Risk-Focused Examinations

Transcription

1

2 Risk-Focused Examinations Session 704 IASA 86 TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW

3 Understanding the Examination Process In order to be able to maximize examination efficiency and have examiners fully leverage work being done by your company, it is important to understand the risk-focused examination process and requirements.

4 Risk-Focused Examinations Presentation areas of focus: 1. How to prepare for an examination 2. Overview of the risk-focused examination process 3. What s new in examinations 4. Observations from recent examinations 5. Q&A

5 Risk-Focused Examinations Presentation areas of focus: 1. How to best prepare for an examination 2. Overview of the risk-focused examination process 3. What s new in examinations 4. Observations from recent examinations 5. Q&A

6 How to Prepare I received an examination notice, now what?

7 Preparing for the Examination Understand the process (second part of presentation) Factors to consider in preparing for an examination: Timing Physical Space Personnel Identification IT Considerations Information Transfer Tracking of Open Items and requests Auditor Involvement (CPA/Internal) C-Suite Interviews

8 Timing Frequency and scope of examinations Establish an understanding of the timing of the examination (start date, milestones (exhibit completion deadlines), anticipated end date, and deadlines). Discuss on-site vs. off-site examination work and timing of each Consider the impact of the risk-focused change on examination timing Risk assessment historically part of planning Now extends through all seven phases (more management involvement) Examination Coordination considerations Use of Experts Timing of C-level interviews Timing of CPA involvement Communication of company constraints (reporting deadlines)

9 Physical Space In order to prepare physical space for the exam team, communication about the space that will be needed and the number of examiners should be discussed before the start of the exam.

10 Personnel Identification Identify who will be involved Company personnel and responsibilities relating to the exam Examination personnel and responsibilities Create a contact list Off-site Considerations Other personnel involved

11 IT Considerations IT Connections What are the examiner requirements Method of information exchange Electronic work-paper considerations IT Security Protect data and confidentiality of information Handbook discussion of confidentiality Confidentiality The risk-focused surveillance approach contained within this Handbook will require examiners to incorporate new tools to document their examination approach and to increase the extent of communication with their department analysts as well other regulators. Similar to other documentation completed in accordance with a financial condition examination, these tools are considered examination work papers and thus considered confidential under state law, including the state s examination law. In addition, sensitive documents of the insurer that are used in the risk assessment process, such as internal audit reports, will be examination work papers and protected under the confidentiality standards set forth in the NAIC Model Law on Examinations. Furthermore, the enhanced communication between state insurance department examiners and analysts and the sharing of information to other state insurance departments shall not impact the confidential status of these work papers. As with the communication of other confidential information, examination work papers may be shared with other regulators whose state insurance department has authority under state law to preserve the confidentiality of the information they receive and maintain.

12 Transfer of Information / Tracking of Outstanding Items The insurer and regulator should have a system for the transfer of information and the tracking of outstanding items to avoid duplicate requests. Regular status meetings Dashboard reporting of status

13 CPA Work Papers Auditor Work-papers: Initiate a meeting and discussion between exam team and CPA Work-papers for years under examination Current year focus Prior year work paper applicability Current year not yet available Rotational testing of controls Prior year remediated issues Lead time for requests Follow-up meetings Auditor and examiner should have a discussion prior to finalization of exam and audit

14 Internal Audit The examiner will need to evaluate the internal audit process for reliance If CPAs rely on the Internal Audit function, this process may be shortcut by having CPAs discuss their evaluation/reliance with examiners Information needed by examiners Internal audit function overview Reporting lines Audit plans Audit results

15 Preparing for Interviews Interviews will likely take place with: Board of Directors Audit Committee Senior Management Educate board members on the examination process: Explain why interviews are occurring Provide Exhibit Y for typical questions asked Fiduciary duties of board members Examination authority laws STAT and GAAP accounting basis's Mission of Examiner s (protect promises made to policyholder) Scope of exam includes long-term strategies and prospective risks Ask Examiners to prepare an agenda and discussion topics

