Team members working on report

The Model Audit Rule: best practices and recommendations to improve your organization’s program

This article covers the Model Audit Rule (MAR) and its purpose, as well as the trends and industry common misconceptions associated with MAR. For a more in-depth look into MAR, and to learn more about our MAR approach, check out our MAR webpage.

The National Association of Insurance Commissioners' (NAIC) Annual Financial Reporting Model Regulation #205, commonly known as the Model Audit Rule (MAR), requires that insurance companies that exceed certain thresholds of direct and assumed written premiums adopt auditor independence, corporate governance and internal control over financial reporting standards.

MAR was enacted for three primary purposes:
  1. To provide regulators with greater confidence that their domiciled insurance entities have effective controls in place to mitigate the risk of publishing inaccurate annual statements
  2. To increase efficiency of the risk-focused examinations by allowing the examination teams to rely on the control testing performed by the insurer regarding their financial reporting risks
  3. To enhance corporate governance by increasing management’s confidence in their internal controls environment

It is important to note that although a majority of states have adopted MAR in its entirety based on the NAIC’s recommendations, some have chosen to adopt or modify specific sections. In 2021, the NAIC published a guide to assist MAR compliance by state.

Effective threshold: $500 million in direct and assumed written premium

Section 17 Management’s Report of Internal Control over Financial Reporting – Annual Attestation on Internal Control mandates that every insurer having annual, direct-written and assumed premiums of $500 million or more (i.e., the act provides a calculation for life and health entities) shall prepare a report, for the prior calendar year’s year-end, attesting to the insurer’s, or the group of insurer’s, internal controls over financial reporting.

The report is to be filed with the state commissioner 60 days after the audited financial report is filed, with a cutoff and requirement to file by Aug. 1. The only exception is the state of New York, which requires the report to be filed by May 31. 

The rule provides the insurer with a two-year grace period, which starts Dec. 31 of the year that the threshold is breached, to formalize the company’s internal controls and to prepare for filing management’s report of internal control over financial reporting. For example, if an insurer has breached the $500 million direct written and assumed premium threshold on Dec. 31 201X, the company would be required to comply by filing management’s assertion regarding the effectiveness of the insurer’s internal control over financial reporting as of Dec. 31, 201X+2, with the filing due by August 201X+3). 

However, New York did not adopt the model audit rule, but instead passed similar requirements through Regulation 118. Regulation 118 does not allow a two-year grace period unless the threshold is breached through a business combination or acquisition. Therefore, according to Regulation 118, compliance and associated management filing would occur immediately following the year as of Dec. 31, 201X, that the premium threshold is breached. 

Under section 18, MAR has granted insurers the ability to file with the commissioner for hardship, which will allow the insurer to be exempt from MAR compliance. Hardship is granted under the discretion of the commissioner and is usually approved if it can be determined that the act will cause the insurer financial/organizational hardship.

Management’s report filing key statements

If an insurer meets the requirements and is not granted a hardship waiver, the MAR requirement mandates that management’s filing be signed by the chief executive officer (CEO) and chief financial officer (CFO), and must include the following key statements:

  • Management is responsible for establishing and maintaining internal controls
  • Internal controls have been established and are operating effectively
  • Brief description regarding the scope, any controls excluded and the overall approach utilized to evaluate effectiveness
  • Disclosure of any unremediated material weaknesses of internal controls
  • Statement regarding any inherent limitations of internal control
SOX compliance expedient for MAR compliance

If your institution is already compliant with the Sarbanes-Oxley Act (SOX), MAR section 16/17 states that if the insurer, group of insurers, or parent company are directly subject to SOX section 404, the insurer may file its, or their parent’s, section 404 SOX report, including an addendum to satisfy the section 16/17 requirement. An insurer, or group of insurers, can take advantage of this as long as their internal controls that have a material impact on the preparation of the audited statutory financial statements were included within the scope of the section 404 SOX report.

Management’s responsibility for diligent inquiry

A common question insurers have regarding MAR implementation is in regard to the amount of testing that is generally required. Section 17D(2) states that management’s assertion regarding the effectiveness of the insurer’s financial reporting controls must be made to the best of their knowledge after diligent inquiry. To define “diligent inquiry,” refer to the Annual Financial Reporting Model Regulation Implementation Guide, which defines it as “conducting a search and thorough review of relevant documents which are reasonably likely to contain significant information with regards to internal control over financial reporting.” (Further discussion regarding testing requirements is discussed below under common misconceptions).

Additional consideration should be taken regarding section 17D(5), which requires the insurer to identify all material weaknesses in internal control over financial reporting that exist as of the balance sheet date. If the insurer has identified unremediated material weaknesses, the company will be required to disclose the material weaknesses within its required reporting to the commissioner of their domiciled state. Material weaknesses can often be determined by identifying the significance of an internal control failure, and if it is reasonable to concur that the probability of a material error in future financial statements, which would not be detected by other controls (i.e., compensating controls), ranges from 5% to 10%.

