Sarbanes-Oxley 404 – Where Do We Stand?
CAS 2004 Annual Meeting
November 15 & 16, 2004

Today’s Panel
James C. Votta, Partner, Ernst & Young LLP
Lise A. Hasegawa, AVP and Reserving Actuary, MetLife Auto & Home
Kenneth T. Sipiora, Senior Manager, Deloitte & Touche LLP
David T. Perine, Senior Manager, Ernst & Young LLP


Remediation Documentation Testing Sign Off

Company Completed Auditor Reviewed

Company Completed Auditor Completed

Company Completed Auditor Reviewed

Auditor Management

Survey of 950 SEC Registrants as of October 2004

■ Green = No concern with timely completion = 32%
■ Yellow = Greater than low level concern = 60%
■ Red = Significant concern = 8%

In Scope or Out of Scope?

■ Pricing
■ IBNR Generating Systems
■ Pockets of Reserves
■ CAT Models

What is Ahead?

■ Internal Audit Focus
■ Spitzer Investigations
■ NAIC Model Law

Sarbanes-Oxley 404 – Where Do We Stand?
Insurance Company Perspective
Lise A. Hasegawa, AVP and Reserving Actuary
MetLife Auto & Home

The MetLife Enterprise

■ Over $300 Billion in Assets Under Management
■ Locations
  ■ United States
  ■ International – 11 Locations
■ Business segments include
  ■ Individual
  ■ International
  ■ Institutional
  ■ Reinsurance
  ■ Auto & Home

SOX – The Players

■ Steering Committee
■ Project Management Office
■ Line of Business Teams
■ Internal Auditing
■ Outside Advisor
■ External Auditor

SOX – The Process

■ Identify Processes
■ Scope & Coverage
■ Process Map Activities
■ Identify Risks
■ Identify Key Controls
■ Testing
■ Action Plans
■ Review and Signoff

In Scope Actuarial Processes

■ Reserves
■ Reinsurance

Reserving Process Map

■ Data
■ Analysis
■ Documentation
■ Communication

Data – The Risks

■ All loss data accounted for?
■ Loss data accurate?
■ Loss data transferred and separated accurately?

Data – The Controls

■ All loss data accounted for?
  ■ Balancing reports, consistency, judgment
■ Loss data accurate?
  ■ Claims edits, audits, detective reports
■ Loss data transferred and separated accurately?
  ■ More balancing reports, consistency, judgment

Next Steps

■ Testing
■ Action Plans
■ Review
■ Sign Off

Repeat

Lessons Learned

■ Support from the top
■ Takes more effort, energy and people than you think – but it is worth it
■ Define the scope precisely – expect it to change
■ Expect guests … often … add a chair
■ Auditable proof

Lessons Learned

■ Software versus Spreadsheets
■ Controls are closer than you think
■ Education for all employees
■ Take advantage of the situation
  ■ Learn how other processes work
  ■ Learn how the data is created and used
  ■ Improve processes
  ■ Eliminate risk

Sarbanes-Oxley 404 – Where Do We Stand?
Corporate Risk Management Perspective
Kenneth T. Sipiora, Senior Manager
Deloitte & Touche LLP

Corporate Risk Management – Environment

■ Risk Management (broadly defined) increasingly critical to corporations, their officers and directors
  ■ COSO, ERM, etc.
■ Investors, Regulators, Lenders and other stakeholders demanding disclosure and independent verification of financial controls
■ Risk Management and related insurance transactions increasingly complex
■ Many large corporations have significant self-insured/retained risk
  ■ General/Product Liabilities, Auto Liability, Workers’ Compensation, D&O, etc.
■ Third-party service providers common

Corporate Risk Management – Environment

■ Paid losses and reserves are material to financial reporting
  ■ Significant cost drivers, financial statement disclosures common
  ■ Independent actuarial analysis
■ Variety of alternative risk financing strategies in use
  ■ Qualified self insurance, Captives, Finite Risk, Capital Markets, etc.
■ Risk Management Information Systems (RMIS) prevalent
  ■ Data warehouses, Management Reporting, Actuarial Data
■ Entity level controls (“C” level and B.O.D.) requiring greater scrutiny
  ■ Retain or Transfer risk?
  ■ Counterparty security

