Overview of the Sarbanes-Oxley Act

The document discusses key provisions of the Sarbanes-Oxley Act of 2002, including those pertaining to auditor independence (Title II), corporate responsibility (Title III), and enhanced financial disclosures (Title IV). It outlines requirements for management to assess internal controls and procedures for financial reporting (Section 404) and the auditor to attest to this assessment. Management must use frameworks like COSO when evaluating internal controls and maintain evidential documentation to support its assessment. Any material weaknesses must be disclosed.

Introduction of Panel Members

What Actuaries Should Know
The Sarbanes-Oxley Act of 2002
Terry O’Brien
Principal
September 2003

The information and considerations presented herein do not constitute legal
or any other type of professional advice. Companies are encouraged to
consult with legal counsel concerning their responsibilities under and
compliance with the Sarbanes-Oxley Act of 2002 and related Securities and
Exchange Commission (SEC) rules and regulations.

The Sarbanes-Oxley Act of 2002 PricewaterhouseCoopers1


Sarbanes-Oxley Act of 2002

The Act was signed into law on July 30, 2002

Title I Public Company Accounting Oversight Board
Title II Auditor Independence
Title III Corporate Responsibility
Title IV Enhanced Financial Disclosures
Title V Analyst Conflicts of Interest
Title VI Commission Resources and Authority
Title VII Studies and Reports
Title VIII Corporate and Criminal Fraud Accountability
Title IX White Collar Crime Penalty Enhancements
Title X Corporate Tax Returns
Title XI Corporate Fraud and Accountability



Title II - Auditor Independence

 Regulates non-audit services provided to audit clients:
– Bookkeeping, Financial IS Design & Implementation, Valuations, Actuarial Services, Internal
Audit, Management Functions, HR
– Actuarial Services allowed under 2000 rules generally are still allowed but cannot (1) audit
own work, (2) perform management functions, (3) act as an advocate

 Requires pre-approval of non-audit services.

 Audit Partner rotation after five years.

 Prohibits auditors from joining management within one year

 Certain matters must be reported to audit committee

 Audit Partner compensation may not be tied to non-audit services sales



Section 302 – Requires the CEO and CFO

 To attest that they have reviewed the annual and quarterly reports and the
reports do not contain any materially false or misleading statements, fairly
represent the financial condition and results.

 To indicate their responsibility for establishing and maintaining internal
controls, have designed such internal controls to ensure that material
information will be made known, have evaluated the effectiveness of the internal
controls, and present their conclusions in the report.

 To disclose to the auditors and the audit committee all significant deficiencies
in the design or operation of the internal controls and any fraud that involves
any management or employee with significant roles in the internal controls.

 To indicate any significant changes in controls including any corrective actions.



Section 404 – Requires the SEC to Prescribe Rules

 Requiring management to annually state their responsibility for establishing
and maintaining an adequate internal control structure and procedures for
financial reporting.

 Requiring an assessment of the effectiveness of the internal control structure
and procedures.

 Requiring the auditor to attest to and report on the assessment that
management made.



Section 404 Final Rule Provisions
Section 404 Annual Assessment
Section 404 Auditor Attestation
Section 302 Quarterly Certifications


Section 404 Final Rule Provisions: Section 404 Annual Assessment

 Compliance dates:
– Most domestic clients: for fiscal years ending on or after June 15, 2004.
– Foreign private issuers: for fiscal years ending on or after April 15, 2005.

 Definition of “internal control over financial reporting.”
– Encompasses internal controls addressed in the COSO Report that pertain to financial
reporting objectives.
– Includes controls over safeguarding assets.

 Management’s report to include statements of:
– Management’s responsibility for establishing and maintaining adequate internal control
over financial reporting.
– Management’s assessment of the effectiveness of such controls.
– Identification of the framework used to evaluate effectiveness.
– Attestation made by external auditor.

