Model Audit Rule Adoption Has Advantages For Insurers
With the upcoming January 2010 effective date fast approaching for the revised Model Audit Rule (MAR), insurance departments nationwide appear to be on track to unanimously adopt this set of regulations.
MAR is designed to ensure that insurance companies identify and test key controls over financial reporting and submit, annually, to the department of insurance of the state in which they are domiciled a report of the effectiveness of theses controls.
While complying with MAR is a substantial undertaking that spans multiple disciplines within an organization, there are benefits to be realized beyond just compliance.
This effort can lay the foundation for the development of an enterprise risk management program, which is crucial in our financial climate today.
Motivated in part by several catastrophic failures within the financial services industry, regulators, ratings agencies, institutional investors and corporate governance bodies now insist that senior corporate managers take greater responsibility for managing risks on an enterprisewide scale.
Twenty-three states have adopted MAR thus far, with the remaining 28 jurisdictions reporting that they are in the process of adopting to meet the December 2009 deadline, according to the National Association of Insurance Commissioners’ recent Model Audit Rule Adoption Survey.
The originally introduced MAR was developed as a nonpublic insurer’s answer to the Sarbanes-Oxley Act (better known as SOX), passed in 2002 as a result of corporate governance scandals. Many SOX provisions were incorporated into MAR.
In June 2006, however, NAIC introduced significant changes to the existing MAR. The revised MAR—officially known as the Annual Financial Reporting Model Regulation, or AFRMR—incorporates best-practice corporate governance standards and elements that are found within SOX. The NAIC hopes to achieve transparency, prevent fraud and restore public confidence in the insurance industry by raising its own level of self-governance with that of SOX.
It is these revisions that will become effective on Jan 1, 2010 for the 23 states that have already adopted the rule, and upon adoption by the remaining 28 jurisdictions. The revisions will impact both nonpublic and public insurers.
Specific provisions of MAR include the following:
- Management Report. Insurers with annual direct written premiums of more than $500 million must submit, to the domiciliary state insurance commissioner, a "Management's Report of Internal Control Over Financial Reporting." The report, to be signed by the chief executive officer and chief financial officer, will describe how internal controls ensure compliance with the statutory financial statement process.
- Audit Committee Requirement. Effective Jan. 1, 2010, every insurer required to file a financial report is also required to have an audit committee.
Carriers with $300-to-$500 million in annual premiums are required to have a majority (50 percent or more) of independent audit committee members.
Carriers with more than $500 million in annual premiums are required to have a supermajority (75 percent or more) of independent audit committee members.
This is meant to eliminate the conflict of interest inherent in non-independent members making decisions that could directly or indirectly affect their compensation. In other words, they could attempt to unduly influence what the independent auditor reports publicly.
- Audit Firm Rules. The lead partner of the independent CPA firm cannot serve in that role for more than five years. In addition, the independent CPA firm is prohibited from performing any non-audit services for the insurance company, such as any management functions or internal audit.
Buy-in and support from top management is essential to the success of this kind of long-term undertaking. Assuming that all jurisdictions will adopt MAR, it is in the best interest of insurers to ask themselves how going through the MAR compliance process can help their organization in other ways.
To start, take the larger view—this is not just about compliance. If you are going to invest the funds and personnel time and effort, get the maximum benefit out of the effort. MAR adoption will:
- Create a catalog of key controls over significant processes. This allows the company to focus on only those controls whose failure could result in a material misstatement in the financial statements.
- Form the basis for a comprehensive ERM program. Good controls at the process and entity level allow management to focus on identifying and monitoring the other major risks to the organization, such as regulatory and operational risks.
- Exhibit to rating agencies and state regulators a commitment to ERM. Solid controls over financial reporting provide a strong foundation for any ERM program.
- Identify opportunities to improve business processes. A by-product of documenting the company’s controls is that it gives management the opportunity to eliminate redundant or ineffective controls and identify ways to streamline their business processes.
- Benchmark current procedures against insurance industry best practices.
- Document the critical processes supporting statutory financial reporting and the most important underlying controls embedded within those processes.
By nature, insurance organizations have a variety of functions designed to identify and manage particular risks. However, each risk function varies in capability.
A central goal of ERM is to improve this risk-recognition capability while integrating ERM output to provide a unified picture of risk and improve the organization’s ability to effectively manage risks.
Synchronizing this philosophy with the MAR is critically important for insurers. This will also have the additional benefit of creating a strong risk-aware culture in the company while making all employees responsible for managing risk.
There is no doubt that the MAR will create complex new levels of regulations on both public and private companies. The best strategy is to stay ahead of the curve and be willing to maximize the compliance effort for the future. Insurers should seek the guidance of financial and accounting professionals who can guide them through this new era of regulation.