Examining the Model Audit Rule

Jackie Gilbert


June 1, 2010

On New Year's Day, many insurance companies found themselves face-to-face with a new challenge: the revised Model Audit Rule (MAR). Officially known as the Annual Financial Reporting Model Regulation, MAR now requires nonpublic insurers to comply with stringent regulatory provisions, increase transparency and improve corporate governance.

At its essence, the revised MAR is the rough equivalent of Sarbanes-Oxley (SOX) for private insurers, containing many of the same auditing and reporting requirements. Corporate governance and financial accountability will similarly be scrutinized. CEOs and CFOs will be required to sign off on financial statements. Noncompliant companies can face significant penalties and regulators even have the ability to take over insurance entities if needed.

But despite their similarities, the two regulations are not equivalent. SOX applies only to publicly held companies, whereas MAR applies to all U.S.-domiciled insurance companies with direct and assumed premiums greater than $500 million. SOX requires the CEO and CFO to certify the adequacy of internal controls over financial reporting (ICFR) in quarterly and annual SEC filings while MAR only requires certification in annual reports. SOX also requires that a company's external auditor attest to and report on management's evaluation of ICFR, but MAR has no such external attestation requirement.

For those who lived through SOX, however, ICFR is familiar territory. Section 404 of SOX requires organizations to assess and test the effectiveness of internal controls on an ongoing basis, and MAR now imposes essentially the same requirement minus the need for an external auditor's attestation.

Because IT supports the processing and reporting of financial transactions, tech controls are a significant part of ICFR. Companies must verify the adequacy of internal controls, including the processing of financial transactions, the preparation of financial reports and the protection of the financial information (since it is stored in various locations throughout the company, including systems, applications and databases).

MAR's new requirements will also require companies to find ways to achieve compliance while managing costs-a difficult proposition, as many subjected to SOX learned the hard way five years ago. Avoiding the following pitfalls is a good start.

Being Reactive
One of the most common mistakes made to meet SOX requirements was treating compliance as a one-time event to pass an audit. Compliance efforts are undermined by focusing solely on meeting an auditor's checklist. A more sustainable approach requires strong internal controls on an ongoing basis.

Missing the Big Picture
Similarly, many companies approached SOX compliance in a piecemeal manner-application by application. This disconnected strategy led to incomplete reporting and ineffective oversight. Having a centralized view creates better decision-making and transparency.

Relying on Manual Processes
For many, the initial rush to comply with SOX was very labor-intensive-in other words, companies just threw people at the problem. Taking an automated approach saves time and money by building predictability and repeatability into compliance tasks. Most importantly, building an automated process gives organizations a method for responding now and in the future.

Failing to Collaborate
Managing compliance is a complex process that requires cooperation. Representatives from finance, legal, business units, HR and IT each play a role. Implementing a strategy that breaks down the barriers between groups can eliminate the blind spots, redundancy and reactive decision-making caused by silos.

Failing to Prioritize
Many companies skipped a crucial step in SOX compliance: risk assessment. Without a way to define or measure risk, they had no way to focus controls and fell into the trap of overcompensating. They were defining too many controls and applying them across the board. Taking a risk-based approach helps prioritize internal controls and audits. As such, it creates a way to reduce compliance costs and the burden on IT staff-something every company can get behind.
Jackie Gilbert is vice president of product and marketing, and a co-founder of the Austin, Texas-based, software solutions provider SailPoint.