CAS Annual Meeting November 14-16, 2005
Sarbanes-Oxley Act – Section 404
Implications for Insurance Companies
Heidi Hoeller, PricewaterhouseCoopers
Alan Hines, PricewaterhouseCoopers
Kevin Burns, The Hanover Insurance Group

Timeline of Events
12/2/2001: Enron Bankruptcy
7/30/2002: SOX Signed
8/29/2002: 302 Certifications
12/31/2004: SEC Accelerated Filer - 404 Compliance Date
Today
12/31/2005: All Other SEC Filers - 404 Compliance Date
TBD: NAIC

Sarbanes-Oxley Act - Overview
Sarbanes-Oxley Act signed into law on July 30, 2002
Most significant reform in the securities laws since enacted
Purpose is to restore confidence in public financial reporting
Fundamental change in how Audit Committees, management and auditors carry out responsibilities and interact
Passed with remarkable speed
Specific in some areas; only a framework in others with further rulemaking required to clarify
Increases accountability

The Components
The Sarbanes-Oxley Act is divided into 11 Sections (Titles):
1. Public Company Accounting Oversight Board
2. Auditor Independence
3. Corporate Responsibility
4. Enhanced Financial Disclosures
5. Analyst Conflicts of Interest
6. Commission Resources & Authority
7. Studies & Reports
8. Corporate & Criminal Fraud Accountability
9. White-Collar Crime Penalty Enhancements
10. Corporate Tax Returns
11. Corporate Fraud & Accountability

Title III – Corporate Responsibility
Sets independence standards for members of Board and Audit Committee
Section 302 requires quarterly certification by the CEO and CFO:
• Reports have been reviewed
• Report does not contain any material omissions or untrue statements
• Financial statements fairly present, in all material respects, the financial condition, results of operations and cash flows of the Company
• They are responsible for establishing & maintaining disclosure controls and procedures and have evaluated the design and effectiveness of these controls
• Confirmation that all control deficiencies and fraud have been disclosed to the audit committee
• Reporting of any subsequent control changes of significance

Title IV – Enhanced Disclosure
A number of provisions for enhanced financial statement disclosure are included in addition to…
Section 404 - Internal Control Report
Management’s annual assessment of internal controls
– Each annual report must contain an internal control report
Stating the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting and
Management’s assessment, as of the end of the most recent fiscal year, of the effectiveness of such controls and procedures
Auditor attestation report
– External auditor is required to attest to and report on management’s assessment. This includes two separate attestations; one on design and another on the operating effectiveness of the controls

404: Key Elements – Auditor Assurance
The auditors’ objectives:
• Express an opinion on management’s assessment of the effectiveness of the company’s internal control over financial reporting
• Express an opinion on the effectiveness of the company’s internal controls
As of the date specified in management’s assessment.

404: Key Elements – New Environment
In the old days, the auditor would… / Today, the auditor must…
In the old days: Understand how management controls its business.
Today: Evaluate management’s assessment on the effectiveness of internal control.
In the old days: Obtain an understanding of the design and operation of controls in order to determine the nature, timing and extent of substantive procedures.
Today: Obtain an understanding of the design of controls by performing walkthroughs, including controls related to fraud, to issue an opinion on the effectiveness of internal control and to determine the nature, timing and extent of substantive procedures.
In the old days: Test and evaluate the operation of internal controls only when the auditor intended to rely upon them.
Today: Test controls to issue an opinion on the effectiveness of internal control, whether we would typically rely on them for audit purposes or not.
In the old days: Complete auditor documentation to support the opinion on the financial statements.
Today: Complete auditor documentation to support the opinions on the financial statements, on management’s assessment of the effectiveness of internal control over financial reporting and on the effectiveness of internal control over financial reporting.

404: Key Steps for Assessing Controls
Scope & Plan
Understand & Evaluate
Validate
Assess Risk
Identify Significant Accounts
Identify Processes & Assertions
Scope Locations
Perform Walkthroughs
Evaluate Design Effectiveness
Consider Impact of Results
Evaluate Management Assessment
Test Operating Effectiveness
Consider Work of Others

404: Implementation Phases
1. Scoping & Planning
2. Documentation
3. Testing
4. Evaluation & Communication

404: Scoping & Planning
Assessment of internal controls must be based on a suitable, recognized control framework.
COSO (Committee of Sponsoring Organizations) Framework