Corporate Risk Management – SOX 404 Examples

■ Control Objectives
■ Process Documentation
■ Testing

Corporate Risk Management – Environment

■ Reserve estimates are adequately developed, reported and monitored
  ■ Appropriate data is accurately documented and retained to support management estimates of liabilities.
  ■ Reserves are determined according to appropriate actuarial standards of practice, consistent with regulatory, GAAP and other required standards.
■ Financial reporting is timely and accurate
  ■ Claims activity is recorded timely and accurately in the appropriate accounting period.
  ■ Disbursements for premium expenses, claims payments, captive fees and other risk management expenses are validated, calculated accurately, processed completely and recorded to general ledger.

Corporate Risk Management – Environment

■ Risks are identified, quantified or transferred
  ■ Expected losses to be retained are quantified.
  ■ Commercial insurance for risk not self-insured is secured.
  ■ Insurance company counterparty security (financial strength) evaluated regularly.
■ Claims reporting is timely and accurate
  ■ Claims processing policy and procedures established by Senior Management exist and duties of claims staff and third-party administrators (TPAs) are performed accordingly.
  ■ TPAs or other external providers have adequate controls in place.

Corporate Risk Management – Environment

■ Self-insured risks are identified and funded by captive as appropriate
  ■ Captive transactions are accurately recorded in a timely manner.
  ■ Captive management and other service providers have adequate controls
  ■ Captive financial statements are timely and accurately consolidated with parent company statements.

Corporate Risk Management – SOX 404 Sample Process Documentation

■ Claims (workers’ compensation)
■ Loss reserving
■ Financial reporting
■ Captive transaction

Cycle: Risk Management Cycle
Process: Manage Risk
Sub-Process: Claims Processing - Workers’ Compensation

Preliminary Draft for Discussion Purposes Only

Flowchart swimlanes: Claimant/Facilities; Risk Management; TPA
Other flowchart labels: Timing; Start; (RMIS); (HR/ERP)

Flowchart boxes:

■ Employee is sent to a participating clinic and the Accident and Investigation Report is forwarded to the Clinic Administrator. (HR Contact)
■ On-line Internet read only and ad-hoc reporting access (Claims System)
■ Claims are paid out of escrow fund (Claims Adjuster)
■ TPA is notified of the new claim, claims are assigned to an adjuster, claims information is entered in claims system (Claims Adjuster)
■ TPA sends one weekly invoice to Risk Management for payment. (Claims Adjuster)
■ Injury is reported to a 3rd Party Call Center (HR Contact or Participating Clinic)
■ Employee reports incident to facility supervisor (Facility Employee/Claimant)
■ New claims information from Call Center is received data transfer; States first report of injury; HS Corporate Risk Management is notified via email of incident/investigation report (Call Center)
■ Claims case management is conducted daily (investigations are conducted based on payment information from invoice, reports/questions from facilities, lost time reports, claimant inquiries, etc.) (Risk Management Staff)
■ Claimant’s profile and injury information is reported to the TPA. Call Center’s system is integrated with PeopleSoft to ensure claimants are employees (Call Center)
■ TPA Reimbursement for claims payments
■ The invoice is received (Risk Management Staff)
■ An incident report is completed and forwarded to the facility HR contact (Employee and Supervisor)
■ Adjuster notifies Corporate Risk Management if case reserve changes are > $10K, if the claimant is taken out of work, settlement authorization or other claims authorization issues (Claims Adjuster)
■ Claims payments and changes in case reserves are entered into the claims system (Claims Adjuster)
■ Claims are investigated, and initial case reserves are established; reserves are adjusted for open claims where necessary (ESIS Claims Adjuster)
■ On a weekly basis, claims activity is downloaded from the claims system into a spreadsheet and uploaded into RMIS (Risk Management Staff)
■ An error report is generated corrections are made to RMIS (e.g. unmatched SSI #) (Risk Management Staff)
■ Email notification of incident/investigation report is received and an internal claims file is opened (Call Center)

Control references on the flowchart: RM 1014, RM 1015, RM 1018, RM 1019, RM 1021, RM 1022, RM 1024, RM 1025, RM 1026, RM 1028, RM 1029, RM 1030, RM 1031

