Since the National Association of Insurance Commissioners (NAIC) made revisions to the Financial Reporting Model Regulation (Model Audit Rule) in June 2006, the insurance industry’s attention to the risks associated with financial reporting has been on the rise. Structured similarly to Section 404 of the Sarbanes‐Oxley Act, the Model Audit rule places a significant burden on C‐level executives to ensure their oversight in the internal controls for financial reporting (ICFR) process. Executives within these insurance organizations, both public and private, will be required to evaluate their internal controls in preparation for the first reports due in 2010 for the 2009 reporting period.
According to Baseline Consulting, approximately 32% of corporate data is contained in enduser computing (EUC) applications and approximately 68% is stored in IT controlled applications. These EUCs – primarily spreadsheets, PC databases (e.g. Access databases), BI reports, and word documents – are often stored on employee desktops and corporate file shares, and for the most part, are uncontrolled. They lack the proper safeguards and controls one would expect with IT controlled applications, including documentation, version control, back-up and archival, change control, testing, security and access control, and more.