This article covers the Model Audit Rule (MAR) and its purpose, as well as the trends and common industry misconceptions associated with MAR. For a more in-depth look into MAR, and to learn more about our MAR approach, check out our MAR webpage.
The National Association of Insurance Commissioners' (NAIC) Annual Financial Reporting Model Regulation #205, commonly known as the Model Audit Rule (MAR), requires that insurance companies that exceed certain thresholds of direct and assumed written premiums adopt auditor independence, corporate governance and internal control over financial reporting standards.
It is important to note that although a majority of states have adopted MAR in its entirety based on the NAIC’s recommendations, some have chosen to adopt or modify specific sections. In 2021, the NAIC published a guide to assist MAR compliance by state.
Section 17 Management’s Report of Internal Control over Financial Reporting – Annual Attestation on Internal Control mandates that every insurer having annual, direct-written and assumed premiums of $500 million or more (i.e., the act provides a calculation for life and health entities) shall prepare a report, for the prior calendar year’s year-end, attesting to the insurer’s, or the group of insurers’, internal controls over financial reporting.
The report is to be filed with the state commissioner 60 days after the audited financial report is filed, with a cutoff and requirement to file by Aug. 1. The only exception is the state of New York, which requires the report to be filed by May 31.
The rule provides the insurer with a two-year grace period, which starts Dec. 31 of the year that the threshold is breached, to formalize the company’s internal controls and to prepare for filing management’s report of internal control over financial reporting. For example, if an insurer has breached the $500 million direct written and assumed premium threshold on Dec. 31, 201X, the company would be required to comply by filing management’s assertion regarding the effectiveness of the insurer’s internal control over financial reporting as of Dec. 31, 201X+2, with the filing due by August 201X+3.
New York, however, did not adopt the model audit rule, but instead passed similar requirements through Regulation 118. Regulation 118 does not allow a two-year grace period unless the threshold is breached through a business combination or acquisition. Therefore, according to Regulation 118, compliance and the associated management filing would be required immediately following the year (as of Dec. 31, 201X) in which the premium threshold is breached.
Under section 18, MAR has granted insurers the ability to file with the commissioner for hardship, which will allow the insurer to be exempt from MAR compliance. Hardship is granted under the discretion of the commissioner and is usually approved if it can be determined that the act will cause the insurer financial/organizational hardship.
If an insurer meets the requirements and is not granted a hardship waiver, the MAR requirement mandates that management’s filing be signed by the chief executive officer (CEO) and chief financial officer (CFO), and must include the following key statements:
If your institution is already compliant with the Sarbanes-Oxley Act (SOX), MAR section 16/17 states that if the insurer, group of insurers, or parent company are directly subject to SOX section 404, the insurer may file its, or their parent’s, section 404 SOX report, including an addendum to satisfy the section 16/17 requirement. An insurer, or group of insurers, can take advantage of this as long as their internal controls that have a material impact on the preparation of the audited statutory financial statements were included within the scope of the section 404 SOX report.
A common question insurers have about MAR implementation concerns the amount of testing that is generally required. Section 17D(2) states that management’s assertion regarding the effectiveness of the insurer’s financial reporting controls must be made to the best of their knowledge after diligent inquiry. To define “diligent inquiry,” refer to the Annual Financial Reporting Model Regulation Implementation Guide, which defines it as “conducting a search and thorough review of relevant documents which are reasonably likely to contain significant information with regards to internal control over financial reporting.” (Testing requirements are discussed further below under common misconceptions.)
Additional consideration should be taken regarding section 17D(5), which requires the insurer to identify all material weaknesses in internal control over financial reporting that exist as of the balance sheet date. If the insurer has identified unremediated material weaknesses, the company will be required to disclose the material weaknesses within its required reporting to the commissioner of its domiciled state. Material weaknesses can often be determined by identifying the significance of an internal control failure, and if it is reasonable to conclude that the probability of a material error in future financial statements, which would not be detected by other controls (i.e., compensating controls), ranges from 5% to 10%.
Below are common misconceptions, as they relate to MAR, based on our work with clients and feedback received at industry conferences and events:
Misconception: Materiality and scoping can be completed without regard to risks
Materiality and annual risk assessments should drive the MAR program’s overall scope and plan. Ensuring that a formalized risk assessment is completed annually by obtaining business owner and management input is key to ensuring that internal audit is testing/focusing on the appropriate key areas.
