
Sarbanes-Oxley Section 404 Internal Controls and Actuarial Processes, Chris Nyce, KPMG LLP



Sarbanes-Oxley Section 404 Internal Controls and Actuarial Processes

Chris Nyce

KPMG LLP

September 2006


Disclaimer

  • Views and opinions expressed in this presentation and the underlying paper are those of the authors.

  • Needless to say then, they do not represent the opinions of the CAS, nor any employer of the presenters, nor any sponsors of the meeting.

  • Anyone who says otherwise is not only wrong, but is clearly itching for a fight.


Note

  • Risks to financial reporting are unique to each company

  • The following discussion highlights things that should commonly be considered, but companies may need to consider other types of controls, and do not necessarily need all types of controls discussed.

  • Companies should consider their unique risk profile and consult professional advisors when implementing and evaluating their own controls.


Sarbanes-Oxley Section 404 Internal Controls and Actuarial Processes

  • Background

  • COSO Framework

  • Scope for Actuarial Processes

  • Issues

    • Information Integrity & Availability

    • Analysis

    • End User Applications

    • Management’s Best Estimate

  • Documentation

  • Considerations by Size of Company

  • Status


Comments by Harvey Pitt (SEC Chairman when SOX was Passed)

  • Question: How is SOX like the weather?

  • Answer: Everyone talks about it, but no one does anything about it.

  • Quote from Mr. Pitt

  • “The statute was hastily – and, therefore, badly – drafted; but it was and remains, necessary”

Source: Wall Street Journal, April 13, 2006


Background

  • SOX Section 404 Company Requirements:

    • State management’s role in establishing and maintaining an adequate control structure and procedures for financial reporting;

    • Report on the effectiveness of their internal controls over financial reporting procedures

      • Including supporting documentation of controls, and testing of their effectiveness.

  • SOX Section 404 Auditor Requirements:

    • Attest to and report on management’s assessment of internal controls;

    • Attest to the effectiveness of internal controls.


Background

  • Deficiency = a situation where internal controls are identified as not effective

  • Responses

    • Identify and implement remediation steps

    • Evaluate seriousness of the deficiency



The COSO Framework

  • Issued by the Committee of Sponsoring Organizations in 1992

    • AKA The Treadway Commission;

    • Provides a basic framework for all internal controls;

    • Implementers are not required to use this framework, but most do.

  • What is the framework?

    • Control Environment;

    • Risk Assessment;

    • Control Activities;

    • Information and Communication;

    • Monitoring.


Diagram of COSO Based Internal Control Structure

*Presented with thanks to “Tone at the Top” published by the Institute of Internal Auditors


Elements of COSO Based Internal Control Structure

*Presented with thanks to “Tone at the Top” published by the Institute of Internal Auditors


Scope for Actuarial Processes


Property/Casualty Insurance Operations Chain

[Diagram not reproduced. Box labels: Business Design; Underwriting Process; Product Rate Plan and Coverage; Underwriting Guides; Markets Targeted; Underwriting/Claims Transaction; Producer solicits/binds coverage, or policy renews; Policy is submitted to Underwriter; Underwriter verifies risk acceptability and price; Claims are received or estimated; Policy expires and may be renewed or audited; Transactional Data Systems; Resulting Financial Flows; Underwriting Expenses result; Premiums Written and Earned; Losses received, recorded, estimated.]


Property/Casualty Insurance Operations Chain

[Same diagram, with the added label “Traditional Financial Statement Audit Focus”.]


Property/Casualty Insurance Internal Controls affecting Estimated Balance Sheet and Income Statement Items

[Same diagram, with the added label “Additional Focus Areas for Internal Controls”.]

Estimated Balances Must Properly Reflect the Following Company Operations

[Diagram not reproduced. Labels: Source A; Source B; Source C; Source Z; Company Risk Assumption/Underwriting Practices; Company Claims Handling and Settlement Practices; Company IT/Data Design and Collection Process; Perform Estimates and Analysis; Review and Communication Process; Committee Process & Review; Input into Accounting System; Information and Communication.]


Estimated Balances Must Properly Reflect the Following Company Operations

[Same diagram, with the added labels: Underwriting and Claims; Data; Analysis; Management Review Process.]