Legend: Primary Control Activity; Secondary Control Activity; Primary Company Level Controls; Control Gap

Cycle: Risk Management Cycle
Process: Manage Risk
Sub-Process: Reserving

Preliminary Draft for Discussion Purposes Only

Flowchart swimlanes: Captive Manager; CFO; Corporate Risk Management; Independent Actuary
Other flowchart labels: Timing; Start; (HR/ERP); Financial Reporting

Flowchart boxes:

■ The developed loss reserves and loss projections for captive and pre-captive policy years are reviewed, approved and signed-off and communicated to the SVP of Corporate Risk Management (CFO)
■ Actuary develops the loss reserves for historical losses and loss projection for future losses
■ An annual Independent Actuarial Report, which includes an Actuarial Opinion signed by a Credentialed actuary is produced.
■ Exposure information and loss experience is reviewed and submitted to the independent actuary (Corporate Risk Management Staff)
■ Exposure data is gathered from the facilities (PeopleSoft) and loss runs from the TPA (Corporate Risk Management Staff)
■ RMIS merges information for customized reports
■ TPA Loss Runs
■ The annual independent Actuarial Report is received and reviewed (Corporate Risk Management SVP)
■ The Actuarial Report is submitted to Risk Management
■ The Independent Actuarial Report
■ The historical loss reserves and projected losses (funding for captive) are determined based on industry trends, loss experience and the Actuarial Report (The Corporate Risk Management SVP)
■ Captive Manager is notified of the loss reserves approved for the captive (Corporate Risk Management)
■ The loss reserves are recorded on the captive financial statements by the captive manager

Control references on the flowchart: RM 1002, RM 1003, RM 1004, RM 1006, RM 1008, RM 1009, RM 1010, RM 1011, RM 1012, RM 1013

Legend: Primary Control Activity; Secondary Control Activity; Primary Company Level Controls; Control Gap

Cycle: Risk Management Cycle
Process: Manage Risk
Sub-Process: Financial Reporting

Flowchart swimlanes: Captive; Captive Manager; Treasury/Accounting/CFO; Corporate Risk Management
Other flowchart labels: Financial Reporting; Loss Reserving; Captive Insurance – Fronted Programs; Captive Insurance – Non-Fronted Programs; Treasury Cycle: Subprocess – Treasury other debt – Unrestricted Cash

Flowchart boxes:

■ LOCs, Surety Bonds or other security deposits are issued to the relevant parties (TPA, insurer/fronting company or state regulator) to meet the financial obligations. (Treasury)
■ The approved pre-captive loss reserves are sent to Corporate Accounting to be recorded on the Financial Statements (CFO)
■ Loss reserves and projected losses are recorded (Captive Manager)
■ The approved captive loss reserves and projected losses are sent to IAS, Captive Manager to be recorded on Captive’s books (CFO)
■ Requests are sent to Treasury to issue LOCs and Surety Bonds (Corporate Risk Management Staff)

Control references on the flowchart: RM 1009, RM 1023, RM 1032

Legend: Primary Control Activity; Secondary Control Activity; Primary Company Level Controls; Control Gap

Cycle: Risk Management Cycle
Process: Manage Risk
Sub-Process: Captive Transactions – Direct Placement

Flowchart swimlanes: Captive; Captive Manager; Treasury/Accounting; Corporate Risk Management
Other flowchart labels: Risk Assessment and Transfer; Allocation of Cost of Risk; Treasury Cycle: Subprocess – Treasury other debt – Surety Bonds/Restricted Cash; Financial Reporting – Captive Transactions; Captive Transactions – Fronted Arrangements; End

Flowchart boxes:

■ Payment of premium is received by Captive Manager.
■ Premiums (premium allocations) are determined for the retained risk, which are funded by the captive (Corporate Risk Management SVP)
■ Captive enters an agreement with the Captive Manager to record and manage the captive transactions
■ An invoice for captive premium payment is submitted.
■ Decision: Are these retained risk funded through fronted arrangements? (Yes / No)
■ Invoice is approved (Corporate Risk Management SVP)
■ Invoice is received and checked for accuracy (Corporate Risk Management Staff)
■ Captive Manager records transactions.
■ Corporation issues surety bonds and security deposits to collateralize the financial estimated loss obligations
■ Payment is sent via wire to the bank of Captive (Corporate Risk Management SVP)
■ Accounting/Treasury is notified of the payment transaction (Corporate Risk Management SVP)
■ Captive issues policies to subsidiaries