Industry common misconceptions

Below are common misconceptions, as it relates to MAR, based on our work with clients and feedback received at industry conferences and events:

Misconception: Materiality and scoping can be completed without regards to risks

Materiality and annual risk assessments should drive the MAR program’s overall scope and plan. Ensuring that a formalized risk assessment is completed annually by obtaining business owner and management input is key to ensuring that internal audit is testing/focusing on the appropriate key areas. 

Misconception: All general sub-ledger accounts need to be in scope

This is generally not the case as it largely is impacted by materiality. Areas that are not material can be excluded from the scope to increase efficiency and keep costs down. Performing materiality on a subaccount level will allow the company to focus on subaccounts that drive the overall materiality of the line item on the financials and avoid wasting time on areas that are not material.

Misconception: Entity level controls can be ignored

Entity level controls should be included within the scoping if it materially affects the subsidiaries (i.e., insurer) audited financial statements. As aforementioned, if the parent is SOX compliant, the insurer can file the SOX 404 report to cover entity level controls and reduce duplication of efforts.  Regulators, when conducting their analysis and financial examinations of domiciled insurers, actively consider and assess corporate governance and entity level controls. In addition, the MAR Implementation guide refers to the following as aspects and components of internal control that insurers may want to consider when making the assertions and determining relevant documentary evidence: “The internal control environment including oversight provided by the Audit committee of the Board of Directors. Insurers may want to consider how they can demonstrate “Tone at the Top.” The insurer’s compliance programs, code of conduct and the processes for reporting policy exceptions and overrides of controls may also be appropriate to consider.” The previous example is a clear outline of consideration of entity level controls.

Misconception: Management cannot elect their own framework 

MAR does not mandate a specific framework for management’s review and evaluation of internal controls. SEC registrants typically (but are not required to) use the COSO Internal Control-Integrated Framework in assessing the effectiveness of internal control over financial reporting. Management should assess and select an appropriate framework or approach based upon its business risks and objectives.

Misconception: IT systems are not significant unless they relate to the general ledger

IT systems including the general ledger system, policy and claims administration systems, as well as data warehouses and overall network, should be included within scope as it all relates to data integrity. Remember the term “garbage in, garbage out.” If IT systems are not appropriately coded or mapped, the data being extracted will be inaccurate and lead to misstated financial statements.

Misconception: All key controls should be independently tested annually

In order to remain efficient and cost effective, insurers can consider rotation of formal independent testing by supplementing with management self-assessments. The MAR guidance allows management to determine the nature, scope and timing of testing suitable to their environment.

Misconception: A walkthrough alone is sufficient to determine operation effectiveness, and diligent inquiry, for key control testing

Although for IT automated controls, where a walkthrough alone is sufficient, testing a population or a frequency (i.e., daily/monthly/quarterly) requires a formal sample selection, and cannot be determined based on a sample of one. Internal audit/management should reference the American Institute of Certified Public Accountants (AICPA)/Institute of Internal Auditors (IIA) standards to determine appropriate sample sizes.

Misconception: All supporting documentation should be obtained and stored centrally

MAR does not require the insurer to centrally house all supporting documentation; rather the insurer can reference where the documentation can be found (i.e., claims administration system, policy administration system, etc.) From an NAIC state examination efficiency perspective, all supporting documentation should be readily available, specifically documentation related to the last scope year (unless the company plans to give the examination team access to the where documentation is maintained).

Trends in MAR

Insurers in the process of implementing, or that have implemented, MAR programs are consistently revitalizing processes to better increase alignment, effectiveness and efficiency, and thus the following trends have emerged:

Alignment trends include utilizing risk analytics and materiality scoping to ensure the MAR key areas are appropriate to address identified financial reporting risk. Enhancing an insurer’s alignment with its MAR program can be realized by:

  • Taking a risk-based, instead of control-based, approach
  • Revisiting the financial statements to determine materiality through a combination of the following methods:
  • Utilizing the NAIC’s benchmark (e.g., 5% of surplus for planning materiality)
  • Applying sub-ledger materiality (i.e., percent of the general ledger account greater than or equal to the dollar amount)
  • Utilizing management judgment based on qualitative judgment scores, areas of audit weaknesses or strengths, or areas of emerging risks
  • Aligning the key risks identified to management assertions
  • Having management (not internal audit) own and attest to the key controls, resulting in the company continuing to remove/add controls based on its changing control environment to ensure the risks are inherently mitigated

