Privately held and mutual insurance companies should not consider themselves off the hook when it comes to Sarbanes-Oxley compliance. Even though the law, which passed in 2002, applies only to publicly held companies, the National Association of Insurance Commissioners (NAIC), the Kansas City, Mo.-based organization that oversees state insurance regulation, is working on adding SOX-like provisions to its model audit rule.At press time, a working group composed of members of the NAIC and the American Institute of Certified Public Accountants (AICPA), New York, was considering specific alterations to the NAIC's "Model Regulation Requiring Audited Annual Financial Reports." Those alterations are based on Titles II, III, and IV of Sarbanes-Oxley, according to Doug Stolte, chairman of the NAIC/AICPA working group and deputy commissioner over the financial regulation division of Virginia's Department of Insurance.
"In 2003, we began analyzing certain sections of SOX and compared it to our model audit rule," Stolte says. Then, last April, the NAIC developed a draft of its audit rule with proposed SOX-like changes. In March, Stolte expected two subgroups-the ones working on Titles II and III-to complete their work by June. Another subgroup, addressing the more controversial changes based on Section 404 internal controls-was aiming to finish its work by the end of this year.
Several industry trade associations are voicing their opposition to adding more regulatory burden on nonpublic insurance companies. The Property Casualty Insurers Association of America (PCI), Des Plaines, Ill., in an open letter to the nation's insurance commissioners, urged them to raise questions about the NAIC's efforts to apply SOX standards to the entire insurance industry.
Current financial reporting standards for insurers, including special accounting rules, line-by-line forms for financial statements, and actuarial opinions on loss reserves, are unique to this industry and are significantly more extensive than those imposed on other businesses, according to Ernie Csiszar, PCI president and CEO.
"The state regulators have assumed that SOX needs to be applied to the entire insurance industry, and they haven't even looked at some basic questions," says Stephen Broadie, PCI assistant vice president-financial. "First of all, is there a problem that needs to be addressed? Secondly, if there is a problem, what are the alternative solutions-and what are the costs and benefits of each solution?" Until those questions are answered, PCI believes there's no reason to impose additional requirements on insurers, he says.
Those requirements will be costly, according to sources. For example, a survey of 321 public companies conducted by Financial Insurance Executives International in January 2004 found those companies expected to spend an average of $732,100 to comply with Section 404 of Sarbanes-Oxley. Companies with less than $25 million in revenue expected to pay an average of $170,000, while those with more than $5 billion in revenue planned on SOX expenses of $1,390,100 on average.
For large companies, new SOX-like auditing requirements can run into millions of dollars, Stolte admits. "But insolvencies run into millions of dollars too," he says. The regulators realize changing the audit rule won't prevent all insolvencies, he adds. "But we do believe if insurers have strong corporate governance and a robust audit function with management and an external auditor certifying that internal controls over financial reporting are in place, we as regulators are going to be better able to do our jobs." And the public and policyholders deserve that, he says.
