02-031 C.M.R. ch. 235, § 10 - Evaluation of Insurer's Internal Controls

A. An insurer's board of directors and management shall have effective internal controls designed to provide reasonable assurance regarding the reliability of the financial statements required by Subsections 3(B) through 3(F) of this Rule, including policies and procedures that:

(1) Pertain to the maintenance of records that, in reasonable detail, accurately and fairly reflect the transactions and dispositions of assets;

(2) Provide reasonable assurance that transactions are recorded as necessary to permit preparation of the financial statements and that receipts and expenditures are being made only in accordance with authorizations of management and directors; and

(3) Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use, or disposition of assets that could have a material effect on the financial statements.

B. At the time the annual audited financial report is filed, each insurer shall furnish the Superintendent with a Communication of Internal Control Related Matters Noted in an Audit, which is a written report prepared by the accountant acknowledging that the accountant has evaluated the insurer's internal controls pursuant to generally accepted auditing standards, and describing any material weaknesses in the insurer's internal control structure that were noted by the accountant during the audit and were unremediated as of the financial statement date. No further detail need be provided if the accountant does not identify any unremediated material weaknesses. If the internal control evaluation cannot be finalized by the time the annual audited financial report is filed, the insurer may file the evaluation up to 60 days later. If unremediated material weaknesses are identified, the insurer must provide a description of remedial actions taken or proposed, if those actions are not described in the accountant's report. The accountant shall communicate any material weaknesses and significant deficiencies noted during a financial statement audit to the insurer's management and Audit Committee. The insurer must retain all communications with the independent certified public accountant relating to material weaknesses or significant deficiencies in accordance with Subsection 12(D), and make them available for examination by the Superintendent.

C. Together with the Communication of Internal Control Related Matters Noted in an Audit required pursuant to Subsection B, all insurers, and all groups of insurers filing annual audited financial reports on a consolidated basis, shall file Management's Report of Internal Control over Financial Reporting, as of December 31 immediately preceding if their direct written and assumed premiums for the year, excluding premiums reinsured with the Federal Crop Insurance Corporation and Federal Flood Program, were $500,000,000 or more, or if the insurer has been ordered by the Superintendent to file the report after the occurrence of a risk-based-capital action level event pursuant to 24-A M.R.S.A. §§ 6453 through 6456 or a determination of hazardous financial condition pursuant to Bureau of Insurance Rule 710. Except as otherwise provided in Subsection 16(C) for SOX-Compliant Insurers, Management's Report of Internal Control over Financial Reporting shall include:

(1) A statement that management is responsible for establishing and maintaining adequate internal control over financial reporting;

(2) A statement that management has established internal control over financial reporting and an assertion, to the best of management's knowledge and belief, after diligent inquiry, as to whether its internal control over financial reporting is effective to provide reasonable assurance regarding the reliability of financial statements in accordance with statutory accounting principles;

(3) A statement that briefly describes the approach or processes by which management evaluated the effectiveness of its internal control over financial reporting;

(4) A statement that briefly describes the scope of work that is included and whether any internal controls were excluded;

(5) Disclosure of any unremediated material weaknesses in the internal control over financial reporting identified by management as of December 31 immediately preceding. Management is not permitted to conclude that the internal control over financial reporting is effective to provide reasonable assurance regarding the reliability of financial statements in accordance with statutory accounting principles if there are any unremediated material weaknesses in its internal control over financial reporting;

(6) A statement regarding the inherent limitations of internal control systems; and

(7) Signatures of the chief executive officer and the chief financial officer (or equivalent position/title).

D. Management shall document and make available upon financial condition examination the basis upon which the assertions in Management's Report of Internal Control are made. Management may base its assertions, in part, upon its review, monitoring, and testing of internal controls undertaken in the normal course of its activities.

(1) Management shall have discretion as to the nature of the internal control framework used, and the nature and extent of documentation, in order to make its assertion in a cost effective manner and, as such, may include assembly of or reference to existing documentation.

(2) Any documentation provided by the insurer in support of its internal control evaluation during the course of a financial condition examination shall be kept confidential pursuant to Subsection 12(E).

(3) If the insurer considers any information disclosed by a report filed pursuant to Subsection B or C to be confidential under Maine law, the insurer shall file a request for protection from disclosure, identifying with particularity the information the insurer considers to be confidential and the reasons the insurer believes the information filed is not a public record within the meaning of the Maine Freedom of Access Law, 1 M.R.S.A. §§401 et seq.

Drafting Note: It is recommended that the company officer responsible for financial reporting not be a member of the Audit Committee and that the independent committee members meet periodically with the independent certified public accountant, with no management present, to discuss the strengths and weaknesses of the insurer's or group's internal control environments.

Notes

02-031 C.M.R. ch. 235, § 10