Publications

• 30 Second Ideas
• Accounting Updates
• Alerts
• Articles
• Business Surveys
• Construction Edge
• Healthcare Edge
• Insurance Edge
• Legal Talent
• Manufacturing Edge
• Not-for-Profit Edge
• Quick Links & Good Ideas
• SEC Edge
• Strategy Insights Blog
• Surviving the Upturn
• Tax Highlights

Changes to the Model Audit Rule and the Impact on Insurance Companies

With the advent of the new Model Audit Rule, Sarbanes-Oxley-like provisions will now impact the internal control requirements of many insurance companies. Insurance companies will need to spend considerable time and resources in an effort to comply. Additionally, the changes will affect the roles and responsibilities of their boards and management teams.

Insurers are correct to be concerned. Model Audit deals with matters never before required for nonpublic entities. In other words, they can no longer "turn a blind eye" to requirements and provisions.

As insurers assess the potential impact on their company, many are coming to the realization that their current internal staff does not have the expertise to efficiently deal with these new requirements.

A Brief History of the Model Audit Rule

Private insurance companies with direct premiums written and assumed in excess of $500 million per year are subject to the modifications to the Annual Financial Reporting Model Regulation (Model Audit Rule).

The Model Audit Rule, originally issued to drive consistency across insurance regulators by the National Association of Insurance Commissioners (NAIC), was revised in 2006. These modifications will take effect for the year ending 2010. The new requirements within the Model Audit Rule are similar to those of the Sarbanes-Oxley Act of 2002 (the SOX Act or Sarbanes-Oxley), issued in response to the well-publicized fraudulent financial reporting at large public corporations. This high-profile fraudulent activity placed even greater importance on the accuracy of companies' financial statements and the manner in which they are compiled. It has also levied increased penalties on those who fraudulently mislead others through inaccurate financial statements.

The NAIC did not wait for the insurance industry equivalent of an Enron scandal to implement what is generally considered an effective method for providing stakeholders with evidence that company executives are taking measures to accurately report the financial position of their organizations.

The Recent Modifications

The NAIC, in conjunction with the American Institute of Certified Public Accountants Working Group, has implemented three notable changes to the Model Audit Rule:

1. External Auditor Independence
   The new regulation prohibits audit firms from providing the following "nonaudit" services to an audit client:
   • Bookkeeping
   • Financial information systems design and implementation
   • Actuarial services
   • Internal audit outsourcing services
   • Management or human resource services
   • Expert services unrelated to the audit
     
     This also requires the engagement partner to rotate off the audit client every five years and to wait five years before returning to the audit client. These changes are in line with the independence rules implemented by the SOX Act and overseen by the Public Company Accounting Oversight Board (PCAOB). The PCAOB is the governing body, created by the SOX Act, to provide professional guidance and oversight to the accounting industry.
2. Corporate and Audit Committee Oversight
   The Model Audit Rule provides the following requirements on the makeup of the audit committee based on the insurance activity of the company:
   • The audit committee is responsible for the appointment, compensation and oversight of the external auditors.
   • For insurers with a holding company ownership structure, a separate audit committee is required for each legal entity, but only at the "ultimate controlling person" level.
   • Depending on the size of the company, a percentage of audit committee members need to be independent. Independence, in this context, is defined as "a person who does not accept any consulting, advisory or other compensatory fee from the company or its affiliates." An exception to this is given for states with conflicting laws in place. The table below defines the independence requirement of the audit committee based on the activity of the insurer, measured by direct premiums written and assumed.
     
     
3. Internal Controls Over Financial Reporting
   The most significant change to the Model Audit Rule requires management of insurers with direct premiums written and assumed in excess of $500 million to file a report with the state insurance department regarding the company's assessment of internal controls over financial reporting. This report will include the following information:
   • A statement that management is responsible for establishing and maintaining adequate internal controls over financial reporting
     A statement that management has established such controls and an assertion that these controls effectively provide reasonable assurance regarding the reliability of the statutory financial statements
     A statement regarding the process or approach utilized by management in this evaluation
     Disclosure of any unremediated material weaknesses in internal controls over financial reporting

The independent auditors will not issue an opinion on the effectiveness of a company's internal controls over financial reporting. However, the independent auditors should consider the report to the state insurance department during the planning and performance of the annual audit. The reliance on this report is based on the independent auditor's ability to gain comfort with the objectivity of the individuals testing and assessing the internal control environment.

