IASA 87TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW
Risk-Focused Examinations Overview & Update
Session #708
Understanding the Examination Process
In order to be able to maximize examination efficiency and
have examiners fully leverage your control environment, it is
important to understand the risk-focused examination
process and requirements.
Risk-Focused Examinations
Presentation areas of focus:
1. How to prepare for an examination
2. Overview of the risk-focused examination process
3. What’s new in examinations
4. Observations from recent examinations
5. Q&A
Risk-Focused Examinations
Presentation areas of focus:
1. How to best prepare for an examination
2. Overview of the risk-focused examination process
3. What’s new in examinations
4. Observations from recent examinations
5. Q&A
How to Prepare
I received an examination notice, now what?
Preparing for the Examination
Understand the process (second part of presentation)
Factors to consider in preparing for an examination:
• Timing
• Physical Space
• Personnel Identification
• IT Considerations
• Information Transfer
• Tracking of Open Items and requests
• Auditor Involvement (CPA/Internal)
• C-Suite Interviews
Timing
Establish an understanding of the timing of the examination (start date,
milestones (exhibit completion deadlines), anticipated end date, and
deadlines).
Discuss multi-state coordination efforts (significant changes in this area)
Discuss on-site vs. off-site examination work and timing of each
Consider the impact of Corporate Governance/ORSA
Use of Experts
Timing of C-level interviews
Timing of CPA involvement
Communication of company constraints (reporting deadlines)
Physical Space
To prepare physical space for the exam team, discuss the space that will be
needed and the number of examiners before the start of the exam.
Personnel Identification
Identify who will be involved
Company personnel and responsibilities relating to the exam
Examination personnel and responsibilities
Create a contact list
Off-site Considerations
Other personnel involved
IT Considerations
IT Connections
What are the examiner requirements
Method of information exchange
Electronic work-paper considerations
IT Security
Protect data and confidentiality of information
Handbook discussion of confidentiality
Confidentiality
The risk-focused surveillance approach contained within this Handbook will require examiners to incorporate new tools to document their
examination approach and to increase the extent of communication with their department analysts as well as other regulators. Similar to other
documentation completed in accordance with a financial condition examination, these tools are considered examination work papers and thus
considered confidential under state law, including the state’s examination law. In addition, sensitive documents of the insurer that are used in the
risk assessment process, such as internal audit reports, will be examination work papers and protected under the confidentiality standards set forth
in the NAIC Model Law on Examinations. Furthermore, the enhanced communication between state insurance department examiners and analysts
and the sharing of information to other state insurance departments shall not impact the confidential status of these work papers. As with the
communication of other confidential information, examination work papers may be shared with other regulators whose state insurance department
has authority under state law to preserve the confidentiality of the information they receive and maintain.
Transfer of Information / Tracking of Outstanding Items
The insurer and regulator should have a system for the
transfer of information and the tracking of outstanding
items to avoid duplicate requests.
Regular status meetings
“Dashboard” reporting of status
CPA Work Papers
Auditor Work-papers:
Initiate a meeting and discussion between the exam team and CPA as
early as possible; new guidance allows use of prior year workpapers
Work-papers for years under examination
Current year focus
Prior year work papers allowed as long as changes in approach are
discussed
Lead time for requests
Follow-up meetings
Auditor and examiner should have a discussion prior to finalization of exam and audit
Internal Audit
The examiner will need to evaluate the internal audit process
for reliance
• If CPAs rely on the Internal Audit function, this process may be
shortcut by having CPAs discuss their evaluation/reliance with examiners
• Information needed by examiners
• Internal audit function overview
• Reporting lines
• Audit plans
• Audit results
Preparing for Interviews
Interviews will likely take place with:
Board of Directors
Audit Committee
Senior Management
Risk Officer
Educate board members on the examination process:
Explain why interviews are occurring
Provide Exhibit Y for typical questions asked
Fiduciary duties of board members
Examination authority laws
STAT and GAAP accounting bases
Mission of examiners (protect promises made to policyholders)
Scope of exam includes long-term strategies and prospective risks
Ask Examiners to prepare an agenda and discussion topics
Risk-Focused Examinations
Presentation areas of focus:
1. How to best prepare for an examination
2. Overview of the risk-focused examination process
3. What’s new in examinations
4. Observations from recent examinations
5. Q&A
Risk-Focused Exam in a Nutshell
The risk-focused exam procedures are designed to allow
examiners to:
• Develop an understanding of the insurer’s key functional activities and the
risks associated with those activities
• Evaluate the effectiveness of the risk mitigation strategies and controls
“Solvency issues generally result from business risks that were not mitigated
to an acceptable level by company controls. Inadequately controlled
operating risks may take several years to be reflected in the company’s
financial statements.”
