Page 1: Orlando - Ethics in Financial Reporting


Sarbanes-Oxley: Implications for Insurers and Actuaries

SOA Annual Meeting
October 29, 2003

Agenda

• Where Sarbanes fits in
• Scope of Sarbanes
• Section 404
• Financial Services and Sarbanes
• Practical Considerations
• Value from Sarbanes


Where Sarbanes fits in

• Addresses financial reporting/disclosure risk
• Impacts:
  – Issuers
  – External auditors
  – Investment analysts
• Objectives: financial reports that are:
  – Informative
  – Accurate
  – Independently audited

Scope of SOA

• Public Company Accounting Oversight Board (PCAOB)
• Auditor Independence
• Corporate Responsibility
• Enhanced Financial Disclosures
• Analyst Conflicts of Interest
• Commission Resources and Authority
• Studies and Reports
• Corporate and Criminal Fraud Accountability
• White-Collar Crime Penalty Enhancements
• Corporate Tax Returns
• Corporate Fraud and Accountability


PCAOB Objective

“…to oversee the audit of public companies…in order to protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports for companies the securities of which are sold to, and held by and for, public investors.”

SOA 404 Requirements

a) …each annual report…contain an internal control report, which shall:

1. State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

2. Contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

b) The auditor shall attest to, and report on, the assessment made by the management of the issuer.


SEC 404 Rule: Summary

“Internal Controls and Procedures for Financial Reporting”

Purpose is to ensure that companies have processes designed to provide reasonable assurance that:

• The company’s transactions are properly authorized
• The company’s assets are safeguarded against unauthorized or improper use
• The company’s transactions are properly recorded and reported

to permit the preparation of the financial statements in accordance with GAAP

• Relates to the audited financial statements and notes thereto
• Safeguarding of assets
• Effective for years ending on or after 6/15/04

Management Assertion

Management assessed the Company’s internal control over financial reporting as of December 31, 200X. Based on this assessment, management believes that, as of December 31, 200X, the Company maintained effective internal control over financial reporting, including maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the Company, and policies and procedures that provide reasonable assurance that (a) transactions are recorded as necessary to permit preparation of financial statements in accordance with accounting principles generally accepted in the United States of America and (b) receipts and expenditures of the Company are being made only in accordance with authorizations of management and directors of the Company, based on the criteria for effective internal control over financial reporting established in Internal Control-Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission.

EXAMPLE LANGUAGE FOR ILLUSTRATION PURPOSES ONLY


Required Elements: Assessment Process I

To support the assertion, the Company’s process must:

• Determine which controls are significant
• Determine which locations or business units should be included in the evaluation
• Document and evaluate the design of significant controls
• Evaluate the operating effectiveness of controls

Required Elements: Assessment Process II

To support the assertion, the Company’s process must:

• Identify significant deficiencies or material weaknesses
• Document the results of the evaluation
• Communicate findings (e.g., significant deficiencies and material weaknesses) to the independent auditor

Absence of sufficient evidence to support the company’s evaluation constitutes a material weakness that results in a report qualification.


Required Elements: Documentation

Importance of Documentation

• Documentation of the design of significant controls, e.g. policies and procedures, provides evidence that controls have been identified and are capable of being monitored by the company
• Inadequate documentation of the design of controls may result in a significant deficiency or a material weakness and may constitute a limitation on the scope of the engagement

Key Considerations (Continued)

Formalizing the process and controls for risk areas; e.g.:

• Non-routine transactions and balances
• Estimates
• Consideration and documentation of GAAP (transactions, contracts and agreements)
• Fraud risk areas; e.g.
  – Consideration of management override
  – Monitoring - unusual and significant journal entries
• Other specific risk areas
• Audit adjustments


Sarbanes Oxley 404 Overview

[Flow diagram: each step is shown with an example]

• Determine Scope (Entity & Fin’l. Stmt. Lines): Individual Life – Premiums
• Identify Applicable Cycles: Premiums / Deposits
• Identify Risks: Premiums Recorded on Lapsed Policies
• Identify Control Objectives: Premiums Recorded on Valid Policies, Valued Accurately, Recorded Timely & Processed Completely
• Identify Control Activities: An Integrated Application Allows Bills To Be Processed Only For In-Force Policies
• Obtain / Complete Documentation: Document Rules & Processes over In-force File Maintenance
• Test Effectiveness: Test In-force File Maint. Procedures, including a Sample of Lapsed Policies

