Have questions about the Moss Adams combination? We're here to help. Submit your inquiry.

Loading...

The Model Audit Rule: Best practices and recommendations to improve your organization’s program | Baker Tilly

Team members working on report

Article

The Model Audit Rule: best practices and recommendations to improve your organization’s program

Sept. 27, 2023 · Authored by John Romano, Rachel Schmoyer

This article covers the Model Audit Rule (MAR) and its purpose, as well as the trends and industry common misconceptions associated with MAR. For a more in-depth look into MAR, and to learn more about our MAR approach, check out our MAR webpage.

The National Association of Insurance Commissioners' (NAIC) Annual Financial Reporting Model Regulation #205, commonly known as the Model Audit Rule (MAR), requires that insurance companies that exceed certain thresholds of direct and assumed written premiums adopt auditor independence, corporate governance and internal control over financial reporting standards.

MAR was enacted for three primary purposes:

To provide regulators with greater confidence that their domiciled insurance entities have effective controls in place to mitigate the risk of publishing inaccurate annual statements
To increase efficiency of the risk-focused examinations by allowing the examination teams to rely on the control testing performed by the insurer regarding their financial reporting risks
To enhance corporate governance by increasing management’s confidence in their internal controls environment

It is important to note that although a majority of states have adopted MAR in its entirety based on the NAIC’s recommendations, some have chosen to adopt or modify specific sections. In 2021, the NAIC published a guide to assist MAR compliance by state.

Effective threshold: $500 million in direct and assumed written premium

John Romano

John Romano

Principal

Related sections

Article Tags

Insurance Model Audit Rule (MAR)internal audit life insurance

government building washington

Next up

New K-2s and K-3s: partial relief for some, burdens and delays for others

Management’s report filing key statements

If an insurer meets the requirements and is not granted a hardship waiver, the MAR requirement mandates that management’s filing be signed by the chief executive officer (CEO) and chief financial officer (CFO), and must include the following key statements:

Management is responsible for establishing and maintaining internal controls
Internal controls have been established and are operating effectively
Brief description regarding the scope, any controls excluded and the overall approach utilized to evaluate effectiveness
Disclosure of any unremediated material weaknesses of internal controls
Statement regarding any inherent limitations of internal control

SOX compliance expedient for MAR compliance

If your institution is already compliant with the Sarbanes-Oxley Act (SOX), MAR section 16/17 states that if the insurer, group of insurers, or parent company are directly subject to SOX section 404, the insurer may file its, or their parent’s, section 404 SOX report, including an addendum to satisfy the section 16/17 requirement. An insurer, or group of insurers, can take advantage of this as long as their internal controls that have a material impact on the preparation of the audited statutory financial statements were included within the scope of the section 404 SOX report.

Management’s responsibility for diligent inquiry

A common question insurers have regarding MAR implementation is in regard to the amount of testing that is generally required. Section 17D(2) states that management’s assertion regarding the effectiveness of the insurer’s financial reporting controls must be made to the best of their knowledge after diligent inquiry. To define “diligent inquiry,” refer to the Annual Financial Reporting Model Regulation Implementation Guide, which defines it as “conducting a search and thorough review of relevant documents which are reasonably likely to contain significant information with regards to internal control over financial reporting.” (Further discussion regarding testing requirements is discussed below under common misconceptions).

Additional consideration should be taken regarding section 17D(5), which requires the insurer to identify all material weaknesses in internal control over financial reporting that exist as of the balance sheet date. If the insurer has identified unremediated material weaknesses, the company will be required to disclose the material weaknesses within its required reporting to the commissioner of their domiciled state. Material weaknesses can often be determined by identifying the significance of an internal control failure, and if it is reasonable to concur that the probability of a material error in future financial statements, which would not be detected by other controls (i.e., compensating controls), ranges from 5% to 10%.

Materiality and scoping

Misconception: Materiality and scoping can be completed without regards to risks

Materiality and annual risk assessments should drive the MAR program’s overall scope and plan. Ensuring that a formalized risk assessment is completed annually by obtaining business owner and management input is key to ensuring that internal audit is testing/focusing on the appropriate key areas. 