Risk Focused Exam Process
• Phase 1: Understand the Company and Identify Key Functional Activities to be Reviewed
• Phase 2: Identify and Assess Inherent Risk in Activities
• Phase 3: Identify and Evaluate Risk Mitigation Strategies/Controls
• Phase 4: Determine Residual Risk
• Phase 5: Establish/Conclude Examination Procedures
• Phase 6: Update Prioritization and Supervisory Plan
• Phase 7: Draft Examination Report and Management Letter based upon Findings
Procedures within the Planning Process: where management can have the most impact
PHASE 1 Understanding the Company and Key Functional Areas
RISK-FOCUSED EXAMINATIONS
Phase 1: Understand the Company
Understanding the Company
Understanding the Corporate Governance Structure
Assessing the Adequacy of the Audit Function
Identifying Key Functional Activities
Consideration of Prospective Risks for Indication of
Solvency Concerns
Phase 1 Understanding the Company Sample Risk Assessment Catalog Process
Combined Risk Catalog:
• Review Prior Examination
• Review External Audits
• Review Internal Audits
• Review SOX
• Review ORSA/self assessments
• Meet with Key Members of Management
• Handbook Considerations
• Regulatory Concerns
• Other sources (news, current events)
Phase 1 Corporate Governance Structure
Components of effective corporate governance programs
include:
1. Competency
2. Independent and adequate involvement
3. Communication
4. Code of conduct
5. Strategic and financial objectives
6. Business planning
7. Reliable risk management
8. Sound principles of conduct
9. Independence
10. Objective and independent reporting
11. Sarbanes-Oxley provisions
12. Board oversight
Exhibit M – Understanding Corporate Governance Structure
*New Guidance on ORSA Evaluation*
Phase 1 Management Preparation
What can management do to prepare?
• Understand the examination process – understand the goals and the
procedures used to achieve those goals
• Consider the information that examiners will be looking at in advance
of the examination process
• Ensure processes and corporate governance are documented
Starting the Process
• Be Proactive (consider process prior to exam)
• Phase 1 is often where management can be most involved
• Arrange regular meetings (internally and with examiners)
• Ask examiners to prepare formal request lists
• Have an overview meeting to tell about the company and set the
stage
Phase 1 Management Preparation – Exhibits and Questionnaires
Obtain and complete exhibits as early in process as possible
Don’t “skimp” on answers – use memos and attachments as necessary
Exhibit B – Planning questionnaire
“The questionnaire responses should be considered when identifying the inherent risks of the insurer.
They should also impact the planned examination approach, and the nature, timing and extent of
examination procedures performed”
• The more complete the questionnaire, the less work examiners need to do
• Plan ahead - document processes as they are being done
Exhibit C – Evaluation of controls in information technology
• Work program – examples of common risks, controls, example requests, test
procedures
• Use as a guide to what examiners are looking for
Management Preparation Importance of Interviews
Exhibit Y – Examination Interviews
“It is critical for the examination team to understand and leverage the
company’s risk management program; i.e. how the company identifies,
controls, monitors, evaluates and responds to its risks…. An examiner
can perform alternate, additional or fewer detail and control tests as a
result of interviews with the company.”
• Make sure examiners have an overall understanding of the company before
conducting high level interviews
• Get an agenda in advance of the meeting
• Exhibit Y has sample questions
• Provide management’s view of governance and control structure
(Top down approach).