Also shown: Company A’s 12/31/03 Assertion; Auditor’s Attestation Report; Company A’s Financial Statements; Process to Sustain the Effectiveness of Controls and Documentation

Timeline

Stage I: Plan & Scope
• Develop a plan
• Design framework
• Scope company
• Assess risk
• Starter control sets
• Set project roles

Stage II: Document, Assess & Remediate
For each location/process:
• Tailor control objectives
• Tailor control activities
• Identify documentation
• Test operating effectiveness
• Assess gaps
• Remediate

Stage III: Report/Sustain
• Update assessment
• Prepare assertion
• Prepare report
• Develop sustainable 302/404 process

Also shown on the timeline: Board Review (twice); Auditor Readiness Assessment and Planning; Auditor Attest Procedures


Financial Services and Sarbanes

• Good news: Risk management is a key aspect of the business and, in most cases, culture
• Opportunities:
  – Alignment of “tone at the top” and process
  – Documentation
  – Consistency
  – Metrics
  – Disclosure controls

Insurers and Sarbanes

“…the unique nature of insurance risk (the quantification of which is often inherently difficult and judgemental) is leading many insurers’ disclosure committees to involve claims, underwriting, and actuarial personnel – groups that traditionally have not been a core part of a financial disclosure team.”


Top-Down Actuarial Control Structure

• Methods and assumptions
  – Meet applicable guidance
  – Reflect policy characteristics
• Data integrity
  – Input items
  – Movement among systems
• Accuracy of calculations
  – Seriatim accuracy/reasonableness
  – Manual adjustments
• Disclosure
  – Translation to financial statements
  – Aggregate reasonableness

Practical Considerations

• Top-down vs bottom-up
• Corporate actuarial vs lines of business
• Practical vs comprehensive
• Process owners
• Granularity
  – Lines of business
  – Product
  – Owner
  – Systems
  – Financial statement lines


Practical Considerations (Cont’d)

• Interaction with other functions/business units
• Testing/validation
• Documentation
• Start at the end (i.e. financial statements)
• Leverage existing documentation (e.g. internal audit reviews)
• Address known weaknesses early
• Work in the context of 404 technology

Documentation-Content

• Specific control being documented
• Risks mitigated by the control
• When (how often) and where control occurs
• Who performs the control
• Information produced by control, and to whom
• Who monitors the effectiveness of the control


Documentation-Characteristics

• Formal
• Up-to-date
• Clearly described
• Owned by business unit
• Linked to Sarbanes 404 compliance program
• Centralized
• Common format

What You Can Do

• Dialogue with:
  – CFO/Corporate controller
  – Internal and external auditors
  – Other actuarial areas
• Participate in the process
• Document (ASOP 21)
• Keep the goal in mind: Accurate and informative financial statements


Benefits

• You get to stay listed
• Create key measures/dashboard for CEOs/CFOs to see how well controls are working
• Create an internal control change function for the organization
  – Reduce surprises
  – More orderly implementations/organizational changes
• Restore confidence to the public markets that, in the end, we all report to

Contact Details

Darryl Wagner
1-860-725-3165


Ethics in Financial Reporting

Neville S. Henderson

Session 1330F - SoA Annual Meeting

October 29, 2003

PricewaterhouseCoopers


Sources of governance in Canada

• Insurance Companies Act (“ICA”)

• Office of the Superintendent of Financial Institutions (“OSFI”)

• Provincial Insurance Regulators

• Canadian Institute of Actuaries (“CIA”)

• SEC


Insurance Companies Act

• All Federally licensed companies must comply

• Roles and responsibilities of Actuary and Auditor defined

• Protection for Actuary in complying with Act

• Allows OSFI to require an external review of the actuary’s work if there are concerns about quality or financial integrity


OSFI

• Administers ICA

• Power to order a complete review of the actuary’s work

• Issues annual memorandum to the appointed actuary with any additional requirements

• Influences the CIA in developing standards


CIA

• Sets standards of practice
  – Code of professional conduct
  – General standards of practice
  – Practice specific standards of practice

• Enforces compliance
  – Discipline process
  – Previously compliance questionnaires
  – Currently peer review


SEC

• Exerts direct control over all companies registered on the US stock exchanges

• Audit committees of Non-SEC registrants may use SEC requirements as a guide in establishing internal procedures

• Audit committees may be more rigid than SEC requires


Background to formalizing the External Review Process

• Several insolvencies in 80’s and 90’s

• Range of practice a concern to regulators
  – Discipline process formalized
  – Compliance questionnaires introduced

