430 likes | 634 Views
The Sarbanes Oxley Act of 2002: What Does it Mean?. Moderator: Patricia Teufel – KPMG Speakers: Richard Lynch – Ernst & Young Marc Oberholtzer – PWC Jay Votta – Ernst & Young. Casualty Loss Reserve Seminar September 8-10, 2003 Chicago, Illinois.
E N D
The Sarbanes Oxley Act of 2002:What Does it Mean? Moderator: Patricia Teufel – KPMG Speakers: Richard Lynch – Ernst & Young Marc Oberholtzer – PWC Jay Votta – Ernst & Young Casualty Loss Reserve Seminar September 8-10, 2003 Chicago, Illinois
Patricia Teufel Casualty Loss Reserve Seminar September 8-10, 2003 Chicago, Illinois
Overview of SEC Rules:Management Reporting on Internal Control, Auditor Independence & Prohibited Non Audit Services Richard Lynch Casualty Loss Reserve Seminar September 8-10, 2003 Chicago, Illinois
Final Rule: Management Reporting on Internal Control • Management must report annually on effectiveness of company’s internal control over financial reporting. • Company’s auditor must attest to and report on management’s assessment. • Both management’s and the auditor’s reports must be included in the company’s annual report filed with the SEC.
Final Rule: Management Reporting on Internal Control • Management must evaluate, quarterly, any change in internal control over financial reporting that has “materially affected, or is reasonably likely to materially affect, the registrant’s internal control over financial reporting.” • Final rule also modifies the management certifications and related disclosures adopted by the SEC under Section 302 of the Sarbanes-Oxley Act. • Section 906 certification now must be “furnished” as an exhibit.
Final Rule: Management Reporting on Internal Control • Effective for “accelerated filers” for fiscal years ending on or after June 15, 2004. • Effective for all other issuers for fiscal years ending on or after April 15, 2005. • In the issuer’s first periodic report due after its first section 404 report, management must evaluate material changes in internal control over financial reporting.
Final Rule: Management Reporting on Internal Control • Changes to the 302 certification and related disclosure requirements are effective August 14, 2003. • Disclose material changes in internal control over financial reporting that occurred during the fiscal period (during the fourth quarter in a Form 10-K). • Evaluate disclosure controls and procedures as of the end of the fiscal period. • Provide Section 302 and 906 certifications as exhibits.
Final Rule: Auditor Independence • Final rules adopted to implement Title II of the Act. • Rules address the following: • Prohibited non-audit services, • Audit committee pre-approval of services, • Audit partner rotation, • Employment by clients of members of the audit team, • Certain reports to audit committees, and • A prohibition on compensation to audit partners based on non-audit services
Prohibited Non-Audit Services • SEC adopted list of prohibited services set forth in Section 201 of the Act, many were already prohibited under the independence rules adopted in 2000. • For those services not previously prohibited, such services are prohibited as of May 6, 2003. • Services being provided pursuant to contract in place as of May 6 may continue for up to 12 months (as long as they are not materially modified).
Audit Committee Pre-Approval of Services for Indep. Auditors • Rule requires that either: • Audit committee pre-approve all audit or non-audit services to be rendered by the accounting firm, or • The engagement to render services is entered into pursuant to pre-approval policies and procedures established by the audit committee, provided: • the policies and procedures are detailed as to the particular service; • the audit committee is informed of each service that is rendered; and • such policies and procedures do not include delegation of the audit committee’s responsibilities to management.
Audit Committee Pre-Approval of Services for Indep. Auditors • Pre-approval requirements become effective on May 6 for services that are to be performed after that date. • Contracts dated prior to May 6 do not require pre-approval by the audit committee and may continue for up to 12 months (as long as they are not materially modified). • Once effective, companies will be required to disclose the audit committee’s policies and procedures for pre-approving audit and non-audit services.
Sarbanes Oxley Act 404 Marc Oberholtzer Casualty Loss Reserve Seminar September 8-10, 2003 Chicago, Illinois
Agenda • Overview Controls Testing – Audit versus 404 Attestation Five Components of COSO’s Internal Control Framework Overview of P/C Reserving and the Five COSO Components Risk and Controls, and Internal Control Maturity Framework • Property/Casualty Actuarial Reserving Process Examples – Points of Risk Examples – Potential Controls for a Risk
What is Different with 404 Attestation? • Financial statement audit focuses on the quality of the information in the financial statements, • Whereas • 404 Attestation focuses on the quality of the processes that produce the information in the financial statements. • 404 Attestation raises the bar for management, audit committee, board and its independent auditors.
