Jun 20, 2015
Sarbanes-Oxley: Implications for Insurers and Actuaries
SOA Annual Meeting
October 29, 2003
Agenda
• Where Sarbanes fits in
• Scope of Sarbanes
• Section 404
• Financial Services and Sarbanes
• Practical Considerations
• Value from Sarbanes
Where Sarbanes fits in
• Addresses financial reporting/disclosure risk
• Impacts:
– Issuers
– External auditors
– Investment analysts
• Objectives: financial reports that are:
– Informative
– Accurate
– Independently audited
Scope of SOA
• Public Company Accounting Oversight Board (PCAOB)
• Auditor Independence
• Corporate Responsibility
• Enhanced Financial Disclosures
• Analyst Conflicts of Interest
• Commission Resources and Authority
• Studies and Reports
• Corporate and Criminal Fraud Accountability
• White-Collar Crime Penalty Enhancements
• Corporate Tax Returns
• Corporate Fraud and Accountability
PCAOB Objective
“…to oversee the audit of public companies…in order to protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports for companies the securities of which are sold to, and held by and for, public investors.”
SOA 404 Requirements
a) …each annual report…contain an internal control report, which shall:
1. State the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
2. Contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
b) The auditor shall attest to, and report on, the assessment made by the management of the issuer.
SEC 404 Rule: Summary
“Internal Controls and Procedures for Financial Reporting”
Purpose is to ensure that companies have processes designed to provide reasonable assurance that:
• The company’s transactions are properly authorized
• The company’s assets are safeguarded against unauthorized or improper use
• The company’s transactions are properly recorded and reported
to permit the preparation of the financial statements in accordance with GAAP
Relates to the audited financial statements and notes thereto
Safeguarding of assets
Effective for years ending on or after 6/15/04
Management Assertion
Management assessed the Company’s internal control over financial reporting as of December 31, 200X. Based on this assessment, management believes that, as of December 31, 200X, the Company maintained effective internal control over financial reporting, including maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the Company, and policies and procedures that provide reasonable assurance that (a) transactions are recorded as necessary to permit preparation of financial statements in accordance with accounting principles generally accepted in the United States of America and (b) receipts and expenditures of the Company are being made only in accordance with authorizations of management and directors of the Company, based on the criteria for effective internal control over financial reporting established in Internal Control-Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission.
EXAMPLE LANGUAGE FOR ILLUSTRATION PURPOSES ONLY
Required Elements: Assessment Process I
To support the assertion, the Company’s process must:
• Determine which controls are significant
• Determine which locations or business units should be included in the evaluation
• Document and evaluate the design of significant controls
• Evaluate the operating effectiveness of controls
Required Elements: Assessment Process II
To support the assertion, the Company’s process must:
• Identify significant deficiencies or material weaknesses
• Document the results of the evaluation
• Communicate findings (e.g., significant deficiencies and material weaknesses) to the independent auditor
Absence of sufficient evidence to support the company’s evaluation constitutes a material weakness that results in a report qualification.
Required Elements: Documentation
Importance of Documentation
• Documentation of the design of significant controls; e.g. policies and procedures, provides evidence that controls have been identified and are capable of being monitored by the company
• Inadequate documentation of the design of controls may result in a significant deficiency or a material weakness and may constitute a limitation on the scope of the engagement
Key Considerations (Continued)
Formalizing the process and controls for risk areas; e.g.:
• Non-routine transactions and balances
• Estimates
• Consideration and documentation of GAAP (transactions, contracts and agreements)
• Fraud risk areas; e.g.
