The Model Audit Rule: best practices and recommendations to improve your organization’s program

Co-authored with Rachel Myslinski

Management’s required reporting and filing requirements

The National Association of Insurance Commissioners' (NAIC) Annual Financial Reporting Model Regulation #205, commonly known as the Model Audit Rule (MAR), was enacted for three primary purposes:

  1. Provide regulators with greater confidence that their domiciled insurance entities have effective controls in place to mitigate the risk that they are publishing inaccurate annual statements
  2. Increase the efficiency of risk-focused examinations by allowing the examination teams to rely on the control testing performed by the insurer regarding its financial reporting risks
  3. Enhance corporate governance by increasing management’s confidence in its internal control environment

Effective threshold: $500 million in premiums written

Section 16/17, Management’s Report of Internal Control over Financial Reporting – Annual Attestation on Internal Control, mandates that every insurer having annual direct-written and assumed premiums of $500 million or more (the act provides a calculation for life and health entities) shall prepare a report, for the prior calendar year’s year-end, attesting to the insurer’s, or the group of insurers’, internal controls over financial reporting.

Timing requirements

The report is to be filed with the state commissioner 60 days after the audited financial report is filed, with a cutoff and requirement to file by Aug. 1, with the exception of the state of New York, which requires the report to be filed by May 31.

The act provides the insurer with a two-year grace period, which starts at the Dec. 31 year-end in which the threshold is breached, to formalize the company’s internal controls and to prepare for filing management’s report of internal control over financial reporting. For example, if an insurer breaches the $500 million direct written and assumed premium threshold on Dec. 31, 201X, the company would be required to comply by filing management’s assertion regarding the effectiveness of the insurer’s internal control over financial reporting as of Dec. 31, 201X+2, with the filing due by August 201X+3.

However, New York did not adopt the Model Audit Rule and instead passed similar requirements through Regulation 118. Regulation 118 does not allow a two-year grace period unless the threshold is breached through a business combination or acquisition. Therefore, the New York regulator would expect compliance, and the associated management filing, immediately following the year in which the premium threshold is breached, i.e., as of Dec. 31, 201X.

Hardship exemption

Under Section 17/18, MAR grants insurers the ability to file with the commissioner for hardship, which, if approved, exempts the insurer from MAR compliance. Hardship is granted at the discretion of the commissioner and is usually approved if it can be determined that the act will cause the insurer financial or organizational hardship.

Management’s Report filing key statements

If an insurer meets the requirements and is not granted a hardship waiver, the MAR requirement mandates that management’s filing be signed by the chief executive officer (CEO) and chief financial officer (CFO), inclusive of the following key statements:

  • Management is responsible for establishing and maintaining internal controls
  • Internal controls have been established and are operating effectively
  • Brief description regarding the scope, any controls excluded, and the overall approach utilized to evaluate effectiveness
  • Disclosure of any unremediated material weaknesses of internal controls
  • Statement regarding any inherent limitations of internal control

SOX compliance expedient for MAR compliance

If your institution is already compliant with the Sarbanes-Oxley Act (SOX), Section 16/17 states that if the insurer, or group of insurers, is directly subject to Section 404, or its parent company is subject to Section 404, the insurer may file its, or its parent’s, Section 404 SOX report, including an addendum, to satisfy the Section 16/17 requirement. An insurer, or group of insurers, can take advantage of this as long as the internal controls that have a material impact on the preparation of the audited statutory financial statements were included within the scope of the Section 404 SOX report.

Management’s responsibility for diligent inquiry

A common question insurers have regarding MAR implementation concerns the amount of testing that is generally required. Section 16D(2)/17D(2) states that management’s assertion regarding the effectiveness of the insurer’s financial reporting controls must be made to the best of their knowledge after diligent inquiry. To define diligent inquiry, refer to the Annual Financial Reporting Model Regulation Implementation Guide, which defines it as “conducting a search and thorough review of relevant documents which are reasonably likely to contain significant information with regards to internal control over financial reporting” (testing requirements are discussed further below under common misconceptions).

Additional consideration should be given to Section 16D(5)/17D(5), which requires the insurer to identify all material weaknesses in internal control over financial reporting that exist as of the balance sheet date. If the insurer has identified unremediated material weaknesses, the company will be required to disclose them within its required reporting to the commissioner of its domiciliary state. Material weaknesses can often be determined by identifying the significance of an internal control failure and whether it is reasonable to conclude that the probability of a material error in future financial statements, which would not be detected by other controls (i.e., compensating controls), ranges from 5 percent to 10 percent.