The reporting of internal controls over financial reporting will not apply to companies writing less than $500 million in annual gross (direct and assumed) premium, at this time. There are some experts who believe these companies will be required to comply with all changes to the Model Audit Rule in the future.

How the Model Audit Rule Directly Affects Private Insurers

Privately held insurance companies subject to the Model Audit Rule's requirement to document internal controls over financial reporting should take time to learn from public companies that have already complied with Section 404 of the SOX Act.

Documenting and testing internal controls is a time-consuming process. Some corporate managers viewed Section 404 simply as an exercise of pulling documentation together and testing controls to provide a letter stating that their internal controls over financial reporting were effective. As a result, management did not allocate the necessary time and resources to become compliant, which in turn, increased the level of time and effort needed to complete the processes. Or, worse, companies were not able to complete documentation and testing of internal controls over financial reporting and issued material weaknesses stating such.

Documentation might not be current and detailed enough. Before Sarbanes-Oxley, management teams of many public companies felt they were operating in a well-documented, controlled environment and, as a result, felt they had already met the requirements of the SOX Act. But many companies found that such documentation, when it did exist, did not provide sufficient detail or accuracy to be audited, tested and found satisfactory by the external auditor. This resulted in re-documentation efforts, which often resulted in allocating more resources and time than initially budgeted.

Section 404 compliance is not solely an accounting or internal audit project. Other public companies might have viewed Section 404 compliance as something that applied only to internal audit or accounting departments. However, companies found that proper internal controls over financial reporting touched virtually every department. Workers, who might never have seen a process flowchart, were suddenly involved in creating flowcharts for nearly all activities of their jobs.

Why Insurance Companies Should Start Preparing Now

Clearly, Section 404 compliance, and its NAIC equivalent, the Model Audit Rule, will affect virtually all departments in a company. Executive management will need to understand all requirements upfront and allocate solid business resources to meet compliance needs.

Publicly traded companies that properly planned and identified key personnel from multiple departments, including information technology, to lead the project seemed to experience smoother Sarbanes-Oxley implementation. Companies affected by the Model Audit Rule will have sufficient time to comply and should take advantage of this cushion by thinking through the processes that go into preparing financial statement balances, the current state of documentation and what new documentation would be needed to support proper internal controls. The company should also consider the number of resources that will be needed and how these resource needs fit with other business priorities.

Some publicly traded companies postponed internal controls implementation, and consequently, have experienced some setbacks. These companies often experienced an increase in fees (or increased headcount when completed in-house) and hurried implementation of controls that resulted in inefficiencies due to a "bandage" style to address risks. By delaying implementation, management did not have time to ask the question, "Do the controls we implemented complement or hinder our current operations?" Controls often added steps to operations and resulted in inefficiencies. Additionally, late adopters did not have the luxury of delays, temporary reallocation of resources or unexpected turnover, which often resulted in hurried documentation, testing and reporting. Lastly, by deferring the project until a later date management sent a message to employees that internal controls are not a priority at the organization.

With proper early planning and dedicated resources, insurers should be able to efficiently comply with the new Model Audit Rule requirements, realize benefits from their improved control environment, and comfortably avoid pitfalls, unexpected costs and business interruptions such as those faced by late SOX adopters.

Questions about the Model Audit Rule or Sarbanes-Oxley?
Contact Jerry Hufton, Partner, at 312-980-2961 or your Blackman Kallick representative.
Our thanks to Steven A. Baer for his contribution to this article.

This publication is part of Blackman Kallick’s marketing of professional services, and is not written tax advice directed at the specific facts and circumstances of any person and/or entity. Contents of this publication are of a general nature, and you should not act on this information without obtaining professional advice from your business advisor that is appropriately tailored to your individual needs and circumstances. This written advice is not intended or written to be used, and cannot be used by any taxpayer, for the purpose of avoiding penalties that may be imposed under the Internal Revenue Code.