Casualty Loss Reserve Seminar General Session II September 9, 2003 Section 302/404 of Sarbanes-Oxley Act What Actuaries Need to Know Jan A. Lommele, FCAS, MAAA, FCA

2 Overview of the Act (and the Related SEC Rules) Became law July 30, 2002 Became law July 30, 2002 Key features: Key features: Established an independent, full-time Public Company Accounting and Oversight Board (PCAOB) to establish auditing standards and to regulate the independent auditors for all SEC registrants Established an independent, full-time Public Company Accounting and Oversight Board (PCAOB) to establish auditing standards and to regulate the independent auditors for all SEC registrants Set forth specific auditor independence requirements Set forth specific auditor independence requirements Specified corporate responsibility including: Specified corporate responsibility including: Management's responsibility for financial reporting and internal controls and Management's responsibility for financial reporting and internal controls and Audit committee standards and requirements Audit committee standards and requirements Enacted new rules relevant to attorneys, securities analysts and brokers/dealers Enacted new rules relevant to attorneys, securities analysts and brokers/dealers Established corporate and criminal penalties Established corporate and criminal penalties

3 Objectives of Internal Control Requirements Restore public trust and confidence in the public securities markets Restore public trust and confidence in the public securities markets Improve corporate governance and promote ethical business practices Improve corporate governance and promote ethical business practices Enhance transparency and completeness of financial statements and disclosures Enhance transparency and completeness of financial statements and disclosures Ensure that company executives are aware of material information emanating from a well- controlled environment Ensure that company executives are aware of material information emanating from a well- controlled environment Hold company management accountable for material information that is filed with the SEC and released to investors Hold company management accountable for material information that is filed with the SEC and released to investors Achieve new levels of corporate excellence Achieve new levels of corporate excellence

4 Overview of Internal Control Requirements Section 302 (Evaluation and Certification) CEO and CFO to certify quarterly and annually: CEO and CFO to certify quarterly and annually: – Financial information contains no untrue statements and is fairly presented in all material respects – Effectiveness of their disclosure controls and procedures – Disclosed certain changes in internal controls over financial reporting Became effective in 2002 (amended in June 2003) Became effective in 2002 (amended in June 2003)

5 Definition of Disclosure Controls and Procedures Designed to ensure that required disclosed information is recorded, processed, summarized, and reported within the time periods specified by the SEC Designed to ensure that required disclosed information is recorded, processed, summarized, and reported within the time periods specified by the SEC Includes controls and procedures to help ensure that information is accumulated and communicated to executive management to allow timely decisions regarding required disclosure Includes controls and procedures to help ensure that information is accumulated and communicated to executive management to allow timely decisions regarding required disclosure

6 Definition of Internal Control over Financial Reporting A process designed by, or under the supervision of, the registrant’s principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant’s board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes: Maintenance of records in reasonable detail Maintenance of records in reasonable detail Proper recording and authorization of transactions Proper recording and authorization of transactions Safeguarding of assets Safeguarding of assets

7 Disclosure Controls vs. Financial Reporting Controls Company Notes Cash Flow Income Statement Balance Sheet Financial Statements Internal Controls Over Financial Reporting Financial Statements Business Properties Legal Proceedings Annual Report on Form 10-K Disclosure Controls Procedures

8 Overview of Internal Control Requirements Section 302 (Evaluation and Certification) CEO and CFO to certify quarterly and annually: CEO and CFO to certify quarterly and annually: – Financial information contains no untrue statements and is fairly presented in all material respects – Effectiveness of their disclosure controls and procedures – Disclosed certain changes in internal controls over financial reporting Became effective in 2002 (amended in June 2003) Became effective in 2002 (amended in June 2003) Section 404 (Assessment and Report) CEO and CFO to include certain statements and conclusions relating to internal control over financial reporting in their annual report Effective for annual periods ending after June 15, 2004 (small business and foreign filers April 15, 2005).

9 Management’s Report under 404 The following must be included: The following must be included: Management is responsible for establishing and maintaining effective internal controls over financial reporting Management is responsible for establishing and maintaining effective internal controls over financial reporting The internal control framework used by management to evaluate internal controls over financial reporting (e.g. COSO) The internal control framework used by management to evaluate internal controls over financial reporting (e.g. COSO) Management’s assessment of internal controls over financial reporting at the date of its assertion Management’s assessment of internal controls over financial reporting at the date of its assertion Identification of any material weaknesses at the date of the assertion Identification of any material weaknesses at the date of the assertion A statement that the registered public accounting firm that audited the company's financial statements has issued an attestation report on management's assessment of the company's internal control over financial reporting A statement that the registered public accounting firm that audited the company's financial statements has issued an attestation report on management's assessment of the company's internal control over financial reporting

10 What is COSO What is COSO The control conscience of an organization. The “tone at the top” The evaluation of internal and external factors that impact an organization’s performance The policies and procedures that help ensure that actions identified to manage risk are executed and timely The process which ensures that relevant information is identified and communicated in a timely manner The process to determine whether internal control is adequately designed, executed, effective and adaptive

11 404: Key Provisions Assessment must be based on procedures sufficient to both: Assessment must be based on procedures sufficient to both: Evaluate the effectiveness of the design of internal control over financial reporting Evaluate the effectiveness of the design of internal control over financial reporting Test and document their operating effectiveness Test and document their operating effectiveness Must have evidential matter, including documentation, to provide reasonable support Must have evidential matter, including documentation, to provide reasonable support Management cannot state that internal controls over financial reporting are effective if a material weakness exists at the date of its assertion Management cannot state that internal controls over financial reporting are effective if a material weakness exists at the date of its assertion

