1 CAS Annual Meeting November 14-16, 2005 Sarbanes-Oxley Act – Section 404 Implications for Insurance Companies Heidi Hoeller, PricewaterhouseCoopers Alan Hines, PricewaterhouseCoopers Kevin Burns, The Hanover Insurance Group

1

CAS Annual Meeting November 14-16, 2005

Sarbanes-Oxley Act – Section 404

Implications for Insurance Companies

Heidi Hoeller, PricewaterhouseCoopers

Alan Hines, PricewaterhouseCoopers

Kevin Burns, The Hanover Insurance Group

2

Timeline of Events

• 12/2/2001: Enron Bankruptcy
• 7/30/2002: SOX Signed
• 8/29/2002: 302 Certifications
• 12/31/2004: SEC Accelerated Filer - 404 Compliance Date
• 12/31/2005: All Other SEC Filers - 404 Compliance Date
• TBD: NAIC
• Today

3

Sarbanes – Oxley Act - Overview

Sarbanes-Oxley Act signed into law on July 30, 2002

Most significant reform of the securities laws since they were enacted

Purpose is to restore confidence in public financial reporting

Fundamental change in how Audit Committees, management and auditors carry out responsibilities and interact

Passed with remarkable speed

Specific in some areas; only a framework in others with further rulemaking required to clarify

Increases accountability

4

The Components

The Sarbanes – Oxley Act is divided into 11 Sections (Titles):

1. Public Company Accounting Oversight Board

2. Auditor Independence

3. Corporate Responsibility

4. Enhanced Financial Disclosures

5. Analyst Conflicts of Interest

6. Commission Resources & Authority

7. Studies & Reports

8. Corporate & Criminal Fraud Accountability

9. White-Collar Crime Penalty Enhancements

10. Corporate Tax Returns

11. Corporate Fraud & Accountability

5

Title III – Corporate Responsibility

Sets independence standards for members of Board and Audit Committee

Section 302 requires quarterly certification by the CEO and CFO

Reports have been reviewed

Report does not contain any material omissions or untrue statements

Financial statements fairly present, in all material respects, the financial condition, results of operations and cash flows of the Company

They are responsible for establishing & maintaining disclosure controls and procedures and have evaluated the design and effectiveness of these controls

Confirmation that all control deficiencies and fraud have been disclosed to the audit committee

Reporting of any subsequent control changes of significance

6

Title IV – Enhanced Disclosure

A number of provisions for enhanced financial statement disclosure are included in addition to…

Section 404 - Internal Control Report

Management’s annual assessment of internal controls

– Each annual report must contain an internal control report

Stating the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting and

Management’s assessment, as of the end of the most recent fiscal year, of the effectiveness of such controls and procedures

Auditor attestation report

– External auditor is required to attest to and report on management’s assessment. This includes two separate attestations: one on design and another on the operating effectiveness of the controls.

7

404 Key Elements – Auditor Assurance

The auditors’ objectives:

• Express an opinion on management’s assessment of the effectiveness of the company’s internal control over financial reporting
• Express an opinion on the effectiveness of the company’s internal controls

As of the date specified in management’s assessment.

8

404: Key Elements – New Environment

In the old days, the auditor would… / Today, the auditor must…

• In the old days: Understand how management controls its business.
  Today: Evaluate management’s assessment on the effectiveness of internal control.

• In the old days: Obtain an understanding of the design and operation of controls in order to determine the nature, timing and extent of substantive procedures.
  Today: Obtain an understanding of the design of controls by performing walkthroughs, including controls related to fraud, to issue an opinion on the effectiveness of internal control and to determine the nature, timing and extent of substantive procedures.

• In the old days: Test and evaluate the operation of internal controls only when the auditor intended to rely upon them.
  Today: Test controls to issue an opinion on the effectiveness of internal control, whether we would typically rely on them for audit purposes or not.

• In the old days: Complete auditor documentation to support the opinion on the financial statements.
  Today: Complete auditor documentation to support the opinions on the financial statements, on management’s assessment of the effectiveness of internal control over financial reporting and on the effectiveness of internal control over financial reporting.

9

404: Key Steps for Assessing Controls

Phases: Scope & Plan; Understand & Evaluate; Validate

Steps shown in the diagram:

• Assess Risk
• Identify Significant Accounts
• Identify Processes & Assertions
• Scope Locations
• Perform Walkthroughs
• Evaluate Design Effectiveness
• Consider Impact of Results
• Evaluate Management Assessment
• Test Operating Effectiveness
• Consider Work Of Others

10

404: Implementation Phases

1. Scoping & Planning

2. Documentation

3. Testing

4. Evaluation & Communication

11

404: Scoping & Planning

Assessment of internal controls must be based on a suitable, recognized control framework.

