As Deadline Approaches, Insurers Face Sarbanes-Oxley Test Time
Insurers are facing a steep learning curve–with plenty of deficiency reports–as they test their compliance systems for the Sarbanes-Oxley Act of 2002, often referred to as SOX. At KPMG’s insurance conference in New York, industry professionals said that a key to ensuring success when testing an internal control system is preparing an insurance company’s management and audit committees for problems.
“You need to manage expectations, and if you haven’t done it yet, you need to,” said Brian Reilly, senior vice president and chief auditor for St. Paul Travelers.
Under SOX, publicly held companies need to document their internal controls. The documentation requirements are often referred to as “Section 404 Requirements” for the corresponding part of the legislation. Many public companies are already testing their 404 systems, putting back-office functions associated with documentation through their paces in order to meet a January 2005 deadline.
If an insurance company’s internal control system encounters an issue that does not meet SOX criteria, the insurer creates a deficiency report. The Public Company Accounting Oversight Board divides reports into three categories: control deficiencies, significant deficiencies, and material weaknesses. Only material weaknesses must be disclosed, but numerous other deficiencies can add up to a reportable material weakness.
For example, a company may conduct a cradle-to-grave test that reviews documents (such as vendor invoices) to ensure the documents show up in a company’s financial statement. If the invoice is not included, the insurer creates a deficiency report. As insurers test systems, it’s inevitable that they’ll come across problems, Reilly said. But that should be considered part of the process and not a systemic failure–a fact that management needs to impart to boards and management committees.
“Not that [deficiencies are] acceptable or good, but it really should come as no surprise,” he said.
But once a deficiency is reported, everyone needs to get involved.
“It’s important to communicate to the audit committee that the barrier for deficiencies is very low,” said Jeremiah Downing, vice president of Platinum Underwriters Re. What is a reportable deficiency today would not have been prior to 2002.
“At the same time, the project team needs to adequately track [deficiency] issues and management needs to take ownership of deficiencies and their remediation,” Downing said.
It’s also necessary to keep the lines of communication open among everyone responsible for 404 compliance, including management, internal audit, and board members, said Michael Hession, vice president of The Hartford. He agreed with other speakers that getting “buy-in” from everyone involved makes it easier to quickly correct internal control issues and battle apathy.
“When we set out, we knew we would find deficiencies,” Hession said. “But we want [management] to be very aggressive about this … especially in gray areas.”
Beyond deficiencies, many insurance executives are finding that 404 system testing is a full-time job that requires money and manpower, especially when it comes to IT systems. And that means involving the company’s chief information officer to assist with the process.
“It has been a challenge for the IT organization to track [the testing process],” St. Paul Travelers’ Reilly said. “There is a lot of ground to cover to validate management controls.”
A survey of insurance executives at the conference emphasized the time and effort needed to implement and test SOX requirements. The survey showed that 83 percent felt SOX was the most important legislation having an impact on the insurance business in 2004, compared to 58 percent last year. Additionally, 12 percent of survey respondents said technology was the most important issue having an impact on profitability, compared to just three percent in 2003. “This points to the technology effort that is being focused on 404 this year,” said Fred Donner, partner and National Insurance Industry Leader for KPMG.
And although most U.S. public companies are preparing for SOX compliance by the start of 2005, the testing and effort that executives are doing now may well reveal bigger issues. “We really still have a lot to learn how Corporate America will respond to these requirements,” said Robert Lipstein, national partner in charge of SOX 404 Services with KPMG.