Legend: Primary Control Activity; Secondary Control Activity; Primary Company Level Controls; Control Gap

Corporate Risk Management – SOX 404 Sample Control Tests – Loss Reserving

Control Objective: Client has established written policies and procedures governing establishment and modification of loss reserves
Type of Test (Corroborative inquiry, observation, re-performance or examination): Examination
Sample Type (Biased, Unbiased or None): None
Sample Size (If sampling is used): N/A
Test Scenario(s): Review Actuarial Reports to verify if loss reserves approved by the CFO are within the Actuary's range. Examine documentation of loss reserves determined by the CFO that was sent to Corporate Accounting.
Design Gap (If Any): There is no formal documentation of the reserving policy.
Design Gap Remediation: This is a "to be" recommendation. The reserving policy should be documented in a policy manual, a sign-off process should be implemented, and the documentation of the policy and approvals should be maintained by CRM, the CFO and Corporate Accounting.

Control Objective: Client has established written policies and procedures governing establishment and modification of loss reserves
Type of Test: 1) Examination; 2) Observation
Sample Type: Unbiased
Sample Size: 3
Test Scenario(s):
  1) Review the last 3 reports submitted to the Actuary. Verify that loss information data (loss runs) and exposure information (estimated payroll, sales/revenues, FTE's) matches data on the report being submitted to the Actuary.
  2) Run a query on HR/ERP for those periods to determine if exposure information matches the information on the reports.
Design Gap (If Any): CRM has a consistent practice for collecting loss and exposure information; however, the process should be formally documented.
Design Gap Remediation: Include process of gathering data in a procedure/policy/process manual. This is a "to be" recommendation.

Corporate Risk Management – SOX 404 Sample Control Tests – Loss Reserving

Control Objective: Determination of reserves is consistent with applicable actuarial standards, regulatory and company standards.
Type of Test (Corroborative inquiry, observation, re-performance or examination): Examination
Test Scenario(s): Review the last Actuarial Reports to determine completeness and reasonableness of Actuarial assumptions.
Design Gap (If Any): Currently, no interim actuarial analysis exists.
Design Gap Remediation: An actuarial analysis should be completed on an interim basis to identify any necessary reserve adjustments. This is a "to be" process.

Sarbanes-Oxley 404 – Where Do We Stand?
A Consultant’s Perspective
David T. Perine, Senior Manager
Ernst & Young LLP

What Have We Done To Date?

■ Planning
  ■ Timing
  ■ Structure
  ■ Roles
■ Documentation
  ■ Business and financial processes
  ■ Risks
  ■ Controls

What Have We Done To Date?

■ Testing and Remediation
  ■ Remediation of controls deemed necessary as a result of the documentation phase
  ■ Testing of controls
  ■ Remediation as a result of testing

What Is Happening Now Through Q1 2005?

■ Documentation of new processes or significant changes to existing processes
■ Continued remediation
■ 4th quarter and annual testing
  ■ As a result of remediation of controls
  ■ Of 3rd and 4th quarter controls
  ■ Of annual controls
■ Evaluating exceptions and deficiencies

What Is Happening Now Through Q1 2005?

■ Management’s assertion on the effectiveness of internal controls
■ Auditor’s attestation to the effectiveness of internal controls

Future Steps/Commitments to SOX 404

■ Reinforce a compliance culture
  ■ From the top (Audit Committee, CEO, CFO, CCO)
  ■ SOX 404 compliance must be embedded in the company’s culture
  ■ Ownership of SOX 404 must reside with the company, not outside parties
  ■ Consider maintaining/establishing a Project Management Office

Future Steps/Commitments to SOX 404

■ The changing role of internal audit
  ■ More internal control focused?
■ The role of outside consultants
  ■ Coaching?
  ■ Support?
■ Updating documentation
  ■ When and by whom?
  ■ Peer review

Future Steps/Commitments to SOX 404

■ Testing
  ■ When and by whom?
■ Remediation
■ Management’s assertion
■ Auditor’s attestation
■ Responding to a negative attestation?