Comments on Operational Internal Controls and Sarbanes-Oxley, Section 404

  • AICPA gives guidance as to how Sarbanes-Oxley applies to Internal controls in operational areas

    • Only controls which affect financial statement reporting are subject to Sarbanes-Oxley;

    • Includes items with significant input to financial reporting;

    • Should be taken to include disclosures.

  • Examples and the AICPA guidance are in the following table.



Industry Track Record with Section 404 Goals



Information Integrity and Availability

  • Data

  • Controls to ensure data is accurate and complete

  • Data is available to enable comprehensive analysis

  • Data is available to monitor compliance with Claims and Underwriting controls

  • Data is available to support management review needs, including tracking of trends


Actuarial Analysis

  • Analysis

  • Access to data is sufficiently convenient to analysts

  • Available information is incorporated in analysis

  • Communication process with underwriting, claims, management is sufficient

  • Appropriate methods are used

  • Communication of results to management is clear

Peer Review !


End User Applications

  • Spreadsheets, databases, Word documents, …

  • One of the most problematic pieces of control documentation

  • There is a group dedicated to spreadsheet risks, lots of stories available

    • See Website http://www.eusprig.org/stories.htm

  • University of Hawaii research: error rates on spreadsheets near 90%

    • And this goes to near 100% if more than 200 lines


Priority of Spreadsheet Controls

[Diagram not reproduced. Labels: Financial Reporting; Analytical; Operational; Complex; Simple; Extensive Controls; Moderate Controls; Simple Controls.]

For more information see “The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act” Available at www.Pwcglobal.com


What Controls to Consider

  • Backups

  • Archiving

  • Security

    • Controls over Access

  • Change Control and Version Control

    • Such as Formula Locking

  • Baselining – In depth review of calculations and functions

  • Internal Data Reconciliations

  • Peer Review – Sometimes outside the chain of reporting

  • Documentation



Management’s Best Estimate vs. Actuarial Best Estimate

  • Management Review Process

  • Process to determine booked reserves is reasonable

  • Reserve Committee and management review is effective

  • Underlying assumptions, such as trends, are validated

Review controls to ensure the estimate selection process is consistent with the outcome of the underlying estimates, or reasons for departure are documented – including quantification of reasons;


Management Review Process

Control Activities, Information and Communication, Monitoring

  • Reserve Committee Process (best practices)

    • Charter spelling out charge and operation of Committee;

    • Participation by Senior Management, Finance, Claims, Underwriting, Actuarial;

    • Access to a well documented actuarial estimate and range prepared prior to the Committee meeting;

    • Active questioning by Committee;

    • Well documented outcome of Committee meetings, including approved reserve amount;

    • Documentation of differences between management’s best estimate and actuarial best estimate.

Completeness

Accuracy

Judgmental Areas


Documentation Issues


Documentation

  • While SOX has changed the documentation commonly used in Actuarial work, Accounting documentation requirements are similar to common standards prior to SOX.

  • Most Common Pitfalls

    • Controls should be specific

      • What is the control? Who performs? Who reviews? What is the documentation? How often? Where maintained?

    • Informal processes do not fully replace controls;

    • Conservatism doesn’t take the place of controls;

    • Lack of misstatement in the past doesn’t obviate the need for controls.


Documentation (continued)

  • Most Common Pitfalls

    • Controls over reserves usually just at year end, but release of results to markets quarterly;

    • Controls over processes with significant input to financial statement balances missing;

    • “Common knowledge” instead of rigorous analysis;

    • Considering the auditor as part of the control process;

    • Forgetting controls over significant actuarial balances other than reserves.


Considerations by Size of Company

  • All companies need to weigh costs and benefits associated with implementation of SOX 404. Management may consider some deficiencies acceptable relative to costs associated with remediation.

  • Larger companies generally have the actuarial resources to implement internal controls effectively.

  • Smaller companies likely have resource constraints, most apparently relative to peer review.

    • Third party actuarial analysis;

    • Thorough review (and documentation) of reserves by all professionals in the organization that would be best versed in reasonability of reserves: senior claims, underwriting, and finance management.


Status of Implementation


Status – Recent Events

  • For most large domestic entities; Implemented 2004

  • Large foreign filers; Implementation in 2006

  • NAIC considering statutory rules

    • Current form would affect large entities, newly impacting about 190 Companies;

    • Proposed effective for 2009;

    • No external audit requirement.

  • Canadian Securities Administrator has proposed SOX type requirements

    • No external audit requirement.