• OSFI unilaterally implemented a triennial review process in late 90’s
  – Encouraged CIA to establish peer review process

• Consolidated Standards of Practice introduced by the CIA in 2002
  – Increased the range of practice
  – Compliance questionnaires inadequate

• Formal introduction of External Review of the Actuary’s Work by CIA and OSFI


Background and Objectives of the External Review Process - CIA

• Improve quality of work actuaries provide to clients

• Strengthen the position of the profession and members

• Maintain and strengthen confidence of users in the work

• Education for both actuaries involved; should be collegial

• Minimize risk of errors that might jeopardize the reputation of actuaries

• Expected to narrow range of results

• Preferable to occur prior to release but within 3 months after is acceptable


Terms of Engagement - CIA

• Reviewer recommended by 1st actuary (AA)

• Engaged by AA’s firm

• Same competence tests applied as for AA
  – If FCIA required to do work, reviewer must be an FCIA
  – Expertise and experience requirements

• Objectivity

• Limited engagement for 2 or 3 cycles before change

• Sample engagement letter provided


Conduct of review - CIA

• 1st actuary and reviewer to cooperate fully

• Confidentiality to be maintained

• Review in adequate depth to supply written opinion but not as onerous a review as the work itself
  – Not necessary to reproduce calculations
  – Not required to do in-depth research of contracts

• 1st actuary to provide
  – Relevant documentation
  – Logic behind conclusions
  – Thorough controls of processes


Objectives of the external review process - OSFI

• Strengthen confidence by public, management, directors and regulators

• Narrow the range of practice

• Improve quality of the AA’s work

• Provide professional education to the AA


Work to be reviewed - OSFI

• Valuation of actuarial and policy liabilities and preparation of AAR

• For federally regulated companies, AA’s oversight of regulatory capital requirement

• For Canadian life insurance companies, allocations of investment income, expenses, and taxes to par accounts and actuarial opinions relating to the dividends paid to par policyholders

• Future financial condition report


Review to confirm - OSFI

• Work of AA within range of accepted actuarial practice

• Appropriateness of assumptions and methods

• Whether AAR accurately describes assumptions and methodology employed

• Review adequacy of procedures, systems, work of others relied on by AA

• Produce a written report


Timing - OSFI

• All work should be reviewed at least triennially

• Could subdivide the work over the 3 year cycle

• Prefer to have review prior to releasing the pertinent report

• Should be submitted no later than 3 months after release by AA

• If completed by the audit firm, review must be completed prior to issuing audit opinion


Report - OSFI

• Available to:
  – Audit committee of BoD
  – OSFI on a confidential basis

• Should describe:
  – Extent of work done by reviewer
  – Conclusions with respect to compliance with accepted actuarial practice
  – Conclusions with respect to other objectives or requirements established by OSFI
  – Changes to previously employed methods/assumptions
  – Any remaining differences between AA and reviewer


Selection of Reviewer - OSFI

• Qualifications include:
  – Same as to be an AA
  – Experience requirements including exposure to 2 or more companies to acquire sense for range of practice

• Should be objective:
  – No prior relationship that would impair objectivity
  – May not be employee or served as AA within 3 years
  – No financial interest in company
  – If AA is a consultant, reviewer cannot be from same firm
  – Should not provide advice with respect to recommended changes

• Change every 2 cycles


Reaction to the new process

• Some feel it provides a second opinion and sense of comfort to AA

• Others feel SoPs are adequate

• Expense, especially to small companies

• Difficult for sole practitioners

• Reviewer bound by Rule 13 of Rules of Professional Conduct of CIA


Peer Review

Joint CIA-SOA Meeting October 29, 2003

Josephine Robinson

Peer Review

Practice at Sun Life for:
• External Review
• Internal Review


Sun Life

International Company with Operations in:
• Canada
• US
• UK
• Asia
  – Hong Kong, Philippines, Indonesia, China, & India

Sun Life Structure

Corporate Actuarial – Toronto
• Valuation is decentralized

National Operation Corporate Actuarial area
• Chief Actuary in each operation worldwide

Business Units
• Actuary whose responsibility includes valuation
• Business Units perform the valuation


Sun Life Structure

Asset liability management
• Done at the national operation level
• Asset cash flows often prepared by national operation corporate area or a corporate area of Investments
• Liability cash flows prepared by business unit
• CALM testing generally done by the business unit

Goals of Review

Narrow the range of actuarial practice across the Company (depending on necessity for consistency)
Improve quality of the work
Provide education for the business units, national operation, corporate
Better understanding of what everyone is doing and ensure practices meet with the Appointed Actuary’s approval


What is reviewed?

