risk-focused examinations overview & update - iasa 2015/sessions/arf/arf-2... · risk-focused...

IASA 87TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW

Risk-Focused Examinations Overview & Update

Session #708


Understanding the Examination Process

In order to be able to maximize examination efficiency and

have examiners fully leverage your control environment, it is

important to understand the risk-focused examination

process and requirements.


Risk-Focused Examinations

Presentation areas of focus:

1. How to prepare for an examination

2. Overview of the risk-focused examination process

3. What’s new in examinations

4. Observations from recent examinations

5. Q&A




1. How to best prepare for an examination




5. Q&A


How to Prepare

I received an examination notice, now what?


Preparing for the Examination

Understand the process (second part of presentation)

Factors to consider in preparing for an examination:

• Timing

• Physical Space

• Personnel Identification

• IT Considerations

• Information Transfer

• Tracking of Open Items and requests

• Auditor Involvement (CPA/Internal)

• C-Suite Interviews


Timing

Establish an understanding of the timing of the examination (start date,

milestones (exhibit completion deadlines), anticipated end date, and

deadlines).

Discuss multi-state coordination efforts (significant changes in this area)

Discuss on-site vs. off-site examination work and timing of each

Consider the impact of Corporate Governance/ORSA

Use of Experts

Timing of C-level interviews

Timing of CPA involvement

Communication of company constraints (reporting deadlines)


Physical Space

In order to prepare physical space

for the exam team, communication

about the space that will be

needed and the number of

examiners should be discussed

before the start of the exam.


Personnel Identification

Identify who will be involved

Company personnel and responsibilities relating to the exam

Examination personnel and responsibilities

Create a contact list

Off-site Considerations

Other personnel involved


IT Considerations

IT Connections

What are the examiner requirements

Method of information exchange

Electronic work-paper considerations

IT Security

Protect data and confidentiality of information

Handbook discussion of confidentiality

Confidentiality

The risk-focused surveillance approach contained within this Handbook will require examiners to incorporate new tools to document their

examination approach and to increase the extent of communication with their department analysts as well other regulators. Similar to other

documentation completed in accordance with a financial condition examination, these tools are considered examination work papers and thus

considered confidential under state law, including the state’s examination law. In addition, sensitive documents of the insurer that are used in the

risk assessment process, such as internal audit reports, will be examination work papers and protected under the confidentiality standards set forth

in the NAIC Model Law on Examinations. Furthermore, the enhanced communication between state insurance department examiners and analysts

and the sharing of information to other state insurance departments shall not impact the confidential status of these work papers. As with the

communication of other confidential information, examination work papers may be shared with other regulators whose state insurance department

has authority under state law to preserve the confidentiality of the information they receive and maintain.


Transfer of Information / Tracking of Outstanding Items

The insurer and regulator should have a system for the

transfer of information and the tracking of outstanding

items to avoid duplicate requests.

Regular status meetings

Dashboard” reporting of status


CPA Work Papers

Auditor Work-papers:

Initiate a meeting and discussion between exam team and CPA, as

early as possible, new guidance allows use of prior year workpapers

Work-papers for years under examination

Current year focus

Prior year work papers allowed as long as changes in approach are

discussed

Lead time for requests

Follow-up meetings

Auditor and examiner should have a discussion prior to finalization of exam and audit


Internal Audit

The examiner will need to evaluate the internal audit process

for reliance

• If CPAs rely on the Internal Audit function, this process may be short-

cut by having CPAs discuss their evaluation/reliance with examiners

• Information needed by examiners

• Internal audit function overview

• Reporting lines

• Audit plans

• Audit results


Preparing for Interviews

Interviews will likely take place with:

Board of Directors

Audit Committee

Senior Management

Risk Officer

Educate board members on the examination process:

Explain why interviews are occurring

Provide Exhibit Y for typical questions asked

Fiduciary duties of board members

Examination authority laws

STAT and GAAP accounting basis's

Mission of Examiner’s (protect promises made to policyholder)

Scope of exam includes long-term strategies and prospective risks

Ask Examiners to prepare an agenda and discussion topics








5. Q&A


Risk-Focused Exam in a Nutshell

The risk-focused exam procedures are designed to allow

examiners to: • Develop an understanding of the insurer’s key functional activities and the

risks associated with those activities

• Evaluate the effectiveness of the risk mitigation strategies and controls

“Solvency issues generally result from business risks that were not mitigated

to an acceptable level by company controls. Inadequately controlled

operating risks may take several years to be reflected in the company’s

financial statements.”


