Management’s required reporting and filing requirements
The National Association of Insurance Commissioners' (NAIC) Annual Financial Reporting Model Regulation #205, commonly known as the Model Audit Rule (MAR), was enacted for three primary purposes:
Effective threshold: $500 million in premiums written
Section 16/17 Management’s Report of Internal Control over Financial Reporting – Annual Attestation on Internal Control mandates that every insurer having annual, direct-written and assumed premiums of $500 million or more (the act provides a calculation for life and health entities) shall prepare a report, for the prior calendar year’s year-end, attesting to the insurer’s, or the group of insurers’, internal controls over financial reporting.
The report is to be filed with the state commissioner 60 days after the audited financial report is filed, with a cutoff and requirement to file by Aug. 1, with the exception of the state of New York, which requires the report to be filed by May 31.
The act provides the insurer with a two-year grace period, which starts at the Dec. 31 year-end in which the threshold is breached, to formalize the company’s internal controls and to prepare for filing management’s report of internal control over financial reporting. For example, if an insurer has breached the $500 million direct written and assumed premium threshold on Dec. 31, 201X, the company would be required to comply by filing management’s assertion regarding the effectiveness of the insurer’s internal control over financial reporting as of Dec. 31, 201X+2, with the filing due by August 201X+3.
However, New York did not adopt the Model Audit Rule and has instead passed similar requirements through Regulation 118. Regulation 118 does not allow a two-year grace period unless the threshold is breached through a business combination or acquisition. Therefore, the New York regulator would expect compliance and the associated management filing immediately following, and as of, the Dec. 31, 201X year-end in which the premium threshold is breached.
Under Section 17/(18), MAR has granted insurers the ability to file with the commissioner for hardship, which will allow the insurer to be exempt from MAR compliance. Hardship is granted at the discretion of the commissioner and is usually approved if it can be determined that the act will cause the insurer financial/organizational hardship.
Management’s Report filing key statements
If an insurer meets the requirements and is not granted a hardship waiver, the MAR requirement mandates that management’s filing be signed by the chief executive officer (CEO) and chief financial officer (CFO), inclusive of the following key statements:
SOX compliance expedient for MAR compliance
If your institution is already compliant with the Sarbanes-Oxley Act (SOX), Section 16/17 states that if the insurer, or group of insurers, is directly subject to Section 404, or its parent company is subject to Section 404, the insurer may file its, or its parent’s, Section 404 SOX report, including an addendum, to satisfy the Section 16/17 requirement. An insurer, or group of insurers, can take advantage of this as long as the internal controls that have a material impact on the preparation of the audited statutory financial statements were included within the scope of the Section 404 SOX report.
Management’s responsibility for diligent inquiry
A common question insurers have regarding MAR implementation concerns the amount of testing that is generally required. Section 16D(2)/17D(2) states that management’s assertion regarding the effectiveness of the insurer’s financial reporting controls must be made to the best of their knowledge after diligent inquiry. To define diligent inquiry, refer to the Annual Financial Reporting Model Regulation Implementation Guide, which defines it as “conducting a search and thorough review of relevant documents which are reasonably likely to contain significant information with regards to internal control over financial reporting” (testing requirements are discussed further below under common misconceptions).
Additional consideration should be given to Section 16D(5)/17D(5), which requires the insurer to identify all material weaknesses in internal control over financial reporting that exist as of the balance sheet date. If the insurer has identified unremediated material weaknesses, the company will be required to disclose the material weaknesses within its required reporting to the commissioner of its domiciled state. Material weaknesses can often be determined by assessing the significance of an internal control failure and whether it is reasonable to conclude that the probability of a material error in future financial statements, which would not be detected by other controls (i.e., compensating controls), ranges from 5 percent to 10 percent.
Industry common misconceptions
Below are common misconceptions, as they relate to MAR, based on our work with clients and feedback received at industry conferences and events:
Misconception: If an insurer is required to file an Own Risk and Solvency Assessment (ORSA) report, it is also required to file MAR, and vice versa
The misconception is due to the differences in the threshold requirements. MAR requires the report to be filed once the insurer reaches the $500 million threshold based on its direct written premium on the audited financial statements, while the own risk and solvency assessment (ORSA) has a threshold of $500 million, or $1 billion for the group, on either the audited or annual statement. For example, if an insurer records on its annual statement $478 million in total direct written premium, but records on the audited financial statement $475 million in premiums earned, $23 million in change in unearned and $2 million in reinsurance ceded, the insurer may be required to file the MAR attestation report but not ORSA.
