
Sarbanes-Oxley 404 – Where Do We Stand? CAS 2004 Annual Meeting November 15 & 16, 2004


Presentation Transcript


  1. Sarbanes-Oxley 404 – Where Do We Stand? CAS 2004 Annual Meeting, November 15 & 16, 2004. Today’s Panel: James C. Votta, Partner, Ernst & Young LLP; Lise A. Hasegawa, AVP and Reserving Actuary, MetLife Auto & Home; Kenneth T. Sipiora, Senior Manager, Deloitte & Touche LLP; David T. Perine, Senior Manager, Ernst & Young LLP

  2. Sarbanes-Oxley 404 – Where Do We Stand? [Status diagram. Labels: Auditor, Management; Documentation, Testing, Remediation, Sign Off; Company Completed, Auditor Reviewed, Auditor Completed]

  3. Sarbanes-Oxley 404 – Where Do We Stand? • Survey of 950 SEC Registrants as of October 2004 • Green = No concern with timely completion = 32% • Yellow = Greater than low level concern = 60% • Red = Significant concern = 8%

  4. Sarbanes-Oxley 404 – Where Do We Stand? • In Scope or Out of Scope? • Pricing • IBNR Generating Systems • Pockets of Reserves • CAT Models

  5. Sarbanes-Oxley 404 – Where Do We Stand? • What is Ahead? • Internal Audit Focus • Spitzer Investigations • NAIC Model Law

  6. Sarbanes-Oxley 404 – Where Do We Stand? Insurance Company Perspective. Lise A. Hasegawa, AVP and Reserving Actuary, MetLife Auto & Home

  7. The MetLife Enterprise • Over $300 Billion in Assets Under Management • Locations • United States • International – 11 Locations • Business segments include ■ Individual ■ International ■ Institutional ■ Reinsurance ■ Auto & Home

  8. SOX ─ The Players • Steering Committee • Project Management Office • Line of Business Teams • Internal Auditing • Outside Advisor • External Auditor

  9. SOX ─ The Process • Identify Processes • Scope & Coverage • Process Map Activities • Identify Risks • Identify Key Controls • Testing • Action Plans • Review and Signoff

  10. In Scope Actuarial Processes • Reserves • Reinsurance

  11. Reserving Process Map Data Analysis Documentation Communication

  12. Data ─ The Risks • All loss data accounted for? • Loss data accurate? • Loss data transferred and separated accurately?

  13. Data ─ The Controls • All loss data accounted for? Balancing reports, consistency, judgment • Loss data accurate? Claims edits, audits, detective reports • Loss data transferred and separated accurately? More balancing reports, consistency, judgment

  14. Next Steps • Testing • Action Plans • Review • Sign Off • Repeat

  15. Lessons Learned • Support from the top • Takes more effort, energy and people than you think ─ but it is worth it • Define the scope precisely ─ expect it to change • Expect guests … often … add a chair • Auditable proof

  16. Lessons Learned • Software versus Spreadsheets • Controls are closer than you think • Education for all employees • Take advantage of the situation • Learn how other processes work • Learn how the data is created and used • Improve processes • Eliminate risk

  17. Sarbanes-Oxley 404 – Where Do We Stand? Corporate Risk Management Perspective. Kenneth T. Sipiora, Senior Manager, Deloitte & Touche LLP

  18. Corporate Risk Management ─ Environment • Risk Management (broadly defined) increasingly critical to corporations, their officers and directors • COSO, ERM, etc. • Investors, Regulators, Lenders and other stakeholders demanding disclosure and independent verification of financial controls • Risk Management and related insurance transactions increasingly complex • Many large corporations have significant self-insured/retained risk • General/Product Liabilities, Auto Liability, Workers’ Compensation, D&O, etc. • Third-party service providers common

