For small and mid-sized insurers, compliance with the Model Audit Rule (MAR) requires an enormous lift from the internal audit function. A proactive mindset can reduce the long-term cost and headache associated with compliance, but it requires a well-executed and strategic approach. If your organization is making first-time preparations for MAR compliance, or is preparing to make improvements upon its current annual MAR compliance program, you should consider the following four questions:
1. Are your accounting policies documented and understood throughout the company?
Having well-documented accounting policies is, of course, a provision of the MAR. It can be one of the most time-consuming and difficult tasks for insurers preparing for MAR for the first time - particularly for those insurers without an in-house internal audit or risk management function. In some cases, existing policies may be sufficient, but in others, entirely new policies and procedures must be created to complete the assessment. Because of the demands this can place on your organization, we advise that insurers begin the policy and procedure assessment well in advance of pursuing MAR compliance. By evaluating and improving existing policies and procedures, your organization can begin to improve its governance culture, even before actively pursuing MAR compliance.
2. Are your internal controls adequate to detect and report errors and fraud?
One of the stated goals of the MAR is to help insurers minimize the likelihood of fraud and errors. To do this, management must demonstrate that their control environment is effectively designed, and that key controls are in place for a number of important processes, including corporate governance, underwriting, losses and loss reserves, reinsurance, and operating expenses. In addition, insurers must account for the risks and controls of the IT systems that play a role in the production of their annual financial statements. Assessing the control environment and remediating deficiencies can be a challenge, but it can also be a rewarding and valuable exercise for growing companies, as it sets the stage for more effective fraud mitigation and simplifies compliance with a number of common regulations, including both MAR and SOX.
3. Are key performance metrics being maintained?
Once your policies have been documented and controls have been effectively designed, it is time to begin tracking your key performance metrics, including solvency, loss ratios, liquidity, and profitability ratios. In theory, insurers of all sizes and in all stages of MAR compliance should be tracking these metrics, but in practice, it often requires more legwork than smaller insurers are able to supply. As your organization nears MAR compliance or prepares to advance to the next tier, it is important to reevaluate your performance metrics to confirm that they are accurately and consistently measuring the aspects of your business that are of the most interest to regulators. Proactively implementing and confirming these metrics will save a significant amount of time and effort during the MAR compliance process.
4. Are company risks, controls and compliance activities continuously assessed?
MAR encourages insurers to build a culture that emphasizes continuous monitoring. Key controls, in particular, should be regularly assessed to confirm that they are operating effectively, and remain adequate and appropriate for the risks they are mitigating. Management should use discretion when building an action plan for ongoing monitoring of these controls, with priority given to controls that cover high-risk activities. These controls should be assessed annually, at a minimum, while lower-risk controls may be assessed every three years. Insurers with no existing documented plans for continuous assessment should begin to develop a regular assessment plan, starting with the documentation of any informal practices that may exist within the organization.
With MAR, just as it is with SOX, internal audit is the most important function when it comes to achieving and maintaining compliance. Too many companies wait for external auditors and regulators to find problems, and then suffer through time-consuming and expensive remediation. Your internal audit function can be the key to identifying these issues before the external auditor does, allowing your organization to remediate according to your own timelines and budget. If your organization lacks a defined internal audit department, identifying a trusted outsourced provider such as Focal Point can make the difference between a smooth compliance process and one that is exceedingly expensive and disruptive to your business.