404: Scoping & Planning - Components
• Accounts – all significant accounts and their relevant assertions
• Locations – significant (important) business locations or units
• Processes – significant processes over major classes of transactions
Significant Accounts, Components, and Assertions
Locations and Sub-Locations
Processes and Sub-Processes
Quantitative & Qualitative Considerations

404: Documentation
Management’s documentation should support:
• Scoping decisions
• Evaluation of whether controls are designed to prevent or detect material misstatements
• Conclusion that the tests of operating effectiveness were planned and performed properly
• That test results were considered in determining its assertion

404: Documentation - Process
Four step documentation process:
1. Determine scope of documentation
2. Develop process documentation
3. Develop controls documentation
4. Assess the design of controls

404: Documentation – Other Considerations
All significant controls must be documented, including general computer controls and company level controls
The level of assurance from a control should be assessed (manual vs. automated / simple vs. complex)
Control documentation should address six questions:
• What is the risk?
• What is the control activity?
• Why is the activity performed?
• Who performs the control?
• When is the activity performed? (Frequency)
• What mechanism is used to perform the activity?

404: Auditor Evaluation of Documentation
Inadequate documentation is a deficiency.

404: Testing Approach
Four key steps:
• Identify controls to be tested
• Identify who will perform the testing
• Develop and execute a test plan
• Evaluate the results

404: Identifying Controls to Test
Management must obtain reasonable assurance of operating effectiveness through testing.
Management must address operating effectiveness of controls over all five components of COSO.
Evidence can include self-assessment, internal audit procedures, and ongoing monitoring activities.
The need for detailed testing is not eliminated; rather, it is reduced through other evidence.
Robust testing reduces the risk that deficiencies are identified by independent auditors during the testing phase and allows adequate remediation time.

404: Nature & Extent of Testing
Frequency of Manual Control: Typical Number/Range for Testing
Annually: 1
Quarterly: 2
Monthly: 2 to 5
Weekly: 5 to 15
Daily: 20 to 40
Multiple Times per Day: 25 to 60
Level of Assurance: Reperformance; Examination; Observation; Inquiry

404: Evaluation – Deficiencies Defined
Significant Deficiency – a control deficiency that adversely affects the company’s ability to initiate, authorize, record, process, or report external financial data reliably in accordance with generally accepted accounting principles.
Material Weakness – a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected
Deficiencies and Reason:
Design: A control necessary to meet the control objective is missing OR An existing control is not properly designed so that, even if the controls operate, the control objective is not always met.
Operation: A properly designed control does not operate as intended OR The person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

404: Evaluation of Deficiencies – Process
1. Identify the Deficiencies
2. Understand and Assess the Deficiency
3. Assess the Likelihood of Misstatement
4. Assess the Potential Magnitude of Misstatement
5. Identify Compensating Controls
6. Determine Classification of Deficiencies
7. Assess Deficiencies in Aggregation with Others

404: Evaluation Criteria
Likelihood:
• Not whether a misstatement HAS occurred
• Is there a MORE THAN A REMOTE likelihood of occurrence?
Potential Magnitude:
• Size of POTENTIAL error that COULD occur
• Would the result be a more than inconsequential misstatement?
• Would the result be a material misstatement?

Given the Requirements for Section 404, How Does Management Ensure Readiness?
The following is a recommended 404 readiness approach:
• Initiate Project and Assess Risk
• Document and Evaluate Control Design
• Prepare Report on Internal Control Over Financial Reporting
• Remediate
• Test Operating Effectiveness
• Attest and Report
Management / Auditor
Project Management Support
Continuous Improvement

Title IV Subgroup of the NAIC/AICPA’s Working Group
Every insurer with $500 Million in premium will be required to submit an annual report from management on internal controls
SEC registrants, insurer members of a group that is an SEC registrant, and companies that voluntarily comply must file the report with the insurance department
IP Proposal to allow management reports by legal entity or as a “group of insurers”
Management Report must include the following:
• A statement that management is responsible for maintaining adequate controls over financial reporting
• Management’s belief that the controls are effective
• A description of the process used by management to evaluate the effectiveness of controls
• Disclosure of unremediated material weakness in the controls
May be no requirement for an independent auditor’s report or CPA attestation
Proposed effective date for compliance: December 31, 2009