COSO (Committee of Sponsoring Organizations) Framework

12

404: Scoping & Planning - Components

• Accounts – all significant accounts and their relevant assertions
• Locations – significant (important) business locations or units
• Processes – significant processes over major classes of transactions

Diagram labels: Significant Accounts, Components, and Assertions; Locations and Sub-Locations; Processes and Sub-Processes; Quantitative & Qualitative Considerations

13

404: Documentation

Management’s documentation should support:

Scoping decisions

Evaluation of whether controls are designed to prevent or detect material misstatements

Conclusion that the tests of operating effectiveness were planned and performed properly

That test results were considered in determining its assertion

14

404: Documentation - Process

Four step documentation process:

1. Determine scope of documentation

2. Develop process documentation

3. Develop controls documentation

4. Assess the design of controls

15

404: Documentation – Other Considerations

All significant controls must be documented, including general computer controls and company level controls

The level of assurance from a control should be assessed (manual vs. automated / simple vs. complex)

Control documentation should address six questions:

• What is the risk?
• What is the control activity?
• Why is the activity performed?
• Who performs the control?
• When is the activity performed? (Frequency)
• What mechanism is used to perform the activity?

16

404: Auditor Evaluation of Documentation

Inadequate documentation is a deficiency.

17

404: Testing Approach

Four key steps:

Identify controls to be tested

Identify who will perform the testing

Develop and execute a test plan

Evaluate the results

18

404: Identifying Controls to Test

Management must obtain reasonable assurance of operating effectiveness through testing.

Management must address operating effectiveness of controls over all five components of COSO.

Evidence can include self-assessment, internal audit procedures, and ongoing monitoring activities

The need for detailed testing is not eliminated, rather it is reduced through other evidence.

Robust testing reduces the risk that deficiencies are identified by independent auditors during the testing phase and allows adequate remediation time

19

404: Nature & Extent of Testing

Frequency of Manual Control: Typical Number/Range for Testing

• Annually: 1
• Quarterly: 2
• Monthly: 2 to 5
• Weekly: 5 to 15
• Daily: 20 to 40
• Multiple Times per Day: 25 to 60

Level of Assurance (diagram labels): Reperformance; Examination; Observation; Inquiry

20

404: Evaluation – Deficiencies Defined

Significant Deficiency – a control deficiency that adversely affects the company’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles.

Material Weakness – a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected

Deficiencies and Reason:

• Design: A control necessary to meet the control objective is missing OR An existing control is not properly designed so that, even if the controls operate, the control objective is not always met.

• Operation: A properly designed control does not operate as intended OR The person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

21

404: Evaluation of Deficiencies – Process

1. Identify the Deficiencies

2. Understand and Assess the Deficiency

3. Assess the Likelihood of Misstatement

4. Assess the Potential Magnitude of Misstatement

5. Identify Compensating Controls

6. Determine Classification of Deficiencies

7. Assess Deficiencies in Aggregation with Others

22

404: Evaluation Criteria

Likelihood:

• Not whether a misstatement HAS occurred
• Is there a MORE THAN A REMOTE likelihood of occurrence?

Potential Magnitude:

• Size of POTENTIAL error that COULD occur
• Would the result be a more than inconsequential misstatement?
• Would the result be a material misstatement?

23

Given the Requirements for Section 404, How Does Management Ensure Readiness?

The following is a recommended 404 readiness approach:

• Initiate Project and Assess Risk
• Document and Evaluate Control Design
• Prepare Report on Internal Control Over Financial Reporting
• Remediate
• Test Operating Effectiveness
• Attest and Report

Diagram labels: Project Management Support; Management; Auditor; Continuous Improvement

25

Title IV Subgroup of the NAIC/AICPA’s Working Group

Every insurer with $500 Million in premium will be required to submit an annual report from management on internal controls

SEC registrants, insurer members of a group that is an SEC registrant, and companies that voluntarily comply must file the report with the insurance department

IP Proposal to allow management reports by legal entity or as a “group of insurers”

Management Report Must Include the following:

• A statement that management is responsible for maintaining adequate controls over financial reporting
• Management’s belief that the controls are effective
• A description of the process used by management to evaluate the effectiveness of controls
• Disclosure of unremediated material weakness in the controls

