September 01, 2008
by Ken Croarkin and Kevin Sullivan
Best's Review: September 2008 Copyrighted A.M. Best Company, Inc. 2008 All Rights Reserved, Reprinted with Permission
Insurers should start preparing for the Model Audit Rule that will debut in 2010.
|The Situation: States are moving toward adopting the so-called Model Audit Rule for insurers, developed by the NAIC.
The Issue: While similar to Sarbanes-Oxley in some ways, the Model Audit Rule's regulations differ in key areas.
The Road Ahead: Insurers are facing a January 2010 date for the MAR to become effective.
In 2002, the Public Company Accounting Reform and Investor Protection Act, otherwise known as the Sarbanes-Oxley Act, or SOX, was passed as a result of corporate governance scandals. Many viewed this drastic measure as a necessary step to restoring and sustaining investor confidence in response to the public's negative perception of corporate integrity.
Section 404 of the act includes a number of reforms that seek to eliminate conflicts of interest while strengthening companies' internal controls over financial reporting. SOX's reforms, however, only apply to publicly traded companies or to those registered with the Securities and Exchange Commission, since the overall goal is to protect investors and restore confidence in securities markets. SEC oversight is dependent on a company's internal reporting and the external audits by their retained outside accounting firms. However, in the case of the insurance industry, regulators also have ongoing oversight and perform regular, substantial on-site examinations of the companies' records.
Some key provisions of Sarbanes-Oxley are incorporated in the new Model Regulation Requiring Annual Audited Financial Reports, also called the Model Audit Rule or MAR. The Sarbanes-Oxley Act requires substantial changes to company internal control practices, resulting in significantly higher compliance efforts and costs than originally estimated. It is important to learn these lessons from SOX implementation and begin thinking about implementing the new rule now.
Current regulations require insurers with $1 million or more in written premiums or 1,000 or more policyholders or certificate holders to file audited, annual statutory financial statements with state insurance departments. But in June 2006, the National Association of Insurance Commissioners adopted significant changes to the regulation. The revised Model Audit Rule, called the Annual Financial Reporting Model Regulation or AFRMR, incorporates best-practice corporate governance standards and elements that are found within Sarbanes-Oxley. The NAIC hopes to achieve transparency, fraud prevention and restored public confidence in the insurance industry by raising its own level of self-governance with that of SOX.
The revisions to the model regulation will become effective on Jan. 1, 2010, for the financial year ending Dec. 31, 2010, pending adoption by individual states. The revisions will impact both nonpublic and public insurers. Nonpublic insurers will be required to comply with certain SOX-type provisions. Public insurers that are SOX-compliant will be subject to additional SOX-related reporting requirements for their statutory financial statements.
Understanding the Rules
Congress has found that companies that struggled to implement and comply with the act's stringent Section 404 regulations often experienced significant financial burdens as a result. Insurance companies should review how SOX affected small and midcap companies and take a proactive, early approach to complying with the new regulations.
It's time for insurers to take advantage of the three-year lead time before new Model Audit Rule regulations are imposed. That way they can familiarize themselves with the rule's requirements to ensure that their businesses are not impacted negatively. It is imperative that companies understand the model rule's requirements and begin preparing now to avoid headaches and costly and disruptive preparation time down the road.
Even though the revisions were scaled back somewhat during the NAIC's adoption process, it still contains provisions that could cause substantial costs to insurers. Specifically, insurers with annual direct written premiums of more than $500 million must submit a report to the domiciliary state insurance commissioner on how their internal controls ensure compliance with the statutory financial statement process.
The Model Audit Rule also requires that insurers have formal audit committees that meet periodically with their external auditors, with no management present, to discuss the insurers' control environments. Each audit committee is responsible for the selection, payment and oversight of its external auditor.
However, the Annual Financial Reporting Model Regulation differs from SOX Section 404 in that an insurer's external auditor is not required to provide an attestation report on the effectiveness of internal controls over financial reporting. This significantly reduces the efforts required by external auditors and the associated costs that would be incurred had the Model Audit Rule's revisions included this particular subsection of SOX.
While advocacy groups such as the U.S. Chamber of Commerce have complained that new SOX-related reporting requirements have had a disproportionate impact on small businesses, the writing is on the wall: Corporate boards are aiming for maximum transparency with their shareholders. Regardless of the fact that only Virginia and Alabama have adopted the revisions, it is almost certain that all states will eventually approve the model rule. Based on views shared by board members serving public companies in all industries, it appears that voluntary compliance with the Model Audit Rule is in the best interest of insurance companies.
A Team Effort
Buy-in and support from top management is essential to the success of this kind of undertaking. This is a job for the entire organization, not just for those preparing financial reports. Meeting the “internal controls over financial reporting” requirements may require the hiring of internal controls experts, IT auditors and business analysts. Most public companies that have successfully adopted SOX had a project-team concept consisting of various specialists.
This is not a one-time project; compliance must be continuous. As with all critical projects, strong management is required. Ideally the project should be in the hands of internal control experts working closely with operations and finance staff, with the strong oversight and support of the audit committee. In other words, this isn't simply internal audit's responsibility.
In addition, enterprise risk management plays an important role in the transition to the Annual Financial Reporting Model Regulation. Motivated in part by several catastrophic failures within the financial services industry, regulators, ratings agencies, institutional investors and corporate governance bodies now insist that senior corporate managers take greater responsibility for managing risks on an enterprise wide scale.
By nature, insurance organizations have a variety of functions designed to identify and manage particular risks. However, each risk function varies in capability. A central goal of ERM is to improve this risk-recognition capability while integrating ERM output to provide a unified picture of risk and improve the organization's ability to manage risks effectively. Synchronizing this philosophy with the Model Audit Rule, therefore, is critically important for insurers.
Accounting firms should commit to helping their clients reach this goal. Companies that work diligently to become rule-compliant and keep regulators satisfied will reap big dividends for themselves, and their shareholders and policyholders will reap big dividends down the road.
And while no one doubts that the Model Audit Rule will impose complex new levels of regulations on both public and private companies, the best advice is to stay ahead of the curve by meeting the most comprehensive level of compliance well before Dec. 31, 2010.
Consumers stand to gain the most from a strong, competitive marketplace for insurance. In order to sustain the vitality of the insurance industry, companies must begin to prepare themselves for changes in regulations. Waiting until the last minute to comply could ultimately involve significant investments in both financial and human capital and cause enterprise-wide business disruption.
In business as well as life in general, change is inevitable. The more prepared insurers are for the new Model Audit Rule, the easier it will be to implement and the more benefits they will receive. Insurers should seek the guidance of professional financial and accounting professionals who have a proven track record of success guiding companies through the turbulent new world of regulation that currently exists.
In terms of risk management, its a sure bet.
Contributors: Ken Croarkin and Kevin Sullivan are with EisnerAmper, Politziner, & Mattia LLP, in Edison, N.J. Croarkin is a partner in the Insurance Industry Services Practice. Sullivan is a senior manager in the Internal Audit Services Group.