16 Risk-Focused Examinations Presentation areas of focus: 1. How to best prepare for an examination 2. Overview of the risk-focused examination process 3. What s new in examinations 4. Observations from recent examinations 5. Q&A

17 Traditional and Risk-Focused Approach Comparison Traditional Risk-Focused Details Checklists Symptoms Reporting Findings Transaction Testing Task Oriented Static Reviews Current Issues Big Picture/Top Down Priorities (Risk Focus) Cause Make Recommendations Process/Control Review Results-Oriented Ongoing Monitoring Emerging/Prospective Issues

18 Risk-Focused Exam in a Nutshell The risk-focused exam procedures are designed to allow examiners to: Develop an understanding of the insurer s key functional activities and the risks associated with those activities Evaluate the effectiveness of the risk mitigation strategies and controls Solvency issues generally result from business risks that were not mitigated to an acceptable level by company controls. Inadequately controlled operating risks may take several years to be reflected in the company s financial statements.

19 Risk Focused Exam Process Phase 1 Phase 2 Phase 3 Phase 4 Understand the Company and Identify Key Functional Activities to be Reviewed Identify and Assess Inherent Risk in Activities Identify and Evaluate Risk Mitigation Strategies/Controls Determine Residual Risk Procedures within the Planning Process- where management can have the most impact Phase 5 Establish/Conclude Examination Procedures Phase 6 Update Prioritization and Supervisory Plan Phase 7 Draft Examination Report and Management Letter based upon Findings 19

20 RISK-FOCUSED EXAMINATIONS PHASE 1 Understanding the Company and Key Functional Areas

21 Phase 1: Understand the Company Understanding the Company Understanding the Corporate Governance Structure Assessing the Adequacy of the Audit Function Identifying Key Functional Activities Consideration of Prospective Risks for Indication of Solvency Concerns 21

22 Phase 1 Understanding the Company Sample Risk Assessment Catalog Process Review Prior Examination Other sources (news, current events) Review Prior External Audit Regulatory Concerns Combined Risk Catalog Review Internal Audits Handbook Considerations Review SOX Meet with Key Members of Management Review self assessments

23 Phase 1 Corporate Governance Structure Components of effective corporate governance programs include: 1. Competency 2. Independent and adequate involvement 3. Communication 4. Code of conduct 5. Strategic and financial objectives 6. Business planning 7. Reliable risk management 8. Sound principals of conduct 9. Independence 10. Objective and independent reporting 11. Sarbanes-Oxley provisions 12. Board oversight Exhibit M Understanding Corporate Governance Structure 23

24 Phase 1 Management Preparation What can management do to prepare? Understand the examination process understand the goals and the procedures used to achieve those goals Consider the information that examiners will be looking at in advance of the examination process Ensure processes and corporate governance are documented Starting the Process Be Proactive (consider process prior to exam) Phase 1 is often where management can be most involved Arrange regular meetings (internally and with examiners) Ask examiners to prepare formal request lists Have an overview meeting to tell about the company and set the stage 24

25 Phase 1 Management Preparation Exhibits and Questionnaires Obtain and complete exhibits as early in process as possible Don t skimp on answers use memos and attachments as necessary Exhibit B Planning questionnaire The questionnaire responses should be considered when identifying the inherent risks of the insurer. They should also impact the planned examination approach, and the nature, timing and extent of examination procedures performed The more complete the questionnaire, the less work examiners need to do Plan ahead - document processes as they are being done Exhibit C Evaluation of controls in information technology Work program examples of common risks, controls, example requests, tests procedures Use as a guide to what examiners are looking for

26 Management Preparation Importance of Interviews Exhibit Y Examination Interviews It is critical for the examination team to understand and leverage the company s risk management program; i.e. how the company identifies, controls, monitors, evaluates and responds to its risks.an examiner can perform alternate, additional or fewer detail and control tests as a result of interviews with the company. Make sure examiners have an overall understanding of the company before conducting high level interviews Get an agenda in advance of the meeting Exhibit Y has sample questions Provide management s view of governance and control structure (Top down approach).

