
Model Audit Rule (MAR) road map: Key considerations for effective MAR implementation

This article covers the implementation and optimization of Model Audit Rule (MAR) programs for insurers approaching or having recently exceeded the $500M threshold of direct and assumed written premiums. For a more in-depth look into MAR, and to learn more about our MAR approach, check out our MAR webpage.

For help with your MAR implementation journey, download our Model Audit Rule road map. 

For many insurers, understanding the Model Audit Rule (MAR) Internal Controls over Financial Reporting (ICFR) requirement and lifecycle is a key piece of regulatory compliance. The preparation to implement and optimize an effective MAR program, while staying in line with regulatory requirements and industry trends, can be challenging but is an opportunity for an insurer to enhance the value of their organization. If your organization has already hit the $500M threshold or intends to soon, it’s never too early to start considering your implementation plan. Below you will find four key takeaways that are necessary to keep in mind when implementing – and optimizing – your organization’s MAR program. Along with the information below, refer to our Model Audit Rule implementation road map for a step-by-step guide that you can download and refer back to.

When you are starting to plan for MAR program implementation and compliance, your viewpoint of the value a MAR program will bring to your organization is extremely important. During the beginning stages of MAR implementation, every organization is tasked with determining where their priorities lie. Most organizations fall within three main categories:  

  1. Compliance only: An organization falls under this category if it is only focused on compliance, and views and treats MAR program implementation as a necessary evil and just another part of doing business 
  2. Compliance with opportunities to enhance processes: An organization under this category chooses to use MAR implementation as an opportunity to improve processes and controls, however compliance is still a primary driver of MAR-related activities 
  3. Process improvement integrator: An organization under this category sees the value in implementing a MAR program, and therefore effort is utilized to drive continuous improvement, automation opportunities and risk and control re-evaluation 

We’ve found that the majority of insurance organizations in this position fall within the second category: They want to get more out of their MAR program and incorporate opportunities to improve; however, they don’t necessarily have the resources to fully back that effort. From a regulatory perspective, the adequacy and strength of your MAR program will be addressed during examinations. Regulators will review your approach and follow up on any material weaknesses when reporting. Depending on the number of internal control and material weaknesses you have, your priority scoring – a risk score regulators give your organization that helps determine how much time they need to spend with you – may be impacted.

For external audit purposes, external auditors are not required to report on the effectiveness of your internal controls and MAR program. They will review and analyze it from a control standpoint; however, beyond that they are not required to report on it.

It is never too early to start your MAR journey. If your organization is projected to hit $500M in direct and assumed written premiums in the next two years, or if it is already MAR compliant, now is the time to start planning your MAR implementation road map. When we build road maps for our clients, we break the process down into five phases: 

  • Phase 1 – Q1 of the year expected to breach $500M: Conduct a scoping, materiality and risk assessment exercise to document required areas and processes subject to MAR 
  • Phase 2 – Q2/Q3 of the year expected to breach $500M: Conduct a gap analysis of the current state processes. Conduct a remediation plan and identify key process owners and accountable timeframes for implementation 
  • Phase 3 – One year after breaching $500M: Develop required documentation of key controls for process areas and functions in scope. Conduct initial testing and remediation as necessary 
  • Phase 4 – Two years after breaching $500M: Execute on required MAR control identification, testing, remediation and internal reporting to key process owners and executive management 
  • Phase 5 – Three years after breaching $500M: Document certifications by process owners and summarize results for the CEO and CFO. Submit the certification to your state’s insurance department no later than July 31 three years after the year your organization breached $500M 

Once you’ve submitted your certification, it is important to continue to adapt and refine your MAR scope and approach and identify value drivers and challenges. Even if your organization has already established a MAR program and submitted your certification, it is still best practice to have a project management plan in place throughout the entirety of the MAR process. 


The Model Audit Rule was designed to enhance the governance and oversight of internal controls, risk management and financial reporting within insurance organizations. Therefore, it should not be viewed as a burden and instead should be thought of as an opportunity for your organization to increase efficiency and effectiveness overall. After time spent working with insurance organizations on their MAR programs, we have found that often the biggest hurdle is ensuring that there is senior management and audit committee understanding, training and buy-in. Any client implementation we have had a challenge with was because the CEO and/or CFO of the organization were really hands off and therefore didn’t fully support the implementation. Ensuring that there is buy-in from other facets of your organization, and that you provide your leadership with the proper information prior to certifying, is extremely instrumental in having a successful MAR implementation experience.  

Failures and inefficiency occur when there is a lack of accountability and understanding. Whether you are starting the implementation process or have already implemented a MAR program, establishing consistent and open communication with every facet of your organization should be your number one priority. Provide comprehensive training and awareness programs for employees and management regarding MAR guidelines, internal controls, risk management practices and their roles and responsibilities in ensuring compliance. Beyond this, it is important to make sure that you identify a MAR champion for each functional area and work on establishing accountability amongst the proper groups within your organization. Having strong project management assists with cost reduction and increased effectiveness. Conducting self-assessments can be challenging and uncomfortable, but in the long run they will help reduce costs and increase awareness overall while identifying areas that need improvement. 

Leveraging technology solutions such as audit management software, data analytics tools and automation platforms to streamline MAR compliance processes, enhance data integrity and facilitate real-time monitoring and reporting is an important part of the MAR implementation process. However, it is important to have the proper systems in place to ensure your data and systems remain safe and secure. As information technology (IT) controls have evolved over time, there are now several scope items that should be considered when implementing a MAR program within your organization. They include:

  • IT governance: It is the role of executive management and those charged with governance to establish policies and procedures to ensure safe IT controls 
  • Access control: User access provisioning/deprovisioning and review. This includes segregation of duties, security administration, elevated privileges, access review and even physical security 
  • Change management: Includes planning, development, testing, approval, production and segregation of duties and environments 
  • Contingency planning: Have emergency systems in place to back up and restore processes 
  • Security operations: Vulnerability management, network security, encryption solutions, monitoring and alerting solutions 
  • IT operations: Includes environmental controls, system integrations and job scheduling and monitoring 
  • Vendor management: When working with third or even fourth party vendors, make sure you are doing your due diligence with planning, contracting, onboarding, monitoring and even termination 
  • Training and awareness: Technical training, security awareness and reinforcement and even anti-phishing 
  • Data governance: Ensure your data is protected and only being accessed by those with the proper clearance with the use of key report management and data flow mapping 
  • Asset management: Configuration management, keep an inventory of the assets you acquire, maintenance needs and disposal 

While it is not necessary to implement all of these, it is important to keep in mind and understand the risks that may be facing your organization. Establish mechanisms for continuous monitoring, testing and evaluation of internal controls, risk management practices and data governance. Beyond that, it is important to implement feedback loops and corrective actions to address identified deficiencies and improve overall effectiveness.  

By integrating these steps into your MAR implementation process, your organization will benefit in the short and long-term and will be more likely to increase your MAR program’s overall efficiency and effectiveness. Below you will find the presentation and recording from our recent webinar on the subject. To learn more about how our insurance and risk advisory specialists can assist your organization, refer to our Model Audit Rule (MAR), insurance and risk advisory webpages.


Russell Sommers
John Romano