The Model Audit Rule 205, Model Audit Rule, or MAR 205 are the commonly applied terms for the Annual Financial Reporting Model Regulation.[1] Model Audit Rule is a financial reporting regulation applicable to insurance companies, and borrows significantly from the Sarbanes Oxley Act of 2002 (see ‘key sections’ below). The Model Audit Rule is co-developed by the American Institute of Certified Public Accountants (“AICPA”) and National Association of Insurance Commissioners (“NAIC”) and issued by NAIC [2] with revisions in 2006 and has taken effect in 2010.[3]

The NAIC internal designation for the Annual Financial Reporting Model Regulation is MDL 205, where MDL stands for Model, and the number of the model rule is 205.[4] Because the regulation was issued by NAIC, which is not a federal agency with direct regulatory power, its adoption is on a state-by-state basis.[5]

Purpose

edit

The Model Audit Rule was issued to:

  • Govern the submission of audited statutory financial statements by insurance companies [1]
  • Drive Consistency Across Insurance Regulators [3]
  • Improve the ability of state insurance departments to oversee the financial condition of insurers [1]

The Model Audit Rule requires the following to be submitted by insurance companies operating in states which have adopted the regulation:

  • An Annual Financial Statement Audit by an Independent CPA[6]
  • Communication of Internal Control Related Matters Noted in the Audit [6]
  • Managements Report of Internal Control over Financial Reporting [6]

Key Sections

edit

Section 4 – Financial Report Filing Requirements

edit

All insurers must have an annual audit by an independent CPA. This audit must be filed by June 1 following the preceding December 31 year end.[6] An insurer may receive an extension for both the Audit report (performed by an independent CPA) and Managements report on internal controls. Here, the term Management refers to the management of the insurer.

For example, filing for the year ending December 31, 2012 must be done by June 1, 2013.

Section 5 – Financial Report Contents

edit

The annual audited financial report should show the financial position, results of its operations, cash flows and changes in capital and surplus. The insurers report must be in conformity with statutory accounting practices of the Department of Insurance of the insurers’ state.[6]

§5(G) The financial reports must be comparative, that is, to show the most recent year end against the preceding year end. For example, in a financial report for the year ending December 31, 2013, for each line item, the report must show the result for December 31, 2013, and December 31, 2012.[6]

§5(A – F) The financial report must include:

  • Report by an Independent CPA (i.e. Independent Auditors Report) [6]
  • Balance Sheet [6]
  • Statement of Operations (i.e. Income Statement in a for-profit operation) [6]
  • Statement of Cash Flow [6]
  • Statement of Changes in Capital and Surplus [6]
  • Notes to the Financial Statements [6]

Section 7 – Qualifications of Independent External Auditor

edit

Many items in this section are based on the underlying requirement that the audit of the insurer must be performed by an independent CPA / CPA firm.[citation needed]

This section of the Model Audit Rule describes the qualifications of an Independent external auditor for an insurer through the following major themes:

  • Liability – External Auditor Liability and
  • Disassociation – Mandatory Audit Partner Rotation, and Audit Leadership being apart from insurers leadership through a minimum time frame
  • Non Audit Services – Description of Services that the External Auditor cannot perform while engaged in the audit of the insurers financial statement
Liability

§7(A)(2) The external auditor is liable for representations made in the audit of the insurer.[6] This promotes auditors independence because the external auditor has “skin in the game” and can be held liable for misrepresentations made on its audit report, and other responsibilities.

Disassociation

§7(D)(1) is similar to SOX 203 in requiring the rotation of the lead audit partner, with a five-year “cool off” period, after a five-year consecutive period with the audit of the insurer. In addition to this, Section 7(L)(1) addresses that a CPA firms senior manager or partner cannot be a part of the insurers leadership for one year prior to the audit.[1][6]: 9 

Non-Audit Services

§7(G)(1) is similar to SOX 201 in the restriction of non-audit services being performed by the CPA firm conducting the audit of the insurers financials.[1][6]

The principles governing non-audit services are that the CPA / CPA firm cannot:

  • Function in the role of management (§7(G)(2))[6]
  • Audit their own work (§7(G)(2)),[6] and
  • Serve in an advocacy role for the insurer (§7(G)(2))[6]