Materiality and scoping
Misconception: Materiality and scoping can be completed without regards to risks
Materiality and annual risk assessments should drive the MAR program’s overall scope and plan. Ensuring that a formalized risk assessment is completed annually by obtaining business owner and management input is key to ensuring that internal audit is testing/focusing on the appropriate key areas.
Misconception: All general sub ledger accounts need to be in scope
This is generally not the case, as scope is largely driven by materiality; areas that are not material can be excluded from the scope to increase efficiency and keep costs down.
Misconception: Entity level controls can be ignored
Entity level controls should be included within the scoping if they materially affect the subsidiary’s (i.e., the insurer’s) audited financial statements. As mentioned above, if the parent is SOX compliant, the insurer can file the SOX 404 report to cover entity level controls and reduce duplication of efforts.
Misconception: Management cannot elect their own framework
The Committee of Sponsoring Organizations (COSO) 1992 framework was superseded, and MAR does allow management to utilize its own control framework; however, COSO 2013 is recommended.
Misconception: IT systems are not significant unless they relate to the general ledger
IT systems, including the general ledger system, policy and claims administration systems, as well as data warehouses and the overall network, should be included within scope, as they all relate to data integrity. Remember the term “garbage in, garbage out.” If IT systems are not appropriately coded or mapped, the data being extracted will be inaccurate and lead to misstated financial statements.
Misconception: All key controls should be independently tested annually
In order to remain efficient and cost effective, insurers can consider rotation of formal independent testing by supplementing with management self-assessments. The MAR guidance allows management to determine the nature, scope and timing of testing suitable to their environment.
Misconception: A walkthrough alone is sufficient to determine operating effectiveness, and diligent inquiry, for key control testing
Although a walkthrough alone is sufficient for IT automated controls, testing a population or a frequency (i.e., daily/monthly/quarterly) requires a formal sample selection, and cannot be determined based on a sample of one. Internal audit/management should reference the American Institute of Certified Public Accountants (AICPA)/Institute of Internal Auditors (IIA) standards to determine appropriate sample sizes.
Misconception: All supporting documentation should be obtained and stored centrally
MAR does not require the insurer to centrally house all supporting documentation; rather, the insurer can reference where the documentation can be found (i.e., claims administration system, policy administration system, etc.). From an NAIC state examination efficiency perspective, all supporting documentation should be readily available, specifically documentation related to the last scope year (unless the company plans to give the examination team access to where the documentation is maintained).
Trends in MAR
Insurers in the process of implementing, or that have implemented, MAR programs are consistently revitalizing processes to better increase alignment, effectiveness and efficiency, and thus the following trends have emerged:
Alignment trends include utilizing risk analytics and materiality scoping to ensure the MAR key areas are appropriate to address identified financial reporting risk. Enhancing an insurer’s alignment with its MAR program can be realized by:
Management should ensure the appropriate number of key controls is identified to mitigate the financial reporting risk, without being duplicative or leaving the risk substantially uncovered. By reducing the number of key controls while still maintaining adequate coverage over the risk, organizations will realize a more efficient MAR process. Additional efficiency trends include:
Effectiveness trends include:
Trends in implementation
The aforementioned trends are holistic and can be applied to current and implementing MAR programs. Some additional trends and best practices apply specifically to the implementation process, including:
Information technology (IT) is a key component in MAR implementation and testing. Similar to above, there are multiple ways to improve overall efficiency and effectiveness, including:
Efficiency trends/best practices
Reengineering your processes
MAR can be a significant undertaking for most insurers; taking action to understand the controls and identifying weaknesses is crucial to ensure the insurer is prepared when the threshold is reached. For insurers that have already reached the threshold and are required to be compliant with MAR, however, reviewing your organization’s process annually to identify efficiencies and ways to improve overall effectiveness will ensure that key risks are addressed and the program is overall cost effective.
Some ways an insurer can improve their organization’s existing program include:
By taking small steps to improve your MAR program, your organization will benefit in the long term and be more likely to increase your MAR program’s overall efficiency and effectiveness.
For more information on this topic, or to learn how Baker Tilly insurance specialists can help, contact our team.