Introduction of Panel Members - PowerPoint PPT Presentation


Slides: 30
Provided by: nhi1

Transcript and Presenter's Notes

Title: Introduction of Panel Members


1
Introduction of Panel Members
PwC
What Actuaries Should Know - The Sarbanes-Oxley
Act of 2002
Terry O'Brien, Principal
September 2003
The information and considerations
presented herein do not constitute legal or any
other type of professional advice. Companies are
encouraged to consult with legal counsel
concerning their responsibilities under and
compliance with the Sarbanes-Oxley Act of 2002
and related Securities and Exchange Commission (SEC) rules
and regulations.
2
Sarbanes-Oxley Act of 2002
  • The Act was signed into law on July 30, 2002
  • Title I - Public Company Accounting Oversight
    Board
  • Title II - Auditor Independence
  • Title III - Corporate Responsibility
  • Title IV - Enhanced Financial Disclosures
  • Title V - Analyst Conflicts of Interest
  • Title VI - Commission Resources and Authority
  • Title VII - Studies and Reports
  • Title VIII - Corporate and Criminal Fraud
    Accountability
  • Title IX - White Collar Crime Penalty
    Enhancements
  • Title X - Corporate Tax Returns
  • Title XI - Corporate Fraud and Accountability

3
Title II - Auditor Independence
  • Regulates non-audit services provided to audit
    clients
  • Bookkeeping, Financial IS Design and
    Implementation, Valuations, Actuarial Services,
    Internal Audit, Management Functions, HR
  • Actuarial Services allowed under 2000 rules
    generally are still allowed but cannot (1) audit
    own work, (2) perform management functions, (3)
    act as an advocate
  • Requires pre-approval of non-audit services
  • Audit Partner rotation after five years
  • Prohibits auditors from joining management within
    one year
  • Certain matters must be reported to audit
    committee
  • Audit Partner compensation may not be tied to
    non-audit services sales

4
Section 302 Requires the CEO and CFO
  • To attest that they have reviewed the annual and
    quarterly reports and the reports do not contain
    any materially false or misleading statements,
    and fairly represent the financial condition and
    results.
  • To indicate their responsibility for establishing
    and maintaining internal controls, have designed
    such internal controls to ensure that material
    information will be made known, have evaluated the
    effectiveness of the internal controls, and
    present their conclusions in the report.
  • To disclose to the auditors and the audit
    committee all significant deficiencies in the
    design or operation of the internal controls and
    any fraud that involves any management or
    employee with significant roles in the internal
    controls.
  • To indicate any significant changes in controls
    including any corrective actions.

5
Section 404 Requires the SEC to Prescribe Rules
  • Requiring management to annually state their
    responsibility for establishing and maintaining
    an adequate internal control structure and
    procedures for financial reporting.
  • Requiring an assessment of the effectiveness of
    the internal control structure and procedures.
  • Requiring the auditor to attest to and report on
    the assessment that management made.

6
Section 404 Final Rule Provisions
  • Section 404 Annual Assessment
  • Section 404 Auditor Attestation
  • Section 302 Quarterly Certifications

7
Section 404 Final Rule Provisions - Section 404
Annual Assessment
  • Compliance dates
  • Most domestic clients for fiscal years ending
    on or after June 15, 2004.
  • Foreign private issuers for fiscal years ending
    on or after April 15, 2005.
  • Definition of internal control over financial
    reporting.
  • Encompasses internal controls addressed in the
    COSO Report that pertain to financial reporting
    objectives.
  • Includes controls over safeguarding assets.
  • Management's report to include statements of
  • Management's responsibility for establishing and
    maintaining adequate internal control over
    financial reporting.
  • Management's assessment of the effectiveness of
    such controls.
  • Identification of the framework used to evaluate
    effectiveness.
  • Attestation made by external auditor.
  • COSO is an accepted standard for management's
    assessment.
  • See graphic on next page

