The Sarbanes Oxley Act of 2002: What Does it Mean? Moderator: Patricia Teufel – KPMG Speakers: Richard Lynch – Ernst & Young Marc Oberholtzer – PWC Jay Votta – Ernst & Young Casualty Loss Reserve Seminar September 8-10, 2003 Chicago, Illinois


Patricia Teufel


Overview of SEC Rules: Management Reporting on Internal Control, Auditor Independence & Prohibited Non Audit Services

Richard Lynch


Final Rule: Management Reporting on Internal Control

• Management must report annually on effectiveness of company’s internal control over financial reporting.

• Company’s auditor must attest to and report on management’s assessment.

• Both management’s and the auditor’s reports must be included in the company’s annual report filed with the SEC.


• Management must evaluate, quarterly, any change in internal control over financial reporting that has “materially affected, or is reasonably likely to materially affect, the registrant’s internal control over financial reporting.”

• Final rule also modifies the management certifications and related disclosures adopted by the SEC under Section 302 of the Sarbanes-Oxley Act.

• Section 906 certification now must be “furnished” as an exhibit.


• Effective for “accelerated filers” for fiscal years ending on or after June 15, 2004.

• Effective for all other issuers for fiscal years ending on or after April 15, 2005.

• In the issuer’s first periodic report due after its first section 404 report, management must evaluate material changes in internal control over financial reporting.


• Changes to the 302 certification and related disclosure requirements are effective August 14, 2003.

‐ Disclose material changes in internal control over financial reporting that occurred during the fiscal period (during the fourth quarter in a Form 10-K).

‐ Evaluate disclosure controls and procedures as of the end of the fiscal period.

‐ Provide Section 302 and 906 certifications as exhibits.


Final Rule: Auditor Independence

• Final rules adopted to implement Title II of the Act.

• Rules address the following:

‐ Prohibited non-audit services,

‐ Audit committee pre-approval of services,

‐ Audit partner rotation,

‐ Employment by clients of members of the audit team,

‐ Certain reports to audit committees, and

‐ A prohibition on compensation to audit partners based on non-audit services


Prohibited Non-Audit Services

• SEC adopted the list of prohibited services set forth in Section 201 of the Act; many were already prohibited under the independence rules adopted in 2000.

• For those services not previously prohibited, such services are prohibited as of May 6, 2003.

• Services being provided pursuant to contract in place as of May 6 may continue for up to 12 months (as long as they are not materially modified).


Audit Committee Pre-Approval of Services for Indep. Auditors

• Rule requires that either:

‐ Audit committee pre-approve all audit or non-audit services to be rendered by the accounting firm, or

‐ The engagement to render services is entered into pursuant to pre-approval policies and procedures established by the audit committee, provided:

– the policies and procedures are detailed as to the particular service;

– the audit committee is informed of each service that is rendered; and

– such policies and procedures do not include delegation of the audit committee’s responsibilities to management.


• Pre-approval requirements become effective on May 6 for services that are to be performed after that date.

• Contracts dated prior to May 6 do not require pre-approval by the audit committee and may continue for up to 12 months (as long as they are not materially modified).

• Once effective, companies will be required to disclose the audit committee’s policies and procedures for pre-approving audit and non-audit services.


Sarbanes Oxley Act 404

Marc Oberholtzer


Agenda

Overview

Controls Testing – Audit versus 404 Attestation

Five Components of COSO’s Internal Control Framework

Overview of P/C Reserving and the Five COSO Components

Risk and Controls, and Internal Control Maturity Framework

Property/Casualty Actuarial Reserving Process

Examples – Points of Risk

Examples – Potential Controls for a Risk


What is Different with 404 Attestation?

• Financial statement audit focuses on the quality of the information in the financial statements,

Whereas

• 404 Attestation focuses on the quality of the processes that produce the information in the financial statements.

• 404 Attestation raises the bar for management, audit committee, board and its independent auditors.


Control Testing During the Audit of Financial Statements

• Understanding and consideration of internal controls only to develop the audit approach

• Overall objective is the rendering of an opinion on the financial statements, not to opine on internal controls

• Internal control reports have been very rare in practice and are the subject of different auditing standards

• Does not include the rendering of an opinion on management’s assessment of internal control


Control Testing During the 404 Attestation

• 100% controls-based approach. No comfort from substantive/analytical procedures.

• Must evaluate and test controls across business and functional areas to opine on effectiveness (broad and deep)

• A historical lack of errors in financial statements is not, in itself, de facto evidence of an appropriate internal control structure

• Cumulative audit knowledge and rotation are not applicable


Recap of 404 Attestation

• 404 Attestation focuses on the quality of the processes that produce the information in the financial statements.

• Getting involved with your company’s readiness activities is important

• You might have additional work to do to prepare your area for your independent auditors’ 404 Attestation – substantial incremental effort might be required


What is a Control?

• A control is a process or step designed to mitigate a risk of not achieving an objective.

• Questions to consider:

What is the business objective?

What risks interfere with achieving this objective?

