IASA 86TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW

Risk-Focused Examinations

Session 704

Understanding the Examination Process

In order to be able to maximize examination efficiency and

have examiners fully leverage work being done by your

company, it is important to understand the risk-focused

examination process and requirements.

Risk-Focused Examinations

Presentation areas of focus:

1. How to prepare for an examination

2. Overview of the risk-focused examination process

3. What’s new in examinations

4. Observations from recent examinations

5. Q&A

Risk-Focused Examinations

Presentation areas of focus:

1. How to best prepare for an examination

2. Overview of the risk-focused examination process

3. What’s new in examinations

4. Observations from recent examinations

5. Q&A

How to Prepare

I received an examination notice, now what?

Preparing for the Examination

Understand the process (second part of presentation)

Factors to consider in preparing for an examination:

• Timing

• Physical Space

• Personnel Identification

• IT Considerations

• Information Transfer

• Tracking of Open Items and requests

• Auditor Involvement (CPA/Internal)

• C-Suite Interviews

Timing

Frequency and scope of examinations

Establish an understanding of the timing of the examination (start date,

milestones (exhibit completion deadlines), anticipated end date, and

deadlines).

Discuss on-site vs. off-site examination work and timing of each

Consider the impact of the risk-focused change on examination timing

Risk assessment historically part of planning

Now extends through all seven phases

(more management involvement)

Examination Coordination considerations

Use of Experts

Timing of C-level interviews

Timing of CPA involvement

Communication of company constraints (reporting deadlines)

Physical Space

In order to prepare physical space

for the exam team, communication

about the space that will be

needed and the number of

examiners should be discussed

before the start of the exam.

Personnel Identification

Identify who will be involved

Company personnel and responsibilities relating to the exam

Examination personnel and responsibilities

Create a contact list

Off-site Considerations

Other personnel involved

IT Considerations

IT Connections

What are the examiner requirements

Method of information exchange

Electronic work-paper considerations

IT Security

Protect data and confidentiality of information

Handbook discussion of confidentiality

Confidentiality

The risk-focused surveillance approach contained within this Handbook will require examiners to incorporate new tools to document their

examination approach and to increase the extent of communication with their department analysts as well other regulators. Similar to other

documentation completed in accordance with a financial condition examination, these tools are considered examination work papers and thus

considered confidential under state law, including the state’s examination law. In addition, sensitive documents of the insurer that are used in the

risk assessment process, such as internal audit reports, will be examination work papers and protected under the confidentiality standards set forth

in the NAIC Model Law on Examinations. Furthermore, the enhanced communication between state insurance department examiners and analysts

and the sharing of information to other state insurance departments shall not impact the confidential status of these work papers. As with the

communication of other confidential information, examination work papers may be shared with other regulators whose state insurance department

has authority under state law to preserve the confidentiality of the information they receive and maintain.

Transfer of Information / Tracking of Outstanding Items

The insurer and regulator should have a system for the

transfer of information and the tracking of outstanding

items to avoid duplicate requests.

Regular status meetings

“Dashboard” reporting of status

CPA Work Papers

Auditor Work-papers:

Initiate a meeting and discussion between exam team and CPA

Work-papers for years under examination

Current year focus

Prior year work paper applicability

Current year not yet available

Rotational testing of controls

Prior year remediated issues

Lead time for requests

Follow-up meetings

Auditor and examiner should have a discussion prior to finalization of exam and audit

Internal Audit

The examiner will need to evaluate the internal audit process

for reliance

• If CPAs rely on the Internal Audit function, this process may be short-

cut by having CPAs discuss their evaluation/reliance with examiners

• Information needed by examiners

• Internal audit function overview

• Reporting lines

• Audit plans

• Audit results

Preparing for Interviews

Interviews will likely take place with:

Board of Directors

Audit Committee

Senior Management

Educate board members on the examination process:

Explain why interviews are occurring

Provide Exhibit Y for typical questions asked

Fiduciary duties of board members

Examination authority laws

STAT and GAAP accounting basis's

Mission of Examiner’s (protect promises made to policyholder)

Scope of exam includes long-term strategies and prospective risks

Ask Examiners to prepare an agenda and discussion topics

Risk-Focused Examinations

Presentation areas of focus:

1. How to best prepare for an examination

2. Overview of the risk-focused examination process

3. What’s new in examinations

4. Observations from recent examinations

5. Q&A

Traditional and Risk-Focused Approach Comparison

Traditional

Details

Checklists

Symptoms

Reporting Findings

Transaction Testing

Task Oriented

Static Reviews

Current Issues

Risk-Focused

Big Picture/Top Down

Priorities (Risk Focus)

Cause

Make Recommendations

Process/Control Review

Results-Oriented

Ongoing Monitoring

Emerging/Prospective Issues

Risk-Focused Exam in a Nutshell

The risk-focused exam procedures are designed to allow

examiners to: • Develop an understanding of the insurer’s key functional activities and the

risks associated with those activities

• Evaluate the effectiveness of the risk mitigation strategies and controls

“Solvency issues generally result from business risks that were not mitigated

to an acceptable level by company controls. Inadequately controlled

operating risks may take several years to be reflected in the company’s

financial statements.”

Risk Focused Exam Process

19

• Understand the Company and Identify Key Functional Activities to be Reviewed Phase 1

• Identify and Assess Inherent Risk in Activities Phase 2

• Identify and Evaluate Risk Mitigation Strategies/Controls Phase 3

• Determine Residual Risk Phase 4

• Establish/Conclude Examination Procedures Phase 5

• Update Prioritization and Supervisory Plan Phase 6

• Draft Examination Report and Management Letter based upon Findings Phase 7

Procedures within

the Planning

Process- where

management can

have the most

impact

PHASE 1 Understanding the Company and Key Functional Areas

RISK-FOCUSED EXAMINATIONS

Phase 1: Understand the Company

Understanding the Company

Understanding the Corporate Governance Structure

Assessing the Adequacy of the Audit Function

Identifying Key Functional Activities

Consideration of Prospective Risks for Indication of

Solvency Concerns

21

Phase 1 Understanding the Company Sample Risk Assessment Catalog Process

Combined Risk

Catalog

Review Prior Examination

Review Prior External Audit

Review Internal Audits

Review SOX

Review self assessments

Meet with Key Members of

Management

Handbook Considerations

Regulatory Concerns

Other sources (news, current

events)

Phase 1 Corporate Governance Structure

Components of effective corporate governance programs

include: 1. Competency

2. Independent and adequate involvement

3. Communication

4. Code of conduct

5. Strategic and financial objectives

6. Business planning

7. Reliable risk management

8. Sound principals of conduct

9. Independence

10. Objective and independent reporting

11. Sarbanes-Oxley provisions

12. Board oversight

Exhibit M – Understanding Corporate Governance Structure 23

Phase 1 Management Preparation

What can management do to prepare?

• Understand the examination process – understand the goals and the

procedures used to achieve those goals

• Consider the information that examiners will be looking at in advance

of the examination process

• Ensure processes and corporate governance are documented

Starting the Process

• Be Proactive (consider process prior to exam)

• Phase 1 is often where management can be most involved

• Arrange regular meetings (internally and with examiners)

• Ask examiners to prepare formal request lists

• Have an overview meeting to tell about the company and set the

stage

24

Phase 1 Management Preparation – Exhibits and Questionnaires

Obtain and complete exhibits as early in process as possible

Don’t “skimp” on answers – use memos and attachments as necessary

Exhibit B – Planning questionnaire

“The questionnaire responses should be considered when identifying the inherent risks of the insurer.

They should also impact the planned examination approach, and the nature, timing and extent of

examination procedures performed”

• The more complete the questionnaire, the less work examiners need to do

• Plan ahead - document processes as they are being done

Exhibit C – Evaluation of controls in information technology

• Work program – examples of common risks, controls, example requests, tests

procedures

• Use as a guide to what examiners are looking for

Management Preparation Importance of Interviews

Exhibit Y – Examination Interviews

“It is critical for the examination team to understand and leverage the

company’s risk management program; i.e. how the company identifies,

controls, monitors, evaluates and responds to its risks….An examiner

can perform alternate, additional or fewer detail and control tests as a

result of interviews with the company.”

• Make sure examiners have an overall understanding of the company before

conducting high level interviews

• Get an agenda in advance of the meeting

• Exhibit Y has sample questions

• Provide management’s view of governance and control structure

(Top down approach).