8
The Five Components under the COSO Framework
  • Control Activities
    • Policies/procedures that ensure management
      directives are carried out.
    • Range of activities including approvals,
      authorizations, verifications, recommendations,
      performance reviews, asset security and
      segregation of duties.
  • Monitoring
    • Assessment of a control system's performance over
      time.
    • Combination of ongoing and separate evaluation.
    • Management and supervisory activities.
    • Internal audit activities.
  • Control Environment
    • Sets tone of organization, influencing control
      consciousness of its people.
    • Factors include integrity, ethical values,
      competence, authority, responsibility.
    • Foundation for all other components of control.
  • Information and Communication
    • Pertinent information identified, captured and
      communicated in a timely manner.
    • Access to internal and externally generated
      information.
    • Flow of information that allows for successful
      control actions from instructions on
      responsibilities to summary of findings for
      management action.
  • Risk Assessment
    • Risk assessment is the identification and
      analysis of relevant risks to achieving the
      entity's objectives, forming the basis for
      determining control activities.

All five components must be in place for a
control to be effective.
9
Section 404 Final Rule Provisions - Section 404
Annual Assessment
  • Management's assessment must be based on
    procedures sufficient both to evaluate design and
    test operating effectiveness. Inquiry alone will
    generally not provide an adequate basis for
    assessment.
  • Management must maintain evidential matter,
    including documentation, to provide reasonable
    support for its assessment and testing of both
    design and operating effectiveness.
  • Any material weakness in internal control over
    financial reporting must be disclosed by
    management in its assessment. Management is also
    precluded from reporting that internal control
    over financial reporting is effective if a
    material weakness is detected.

10
Section 404 Final Rule Provisions - Section 404
Annual Assessment
  • Guidance on controls subject to management's
    assessment
  • Controls over initiating, recording, processing
    and reconciling accounts, transactions, and
    disclosure and related assertions in financials
  • Controls related to the initiation and processing
    of non-routine and non-systematic transactions
  • Controls related to the selection and application
    of appropriate accounting policies
  • Controls related to the prevention,
    identification, and detection of fraud
  • Reiteration of guidance regarding auditor
    independence
  • Auditors may assist management in documenting
    internal controls.
  • Management must be actively involved in the
    process; cannot delegate assessment
    responsibility to the auditor.

11
Section 404 Final Rule Provisions - Auditor
Attestation
  • The registered public accounting firm's
    attestation report must be filed as part of the
    annual report.
  • Reiteration of PCAOB's responsibility for setting
    404 attestation standards for registered public
    accountants
  • Interim adoption of auditing standards in
    existence as of April 16, 2003
  • PwC's position - the attestation exposure draft
    (AT501) issued by ASB (and not adopted by PCAOB)
    provides clarification of existing standards and
    we will use it as interim guidance
  • Scope of auditor's work will include independent
    testing of controls as well as testing of
    management's assessment process
  • Scope of controls testing will include testing
    over areas involving judgements and estimates

12
Section 404 Final Rule Provisions - 302 Quarterly
Certifications
  • No change in requirement for Section 302
    quarterly evaluation of disclosure controls and
    procedures (DCP) and disclosure of conclusions
    regarding effectiveness of DCP.
  • Quarterly disclosure in 302 certification of
    material changes in internal control over
    financial reporting rather than repetition of
    Section 404 annual assessment.
  • Evaluation date is as of the end of the period
    covered by the report.
  • Section 302 certifications filed as exhibits to
    all applicable SEC reports
  • There is latitude for issuers in determining
    which internal controls over financial reporting
    are included in the Company's inventory of
    disclosure controls and procedures under Section
    302.

13
Current Situation
  • Understanding the 404 Attestation
  • Status of Compliance with Sections 302 and 404
  • Key Challenges

14
Understanding the 404 Attestation - Comparison to
Audit of Financial Statements
  • Audit of Financial Statements
  • Understanding and consideration of internal
    controls only to develop the audit approach
  • Overall objective is the rendering of an opinion
    on the financial statements, not to opine on
    internal controls
  • Internal control reports have been very rare in
    practice and are the subject of different
    professional standards
  • 404 Attestation
  • 100% controls-based approach
  • Must evaluate and test controls across business
    and functional areas to opine on effectiveness
    (broad and deep) over financial reporting.
  • Lack of errors, historically, in financial
    statements is not de facto evidence, unto
    itself, of an appropriate internal control over
    financial reporting.