Industry common misconceptions

Below are common misconceptions relating to MAR, based on our work with clients and feedback received at industry conferences and events:

Reporting requirements

Misconception: If an insurer is required to file an Own Risk and Solvency Assessment (ORSA) report, it is also required to file MAR, and vice versa

The misconception arises from the differences in the threshold requirements. MAR requires the report to be filed once the insurer reaches the $500 million threshold based on direct written premium on the audited financial statements, while ORSA has a $500 million threshold (or $1 billion for the group) on either the audited or annual statement. For example, if an insurer records $478 million in total direct written premium on its annual statement, but records $475 million in premiums earned, $23 million in change in unearned premium and $2 million in reinsurance ceded on its audited financial statements, the insurer may be required to file the MAR attestation report but not ORSA.

Materiality and scoping

Misconception: Materiality and scoping can be completed without regard to risks

Materiality and annual risk assessments should drive the MAR program’s overall scope and plan. Ensuring that a formalized risk assessment is completed annually, with business owner and management input, is key to ensuring that internal audit is testing and focusing on the appropriate key areas.

Misconception: All general sub ledger accounts need to be in scope

This is generally not the case, as scope is largely driven by materiality; areas that are not material can be excluded from the scope to increase efficiency and keep costs down.

Misconception: Entity level controls can be ignored

Entity level controls should be included within the scoping if they materially affect the subsidiary’s (i.e., the insurer’s) audited financial statements. As noted above, if the parent is SOX compliant, the insurer can file the SOX 404 report to cover entity level controls and reduce duplication of effort.

Misconception: Management cannot elect their own framework 

The Committee of Sponsoring Organizations (COSO) 1992 framework has been superseded, and MAR allows management to utilize its own control framework; however, COSO 2013 is recommended.

Misconception: IT systems are not significant unless they relate to the general ledger

IT systems, including the general ledger system, policy and claims administration systems, data warehouses and the overall network, should be included within scope, as all of them affect data integrity. Remember the term “garbage in, garbage out.” If IT systems are not appropriately coded or mapped, the data being extracted will be inaccurate and lead to misstated financial statements.

Control testing

Misconception: All key controls should be independently tested annually

In order to remain efficient and cost effective, insurers can consider rotation of formal independent testing by supplementing with management self-assessments. The MAR guidance allows management to determine the nature, scope and timing of testing suitable to their environment.

Misconception: A walkthrough alone is sufficient to determine operation effectiveness, and diligent inquiry, for key control testing

Although for IT automated controls a walkthrough alone is sufficient, testing a population or a frequency (i.e., daily/monthly/quarterly) requires a formal sample selection and cannot be determined based on a sample of one. Internal audit/management should reference the American Institute of Certified Public Accountants (AICPA)/Institute of Internal Auditors (IIA) standards to determine appropriate sample sizes.

Misconception: All supporting documentation should be obtained and stored centrally

MAR does not require the insurer to centrally house all supporting documentation; rather, the insurer can reference where the documentation can be found (i.e., claims administration system, policy administration system, etc.). From an NAIC state examination efficiency perspective, all supporting documentation should be readily available, specifically documentation related to the last scope year (unless the company plans to give the examination team access to where the documentation is maintained).

Trends in MAR

Insurers in the process of implementing, or that have implemented, MAR programs are consistently revitalizing processes to improve alignment, effectiveness and efficiency, and the following trends have emerged as a result:

Alignment trends

Alignment trends include utilizing risk analytics and materiality scoping to ensure the MAR key areas are appropriate to address identified financial reporting risk. Enhancing an insurer’s alignment with its MAR program can be realized by:

  • Taking a risk-based, instead of control-based, approach
  • Revisiting the financial statements to determine materiality through a combination of the following methods:
      • Utilizing the NAIC’s benchmark (e.g., 5 percent of surplus for planning materiality)
      • Applying sub ledger materiality (i.e., percent of the general ledger account greater than or equal to the dollar amount)
      • Utilizing management judgment based on qualitative judgment scores, areas of audit weaknesses or strengths, or areas of emerging risks
  • Aligning the key risks identified to management assertions
  • Having management (not internal audit) own and attest to the key controls, so that the company continues to remove or add controls based on its changing control environment and the risks remain mitigated

Efficiency trends

Management should ensure the appropriate number of key controls is identified to mitigate financial reporting risk, without being duplicative and without leaving the risk substantially uncovered. By reducing the number of key controls while still maintaining adequate coverage over the risk, organizations will realize a more efficient MAR process. Additional efficiency trends include:

  • Rotational auditing and supplementing with management self-assessments for low-risk areas that are on rotation
  • State examination/NAIC risk matrix approach

Effectiveness trends

Effectiveness trends include:

  • Reviewing key control and compensating control assessments
  • Completing a deficiency evaluation for each control failure identified to determine if the control is a material deficiency/weakness
  • Dashboards to understand the broader impact of the results; results should be tabulated based on overall function and a trend assessment over time conducted
  • Utilizing state examination language and building the testing lead sheets to include the risk, management assertion(s), overall inherent risk assessment, control and control testing results

Trends in implementation

The aforementioned trends are holistic and can be applied both to existing MAR programs and to those being implemented. Some additional trends and best practices apply specifically to the implementation process, including:

  • Discussing internally, and with the board of directors, management’s planned approach to executing MAR
  • Performing a high-level assessment of the insurer’s current control state versus the requirements of MAR
  • Taking time to perform a thorough risk assessment including addressing accounts and assertions
  • Preparing a comprehensive road map for execution, including resource management
  • Recruiting or contracting with experienced MAR professionals, and designating an internally dedicated liaison (i.e., MAR champion) to manage the MAR program
  • Developing a sustainable program for ongoing reliance by either external audit or the state examiners

IT trends

Information technology (IT) is a key component in MAR implementation and testing. As above, there are multiple ways to improve overall efficiency and effectiveness, including:

Efficiency trends/best practices

  • Taking a risk-based approach and identifying the volume of transactions, the level of automation and any compensating downstream detective controls
  • Leveraging other assessments completed such as System and Organization Controls (SOC) examinations, Health Information Trust Alliance (HITRUST), International Organization for Standardization (ISO), National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), etc.
  • Obtaining an understanding of the control framework and identifying areas where controls have already been tested; appropriately determined reliance will aid in increasing the overall efficiency of the program

Effectiveness trends

  • Identifying automated controls within the business process which reduce manual intervention and the potential for human error
      • Automated controls generally only require a sample of one to determine operational effectiveness and can increase the efficiency of the program overall
  • Obtaining a further understanding of completeness and accuracy, including data mapping and when data can be manually input or edited (i.e., garbage in, garbage out)

Reengineering your processes

MAR can be a significant undertaking for most insurers; taking action to understand the controls and identify weaknesses is crucial to ensure the insurer is prepared when the threshold is reached. For insurers that have already reached the threshold and are required to be compliant with MAR, reviewing the organization’s process annually to identify efficiencies and ways to improve overall effectiveness will ensure that key risks are addressed and the program is cost effective overall.

Some ways an insurer can improve their organization’s existing program include:

  • Increasing corporate governance unity and control confidence
      • Providing and obtaining senior management and audit committee understanding, training and buy-in to the program
      • Implementing a MAR steering committee to ensure significant financial reporting areas are addressed
      • Incorporating functional area certifications provided to the CEO and CFO prior to their certifying, to help them gain comfort over their control environment
  • Increasing organizational unity
      • Identifying a MAR champion for each functional area (i.e., this does not have to be the key process owner)
      • Providing training annually and requesting feedback from the business owners/key personnel of each area to determine that training needs are met
      • Increasing the use of departmental testing through self-assessments, ensuring that the process is guided by someone independent of the function
  • Improving the overall process
      • Revisiting the risk assessments and materiality scoping annually to determine that areas under review are appropriate
      • Considering incorporating a subledger materiality to reduce accounts in scope, including clear explanations for the exclusions
      • Implementing effective project management including, but not limited to, a MAR calendar of kickoff meetings, testing timeline and deliverables, and making all affected parties aware
      • Conducting rotational auditing determined based on each area’s inherent risk assessment
      • Incorporating MAR testing as part of other planned operational/compliance internal audits to increase efficiency
  • Increasing the use of technology
      • Incorporating dashboards and analysis of key controls and deficiencies
      • Utilizing SharePoint or other workflow functions for signoffs and version control and to create an audit trail
      • Conducting a cost analysis of MAR compliance, including opportunity costs, identifying bottlenecks and cost drivers, and replacing them with automation, computer-assisted audit techniques (CAAT) or third-party software

By taking small steps to improve your MAR program, your organization will benefit in the long term and be more likely to increase your MAR program’s overall efficiency and effectiveness.

For more information on this topic, or to learn how Baker Tilly insurance specialists can help, contact our team.

John Romano