Phase 1 Assess the Audit Function
External auditors
• Provide an understanding of control structure to examiners
• CPA’s risk assessment is a starting point for examiners
• Compliance/control testing and substantive procedures reviewed for possible reliance
• Should be complementary to exam process
• Examiner must consider quality, adequacy and results of auditors work
Internal audit - Must be independent, objective and perform quality audits
• Provides insight into risk identification and control structure
• Financial
• Operational
• Compliance
• IT
• Should be complementary to external audit
• Examiner must understand IA’s role in internal control structure
• Examiner must understand qualifications and independence
Phase 1 Audit Function - Management Facilitation
Management Facilitation
• Discuss expected cooperation with external auditors
• Facilitate meetings
• Prepare required authorization letters
• Ensure availability of auditor work-papers
• Understand the required information (Exhibit E)
• Document role and structure of internal audit
• Provide a list of internal audit activities
Phase 1 Identify Key Functional Activities
Key Functional Activities & Prospective Risks
• Information Obtained (step 1)
• Corporate Governance Assessment (step 2)
• Audit Assessment (step 3)
Consideration is given to qualitative and quantitative measures
Phase 1 Key Activities and Prospective Risk Management Facilitation
Discuss key activities with examiners
Ensure activities match actual business
Match key activities with those identified by the company
Understand the company’s prospective risks
• Asset/liability matching
• Loss reserve development methods
• Pricing and underwriting
• Reinsurance
• Growth, M&A activity
• Liquidity of assets
• Other business risks
PHASE 2 Identify and Assess Inherent Risk
RISK-FOCUSED EXAMINATIONS
Phase 2 Identify and Assess Inherent Risk
Step 1: Identifying the Risk
Step 2: Identifying the Type of Risk
Step 3: Assessing the Inherent Risk
• Exhibit J - Risk Assessment Worksheets
• Exhibit K - Risk Assessment Matrix
• Exhibit L – Branded Risk Classifications
Repositories – Common risks, control best practices, test of
controls, sample testing, reduced in 2015
Phase 2 Step 1: Identifying the Risk
Key activities and sub-activities identified in Phase 1
are the building blocks for identifying inherent risk.
• Risks Other than Financial Reporting
• Financial Reporting Risks
Ask the question “What can go wrong?” for each of the
key activities.
Repositories included in handbook
Phase 2 Step 2: Identifying the Type of Risk
Branded Risk Classifications:
• Credit
• Market
• Pricing/underwriting
• Reserving
• Liquidity
• Operational
• Legal
• Strategic
• Reputational
Critical Risk Categories
Exam should focus on most critical solvency risks for an
insurer
Examiners use Exhibit DD (Critical Risk Categories) to
ensure all critical risks have been included during Phase 2
Examiner will need to assess each risk category, or explain
why it is not relevant
Started with 2013 Examinations
Critical Risk Categories
• Valuation/Impairment of Complex Invested Assets
• Liquidity
• Appropriateness of Investment Strategy
• Appropriateness of Reinsurance
• Reinsurance Reporting & Collectability
• Underwriting and Pricing Strategy
• Reserve Data
• Reserve Adequacy
• Related Party & Holding Company Considerations
• Capital Management
PHASE 3 Identify and Evaluate Risk Mitigation Strategies and Controls
RISK-FOCUSED EXAMINATIONS
Phase 3 Strategy/Control Assessment
Step 1: Identify Risk Mitigation Strategies/Controls
Step 2: Evaluate Risk Mitigation Strategies/Controls
Step 3: Consideration of Small/Medium-Size Insurers
Step 4: Examiner Use of Sarbanes-Oxley
Documentation
Phase 3 Step 1: Identify Risk Mitigation Controls
The insurer’s control risk should be assessed by
determining how well the risk mitigation strategies/controls
offset the inherent risks identified
Leverage off work of external and internal audit and
company self-assessments (e.g. SOX)
Phase 3 Step 2: Evaluate Risk Mitigation Controls
Controls over Financial Reporting Risks tested to ensure:
• Operating as expected
• Applied consistently throughout the entire period of reliance
• Performed on a timely basis
• Encompassing all transactions
• Identifying errors
Reliance on External Auditors
Reliance on Controls Testing Performed in Prior Years
Risk Mitigation Strategies/Controls Ratings
The Risk Mitigation Strategy/Control Assessment ratings to
be indicated in the Risk Assessment Matrix are:
• Strong Risk Management
• Moderate Risk Management
• Weak Risk Management
Phase 3 Step 2: Evaluate Risk Mitigation Controls
Phase 3 Management Considerations
Control structure and mitigating controls have a significant
impact on the level of work performed during the
examination
Testing of Financial Reporting Risks greatly reduced by
reliance on external auditor
Designing and self-evaluating controls is cost effective from
an audit and examination perspective.