Misconception: All general sub-ledger accounts need to be in scope
This is generally not the case as it largely is impacted by materiality. Areas that are not material can be excluded from the scope to increase efficiency and keep costs down. Performing materiality on a subaccount level will allow the company to focus on subaccounts that drive the overall materiality of the line item on the financials and avoid wasting time on areas that are not material.
Misconception: Entity level controls can be ignored
Entity level controls should be included within the scoping if they materially affect the subsidiary’s (i.e., the insurer’s) audited financial statements. As mentioned above, if the parent is SOX compliant, the insurer can file the SOX 404 report to cover entity level controls and reduce duplication of efforts. Regulators, when conducting their analysis and financial examinations of domiciled insurers, actively consider and assess corporate governance and entity level controls. In addition, the MAR Implementation guide refers to the following as aspects and components of internal control that insurers may want to consider when making the assertions and determining relevant documentary evidence: “The internal control environment including oversight provided by the Audit committee of the Board of Directors. Insurers may want to consider how they can demonstrate “Tone at the Top.” The insurer’s compliance programs, code of conduct and the processes for reporting policy exceptions and overrides of controls may also be appropriate to consider.” The previous example is a clear outline of consideration of entity level controls.
Misconception: Management cannot elect their own framework
MAR does not mandate a specific framework for management’s review and evaluation of internal controls. SEC registrants typically (but are not required to) use the COSO Internal Control-Integrated Framework in assessing the effectiveness of internal control over financial reporting. Management should assess and select an appropriate framework or approach based upon its business risks and objectives.
Misconception: IT systems are not significant unless they relate to the general ledger
IT systems including the general ledger system, policy and claims administration systems, as well as data warehouses and overall network, should be included within scope as it all relates to data integrity. Remember the term “garbage in, garbage out.” If IT systems are not appropriately coded or mapped, the data being extracted will be inaccurate and lead to misstated financial statements.
Misconception: All key controls should be independently tested annually
In order to remain efficient and cost effective, insurers can consider rotation of formal independent testing by supplementing with management self-assessments. The MAR guidance allows management to determine the nature, scope and timing of testing suitable to their environment.
Misconception: A walkthrough alone is sufficient to determine operation effectiveness, and diligent inquiry, for key control testing
Although a walkthrough alone is sufficient for IT automated controls, testing a population or a frequency (i.e., daily/monthly/quarterly) requires a formal sample selection, and cannot be determined based on a sample of one. Internal audit/management should reference the American Institute of Certified Public Accountants (AICPA)/Institute of Internal Auditors (IIA) standards to determine appropriate sample sizes.
Misconception: All supporting documentation should be obtained and stored centrally
MAR does not require the insurer to centrally house all supporting documentation; rather, the insurer can reference where the documentation can be found (i.e., claims administration system, policy administration system, etc.). From an NAIC state examination efficiency perspective, all supporting documentation should be readily available, specifically documentation related to the last scope year (unless the company plans to give the examination team access to where the documentation is maintained).
Insurers in the process of implementing, or that have implemented, MAR programs are consistently revitalizing processes to better increase alignment, effectiveness and efficiency, and thus the following trends have emerged:
Alignment trends include utilizing risk analytics and materiality scoping to ensure the MAR key areas are appropriate to address identified financial reporting risk. Enhancing an insurer’s alignment with its MAR program can be realized by:
Management should ensure the appropriate number of key controls are identified to mitigate the financial reporting risk without being duplicative or leaving the risk substantially uncovered. By reducing the number of key controls while still maintaining adequate coverage over the risk, organizations will realize a more efficient MAR process. Additional efficiency trends include:
Effectiveness trends include:
The aforementioned trends are holistic and can be applied to current and new MAR programs. Some additional trends and best practices apply specifically to the implementation process, including:
Information technology (IT) is a key component in MAR implementation and testing. There are multiple ways to improve overall efficiency and effectiveness, including:
Efficiency trends/best practices
Effectiveness trends
MAR can be a significant undertaking for most insurers. Taking action to understand the controls and identifying weaknesses is crucial to ensure the insurer is prepared when the threshold is reached. For insurers that have already reached the threshold and are required to be compliant with MAR, however, reviewing your organization’s process annually to identify efficiencies and ways to improve overall effectiveness will ensure that key risks are addressed and the program is overall cost effective.
By taking small steps to improve your MAR program, your organization will benefit in the long term and be more likely to increase your MAR program’s overall efficiency and effectiveness.