Sarbanes-Oxley 404 – Where Do We Stand?
CAS 2004 Annual Meeting
November 15 & 16, 2004
Today’s Panel
James C. Votta, Partner, Ernst & Young LLP
Lise A. Hasegawa, AVP and Reserving Actuary, MetLife Auto & Home
Kenneth T. Sipiora, Senior Manager, Deloitte & Touche LLP
David T. Perine, Senior Manager, Ernst & Young LLP
Sarbanes-Oxley 404 – Where Do We Stand?
Remediation Documentation Testing Sign Off
Company Completed Auditor Reviewed
Company Completed Auditor Completed
Company Completed Auditor Reviewed
Auditor Management
Sarbanes-Oxley 404 – Where Do We Stand?
Survey of 950 SEC Registrants as of October 2004
Green = No concern with timely completion = 32%
Yellow = Greater than low level concern = 60%
Red = Significant concern = 8%
Sarbanes-Oxley 404 – Where Do We Stand?
In Scope or Out of Scope?
Pricing
IBNR Generating Systems
Pockets of Reserves
CAT Models
Sarbanes-Oxley 404 – Where Do We Stand?
What is Ahead?
Internal Audit Focus
Spitzer Investigations
NAIC Model Law
Sarbanes-Oxley 404 – Where Do We Stand?
Insurance Company Perspective
Lise A. Hasegawa, AVP and Reserving Actuary
MetLife Auto & Home
The MetLife Enterprise
Over $300 Billion in Assets Under Management
Locations
  United States
  International – 11 Locations
Business segments include
■ Individual ■ International
■ Institutional ■ Reinsurance
■ Auto & Home
SOX ─ The Players
Steering Committee
Project Management Office
Line of Business Teams
Internal Auditing
Outside Advisor
External Auditor
SOX ─ The Process
Identify Processes
Scope & Coverage
Process Map Activities
Identify Risks
Identify Key Controls
Testing
Action Plans
Review and Signoff
In Scope Actuarial Processes
Reserves
Reinsurance
Reserving Process Map
Data
Analysis
Documentation
Communication
Data ─ The Risks
All loss data accounted for?
Loss data accurate?
Loss data transferred and separated accurately?
Data ─ The Controls
All loss data accounted for?
Balancing reports, consistency, judgment
Loss data accurate?
Claims edits, audits, detective reports
Loss data transferred and separated accurately?
More balancing reports, consistency, judgment
Next Steps
Testing Action Plans Review Sign Off
Repeat
Lessons Learned
Support from the top
Takes more effort, energy and people than you think ─ but it is worth it
Define the scope precisely ─ expect it to change
Expect guests … often … add a chair
Auditable proof
Lessons Learned
Software versus Spreadsheets
Controls are closer than you think
Education for all employees
Take advantage of the situation
  Learn how other processes work
  Learn how the data is created and used
  Improve processes
  Eliminate risk
Sarbanes-Oxley 404 – Where Do We Stand?
Corporate Risk Management Perspective
Kenneth T. Sipiora, Senior Manager
Deloitte & Touche LLP
Corporate Risk Management ─ Environment
Risk Management (broadly defined) increasingly critical to corporations, their officers and directors
  COSO, ERM, etc.
Investors, Regulators, Lenders and other stakeholders demanding disclosure and independent verification of financial controls
Risk Management and related insurance transactions increasingly complex
Many large corporations have significant self-insured/retained risk
  General/Product Liabilities, Auto Liability, Workers’ Compensation, D&O, etc.
Third-party service providers common
Corporate Risk Management ─ Environment
Paid losses and reserves are material to financial reporting
  Significant cost drivers, financial statement disclosures common
  Independent actuarial analysis
Variety of alternative risk financing strategies in use
  Qualified self insurance, Captives, Finite Risk, Capital Markets, etc.
Risk Management Information Systems (RMIS) prevalent
  Data warehouses, Management Reporting, Actuarial Data
Entity level controls (“C” level and B.O.D.) requiring greater scrutiny
  Retain or Transfer risk?