May be no requirement for an independent auditor’s report or CPA attestation

Proposed effective date for compliance: December 31, 2009

26

Overview – 404 for Actuaries: A Systematic Approach

1) Take Inventory

2) Document Processes

3) Identify Risks

4) Identify Existing or New Controls

5) Test Design

6) Test Operation

5a/6a) Remediate Gaps

7) Auditor Testing

Diagram label: Management’s Responsibility

27

Step 1 – Take Inventory

Identify All Actuarial Balances

• Gross Loss and LAE Reserves
• Ceded Loss and LAE Reserves
• Premium accruals for audits and retro rating

Identify Actuarial Notes to Financial Statements

• Current/prior year split; A&E reserves

Identify Those That Are Significant

• Loss and LAE reserves are significant

Identify Those That Are Not Significant

• Some subsets of reserves may not be significant

Document

28

Step 2 – Identify and Document the Process(es) Associated with the Significant Balances

Prerequisite to Identifying Points of Risk – Roadmap is Needed

The level of detail of the documentation is considered sufficient when:

• A reasonably qualified person,
• who is not intimately familiar with the process,
• can obtain sufficient understanding of how the process and embedded controls operate,
• in order to be able to perform objective validation thereof.

29

Roadmap to Actuarial Reserves

[Flowchart; labels recovered from the diagram:]

• Catastrophe IBNR
• Voluntary Pools IBNR
• Involuntary Pools IBNR
• Company IBNR
• Claims Dept
• Reins Accounting
• Product Management (Pricing, Trends..)
• Financial Planning (Forecasted prem., U/W)
• Reserving Process
• P&C Acctng
• P&C Financial Reporting: 4.2.1.1, 4.2.1.2, 4.3.1.1,
• Assumed Reinsurance & Pools Acctng: 3.1.1.2, 5.1.1.2, 5.1.1.4
• P&C Actuarial Controls: 5.1.1.1 - 5.3.2.3

Determined By: Account: GL Owner Control Matrix

30

Step 2 – Identify and Document the Process(es) Associated with the Significant Balances

A Generic List of Processes Might Include

• Data Collection and Testing
• Actuarial Judgments Relating to Methods/Assumptions
• Actuarial calculation environment
• Peer Review Procedures
• Determination of Selected Estimates
• Bridging the Gap between Actuarial Indications and Recorded Reserves

31

Step 3 – Identify Risks

Risk of Material Financial Misstatement – Not Operational Risk

Look for points in the process where a potential misstatement could occur (may be due to inherent risk or fraud risk).

• Data
• IT environment - including Spreadsheets
• Methods, Calculations, and Assumptions
• Actuarial Judgments
• Management “Adjustments” or differences
• Recording Reserve Changes

Qualify Risk – High or Low

32

Step 4 – Identify Existing or New Control Activities

Controls over a process created to ensure:

• Accuracy
• Completeness
• Validity
• Restricted access

Many actuarial processes have controls embedded into them!

• Consider a review of the ratio of case reserves to paid claims:

• Is it a control over the appropriateness of the development method?

• Is it part of the reserve estimating process?

Some controls are automated; some are manual.

May not be 1-to-1 correspondence between processes and controls nor between risks and controls:

• Some controls may mitigate many risks.
• Some risks may be mitigated by a combination of controls.

33

Step 5 – Test the Design of Controls

This was a new concept for actuaries.

Walkthroughs can be a useful testing procedure for assessing whether the documentation accurately reflects actual controls.

Evaluating the design effectiveness of a control is an attempt to look at the activity and decide whether it achieves its objective.

The testing should consider how the control was applied, the consistency with which it was applied, and by whom it was applied.

Only properly designed controls are capable of operating effectively.

34

Step 6 – Test the Operation of Controls

This was also a new concept for actuaries.

Testing the control involves determining that the control step was performed and that it achieved its intended function.

Testing can be performed in the following ways:

• Inquiry
• Observation
• Inspection/examination
• Re-performance

Documentation is required to give evidence of:

• The performance of the control, and
• The testing of the control’s operating effectiveness.

35

Step 5a or 6a – Remediate any Gap(s)

When the evaluation of design yielded a missing key control, then one must be created.

When the test of a key control’s design yields a gap, it must be fixed (remediated).

If the test of a key control’s operation yields a significant gap, it must be remediated

• May involve re-designing the control
• For some processes, other controls effectively mitigated the risk and the key controls were redefined

Management needs adequate time to remediate and re-test the design to avoid a control deficiency.