– Consideration of management override
– Monitoring - unusual and significant journal entries
• Other specific risk areas
• Audit adjustments
Sarbanes Oxley 404 Overview
[Flow diagram: each step is shown with an individual life premiums example]
• Determine Scope – Entity & Fin’l. Stmt. Lines: Individual Life – Premiums
• Identify Applicable Cycles: Premiums / Deposits
• Identify Risks: Premiums Recorded on Lapsed Policies
• Identify Control Objectives: Premiums Recorded on Valid Policies, Valued Accurately, Recorded Timely & Processed Completely
• Identify Control Activities: An Integrated Application Allows Bills To Be Processed Only For In-Force Policies
• Obtain / Complete Documentation: Document Rules & Processes over In-force File Maintenance
• Test Effectiveness: Test In-force File Maint. Procedures, including a Sample of Lapsed Policies
Also shown: Company A’s 12/31/03 Assertion; Company A’s Financial Statements; Auditor’s Attestation Report
Process to Sustain the Effectiveness of Controls and Documentation
Timeline
Stage I: Plan & Scope
• Develop a plan
• Design framework
• Scope company
• Assess risk
• Starter control sets
• Set project roles
Stage II: Document, Assess & Remediate
For each location/process:
• Tailor control objectives
• Tailor control activities
• Identify documentation
• Test operating effectiveness
• Assess gaps
• Remediate
Stage III: Report/Sustain
• Update assessment
• Prepare assertion
• Prepare report
• Develop sustainable 302/404 process
Also shown on the timeline: Board Review (twice), Auditor Readiness Assessment and Planning, Auditor Attest Procedures
Financial Services and Sarbanes
• Good news: Risk management is a key aspect of the business and, in most cases, culture
• Opportunities:
– Alignment of “tone at the top” and process
– Documentation
– Consistency
– Metrics
– Disclosure controls
Insurers and Sarbanes
“…the unique nature of insurance risk (the quantification of which is often inherently difficult and judgemental) is leading many insurers’ disclosure committees to involve claims, underwriting, and actuarial personnel-groups that traditionally have not been a core part of a financial disclosure team.”
Top-Down Actuarial Control Structure
• Methods and assumptions
– Meet applicable guidance
– Reflect policy characteristics
• Data integrity
– Input items
– Movement among systems
• Accuracy of calculations
– Seriatim accuracy/reasonableness
– Manual adjustments
• Disclosure
– Translation to financial statements
– Aggregate reasonableness
Practical Considerations
• Top-down vs bottom-up
• Corporate actuarial vs lines of business
• Practical vs comprehensive
• Process owners
• Granularity
– Lines of business
– Product
– Owner
– Systems
– Financial statement lines
Practical Considerations (Cont’d)
• Interaction with other functions/business units
• Testing/validation
• Documentation
• Start at the end (i.e. financial statements)
• Leverage existing documentation (e.g. internal audit reviews)
• Address known weaknesses early
• Work in the context of 404 technology
Documentation-Content
• Specific control being documented
• Risks mitigated by the control
• When (how often) and where control occurs
• Who performs the control
• Information produced by control, and to whom
• Who monitors the effectiveness of the control
Documentation-Characteristics
• Formal
• Up-to-date
• Clearly described
• Owned by business unit
• Linked to Sarbanes 404 compliance program
• Centralized
• Common format
What You Can Do
• Dialogue with:
– CFO/Corporate controller
– Internal and external auditors
– Other actuarial areas
• Participate in the process
• Document (ASOP 21)
• Keep the goal in mind: Accurate and informative financial statements
Benefits
• You get to stay listed
• Create key measures/dashboard for CEOs/CFOs to see how well controls are working
• Create an internal control change function for the organization
– Reduce surprises
– More orderly implementations/organizational changes
• Restore confidence to the public markets that, in the end, we all report to
Contact Details
Darryl Wagner
1-860-725-3165
Ethics in Financial Reporting
Neville S. Henderson
Session 1330F - SoA Annual Meeting
October 29, 2003
PricewaterhouseCoopers
Sources of governance in Canada
• Insurance Companies Act (“ICA”)
• Office of the Superintendent of Financial Institutions (“OSFI”)
• Provincial Insurance Regulators
• Canadian Institute of Actuaries (“CIA”)
• SEC
Insurance Companies Act
• All Federally licensed companies must comply
• Roles and responsibilities of Actuary and Auditor defined
• Protection for Actuary in complying with Act
• Allows OSFI to require an external review of the actuary’s work if there are concerns about quality or financial integrity
OSFI
• Administers ICA
• Power to order a complete review of the actuary’s work
• Issues annual memorandum to the appointed actuary with any additional requirements
• Influences the CIA in developing standards
CIA
• Sets standards of practice
– Code of professional conduct
– General standards of practice
– Practice specific standards of practice
• Enforces compliance
– Discipline process
– Previously compliance questionnaires
– Currently peer review
SEC
• Exerts direct control over all companies registered on the US stock exchanges
• Audit committees of Non-SEC registrants may use SEC requirements as a guide in establishing internal procedures