Misconception: All general sub-ledger accounts need to be in scope

This is generally not the case as it largely is impacted by materiality. Areas that are not material can be excluded from the scope to increase efficiency and keep costs down. Performing materiality on a subaccount level will allow the company to focus on subaccounts that drive the overall materiality of the line item on the financials and avoid wasting time on areas that are not material.

Misconception: Entity level controls can be ignored

Entity level controls should be included within the scoping if it materially affects the subsidiaries (i.e., insurer) audited financial statements. As aforementioned, if the parent is SOX compliant, the insurer can file the SOX 404 report to cover entity level controls and reduce duplication of efforts.  Regulators, when conducting their analysis and financial examinations of domiciled insurers, actively consider and assess corporate governance and entity level controls. In addition, the MAR Implementation guide refers to the following as aspects and components of internal control that insurers may want to consider when making the assertions and determining relevant documentary evidence: “The internal control environment including oversight provided by the Audit committee of the Board of Directors. Insurers may want to consider how they can demonstrate “Tone at the Top.” The insurer’s compliance programs, code of conduct and the processes for reporting policy exceptions and overrides of controls may also be appropriate to consider.” The previous example is a clear outline of consideration of entity level controls.

Misconception: Management cannot elect their own framework 

MAR does not mandate a specific framework for management’s review and evaluation of internal controls. SEC registrants typically (but are not required to) use the COSO Internal Control-Integrated Framework in assessing the effectiveness of internal control over financial reporting. Management should assess and select an appropriate framework or approach based upon its business risks and objectives.

Misconception: IT systems are not significant unless they relate to the general ledger

IT systems including the general ledger system, policy and claims administration systems, as well as data warehouses and overall network, should be included within scope as it all relates to data integrity. Remember the term “garbage in, garbage out.” If IT systems are not appropriately coded or mapped, the data being extracted will be inaccurate and lead to misstated financial statements.

Control testing

Misconception: All key controls should be independently tested annually

In order to remain efficient and cost effective, insurers can consider rotation of formal independent testing by supplementing with management self-assessments. The MAR guidance allows management to determine the nature, scope and timing of testing suitable to their environment.

Misconception: A walkthrough alone is sufficient to determine operation effectiveness, and diligent inquiry, for key control testing

Although for IT automated controls, where a walkthrough alone is sufficient, testing a population or a frequency (i.e., daily/monthly/quarterly) requires a formal sample selection, and cannot be determined based on a sample of one. Internal audit/management should reference the American Institute of Certified Public Accountants (AICPA)/Institute of Internal Auditors (IIA) standards to determine appropriate sample sizes.

Misconception: All supporting documentation should be obtained and stored centrally

MAR does not require the insurer to centrally house all supporting documentation; rather the insurer can reference where the documentation can be found (i.e., claims administration system, policy administration system, etc.) From an NAIC state examination efficiency perspective, all supporting documentation should be readily available, specifically documentation related to the last scope year (unless the company plans to give the examination team access to the where documentation is maintained).

Alignment trends

Alignment trends include utilizing risk analytics and materiality scoping to ensure the MAR key areas are appropriate to address identified financial reporting risk. Enhancing an insurer’s alignment with its MAR program can be realized by:

Taking a risk-based, instead of control-based, approach
Revisiting the financial statements to determine materiality through a combination of the following methods:
Utilizing the NAIC’s benchmark (e.g., 5% of surplus for planning materiality)
Applying sub-ledger materiality (i.e., percent of the general ledger account greater than or equal to the dollar amount)
Utilizing management judgment based on qualitative judgment scores, areas of audit weaknesses or strengths, or areas of emerging risks
Aligning the key risks identified to management assertions
Having management (not internal audit) own and attest to the key controls, resulting in the company continuing to remove/add controls based on its changing control environment to ensure the risks are inherently mitigated

Efficiency trends

Management should ensure the appropriate amount of key controls are identified to mitigate the financial reporting risk without being duplicative or not substantially covering the risk. By reducing the number of key controls while still maintaining adequate coverage over the risk, organizations will realize a more efficient MAR process. Additional efficiency trends include:

Rotational auditing and supplementing with management self-assessments for low-risk areas that are on rotation
Conducting periodic control rationalization exercises
Utilizing a Governance Risk and Compliance (GRC) cloud-based software
State examination/NAIC risk matrix approach

