Compliance with the NAIC's Model Audit Rule - MAR
What complex problems or issues do you face in complying with the Model Audit Rule?
The Model Audit Rule changes are focused on three major areas:
- Corporate Governance
- Auditor Independence
- Internal Control over Financial Reporting (ICFR)
How Can Insurance Organizations Skip the SOX Missteps
The Model Audit Rule reminds the author of the many SOX missteps: the
lack of prescriptive guidance from the regulators and COSO, continuing
over-compliance concerning detailed business process controls, a lack
of understanding concerning risk-based compliance and the continuing lack
of attention to Entity Level Controls. The author's top ten myths in
ICFR compliance are:
1. Compliance is an audit. The most qualified consultants and
advisors are auditors.
2. Compliance is centered on documenting and testing all business
processes and information technology controls at the most detailed level.
3. Compliance can be accomplished in less than three months at
the end of the year.
4. A simple questionnaire will provide confirmation of the
"Tone at the Top" and all entity level controls.
5. Compliance is always measured in cost; never look at the benefits.
6. We do not need to focus on risk assessment at the annual statement level.
7. Desktop tools are effective and efficient in the management of
ICFR documentation and testing.
8. Lack of effective corporate governance has not caused most
insolvency problems.
9. SAS 70's are effective internal controls over outsourced
business processes.
10. Information technology controls are not that important.
The NAIC is Focused on Solvency, not Shareholder Protection
At General American in St. Louis, insolvency would not have been avoided
by looking at the business processes; only a very good risk assessment
would have prevented the failure at this otherwise well administered
insurance operation. The NAIC is focused on the insolvency problem and
better corporate governance with the Model Audit Rule.
The implementation and maintenance of internal controls over financial
reporting (ICFR) is quickly becoming a standard requirement for all
audited organizations. The passage of the Sarbanes-Oxley Act of 2002 (SOX)
has created massive changes within the auditing industry.
1. Major Insurance Operations -
2. Public Companies -
3. Federal Agencies -
4. State Agencies in the Commonwealth of Virginia -
External Auditors Impact
External audit firms now have to submit their audit workpapers to outside
review by the Public Company Accounting Oversight Board (PCAOB). The audit
client management and the external auditor are both concerned with ICFR
and its assessment to manage the liability they face from their various stakeholders.
The initial efforts to implement internal control frameworks and to provide
audit opinions on their effectiveness have been abysmal. The Committee of Sponsoring
Organizations of the Treadway Commission (COSO) created their outline to visualize
an internal control framework in 1992. This first effort, which is still the standard,
was fifteen years after the requirement was established by the Foreign Corrupt Practices
Act of 1977.
COSO and its member organizations seem not to be interested in providing a
prescriptive set of ICFR guidelines. This lack of COSO guidance or any other
comprehensive guidance has led to excesses that we are all familiar with
in the implementation and auditing of ICFR. The press loves to report anecdotal
evidence of the high costs of compliance. Few experts are ever in the press
talking about the benefits of "Quality Control".
The insurance industry is beginning to focus on how to effectively and
efficiently create and maintain ICFR within their organizations and annually
assess its effectiveness. Stock companies have provided excellent anecdotal
evidence as to how not to address Sarbanes-Oxley driven compliance. The rest
of the industry has less than two years to become compliant with the NAIC Model
Audit Rule.
Opportunities to be Effective and Efficient
For those that must comply with all the aspects of the Model Audit Rule, there
are four major ingredients to effective and efficient compliance:
- Education and planning at the Board and Executive levels
- Comprehensive program planning and management
- Understanding the principles behind the COSO framework
- Using a sustainable approach supported by administrative software
The Insurance Industry is one of the most regulated businesses in the industrial world.
Insurance professionals have designed their administrative systems to support regulatory
requirements. The Model Audit Rule changes provide an opportunity to establish a comprehensive
program to improve corporate governance, business processes and information technology
administration. The definition of ICFR focuses on having the most effective and efficient
governance and processes within an insurance organization.