15
Understanding the 404 Attestation - Management
Documentation
  • Under the AT 501 Exposure Draft, Management
    Provides Documentation of the Following:
  • Significant controls and control objectives,
    including
  • Controls, including IT general controls, on which
    other controls are dependent
  • Anti-fraud programs and controls
  • Controls over the period-end financial reporting
    process
  • Locations and business units included in
    assessment
  • Review and evaluation of design effectiveness
  • Assessment of operating effectiveness including
    tests
  • Evaluation of control deficiencies to determine
    whether they are significant deficiencies or
    material weaknesses
  • Written assertion about effectiveness of controls
    over financial reporting
  • Communication of findings to auditor and audit
    committee

16
Status of Compliance with Sections 302 and 404
  • Many 302 efforts center largely around executive
    management and disclosure committee
  • Supported by cascades of representation letters
  • Varying levels of detailed evidence of
    design/operating effectiveness
  • Varying methodologies in basis for
    self-evaluation
  • Existing documentation of design of controls
    required under Section 404
  • Frequency of updates for changes in systems or
    business processes varies
  • Not always modified for new reporting,
    accounting, and disclosure developments
  • Level of required review and documentation is
    more rigorous and complex than many companies
    anticipated.
  • Companies need the extra time gained from delay
    in implementation of Section 404 requirements in
    order to comply.

17
Key Challenges - Overall Process
  • Documenting and evaluating design of controls vs.
    testing controls
  • Who - management, internal auditor, external
    auditor, consultant?
  • What - entity vs. activity level controls?
  • How - periodic vs. ongoing?
  • When - interim vs. year-end?
  • Where - which entities/locations are in scope?
  • Creating an evaluation planning mindset using
    materiality, including qualitative criteria
  • Mapping controls to significant accounts, classes
    of transactions, disclosures and vice-versa
  • Planning efforts at subsidiaries/divisions based
    on relative significance
  • Determining how service providers impact the
    evaluation

18
Key Challenges - Overall Process
  • Reporting relative control impacts to audit
    committee
  • Reporting 404-control issues publicly, with
    appropriate perspective
  • Determining impact of material weaknesses on
    quarterly certifications
  • current and previously filed
  • Creating an internal control reporting process
    that is built into the control structure,
    including tools such as
  • Documentation aids
  • Dashboards
  • Compliance monitoring tools
  • Optimizing the efficiency of internal control
    effectiveness reporting

19
Key Challenges - Finding a Common Language to
Discuss Quality of Controls
  • Needed by audit committees to evidence oversight
  • Expected by regulators
  • Important that technical and judgmental elements
    of final assessment are communicated and
    understood
  • To be effective, audit committees will require
  • Perspective to sort out material, significant
    and lesser deficiencies
  • Definitions of materiality that are reconciled by
    management from planning through execution, to
    conclusion
  • Consistent processes to summarize, categorize,
    assess, discuss and conclude on relative control
    issues
  • Protocols developed in advance to govern the
    execution of the above processes

20
Overview of Actuarial Process - Illustration of
P/C Reserving
  • Process: Data, Analysis, Decision-making,
    Reporting
  • Possible Risk Areas: Completeness, Accuracy,
    Adjustments, External benchmarks, Segmentation,
    Level of Detail, Qualitative,
    Methods/Assumptions, Actuarial value/range versus
    Management best-estimate, Documentation,
    Communication
The process is generally not linear; iterations
tend to occur. For example, new data are gathered
based on initial findings from analysis.
21
Control Environment - Potential Elements
  • Corporate values and code of ethics
  • Established, widely communicated, management and
    staff walks the talk
  • Clearly defined roles and responsibilities
  • Corporate organization structure for reserving
    actuary
  • Can a conflicting reserve opinion be heard by
    CFO, CEO, Chairman, Audit Committee?
  • Effectiveness of staff and management
  • Familiarity, understanding and training of Audit
    Committee members with reserving topics.