Phase 1 Assess the Audit Function

External auditors

• Provide an understanding of control structure to examiners

• CPA’s risk assessment is a starting point for examiners

• Compliance/control testing and substantive procedures reviewed for possible reliance

• Should be complementary to exam process

• Examiner must consider quality, adequacy and results of auditors work

Internal audit - Must be independent, objective and perform quality audits

• Provides insight into risk identification and control structure

• Financial

• Operational

• Compliance

• IT

• Should be complementary to external audit

• Examiner must understand IA’s role in internal control structure

• Examiner must understand qualifications and independence

27

New

Corporate

Governance

Requirement

Phase 1 Audit Function - Management Facilitation

Management Facilitation

• Discuss expected cooperation with external auditors

• Facilitate meetings

• Prepare required authorization letters

• Ensure availability of auditor work-papers

• Understand the required information (Exhibit E)

• Document role and structure of internal audit

• Provide a list of internal audit activities

28

Phase 1 Identify Key Functional Activities

Key Functional Activities

& Prospective Risks

Audit Assessment

(step 3)

Corporate Governance Assessment

(step 2)

Information Obtained (step 1)

13

Consideration is given to

qualitative and quantitative

measures

Phase 1 Key Activities and Prospective Risk Management Facilitation

Discuss key activities with examiners

Ensure activities match actual business

Match key activities with those identified by the company

Understand the company’s prospective risks

• Asset/liability matching

• Loss reserve development methods

• Pricing and underwriting

• Reinsurance

• Growth, M&A activity

• Liquidity of assets

• Other business risks

PHASE 2 Identify and Assess Inherent Risk

RISK-FOCUSED EXAMINATIONS

Phase 2 Identify and Assess Inherent Risk

Step 1: Identifying the Risk

Step 2: Identifying the Type of Risk

Step 3: Assessing the Inherent Risk

• Exhibit J - Risk Assessment Worksheets

• Exhibit K - Risk Assessment Matrix

• Exhibit L – Branded Risk Classifications

Repositories – Common risks, control best practices, test of

controls, sample testing

32

Phase 2 Step 1: Identifying the Risk

Key activities and sub-activities identified in Phase 1

are the building blocks for identifying inherent risk.

• Risks Other than Financial Reporting

• Financial Reporting Risks

Ask the question “What can go wrong?” for each of the

key activities.

Repositories included in handbook

33

Phase 2 Step 2: Identifying the Type of Risk

34

• Credit

• Market

• Pricing/underwriting

• Reserving

• Liquidity

• Operational

• Legal

• Strategic

• Reputational

Branded Risk Classifications:

Critical Risk

Why Critical Risk?

How will this change the exam process?

• Flexibility

• Removal of Tolerable Error

Schedule DD- Critical risk – 10 areas that

represent significant threats to a company’s

overall solvency position.

As of 12/31/13

Used for accreditation as of 12/31/13

Critical Risk

Valuation/ Impairment of Complex or Subjectively Valued Invested Assets

Liquidity Considerations

Appropriateness/

Adequacy of Reinsurance Program

Reinsurance Reporting and Collectability

Underwriting and Pricing Strategy/Quality

Reserve Data

Reserve Adequacy

Related Party/Holding Company Considerations

Capital Management

PHASE 3 Identify and Evaluate Risk Mitigation Strategies and Controls

RISK-FOCUSED EXAMINATIONS

Phase 3 Strategy/Control Assessment

Step 1: Identify Risk Mitigation Strategies/Controls

Step 2: Evaluate Risk Mitigation Strategies/Controls

Step 3: Consideration of Small/Medium-Size Insurers

Step 4: Examiner Use of Sarbanes-Oxley

Documentation

38

Phase 3 Step 1: Identify Risk Mitigation Controls

The insurer’s control risk should be assessed by

determining how well the risk mitigation strategies/controls

offset the inherent risks identified

Leverage off work of external and internal audit and

company self-assessments (e.g. SOX)

39

Phase 3 Step 2: Evaluate Risk Mitigation Controls

Controls over Financial Reporting Risks tested to ensure:

• Operating as expected

• Applied consistently throughout the entire period of reliance

• Performed on a timely basis

• Encompassing all transactions

• Identifying errors

Reliance on External Auditors

Reliance on Controls Testing Performed in Prior Years

40

Risk Mitigation Strategies/Controls Ratings

The Risk Mitigation Strategy/Control Assessment ratings to

be indicated in the Risk Assessment Matrix are:

• Strong Risk Management

• Moderate Risk Management

• Weak Risk Management

41

Phase 3 Step 2: Evaluate Risk Mitigation Controls

Phase 3 Management Considerations

Control structure and mitigating controls have a significant

impact on the level of work performed during the

examination

Designing and self evaluating controls is cost effective from

an audit and examination perspective.