  Counterparty security
Corporate Risk Management ─ SOX 404 Examples
Control Objectives
Process Documentation
Testing
Corporate Risk Management ─ Environment
Reserve estimates are adequately developed, reported and monitored
  Appropriate data is accurately documented and retained to support management estimates of liabilities.
  Reserves are determined according to appropriate actuarial standards of practice, consistent with regulatory, GAAP and other required standards.
Financial reporting is timely and accurate
  Claims activity is recorded timely and accurately in the appropriate accounting period.
  Disbursements for premium expenses, claims payments, captive fees and other risk management expenses are validated, calculated accurately, processed completely and recorded to general ledger.
Corporate Risk Management ─ Environment
Risks are identified, quantified or transferred
  Expected losses to be retained are quantified.
  Commercial insurance for risk not self-insured is secured.
  Insurance company counterparty security (financial strength) evaluated regularly.
Claims reporting is timely and accurate
  Claims processing policy and procedures established by Senior Management exist and duties of claims staff and third-party administrators (TPAs) are performed accordingly.
  TPAs or other external providers have adequate controls in place.
Corporate Risk Management ─ Environment
Self-insured risks are identified and funded by captive as appropriate
  Captive transactions are accurately recorded in a timely manner.
  Captive management and other service providers have adequate controls
  Captive financial statements are timely and accurately consolidated with parent company statements.
Corporate Risk Management ─ SOX 404 Sample Process Documentation
Claims (workers’ compensation)
Loss reserving
Financial reporting
Captive transaction
Cycle: Risk Management Cycle
Process: Manage Risk
Sub-Process: Claims Processing - Workers’ Compensation
Flowchart swimlanes: Claimant/Facilities; Risk Management; TPA
Employee is sent to a participating clinic and the Accident and Investigation Report is forwarded to the Clinic Administrator. (HR Contact)
On-line Internet read only and ad-hoc reporting access (Claims System)
Claims are paid out of escrow fund (Claims Adjuster)
Timing
TPA is notified of the new claim, claims are assigned to an adjuster, claims information is entered in claims system (Claims Adjuster)
Start
TPA sends one weekly invoice to Risk Management for payment. (Claims Adjuster)
Injury is reported to a 3rd Party Call Center (HR Contact or Participating Clinic)
Employee reports incident to facility supervisor (Facility Employee/Claimant)
New claims information from Call Center is received data transfer; States first report of injury; HS Corporate Risk Management is notified via email of incident/investigation report (Call Center)
Preliminary Draft for Discussion Purposes Only
Claims case management is conducted daily (investigations are conducted based on payment information from invoice, reports/questions from facilities, lost time reports, claimant inquiries, etc.) (Risk Management Staff)
Claimant’s profile and injury information is reported to the TPA. Call Center’s system is integrated with PeopleSoft to ensure claimants are employees (Call Center)
TPA Reimbursement for claims payments
The invoice is received (Risk Management Staff)
An incident report is completed and forwarded to the facility HR contact (Employee and Supervisor)
Adjuster notifies Corporate Risk Management if case reserve changes are > $10K, if the claimant is taken out of work, settlement authorization or other claims authorization issues (Claims Adjuster)
Claims payments and changes in case reserves are entered into the claims system (Claims Adjuster)
Claims are investigated, and initial case reserves are established; reserves are adjusted for open claims where necessary (ESIS Claims Adjuster)
(RMIS)
On a weekly basis, claims activity is downloaded from the claims system into a spreadsheet and uploaded into RMIS (Risk Management Staff)
An error report is generated; corrections are made to RMIS (e.g. unmatched SSI #) (Risk Management Staff)
(HR/ERP)
Email notification of incident/investigation report is received and an internal claims file is opened (Call Center)
Control references shown on the chart: RM 1014, RM 1015, RM 1018, RM 1019, RM 1021, RM 1022, RM 1024, RM 1025, RM 1026, RM 1028, RM 1029, RM 1030, RM 1031
Legend: Primary Control Activity; Secondary Control Activity; Primary Company Level Controls; Control Gap
Cycle: Risk Management Cycle
Process: Manage Risk
Sub-Process: Reserving
Flowchart swimlanes: Captive Manager; CFO; Corporate Risk Management; Independent Actuary
The developed loss reserves and loss projections for captive and pre-captive policy years are reviewed, approved and signed-off and communicated to the SVP of Corporate Risk Management (CFO)
Preliminary Draft for Discussion Purposes Only
Actuary develops the loss reserves for historical losses and loss projection for future losses
An annual Independent Actuarial Report, which includes an Actuarial Opinion signed by a Credentialed actuary is produced.