12 404: Key Provisions as Set Forth in the Act Management is responsible for documenting and evaluating internal control over financial reporting in order to make the required certifications Management is responsible for documenting and evaluating internal control over financial reporting in order to make the required certifications Auditors cannot perform management functions without impairing independence Auditors cannot perform management functions without impairing independence Auditors can advise and assist management as management documents its internal controls over financial reporting; however, management has to be actively engaged in all aspects Auditors can advise and assist management as management documents its internal controls over financial reporting; however, management has to be actively engaged in all aspects

13 Understanding Control Deficiencies Control deficiency is a flaw in the design, implementation, and/or operating effectiveness of a control activity that could adversely affect the company’s ability to initiate, record, process, summarize, and report accurate financial and nonfinancial data. Control deficiency is a flaw in the design, implementation, and/or operating effectiveness of a control activity that could adversely affect the company’s ability to initiate, record, process, summarize, and report accurate financial and nonfinancial data. Significant deficiency is an internal control deficiency in a significant control or an aggregation of such deficiencies that could result in a misstatement of the financial statements that is more than inconsequential. Significant deficiency is an internal control deficiency in a significant control or an aggregation of such deficiencies that could result in a misstatement of the financial statements that is more than inconsequential. Material weakness is a significant deficiency or aggregation of deficiencies that precludes the internal control from providing reasonable assurance that material misstatements will be prevented or detected on a timely basis by employees in the normal course of performing their assigned functions. Material weakness is a significant deficiency or aggregation of deficiencies that precludes the internal control from providing reasonable assurance that material misstatements will be prevented or detected on a timely basis by employees in the normal course of performing their assigned functions.

14 COSO- Process Level for Risk Assessment and Control Activity Identify the significant processes and related IT systems; e.g. loss reserve process Identify the significant processes and related IT systems; e.g. loss reserve process Evaluate the effectiveness of the design of internal control by: Evaluate the effectiveness of the design of internal control by: Documenting the process; e.g. flowcharts, narratives Documenting the process; e.g. flowcharts, narratives Identifying the relevant objectives; e.g. valuation of loss reserves Identifying the relevant objectives; e.g. valuation of loss reserves Identifying the key risks that may impair meeting the objective; e.g. historical claim data is not accurate Identifying the key risks that may impair meeting the objective; e.g. historical claim data is not accurate Developing a response (control activity) to mitigate the risk; e.g. controls over the input and maintenance of actual claims Developing a response (control activity) to mitigate the risk; e.g. controls over the input and maintenance of actual claims

15 COSO- Process Level Obtain evidence that the controls are in fact operating effectively: Obtain evidence that the controls are in fact operating effectively: Self-assessment Self-assessment Internal Audit Internal Audit Identify any control gaps or operating deficiencies Identify any control gaps or operating deficiencies Aggregate for consideration under 302/404 Aggregate for consideration under 302/404 Remediate Remediate

16 Examples of Loss Reserve Internal Controls Data flows from the financial system to the loss reserve system Data flows from the financial system to the loss reserve system Estimation processes underlying the loss reserve methods Estimation processes underlying the loss reserve methods Timing of and responsibility for the reviews Timing of and responsibility for the reviews Balancing company actuarial loss reserves, and other reserves (e.g., pools) to the financial reports Balancing company actuarial loss reserves, and other reserves (e.g., pools) to the financial reports jeff getz (Open): jan, I am not the insurance expert but this might list the typical processes/sub- processes that an actuary may be involved in as it relates to IC I think this needs some refining. jeff getz (Open): jan, I am not the insurance expert but this might list the typical processes/sub- processes that an actuary may be involved in as it relates to IC I think this needs some refining.

17 Management’s Assessment Should include, but is not limited to: Controls over initiating, recording, processing, and reconciling account balances, classes of transactions, and disclosure and related assertions Controls over initiating, recording, processing, and reconciling account balances, classes of transactions, and disclosure and related assertions Controls related to the initiation and processing of non-routine and non-systematic transactions Controls related to the initiation and processing of non-routine and non-systematic transactions Controls related to the selection and application of appropriate accounting policies Controls related to the selection and application of appropriate accounting policies Controls related to the prevention, identification, and detection of fraud Controls related to the prevention, identification, and detection of fraud

18 Evidential Matter Management should have reasonable support: Management should have reasonable support: For the evaluation of whether the control is designed to prevent or detect material misstatement or omissions For the evaluation of whether the control is designed to prevent or detect material misstatement or omissions For the conclusion that the tests were appropriately planned and performed For the conclusion that the tests were appropriately planned and performed That the results of the tests were appropriately considered That the results of the tests were appropriately considered Management will also be required to provide adequate support for their assessment to enable the auditor to perform their attestation procedures Management will also be required to provide adequate support for their assessment to enable the auditor to perform their attestation procedures

19 Controls Documentation Documentation to support management’s assessment may take various forms: policy manuals, accounting manuals, narrative memoranda, flow charts, decision tables, procedural write-ups, or completed questionnaires. The extent of documentation is expected to vary depending on the size and complexity of the entity Documentation to support management’s assessment may take various forms: policy manuals, accounting manuals, narrative memoranda, flow charts, decision tables, procedural write-ups, or completed questionnaires. The extent of documentation is expected to vary depending on the size and complexity of the entity

20 Group Discussion You’re on a 404 Implementation Team for Loss Reserves You’re on a 404 Implementation Team for Loss Reserves Possible considerations from the company perspective? Possible considerations from the company perspective?