Canadian statement policy liabilities
• Appointed Actuary’s Report

Financial Condition Reports - Dynamic Capital Adequacy Testing (DCAT)
Actuarial opinions regarding capital requirements - Minimum Continuing Capital and Surplus Requirements (MCCSR)

What is reviewed?

Allocation of investment income, expenses & taxes - Compliance with the Insurance Companies Act (ICA)
Actuarial opinions relating to policyholder dividends (ICA)


Scope of External Review

Ascertain that work is within range of accepted actuarial practice
Review appropriateness of assumptions made and methods employed
Review adequacy of procedures, systems and work of others that AA relies on
Produce a written report documenting findings and recommendations
• Management responses included

Requirements

It does not mean reproducing the work or doing any detailed recalculations


External Review

First review conducted for 2002 year-end
• Individual Insurance in all Operations
• Established materiality limits i.e. did not review small blocks of business

Started summer of 2002 with review of 2001 AA Report
• Documentation regarding assumptions, experience studies

External Review

Post-release review – report completed early April
Summarized report submitted to Board in July
• Focus on what is important to them

A number of recommendations made, some of which have already been implemented
Others postponed until Operation can develop plan


What did we learn?

Educational value of more significance to Operations outside of Canada
Business units frustrated with amount of scrutiny, questions
• Some people more open to suggestions than others
• Some differences of opinion as to interpretation

What did we learn?

Suggested changes were practical and for most not difficult to implement
Some recommendations supported changes that we wanted to make – appeal to a 3rd party expert
Compared to other reviews conducted in the past by other consultants, this review was not excessive and yet produced a number of recommendations for improvement


What were the benefits?

Benefit included creation of documents and Corporate review of the documentation
Disciplined approach
Responding to questions provides opportunity to learn more about the business
Provides opportunity for sharing best practices

Process this year

Second review for 2003 started
• Schedule created with input from national operations and business units to obtain buy-in for timeframe and work effort

Schedule frequent question & answer sessions between business units, national operation coordinator, Corporate Office actuarial coordinator and Consultant


Internal Review

Not mandated
Goal to review line of business prior to external review
Internal review more extensive and needs to involve review of systems, data, and policy liability testing at a more detailed level

Internal Review

Ideally it should be done a year in advance to allow for time to make the changes necessary
Assumptions and method changes reviewed at least quarterly
System checks and associated detailed policy data checks may be completed say once every 3-5 years
• Also when program changes made a review of the changes is necessary


Corporate Actuarial – Assumption & Methodology Change Process

[Flowchart with two lanes, National Operations and Corporate Actuarial. Boxes and decision points shown:]

• Nat’l Operations submit assumption & methodology changes
• Appointed Actuary reviews and questions assumptions & methodology
• Issues? (Yes / No)
• Appointed Actuary discusses with Chief Actuary
• Resolved? (No / Yes)
• Submit changes
• Appointed Actuary approves the assumptions & methodology
• Run valuation and review valuation test where irregularities are noted

Note: Best estimate assumptions and margin for adverse deviation
– mortality
– morbidity
– lapse
– expenses
– inflation
– asset default
– reinvestment
– tax
– interest rate where applicable
Plus
– policyholder dividends
– tax reserve

Internal Review

Developed a peer review tracking system
• Ensure that management responses to recommended changes are completed

The reviews support each other


Valuation Review & Sarbanes-Oxley

External review and internal review provide process support and documentation to demonstrate compliance with Sarbanes-Oxley
Ensures quality assurance
Documentation database to include supporting documents

Are we overdoing it?

Internal reviews allow us to investigate work more thoroughly
• It can reduce work effort of consultant

Good practice to ensure one’s own work is appropriate
• Important for risk management
• Feeds nicely to Sarbanes-Oxley


Does Organizational Structure Support Strategy?

With decentralized valuation need to have different controls
For centralized valuation benefit of lower costs and fewer people having to be familiar with standards

Structure we had prior to demutualization

Valuation Review & Sarbanes-Oxley

Valuation actuary should now have improved data integrity
Previously, in administrative or claims areas, accuracy on some data items was viewed as important only to actuaries (e.g. coding of sex, age or standard, sub-standard)
Demonstrate controls are in place


Conclusion

Valuation actuaries and other users of actuarial information should have more confidence in the results
Review should provide opportunity to introduce continuous improvement