Overview – 404 for Actuaries: A Systematic Approach
1) Take Inventory
2) Document Processes
3) Identify Risks
4) Identify Existing or New Controls
5) Test Design
6) Test Operation
5a/6a) Remediate Gaps
7) Auditor Testing
Management’s Responsibility
Step 1 – Take InventoryStep 1 – Take Inventory
Identify All Actuarial Balances• Gross Loss and LAE Reserves• Ceded Loss and LAE Reserves• Premium accruals for audits and retro rating
Identify Actuarial Notes to Financial Statements
• Current/prior year split; A&E reserves
Identify Those That Are Significant • Loss and LAE reserves are significant
Identify Those That Are Not SignificantSome subsets of reserves may not be significant
Document
Identify All Actuarial Balances• Gross Loss and LAE Reserves• Ceded Loss and LAE Reserves• Premium accruals for audits and retro rating
Identify Actuarial Notes to Financial Statements
• Current/prior year split; A&E reserves
Identify Those That Are Significant • Loss and LAE reserves are significant
Identify Those That Are Not SignificantSome subsets of reserves may not be significant
Document

Step 2 – Identify and Document the Process(es) Associated with the Significant Balances
Prerequisite to Identifying Points of Risk – Roadmap is Needed
The level of detail of the documentation is considered sufficient when:
• A reasonably qualified person,
• who is not intimately familiar with the process,
• can obtain sufficient understanding of how the process and embedded controls operate,
• in order to be able to perform objective validation thereof.

Roadmap to Actuarial Reserves
[Flowchart. Labels recoverable from the slide:]
• Catastrophe IBNR; Voluntary Pools IBNR; Involuntary Pools IBNR; Company IBNR
• Claims Dept; Reins Accounting; Product Management (Pricing, Trends..); Financial Planning (Forecasted prem., U/W)
• Reserving Process
• P&C Acctng; Reins Acctng
• P&C Financial Reporting 4.2.1.1, 4.2.1.2, 4.3.1.1,
• Assumed Reinsurance & Pools Acctng 3.1.1.2, 5.1.1.2, 5.1.1.4
• P&C Actuarial Controls 5.1.1.1 - 5.3.2.3
Determined By: Account: GL Owner Control Matrix

Step 2 – Identify and Document the Process(es) Associated with the Significant Balances
A Generic List of Processes Might Include
• Data Collection and Testing
• Actuarial Judgments Relating to Methods/Assumptions
• Actuarial calculation environment
• Peer Review Procedures
• Determination of Selected Estimates
• Bridging the Gap between Actuarial Indications and Recorded Reserves

Step 3 – Identify Risks
Risk of Material Financial Misstatement – Not Operational Risk
Look for points in the process where a potential misstatement could occur (may be due to inherent risk or fraud risk).
• Data
• IT environment - including Spreadsheets
• Methods, Calculations, and Assumptions
• Actuarial Judgments
• Management “Adjustments” or differences
• Recording Reserve Changes
Qualify Risk – High or Low

Step 4 – Identify Existing or New Control Activities
Controls over a process created to ensure:
• Accuracy
• Completeness
• Validity
• Restricted access
Many actuarial processes have controls embedded into them!
• Consider a review of the ratio of case reserves to paid claims:
• Is it a control over the appropriateness of the development method?
• Is it part of the reserve estimating process?
Some controls are automated; some are manual.
May not be 1-to-1 correspondence between processes and controls nor between risks and controls:
• Some controls may mitigate many risks.
• Some risks may be mitigated by a combination of controls.

Step 5 – Test the Design of Controls
This was a new concept for actuaries.
Walkthroughs can be a useful testing procedure for assessing whether the documentation accurately reflects actual controls.
Evaluating the design effectiveness of a control is an attempt to look at the activity and decide whether it achieves its objective.
The testing should consider how the control was applied, the consistency with which it was applied, and by whom it was applied.
Only properly designed controls are capable of operating effectively.

Step 6 – Test the Operation of Controls
This was also a new concept for actuaries.
Testing the control involves determining that the control step was performed and that it achieved its intended function.
Testing can be performed in the following ways:
• Inquiry
• Observation
• Inspection/examination
• Re-performance
Documentation is required to give evidence of:
• The performance of the control, and
• The testing of the control’s operating effectiveness.

Step 5a or 6a – Remediate any Gap(s)
When the evaluation of design yielded a missing key control, then one must be created.
When the test of a key control’s design yields a gap, it must be fixed (remediated).
If the test of a key control’s operation yields a significant gap, it must be remediated
• May involve re-designing the control
• For some processes, other controls effectively mitigated the risk and the key controls were redefined
Management needs adequate time to remediate and re-test the design to avoid a control deficiency.