Timing
Exposure information and loss experience is reviewed and submitted to the independent actuary (Corporate Risk Management Staff)
Start
Exposure data is gathered from the facilities (PeopleSoft) and loss runs from the TPA (Corporate Risk Management Staff)
(HR/ERP)
RMIS merges information for customized reports
TPA Loss Runs
The annual independent Actuarial Report is received and reviewed (Corporate Risk Management SVP)
The Actuarial Report is submitted to Risk Management
The Independent Actuarial Report
The historical loss reserves and projected losses (funding for captive) are determined based on industry trends, loss experience and the Actuarial Report (The Corporate Risk Management SVP)
Financial Reporting
Captive Manager is notified of the loss reserves approved for the captive (Corporate Risk Management)
The loss reserves are recorded on the captive financial statements by the captive manager
Control references shown on the chart: RM 1002, RM 1003, RM 1004, RM 1006, RM 1008, RM 1009, RM 1010, RM 1011, RM 1012, RM 1013
Legend: Primary Control Activity; Secondary Control Activity; Primary Company Level Controls; Control Gap
Cycle: Risk Management Cycle
Process: Manage Risk
Sub-Process: Financial Reporting
Flowchart swimlanes: Captive; Captive Manager; Treasury/Accounting/CFO; Corporate Risk Management
LOCs, Surety Bonds or other security deposits are issued to the relevant parties (TPA, insurer/fronting company or state regulator) to meet the financial obligations. (Treasury)
The approved pre-captive loss reserves are sent to Corporate Accounting to be recorded on the Financial Statements (CFO)
Financial Reporting
Loss reserves and projected losses are recorded (Captive Manager)
The approved captive loss reserves and projected losses are sent to IAS, Captive Manager to be recorded on Captive’s books (CFO)
Loss Reserving
Captive Insurance – Fronted Programs
Captive Insurance – Non-Fronted Programs
Requests are sent to Treasury to issue LOCs and Surety Bonds (Corporate Risk Management Staff)
Treasury Cycle: Subprocess – Treasury other debt – Unrestricted Cash
Control references shown on the chart: RM 1009, RM 1023, RM 1032
Legend: Primary Control Activity; Secondary Control Activity; Primary Company Level Controls; Control Gap
Cycle: Risk Management Cycle
Process: Manage Risk
Sub-Process: Captive Transactions – Direct Placement
Flowchart swimlanes: Captive; Captive Manager; Treasury/Accounting; Corporate Risk Management
Yes
No
Payment of premium is received by Captive Manager.
Risk Assessment and Transfer
Premiums (premium allocations) are determined for the retained risk, which are funded by the captive (Corporate Risk Management SVP)
Treasury Cycle: Subprocess – Treasury other debt – Surety Bonds/Restricted Cash
Captive enters an agreement with the Captive Manager to record and manage the captive transactions
An invoice for captive premium payment is submitted.
Are these retained risk funded through fronted arrangements?
Allocation of Cost of Risk
Invoice is approved (Corporate Risk Management SVP)
Invoice is received and checked for accuracy (Corporate Risk Management Staff)
Captive Manager records transactions.