Understanding and consideration of internal controls only to develop the audit approach Overall objective is the rendering of an opinion on the financial statements, not to opine on internal controls Internal control reports have been very rare in practice and are the subject of different auditing standards Does not include the rendering of an opinion on management’s assessment of internal control Control Testing During the Audit of Financial Statements
100% controls-based approach. No comfort from substantive/analytical procedures. Must evaluate and test controls across business and functional areas to opine on effectiveness (broad and deep) Lack of errors, historically, in financial statements is not de-facto evidence unto itself, of an appropriate internal control structure Cumulative audit knowledge and rotation are not applicable Control Testing During the 404 Attestation
Recap of 404 Attestation • 404 Attestation focuses on the quality of the processes that produce the information in the financial statements. • Getting involved with your company’s readiness activities is important • You might have additional work to do to prepare your area for your independent auditors’ 404 Attestation – substantial incremental effort might be required
What is a Control? • A control is a process or step designed to mitigate a risk of not achieving an objective. • Questions to consider: • What is the business objective? • What risks interfere with achieving this objective? • What processes/steps can be taken to reduce these risks? • In this context, business objective could be reasonably stated reserves.
Overview of Actuarial Process –Illustration of P/C Reserving * Data Analysis Decision- making Reporting Possible Risk Areas Completeness Accuracy Adjustments External benchmarks Segmentation Level of Detail Qualitative Methods/ Assumptions Actuarial value/range versus Management best-estimate Documentation Communication * The process is generally not linear; iterations tend to occur. For example, new data are gathered based on initial findings from analysis.
P/C Reserving Process – What Do You Have to Do • Document the Reserving Process • Prerequisite to Identifying Points of Risk – Roadmap is Needed • Scope, Data Collection/Evaluation, Methods/Assumptions, Review Procedures, Bridging between Actuarial and Recorded • “How Much is Enough” Varies Among Companies • Identify Points of Risks • Design Control Activities or Identify Existing Control Activities to Mitigate Risks • Document the Control Activities and their Function • Monitor Effectiveness of Control Activities over Time
Control Environment – Potential Elements • Corporate values and code of ethics • Established, widely communicated, management and staff “walks the talk” • Clearly defined roles and responsibilities • Corporate organization structure for reserving actuary • Can a conflicting reserve opinion be heard by CFO, CEO, Chairman, Audit Committee? • Effectiveness of staff and management • Familiarity, understanding and training of Audit Committee members with reserving topics.
Risk Assessment – Potential Elements • Is claim and premium coding valid and accurate? • Do systems correctly employ coded transactions to produce reserving reports • Schedule P, Actuarial reserving triangles, etc. • Have all appropriate actuarial methods been employed? • Are all corporate initiatives considered in reserve projections? • Underwriting, pricing, claims, expense and other initiatives. • Has external environment events been considered in reserve projections? • Inflation trends, legislative activity, demographics, weather, etc.
Risk Assessment – Potential Elements (2) • Where are the key actuarial judgement points for each reserve? • Development patterns, loss ratios, price changes • Has actuarial professions “Statement of Principles” been considered? • Data organization, homogeneity, credibility, frequency and severity, etc. • Where are the key management judgement points for each reserve? • Adjustments, bulk loadings, etc. • What spreadsheets are used in the testing of reserves • Cell formulae, manual changes • SAP vs. GAAP differences
Control Activities – Potential Elements Documented Processes • Data Reconciliation • Checklist of Procedures • Approval of Deviations • Documentation of Judgments • Documentation of External Inputs • Peer Reviews • Does someone outside the reserve process verify completion of all procedures
Other Control Components – Potential Elements • Information & Communication • Input into reserving process – Are there control processes established for input into the reserving processes? • Loss and Premium Data • Ceded Reinsurance • Input of Pricing, Underwriting, Claims into Process • Output of reserving process – Communicating results to senior management • Is there a formal delivery package for reserve results each quarter? • What is lead actuary’s role in approving recorded reserves? Monitoring • Are exceptions or surprises evaluated? • Were there controls in place? • Why were those controls not effective? • Are post-mortem meetings conducted? • Is input from those outside of the reserving process (e.g., top management, third party actuaries, external and internal auditors) considered in re-evaluations of the process?
UNRELIABLE • Unpredictable environment where control activities are not designed or in place INFORMAL • Control activities are designed and in place but are not adequately documented • STANDARDIZED • Control activities are designed, in place and are adequately documented • MONITORED • Standardized controls with periodic testing for effective design and operation with reporting to management • OPTIMIZED • Integrated internal controls with real time monitoring by management and continuous improvement Internal Controls Maturity Framework • Level 1 – Unreliable • Unpredictable environment where control activities are not designed or in place • Level 2 – Informal • Disclosure Activities and Controls are designed and in place but are not adequately documented • Controls mostly dependent on people • No formal training or communication of control activities • Level 3 – Standardized • Control activities are designed and in place • Control activities have been documented and communicated to employees • Deviations from control activities will likely not be detected • Level 4 – Monitored • Standardized controls with periodic testing for effective design and operation with reporting to management • Automation and tools may be used in a limited way to support control activities • Level 5 – Optimized • An integrated internal control framework with real time monitoring by management with continuous improvement (Enterprise-Wide Risk Management) • Automation and tools are used to support controls activities and allow the organization to make rapid changes to the control activities if needed
Questions For Company Actuaries From a big picture, company actuaries need to ask themselves . . . • Are there adequate controls in place around the actuarial reserving process that impact financial reporting? • What does the internal control structure look like and how does it operate? • Are these controls formal or informal? • Are they documented and current? • Are they monitored and tested? • Who is accountable?