Risk Focused Exam Process

18

• Understand the Company and Identify Key Functional Activities to be Reviewed Phase 1

• Identify and Assess Inherent Risk in Activities Phase 2

• Identify and Evaluate Risk Mitigation Strategies/Controls Phase 3

• Determine Residual Risk Phase 4

• Establish/Conclude Examination Procedures Phase 5

• Update Prioritization and Supervisory Plan Phase 6

• Draft Examination Report and Management Letter based upon Findings Phase 7

Procedures within

the Planning

Process- where

management can

have the most

impact

PHASE 1 Understanding the Company and Key Functional Areas

RISK-FOCUSED EXAMINATIONS


Phase 1: Understand the Company

Understanding the Company

Understanding the Corporate Governance Structure

Assessing the Adequacy of the Audit Function

Identifying Key Functional Activities

Consideration of Prospective Risks for Indication of

Solvency Concerns

20


Phase 1 Understanding the Company Sample Risk Assessment Catalog Process

Combined Risk

Catalog

Review Prior Examination

Review External Audits

Review Internal Audits

Review SOX

Review ORSA/self

assessments

Meet with Key Members of

Management

Handbook Considerations

Regulatory Concerns

Other sources (news, current

events)


Phase 1 Corporate Governance Structure

Components of effective corporate governance programs

include: 1. Competency

2. Independent and adequate involvement

3. Communication

4. Code of conduct

5. Strategic and financial objectives

6. Business planning

7. Reliable risk management

8. Sound principals of conduct

9. Independence

10. Objective and independent reporting

11. Sarbanes-Oxley provisions

12. Board oversight

Exhibit M – Understanding Corporate Governance Structure

*New Guidance on ORSA Evaluation*

22


Phase 1 Management Preparation

What can management do to prepare?

• Understand the examination process – understand the goals and the

procedures used to achieve those goals

• Consider the information that examiners will be looking at in advance

of the examination process

• Ensure processes and corporate governance are documented

Starting the Process

• Be Proactive (consider process prior to exam)

• Phase 1 is often where management can be most involved

• Arrange regular meetings (internally and with examiners)

• Ask examiners to prepare formal request lists

• Have an overview meeting to tell about the company and set the

stage

23


Phase 1 Management Preparation – Exhibits and Questionnaires

Obtain and complete exhibits as early in process as possible

Don’t “skimp” on answers – use memos and attachments as necessary

Exhibit B – Planning questionnaire

“The questionnaire responses should be considered when identifying the inherent risks of the insurer.

They should also impact the planned examination approach, and the nature, timing and extent of

examination procedures performed”

• The more complete the questionnaire, the less work examiners need to do

• Plan ahead - document processes as they are being done

Exhibit C – Evaluation of controls in information technology

• Work program – examples of common risks, controls, example requests, tests

procedures

• Use as a guide to what examiners are looking for


Management Preparation Importance of Interviews

Exhibit Y – Examination Interviews

“It is critical for the examination team to understand and leverage the

company’s risk management program; i.e. how the company identifies,

controls, monitors, evaluates and responds to its risks….An examiner

can perform alternate, additional or fewer detail and control tests as a

result of interviews with the company.”

• Make sure examiners have an overall understanding of the company before

conducting high level interviews

• Get an agenda in advance of the meeting

• Exhibit Y has sample questions

• Provide management’s view of governance and control structure

(Top down approach).