Corporation issues surety bonds and security deposits to collateralize the financial estimated loss obligations
Payment is sent via wire to the bank of Captive (Corporate Risk Management SVP)
Financial Reporting – Captive Transactions
Accounting/Treasury is notified of the payment transaction (Corporate Risk Management SVP)
Captive issues policies to subsidiaries
Captive Transactions – Fronted Arrangements
End
Legend: Primary Control Activity; Secondary Control Activity; Primary Company Level Controls; Control Gap
Corporate Risk Management
SOX 404 Sample Control Tests – Loss Reserving
Columns: Control Objective; Type of Test (Corroborative inquiry, observation, re-performance or examination); Sample Type (Biased, Unbiased or None); Sample Size (If sampling is used); Test Scenario(s); Design Gap (If Any); Design Gap Remediation

Control Objective: Client has established written policies and procedures in governing establishment and modification of loss reserves
Type of Test: Examination
Sample Type: None
Sample Size: N/A
Test Scenario(s): Review Actuarial Reports to verify if loss reserves approved by the CFO are within the Actuary's range. Examine documentation of loss reserves determined by the CFO that was sent to Corporate Accounting.
Design Gap: There is no formal documentation of the reserving policy.
Design Gap Remediation: This is a "to be" recommendation. The reserving policy should be documented in a policy manual, a sign-off process should be implemented, and the documentation of the policy and approvals should be maintained by CRM, the CFO and Corporate Accounting.

Control Objective: Client has established written policies and procedures in governing establishment and modification of loss reserves
Type of Test: 1) Examination 2) Observation
Sample Type: Unbiased
Sample Size: 3
Test Scenario(s): 1) Review the last 3 reports submitted to the Actuary. Verify that loss information data (loss runs) and exposure information (estimated payroll, sales/revenues, FTE's) matches data on the report being submitted to the Actuary. 2) Run a query on HR/ERP for those periods to determine if exposure information matches the information on the reports.
Design Gap: CRM has a consistent practice for collecting loss and exposure information; however, the process should be formally documented.
Design Gap Remediation: Include process of gathering data in a procedure/policy/process manual. This is a "to be" recommendation.
Corporate Risk Management
SOX 404 Sample Control Tests – Loss Reserving
Columns: Control Objective; Type of Test (Corroborative inquiry, observation, re-performance or examination); Sample Type (Biased, Unbiased or None); Sample Size (If sampling is used); Test Scenario(s); Design Gap (If Any); Design Gap Remediation

Control Objective: Determination of reserves is consistent with applicable actuarial standards, regulatory and company standards.
Type of Test: Examination
Test Scenario(s): Review the last Actuarial Reports to determine completeness and reasonableness of Actuarial assumptions.
Design Gap: Currently, no interim actuarial analysis exists.
Design Gap Remediation: An actuarial analysis should be completed on an interim basis to identify any necessary reserve adjustments. This is a "to be" process.
Sarbanes-Oxley 404 – Where Do We Stand?
A Consultant’s Perspective
David T. Perine, Senior Manager
Ernst & Young LLP
What Have We Done To Date?
Planning
  Timing
  Structure
  Roles
Documentation
  Business and financial processes
  Risks
  Controls
What Have We Done To Date?
Testing and Remediation
  Remediation of controls deemed necessary as a result of the documentation phase
  Testing of controls
  Remediation as a result of testing
What Is Happening Now Through Q1 2005?
Documentation of new processes or significant changes to existing processes
Continued remediation
4th quarter and annual testing
  As a result of remediation of controls
  Of 3rd and 4th quarter controls
  Of annual controls
Evaluating exceptions and deficiencies
What Is Happening Now Through Q1 2005?
Management’s assertion on the effectiveness of internal controls
Auditor’s attestation to the effectiveness of internal controls
Future Steps/Commitments to SOX 404
Reinforce a compliance culture
  From the top (Audit Committee, CEO, CFO, CCO)
  SOX 404 compliance must be embedded in the company’s culture
  Ownership of SOX 404 must reside with the company, not outside parties
  Consider maintaining/establishing a Project Management Office
Future Steps/Commitments to SOX 404
The changing role of internal audit
  More internal control focused?
The role of outside consultants
  Coaching?
  Support?
Updating documentation
  When and by whom?
  Peer review
Future Steps/Commitments to SOX 404
Testing
  When and by whom?
Remediation
Management’s assertion
Auditor’s attestation
Responding to a negative attestation?