What processes/steps can be taken to reduce these risks?

• In this context, business objective could be reasonably stated reserves.


Five Components of COSO’s Internal Control Framework


Overview of Actuarial Process – Illustration of P/C Reserving

[Diagram] Process stages*: Data, Analysis, Decision-making, Reporting

Possible Risk Areas: Completeness; Accuracy; Adjustments; External benchmarks; Segmentation; Level of Detail; Qualitative; Methods/Assumptions; Actuarial value/range versus Management best-estimate; Documentation; Communication

* The process is generally not linear; iterations tend to occur. For example, new data are gathered based on initial findings from analysis.


P/C Reserving Process – What Do You Have to Do

• Document the Reserving Process

‐ Prerequisite to Identifying Points of Risk – Roadmap is Needed

‐ Scope, Data Collection/Evaluation, Methods/Assumptions, Review Procedures, Bridging between Actuarial and Recorded

‐ “How Much is Enough” Varies Among Companies

• Identify Points of Risks

• Design Control Activities or Identify Existing Control Activities to Mitigate Risks

• Document the Control Activities and their Function

• Monitor Effectiveness of Control Activities over Time


Control Environment – Potential Elements

• Corporate values and code of ethics

‐ Established, widely communicated, management and staff “walks the talk”

• Clearly defined roles and responsibilities

• Corporate organization structure for reserving actuary

‐ Can a conflicting reserve opinion be heard by CFO, CEO, Chairman, Audit Committee?

• Effectiveness of staff and management

• Familiarity, understanding and training of Audit Committee members with reserving topics.


Risk Assessment – Potential Elements

– Is claim and premium coding valid and accurate?

– Do systems correctly employ coded transactions to produce reserving reports?

• Schedule P, Actuarial reserving triangles, etc.

– Have all appropriate actuarial methods been employed?

– Are all corporate initiatives considered in reserve projections?

• Underwriting, pricing, claims, expense and other initiatives.

– Have external environment events been considered in reserve projections?

• Inflation trends, legislative activity, demographics, weather, etc.


Risk Assessment – Potential Elements (2)

– Where are the key actuarial judgement points for each reserve?

• Development patterns, loss ratios, price changes

– Has the actuarial profession’s “Statement of Principles” been considered?

• Data organization, homogeneity, credibility, frequency and severity, etc.

– Where are the key management judgement points for each reserve?

• Adjustments, bulk loadings, etc.

– What spreadsheets are used in the testing of reserves?

• Cell formulae, manual changes

– SAP vs. GAAP differences


Control Activities – Potential Elements

Documented Processes

• Data Reconciliation

• Checklist of Procedures

• Approval of Deviations

• Documentation of Judgments

• Documentation of External Inputs

• Peer Reviews

• Does someone outside the reserve process verify completion of all procedures?


Other Control Components – Potential Elements

Information & Communication

• Input into reserving process – Are there control processes established for input into the reserving processes?

– Loss and Premium Data

– Ceded Reinsurance

– Input of Pricing, Underwriting, Claims into Process

• Output of reserving process – Communicating results to senior management

– Is there a formal delivery package for reserve results each quarter?

– What is lead actuary’s role in approving recorded reserves?

Monitoring

• Are exceptions or surprises evaluated?

– Were there controls in place?

– Why were those controls not effective?

• Are post-mortem meetings conducted?

• Is input from those outside of the reserving process (e.g., top management, third party actuaries, external and internal auditors) considered in re-evaluations of the process?


Internal Controls Maturity Framework

Level 1 – Unreliable

– Unpredictable environment where control activities are not designed or in place

Level 2 – Informal

– Disclosure Activities and Controls are designed and in place but are not adequately documented

– Controls mostly dependent on people

– No formal training or communication of control activities

Level 3 – Standardized

– Control activities are designed and in place

– Control activities have been documented and communicated to employees

– Deviations from control activities will likely not be detected

Level 4 – Monitored

– Standardized controls with periodic testing for effective design and operation with reporting to management

– Automation and tools may be used in a limited way to support control activities

Level 5 – Optimized

– An integrated internal control framework with real time monitoring by management with continuous improvement (Enterprise-Wide Risk Management)

– Automation and tools are used to support controls activities and allow the organization to make rapid changes to the control activities if needed

[Diagram labels]

UNRELIABLE: Unpredictable environment where control activities are not designed or in place

INFORMAL: Control activities are designed and in place but are not adequately documented

STANDARDIZED: Control activities are designed, in place and are adequately documented

MONITORED: Standardized controls with periodic testing for effective design and operation with reporting to management

OPTIMIZED: Integrated internal controls with real time monitoring by management and continuous improvement


Questions For Company Actuaries

From a big picture, company actuaries need to ask themselves . . .

Are there adequate controls in place around the actuarial reserving process that impact financial reporting?

What does the internal control structure look like and how does it operate?

Are these controls formal or informal?

Are they documented and current?

Are they monitored and tested?

Who is accountable?


