By Janet Byrne,
Financial Control Analyst
Pinnacol Assurance
In June 2006, the National Association of Insurance Commissioners
(NAIC) adopted several revisions to the Annual Financial Reporting
Model Regulation (Model Audit Rule). These revisions relate to
three main areas: auditor independence, corporate governance, and
internal control over financial reporting (ICOFR).
The most challenging of these changes to implement is the requirement
for management to report on ICOFR. If you have yet to start planning
and performing the work necessary for this, the time to start is
now!
The planning phase of the work is critical to the project’s
success. Here are the major things you need to do during the planning
phase of ICOFR:
- Get executive sponsorship. This effort will require resources
from virtually every area of your organization. For this reason,
developing a preliminary project plan and gaining executive sponsorship
is a must.
- Adopt a framework. The Internal Control – Integrated
Framework, published in 1992 by the Committee of Sponsoring Organizations
(COSO), is the original framework used by many organizations for
reporting on ICOFR. In June 2006, COSO published “Internal
Control over Financial Reporting – Guidance for Smaller Public
Companies”. It is also appropriate for most non-public
entities. This guidance is easy to follow and provides useful
tools for documenting and testing internal controls.
- Perform a financial statement risk assessment. Regulatory guidance
that has emerged over the past two years suggests that
a “top-down approach” is the most efficient and effective
way to tackle the requirement for management to report on ICOFR.
The top-down approach requires management to perform a financial
statement risk assessment to identify its financial reporting objectives
and the most significant risks to achieving those objectives. To
perform a financial statement risk assessment, management must
identify and analyze the various risks of material misstatement
and evaluate their likelihood of occurrence and the significance
of impact to the financial statements. The controls that address
the highest risk areas should receive the most attention during
the documentation and testing phase of the process. Fraud risk
should be explicitly considered and documented as part of the risk
assessment.
Once your risk assessment is complete, document and test your
organization’s control environment and control activities.
- Document Control Environment – A sound control environment
is the foundation of any effective system of internal control.
Companies must demonstrate that the “tone at the top” supports
integrity and ethical values, adequate oversight, and financial
reporting competence.
- Document Control Activities – Document
how major classes of transactions are initiated, authorized,
processed, recorded, and reported. Identify the controls that
mitigate the risks related to the affected accounts.
- Test controls – Identify and test your key controls. There are
a variety of ways to test your key controls. Let your
risk assessment guide you in determining the type of test and the
extent of the evidence that is required.
- Remediate Weaknesses and Deficiencies – Along the
way, you may find that certain controls are not operating as intended.
Many of these issues will not rise to the level of a material weakness
or a significant deficiency. Fix and retest any issues deemed material.
- Prepare your certification – The final step is to
prepare your report and file it with your state. You may want to
consider implementing a sub-certification process, whereby control
owners sign individual certifications stating that their controls
were working as intended throughout the reporting period.
Gathering sufficient evidence for management to report on ICOFR
is no simple task. Getting started early may be the most important
thing you can do to ensure success in meeting the new requirement.