Model Audit Rule 205

The Model Audit Rule 205, Model Audit Rule, or MAR 205 are the commonly applied terms for the Annual Financial Reporting Model Regulation. Model Audit Rule is a financial reporting regulation applicable to insurance companies, and borrows significantly from the Sarbanes Oxley Act of 2002 (see ‘key sections’ below). The Model Audit Rule is co-developed by the American Institute of Certified Public Accountants (“AICPA”) and National Association of Insurance Commissioners (“NAIC”) and issued by NAIC with revisions in 2006 and has taken effect in 2010.

The NAIC internal designation for the Annual Financial Reporting Model Regulation is MDL 205, where MDL stands for Model, and the number of the model rule is 205. Because the regulation was issued by NAIC, which is not a federal agency with direct regulatory power, its adoption is on a state-by-state basis.

Purpose
The Model Audit Rule was issued to:
 * Govern the submission of audited statutory financial statements by insurance companies
 * Drive Consistency Across Insurance Regulators
 * Improve the ability of state insurance departments to oversee the financial condition of insurers

The Model Audit Rule requires the following to be submitted by insurance companies operating in states which have adopted the regulation:
 * An Annual Financial Statement Audit by an Independent CPA
 * Communication of Internal Control Related Matters Noted in the Audit
 * Managements Report of Internal Control over Financial Reporting

Section 4 – Financial Report Filing Requirements
All insurers must have an annual audit by an independent CPA. This audit must be filed by June 1 following the preceding December 31 year end. An insurer may receive an extension for both the Audit report (performed by an independent CPA) and Managements report on internal controls. Here, the term Management refers to the management of the insurer.

For example, filing for the year ending December 31, 2012 must be done by June 1, 2013.

Section 5 – Financial Report Contents
The annual audited financial report should show the financial position, results of its operations, cash flows and changes in capital and surplus. The insurers report must be in conformity with statutory accounting practices of the Department of Insurance of the insurers’ state.

§5(G) The financial reports must be comparative, that is, to show the most recent year end against the preceding year end. For example, in a financial report for the year ending December 31, 2013, for each line item, the report must show the result for December 31, 2013, and December 31, 2012.

§5(A – F) The financial report must include:
 * Report by an Independent CPA (i.e. Independent Auditors Report)
 * Balance Sheet
 * Statement of Operations (i.e. Income Statement in a for-profit operation)
 * Statement of Cash Flow
 * Statement of Changes in Capital and Surplus
 * Notes to the Financial Statements

Section 7 – Qualifications of Independent External Auditor
Many items in this section are based on the underlying requirement that the audit of the insurer must be performed by an independent CPA / CPA firm.

This section of the Model Audit Rule describes the qualifications of an Independent external auditor for an insurer through the following major themes:
 * Liability – External Auditor Liability and
 * Disassociation – Mandatory Audit Partner Rotation, and Audit Leadership being apart from insurers leadership through a minimum time frame
 * Non Audit Services – Description of Services that the External Auditor cannot perform while engaged in the audit of the insurers financial statement

§7(A)(2) The external auditor is liable for representations made in the audit of the insurer. This promotes auditors independence because the external auditor has “skin in the game” and can be held liable for misrepresentations made on its audit report, and other responsibilities.
 * Liability

§7(D)(1) is similar to SOX 203 in requiring the rotation of the lead audit partner, with a five-year “cool off” period, after a five-year consecutive period with the audit of the insurer. In addition to this, Section 7(L)(1) addresses that a CPA firms senior manager or partner cannot be a part of the insurers leadership for one year prior to the audit.
 * Disassociation

§7(G)(1) is similar to SOX 201 in the restriction of non-audit services being performed by the CPA firm conducting the audit of the insurers financials.
 * Non-Audit Services

The principles governing non-audit services are that the CPA / CPA firm cannot:
 * Function in the role of management (§7(G)(2))
 * Audit their own work (§7(G)(2)), and
 * Serve in an advocacy role for the insurer (§7(G)(2))

Particular non-audit services mentioned include (Section 7(G)(1))
 * Bookkeeping or other services related to accounting records of the Insurer
 * Financial Information System Design & Implementation
 * Appraisal or Valuation Services
 * Actuarial advisory services involving determination of financial statement amounts
 * Internal Audit Outsourcing
 * Management or Human Resources functions
 * Broker / Dealer functions
 * Legal services or expert services unrelated to the audit
 * Any other services that the commissioner determines, by regulation, to be impermissible.