Ensure examiners fully understand the control structure and
the testing done by external auditors, internal auditors and SOX
testing
The Rest: Phases 4 - 7
RISK-FOCUSED EXAMINATIONS
Phases 4 & 5
Phase 4 – Determination of residual risk
Combination of inherent risk and control risk
Also allows for examiner judgmental risk
Extent of testing in Phase 5 is dependent on residual risk
• High – Detail procedures required
• Moderate – Fewer detailed procedures, more analytical
• Low – Limited or no detail procedures performed, may be limited to
analytical
Phase 5 – Detailed Examination Procedures
Testing should focus on risk areas
May also include state-specific procedures
Phases 6 & 7
Phase 6 – Update prioritization and supervisory plan
• Examiners use material findings and risk assessment to update
ongoing supervisory plan for the insurer
Management involvement - None
Phase 7 – Draft examination report and management letter
Management involvement:
Ensure exam report is accurate and does not disclose confidential
information
Draft management letter responses, take credit for controls already
instituted
Risk-Focused Examinations
Presentation areas of focus:
1. How to best prepare for an examination
2. Overview of the risk-focused examination process
3. What’s new in examinations
4. Observations from recent examinations
5. Q&A
What’s New in Examinations
2015 Handbook Changes
• Purpose of an examination changed to focus on:
» Business processes and controls
» Current and Prospective Risks
» In addition to risks impacting surplus (previous)
• Repositories reduced from 18 to 9 to align with
Critical Risk Categories (avoid checklist mentality)
• Examination Reports revised to reduce
non-essential items and allow more flexibility
Recent Examination Guidance Changes
Changes to Handbook to emphasize coordination between
examiners and analysts and reduce duplication of requests
• Exhibit A and B changed
• Insurer Profile Summaries changed
Guidance on review of CPA workpapers, including allowing
use of prior-year workpapers with update procedures and encouraging more
use of CPA workpapers to reduce financial reporting risk
Significant changes to coordination framework to further
define roles of examination participants
Recent Examination Guidance Changes
ORSA Review Guidance Added to 2015 Handbook
Evaluation is based on the RIMS Risk Maturity Model (0-5)
• Non Existent (0)
• Ad Hoc (1)
• Initial (2)
• Repeatable (3)
• Managed (4)
• Leadership (5)
Recent Examination Guidance Changes
ORSA Part 1 is evaluated on 5 Principles
Risk Culture and Governance
Risk Identification and Prioritization
Risk Appetite, Tolerances and Limits
Risk Management and Controls
Risk Reporting and Communication
Recent Examination Guidance Changes
ORSA Part 2 is evaluated against branded risks
• Credit
• Legal
• Liquidity
• Market
• Operational
• Pricing/Underwriting
• Reputational
• Reserving
• Strategic
• Other
Branded risks are not required to be included in the insurer’s ORSA report
Recent Examination Guidance Changes
ORSA Part 3 evaluation includes reviewing assumptions
and models used, including the appropriateness of internal
and external models and stress testing
ORSA evaluation guidance includes cross referencing table
for leveraging ORSA results throughout the exam
Risk-Focused Examinations
Presentation areas of focus:
1. How to best prepare for an examination
2. Overview of the risk-focused examination process
3. What’s new in examinations
4. Observations from recent examinations
5. Q&A
Risk-Focused Exams Observations
Sound practices
• Schedule regular face-to-face meetings between insurer, examiner
and analysts
• Provide forms (planning questionnaire, IT planning questionnaire and
preliminary company request) as early as practical
• Consider constraints on company personnel when establishing
request due dates
• Interviews:
• Review Annual statement, prior year reports, AM Best report, news reports
and inquiry of analyst to obtain basic insurer understanding before
conducting interviews
• Provide topical agenda as a guide for discussion
• Give adequate advance notice (30 days)
Risk-Focused Exams Observations
Interviews – cont’d
• C-Level interviews should be performed in Phase 1 to gain a better
understanding of the company and its significant risks
Using work of others (CPA, IA)
• Issues in obtaining work of others should be communicated promptly
• Deficiencies noted in work of others that limit usefulness for exam
purposes should be communicated to allow the company to correct
deficiencies in future exams
Control identification
• Discuss perceived missing controls with company before
documenting control weaknesses
Leverage information from prior examinations
Risk-Focused Examinations
Presentation areas of focus:
1. How to best prepare for an examination
2. Overview of the risk-focused examination process
3. Observations from recent examinations
4. Q&A
Contact Information
Sherry “Cyranna” L. Flippo, CPA, FLMI
Financial Program Manager
1100 Walnut Street, Suite 1500 Kansas City, MO 64106
816-783-8133
Dianne Batistoni, CPA, CFE
Partner, Insurance Services
111 Wood Ave South, Iselin, NJ 08830
732-243-7220