27 Phase 1 Assess the Audit Function External auditors Provide an understanding of control structure to examiners CPA s risk assessment is a starting point for examiners Compliance/control testing and substantive procedures reviewed for possible reliance Should be complementary to exam process Examiner must consider quality, adequacy and results of auditors work Internal audit - Must be independent, objective and perform quality audits Provides insight into risk identification and control structure Financial Operational Compliance IT Should be complementary to external audit Examiner must understand IA s role in internal control structure Examiner must understand qualifications and independence New Corporate Governance Requirement 27

28 Phase 1 Audit Function - Management Facilitation Management Facilitation Discuss expected cooperation with external auditors Facilitate meetings Prepare required authorization letters Ensure availability of auditor work-papers Understand the required information (Exhibit E) Document role and structure of internal audit Provide a list of internal audit activities 28

29 Phase 1 Identify Key Functional Activities Corporate Governance Assessment (step 2) Information Obtained (step 1) Audit Assessment (step 3) Consideration is given to qualitative and quantitative measures Key Functional Activities & Prospective Risks 13

30 Phase 1 Key Activities and Prospective Risk Management Facilitation Discuss key activities with examiners Ensure activities match actual business Match key activities with those identified by the company Understand the company s prospective risks Asset/liability matching Loss reserve development methods Pricing and underwriting Reinsurance Growth, M&A activity Liquidity of assets Other business risks

31 RISK-FOCUSED EXAMINATIONS PHASE 2 Identify and Assess Inherent Risk

32 Phase 2 Identify and Assess Inherent Risk Step 1: Identifying the Risk Step 2: Identifying the Type of Risk Step 3: Assessing the Inherent Risk Exhibit J - Risk Assessment Worksheets Exhibit K - Risk Assessment Matrix Exhibit L Branded Risk Classifications Repositories Common risks, control best practices, test of controls, sample testing 32

33 Phase 2 Step 1: Identifying the Risk Key activities and sub-activities identified in Phase 1 are the building blocks for identifying inherent risk. Risks Other than Financial Reporting Financial Reporting Risks Ask the question What can go wrong? for each of the key activities. Repositories included in handbook 33

34 Phase 2 Step 2: Identifying the Type of Risk Branded Risk Classifications: Credit Market Pricing/underwriting Reserving Liquidity Operational Legal Strategic Reputational 34

35 Critical Risk Why Critical Risk? How will this change the exam process? Flexibility Removal of Tolerable Error As of 12/31/13 Schedule DD- Critical risk 10 areas that represent significant threats to a company s overall solvency position. Used for accreditation as of 12/31/13

36 Critical Risk Valuation/ Impairment of Complex or Subjectively Valued Invested Assets Liquidity Considerations Appropriateness/ Adequacy of Reinsurance Program Reinsurance Reporting and Collectability Underwriting and Pricing Strategy/Quality Reserve Data Reserve Adequacy Related Party/Holding Company Considerations Capital Management

37 RISK-FOCUSED EXAMINATIONS PHASE 3 Identify and Evaluate Risk Mitigation Strategies and Controls

38 Phase 3 Strategy/Control Assessment Step 1: Identify Risk Mitigation Strategies/Controls Step 2: Evaluate Risk Mitigation Strategies/Controls Step 3: Consideration of Small/Medium-Size Insurers Step 4: Examiner Use of Sarbanes-Oxley Documentation 38

39 Phase 3 Step 1: Identify Risk Mitigation Controls The insurer s control risk should be assessed by determining how well the risk mitigation strategies/controls offset the inherent risks identified Leverage off work of external and internal audit and company self-assessments (e.g. SOX) 39

40 Phase 3 Step 2: Evaluate Risk Mitigation Controls Controls over Financial Reporting Risks tested to ensure: Operating as expected Applied consistently throughout the entire period of reliance Performed on a timely basis Encompassing all transactions Identifying errors Reliance on External Auditors Reliance on Controls Testing Performed in Prior Years 40

