You probably remember that, in June 2006, the NAIC/AICPA Working Group adopted sweeping revisions to the Annual Financial Reporting Model Regulation (as revised, the "Model Audit Rule" or "MAR"). You also may remember that the revisions relate to auditor independence, corporate governance and internal control over financial reporting, and were intended, at least in some respects, to implement certain requirements similar to those found in the Sarbanes-Oxley Act of 2002 ("SOX"). But did you know that the effective date of some of these revisions to MAR is January 1, 2010 - less than three months from now - and that the remaining revisions will take effect by the end of next year?
Many states have already adopted MAR, and those that haven't are planning to do so. Successful compliance with MAR requires careful planning, allowing enough time to resolve deficiencies and mitigate risks.
MAR mandates that every insurance company required to file annual audited financial reports "designate a group of individuals as constituting its Audit committee." Section 3 of MAR defines "audit committee" as a committee "established by the board of directors of an entity for the purpose of overseeing the accounting and financial reporting processes of an insurer…and audits of financial statements of the insurer…" The audit committee requirement can be satisfied if an entity that controls an insurer or group of insurers elects for the audit committee of such controlling entity to be deemed, and to serve as, the audit committee of the insurer or group of insurers.
MAR also requires that audit committees be comprised of a certain percentage of directors who are "independent" from company management based on the size of the insurer. For example, insurers with more than $500 million in direct written and assumed premiums must have an audit committee comprised of at least 75% "independent" directors. However, this audit committee independence requirement does not apply to an insurer that is wholly-owned, directly or indirectly, by a "SOX Compliant Entity."
Further, MAR requires that an insurer with $500 million or more in direct and assumed premium file a report regarding its assessment of internal control over financial reporting. This report must include, among other things, a statement by management concerning whether these controls are effective to provide reasonable assurance regarding the reliability of the statutory financial statements and disclosure of any unremediated material weaknesses in internal control over financial reporting. Insurance companies subject to MAR's requirement to document internal controls over financial reporting should take time to learn from public companies that have already complied with the similar requirements in Section 404 of SOX. For one thing, documenting and testing internal controls is a time-consuming process. (For a recent report by the SEC on the cost of complying with SOX, see http://www.sec.gov/news/studies/2009/sox-404_study.pdf.) However, an insurance company that is already subject to Section 404 of SOX, or that is part of a holding company system whose parent is directly subject to Section 404 of SOX, may comply to a substantial degree with this MAR requirement by filing its or its parent's Section 404 Report in lieu of, or supplemental to, the report required by MAR.
In addition, MAR contains several SOX-like restrictions relating to an insurance company's independent auditor. For example, MAR prohibits audit firms from providing the following "non-audit" services to an external audit client: bookkeeping; financial information systems design and implementation; actuarial services; internal audit outsourcing services; management or human resource services; or expert services unrelated to the audit.
If you're already in compliance with the new requirements, congratulations! If not, it's time to get started.