(2) An insurer or HMO or group of insurers or HMOs
subject to this subsection must establish an internal audit function
providing independent, objective, and reasonable assurance to the
audit committee and insurer or HMO management regarding the insurer's
or HMO's governance, risk management, and internal controls. This
assurance must be provided by performing general and specific audits,
reviews, and tests, and by employing other techniques deemed necessary
to protect assets, evaluate control effectiveness and efficiency,
and evaluate compliance with policies and regulations.
(3) In order to ensure that internal auditors remain
objective, the internal audit function must be organizationally independent.
Specifically, the internal audit function cannot defer ultimate judgment
on audit matters to others and must appoint an individual to head
the internal audit function who has direct and unrestricted access
to the board of directors. Organizational independence does not prevent
dual-reporting relationships.
(4) The head of the internal audit function must report
to the audit committee regularly but no less than annually on the
periodic audit plan, factors that may adversely impact the internal
audit function's independence or effectiveness, material findings
from completed audits, and the appropriateness of corrective actions
implemented by management as a result of audit findings.
(5) If an insurer or HMO is a member of an insurance
holding company system or included in a group of insurers or HMOs,
the insurer or HMO may satisfy the internal audit function requirements
set forth in this section at the ultimate controlling parent level,
an intermediate holding company level, or the individual legal entity
level.
(m) Prohibited conduct in connection with preparation
of Required Reports and documents.
(1) A director or officer of an insurer or HMO may
not, directly or indirectly:
(A) make or cause to be made a materially false or
misleading statement to an accountant in connection with an audit,
review, or communication required by Insurance Code Chapter 401, Subchapter
A, or this section; or
(B) omit to state, or cause another person to omit
to state, any material fact necessary in order to make statements
made, in light of the circumstances under which the statements were
made, not misleading to an accountant in connection with any audit,
review, or communication required under Insurance Code Chapter 401,
Subchapter A, or this section.
(2) An officer or director of an insurer or HMO, or
another person acting under the direction of an officer or director
of an insurer or HMO, may not directly or indirectly coerce, manipulate,
mislead, or fraudulently influence an accountant performing an audit
under Insurance Code Chapter 401, Subchapter A, or this section if
that person knew or should have known that the action, if successful,
could result in rendering the insurer's or HMO's financial statements
materially misleading. For purposes of this paragraph, actions that
could result in rendering the insurer's or HMO's financial statements
materially misleading include actions taken at any time with respect
to the professional engagement period to coerce, manipulate, mislead,
or fraudulently influence an accountant:
(A) to issue or reissue a report on an insurer's or
HMO's financial statements that is not warranted and would result
in material violations of statutory accounting principles prescribed
by the Commissioner, generally accepted auditing standards, or other
professional or regulatory standards;
(B) not to perform an audit, review, or other procedure
required by generally accepted auditing standards or other professional
standards;
(C) not to withdraw an issued report; or
(D) not to communicate matters to an insurer's or HMO's
audit committee.
(n) Report of internal control over financial reporting.
(1) Each insurer or HMO required to file an audited
financial report under Insurance Code Chapter 401, Subchapter A, and
this section that has annual direct written and assumed premiums,
excluding premiums reinsured with the Federal Crop Insurance Corporation
and the National Flood Insurance Program, of $500 million or more
must prepare a report of the insurer's or HMO's or group of insurers'
or HMOs' internal control over financial reporting. The report must
be filed with the Commissioner with the communication described by
subsection (j) of this section. The report of internal control over
financial reporting shall be filed with the Commissioner as of the
immediately preceding December 31.
(2) Notwithstanding the premium threshold under paragraph
(1) of this subsection, the Commissioner may require an insurer or
HMO to file the management's report of internal control over financial
reporting if the insurer or HMO is in any risk-based capital level
event or meets one or more of the standards of an insurer or HMO considered
to be in hazardous financial condition as described by or provided
in Insurance Code Chapter 404, 441, 822, 841, 843, or 884 or rules
adopted thereunder, including §7.402 of this title, Chapter 8
of this title, and §11.811 of this title.
(3) An insurer or HMO or a group of insurers or HMOs
may file the insurer's or HMO's or the insurer's or HMO's parent's
Section 404 report and an addendum if the insurer or HMO or group
of insurers or HMOs is:
(A) directly subject to Section 404;
(B) part of a holding company system whose parent is
directly subject to Section 404;
(C) not directly subject to Section 404 but is a SOX-compliant
entity; or
(D) a member of a holding company system whose parent
is not directly subject to Section 404 but is a SOX-compliant entity.
(4) A Section 404 report described by paragraph (3)
of this subsection must include those internal controls of the insurer
or HMO or group of insurers or HMOs that have a material impact on
the preparation of the insurer's or HMO's or group of insurers' or
HMOs' audited statutory financial statements, including those items
listed in Insurance Code §401.009(a)(3)(B) - (H) and (b). The
addendum must be a positive statement by management that there are
no material processes excluded from the Section 404 report with respect
to the preparation of the insurer's or HMO's or group of insurers'
or HMOs' audited statutory financial statements, including those items
specified in Insurance Code §401.009(a)(3)(B) - (H) and (b).
If there are internal controls of the insurer or HMO or group of insurers
or HMOs that have a material impact on the preparation of the insurer's
or HMO's or group of insurers' or HMOs' audited statutory financial
statements and those internal controls are not included in the Section
404 report, the insurer or HMO or group of insurers or HMOs may either
file:
(A) a report under this subsection; or
(B) the Section 404 report and a report under this
subsection for those internal controls that have a material impact
on the preparation of the insurer's or HMO's or group of insurers'
or HMOs' audited statutory financial statements not covered by the
Section 404 report.
(5) The insurer's or HMO's management report of internal
control over financial reporting must include:
(A) a statement that management is responsible for
establishing and maintaining adequate internal control over financial
reporting;
(B) a statement that management has established internal
control over financial reporting and an opinion concerning whether,
to the best of management's knowledge and belief, after diligent inquiry,
its internal control over financial reporting is effective to provide
reasonable assurance regarding the reliability of financial statements
in accordance with statutory accounting principles;
(C) a statement that briefly describes the approach
or processes by which management evaluates the effectiveness of its
internal control over financial reporting;
(D) a statement that briefly describes the scope of
work that is included and whether any internal controls were excluded;
(E) disclosure of any unremediated material weaknesses
in the internal control over financial reporting identified by management
as of the immediately preceding December 31;
(F) a statement regarding the inherent limitations
of internal control systems; and
(G) signatures of the chief executive officer and the
chief financial officer or an equivalent position or title.
(6) For purposes of paragraph (5)(E) of this subsection,
an insurer's or HMO's management may not conclude that the internal
control over financial reporting is effective to provide reasonable
assurance regarding the reliability of financial statements in accordance
with statutory accounting principles if there is one or more unremediated
material weaknesses in its internal control over financial reporting.
Cont'd... |