In less than three months, the new Model Audit Rule (MAR) will go into effect. Beginning January 1st, many non-public insurers will for the first time be required to comply with more stringent regulatory provisions, and public insurers that are already subject to SOX will be subject to additional reporting requirements. One key aspect of addressing MAR compliance will be the ability to protect the integrity of financial systems by preventing and detecting unauthorized or inappropriate access by employees, contractors, partners, or customers.
Most industry analysts agree that the MAR applies SOX requirements to privately-held insurance companies. While it’s true that the new rule was based on SOX and contains many of the same auditing and reporting requirements, the two regulations are not the same. In fact, there are some key differences:
- SOX applies only to publicly-held companies, whereas the Model Audit Rule applies to all insurance companies domiciled in the United States with direct and assumed premiums greater than $500 million.
- SOX requires the CEO and CFO to certify in quarterly and annual SEC filings the adequacy of the company’s disclosure controls and whether there have been changes in its ICFR. The Model Audit Rule applies only to the internal controls over annual statutory financial statements filed by insurers. Therefore, the certifications apply only to the annual reports.
- SOX requires that a company’s external auditor attest to and report on management’s evaluation of ICFR. The Model Audit Rule has no such external attestation requirement.
For identity management and IT security professionals, the most significant aspect of the new MAR is the requirement to perform an assessment of internal controls over financial reporting (if you’ve undergone a SOX audit before, this will be familiar territory). In the coming weeks, we’ll be spending more time exploring the new MAR because we believe there are several best practices from SOX compliance efforts that can provide a baseline for achieving MAR compliance.
We’re also partnering with Michael Rasmussen, a renowned GRC analyst at Corporate Integrity, for a webinar, “Addressing the New Model Audit Rule 2010” on October 22nd. During this webinar, Michael will review the identity-related controls associated with the 2010 MAR requirements, how these affect managing access to key financial applications and data, and how to be prepared for audits and executive reporting needs.