• Audit committees may be more rigid than SEC requires
Background to formalizing the External Review Process
• Several insolvencies in 80’s and 90’s
• Range of practice a concern to regulators
– Discipline process formalized
– Compliance questionnaires introduced
• OSFI unilaterally implemented a triennial review process in late 90’s
– Encouraged CIA to establish peer review process
• Consolidated Standards of Practice introduced by the CIA in 2002
– Increased the range of practice
– Compliance questionnaires inadequate
• Formal introduction of External Review of the Actuary’s Work by CIA and OSFI
Background and Objectives of the External Review Process - CIA
• Improve quality of work actuaries provide to clients
• Strengthen the position of the profession and members
• Maintain and strengthen confidence of users in the work
• Education for both actuaries involved and should be collegial
• Minimize risk of errors that might jeopardize the reputation of actuaries
• Expected to narrow range of results
• Preferable to occur prior to release but within 3 months after is acceptable
Terms of Engagement - CIA
• Reviewer recommended by 1st actuary (AA)
• Engaged by AA’s firm
• Same competence tests applied as for AA
– If FCIA required to do work, reviewer must be an FCIA
– Expertise and experience requirements
• Objectivity
• Limited engagement for 2 or 3 cycles before change
• Sample engagement letter provided
Conduct of review - CIA
• 1st actuary and reviewer to cooperate fully
• Confidentiality to be maintained
• Review in adequate depth to supply written opinion but not as onerous review as work itself
– Not necessary to reproduce calculations
– Not required to do in-depth research of contracts
• 1st actuary to provide
– Relevant documentation
– Logic behind conclusions
– Thorough controls of processes
Objectives of the external review process - OSFI
• Strengthen confidence by public, management, directors and regulators
• Narrow the range of practice
• Improve quality of the AA’s work
• Provide professional education to the AA
12
Work to be reviewed - OSFI
• Valuation of actuarial and policy liabilities and preparation of AAR
• For federally regulated companies, AA’s oversight of regulatory capital requirement
• For Canadian life insurance companies, allocations of investment income, expenses, and taxes to par accounts and actuarial opinions relating to the dividends paid to par policyholders
• Future financial condition report
Review to confirm - OSFI
• Work of AA within range of accepted actuarial practice
• Appropriateness of assumptions and methods
• Whether AAR accurately describes assumptions and methodology employed
• Review adequacy of procedures, systems, work of others relied on by AA
• Produce a written report
Timing - OSFI
• All work should be reviewed at least triennially
• Could subdivide the work over the 3 year cycle
• Prefer to have review prior to releasing the pertinent report
• Should be submitted no later than 3 months after release by AA
• If completed by the audit firm, review must be completed prior to issuing audit opinion
Report - OSFI
• Available to:
– Audit committee of BoD
– OSFI on a confidential basis
• Should describe:
– Extent of work done by reviewer
– Conclusions with respect to compliance with accepted actuarial practice
– Conclusions with respect to other objectives or requirements established by OSFI
– Changes to previously employed methods/assumptions
– Any remaining differences between AA and reviewer
Selection of Reviewer - OSFI
• Qualifications include:
– Same as to be an AA
– Experience requirements including exposure to 2 or more companies to acquire sense for range of practice
• Should be objective:
– No prior relationship that would impair objectivity
– May not be employee or served as AA within 3 years
– No financial interest in company
– If AA is a consultant, reviewer cannot be from same firm
– Should not provide advice with respect to recommended changes
• Change every 2 cycles
Reaction to the new process
• Some feel it provides a second opinion and sense of comfort to AA
• Others feel SoP’s are adequate
• Expense, especially to small companies
• Difficult for sole practitioners
• Reviewer bound by Rule 13 of Rules of Professional Conduct of CIA
Peer Review
Joint CIA-SOA Meeting October 29, 2003
Josephine Robinson
Peer Review
Practice at Sun Life for:
• External Review
• Internal Review
Sun Life
International Company with Operations in:
• Canada
• US
• UK
• Asia
– Hong Kong, Philippines, Indonesia, China, & India
Sun Life Structure
Corporate Actuarial – Toronto
• Valuation is decentralized
National Operation Corporate Actuarial area
• Chief Actuary in each operation worldwide
Business Units
• Actuary whose responsibility includes valuation
• Business Units perform the valuation
Sun Life Structure
Asset liability management
• Done at the national operation level
• Asset cash flows often prepared by national operation corporate area or a corporate area of Investments
• Liability cash flows prepared by business unit
• CALM testing generally done by the business unit
Goals of Review
Narrow the range of actuarial practice across the Company (depending on necessity for consistency)
Improve quality of the work
Provide education for the business units, national operation, corporate
Better understanding of what everyone is doing and ensure practices meet with the Appointed Actuary’s approval
What is reviewed?
Canadian statement policy liabilities
• Appointed Actuary’s Report
Financial Condition Reports - Dynamic Capital Adequacy Testing (DCAT)
Actuarial opinions regarding capital requirements - Minimum Continuing Capital and Surplus Requirements (MCCSR)
What is reviewed?
Allocation of investment income, expenses & taxes - Compliance to the Insurance Companies Act (ICA)
Actuarial opinions relating to policyholder dividends (ICA)
Scope of External Review
Ascertain that work is within range of accepted actuarial practice
Review appropriateness of assumptions made and methods employed
Review adequacy of procedures, systems and work of others that AA relies on
Produce a written report documenting findings and recommendations
• Management responses included
Requirements
It does not mean reproducing the work or doing any detailed recalculations
External Review
First review conducted for 2002 year-end
• Individual Insurance in all Operations
• Established materiality limits i.e. did not review small blocks of business
Started summer of 2002 with review of 2001 AA Report
• Documentation regarding assumptions, experience studies
External Review
Post-release review – report completed early April
Summarized report submitted to Board in July
• Focus on what is important to them
A number of recommendations made, some of which have already been implemented
Others postponed until Operation can develop plan
What did we learn?
Educational value of more significance to Operations outside of Canada
Business units frustrated with amount of scrutiny, questions
• Some people more open to suggestions than others
• Some differences of opinion as to interpretation
What did we learn?
Suggested changes were practical and for most not difficult to implement
Some recommendations supported changes that we wanted to make – appeal to a 3rd party expert
Compared to other reviews conducted in the past by other consultants this review was not excessive and yet produced a number of recommendations for improvement
What were the benefits?
Benefit included creation of documents and Corporate review of the documentation
Disciplined approach
Responding to questions provides opportunity to learn more about the business
Provides opportunity for sharing best practices
Process this year
Second review for 2003 started
• Schedule created with input from national operations and business units to obtain buy-in for timeframe and work effort
Schedule frequent question & answer sessions between business units, national operation coordinator, Corporate Office actuarial coordinator and Consultant
Internal Review
Not mandated
Goal to review line of business prior to external review
Internal review more extensive and needs to involve review of systems, data, and policy liability testing at a more detailed level
Internal Review
Ideally it should be done a year in advance to allow for time to make the changes necessary
Assumptions and method changes reviewed at least quarterly
System checks and associated detailed policy data checks may be completed say once every 3-5 years
• Also when program changes made a review of the changes is necessary
Corporate Actuarial – Assumption & Methodology Change Process
[Flowchart with two lanes: National Operations and Corporate Actuarial]
Boxes and decision points shown:
• Nat’l Operations submit assumption & methodology changes
• Appointed Actuary reviews and questions assumptions & methodology
• Issues? (Yes / No)
• Appointed Actuary discusses with Chief Actuary
• Resolved? (No / Yes)
• Appointed Actuary approves the assumptions & methodology
• Run valuation and review valuation test where irregularities are noted
• Submit changes
Note: Best estimate assumptions and margin for adverse deviation
– mortality
– morbidity
– lapse
– expenses
– inflation
– asset default
– reinvestment
– tax
– interest rate where applicable
Plus
– policyholder dividends
– tax reserve
Internal Review
Developed a peer review tracking system
• Ensure that management responses to recommended changes are completed
The reviews support each other
Valuation Review & Sarbanes-Oxley
External review and internal review provide process support and documentation to demonstrate compliance to Sarbanes-Oxley
Ensures quality assurance
Documentation database to include supporting documents
Are we overdoing it?
Internal reviews allow us to investigate work more thoroughly
• It can reduce work effort of consultant
Good practice to ensure one’s own work is appropriate
• Important for risk management
• Feeds nicely to Sarbanes-Oxley
Does Organizational Structure Support Strategy?
With decentralized valuation need to have different controls
For centralized valuation benefit of lower costs and fewer people having to be familiar with standards
Structure we had prior to demutualization
Valuation Review & Sarbanes-Oxley
Valuation actuary should now have improved data integrity
Previously administrative or claims areas accuracy on some data items was viewed as only important to actuaries (e.g. coding of sex, age or standard, sub-standard)
Demonstrate controls are in place
Conclusion
Valuation actuaries and other users of actuarial information should have more confidence in the results
Review should provide opportunity to introduce continuous improvement