The ICFR requirements are very simple in that they bring quality control to the
management of an organization that is presenting its financial statements as a score
card to the public. Any organization that thinks it does not need quality control over
the management of its assets needs to rethink its position on the "costs" of controls.
It needs to take a hard look at the U.S. automobile industry, which was very slow to
embrace "Quality Control" as a basic business tenet. If you want to slowly go out
of the insurance business, just keep on resisting change.
The task at hand is to create controls within the fabric of the insurance organization
which will make it more effective and efficient; first at the entity level and then back
into the administrative processes. With this focus on ICFR, the resulting financial
statements will properly record the results of the enhanced operations.
How Does This Work
Every insurance organization that has been in business more than one year already
has ICFR in place. What's missing is assessing the maturity and completeness of your ICFR:
- Has a comprehensive risk assessment been accomplished at each level of the COSO framework?
- Are the controls at the entity-level appropriate to address the risks?
- What is the maturity of the key controls?
- Is there adequate monitoring in place of the underlying transaction processing to
alert executive management to the symptoms of issues?
- Can you explain and educate your external auditors on your ICFR?
Everyone must minimize the cost of becoming compliant and maintaining compliance with
the Model Audit Act. Most insurance ICFR staff members do not have the time or expertise
to attempt to go it alone in the initial year of compliance. Look outside for assistance
if you don't have the experienced resources to:
- Organize the details and create a sustainable program, which requires extensive
experience with the COSO framework
- Provide insight and objective counsel on Sarbanes-Oxley-type compliance, "Best Practices"
- Guide the internal ICFR staff to effective implementation of an affordable solution
- Reduce risks associated with the compliance process with "Best Practices" throughout
ICFR
One of management's biggest challenges is to determine who is going to be responsible for
implementation of the ICFR program and the on-going maintenance of the internal control
infrastructure. Is the initial project the responsibility of the internal auditor?
Should the initial project be the responsibility of the CFO? Is the on-going maintenance
of the internal control infrastructure for business processes the responsibility of the
business process owners? Is the periodic testing of the internal control infrastructure
the responsibility of the internal auditor? Who is going to be responsible for the funding
and completion of remediation projects?
Executive management must address the above and many other questions which will arise
in the process of changing how the organization addresses the effective control of its
financial reporting processes.
Change Management
Compliance with the Model Audit Act is going to make fundamental changes to what
takes place in every insurance organization's day-to-day business operations.
People do not like to change. As the internal control infrastructure is being initially
documented, there will be defects which will require immediate changes to Entity-Level
activities, business processes and/or information technology. Management will have to
react quickly to determine the extent of changes that can be accomplished within the
initial project and those that can be delayed. Those changes that are delayed will have
to be documented and discussed with the external auditors and audit committee.
Internal to the project, change management tasks will concern themselves with managing
the project to meet the requirements but allow for later changes in the requirements and
scope. The changes in requirements and scope will have to be approved.
Capabilities
We help others define the scope of the ICFR program and the tasks to be accomplished
with our SOXmaster methodology, which contains the following ten major program topics:
1. Training
2. Document the current "Situation"
3. Focus on the Financial Reporting Risk
4. Entity-Level Controls Identification and Assessment
5. General Information Technology Controls Identification and Assessment
6. Business Process Controls Identification and Assessment
7. Select and Implement a Toolset
8. Initial Testing and Assessment of ICFR
9. Remediation Plans
10. Finalize Annual Documentation
Summary
Tips to meet the Model Audit Act's requirements and comply:
1. You are behind if you have not started the program!
2. Be realistic.
3. Do not fall for urban legends.
4. Establish a program management office.
5. Understand and adopt a top down approach.
6. Assess your risks - fraud, material operations and accounts.
7. Total organizational involvement - educate and build habits.
8. Bring in experienced advisors where needed.
9. Educate and communicate with your external audit firm.
10. Develop a measurable, ongoing and sustainable program that contributes to improved financial and operational performance.
John C. Blackshire, Jr. CPA
Corporate Compliance Seminars
The Accountware Group (TAG)
P.O. Box 40897
Austin, Texas 78704
479-200-4373