In examining the impact of the Sarbanes-Oxley Act on insurance, Bill Sofsky emphasises that data quality and accuracy will be more important than ever for direct writers and reinsurers alike.
By now, almost everyone in our industry has heard the names Sarbanes and Oxley. Besides being distinguished members of the US Congress, Messrs Sarbanes and Oxley are co-authors of a piece of legislation that has had a profound impact on accounting, reporting and corporate governance in the US. What are the relevant provisions of the Sarbanes-Oxley Act of 2002 (SOX) and how will they affect the re/insurance industry?
The US Congress enacted SOX at least partially in response to a wave of corporate accounting scandals. The legislation has far-reaching implications for any company that meets the definition of an "issuer" under the Securities and Exchange Act of 1934. This primarily means publicly traded companies with shares listed in the US, but includes issuers of other types of securities or any company required to provide reporting to the Securities and Exchange Commission (SEC) under the 1934 Act.
SOX provides for the establishment of the Public Company Accounting Oversight Board (PCAOB) as a rule-setting body to oversee public accounting firms who audit issuers. There are several sections dealing with rules and practices for public accounting firms, while other sections of SOX cover rules for companies subject to the Act regarding their audit committees, financial reporting and internal control. SOX also has sections dealing with the criminal penalties associated with violating any of its provisions.
The most relevant sections of SOX for re/insurers are sections 302 and 404. Section 302: Corporate Responsibility For Financial Reports, requires the CEO and CFO of each issuer to sign a statement to accompany the filed report to certify the "appropriateness of the financial statements and disclosures contained in the periodic report, and that those financial statements and disclosures fairly present, in all material respects, the operations and financial condition of the issuer." Section 404: Management Assessment Of Internal Controls, requires each annual report of an issuer to contain an "internal control report". This report shall:
1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting;
2) contain an assessment of the effectiveness of that internal control structure and procedures for financial reporting.
Section 404 also requires an issuer's auditor to attest to the assessment made by management in accordance with standards set for an attestation engagement issued and adopted by the PCAOB.
The concepts in sections 302 and 404 are not new. However, the potential for fines and criminal penalties for violation of SOX provisions certainly has raised the bar for senior management in public companies and their auditors.
This raising of the bar has translated into a great deal of work at many companies to complete their assessment of their internal controls and to prepare for the day when they will have to provide the disclosures required by SOX. Domestic US issuers have to comply with the requirements of section 302 no later than 14 August 2003, and section 404 no later than 15 June 2004. Foreign issuers required to file reports with the SEC must comply no later than 15 April 2005.
This assessment has led many companies to look at the controls over the accuracy and quality of the financial information they provide. This would include taking a closer look at the financial information on which they rely from other companies.
Who is affected?
Since SOX applies to issuers under the 1934 Act, it applies to the financial statements and reports filed with the SEC by those issuers. That does not mean, however, that SOX only affects issuers who file US GAAP 10Q and 10K reports with the SEC. It has an impact on all issuers, regardless of their reporting basis. Beyond that, any company providing financial information on which the issuer will rely will be affected as the issuer will require proof of the accuracy and completeness of the information.
The issuer may also require (or at least request) a Statement of Auditing Standards No 70 (SAS 70) report from any third party administrators or other service organisations on whose system of internal control the issuer must rely. A SAS 70 examination involves a service organisation having its control objectives and control activities examined by an independent accounting and auditing firm. A formal report including the auditor's opinion is issued.
Impact for ceding companies and reinsurers
In a reinsurance transaction it is possible that either the ceding company or the reinsurer (or both) will be subject to SOX. Insurance companies that are not issuers under the 1934 Act should not consider themselves immune. Foreign companies doing business with issuers subject to SOX may be impacted depending on the reporting requirements they have in their contracts with the issuer.
US domestic insurers and reinsurers that are not issuers have two concerns. The first would be the reporting requirements imposed by companies subject to SOX with which they do business. The second is that the National Association of Insurance Commissioners (NAIC) is currently considering its own version of a SOX-like regulation that would most likely be adopted by the regulators in their state of domicile.
All companies that exchange financial information in the normal conduct of their business will most likely be affected by SOX. Reinsurers are especially impacted by the quality of the information they receive from ceding companies. Almost every piece of financial information affecting a reinsurer's financial statements comes from ceding companies. Before SOX, most reinsurers operated under the assumption that they could rely on the information from ceding companies. Many contracts called for 'bulk' reporting and administration where policy level data was kept primarily at the ceding company. Bulk reporting facilitated the reinsurance relationship and ostensibly held costs lower. Reinsurers assumed their financial statements would be considered accurate and complete if they could show they had relied on, and could tie their statements back to, that information.
The statements and attestation required in sections 302 and 404 call for more than that. SOX compliance involves following the guidelines for effective internal control established in the 1980s by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, published in Internal Control - Integrated Framework. The PCAOB has referred to the COSO guidelines in the rules and auditing standards it has published to date.
The American Institute of Certified Public Accountants (AICPA) Audit Guide for Life and Health Insurance Entities describes internal controls that ceding companies should have over the accuracy and completeness of their reporting for reinsurance contracts. It also describes the types of controls reinsurers should have in place to ensure the quality and completeness of the data received from ceding companies on which they will rely.
In response, many reinsurers have been working with their client ceding companies on the consistency, accuracy and quality of the data they provide.
Reinsurers are also strengthening the language in the provisions in their treaties regarding the format, timeliness and accuracy of the data required from the ceding company. And there is a move toward requiring electronic seriatim data from ceding companies on a monthly or at least quarterly basis.
Reinsurers have always been challenged to try to get the most accurate and timely reporting possible from their ceding company clients. SOX has increased the emphasis required on receiving quality data. It also provides an opportunity for reinsurers to assist clients in their efforts to enhance their reporting and control capabilities. The increased emphasis on data quality will likely lead to more frequent dialogue on data quality, and should also lead to more timely recognition of potential errors or omissions and help avoid disputes or inconsistencies. The more frequent contact between the ceding company and reinsurer could also lead to more informed and accurate pricing or identification of business opportunities for both.