Step 7 – Auditor Testing of the Internal Controls
By the time this happens, management’s documentation job should be essentially done (if it was done properly).
The controls must already be in place and operating.
The audit firm will need to:
• Review management’s testing in support of management’s assertion,
• Perform its own testing of the internal controls to support its opinion on the controls,
• Evaluate whether deficiencies are inconsequential or significant, and
• Determine if the deficiencies create a material weakness.

Internal Control – The Finish Line
An opinion that controls are effective would require, at least, the following:
• Processes for significant account balances and disclosures are adequately documented.
• Control activities are designed and in place.
• Control activities have been documented and communicated to employees.
• Standardized controls with periodic testing for effective design and operation with reporting to management.

Lessons Learned From Year One
Need to use a systematic approach – Attempting to start by identifying risks and controls is not efficient.
Most companies had effective controls over actuarial process but poor documentation.
Key was to identify which steps in the process were controls.
Common Gaps in Controls:
• Spreadsheet controls
• Controls over Actuarial Judgment
• Bridging the gap between actuarial indication and management’s best estimate.

Spreadsheets – Why the focus?
An error in a spreadsheet at a major financial institution was a significant factor in a $1 billion misclassification of securities in the financial statements.
Computer World published an article in May 2004 suggesting 20-40% of spreadsheets have errors while testing by the University of Hawaii found a 91% error rate.
The Journal of Property Management found 30 to 90% of spreadsheets have errors, with the highest percentage coming from complex sheets (more than 200 lines).
Many companies rely heavily on spreadsheets.

Spreadsheets - Potential Risks
When evaluating risks, consider:
• Complexity
• Purpose
• Type of input
• Size of spreadsheet
• Sophistication of developer
• Uses of output
• Frequency of modification
• Development Cycle (testing, training, etc.)

Spreadsheets – Practical Steps
The following practical steps can be taken to ensure proper controls over spreadsheets:
• Inventory spreadsheets
• Evaluate the use and complexity of spreadsheets
• Determine the necessary level of controls for “key” spreadsheets
• Evaluate existing “as is” controls
• Develop an action plan for remediating deficiencies

Spreadsheets: Base Level Controls
Base level controls for spreadsheets should include:
• Change Control
• Version Control
• Access Control
• Input Control
• Security & Data Integrity
More complete controls should be in place for spreadsheets assessed as other than low priority

Reserving Process Flowchart
[Flowchart. Labels recoverable from the slide:]
• Processed Paid & Case Reserve Adjustments from Claims Systems
• Manual Paid & Case Reserve Adjustments from General Ledger
• Earned Premium and Paid ULAE from the General Ledger
• Claims Initiatives
• Pricing Activity Reports
• In-force Policy Reports
• Trends and other influences
• Reconcile to General Ledger
• Present Reserve Indications to Reserve Committee
• Provide Business Leaders with AY profitability trends
• Input for IBNR Funding Model
• Actuarial Reserving Data Process
• Reinsurance, Pools & Association Adjustment (see Reins Accounting Cycle)
• Actuarial Reserving Analysis Process
• IBNR Recording Process
• Catastrophe Reserve (see Claims Cycle)

Reserving Risks and Control Objectives
Three Main Processes:
• Data
• Reserve Analysis
• Recording