22
Risk Assessment - Potential Elements
  • Is claim and premium coding valid and accurate?
  • Do systems correctly employ coded transactions to
    produce reserving reports?
  • Schedule P, Actuarial reserving triangles, etc.
  • Have all appropriate actuarial methods been
    employed?
  • Are all corporate initiatives considered in
    reserve projections?
  • Underwriting, pricing, claims, expense and other
    initiatives.
  • Have external environment events been considered
    in reserve projections?
  • Inflation trends, legislative activity,
    demographics, weather, etc.

23
Risk Assessment - Potential Elements (2)
  • Where are the key actuarial judgment points for
    each reserve?
  • Development patterns, loss ratios, price changes
  • Has the actuarial profession's Statement of
    Principles been considered?
  • Data organization, homogeneity, credibility,
    frequency and severity, etc.
  • Where are the key management judgment points for
    each reserve?
  • Adjustments, bulk loadings, etc.
  • What spreadsheets are used in the testing of
    reserves?
  • Cell formulae, manual changes
  • SAP vs. GAAP differences

24
Control Activities - Potential Elements
  • Documented Processes
  • Data Reconciliation
  • Checklist of Procedures
  • Approval of Deviations
  • Documentation of Judgments
  • Documentation of External Inputs
  • Peer Reviews
  • Does someone outside the reserve process verify
    completion of all procedures?

25
P/C Reserving Process - What Do You Have to Do
  • Document the Reserving Process
  • Prerequisite to Identifying Points of Risk -
    Roadmap is Needed
  • Scope, Data Collection/Evaluation,
    Methods/Assumptions, Review Procedures, Bridging
    between Actuarial and Recorded
  • How Much is Enough - Varies Among Companies
  • Identify Points of Risks
  • Design Control Activities or Identify Existing
    Control Activities to Mitigate Risks
  • Document the Control Activities and their
    Function
  • Monitor Effectiveness of Control Activities over
    Time

26
Other Control Components - Potential Elements
  • Information and Communication
  • Input into reserving process - Are there control
    processes established for input into the
    reserving processes?
  • Loss and Premium Data
  • Ceded Reinsurance
  • Input of Pricing, Underwriting, Claims into
    Process
  • Output of reserving process - Communicating
    results to senior management
  • Is there a formal delivery package for reserve
    results each quarter?
  • What is lead actuary's role in approving recorded
    reserves?
  • Monitoring
  • Are exceptions or surprises evaluated?
  • Were there controls in place?
  • Why were those controls not effective?
  • Are post-mortem meetings conducted?
  • Is input from those outside of the reserving
    process (e.g., top management, third party
    actuaries, external and internal auditors)
    considered in re-evaluations of the process?

27
Internal Controls Maturity Framework
  • Level 1 - Unreliable
    • Unpredictable environment where control
      activities are not designed or in place
  • Level 2 - Informal
    • Disclosure Activities and Controls are designed
      and in place but are not adequately documented
    • Controls mostly dependent on people
    • No formal training or communication of control
      activities
  • Level 3 - Standardized
    • Control activities are designed and in place
    • Control activities have been documented and
      communicated to employees
    • Deviations from control activities will likely
      not be detected
  • Level 4 - Monitored
    • Standardized controls with periodic testing for
      effective design and operation with reporting to
      management
    • Automation and tools may be used in a limited way
      to support control activities
  • Level 5 - Optimized
    • An integrated internal control framework with
      real time monitoring by management with
      continuous improvement (Enterprise-Wide Risk
      Management)
    • Automation and tools are used to support controls
      activities and allow the organization to make
      rapid changes to the control activities if needed

28
Questions For Company Actuaries
  • From a big picture, company actuaries need to ask
    themselves . . .
  • Are there adequate controls in place around the
    actuarial reserving process that impact financial
    reporting?
  • What does the internal control structure look
    like and how does it operate?
  • Are these controls formal or informal?
  • Are they documented and current?
  • Are they monitored and tested?
  • Who is accountable?

29
Questions For Company Actuaries (2)
  • From a big picture, company actuaries need to ask
    themselves . . .
  • How will management assess the ongoing
    effectiveness of controls?
  • How are control issues tracked and evaluated?
  • What are the critical control activities?
  • How will I demonstrate that I have reviewed the
    controls every quarter?
  • What actuarial outputs impact the financial
    statements and footnotes?