 COSO is an accepted standard for management’s assessment.
– See graphic on next page



The Five Components under the COSO Framework

Monitoring
 Assessment of a control system’s performance over time.
 Combination of ongoing and separate evaluation.
 Management and supervisory activities.
 Internal audit activities.

Control Activities
 Policies/procedures that ensure management directives are carried out.
 Range of activities including approvals, authorizations, verifications, recommendations,
performance reviews, asset security and segregation of duties.

Information and Communication
 Pertinent information identified, captured and communicated in a timely manner.
 Access to internal and externally generated information.
 Flow of information that allows for successful control actions, from instructions on
responsibilities to summary of findings for management action.

Control Environment
 Sets tone of organization, influencing control consciousness of its people.
 Factors include integrity, ethical values, competence, authority, responsibility.
 Foundation for all other components of control.

Risk Assessment
 Risk assessment is the identification and analysis of relevant risks to achieving the
entity’s objectives, forming the basis for determining control activities.

All five components must be in place for a control to be effective.



Section 404 Final Rule Provisions: Section 404 Annual Assessment

 Management’s assessment must be based on procedures sufficient both to
evaluate design and test operating effectiveness. Inquiry alone will generally
not provide an adequate basis for assessment.

 Management must maintain evidential matter, including documentation, to
provide reasonable support for its assessment and testing of both design and
operating effectiveness.

 Any material weakness in internal control over financial reporting must be
disclosed by management in its assessment. Management is also precluded
from reporting that internal control over financial reporting is effective if a
material weakness is detected.



Section 404 Final Rule Provisions: Section 404 Annual Assessment

Guidance on controls subject to management’s assessment:
- Controls over initiating, recording, processing and reconciling accounts, transactions,
and disclosure and related assertions in financials
- Controls related to the initiation and processing of non-routine and non-systematic
transactions
- Controls related to the selection and application of appropriate accounting policies
- Controls related to the prevention, identification, and detection of fraud

Reiteration of guidance regarding auditor independence:
– Auditors may assist management in documenting internal controls.
– Management must be actively involved in the process; cannot delegate assessment
responsibility to the auditor.



Section 404 Final Rule Provisions: Auditor Attestation

 The registered public accounting firm’s attestation report must be filed as part
of the annual report.

 Reiteration of PCAOB’s responsibility for setting 404 attestation standards for
registered public accountants
– Interim adoption of auditing standards in existence as of April 16, 2003

 PwC’s position: the attestation exposure draft (AT501) issued by ASB (and
not adopted by PCAOB) provides clarification of existing standards and we
will use it as interim guidance
– Scope of auditor’s work will include independent testing of controls as well as
testing of management’s assessment process
– Scope of controls testing will include testing over areas involving judgements and
estimates



Section 404 Final Rule Provisions: 302 Quarterly Certifications

 No change in requirement for Section 302 quarterly evaluation of disclosure
controls and procedures (DC&P) and disclosure of conclusions regarding
effectiveness of DC&P.

 Quarterly disclosure in 302 certification of material changes in internal control
over financial reporting rather than repetition of Section 404 annual assessment.

 Evaluation date is as of the end of the period covered by the report.

 Section 302 certifications filed as exhibits to all applicable SEC reports

 There is latitude for issuers in determining which internal controls over financial
reporting are included in the Company’s inventory of disclosure controls and
procedures under Section 302.



Current Situation
Understanding the 404 Attestation
Status of Compliance with Sections 302 and 404
Key Challenges


Understanding the 404 Attestation: Comparison to Audit of Financial Statements

Audit of Financial Statements
 Understanding and consideration of internal controls only to develop the audit approach
 Overall objective is the rendering of an opinion on the financial statements, not to opine
on internal controls
 Internal control reports have been very rare in practice and are the subject of different
professional standards

404 Attestation
 100% controls-based approach
 Must evaluate and test controls across business and functional areas to opine on
effectiveness (broad and deep) over financial reporting.
 Lack of errors, historically, in financial statements is not de-facto evidence unto itself
of an appropriate internal control over financial reporting.



