Model Audit Rule 205 Explained

The Model Audit Rule 205, Model Audit Rule, or MAR 205 are the commonly applied terms for the Annual Financial Reporting Model Regulation.[1] Model Audit Rule is a financial reporting regulation applicable to insurance companies, and borrows significantly from the Sarbanes Oxley Act of 2002 (see ‘key sections’ below). The Model Audit Rule is co-developed by the American Institute of Certified Public Accountants (“AICPA”) and National Association of Insurance Commissioners (“NAIC”) and issued by NAIC [2] with revisions in 2006 and has taken effect in 2010.[3]

The NAIC internal designation for the Annual Financial Reporting Model Regulation is MDL 205, where MDL stands for Model, and the number of the model rule is 205.[4] Because the regulation was issued by NAIC, which is not a federal agency with direct regulatory power, its adoption is on a state-by-state basis.[5]

Purpose

The Model Audit Rule was issued to:

The Model Audit Rule requires the following to be submitted by insurance companies operating in states which have adopted the regulation:

Key Sections

Section 4 – Financial Report Filing Requirements

All insurers must have an annual audit by an independent CPA. This audit must be filed by June 1 following the preceding December 31 year end. An insurer may receive an extension for both the Audit report (performed by an independent CPA) and Managements report on internal controls. Here, the term Management refers to the management of the insurer.

For example, filing for the year ending December 31, 2012 must be done by June 1, 2013.

Section 5 – Financial Report Contents

The annual audited financial report should show the financial position, results of its operations, cash flows and changes in capital and surplus. The insurers report must be in conformity with statutory accounting practices of the Department of Insurance of the insurers’ state.

§5(G) The financial reports must be comparative, that is, to show the most recent year end against the preceding year end. For example, in a financial report for the year ending December 31, 2013, for each line item, the report must show the result for December 31, 2013, and December 31, 2012.

§5(A – F) The financial report must include:

Section 7 – Qualifications of Independent External Auditor

Many items in this section are based on the underlying requirement that the audit of the insurer must be performed by an independent CPA / CPA firm.

This section of the Model Audit Rule describes the qualifications of an Independent external auditor for an insurer through the following major themes:

Liability§7(A)(2) The external auditor is liable for representations made in the audit of the insurer. This promotes auditors independence because the external auditor has “skin in the game” and can be held liable for misrepresentations made on its audit report, and other responsibilities.
Disassociation§7(D)(1) is similar to SOX 203 in requiring the rotation of the lead audit partner, with a five-year “cool off” period, after a five-year consecutive period with the audit of the insurer. In addition to this, Section 7(L)(1) addresses that a CPA firms senior manager or partner cannot be a part of the insurers leadership for one year prior to the audit.
Non-Audit Services§7(G)(1) is similar to SOX 201 in the restriction of non-audit services being performed by the CPA firm conducting the audit of the insurers financials.

The principles governing non-audit services are that the CPA / CPA firm cannot:

Particular non-audit services mentioned include (Section 7(G)(1))

§7(F) provides that state insurance commissioner the authority to, following a hearing on the matter, force an insurer to change the auditor of its financial statements. In addition, according to drafting notes contained within this section, the state insurance commissioner shall consider using guidance provided in the Securities and Exchange Commission (SEC) final rule No.33-8183,[7] strengthening the commissions requirements regarding auditor independence.

§7(J) provides that all audit and non-audit services to the insurer must be approved first by the insurers audit committee.

Section 9 – Scope of Audit and Independent External Audit Report

This section of the Model Audit Rule describes the resources that the external auditor must consult in planning and performing the audit of an insurers financial statements. The following are the requirements noted and standards borrowed to complete the requirement. The Auditor must:

Component of Audit Scope, per MAR §9 External Rule / Standard / Reference
Conduct the audit in accordance with Generally Accepted Auditing Standards (GAAS) Generally Accepted Auditing Standards (GAAS)
AU319 of the American Institute of Certified Public Accountants (AICPA)
Scoping for audits of insurers that file a report on internal controls (MAR §16) to accompany the financial statements Statement of Auditing Standards (SAS) No. 102 or its replacement, and Financial Condition Examiners Handbook (by NAIC)

Section 11 – Communication of Internal Control Matters

The insurer must provide to the state insurance commissioner a report on internal control weaknesses that are still outstanding as of the close of the audit. The terminology used here is unremediated material weaknesses in internal control over financial reporting.

