Douglas Stolte and Stephen Johnson believe insurers have an opportunity to regain public faith, but at what cost?

404. Could these be lottery numbers? An area code? Perhaps a flight number? To anyone within the business world, these numbers could mean only one thing: Sarbanes-Oxley.

The Sarbanes-Oxley Act of 2002 was created in the wake of several major corporate failures. Two of the primary objectives of the act are to regain the investing public's lost trust and to increase the reliability of financial statements.

These financial statements are used not only by investors but also by company directors, creditors and regulators. Without credible and accurate financial information, these parties cannot make informed business decisions.

The act includes 11 titles ranging from auditor independence to white-collar crime penalty enhancements. Perhaps the most controversial area within the act is Section 404: Management Assessment of Internal Controls.

This requires primarily two things: management's assessment of the effectiveness of internal controls over financial reporting and an auditor's attestation report on the assessment made by management. Both of these are critical in accomplishing the act's primary objectives.

In developing the act, Congress stated that the traditional financial audit prepared in accordance with generally accepted auditing standards (GAAS) and on the basis of generally accepted accounting principles (GAAP) was inadequate, since not enough attention was placed on the consideration of internal controls. Therefore, Section 404 now requires that a separate audit of the internal controls over the financial reporting process be performed.

Similar to Congress, US regulators within the insurance industry also have concluded the GAAS audit prepared on the basis of statutory accounting principles (SAP) needs to be strengthened. Currently, the Model Regulation Requiring Audited Financial Report (the Model Audit Rule) requires insurers to submit the auditor's report on significant deficiencies in internal controls when such deficiencies are identified in the course of the GAAS/SAP audit.

US insurance regulators have only received a very limited number of such reports, despite numerous insolvencies that appear to be caused by at least some form of company mismanagement which can be traced to inadequate controls over financial reporting, poor corporate governance and audit failures.

One of the National Association of Insurance Commissioners' (NAIC) related subgroups, the NAIC/AICPA Working Group (Working Group), has been charged with the task of reviewing guidance within the act and analysing whether certain best practices should apply to insurers.

The Working Group has been studying this issue for two years and has proposed revisions to the Model Audit Rule that would require management's assessment, as well as an auditor's attestation report, on the effectiveness of internal controls over financial reporting for certain companies.


This has been a hotly debated issue at the NAIC. Those in opposition say the US insurance market is already highly regulated and subject to extensive financial reporting requirements. While it is true that the insurance industry is highly regulated, virtually every regulatory tool with the exception of the annual audit and the on-site financial condition examination is predicated on the existence of high quality data.

Because of the promises made by insurers, policyholders need to be assured their insurer will remain solvent in order to pay future claims. As a result, regulators require additional tools to allow them to assess the financial condition and stability of the companies they regulate.

There is one inherent problem with the majority of the financial tools utilised by regulators: the tools are only as good as the information provided. That is, if the information provided by an insurance company is not accurate, the regulators will not be able to make accurate assessments of the company's financial condition.

If the financial statements are not correct, the regulators will not be able to identify potentially troubled companies early and intervene in them.

The result is insolvent companies, which hurt not only policyholders, but the general public.

The insurance industry is a highly-specialised market, very much like the banking industry. When drafting regulations related to management assessment of internal controls, the insurance regulators looked towards their banking and securities brethren to review their requirements.


As it turns out, banking institutions have been subject to at least some Sarbanes-Oxley-like regulations for more than a decade. In fact, Part 363 of the Federal Deposit Insurance Corporation's Rules and Regulations became effective for fiscal years beginning after 31 December 1992 and applies to depository institutions with total assets of more than $500m.

Sections 363.2 and 363.3 include requirements that mirror those included in Section 404 of the act. They require the preparation of a management report, which includes management's assessment of the effectiveness of its internal control structure over financial reporting, as well as an independent public accountant's attestation report on this assessment.

Securities regulators now have the Sarbanes-Oxley Act of 2002.

Similar to the banking industry, the Working Group realises that the requirements proposed may not hold the same benefits for smaller, less complex insurers. For this very reason, the Working Group has discussed exemptions for smaller companies based on total premiums written and assumed.

These exemptions would apply when the cost of implementing the requirements would be prohibitive when compared to the size of the company.

The Working Group has taken company size and formation into consideration for other sections of Sarbanes-Oxley as well. For example, the current revisions to the Model Audit Rule do not require the existence of an audit committee at each individual legal-entity level.

Rather, the audit committee of the ultimate controlling entity may act as the audit committee of its various subsidiaries. In addition, the Working Group has indicated that, under certain circumstances, it may be appropriate to assess internal controls over financial reporting at the holding company level, rather than for each legal entity.

The Working Group has been asked why it is considering subjecting mutual and non-public stock insurers to requirements on corporate governance, improvements to the external audit function and internal controls over financial reports similar to those of Sarbanes-Oxley, a legislative bill focused purely on public companies and other SEC registrants.

Because of the nature of the insurance industry and the fiduciary duty on the part of insurers, they must be held to a very high standard. In addition, other industries within the financial services sector are already subject to these measures and the insurance industry is no different.

The Working Group has also been asked on numerous occasions to conduct a "cost-benefit analysis" of the proposed changes to the Model Audit Rule.

The Working Group believes the changes will result in numerous benefits to the insurance regulators and the industry but says it is almost impossible to quantify the benefits.

How can anyone place a price tag on the benefit of a regulator's early identification of a troubled insurer, and on the regulator's ability, therefore, to avoid the necessity of placing an insurer in liquidation?

The Working Group believes success is dependent on the implementation of three key components: a responsible corporate governance structure; an improved audit function; and, most importantly, well documented and tested internal controls over financial reporting. Absent such a system, an insurer cannot effectively manage its business - it will be forced to manage by crisis and not by design.

The non-public and mutual US insurance industry is in a unique position to gain significant public trust by embracing what has quickly become an international business standard. The policyholders and the public deserve these necessary solvency protections.

Douglas C Stolte is deputy insurance commissioner for the Financial Regulation Division, Commonwealth of Virginia, State Corporation Commission, Bureau of Insurance. Stephen Johnson is deputy insurance commissioner for the Office of Corporate and Financial Regulation, Pennsylvania Insurance Department.


Under Section 404 of the Sarbanes-Oxley Act 2002, companies are required to include in their annual report details relating to the company's internal control of financial reporting. According to the US Securities and Exchange Commission, this internal control report must include the following:

- a statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company;

- management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year;

- a statement identifying the framework used by management to evaluate the effectiveness of the company's internal control over financial reporting;

- and a statement that the registered public accounting firm that audited the company's financial statements included in the annual report has issued an attestation report on management's assessment of the company's internal control over financial reporting.