36

Step 7 – Auditor Testing of the Internal Controls

By the time this happens, management’s documentation job should be essentially done (if it was done properly).

The controls must already be in place and operating.

The audit firm will need to:

• Review management’s testing in support of management’s assertion,
• Perform its own testing of the internal controls to support its opinion on the controls,
• Evaluate whether deficiencies are inconsequential or significant, and
• Determine if the deficiencies create a material weakness.

37

Internal Control – The Finish Line

An opinion that controls are effective would require, at least, the following:

• Processes for significant account balances and disclosures are adequately documented.
• Control activities are designed and in place.
• Control activities have been documented and communicated to employees.
• Standardized controls with periodic testing for effective design and operation with reporting to management.

38

Lessons Learned From Year One

Need to use a systematic approach – Attempting to start by identifying risks and controls is not efficient.

Most companies had effective controls over actuarial process but poor documentation.

Key was to identify which steps in the process were controls.

Common Gaps in Controls:

• Spreadsheet controls
• Controls over Actuarial Judgment
• Bridging the gap between actuarial indication and management’s best estimate.

39

Spreadsheets – Why the focus?

An error in a spreadsheet at a major financial institution was a significant factor in a $1 billion misclassification of securities in the financial statements.

Computer World published an article in May 2004 suggesting 20-40% of spreadsheets have errors while testing by the University of Hawaii found a 91% error rate.

The Journal of Property Management found 30 to 90% of spreadsheets have errors, with the highest percentage coming from complex sheets (more than 200 lines).

Many companies rely heavily on spreadsheets.

40

Spreadsheets - Potential Risks

When evaluating risks, consider:

• Complexity
• Purpose
• Type of input
• Size of spreadsheet
• Sophistication of developer
• Uses of output
• Frequency of modification
• Development Cycle (testing, training, etc.)

41

Spreadsheets – Practical Steps

The following practical steps can be taken to ensure proper controls over spreadsheets:

Inventory spreadsheets

Evaluate the use and complexity of spreadsheets

Determine the necessary level of controls for “key” spreadsheets

Evaluate existing “as is” controls

Develop an action plan for remediating deficiencies

42

Spreadsheets: Base Level Controls

Base level controls for spreadsheets should include:

Change Control

Version Control

Access Control

Input Control

Security & Data Integrity

More complete controls should be in place for spreadsheets assessed as other than low priority

44

Reserving Process Flowchart

[Flowchart; labels recovered from the diagram:]

• Processed Paid & Case Reserve Adjustments from Claims Systems
• Manual Paid & Case Reserve Adjustments from General Ledger
• Earned Premium and Paid ULAE from the General Ledger
• Claims Initiatives
• Pricing Activity Reports
• In-force Policy Reports
• Trends and other influences
• Reconcile to General Ledger
• Present Reserve Indications to Reserve Committee
• Provide Business Leaders with AY profitability trends
• Input for IBNR Funding Model
• Actuarial Reserving Data Process
• Reinsurance, Pools & Association Adjustment (See Reins Accounting Cycle)
• Actuarial Reserving Analysis Process
• IBNR Recording Process
• Catastrophe Reserve (see Claims Cycle)

45

Reserving Risks and Control Objectives

Three Main Processes

Data

Reserve Analysis

Recording

46

Reserving Risks and Control Objectives

Data Process:

Risk - Data utilized is not complete, accurate or timely resulting in inaccurate reserve estimates

Control Objective - Ensure the data utilized for the actuarial review of reserves is complete, accurate, and received in a timely manner

47

Reserving Risks and Control Objectives

Analysis:

Risk - Use of or reliance on inappropriate methodologies or underlying assumptions may result in inaccurate estimates of the liabilities

Control Objective - Ensure the methods and assumptions used in calculating reserve estimates are in accordance with standards as promulgated by the Casualty Actuarial Society to ensure completeness, consistency, and reasonableness

48

Reserving Risks and Control Objectives

Recording:

Risk - Adjustments to IBNR are not valid or are recorded incorrectly resulting in inaccurate financial statements

Control Objective - Ensure adjustments to IBNR are valid and recorded correctly within the financial statements.

49

Key Mitigating Controls - Data

Detailed Close Schedule - A detailed close schedule for the reserving unit's quarterly reserving analysis is prepared and monitored.

Balance Processed Data - A reconciliation between the Loss Reserving System and the Corporate Claims System is performed.

Balance Data to the General Ledger - A reconciliation between the data underlying the Reserve analysis and that contained in the General Ledger is performed PRIOR to starting reserve analysis.