Ensure examiners fully understand control structure and

testing done by external auditors, internal auditors, Sox

testing

PHASES 4-7

RISK-FOCUSED EXAMINATIONS

Phases 4 & 5

Phase 4 – Determination of residual risk

Combination of inherent risk and control risk

Also allows for examiner judgmental risk

Extent of testing in Phase 5 is determinant on residual risk

• High – Detail procedures required

• Moderate – Fewer detailed procedures, more analytical

• Low – Limited or no detail procedures performed, may be limited to

analytical

Phase 5 – Detailed Examination Procedures

Testing should focus on risk areas

May also include state-specific procedures

Phases 6 & 7

Phase 6 – Update prioritization and supervisory plan

• Examiners use material findings and risk assessment to update

ongoing supervisory plan for the insurer

Management involvement - None

Phase 7 – Draft examination report and management letter

Management involvement:

Ensure exam report is accurate and does not disclose confidential

information

Draft management letter responses, take credit for controls already

instituted

Risk-Focused Examinations

Presentation areas of focus:

1. How to best prepare for an examination

2. Overview of the risk-focused examination process

3. What’s new in examinations

3. Observations from recent examinations

4. Q&A

What’s New in Examinations

Form F – Enterprise Risk Report

ORSA Summary Report

• ORSA exam/ analysis procedures exposed for comment under the

Risk-Focused Surveillance (E) Working Group

Exhibit DD – Critical Risk

• 10 Critical Risk Categories

• Tolerable error (TE)removal- 12/31/2013

• Exhibit DD- Accreditation requirement

as of 12/31/2013

Recent Examination Guidance Changes

Exhibit V – Prospective Risk Assessment

• Examiners should corroborate assertions that management has made

regarding identified risks and their mitigation

• Examiners should identify follow-up procedures for analysts

• Examples provided for completing exhibit

Exhibit- E- Internal/ External Audit

• Corporate Governance

Risk-Focused Examinations

Presentation areas of focus:

1. How to best prepare for an examination

2. Overview of the risk-focused examination process

3. What’s new in examinations

3. Observations from recent examinations

4. Q&A

Risk-Focused Exams Observations

Sound practices

• Schedule regular face-to-face meetings between insurer, examiner

and analysts

• Provide forms (planning questionnaire, IT planning questionnaire and

preliminary company request as early as practical

• Consider constraints on company personnel when establishing

request due dates

• Interviews:

• Review Annual statement, prior year reports, AM Best report, news reports

and inquiry of analyst to obtain basic insurer understanding before

conducting interviews

• Provide topical agenda as a guide for discussion

• Give adequate advance notice (30 days)

Risk-Focused Exams Observations

Interviews – cont’d

• C-Level interviews should be performed in Phase 1 to gain a better

understanding of the company and its significant risks

Using work of others (CPA, IA)

• Issues in obtaining work of others should be communicated promptly

• Deficiencies noted in work of others that limits usefulness for exam

purposes should be communicated to allow company to correct

deficiencies in future exams

Control identification

• Discuss perceived missing controls with company before

documenting control weaknesses

Leverage information from prior examinations

Risk-Focused Examinations

Presentation areas of focus:

1. How to best prepare for an examination

2. Overview of the risk-focused examination process

3. Observations from recent examinations

4. Q&A

Contact Information

Sherry “Cyranna” L. Flippo, CPA, FLMI

Financial Program Manager

1100 Walnut Street, Suite 1500 Kansas City, MO 64106

816-783-8133

sflippo@naic.com

Dianne Batistoni, CPA, CFE

Partner, Insurance Services

111 Wood Ave South, Iselin, NJ 08830

732-243-7220

dianne.batistoni@eisneramper.com

IASA 86TH ANNUAL EDUCATIONAL CONFERENCE & BUSINESS SHOW

Please Complete the Session Evaluation Form on the Conference App and Include Your Conference Registration ID# to be Included in a Drawing for a Free Conference Registration for the 2015 Annual Conference! NOTE: Your Conference Registration ID# is Located at the

Bottom Left Hand Corner of Your Badge.