Current through Register Vol. 46, No. 39, September 25, 2024
(a) Every
company required to file an audited financial report pursuant to this Part that
has annual direct written and assumed premiums, excluding premiums reinsured
with the Federal Crop Insurance Corporation and Federal Flood Program, of
$500,000,000 or more shall prepare a report of the company's or group of
companies' internal control over financial reporting. This report of internal
control over financial reporting, together with any communication about
unremediated material weaknesses discovered during the CPA's audit described
under section
89.9 of this Part shall be
submitted to the superintendent upon the filing date upon which each audited
financial report is required to be filed. Management's report of internal
control over financial reporting shall be as of December 31st immediately
preceding.
(b)
(1) In lieu of the report required by
subdivision (a) of this section, a company may file its or its parent's SOX
section 404 report with the superintendent, if the company is:
(i) directly subject to SOX section
404;
(ii) not directly subject to
SOX section 404 but is a SOX compliant company; or
(iii) a member of a holding company system
whose parent is:
(a) directly subject to SOX
section 404; or
(b) not directly
subject to SOX section 404, but is a SOX compliant company.
(2) If a company elects
to file the SOX section 404 report described in paragraph (1) of this
subdivision, the company shall submit an addendum that contains:
(i) a statement by the company's chief
executive officer and chief financial officer (or equivalent position or
titles) that no internal controls having a material impact on the preparation
of the company's audited statutory financial statements are excluded from the
report. If either of these two officers is based in a holding company or other
entity outside of the United States, the two most senior United States-based
officers shall be the signatories; or
(ii) if internal controls of the company that
have a material impact on the preparation of the company's audited statutory
financial statements are not described in the SOX section 404 report, a report
that sets forth the impact of these material internal controls on the
preparation of the company's audited financial reports that were not included
in the SOX section 404 report.
(c) Management's report of internal control
over financial reporting shall include:
(1) a
statement that the company has established and continues to maintain adequate
internal control over financial reporting and an assertion, to the best of the
company's knowledge and belief, after diligent inquiry, as to whether its
internal control over financial reporting is effective to provide reasonable
assurance regarding the reliability of financial statements in accordance with
statutory accounting principles;
(2) a statement that briefly describes the
approach or processes by which the company evaluated the effectiveness of its
internal control over financial reporting;
(3) a statement that briefly describes the
scope of work that is included and whether any internal controls were
excluded;
(4) disclosure of any
unremediated material weaknesses in the internal control over financial
reporting identified by the company as of December 31st immediately
preceding;
(5) a statement
regarding the inherent limitations of internal control systems; and
(6) notarized signatures of the company's
chief executive officer and chief financial officer (or equivalent position or
titles) attesting to the statements and disclosures contained in paragraphs (1)
through (5) of this subdivision. If either of these two officers is based in a
holding company or other entity outside of the United States, the two most
senior United States-based officers shall be the signatories.
(d) The company shall document the
basis upon which the assertions, as required by subdivision (c) of this
section, are made. The company may base its assertions, in part, upon its
review, monitoring and testing of internal controls undertaken in the normal
course of its activities. The company shall have discretion as to the nature of
the internal control framework used, and the nature and extent of
documentation, in order to make its assertion in a cost effective manner and,
as such, may include assembly of or reference to existing
documentation.