Understanding the 404 Attestation – Management Documentation

Under the AT 501 Exposure Draft, Management Provides Documentation of the Following:

 Significant controls and control objectives, including:
– Controls, including IT general controls, on which other controls are dependent
– Anti-fraud programs and controls
– Controls over the period-end financial reporting process

 Locations and business units included in assessment

 Review and evaluation of design effectiveness

 Assessment of operating effectiveness including tests

 Evaluation of control deficiencies to determine whether they are
significant deficiencies or material weaknesses

 Written assertion about effectiveness of controls over financial reporting

 Communication of findings to auditor and audit committee


Status of Compliance with Sections 302 and 404

 Many 302 efforts center largely around executive management and
disclosure committee
– Supported by cascades of representation letters
– Varying levels of detailed evidence of design/operating effectiveness
– Varying methodologies in basis for self-evaluation

 Existing documentation of design of controls required under
Section 404:
– Frequency of updates for changes in systems or business processes varies
– Not always modified for new reporting, accounting, and disclosure developments

 Level of required review and documentation is more rigorous and complex
than many companies anticipated.

Companies need the extra time gained from delay in implementation of
Section 404 requirements in order to comply.



Key Challenges: Overall Process

 Documenting and evaluating design of controls vs. testing controls
– Who – management, internal auditor, external auditor, consultant?
– What – entity vs. activity level controls?
– How – periodic vs. ongoing?
– When – interim vs. year-end?
– Where – which entities/locations are in scope?
 Creating an evaluation planning mindset using materiality, including
qualitative criteria
 Mapping controls to significant accounts, classes of transactions, disclosures
and vice-versa
 Planning efforts at subsidiaries/divisions based on relative significance
 Determining how service providers impact the evaluation



Key Challenges: Overall Process

 Reporting relative control impacts to audit committee
 Reporting 404-control issues publicly, with appropriate perspective
 Determining impact of material weaknesses on quarterly certifications
– current and previously filed
 Creating an internal control reporting process that is built into the control
structure, including tools such as:
– Documentation aids
– Dashboards
– Compliance monitoring tools
 Optimizing the efficiency of internal control effectiveness reporting



Key Challenges: Finding a Common Language to Discuss “Quality of Controls”
 Needed by audit committees to evidence oversight
 Expected by regulators
 Important that technical and judgmental elements of final assessment are
communicated and understood
 To be effective, audit committees will require:
– Perspective to sort out material, “significant” and lesser deficiencies
– Definitions of materiality that are reconciled by management from
planning through execution, to conclusion
– Consistent processes to summarize, categorize, assess, discuss and
conclude on relative control issues
– Protocols developed in advance to govern the execution of
the above processes



Overview of Actuarial Process – Illustration of P/C Reserving *

Process stages (figure): Data → Analysis → Decision-making → Reporting

Possible Risk Areas:
– Data: Completeness, Accuracy, Adjustments, External benchmarks, Segmentation,
Level of Detail, Qualitative
– Analysis: Methods/Assumptions
– Decision-making: Actuarial value/range versus Management best-estimate
– Reporting: Documentation, Communication

* The process is generally not linear; iterations tend to occur.
For example, new data are gathered based on initial findings from analysis.
Control Environment – Potential Elements

• Corporate values and code of ethics
‐ Established, widely communicated, management and staff “walks the talk”

• Clearly defined roles and responsibilities

• Corporate organization structure for reserving actuary
‐ Can a conflicting reserve opinion be heard by CFO, CEO, Chairman, Audit Committee?

• Effectiveness of staff and management

• Familiarity, understanding and training of Audit Committee members with
reserving topics.



Risk Assessment – Potential Elements

– Is claim and premium coding valid and accurate?

– Do systems correctly employ coded transactions to produce reserving
reports?
• Schedule P, Actuarial reserving triangles, etc.

– Have all appropriate actuarial methods been employed?

– Are all corporate initiatives considered in reserve projections?
• Underwriting, pricing, claims, expense and other initiatives.

