Sarbanes-Oxley Act Section 404: a compliance exercise, or a value-added process that can help insurance companies improve controls and reduce risk? If you answered value-added exercise, you are correct. And if you included IT controls as part of your answer, go to the head of the class.
Consider for a moment what could happen to a company that goes through downsizing and a series of layoffs that fragment the IT department and blur the roles of the people left to carry out the company's IT functions. Documentation could suffer. IT controls could be weakened. This in itself is a major problem. Add in the new internal controls reporting requirements of the Sarbanes-Oxley Act, and you could have the recipe for a major corporate calamity.
Like other public companies, insurance companies are grappling with the impact of the Sarbanes-Oxley legislation. One aspect of the process they need to pay particularly close attention to as they implement Section 404, Internal Control Reporting, which requires public companies to document, evaluate, and report on the effectiveness of their internal controls, is information technology controls.
Some insurers consider their 404 implementation a compliance exercise. Others correctly view it as a value-added process that can improve controls and control awareness and reduce risk. The overall objective of 404 is to provide shareholders with an accurate report of the state of internal controls. The exercise also provides an opportunity to identify control deficiencies and remediate them, with the added benefit of improving shareholder trust. Following are 404 best practices for the insurance industry, as well as components of a framework for approaching 404, including the impact 404 can have on IT controls.
A Significant Financial Statement Account View
When approaching 404, there's one perspective that will prove to be the right one for insurance carriers: Insurers should approach their 404 projects in a manner that tightly links significant financial statement accounts, related processes, and the systems that support those processes. Figure 1 below provides a framework for approaching 404 projects from a significant financial statement account perspective. This framework gives an insurer a foundation for:
Identifying its significant financial statement accounts and the major processes that affect those accounts, such as premium billing and collection, enrollment (for health insurers), claims processing, reinsurance, investments, commissions, and the general-ledger close process.
Reviewing the workflows of significant processes and analyzing risks.
Identifying and documenting controls that address those risks.
Evaluating the overall effectiveness of controls and testing those controls.
Identifying matters for improvement as well as establishing monitoring systems.
Building on this, an insurer also must evaluate key controls within this framework. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) Report, which contains the most widely accepted definition of internal control, has identified five interrelated components that must be present and functioning for an insurer to have an effective internal control system:
Control environment: reflects the overall attitude, awareness, and actions of management concerning the importance of controls.
Risk assessment: the process of identifying, analyzing, and managing risks.
Control activities: the policies, procedures, and practices that ensure management's control objectives are achieved.
Information and communication: the process of capturing and exchanging the information needed to conduct, manage, and control operations.
Monitoring: the oversight of internal controls by management.
COSO is an excellent framework for establishing controls and is often used during 404 projects because of the structure it provides and the comprehensiveness of its components. Whatever framework is selected, it must be comprehensive, clearly communicated, and agreed upon by management and external auditors.
Assessing IT: The Earlier, the Better
As a 404 project framework is implemented, significant accounts and their related significant processes are identified. At this point, as each insurance company maps its significant accounts to processes, IT must be considered early. Keep in mind, it may not be necessary to assess all systems and technology processes within the company. Answer the following questions to determine which need to be assessed:
How many systems are involved, and which are material to the financial statement account in question? Remember, most processes are IT-dependent in some form or fashion. Management often relies on IT controls for both routine and nonroutine processes.
What is the role of the system(s) in the process itself, and where are the key controls located? Often the system is central to processing but does not provide key controls, as there may be compensating user controls.
What is the underlying technology that supports the system? Is it mainframe or client server? What database management system (DBMS) is employed?
Is IT organized in a decentralized or centralized fashion? Are external IT service organizations utilized, and how are they controlled?
You're on the right track, but after identifying the systems that support significant processes, a determination must be made as to whether key controls, such as edit checks, reside within the systems in question. We have seen instances in the insurance industry where significant systems lack key functionality and require manual work-arounds. In those cases, we have found it may not be appropriate to review the system, since the key controls do not reside within it.