Particular non-audit services mentioned include (Section 7(G)(1))

  • Bookkeeping or other services related to accounting records of the Insurer [6]: 7 
  • Financial Information System Design & Implementation [6]: 7 
  • Appraisal or Valuation Services [6]: 7 
  • Actuarial advisory services involving determination of financial statement amounts [6]: 7 
  • Internal Audit Outsourcing [6]: 7 
  • Management or Human Resources functions [6]: 7 
  • Broker / Dealer functions [6]: 7 
  • Legal services or expert services unrelated to the audit [6]: 7 
  • Any other services that the commissioner determines, by regulation, to be impermissible.[6]: 7 

§7(F) provides that state insurance commissioner the authority to, following a hearing on the matter, force an insurer to change the auditor of its financial statements.[6] In addition, according to drafting notes contained within this section, the state insurance commissioner shall consider using guidance provided in the Securities and Exchange Commission (SEC) final rule No.33-8183,[7] strengthening the commissions requirements regarding auditor independence.[6]

§7(J) provides that all audit and non-audit services to the insurer must be approved first by the insurers audit committee.[6]: 8 

Section 9 – Scope of Audit and Independent External Audit Report

edit

This section of the Model Audit Rule describes the resources that the external auditor must consult in planning and performing the audit of an insurers financial statements. The following are the requirements noted and standards borrowed to complete the requirement. The Auditor must:

Component of Audit Scope, per MAR §9 External Rule / Standard / Reference
Conduct the audit in accordance with Generally Accepted Auditing Standards (GAAS) Generally Accepted Auditing Standards (GAAS) [6]: 10 
Obtain Understanding of Internal Control AU319 of the American Institute of Certified Public Accountants (AICPA)[6]: 10 
Scoping for audits of insurers that file a report on internal controls (MAR §16) to accompany the financial statements Statement of Auditing Standards (SAS) No. 102 or its replacement, and Financial Condition Examiners Handbook (by NAIC)[6]: 10 

Section 11 – Communication of Internal Control Matters

edit

The insurer must provide to the state insurance commissioner a report on internal control weaknesses that are still outstanding as of the close of the audit. The terminology used here is unremediated material weaknesses in internal control over financial reporting.[6]: 10 

To successfully provide the unremediated internal control weaknesses report, the concept of materiality must be explained. Here, the insurer and external auditor are directed to the Statements on Auditing Standards No. 60 (SAS 60), Internal Control Related Matters Noted in the Audit [1]: 10  regarding the term material weakness.[6]: 11 

The Internal Controls Report must, for each material weakness:

  • Describe the unremediated material weakness [6]: 11 
  • Describe Actions taken or planned on to remediate the weakness going forward (if not already communicated by the auditor)[6]: 11 
  • (If none exist), then the report must state that fact [6]: 11 
  • The report must also coincide with the most recent insurers annual financial statements [6]: 11 

An example of this communication, as would be sent to the state insurance commissioner, is the following:

 

Example - Communication of Internal Control Matter [8]: G10 

Honorable Commissioner State of Domicile Insurance Department State of Domicile

Dear Honorable Commissioner:

During the audit completed for the year ended December 31, 20XX, for XYZ Holding Company Inc (“XYZ”), a material weakness was noted in XYZ’s internal control over financial reporting related to the calculation of insurance reserves. Due to the manner in which the data for homeowners policies are captured by the systems used in its Southeastern US regional office, changes in XYZ’s estimate of insurance reserves for certain policies are not reviewed by XYZ’s Actuarial Department prior to being recorded in the company’s accounting records.

A material weakness is a deficiency or a combination of deficiencies in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis. In connection with the weakness noted above, XYZ’s management has taken remedial actions to change its procedures for coding policies issued in the states affected so that all homeowners’ policy data are included in the Actuarial Department review of estimate of insurance reserves. This change was effective on July 1, 20XX.

Should you have any questions regarding this matter, please do not hesitate to contact me at the number noted above.
Regards,

XYZ Holding Company, Inc.