41 Phase 3 Step 2: Evaluate Risk Mitigation Controls Risk Mitigation Strategies/Controls Ratings The Risk Mitigation Strategy/Control Assessment ratings to be indicated in the Risk Assessment Matrix are: Strong Risk Management Moderate Risk Management Weak Risk Management 41

42 Phase 3 Management Considerations Control structure and mitigating controls have a significant impact on the level of work performed during the examination Designing and self evaluating controls is cost effective from an audit and examination perspective. Ensure examiners fully understand control structure and testing done by external auditors, internal auditors, Sox testing

43 RISK-FOCUSED EXAMINATIONS PHASES 4-7

44 Phases 4 & 5 Phase 4 Determination of residual risk Combination of inherent risk and control risk Also allows for examiner judgmental risk Extent of testing in Phase 5 is determinant on residual risk High Detail procedures required Moderate Fewer detailed procedures, more analytical Low Limited or no detail procedures performed, may be limited to analytical Phase 5 Detailed Examination Procedures Testing should focus on risk areas May also include state-specific procedures

45 Phases 6 & 7 Phase 6 Update prioritization and supervisory plan Examiners use material findings and risk assessment to update ongoing supervisory plan for the insurer Management involvement - None Phase 7 Draft examination report and management letter Management involvement: Ensure exam report is accurate and does not disclose confidential information Draft management letter responses, take credit for controls already instituted

46 Risk-Focused Examinations Presentation areas of focus: 1. How to best prepare for an examination 2. Overview of the risk-focused examination process 3. What s new in examinations 3. Observations from recent examinations 4. Q&A

47 What s New in Examinations Form F Enterprise Risk Report ORSA Summary Report ORSA exam/ analysis procedures exposed for comment under the Risk-Focused Surveillance (E) Working Group Exhibit DD Critical Risk 10 Critical Risk Categories Tolerable error (TE)removal- 12/31/2013 Exhibit DD- Accreditation requirement as of 12/31/2013

48 Recent Examination Guidance Changes Exhibit V Prospective Risk Assessment Examiners should corroborate assertions that management has made regarding identified risks and their mitigation Examiners should identify follow-up procedures for analysts Examples provided for completing exhibit Exhibit- E- Internal/ External Audit Corporate Governance

49 Risk-Focused Examinations Presentation areas of focus: 1. How to best prepare for an examination 2. Overview of the risk-focused examination process 3. What s new in examinations 3. Observations from recent examinations 4. Q&A

50 Risk-Focused Exams Observations Sound practices Schedule regular face-to-face meetings between insurer, examiner and analysts Provide forms (planning questionnaire, IT planning questionnaire and preliminary company request as early as practical Consider constraints on company personnel when establishing request due dates Interviews: Review Annual statement, prior year reports, AM Best report, news reports and inquiry of analyst to obtain basic insurer understanding before conducting interviews Provide topical agenda as a guide for discussion Give adequate advance notice (30 days)

51 Risk-Focused Exams Observations Interviews cont d C-Level interviews should be performed in Phase 1 to gain a better understanding of the company and its significant risks Using work of others (CPA, IA) Issues in obtaining work of others should be communicated promptly Deficiencies noted in work of others that limits usefulness for exam purposes should be communicated to allow company to correct deficiencies in future exams Control identification Discuss perceived missing controls with company before documenting control weaknesses Leverage information from prior examinations

52 Risk-Focused Examinations Presentation areas of focus: 1. How to best prepare for an examination 2. Overview of the risk-focused examination process 3. Observations from recent examinations 4. Q&A

53 Contact Information Sherry Cyranna L. Flippo, CPA, FLMI Financial Program Manager 1100 Walnut Street, Suite 1500 Kansas City, MO Dianne Batistoni, CPA, CFE Partner, Insurance Services 111 Wood Ave South, Iselin, NJ

54 Please Complete the Session Evaluation Form on the Conference App and Include Your Conference Registration ID# to be Included in a Drawing for a Free Conference Registration for the 2015 Annual Conference! NOTE: Your Conference Registration ID# is Located at the Bottom Left Hand Corner of Your Badge. IASA 86 TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW