Solvency Series: State Audits and Annual Reports
September 27, 2021
While insurance carriers are responsible for underwriting products and maintaining collateral, history shows that doesn’t always happen. Here we’re diving in on state audits and the process for ensuring our insurers stay on the up and up when insuring contracts.
Some of the past series elements include reporting on guaranty associations, ratings agencies, and other pieces of the overall system that maintains the solvency and reliability of the insurance industry. One piece of the early warning system on insurer solvency: state audits.
Insurance carriers (and relevant MGAs/MGUs acting in a carrier capacity and underwriting policies) must already submit an annual financial statement, which gives the states they operate in the basic insights of things like cashflow and balance sheet. But insurers also face annual audits that must be reported to the state they operate in. This gives the state confidence in how large carriers are backing up their guarantees, and, combined with practices like consumer complaints and whistleblower actions, are the chief mechanism for state regulation of insurers.
States set their own auditing standards and guidelines, but commissioners agreed that this is one particular area that having similar or identical rules is mission critical – disparate standards on what it means to be able to pay claims would be a fundamental problem in working across states.
So, the National Association of Insurance Commissioners (NAIC) has a model rule, the Annual Financial Reporting Model Regulation. All states and most territories have adopted this rule or a previous version of it. So, although there are a few variations (and state-specific laws take precedence over the NAIC model), most of the standards for state audits of insurers are the same.
Not all insurers must submit an annual state audit. Insurers with less than $1 million in direct premiums in the state for the calendar year and fewer than 1,000 policy holders nationwide don’t need to do an audit. According to the NAIC’s audit model, that $1 million in annual premium includes any amounts a company has reinsured, as well. Foreign companies are exempt from auditing if they’re subject to a similar audit in another state or in an acceptable audit in their country of origin.
Yet, even these exemptions are subject to exemptions – if a state commissioner “makes a specific finding that compliance [with the audit requirements] is necessary for the commissioner to carry out statutory responsibilities”, then even a small-time carrier will need to complete an audit.
The who’s who of the insurance carrier state auditing process
An insurer that’s subject to the state auditing regulations will need two things: an audit committee and an independent certified public accountant (CPA).
The audit committee should:
- Have resources and access to any information needed to validate the audit
- Not include management, if possible
- Meet independent of management and be free from upper-management interference
The CPA should:
- Be certified by the Association of International Certified Public Accountants (or the British or Canadian equivalent)
- Be independent from the insurer, meaning the CPA or CPA firm
- Can’t be an insurance carrier employee
- Can’t have shared management or ownership
- Can’t be employed by the insurer to provide other services that may interfere with the ability to audit such as bookkeeping, payroll, appraisal, etc. (generally, tax preparation is allowable, however)
- Can’t audit the same insurance company (or a subsidiary or partner company) for longer than five consecutive years, with a break of five consecutive years between allowable auditing cycles
- Not have a rough history with the state when it comes to honesty or insurance (I mean, obviously)
These rules are broad, each with their share of exemptions and state variations. However, factors such as insurer size and state regulatory environment will push an insurance carrier to adhere strictly to the standard or treat it like the pirate code (more like guidelines, really).
For instance, a small insurer with limited staff may have a hard time filling an audit committee with enough knowledgeable non-principal staff – some management team members may need to be committee members. Or, even a midsize carrier may find it difficult to cycle through CPA firms in a low-population state or region where there may be a shortage of qualified businesses capable of performing the audit and will need to petition the state for an exemption (*cough* Wyoming *cough*).
Once a carrier has hired an independent CPA that meets the criteria, the CPA will work with the audit committee to compile an audit of the financial standing of the carrier for the past calendar year, Jan. 1 to Dec. 31. Essentially, the CPA is working to determine how capable the carrier is of paying out claims on its standing contracts.
In most states (this is another point of variance), carriers must file their audit reports for the previous year with the state by June 1.
A complete audit should contain:
- The independent CPA’s report.
- Balance sheet report of assets, liabilities, capital and surplus.
- Statement of operations.
- Statement of cash flow.
- Statement of changes in capital and surplus.
- The CPA’s notes to financial statements, including the reconciliation of differences between the audited financial statements and the insurer’s annual statement filed with the state.
- The financial statements included in the audited financial report shall be prepared in a form and using language and groupings substantially the same as the relevant sections of the annual statement of the insurer filed with the commissioner, and the financial statement shall be comparative.
As you can see, the independent CPA’s report partly serves to validate the financial statement the carrier has already compiled, and to make it clear if there are discrepancies.
In case of adverse financial condition
While most carrier audits are routine, sometimes the CPA finds evidence that the insurer is in danger of coming up short on claims paying. In these cases, the CPA has five days to notify the audit committee or board of directors, which then in turn has five days to pass the report to the commissioner.
Within 60 days of the CPA’s report, the board of directors must file a communication with the state to address any “unremediated material weaknesses” uncovered in the audit. This gives the insurance company leadership a chance to address the low points of the audit, explain any inconsistencies, and lay out how they plan to act to correct these deficiencies.
If your insurance company writes more than $500 million in premium, or if your company’s claims-paying ability is in question, the principal officer – a CEO or similar – must also file a “Management’s Report of Internal Control Over Financial Reporting.” As the NAIC lays out, this is management’s opportunity to take responsibility for the state of things (good or bad), prove that they understand the internal controls in place to prevent financial trouble, and verify whether they can recover from any existing financial difficulty.
The management report, however, is not allowed to be an outright refutation of the CPA’s findings, according to the NAIC:
“Management is not permitted to conclude that the internal control over financial reporting is effective to provide reasonable assurance regarding the reliability of financial statements in accordance with statutory accounting principles if there is one or more unremediated material weaknesses in its internal control over financial reporting;”
While it may seem like double-work to have a CPA come in and do the same analysis on a company’s books that the company itself has already reported, it’s important to keep in mind that a few companies do enter the receivership and liquidation process every year. With auditing as part of the insurance system of checks and balances, states are better equipped to flag troubled companies in advance.
State Audits and Annual Reports FAQs
In the 1990s, insurer failure was much more frequent, according to the National Organization for Life & Health Guaranty Associations. This clear, independent audit process has helped reduce the likelihood that a company will find itself on poor footing.
If a small insurer finds itself overleveraged, the odds of finding a larger carrier that is able and willing to cover policies in a liquidation sale are pretty good. Plus, the cost of the independent auditing process is more difficult for a small insurer. Conversely, larger insurers that become insolvent could represent a catastrophe, both for the insurance industry and for the broader population, ala AIG being bailed out in 2008 because the cost of letting it go bankrupt was seen to be too high.
Typically, the insurer annual financial report is due to the state by March 31 for the preceding year.
If you’re looking for a hot-button NAIC debate, you sure found it! Putting the CPA on the hook when an insurer goes belly-up – particularly just after the CPA has given them a clean bill of health – is a topic with some of the saltiest commentary in the remarks section of the model legislation.
While different states took different approaches, basically the liability of the CPA in charge of an audit comes down to intent. Regulators don’t want CPAs to be laissez faire about the audit – solvency is no joke. But CPAs don’t want to be held responsible if they’re working with an insurer’s audit committee that works to hide information and cover up any malfeasance.
The NAIC’s final rule attempts to walk that line, protecting CPAs from bad actors while also incentivizing them to be thorough and diligent in pursuing the truth in an audit.