Phase 1 Assess the Audit Function

External auditors

• Provide an understanding of control structure to examiners

• CPA’s risk assessment is a starting point for examiners

• Compliance/control testing and substantive procedures reviewed for possible reliance

• Should be complementary to exam process

• Examiner must consider quality, adequacy and results of auditors work

Internal audit - Must be independent, objective and perform quality audits

• Provides insight into risk identification and control structure

• Financial

• Operational

• Compliance

• IT

• Should be complementary to external audit

• Examiner must understand IA’s role in internal control structure

• Examiner must understand qualifications and independence

26


Phase 1 Audit Function - Management Facilitation

Management Facilitation

• Discuss expected cooperation with external auditors

• Facilitate meetings

• Prepare required authorization letters

• Ensure availability of auditor work-papers

• Understand the required information (Exhibit E)

• Document role and structure of internal audit

• Provide a list of internal audit activities

27


Phase 1 Identify Key Functional Activities

Key Functional Activities

& Prospective Risks

Audit Assessment

(step 3)

Corporate Governance Assessment

(step 2)

Information Obtained (step 1)

13

Consideration is given to

qualitative and quantitative

measures


Phase 1 Key Activities and Prospective Risk Management Facilitation

Discuss key activities with examiners

Ensure activities match actual business

Match key activities with those identified by the company

Understand the company’s prospective risks

• Asset/liability matching

• Loss reserve development methods

• Pricing and underwriting

• Reinsurance

• Growth, M&A activity

• Liquidity of assets

• Other business risks

PHASE 2 Identify and Assess Inherent Risk



Phase 2 Identify and Assess Inherent Risk

Step 1: Identifying the Risk

Step 2: Identifying the Type of Risk

Step 3: Assessing the Inherent Risk

• Exhibit J - Risk Assessment Worksheets

• Exhibit K - Risk Assessment Matrix

• Exhibit L – Branded Risk Classifications

Repositories – Common risks, control best practices, test of

controls, sample testing, reduced in 2015

31


Phase 2 Step 1: Identifying the Risk

Key activities and sub-activities identified in Phase 1

are the building blocks for identifying inherent risk.

• Risks Other than Financial Reporting

• Financial Reporting Risks

Ask the question “What can go wrong?” for each of the

key activities.

Repositories included in handbook

32


Phase 2 Step 2: Identifying the Type of Risk

33

• Credit

• Market

• Pricing/underwriting

• Reserving

• Liquidity

• Operational

• Legal

• Strategic

• Reputational

Branded Risk Classifications:


Critical Risk Categories

Exam should focus on most critical solvency risks for an

insurer

Examiners use Exhibit DD (Critical Risk Categories) to

ensure all critical risks have been included during Phase 2

Examiner will need to assess each risk category, or explain

why it is not relevant

Started with 2013 Examinations


Critical Risk Categories

Valuation/Impairment of Complex Invested

Assets Liquidity

Appropriateness of Investment Strategy

Appropriateness of Reinsurance

Reinsurance Reporting & Collectability

Underwriting and Pricing Strategy

Reserve Data Reserve Adequacy

Related Party & Holding Company

Considerations Capital Management

PHASE 3 Identify and Evaluate Risk Mitigation Strategies and Controls



Phase 3 Strategy/Control Assessment

Step 1: Identify Risk Mitigation Strategies/Controls

Step 2: Evaluate Risk Mitigation Strategies/Controls

Step 3: Consideration of Small/Medium-Size Insurers

Step 4: Examiner Use of Sarbanes-Oxley

Documentation

37


Phase 3 Step 1: Identify Risk Mitigation Controls

The insurer’s control risk should be assessed by

determining how well the risk mitigation strategies/controls

offset the inherent risks identified

Leverage off work of external and internal audit and

company self-assessments (e.g. SOX)

38


Phase 3 Step 2: Evaluate Risk Mitigation Controls

Controls over Financial Reporting Risks tested to ensure:

• Operating as expected

• Applied consistently throughout the entire period of reliance

• Performed on a timely basis

• Encompassing all transactions

• Identifying errors

Reliance on External Auditors

Reliance on Controls Testing Performed in Prior Years

39


Risk Mitigation Strategies/Controls Ratings

The Risk Mitigation Strategy/Control Assessment ratings to

be indicated in the Risk Assessment Matrix are:

• Strong Risk Management

• Moderate Risk Management

• Weak Risk Management

40

Phase 3 Step 2: Evaluate Risk Mitigation Controls


Phase 3 Management Considerations

Control structure and mitigating controls have a significant

impact on the level of work performed during the

examination

Testing of Financial Reporting Risks greatly reduced by

reliance on external auditor

Designing and self evaluating controls is cost effective from

an audit and examination perspective.