Reserving Risks and Control Objectives
Data Process:
Risk - Data utilized is not complete, accurate or timely resulting in inaccurate reserve estimates
Control Objective - Ensure the data utilized for the actuarial review of reserves is complete, accurate, and received in a timely manner
47
Reserving Risks and Control Objectives
Analysis:
Risk - Use of or reliance on inappropriate methodologies or underlying assumptions may result in inaccurate estimates of the liabilities
Control Objective - Ensure the methods and assumptions used in calculating reserve estimates are in accordance with standards as promulgated by the Casualty Actuarial Society to ensure completeness, consistency, and reasonableness
Reserving Risks and Control Objectives
Recording:
Risk - Adjustments to IBNR are not valid or are recorded incorrectly, resulting in inaccurate financial statements
Control Objective - Ensure adjustments to IBNR are valid and recorded correctly within the financial statements.
Key Mitigating Controls - Data
Detailed Close Schedule - A detailed close schedule for the reserving unit's quarterly reserving analysis is prepared and monitored.
Balance Processed Data - A reconciliation between the Loss Reserving System and the Corporate Claims System is performed.
Balance Data to the General Ledger - A reconciliation between the data underlying the Reserve analysis and that contained in the General Ledger is performed PRIOR to starting reserve analysis.
Balance Data to the General Ledger - A reconciliation between the data underlying the Reserve analysis and that contained in the General Ledger is performed AFTER reserve analysis is completed.
Communication to Senior Management - The Lead Reserving Actuary "signs off" that information in key management reports is both accurate and complete.
Systems Security - Access to server containing reserving files limited to members of reserving unit.
Control 1.1.1.2 – Data Timeline
Completed by: Date: (Signature:) ___________________________________________
Task Number | Deliverable Close Day | Control Number | Task Description | Expected Completion Date | Actual Completion Date | Completed By Initials
1 | | | ULAE Paid-to-Paid Update | 15-Sep | 15-Sep | _______
2 | | | Update Reserving Software | 25-Sep | 25-Sep | _______
6 | 1 | 1.1.1.3 | Day 1 Reconciliation Report | 3-Oct | 3-Oct | _______
9 | 3 | | Environmental Reserve Analysis | 5-Oct | 6-Oct | _______
14 | 5 | 1.1.1.7 | Day 5 Reconciliation Report | 7-Oct | 7-Oct | _______
Key Mitigating Controls - Analysis
Multiple Reserving Methodologies Applied - The indications produced by the various methodologies are evaluated for each accident year and selections are based on a review of the strengths and weaknesses of each method.
Actuarial Judgments Checklist - The Lead Reserving Actuary formally reviews the consistency of assumptions, methodologies, loss development selections, and reserve selections made by staff reserving actuaries.
External Reserve Review - An external actuarial consulting firm is retained to perform independent reserve estimates.
Internal Communication - Loss trend groups, represented and attended by all major functional areas (Accounting, Claims, Reinsurance, Underwriting, Regional Management) meet on a quarterly basis.
Actuarial Standards of Practice - The actuarial review is performed in accordance with standards published by the CAS.
Actuarial Opinion - A qualified actuary (FCAS) issues an opinion on the adequacy of the reserves on an annual basis to ensure completeness, consistency, and reasonableness.
Control 1.1.1.2 – Actuarial Judgment
Completed by: Date: (Signature:) ___________________________________________
CHECKLIST FOR REVIEW OF ACTUARIAL JUDGMENTS
FOR RESERVE CYCLE: SEPTEMBER 30, 2005
(change from prior quarter, Y or N)
Line of Business | Consistency of Incurred Link Ratios | Consistency of Paid Link Ratios | Consistency of Paid Tail Factor | Consistency of Average Case Reserves | Consistency of Settlement Rates
Personal Auto BI | no | no | no | no | no
Personal Auto PIP | no | no | no | no | no
Personal Auto PDL | no | no | no | yes | no
Personal Auto Phy Dam | no | no | no | no | yes
Control 1.1.1.2 – Actuarial Judgment
Completed by: Date: (Signature:) ___________________________________________
CHECKLIST FOR REVIEW OF ACTUARIAL JUDGMENTS
FOR RESERVE CYCLE:
(change from prior quarter, Y or N)
Line of Business | Change in Methodology Weights, Prior Acc Yrs | Impact | Change in Methodology Weights, Current Acc Yr | Impact | Consistency of Paid ALAE Link Ratios | Consistency of Ult ALAE-Ult Loss Assumptions | Impact
Personal Auto BI | yes | 769 | no | | no | no |
Personal Auto PIP | no | | no | | no | no |
Personal Auto PDL | no | | no | | no | no |
Personal Auto Phy Dam | no | | yes | (632) | no | no |
Key Mitigating Controls - Recording
Reserve Committee – A Reserve Committee (comprised of senior management including the Lead Reserve Actuary) evaluates the quarterly actuarial indications and decides on appropriate IBNR Adjustments.
Financial Statements Reconciliation - A formal reconciliation of the adjustments to IBNR is performed at the end of each quarter under the direction of the Lead Reserving Actuary.
CAT Reserve Review - Adjustments for CAT IBNR are estimated by the Claims Dept and recorded in the ledger by P&C Accounting. Refer to the Claims cycle and the P&C Financial Reporting cycle.
Other Reserve Adjustments - Adjustments for Voluntary Pools IBNR are recorded in the ledger by Reinsurance Accounting. Refer to Assumed Reinsurance & Pools Accounting.