 

Section 15 – Conduct of Insurer for Documentation

edit

The insurers’ leadership (officers, directors) cannot improperly influence an external auditor of the insurers’ financial statements. “When the officer, director, or person acting under his or her direction knew or should have known that the action, if successful (but regardless of whether the action is in fact successful) could result in rendering the issuers financial statements materially misleading” [1]: 7 

Fraud and Gross Negligence

edit

§15 is closely related to Rule 13b2-2(b) under the Securities Exchange Act of 1934.[1]: 7  The standard for violation used here includes fraud (acting with intent to deceive) as well as gross negligence (reckless disregard for the truth). Gross negligence is invoked under the phrase “known or should have known”.[9][1]: 7 [10][11]

Section 16 – Management Report on Internal Control

edit

This section of the Model Audit Rule is most closely related to and departs from Sarbanes Oxley Section 404 (SOX 404) on Internal Control.[1]: 7 

  • Similar to SOX 404, Management (the insurer) is required to issue an internal controls assessment report.[1]: 7 
  • Departing from SOX 404, the external auditor does not attest to Managements assessment of internal controls.[1]: 7 

§16(A - D) Which Insurers must file – generally, this report is required for large insurers, those with:

  • Premiums of $500,000,000 or more (with exceptions),[6]: 15  or
  • That are subject to Sarbanes Oxley section 404 (with exceptions) [6]: 15 

No need for Duplicate Internal Control Reports

If an insurer is a publicly traded and subject to SOX 404, then they are already preparing an internal controls report. Therefore, the Model Audit Rule specifically states that this type of insurer “may file its or its parent’s section 404 report and an addendum in satisfaction of this §16 requirement”.[6]: 15 

The addendum is a statement by the insurer that “there are no material processes with respect to the preparation of the insurer’s or group of insurers’ audited statutory financial statements...[]... excluded from the section 404 report.” [6]: 15 

§16(D) Internal Control Report Contents – Managements Report on Internal Control for statutory financial statements must include:

  • Statement that Management is Responsible for establishing and maintaining Internal Controls [6]: 16 
  • Statement that Management has in-fact established internal controls over financial reporting [6]: 16 
  • Statement on the effectiveness of Internal Controls (providing reasonable assurance regarding the reliability of financial statements according to statutory accounting principles) [6]: 16 
  • Approach or processes regarding Managements internal control evaluation [6]: 16 
  • Scope of Work regarding Management internal control evaluation [6]: 16 
  • Disclosure of unremediated material weaknesses of internal control (If there is at least one, management cannot conclude that internal controls are effective) [6]: 16 
  • Statement on inherent limitations of internal control [6]: 16 
  • Signatures of CEO and CFO [6]: 16 

§16(E) Management (Insurer) Supporting Activities – During an Audit or financial condition examination, the insurer must make available the basis for assertions used in evaluation of internal control.[6]: 16 

The insurer is given the freedom (discretion) regarding:

  • Internal control framework used,[6]: 16  and
  • Nature and extent of documentation[6]: 16 

The insurer has aforementioned discretion under the Model Audit Rule to achieve internal control objectives in a cost-effective manner.[6]: 16 

Report and Addendum Example: The following is of an SEC registrant who had all Internal Controls covered in the 404 Report.

 

Example Part 1 – Report – Management’s Report of Internal Control over Financial Reporting[8]: G23 

XYZ Holding Company Inc (“XYZ”) is required to file annual reports on Form 10-K/20-F with the U.S. Securities and Exchange Commission. Each of the insurance companies listed on Attachment B is a wholly owned subsidiary of XYZ. For the purpose of XYZ’s Management’s Report of Internal Control over Financial Reporting, management has identified its “Group of insurers,” as that term is defined in [relevant state statute or Section 3H of the Model], as the insurance companies listed on Attachment B.

Management of XYZ is responsible for establishing and maintaining adequate internal control over statutory financial reporting. XYZ’s internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of statutory financial statements in accordance with statutory accounting principles. Management conducted an assessment of the effectiveness, as of December 31, 201X, of the Group of insurers’ internal control over statutory financial reporting, based on the framework established in Internal Control—Integrated Framework Issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Based on our assessment under that framework, management concluded that the Group of insurers’ internal control over statutory financial reporting is effective to provide reasonable assurance regarding the reliability of financial reporting and the preparation of statutory financial statements as of December 31, 201X.

Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Projections of any evaluation of effectiveness to future periods are also subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.

In satisfaction of the Group of insurers’ obligation to deliver Management’s Report of Internal Control over Financial Reporting for the fiscal year ended December 31, 201X, as permitted by [relevant state statute or Section 16C of the Model], XYZ is hereby providing the Insurance Commissioner of [domiciliary state] copies of Management’s Report of Internal Control over Financial Reporting and the report of independent registered public accounting firm on internal control over financial reporting for XYZ included in XYZ’s Form 10-K/20-F for the fiscal year ended December 31, 201X (or alternatively the Annual Report to Stockholders). In addition, an Addendum (Attachment A) is included to this report which identifies the material processes that were not included in the Section 404 Report (as defined in Attachment A).

Based on management review of internal controls, there were no unremediated material weaknesses as of December 31, 201X identified as part of the Group of insurers’ internal control structure over the statutory financial statements for the year ended December 31, 201X.

(Signed)____________________________________________ (Date)______________
(Chief Executive Officer)

(Signed)____________________________________________ (Date)______________
(Chief Financial Officer)

 

 

Example Part 2 – Addendum [8]: G24 

XYZ Holding Company, Inc.

Addendum to Management’s Report of Internal Control over Financial Reporting

For the Year Ended December 31, 201X

For purposes of this addendum, the “Section 404 Report” means Management’s Report on Internal Control over Financial Reporting and the report of independent registered public accounting firm on internal control over financial reporting contained in or incorporated by reference in the Form 10-K/20-F. Accordingly, as required by [relevant state statute or Section 16C of the Model], management of XYZ hereby affirms that there are no material processes with respect to the preparation of the audited statutory financial statements of the Group of insurers that were excluded from the Section 404 Report.

 

References

edit
  1. ^ a b c d e f g h i j k l Burton, Scott B.; Krus, Cynthia M.; Roth, Stephen E.; Wilson-Bilik, Mary Jane (October 29, 2009). "The NAIC's New Model Audit Rule: Is Your Organization Ready?" (PDF). Sutherland. {{cite journal}}: Cite journal requires |journal= (help)[permanent dead link]
  2. ^ Murphy, James, CPA. "The NAIC Model Audit Rule: Change is Imminent – Will Your Organization be Prepared?". Retrieved July 3, 2013.{{cite web}}: CS1 maint: multiple names: authors list (link)
  3. ^ a b "SUNERA – Model Audit Rule". Sunera LLC. 2013 [2005]. Retrieved July 1, 2013.
  4. ^ "NAIC Model Laws, Regulations and Guidelines". National Association of Insurance Commissioners. 2013 [1991]. Retrieved July 8, 2013.
  5. ^ "FAQ" (PDF). NAIC. Retrieved June 28, 2013.
  6. ^ a b c d e f g h i j k l m n o p q r s t u v w x y z aa ab ac ad ae af ag ah ai aj ak al am an ao ap aq ar as at au av aw ax ay az ba bb bc "Annual Financial Reporting Model Regulation" (PDF). National Association of Insurance Commissioners – Model Regulation Service. October 2007. Retrieved June 28, 2013.
  7. ^ "Securities and Exchange Commission, Release No. 33-8183". March 27, 2003. Retrieved July 8, 2013.
  8. ^ a b c "Appendix G, Implementation Guide for the Annual Financial Reporting Model Regulation" (PDF). National Association of Insurance Commissioners – NAIC/AICPA Working Group. 2010. Retrieved June 28, 2013.
  9. ^ "Financial Mistakes to Avoid". Retrieved May 18, 2016.
  10. ^ "Law.com Legal Dictionary - Fraud". 2013. Retrieved July 8, 2013.
  11. ^ "Law.com Legal Dictionary – Gross Negligence". 2013. Retrieved July 8, 2013.

Further reading

edit
  1. "SECURITIES EXCHANGE ACT OF 1934" (PDF). Securities and Exchange Commission. August 10, 2012. {{cite journal}}: Cite journal requires |journal= (help)
  2. "PUBLIC COMPANY ACCOUNTING REFORM AND CORPORATE RESPONSIBILITY" (PDF). 107th United States Congress. July 30, 2002. {{cite journal}}: Cite journal requires |journal= (help)