Questions For Company Actuaries (2)

From a big picture, company actuaries need to ask themselves . . .

How will management assess the ongoing effectiveness of controls?

How are control issues tracked and evaluated?

What are the critical control activities?

How will I demonstrate that I have reviewed the controls every quarter?

What actuarial outputs impact the financial statements and footnotes?


Points of Risk

Jay Votta


Point of Risk – Example 1

Data utilized in the actuarial calculations are not complete or accurate.

Loss records with invalid coding are put in a dump file and not included in data used for reserve estimates.

The grand totals of actuarial data reconcile to systems control totals, but subtotals for relevant subsets (e.g., by accident year or by line of business) are inaccurate.


Potential Controls – Example 1

Risk (1): Data utilized in the actuarial calculations are not complete or accurate.

Reconciliations of claim and premium data utilized in the actuarial calculations to underlying statistical records/subsidiary ledgers are performed and reviewed in a timely manner by appropriate personnel.

Reconciliations of underlying statistical records/subsidiary ledgers to appropriate supporting documentation are performed and reviewed in a timely manner by appropriate personnel.

Interface controls (e.g., exception reports detailing differences in batch totals) ensure that claim and premium data utilized in the actuarial calculations are appropriately interfaced with the underlying claims, premiums or actuarial systems.

Changes to data from underlying statistical records/subsidiary ledgers (e.g., manual adjustments) are appropriately supported with documentation and reviewed by an appropriate individual.


Point of Risk – Example 2

Inappropriate methodologies could result in reserve estimates that are not reasonable.

Paid loss development is used when known changes in procedures distort the payment pattern.

Frequency & severity methods are used when the definition of a claim count has changed recently.

Adjustments are used to reflect changes in claims department procedures without clear evidence in the data, e.g., a push to close large claims or a small file cleanup has recently begun.

Changes in claims department procedures exist, appear in the data and are modeled incorrectly.

Choosing a-priori loss ratios that are less than every LDF method calculated or otherwise biased.


Potential Controls – Example 2

Risk (2): Inappropriate methodologies could result in reserve estimates that are not reasonable.

Actuaries meet with claim department on a regular basis to assess potential effects of changes in claims practice on observed actuarial data.

Adjustments are reviewed and accepted by another Actuary.

A-priori loss ratio reserving selections are independent from pricing analysis.

Selection of a-priori loss ratios is determined independently but in consultation with underwriter and pricing actuaries.


Point of Risk – Example 3

Inappropriate key assumptions could result in reserve estimates that are not reasonable.

Long-term averages are used for parameters when there is evidence of changes in recent years.

Assumptions about the stability of the underlying data are not confirmed by the claims VP's discussion of recent activities in the claims department.

Changes in Claims Department case reserving procedures or practices are not reflected in estimates.

Changes in Claims Department claim payment procedures or practices are not reflected in estimates.

Backlogs or catch-up in Claims Department claims handling are not reflected in estimates.

Changes in mix of business within a reviewed segment are not reflected in estimates.


Potential Controls – Example 3

Risk (3): Inappropriate key assumptions could result in reserve estimates that are not reasonable.

Parameter selections are reviewed and accepted by another actuary.

The company actuaries have a policy for utilizing a particular statistic (e.g., average of last 5 observed factors). Deviations are documented, reviewed, and accepted.

Actuaries meet with claim department on a regular basis to assess potential effects of changes in claims practice on observed actuarial data.

Actuaries meet with underwriting department on a regular basis to assess potential effects of changes in the mix of business.

Selection of a-priori loss ratios is determined independently but in consultation with underwriter and pricing actuaries.


Point of Risk – Example 4

Actuarial value/range does not reconcile to financial statement reserves and/or management’s best estimate.

Management’s view may differ from actuarial results.

Breakdown in reporting of actuarial results.


Potential Controls – Example 4

Risk (4): Actuarial value/range does not reconcile to financial statement reserves and/or management’s best estimate.

A report exists that documents reasons for differences in sufficient detail to provide a reconciliation by line of business and in total.

A system exists for proper reporting of actuarial results.


Point of Risk – Example 5

Reporting of actuarial findings is not well documented.

Documentation is not complete

Documentation is not accurate

Documentation is not recoverable

Documentation is not transferable

Documentation is not secure


Potential Controls – Example 5

Risk (5): Reporting of actuarial findings is not well documented

Documentation follows ASOP 9

Documentation is “tech” and “peer” reviewed

Documentation is stored on a common server

Multiple actuaries are intimate with documentation

Access to common server is limited/controlled


Point of Risk – Example 6

Reporting of actuarial findings is not properly communicated

Communication does not follow company protocols

Communication is inconclusive

Communication is misunderstood

Communication is not secure


Potential Controls – Example 6

Risk (6): Reporting of actuarial findings is not properly communicated

System exists for communicating results right up to the Board of Directors.

Documentation should include an Executive Summary.

Minutes are recorded when results are communicated verbally.

Follow up meetings are held when results are communicated in writing.

Multiple actuaries attend meetings.


Q&A