Effectiveness trends

Effectiveness trends include:

Reviewing key control and compensating control assessments
Completing a deficiency evaluation for each control failure identified to determine if the control is a material deficiency/weakness
Dashboards to understand the broader impact of the results. Results should be tabulated based on overall function and a trend assessment over time conducted
Utilizing state examination language and building the testing lead sheets to include the risk, management assertion(s), overall inherent risk assessment, control and control testing results

Implementation trends

The aforementioned trends are holistic and can be applied to current and new MAR programs. Some additional trends and best practices apply specifically to the implementation process, including:

Discussing internally, and with the board of directors, management’s planned approach to executing MAR
Performing a high-level assessment of the insurer’s current control state versus the requirements of MAR
Taking time to perform a thorough risk assessment including addressing accounts and assertions
Preparing a comprehensive road map for execution, including resource management
Recruiting or contracting with experienced MAR professions, and delegating an internally dedicated liaison (i.e., MAR champion) to manage the MAR program
Developing a sustainable program for ongoing reliance by either external audit or the state examiners

IT trends

Information technology (IT) is a key component in MAR implementation and testing. There are multiple ways to improve overall efficiency and effectiveness, including:

Efficiency trends/best practices

Taking a risk-based approach and identifying the volume of transactions, the level of automation and any compensating downstream detective controls
Leveraging other assessments completed such as System and Organization Controls (SOC) examinations, Health Information Trust Alliance (HITRUST), International Organization for Standardization (ISO), National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), etc.
Understanding the control framework and identifying areas where controls have already been tested will aid in increasing the overall efficiency of the program

Effectiveness trends

Identifying automated controls within the business process which reduce manual intervention and the potential for human error. (Automated controls generally only require a sample of one to determine operational effectiveness and can increase efficiency of the program overall.)
Obtaining a further understanding of completeness and accuracy including data mapping, when data can be manually input or edited, etc. (i.e., garbage in, garbage out)

Reengineering your processes

MAR can be a significant undertaking for most insurers. Taking action to understand the controls and identifying weaknesses is crucial to ensure the insurer is prepared when the threshold is reached. For insurers that have already reached the threshold and are required to be compliant with MAR, however, reviewing your organization’s process annually to identify efficiencies and ways to improve overall effectiveness will ensure that key risks are addressed and the program is overall cost effective.

Some ways an insurer can improve their organization’s existing program include:
Increasing corporate governance unity and control confidence
Providing and obtaining senior management and audit committee understanding, training, and buy-in to the program
Implementing a MAR steering committee to ensure significant financial reporting areas are addressed
Incorporating functional area certifications to provide to the CEO and CFO prior to certifying to help them gain comfort over their control environment
Increasing organizational unity
Identifying a MAR champion for each functional area; this does not have to be the key process owner
Providing training annually and requesting feedback from the business owners/key personnel of each area to determine if training needs are met
Increasing leverage of departmental testing through self-assessments, ensuring that the process is guided by someone independent of the function
Revisiting the risk assessments and materiality scoping annually to determine that areas under review are appropriate
Consider incorporating a sub-ledger materiality to reduce accounts in scope, including clear explanations for the exclusion
Implementing effective project management including, but not limited to, a MAR calendar of kickoff meetings, testing timeline and deliverables and making all affected parties aware
Conducting rotational auditing which is determined based on the area’s inherent risk assessment
Incorporating MAR testing as part of other planned operational/compliance internal audits to increase efficiency
Increasing the use of technology
Incorporating dashboards and analysis of key controls and deficiencies
Utilizing SharePoint or other workflow functions for signoffs and version control and to create an audit trail
Conducting cost analysis of MAR compliance including opportunity costs, identifying bottlenecks and cost drivers, and replacing with automation, computer assisted audit techniques (CAAT) or a third-party software

By taking small steps to improve your MAR program, your organization will benefit in the long term and be more likely to increase your MAR program’s overall efficiency and effectiveness.

Below you will find the presentation and recording from our recent webinar, Lessons learned through Model Audit Rule implementation. For more information on the subject, and to learn more about our MAR approach, refer to our MAR webpage.

For more information get in contact with our specialists