– Have external environmental events been considered in reserve projections?
• Inflation trends, legislative activity, demographics, weather, etc.



Risk Assessment – Potential Elements (2)

– Where are the key actuarial judgment points for each reserve?
• Development patterns, loss ratios, price changes

– Has the actuarial profession’s “Statement of Principles” been considered?
• Data organization, homogeneity, credibility, frequency and severity, etc.

– Where are the key management judgment points for each reserve?
• Adjustments, bulk loadings, etc.

– What spreadsheets are used in the testing of reserves?
• Cell formulae, manual changes

– SAP vs. GAAP differences



Control Activities – Potential Elements

Documented Processes

• Data Reconciliation

• Checklist of Procedures

• Approval of Deviations

• Documentation of Judgments

• Documentation of External Inputs

• Peer Reviews

• Does someone outside the reserve process verify completion of all
procedures?



P/C Reserving Process – What Do You Have to Do

• Document the Reserving Process
‐ Prerequisite to Identifying Points of Risk – Roadmap is Needed
‐ Scope, Data Collection/Evaluation, Methods/Assumptions, Review Procedures, Bridging
between Actuarial and Recorded
‐ “How Much is Enough” Varies Among Companies

• Identify Points of Risks

• Design Control Activities or Identify Existing Control Activities to Mitigate
Risks

• Document the Control Activities and their Function

• Monitor Effectiveness of Control Activities over Time



Other Control Components – Potential Elements
Information & Communication
• Input into reserving process – Are there control processes established for input into the reserving processes?
– Loss and Premium Data
– Ceded Reinsurance
– Input of Pricing, Underwriting, Claims into Process

• Output of reserving process – Communicating results to senior management
– Is there a formal delivery package for reserve results each quarter?
– What is lead actuary’s role in approving recorded reserves?

Monitoring
 Are exceptions or surprises evaluated?
– Were there controls in place?
– Why were those controls not effective?

 Are post-mortem meetings conducted?

 Is input from those outside of the reserving process (e.g., top management, third party actuaries, external and
internal auditors) considered in re-evaluations of the process?



Internal Controls Maturity Framework

Maturity levels (summary):
– UNRELIABLE: Unpredictable environment where control activities are not designed or in place
– INFORMAL: Control activities are designed and in place but are not adequately documented
– STANDARDIZED: Control activities are designed, in place and are adequately documented
– MONITORED: Standardized controls with periodic testing for effective design and operation with reporting to management
– OPTIMIZED: Integrated internal controls with real time monitoring by management and continuous improvement

 Level 1 – Unreliable
– Unpredictable environment where control activities are not designed or in place
 Level 2 – Informal
– Disclosure Activities and Controls are designed and in place but are not adequately documented
– Controls mostly dependent on people
– No formal training or communication of control activities
 Level 3 – Standardized
– Control activities are designed and in place
– Control activities have been documented and communicated to employees
– Deviations from control activities will likely not be detected
 Level 4 – Monitored
– Standardized controls with periodic testing for effective design and operation with reporting to management
– Automation and tools may be used in a limited way to support control activities
 Level 5 – Optimized
– An integrated internal control framework with real time monitoring by management with continuous improvement (Enterprise-
Wide Risk Management)
– Automation and tools are used to support controls activities and allow the organization to make rapid changes to the control
activities if needed

Questions For Company Actuaries

From a big picture, company actuaries need to ask themselves . . .

 Are there adequate controls in place around the actuarial reserving process that impact
financial reporting?

 What does the internal control structure look like and how does it operate?

 Are these controls formal or informal?

 Are they documented and current?

 Are they monitored and tested?

 Who is accountable?



Questions For Company Actuaries (2)

From a big picture, company actuaries need to ask themselves . . .

 How will management assess the ongoing effectiveness of controls?

 How are control issues tracked and evaluated?

 What are the critical control activities?

 How will I demonstrate that I have reviewed the controls every quarter?

 What actuarial outputs impact the financial statements and footnotes?