Balance Data to the General Ledger - A reconciliation between the data underlying the Reserve analysis and that contained in the General Ledger is performed AFTER reserve analysis is completed.

Communication to Senior Management - The Lead Reserving Actuary "signs off" that information in key management reports is both accurate and complete.

Systems Security - Access to the server containing reserving files is limited to members of the reserving unit.

50

Control 1.1.1.2 – Data Timeline

Completed by (Signature): ___________________________________________ Date:

| Task Number | Deliverable Close Day | Control Number | Task Description | Expected Completion Date | Actual Completion Date | Completed By Initials |
|---|---|---|---|---|---|---|
| 1 | | | ULAE Paid-to-Paid Update | 15-Sep | 15-Sep | _______ |
| 2 | | | Update Reserving Software | 25-Sep | 25-Sep | _______ |
| 6 | 1 | 1.1.1.3 | Day 1 Reconciliation Report | 3-Oct | 3-Oct | _______ |
| 9 | 3 | | Environmental Reserve Analysis | 5-Oct | 6-Oct | _______ |
| 14 | 5 | 1.1.1.7 | Day 5 Reconciliation Report | 7-Oct | 7-Oct | _______ |

51

Key Mitigating Controls - Analysis

Multiple Reserving Methodologies Applied - The indications produced by the various methodologies are evaluated for each accident year and selections are based on a review of the strengths and weaknesses of each method.

Actuarial Judgments Checklist - The Lead Reserving Actuary formally reviews the consistency of assumptions, methodologies, loss development selections, and reserve selections made by staff reserving actuaries.

External Reserve Review - An external actuarial consulting firm is retained to perform independent reserve estimates.

Internal Communication - Loss trend groups, represented and attended by all major functional areas (Accounting, Claims, Reinsurance, Underwriting, Regional Management) meet on a quarterly basis.

Actuarial Standards of Practice – The actuarial review is performed in accordance with standards published by the CAS.

Actuarial Opinion - A qualified actuary (FCAS) issues an opinion on the adequacy of the reserves on an annual basis to ensure completeness, consistency, and reasonableness.

52

Control 1.1.1.2 – Actuarial Judgment

Completed by (Signature): ___________________________________________ Date:

CHECKLIST FOR REVIEW OF ACTUARIAL JUDGMENTS

FOR RESERVE CYCLE: SEPTEMBER 30, 2005

(change from prior quarter, Y or N)

| Line of Business | Consistency of Incurred Link Ratios | Consistency of Paid Link Ratios | Consistency of Paid Tail Factor | Consistency of Average Case Reserves | Consistency of Settlement Rates |
|---|---|---|---|---|---|
| Personal Auto BI | no | no | no | no | no |
| Personal Auto PIP | no | no | no | no | no |
| Personal Auto PDL | no | no | no | yes | no |
| Personal Auto Phy Dam | no | no | no | no | yes |

53

Control 1.1.1.2 – Actuarial Judgment

Completed by (Signature): ___________________________________________ Date:

CHECKLIST FOR REVIEW OF ACTUARIAL JUDGMENTS

FOR RESERVE CYCLE:

(change from prior quarter, Y or N)

| Line of Business | Change in Methodology Weights, Prior Acc Yrs | Impact | Change in Methodology Weights, Current Acc Yr | Impact | Consistency of Paid ALAE Link Ratios | Consistency of Ult ALAE-Ult Loss Assumptions | Impact |
|---|---|---|---|---|---|---|---|
| Personal Auto BI | yes | 769 | no | | no | no | |
| Personal Auto PIP | no | | no | | no | no | |
| Personal Auto PDL | no | | no | | no | no | |
| Personal Auto Phy Dam | no | | yes | (632) | no | no | |

54

Key Mitigating Controls - Recording

Reserve Committee – A Reserve Committee (comprised of senior management including the Lead Reserve Actuary) evaluates the quarterly actuarial indications and decides on appropriate IBNR Adjustments.

Financial Statements Reconciliation - A formal reconciliation of the adjustments to IBNR is performed at the end of each quarter under the direction of the Lead Reserving Actuary.

CAT Reserve Review - Adjustments for CAT IBNR are estimated by the Claims Dept and recorded in the ledger by P&C Accounting. Refer to the Claims cycle and the P&C Financial Reporting cycle.

Other Reserve Adjustments - Adjustments for Voluntary Pools IBNR are recorded in the ledger by Reinsurance Accounting. Refer to Assumed Reinsurance & Pools Accounting.