  19. Corporate Risk Management ─ Environment • Paid losses and reserves are material to financial reporting • Significant cost drivers, financial statement disclosures common • Independent actuarial analysis • Variety of alternative risk financing strategies in use • Qualified self insurance, Captives, Finite Risk, Capital Markets, etc. • Risk Management Information Systems (RMIS) prevalent • Data warehouses, Management Reporting, Actuarial Data • Entity level controls (“C” level and B.O.D.) requiring greater scrutiny • Retain or Transfer risk? • Counterparty security

  20. Corporate Risk Management ─ SOX 404 Examples • Control Objectives • Process Documentation • Testing

  21. Corporate Risk Management ─ Environment • Reserve estimates are adequately developed, reported and monitored • Appropriate data is accurately documented and retained to support management estimates of liabilities. • Reserves are determined according to appropriate actuarial standards of practice, consistent with regulatory, GAAP and other required standards. • Financial reporting is timely and accurate • Claims activity is recorded timely and accurately in the appropriate accounting period. • Disbursements for premium expenses, claims payments, captive fees and other risk management expenses are validated, calculated accurately, processed completely and recorded to general ledger.

  22. Corporate Risk Management ─ Environment • Risks are identified, quantified or transferred • Expected losses to be retained are quantified. • Commercial insurance for risk not self-insured is secured. • Insurance company counterparty security (financial strength) is evaluated regularly. • Claims reporting is timely and accurate • Claims processing policy and procedures established by Senior Management exist, and duties of claims staff and third-party administrators (TPAs) are performed accordingly. • TPAs or other external providers have adequate controls in place.

  23. Corporate Risk Management ─ Environment • Self-insured risks are identified and funded by captive as appropriate • Captive transactions are accurately recorded in a timely manner. • Captive management and other service providers have adequate controls • Captive financial statements are timely and accurately consolidated with parent company statements.

  24. Corporate Risk Management ─ SOX 404 Sample Process Documentation • Claims (workers’ compensation) • Loss reserving • Financial reporting • Captive transaction

  25. LEGEND Primary Control Activity Secondary Control Activity Primary Company Level Controls Control Gap

  26. LEGEND Primary Control Activity Secondary Control Activity Primary Company Level Controls Control Gap

  27. LEGEND Primary Control Activity Secondary Control Activity Primary Company Level Controls Control Gap

  28. LEGEND Primary Control Activity Secondary Control Activity Primary Company Level Controls Control Gap

  29. Corporate Risk Management ─ SOX 404 Sample Control Tests – Loss Reserving

  30. Corporate Risk Management ─ SOX 404 Sample Control Tests – Loss Reserving

  31. Sarbanes-Oxley 404 – Where Do We Stand? A Consultant’s Perspective. David T. Perine, Senior Manager, Ernst & Young LLP

  32. What Have We Done To Date? • Planning • Timing • Structure • Roles • Documentation • Business and financial processes • Risks • Controls

  33. What Have We Done To Date? • Testing and Remediation • Remediation of controls deemed necessary as a result of the documentation phase • Testing of controls • Remediation as a result of testing

  34. What Is Happening Now Through Q1 2005? • Documentation of new processes or significant changes to existing processes • Continued remediation • 4th quarter and annual testing • As a result of remediation of controls • Of 3rd and 4th quarter controls • Of annual controls • Evaluating exceptions and deficiencies

  35. What Is Happening Now Through Q1 2005? • Management’s assertion on the effectiveness of internal controls • Auditor’s attestation to the effectiveness of internal controls

  36. Future Steps/Commitments to SOX 404 • Reinforce a compliance culture • From the top (Audit Committee, CEO, CFO, CCO) • SOX 404 compliance must be embedded in the company’s culture • Ownership of SOX 404 must reside with the company, not outside parties • Consider maintaining/establishing a Project Management Office

  37. Future Steps/Commitments to SOX 404 • The changing role of internal audit • More internal control focused? • The role of outside consultants • Coaching? Support? • Updating documentation • When and by whom? • Peer review

  38. Future Steps/Commitments to SOX 404 • Testing • When and by whom? • Remediation • Management’s assertion • Auditor’s attestation • Responding to a negative attestation?