Management should ensure the appropriate amount of key controls are identified to mitigate the financial reporting risk without being duplicative or not substantially covering the risk. By reducing the number of key controls while still maintaining adequate coverage over the risk, organizations will realize a more efficient MAR process. Additional efficiency trends include:

  • Rotational auditing and supplementing with management self-assessments for low-risk areas that are on rotation
  • Conducting periodic control rationalization exercises
  • Utilizing a Governance Risk and Compliance (GRC) cloud-based software
  • State examination/NAIC risk matrix approach

Effectiveness trends include:

  • Reviewing key control and compensating control assessments
  • Completing a deficiency evaluation for each control failure identified to determine if the control is a material deficiency/weakness
  • Dashboards to understand the broader impact of the results. Results should be tabulated based on overall function and a trend assessment over time conducted
  • Utilizing state examination language and building the testing lead sheets to include the risk, management assertion(s), overall inherent risk assessment, control and control testing results

The aforementioned trends are holistic and can be applied to current and new MAR programs. Some additional trends and best practices apply specifically to the implementation process, including:

  • Discussing internally, and with the board of directors, management’s planned approach to executing MAR
  • Performing a high-level assessment of the insurer’s current control state versus the requirements of MAR
  • Taking time to perform a thorough risk assessment including addressing accounts and assertions
  • Preparing a comprehensive road map for execution, including resource management
  • Recruiting or contracting with experienced MAR professions, and delegating an internally dedicated liaison (i.e., MAR champion) to manage the MAR program
  • Developing a sustainable program for ongoing reliance by either external audit or the state examiners

Information technology (IT) is a key component in MAR implementation and testing. There are multiple ways to improve overall efficiency and effectiveness, including:

Efficiency trends/best practices

  • Taking a risk-based approach and identifying the volume of transactions, the level of automation and any compensating downstream detective controls
  • Leveraging other assessments completed such as System and Organization Controls (SOC) examinations, Health Information Trust Alliance (HITRUST), International Organization for Standardization (ISO), National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), etc.
  • Understanding the control framework and identifying areas where controls have already been tested will aid in increasing the overall efficiency of the program

Effectiveness trends

  • Identifying automated controls within the business process which reduce manual intervention and the potential for human error. (Automated controls generally only require a sample of one to determine operational effectiveness and can increase efficiency of the program overall.)
  • Obtaining a further understanding of completeness and accuracy including data mapping, when data can be manually input or edited, etc. (i.e., garbage in, garbage out)

Reengineering your processes

MAR can be a significant undertaking for most insurers. Taking action to understand the controls and identifying weaknesses is crucial to ensure the insurer is prepared when the threshold is reached. For insurers that have already reached the threshold and are required to be compliant with MAR, however, reviewing your organization’s process annually to identify efficiencies and ways to improve overall effectiveness will ensure that key risks are addressed and the program is overall cost effective.

  • Some ways an insurer can improve their organization’s existing program include:
  • Increasing corporate governance unity and control confidence
  • Providing and obtaining senior management and audit committee understanding, training, and buy-in to the program
  • Implementing a MAR steering committee to ensure significant financial reporting areas are addressed
  • Incorporating functional area certifications to provide to the CEO and CFO prior to certifying to help them gain comfort over their control environment
  • Increasing organizational unity
  • Identifying a MAR champion for each functional area; this does not have to be the key process owner
  • Providing training annually and requesting feedback from the business owners/key personnel of each area to determine if training needs are met
  • Increasing leverage of departmental testing through self-assessments, ensuring that the process is guided by someone independent of the function
  • Revisiting the risk assessments and materiality scoping annually to determine that areas under review are appropriate
  • Consider incorporating a sub-ledger materiality to reduce accounts in scope, including clear explanations for the exclusion
  • Implementing effective project management including, but not limited to, a MAR calendar of kickoff meetings, testing timeline and deliverables and making all affected parties aware
  • Conducting rotational auditing which is determined based on the area’s inherent risk assessment
  • Incorporating MAR testing as part of other planned operational/compliance internal audits to increase efficiency
  • Increasing the use of technology
  • Incorporating dashboards and analysis of key controls and deficiencies
  • Utilizing SharePoint or other workflow functions for signoffs and version control and to create an audit trail
  • Conducting cost analysis of MAR compliance including opportunity costs, identifying bottlenecks and cost drivers, and replacing with automation, computer assisted audit techniques (CAAT) or a third-party software

By taking small steps to improve your MAR program, your organization will benefit in the long term and be more likely to increase your MAR program’s overall efficiency and effectiveness.

Below you will find the presentation and recording from our recent webinar, Lessons learned through Model Audit Rule implementation. For more information on the subject, and to learn more about our MAR approach, refer to our MAR webpage.

John Romano
AI data board
Next up

Enterprise AI tools: A new era