Ensure examiners fully understand control structure and

testing done by external auditors, internal auditors, Sox

testing

The Rest : Phases 4 - 7



Phases 4 & 5

Phase 4 – Determination of residual risk

Combination of inherent risk and control risk

Also allows for examiner judgmental risk

Extent of testing in Phase 5 is determinant on residual risk

• High – Detail procedures required

• Moderate – Fewer detailed procedures, more analytical

• Low – Limited or no detail procedures performed, may be limited to

analytical

Phase 5 – Detailed Examination Procedures

Testing should focus on risk areas

May also include state-specific procedures


Phases 6 & 7

Phase 6 – Update prioritization and supervisory plan

• Examiners use material findings and risk assessment to update

ongoing supervisory plan for the insurer

Management involvement - None

Phase 7 – Draft examination report and management letter

Management involvement:

Ensure exam report is accurate and does not disclose confidential

information

Draft management letter responses, take credit for controls already

instituted








4. Q&A


What’s New in Examinations

2015 Handbook Changes

•Purpose of an examination changed to focus on:

»Business processes and controls

»Current and Prospective Risks

» In addition to risks impacting surplus (previous)

•Repositories reduced from 18 to 9 to align with

Critical Risk Categories (avoid checklist mentality)

Examination Reports Revised to reduce

non-essential items and allow more flexibility


Recent Examination Guidance Changes

Changes to Handbook to emphasize coordination between

examiners and analysts and reduce duplication of requests

• Exhibit A and B changed

• Insurer Profile Summaries changed

Guidance on review of CPA workpapers including allowing

use of PY wp’s with update procedures, encouraging more

use of CPA wp’s to reduce financial reporting risk

Significant changes to coordination framework to further

define roles of examination participants



ORSA Review Guidance Added to 2015 Handbook

Evaluation is based on the RIMS Risk Maturity Model (0-5)

Non Existent (0)

Ad Hoc (1) Initial (2) Repeatable

(3) Managed

(4) Leadership

(5)



ORSA Part 1 is evaluated on 5 Principles

Risk Culture and Governance

Risk Identification and Prioritization

Risk Appetite, Tolerances and Limits

Risk Management and Controls

Risk Reporting and Communication



ORSA Part 2 is evaluated against branded risks

• Credit

• Legal

• Liquidity

• Market

• Operational

• Pricing/Underwriting

• Reputational

• Reserving

• Strategic

• Other

Branded risks are not

required to be included

in the Insurers ORSA

report



ORSA Part 3 evaluation includes reviewing assumptions

and models used, including the appropriateness of internal

and external models and stress testing

ORSA evaluation guidance includes cross referencing table

for leveraging ORSA results throughout the exam








4. Q&A


Risk-Focused Exams Observations

Sound practices

• Schedule regular face-to-face meetings between insurer, examiner

and analysts

• Provide forms (planning questionnaire, IT planning questionnaire and

preliminary company request as early as practical

• Consider constraints on company personnel when establishing

request due dates

• Interviews:

• Review Annual statement, prior year reports, AM Best report, news reports

and inquiry of analyst to obtain basic insurer understanding before

conducting interviews

• Provide topical agenda as a guide for discussion

• Give adequate advance notice (30 days)


Risk-Focused Exams Observations

Interviews – cont’d

• C-Level interviews should be performed in Phase 1 to gain a better

understanding of the company and its significant risks

Using work of others (CPA, IA)

• Issues in obtaining work of others should be communicated promptly

• Deficiencies noted in work of others that limits usefulness for exam

purposes should be communicated to allow company to correct

deficiencies in future exams

Control identification

• Discuss perceived missing controls with company before

documenting control weaknesses

Leverage information from prior examinations







4. Q&A


Contact Information

Sherry “Cyranna” L. Flippo, CPA, FLMI

Financial Program Manager

1100 Walnut Street, Suite 1500 Kansas City, MO 64106

816-783-8133

[email protected]

Dianne Batistoni, CPA, CFE

Partner, Insurance Services

111 Wood Ave South, Iselin, NJ 08830

732-243-7220

[email protected]

mailto:[email protected]

mailto:[email protected]


Please Complete the Session Evaluation Form on the Conference App

risk-focused examinations overview & update - iasa 2015/sessions/arf/arf-2... · risk-focused...

Documents