant input to financial statement balances missing;
           • “Common knowledge” instead of rigorous analysis;
           • Considering the auditor as part of the control process;
           • Forgetting controls over significant actuarial balances other than reserves.
  40. Considerations by Size of Company
  41. Considerations by Size of Company
       • All companies need to weigh costs and benefits associated with implementation of SOX 404. Management may consider some deficiencies acceptable relative to costs associated with remediation.
       • Larger companies generally have the actuarial resources to implement internal controls effectively.
       • Smaller companies likely have resource constraints, most apparently relative to peer review.
           • Third party actuarial analysis;
           • Thorough review (and documentation) of reserves by all professionals in the organization that would be best versed in reasonability of reserves: senior claims, underwriting, and finance management.
  42. Status of Implementation
  43. Status – Recent Events
       • For most large domestic entities; Implemented 2004
       • Large foreign filers; Implementation in 2006
       • NAIC considering statutory rules
           • Current form would affect large entities, newly impacting about 190 Companies;
           • Proposed effective for 2009;
           • No external audit requirement.
       • Canadian Securities Administrator has proposed SOX type requirements
           • No external audit requirement.