IT Risk, SOX and the Smaller Insurance Company - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
IT Risk, SOX and the Smaller Insurance Company
11/17/2006
2
Andrew Pinnero
  • Director of Information Technology Assurance
    Practice
  • Task Force Member, COSO's New Guidance for Smaller
    Public Companies

3
Information Technology Risks: SOX History and
Challenges
4
Public Company Financial Fraud and Sarbanes Oxley
Act of 2002 (SOX)
  • Per the SEC, publicly traded companies must comply
    with SOX
  • Senior management is responsible for accuracy of
    financials
  • Financially relevant IT systems are part of
    corporate compliance
  • COSO became the standard framework for majority
    of companies
  • External Auditors must objectively assess the IT
    controls supporting in-scope systems

5
Examples of IT Control Frameworks
  • Control Objectives for IT (COBIT) - IT-related
    control framework
  • Committee of Sponsoring Organizations of the
    Treadway Commission (COSO) - Original framework
    weaves IT controls into a general business
    control framework

6
The SOX Challenge
  • The External Auditor must
      • Assess the accuracy of the reporting company's
        financial statements
      • Meet the requirements of SOX
      • Maintain a healthy relationship with its client
  • The Audited Company must
      • Weigh its risk appetite vs. its compliance
        requirements and costs
      • Use a generally accepted control framework

7
SOX Has Created Its Own Issues...
  • Average annual post-SOX cost of reporting to SEC
    doubled from 1.3M to 2.9M
  • Second-year filers issued formal complaints to
    the SEC
  • Auditors/clients took the approach of documenting
    every control, not just key controls

8
...and Backlash
  • Audit Fees paid by companies doubled resulting in
    calls for new industry regulations
  • Some NYSE companies are considering alternative
    capital resources including going private
  • A number of large IPO's have opted to go public
    overseas

9
Foreign Capital Inflow Has Slowed
  • "Of the 24 largest IPO deals in 2005, Wall Street
    captured one."
  • "Tougher corporate disclosure laws enacted in
    2002 (SOX) have influenced the decisions of many
    non-US companies to IPO in Europe" - PwC
  • NY Post, 9/17/06

10
COSO Small Company Guidance
11
Guidance Overview
  • Provides principles and attributes, aligned with
    COSO's 1992 internal controls framework
  • Assists smaller organizations in understanding
    how to ensure a robust system of internal control
    reflecting size, structure and degree of
    complexity
  • Provides examples of how small businesses have
    actually implemented the principles and related
    attributes identified in the document
  • Not a checklist!

12
Why Was it Needed?
  • A response to the discontent over SOX filing
    requirements
  • Smaller companies have unique IT control issues
  • IT management needed to be considered at the
    beginning of the assessment process, not at the
    end

13
Guidance Objectives
  • Three objectives of good internal control
      • Accuracy of financial reporting
      • Compliance with laws and regulations
      • Effective and efficient operations
  • The COSO control components are designed to
    assist the organization in achieving these objectives

14
2006 Guidance IT Specific Highlights
  • The 2006 COSO Smaller Companies framework consists
    of 20 principles clustered into the five COSO
    areas
  • Control Environment - IT Governance should be
    considered
  • Risk Assessment - IT should be involved in early
    stages
  • Control Activities - Specific IT principles and
    controls
  • Information and Communication - Policy flow
  • Monitoring - IT monitoring is an integral part of
    SOX

15
Smaller Public Insurance Companies Internal
Control Challenges
  • Resources - Obtaining sufficient resources
    (segregation of duties)
  • Management Domination - Opportunities for improper
    management override of processes
  • Board Expertise - Recruiting individuals with
    requisite financial reporting and insurance
    expertise to serve effectively on the board

16
Smaller Public Insurance Companies Internal
Control Challenges (cont.)
  • Management Competence - Recruiting and retaining
    personnel with sufficient experience and skill in
    accounting, financial and actuarial reporting
  • Running the Business - Taking management
    attention away from daily routines in order to
    focus on accounting and financial reporting
  • Information Technology - Controlling information
    technology and maintaining appropriate general
    and application controls over computer
    information systems with limited technical
    resources

17
Smaller Insurance Company IT Characteristics
  • High employee to IT staff ratio
  • Faster response to internal and external changes
  • Employees may assume multiple roles and
    responsibilities and change them often
  • Segregation of duties may be unfeasible
  • Actuarial systems usually not managed by IT
  • Heavy use of end-user applications

18
Information Technology: A Dynamic Risk to
Financial Reporting
19
Corporate Risk Tolerance and Appetite
  • Corporate culture weighs heavily on how
    management reacts to and manages IT risk
  • IT Management's risk appetite is often a
    reflection of C-level management's attitude
    toward risk
  • Management's belief that IT can prevent fraud
    compounds risk identification and measurement
    issues

20
Types of IT Risk
  • General Computer Operations
  • IT Supported Applications
  • End User Systems

21
General Computer Operations Risk Overview
  • Unauthorized access to computing resources such
    as network, O/S or physical systems
  • Data integration errors
  • Monitoring and incident escalation issues
  • Physical security violations go undetected
  • Programmer access to production systems

22
GCO Example 1 - Access to IT Resources
  • Risk - Improper use, disclosure, modification or
    loss of critical data
  • Controls
      • Physical access limited to authorized people
      • Logical access controlled via information
        security policy implemented on the network

23
GCO Example 2 - Change Management
  • Risk - Incorrect changes made to system,
    application, infrastructure and/or database
  • Controls
      • Change management policy & procedure
      • Changes tested & approved prior to release
      • Separate development, test & production
        environments

24
IT Supported Application Risk Overview
  • Unauthorized access to applications
  • Segregation of duties
  • Administrator independence
  • Monitoring and incident escalation issues

25
IT Supported Applications Example 1
  • Risk - Segregation of duties in a claims
    processing system
  • Controls
      • Periodic recertification of users on the claims
        system
      • Policies
      • Management authorization/provisioning
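The slide names the control but not what a recertification review actually checks. The following is an added example (not from the presentation or the presenter); it assumes a constructed set of claims-system roles, a constructed conflict matrix, a 90-day recertification window and a handful of constructed provisioning records. It flags two things a reviewer would look for: users who hold roles that must be separated, and users whose manager has not reattested their access within the window.

```python
"""Segregation-of-duties and recertification check for a claims system.

Added example, not from the presentation. Role names, the conflict
matrix, the 90-day window and the user records are all constructed.
"""
from datetime import date, timedelta

# Constructed: pairs of roles one person must never hold together.
CONFLICTING_ROLE_PAIRS = {
    frozenset({"claim_entry", "claim_approval"}),
    frozenset({"claim_approval", "payment_release"}),
    frozenset({"vendor_maintenance", "payment_release"}),
}

# Constructed: how old a manager's attestation may be before it is stale.
RECERT_WINDOW_DAYS = 90

# Constructed: the date the review is run (presentation date).
REVIEW_DATE = date(2006, 11, 17)

# Constructed provisioning extract: user, roles held, last recertified.
USERS = [
    {"user": "jdoe", "roles": {"claim_entry"}, "recertified": date(2006, 10, 1)},
    {"user": "asmith", "roles": {"claim_entry", "claim_approval"}, "recertified": date(2006, 10, 1)},
    {"user": "bwong", "roles": {"payment_release"}, "recertified": date(2006, 4, 15)},
    {"user": "svc_batch", "roles": {"claim_approval", "payment_release"}, "recertified": None},
]


def sod_conflicts(roles):
    """Return the conflicting role pairs a single user holds, sorted."""
    held = set(roles)
    return sorted(tuple(sorted(pair)) for pair in CONFLICTING_ROLE_PAIRS if pair <= held)


def stale_recertification(recertified, today, window_days=RECERT_WINDOW_DAYS):
    """True when the attestation is missing or older than the window."""
    if recertified is None:
        return True
    return (today - recertified) > timedelta(days=window_days)


def review_access(users, today):
    """Map each user with findings to a list of issue codes."""
    findings = {}
    for rec in users:
        issues = []
        for a, b in sod_conflicts(rec["roles"]):
            issues.append(f"sod_conflict:{a}+{b}")
        if stale_recertification(rec["recertified"], today):
            issues.append("recertification_overdue")
        if issues:
            findings[rec["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in review_access(USERS, REVIEW_DATE).items():
        print(user, ", ".join(issues))
```

Service accounts with no owner to attest (like svc_batch above) are the usual gap in a recertification cycle; treating a missing attestation as overdue rather than skipping it keeps them visible.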

26
IT Supported Applications Example 2
  • Risk - Unauthorized access is not detected
  • Controls
      • Monitoring controls are consistently applied to
        immediately identify unauthorized activity on the
        system
      • Audit logs are protected
      • Audit triggers are properly configured
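The two controls on this slide, protected audit logs and monitoring that surfaces unauthorized activity, are shown together in the added example below. It is not code from the presentation; the log line format, the HMAC key, the authorized-user list and the failed-login threshold are constructed. Each log line carries an HMAC chained to the previous line, so editing or dropping a line breaks verification; the monitor then raises alerts for unknown users, denied actions and bursts of failed logins.

```python
"""Protected audit log plus monitoring for a claims system.

Added example, not from the presentation. Log format, key, user list,
thresholds and the sample events are all constructed.
"""
import hashlib
import hmac
from collections import Counter

# Constructed: held by the log collector, not by application admins, so an
# admin who edits the application's log cannot recompute a valid chain.
LOG_HMAC_KEY = b"constructed-demo-key-rotate-in-practice"

# Constructed: users provisioned on the claims system.
AUTHORIZED_USERS = {"jdoe", "asmith", "bwong"}
FAILED_LOGIN_THRESHOLD = 3
GENESIS = "0" * 64


def chain_value(prev, record):
    """HMAC over the previous chain value and this record's fields."""
    return hmac.new(LOG_HMAC_KEY, prev.encode() + b"|" + record.encode(), hashlib.sha256).hexdigest()


def write_log(events):
    """Emit protected lines: 'ts|user|action|result|chain'."""
    lines, prev = [], GENESIS
    for ts, user, action, result in events:
        record = f"{ts}|{user}|{action}|{result}"
        prev = chain_value(prev, record)
        lines.append(f"{record}|{prev}")
    return lines


def verify_chain(lines):
    """Index of the first modified or out-of-sequence line, or None if intact."""
    prev = GENESIS
    for i, line in enumerate(lines):
        record, _, stored = line.rpartition("|")
        if not hmac.compare_digest(chain_value(prev, record), stored):
            return i
        prev = stored
    return None


def detect_unauthorized(lines):
    """Alerts for unknown users, denied actions and failed-login bursts."""
    alerts, failures = [], Counter()
    for line in lines:
        ts, user, action, result, _ = line.split("|")
        if user not in AUTHORIZED_USERS:
            alerts.append(f"{ts} unknown_user {user} {action}")
        if action == "login" and result == "FAIL":
            failures[user] += 1
            if failures[user] == FAILED_LOGIN_THRESHOLD:
                alerts.append(f"{ts} failed_login_burst {user}")
        elif result == "DENIED":
            alerts.append(f"{ts} denied_action {user} {action}")
    return alerts


# Constructed sample events: a legitimate user tripping a SoD denial, then an
# unprovisioned account guessing its way in after hours.
EVENTS = [
    ("2006-11-17T08:01", "jdoe", "login", "OK"),
    ("2006-11-17T08:05", "jdoe", "claim_entry:C1001", "OK"),
    ("2006-11-17T08:07", "jdoe", "claim_approval:C1001", "DENIED"),
    ("2006-11-17T23:10", "ghost", "login", "FAIL"),
    ("2006-11-17T23:11", "ghost", "login", "FAIL"),
    ("2006-11-17T23:12", "ghost", "login", "FAIL"),
    ("2006-11-17T23:13", "ghost", "login", "OK"),
]

if __name__ == "__main__":
    log = write_log(EVENTS)
    print("chain intact:", verify_chain(log) is None)
    for alert in detect_unauthorized(log):
        print(alert)
```

One caveat the chain does not cover: removing lines from the tail leaves every remaining line valid. In practice the collector periodically records the latest chain value somewhere the application cannot write to, so truncation is detectable as well.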

27
End User Systems Risk Overview
  • High risk of inadvertent changes (e.g., queries,
    formulas)
  • High risk of insufficient testing of changes
  • Undocumented spaghetti code understood only by
    its creator
  • Difficult to secure

28
End User Systems Example
  • IT Controls for Actuarial Loss Triangle
    Spreadsheets
      • Consistent change management (version control)
      • Network security
      • Substantive review of code
      • Password protection
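Version control and substantive review of a spreadsheet only help if the reviewer can see what changed at the formula level. The added example below (not from the presentation) models a small paid-loss triangle as a cell-to-content map, fingerprints each version for the change record, and classifies every difference between the approved and candidate versions; the cell layout and both versions are constructed, and a real deployment would read cells from the workbook with a library such as openpyxl. It singles out the inadvertent change slide 27 warns about: a live formula silently overwritten with a typed number.

```python
"""Formula-level change review for an actuarial loss-triangle workbook.

Added example, not from the presentation. Cell layout, both versions and
the classification rules are constructed.
"""
import hashlib
import json


def is_formula(value):
    return isinstance(value, str) and value.startswith("=")


def version_fingerprint(cells):
    """Stable hash of the workbook contents, usable as a version-control tag."""
    return hashlib.sha256(json.dumps(cells, sort_keys=True).encode()).hexdigest()


def compare_versions(approved, candidate):
    """Classify every cell that differs between the approved and candidate versions."""
    findings = []
    for cell in sorted(set(approved) | set(candidate)):
        old, new = approved.get(cell), candidate.get(cell)
        if old == new:
            continue
        if cell not in approved:
            findings.append((cell, "added", new))
        elif cell not in candidate:
            findings.append((cell, "removed", old))
        elif is_formula(old) and not is_formula(new):
            # Highest-risk class: a formula replaced by a hard-coded constant.
            findings.append((cell, "formula_hardcoded", f"{old} -> {new}"))
        elif is_formula(old) and is_formula(new):
            findings.append((cell, "formula_changed", f"{old} -> {new}"))
        else:
            findings.append((cell, "input_changed", f"{old} -> {new}"))
    return findings


def needs_substantive_review(findings):
    """Input updates can be ticked off by the data owner; logic changes cannot."""
    return any(kind in {"formula_hardcoded", "formula_changed", "removed"} for _, kind, _ in findings)


# Constructed approved version: accident years in rows 2-4, development
# periods in columns B-D, age-to-age factors in E/F, selected factors in row 5.
APPROVED = {
    "B2": 1000, "C2": 1500, "D2": 1800,
    "B3": 1100, "C3": 1650,
    "B4": 1200,
    "E2": "=C2/B2", "E3": "=C3/B3",
    "F2": "=D2/C2",
    "C5": "=AVERAGE(E2:E3)",
    "D5": "=F2",
}

# Constructed candidate: one legitimate data update, one factor typed over,
# and the selected-factor average narrowed to a single year.
CANDIDATE = dict(APPROVED)
CANDIDATE["C3"] = 1700
CANDIDATE["E3"] = 1.5
CANDIDATE["C5"] = "=E2"

if __name__ == "__main__":
    print("approved :", version_fingerprint(APPROVED)[:16])
    print("candidate:", version_fingerprint(CANDIDATE)[:16])
    for cell, kind, detail in compare_versions(APPROVED, CANDIDATE):
        print(f"{cell:4} {kind:18} {detail}")
    print("review required:", needs_substantive_review(compare_versions(APPROVED, CANDIDATE)))
```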

29
Summary
  • The risk appetite and corporate culture of a
    company impact its IT risk exposure
  • IT systems are tools by which fraudulent behavior
    may be carried out
  • IT controls are utilized to mitigate IT risks
    identified by management
  • IT controls may be owned by IT or by the
    end-user, therefore risks are dynamic

30
Questions and Answers
apinnero_at_verisconsulting.com
31
THANK YOU FOR VISITING WITH US.