OIR Proposes Changes to Model Audit Rule
The OIR has announced a notice of proposed rulemaking for Rule 69O-137.002, Model Audit Rule. If requested a hearing will be held on April 23, 2010.
Some highlights of the rule, which attempts to match Florida’s rule with the NAIC model.
1. It now expressly requires: (a) Communication of Internal Control Related Matters in an audit and (b) a Management Report of Internal Control over Financial Reporting in certain cases.
2. A definition of “audit committee” has been added. The audit committee is defined so that an “audit committee of any entity that controls a Group of insurers may be deemed to be the Audit committee for one or more of these controlled insurers solely for the purposes of this regulation at the election of the controlling person.” (14)(e) provides a process for this election. Paragraph (14) also sets out requirements for the Audit Committee. However it exempts insurers that are a “Sox Complaint Entity or a direct or indirect wholly-owned subsidiary of a SOX Complaint Entity.” There is a subparagraph (c) of 14 which defines “independent” for audit committee membership purposes. It also says there is no “minimum requirements” for number of independent committee members for companies with less than $300,000 in premium (with a few exceptions). Above $300,000 the rule requires a majority to be independent. Interestingly, there is also definition of “independent board member” in paragraph (3)(f) which adopts this definition.
3. A new section (7)(a)2 states that OIR will not recognize as qualified to complete an independent audit any person or firm which has entered into an “agreement of indemnity or release from liability” with respect to the audit. Indemnification is defined as “an agreement…or release of liability where the intent or effect is to shift or limit in any manner the potential liability of the person or firm for failure to adhere to applicable auditing or professional standards, whether or not resulting in part from knowing of other misrepresentations made by the insurer or its representatives.”
4. The lead or coordinating partner in an audit may not serve in that role for more than 5 (was 7) consecutive years (exceptions can be obtained).
5. Auditors cannot be considered independent if they provide any of a list of “non-audit” services to the insurer. (See (7)(g)). An insurer with less than $100,000,000 in premium can request an exemption from this requirement. There is also a provision proposed to adopt three “principles of independence” for auditors – “the accountant cannot function in the role of management, cannot audit his own work, and cannot serve in an advocacy role for the insurer.” For services which are “non-audit” services not limited by (g) (e.g. tax work) the auditor must have approval from the Audit Committee to perform them. The rule requires all services to be approved by the audit committee.
6. The independent auditor must obtain “an understanding of internal control sufficient to plan the audit and in accordance with AU section 319, “Consideration of Internal Control in a Financial Statement Audit.”
7. The requirement (section 11) that the independent auditor furnish the Office with a written report describing deficiencies in the insurer’s internal control structure has been revised. The “report” is now called a communication and is due within sixty days after the audit is filed.
8. The rule specifically prohibits an officer or director of an insurer from making or causing to be made a materially false or misleading statement to an accountant in connection with an audit or from omitting to state or cause another person to omit to state, “any material fact necessary in order to make statements made, in light of the circumstances under which the statements were made, not misleading to an accountant in connection with any audit…” The rule also forbids officers or directors or any person acting under their direction from taking any action to “coerce, manipulate, mislead or fraudulently influence any accountant”…performing an audit.
9. Finally, a section entitled “Management’s Report of Internal Control over Financial Reporting” has been added. It only applies to companies with premium over $500,000,000 and those OIR designates to file and which have an “RBC level event, or meets any or more of the standards of an insurer deemed to be in hazardous financial condition…”