To successfully provide the unremediated internal control weaknesses report, the concept of materiality must be explained. Here, the insurer and external auditor are directed to the Statements on Auditing Standards No. 60 (SAS 60), Internal Control Related Matters Noted in the Audit regarding the term material weakness.

The Internal Controls Report must, for each material weakness:

An example of this communication, as would be sent to the state insurance commissioner, is the following:

Honorable CommissionerState of Domicile Insurance Department State of Domicile

Dear Honorable Commissioner:

During the audit completed for the year ended December 31, 20XX, for XYZ Holding Company Inc (“XYZ”), a material weakness was noted in XYZ’s internal control over financial reporting related to the calculation of insurance reserves. Due to the manner in which the data for homeowners policies are captured by the systems used in its Southeastern US regional office, changes in XYZ’s estimate of insurance reserves for certain policies are not reviewed by XYZ’s Actuarial Department prior to being recorded in the company’s accounting records.

A material weakness is a deficiency or a combination of deficiencies in internal control, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected on a timely basis. In connection with the weakness noted above, XYZ’s management has taken remedial actions to change its procedures for coding policies issued in the states affected so that all homeowners’ policy data are included in the Actuarial Department review of estimate of insurance reserves. This change was effective on July 1, 20XX.

Should you have any questions regarding this matter, please do not hesitate to contact me at the number noted above.
Regards,

XYZ Holding Company, Inc.

Section 15 – Conduct of Insurer for Documentation

The insurers’ leadership (officers, directors) cannot improperly influence an external auditor of the insurers’ financial statements. “When the officer, director, or person acting under his or her direction knew or should have known that the action, if successful (but regardless of whether the action is in fact successful) could result in rendering the issuers financial statements materially misleading”

Fraud and Gross Negligence

§15 is closely related to Rule 13b2-2(b) under the Securities Exchange Act of 1934. The standard for violation used here includes fraud (acting with intent to deceive) as well as gross negligence (reckless disregard for the truth). Gross negligence is invoked under the phrase “known or should have known”.[8] [9] [10]

Section 16 – Management Report on Internal Control

This section of the Model Audit Rule is most closely related to and departs from Sarbanes Oxley Section 404 (SOX 404) on Internal Control.

§16(A - D) Which Insurers must file – generally, this report is required for large insurers, those with:

No need for Duplicate Internal Control Reports

If an insurer is a publicly traded and subject to SOX 404, then they are already preparing an internal controls report. Therefore, the Model Audit Rule specifically states that this type of insurer “may file its or its parent’s section 404 report and an addendum in satisfaction of this §16 requirement”.

The addendum is a statement by the insurer that “there are no material processes with respect to the preparation of the insurer’s or group of insurers’ audited statutory financial statements...[]... excluded from the section 404 report.”

§16(D) Internal Control Report Contents – Managements Report on Internal Control for statutory financial statements must include:

§16(E) Management (Insurer) Supporting Activities – During an Audit or financial condition examination, the insurer must make available the basis for assertions used in evaluation of internal control.

The insurer is given the freedom (discretion) regarding:

The insurer has aforementioned discretion under the Model Audit Rule to achieve internal control objectives in a cost-effective manner.

Report and Addendum Example: The following is of an SEC registrant who had all Internal Controls covered in the 404 Report.

XYZ Holding Company Inc (“XYZ”) is required to file annual reports on Form 10-K/20-F with the U.S. Securities and Exchange Commission. Each of the insurance companies listed on Attachment B is a wholly owned subsidiary of XYZ. For the purpose of XYZ’s Management’s Report of Internal Control over Financial Reporting, management has identified its “Group of insurers,” as that term is defined in [relevant state statute or Section 3H of the Model], as the insurance companies listed on Attachment B.