Establishing Controls for IT
Once the systems that are in scope have been identified, general controls over the underlying IT processes (typically within the data center environment) must be considered. One approach is to use a recognized IT framework, such as Control Objectives for Information and related Technology (COBIT), to review general controls. The following IT processes, at a minimum, should be reviewed during the 404 project:
Systems development and change controls
Data center operations management
Logical security (at the network, platform, and system layers)
Physical security, including not only the data center, but significant server and telecommunications rooms
IT management, including key monitoring metrics
Database management
Telecommunications/Network
Vendor management, including service level agreements
Problem management
Disaster recovery and business continuity
What Could Go Wrong?
A great deal should have been accomplished at this point, but there are a few more critical steps that need to be taken. One of the most important is the "What Could Go Wrong?" analysis, which will help identify possible IT errors that could have a material effect (individually or collectively) on the company's financial statements. Root causes of errors can range from high-level issues, such as a lack of IT policies and procedures, to more specific deficiencies, such as poor data integrity, missing or faulty functionality, or even weak basic security over data files and systems. This analysis should be performed using a control framework that is applied to the systems and underlying IT processes in scope.
To illustrate, consider Hypothetical Insurance, which is assessing its IT control structure within the framework of the five COSO components. Hypothetical would need to:
Assess its control environment, considering such factors as the IT organization and management's interest in and oversight of IT. The assessment reveals that Hypothetical has a competent and well-trained IT staff; its decentralized IT operations are balanced with strong overall IT policies and procedures; user management appears to do a good job of owning and controlling systems; and the overall control environment is very good.
Consider its risk assessment process. This reveals a mechanism to identify technology risks in conjunction with the internal audit department; an approved strategic plan; and frequent interaction with Hypothetical's external auditors, all supporting an effective, annual risk assessment process. Hypothetical also demonstrated appropriate risk assessment during a recent major acquisition.
Examine its information and communication. Hypothetical's IT enables timely and accurate reporting of operational and financial results; coordination between Finance and IT on major projects is very good; and appropriate backup procedures and business continuity processes are observed. Overall, information and communication processes appear to be adequate.
Consider its control activities. This is where many companies may be lacking in certain areas. Hypothetical, for example, does not have adequate documentation of systems and controls. In addition, due to a recent layoff, segregation of IT duties in the program-maintenance function is not strong. Hypothetical's management will have to work to remediate this deficiency and create documentation of key controls before year-end. Luckily for Hypothetical, these are the only control areas requiring improvement. Other control activities, such as automated system controls and IT security, did not have such deficiencies.
Review monitoring procedures. Hypothetical uses IT performance monitoring and service level agreements for the outside service organizations it relies on for data center and claims processing. Hypothetical also has adequate internal monitoring programs, such as an intrusion detection system for its Web activities and an adequately staffed IT internal audit function. Overall, monitoring procedures appear to be strong.
Documentation: A Crucial Step
Gathering and preparing appropriate documentation, which has not traditionally been a strong area for insurance companies, should be a primary area of focus in complying with 404. After the IT control activities and key controls are identified, the insurance company should document them, using flowcharts, diagrams, and narratives, to describe how transactions are initiated, recorded, processed, and reported. The level of required system control documentation will depend on:
Number of businesses
Degree of IT centralization
Nature/Complexity of transactions
Degree of management reliance on IT systems
High degree of automation in processing day-to-day transactions (e.g., claims processing)
Whether IT data elements are the primary source of data used in decision-making (e.g., valuation systems)
Whether IT availability/integrity is critical to each system in question (e.g., cash management systems need high availability)
Another area that may present a challenge is identifying the outside organizations that provide a significant portion of processing for the company and determining whether their controls are adequate and documented. This is an important step that should be taken early, in case there are issues that need to be addressed.
Identifying key IT controls provides an opportunity for meaningful collaboration between system owners and IT management that can improve future systems development. Careful consideration of IT within the 404 project is essential to success and will make the 404 project a value-added process for the insurance company.
Maurice DiMeo leads the insurance technology segment of the New York Technology and Security Risk Services practice of Ernst & Young. He can be reached at 212-773-1064, maurice.dimeo@ey.com.
The content of Inside Track is the responsibility of each column's author. The views and opinions are those of the author and do not necessarily represent those of Tech Decisions.
Best Practices for Sarbanes-Oxley Act Section 404