Questions For Company Actuaries (2) From a big picture, company actuaries need to ask themselves . . . • How will management assess the ongoing effectiveness of controls? • How are control issues tracked and evaluated? • What are the critical control activities? • How will I demonstrate that I have reviewed the controls every quarter? • What actuarial outputs impact the financial statements and footnotes?
Points of Risk Jay Votta Casualty Loss Reserve Seminar September 8-10, 2003 Chicago, Illinois
Point of Risk – Example 1 • Data utilized in the actuarial calculations are not complete or accurate. • Loss records with invalid coding are put in a dump file and not included in data used for reserve estimates. • The grand totals of actuarial data reconcile to systems control totals, but subtotal for relevant subsets (e.g., by accident year or by line of business) are inaccurate.
Potential Controls – Example 1 • Risk (1): Data utilized in the actuarial calculations are not complete or accurate. • Reconciliations of claim and premium data utilized in the actuarial calculations to underlying statistical records/subsidiary ledgers are performed and reviewed in a timely manner by appropriate personnel. • Reconciliations of underlying statistical records/subsidiary ledgers to appropriate supporting documentation are performed and reviewed in a timely manner by appropriate personnel. • Interface controls (e.g., exception reports detailing differences in batch totals) ensure that claim and premium data utilized in the actuarial calculations are appropriately interfaced with the underlying claims, premiums or actuarial systems. • Changes to data from underlying statistical records/subsidiary ledgers (e.g., manual adjustments) are appropriately supported with documentation and reviewed by an appropriate individual.
Point of Risk – Example 2 • Inappropriate methodologies could result in reserve estimates that are not reasonable. • Paid loss development is used when known changes in procedures distort the payment pattern. • Frequency & severity methods are used when the definition of a claim counts has changed recently. • Adjustments are used to reflect changes in claims department procedures without clear evidence in the data, e.g., a push to close large claims or a small file cleanup has recently begun. • Changes in claims department procedures exist, appear in the data and are modeled incorrectly. • Choosing a-priori loss ratios that are less than every LDF method calculated or otherwise biased.
Potential Controls – Example 2 • Risk (2): Inappropriate methodologies could result in reserve estimates that are not reasonable. • Actuaries meet with claim department on regular basis to assess potential effects of changes in claims practice on observed actuarial data. • Adjustments are reviewed and accepted by another Actuary. • A-prini loss ratios reserving selections are independent from pricing analysis. • Selection of a-priori loss ratios are determined independently but with consultation with underwriter and pricing actuaries.
Point of Risk – Example 3 • Inappropriate key assumptions could result in reserve estimates that are not reasonable . • Long-term averages are used for parameters when there is evidence of changes in recent years • Assumptions about the stability of the underlying data are not confirmed by the claims VP's discussion of recent activities in the claims department. • Changes in Claims Department case reserving procedures or practices are not reflected in estimates. • Changes in Claims Department claim payment procedures or practices are not reflected in estimates. • Backlogs or catch-up in Claims Department claims handling are not reflected in estimates. • Changes in mix of business within a reviewed segment are not reflected in estimates.
Potential Controls – Example 3 • Risk (3): Inappropriate key assumptions could result in reserve estimates that are not reasonable. • Parameter selections are reviewed and accepted by another actuary. • The company actuaries have a policy for utilizing a particular statistic (e.g., average of last 5 observed factors). Deviations are documented, reviewed, and accepted. • Actuaries meet with claim department on regular basis to assess potential effects of changes in claims practice on observed actuarial data. • Actuaries meet with underwriting department on a regular basis to assess potential effects of changes in the mix of business. • Selection of a-priori loss ratios are determined independently but with consultation with underwriter and pricing actuaries.
Point of Risk – Example 4 • Actuarial value/range does not reconcile to financial statement reserves and/or management’s best estimate. • Management’s view may differ from actuarial results. • Breakdown in reporting of actuarial results.
Potential Controls – Example 4 • Risk (4): Actuarial value/range does not reconcile to financial statement reserves and/or management’s best estimate. • A report exists that documents reasons for differences by sufficient detail to provide a reconciliation by line of business and in total. • A system exists for proper reporting of actuarial results.
Point of Risk – Example 5 • Reporting of actuarial findings is not well documented. • Documentation is not complete • Documentation is not accurate • Documentation is not recoverable • Documentation is not transferable • Documentation is not secure
Potential Controls – Example 5 • Risk (5): Reporting of actuarial findings is not well documented • Documentation follows ASOP 9 • Documentation is “tech” and “peer” reviewed • Documentation is stored on a common server • Multiple actuaries are intimate with documentation • Access to common server is limited/controlled
Point of Risk – Example 6 • Reporting of actuarial findings is not properly communicated • Communication does not follow company protocols • Communication is inconclusive • Communication is misunderstood • Communication is not secure
Potential Controls – Example 6 • Risk (6): Reporting of actuarial findings is not properly communicated • System exists for communicating results right up to the Board of Directors. • Documentation should include an Executive Summary. • Minutes are recorded when results are communicated verbally. • Follow up meetings are held when results are communicated in writing. • Multiple actuaries attend meetings.