Management of XYZ is responsible for establishing and maintaining adequate internal control over statutory financial reporting. XYZ’s internal control over financial reporting is a process designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of statutory financial statements in accordance with statutory accounting principles. Management conducted an assessment of the effectiveness, as of December 31, 201X, of the Group of insurers’ internal control over statutory financial reporting, based on the framework established in Internal Control—Integrated Framework Issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Based on our assessment under that framework, management concluded that the Group of insurers’ internal control over statutory financial reporting is effective to provide reasonable assurance regarding the reliability of financial reporting and the preparation of statutory financial statements as of December 31, 201X.

Because of its inherent limitations, internal control over financial reporting may not prevent or detect misstatements. Projections of any evaluation of effectiveness to future periods are also subject to the risk that controls may become inadequate because of changes in conditions, or that the degree of compliance with the policies or procedures may deteriorate.

In satisfaction of the Group of insurers’ obligation to deliver Management’s Report of Internal Control over Financial Reporting for the fiscal year ended December 31, 201X, as permitted by [relevant state statute or Section 16C of the Model], XYZ is hereby providing the Insurance Commissioner of [domiciliary state] copies of Management’s Report of Internal Control over Financial Reporting and the report of independent registered public accounting firm on internal control over financial reporting for XYZ included in XYZ’s Form 10-K/20-F for the fiscal year ended December 31, 201X (or alternatively the Annual Report to Stockholders). In addition, an Addendum (Attachment A) is included to this report which identifies the material processes that were not included in the Section 404 Report (as defined in Attachment A).

Based on management review of internal controls, there were no unremediated material weaknesses as of December 31, 201X identified as part of the Group of insurers’ internal control structure over the statutory financial statements for the year ended December 31, 201X.

(Signed)____________________________________________ (Date)______________
(Chief Executive Officer)

(Signed)____________________________________________ (Date)______________
(Chief Financial Officer)

XYZ Holding Company, Inc.

Addendum to Management’s Report of Internal Control over Financial Reporting

For the Year Ended December 31, 201X

For purposes of this addendum, the “Section 404 Report” means Management’s Report on Internal Control over Financial Reporting and the report of independent registered public accounting firm on internal control over financial reporting contained in or incorporated by reference in the Form 10-K/20-F. Accordingly, as required by [relevant state statute or Section 16C of the Model], management of XYZ hereby affirms that there are no material processes with respect to the preparation of the audited statutory financial statements of the Group of insurers that were excluded from the Section 404 Report.

Further reading

  1. SECURITIES EXCHANGE ACT OF 1934 . Securities and Exchange Commission . August 10, 2012 .
  2. PUBLIC COMPANY ACCOUNTING REFORM AND CORPORATE RESPONSIBILITY . 107th United States Congress . July 30, 2002 .

Notes and References

  1. The NAIC's New Model Audit Rule: Is Your Organization Ready? . Burton . Scott B. . Krus . Cynthia M. . Roth . Stephen E. . Wilson-Bilik . Mary Jane . Sutherland . October 29, 2009 .
  2. Web site: The NAIC Model Audit Rule: Change is Imminent – Will Your Organization be Prepared? . Murphy . James, CPA . July 3, 2013 .
  3. Web site: SUNERA – Model Audit Rule . 2005. 2013 . Sunera LLC. . July 1, 2013 .
  4. Web site: NAIC Model Laws, Regulations and Guidelines. 2013 . 1991 . National Association of Insurance Commissioners. July 8, 2013 .
  5. Web site: FAQ. NAIC. June 28, 2013.
  6. Web site: Annual Financial Reporting Model Regulation. National Association of Insurance Commissioners – Model Regulation Service. October 2007. June 28, 2013.
  7. Web site: Securities and Exchange Commission, Release No. 33-8183. March 27, 2003 . July 8, 2013 .
  8. Web site: Financial Mistakes to Avoid. May 18, 2016.
  9. Web site: Law.com Legal Dictionary - Fraud. 2013 . July 8, 2013 .
  10. Web site: Law.com Legal Dictionary – Gross Negligence. 2013. July 8, 2013 .