§7(F) provides that state insurance commissioner the authority to, following a hearing on the matter, force an insurer to change the auditor of its financial statements. In addition, according to drafting notes contained within this section, the state insurance commissioner shall consider using guidance provided in the Securities and Exchange Commission (SEC) final rule No.33-8183, strengthening the commissions requirements regarding auditor independence.

§7(J) provides that all audit and non-audit services to the insurer must be approved first by the insurers audit committee.

Section 9 – Scope of Audit and Independent External Audit Report
This section of the Model Audit Rule describes the resources that the external auditor must consult in planning and performing the audit of an insurers financial statements. The following are the requirements noted and standards borrowed to complete the requirement. The Auditor must:

Section 11 – Communication of Internal Control Matters
The insurer must provide to the state insurance commissioner a report on internal control weaknesses that are still outstanding as of the close of the audit. The terminology used here is unremediated material weaknesses in internal control over financial reporting.

To successfully provide the unremediated internal control weaknesses report, the concept of materiality must be explained. Here, the insurer and external auditor are directed to the Statements on Auditing Standards No. 60 (SAS 60), Internal Control Related Matters Noted in the Audit regarding the term material weakness.

The Internal Controls Report must, for each material weakness:
 * Describe the unremediated material weakness
 * Describe Actions taken or planned on to remediate the weakness going forward (if not already communicated by the auditor)
 * (If none exist), then the report must state that fact
 * The report must also coincide with the most recent insurers annual financial statements

An example of this communication, as would be sent to the state insurance commissioner, is the following:

Section 15 – Conduct of Insurer for Documentation
The insurers’ leadership (officers, directors) cannot improperly influence an external auditor of the insurers’ financial statements. “When the officer, director, or person acting under his or her direction knew or should have known that the action, if successful (but regardless of whether the action is in fact successful) could result in rendering the issuers financial statements materially misleading”

Fraud and Gross Negligence
§15 is closely related to Rule 13b2-2(b) under the Securities Exchange Act of 1934. The standard for violation used here includes fraud (acting with intent to deceive) as well as gross negligence (reckless disregard for the truth). Gross negligence is invoked under the phrase “known or should have known”.

Section 16 – Management Report on Internal Control
This section of the Model Audit Rule is most closely related to and departs from Sarbanes Oxley Section 404 (SOX 404) on Internal Control.


 * Similar to SOX 404, Management (the insurer) is required to issue an internal controls assessment report.
 * Departing from SOX 404, the external auditor does not attest to Managements assessment of internal controls.

§16(A - D) Which Insurers must file – generally, this report is required for large insurers, those with:
 * Premiums of $500,000,000 or more (with exceptions), or
 * That are subject to Sarbanes Oxley section 404 (with exceptions)

No need for Duplicate Internal Control Reports

If an insurer is a publicly traded and subject to SOX 404, then they are already preparing an internal controls report. Therefore, the Model Audit Rule specifically states that this type of insurer “may file its or its parent’s section 404 report and an addendum in satisfaction of this §16 requirement”.

The addendum is a statement by the insurer that “there are no material processes with respect to the preparation of the insurer’s or group of insurers’ audited statutory financial statements...[]... excluded from the section 404 report.”

§16(D) Internal Control Report Contents – Managements Report on Internal Control for statutory financial statements must include:
 * Statement that Management is Responsible for establishing and maintaining Internal Controls
 * Statement that Management has in-fact established internal controls over financial reporting
 * Statement on the effectiveness of Internal Controls (providing reasonable assurance regarding the reliability of financial statements according to statutory accounting principles)
 * Approach or processes regarding Managements internal control evaluation
 * Scope of Work regarding Management internal control evaluation
 * Disclosure of unremediated material weaknesses of internal control (If there is at least one, management cannot conclude that internal controls are effective)
 * Statement on inherent limitations of internal control
 * Signatures of CEO and CFO

§16(E) Management (Insurer) Supporting Activities – During an Audit or financial condition examination, the insurer must make available the basis for assertions used in evaluation of internal control.

The insurer is given the freedom (discretion) regarding:


 * Internal control framework used, and
 * Nature and extent of documentation

The insurer has aforementioned discretion under the Model Audit Rule to achieve internal control objectives in a cost-effective manner.

Report and Addendum Example: The following is of an SEC registrant who had all Internal Controls covered in the 404 Report.