Written by: Todd G. Burns, CISA, Drew V. Coveney, CIA
The Model Audit Rule (MAR): Enhancing Compliance With Strategic Audits
Key Takeaways
- For healthcare insurers, the Model Audit Rule (MAR) ensures governance and accountability in financial reporting.
- It emphasizes the establishment of internal audit functions, risk management processes, and more to uphold financial integrity.
- MAR compliance requires a comprehensive evaluation of business process controls and Information Technology General Controls (ITGCs).
- MAR compliance enhances operational efficiency, regulatory confidence, and data security for healthcare insurers.
All public companies must comply with the Sarbanes-Oxley Act (SOX), a federal act passed in 2002 to improve auditing and public disclosure in response to several accounting scandals in the early 2000s. Other industries must comply with very similar requirements (e.g., the Federal Deposit Insurance Corporation Improvement Act (FDICIA) for bank compliance), and the healthcare space is no different.
Healthcare insurers must comply with the National Association of Insurance Commissioners’ (NAIC) Annual Financial Reporting Model Regulation #205, commonly known as the Model Audit Rule (MAR) – but what does this mean to you? MAR requires insurance companies that exceed certain thresholds of written premiums to adopt similar standards, including auditor independence, governance frameworks and internal control of financial reporting.
In the ever-evolving landscape of healthcare insurance, the importance of robust regulatory frameworks is paramount. The Model Audit Rule is a regulatory measure that plays a pivotal role in ensuring the integrity and security of insurers’ operations.
Understanding the Model Audit Rule (MAR)
MAR is a regulatory framework designed to enhance the governance and accountability of insurers. It provides guidelines and standards for the internal controls and audit processes that insurers must adhere to. This ensures the reliability of financial reporting and safeguards the interests of policyholders. MAR has been compared to SOX regarding its focus on internal controls. Below, we break down some components of MAR that offer enhancements to the organization:
- Internal Audit Function: The company should establish an internal audit function. This provides independent, objective, and reasonable assurance to the audit committee and insurer’s management regarding the insurer’s governance, risk management, and internal controls. This assurance must be provided by performing general and specific audits, reviews, and tests. It should also be provided by employing other techniques deemed necessary to protect assets, evaluate control effectiveness and efficiency, and evaluate compliance with policies and regulations.
- Governance, Oversight, and Risk Management: The rule underscores the importance of identifying, assessing, and managing financial risks. Insurance companies are expected to have robust processes in place to address and mitigate these potential financial risks.
- Training and Awareness: Insurance companies are encouraged to provide training to employees involved in financial reporting, ensuring a proper understanding of the regulatory requirements and best practices.
- Compliance and Reporting: Insurers are required to comply with the provisions of MAR and report their compliance status to regulatory authorities. Non-compliance may lead to regulatory actions or penalties.
Significance of Business Process & Information Technology General Controls (ITGCs) in MAR Compliance
MAR compliance necessitates a comprehensive evaluation of both business processes and IT systems. Business process controls ensure the accuracy and reliability of financial transactions, while Information Technology General Controls (ITGCs) focus on the integrity, confidentiality, and availability of data processed through information systems.
Business process controls encompass various aspects such as underwriting, claims processing, and premium collection. Insurers must implement controls to mitigate risks related to accuracy, completeness, and authorization within these processes. Failure to maintain effective business process controls can lead to errors, fraud, and regulatory penalties.
On the other hand, ITGCs address the operational effectiveness of IT systems supporting critical business processes. These controls encompass areas such as access controls, change management, and data security. In today’s digital landscape where insurers rely heavily on technology for data processing and analysis, robust ITGCs are indispensable for safeguarding sensitive information and ensuring the integrity of financial reporting.
Benefits of MAR Compliance for Healthcare Insurers
- Improved Operational Efficiency and Reliability: By ensuring the reliability and stability of IT systems, MAR compliance could facilitate smoother and more efficient operational processes within healthcare insurers. Data travelling through these well-controlled systems can provide reasonable assurance that financial data and financial reporting are reliable, complete, and accurate.
- Regulatory Confidence: Compliance with MAR instills confidence among regulators, policyholders, and other stakeholders in the governance and risk management practices of healthcare insurers.
- Enhanced Data Security: Having adequately designed and effectively operating MAR ITGCs, as validated by periodic testing of these controls, could significantly contribute to the overall security of sensitive healthcare and financial data. This reduces the risk of data breaches and unauthorized access.
How Can Wolf Help?
MAR plays a crucial role in upholding the integrity and security of healthcare insurers. Compliance with MAR ensures that insurers can navigate the complex landscape with confidence, safeguarding the interests of policyholders and maintaining the trust of regulatory authorities. As external risks and changes in technology continue to shape the future of healthcare insurance, MAR remains a steadfast guide in promoting transparency, accountability, and resilience in the face of evolving challenges.
However, navigating the complexities of MAR compliance requires expertise and specialized knowledge. This is where partnering with a trusted audit firm like Wolf & Company, P.C. can yield significant benefits for insurers. Wolf & Company, P.C. boasts a team of seasoned professionals with extensive experience in internal audit and information technology within the healthcare industry. By leveraging our expertise, insurers can streamline their MAR compliance efforts and mitigate the risk of non-compliance.
Through a comprehensive audit approach, Wolf & Company, P.C. assists companies in evaluating the design and effectiveness of their business process controls and ITGCs. This involves conducting thorough assessments, identifying areas of weakness or non-compliance, and providing tailored recommendations for improvement.
Reach out to a member of Wolf’s Internal Audit or IT Audit teams to learn how we can help you navigate this complex landscape!
“Wolf & Company's direct collaboration with control owners, meticulous testing procedures, and comprehensive documentation have streamlined our internal audit Information Technology (IT) processes. Our audit department leveraged Wolf's IT expertise, including MAR-specific IT control testing, to enhance our knowledge and capabilities. They are responsive throughout the process and always willing to offer their assistance and make recommendations or best practices to help our organization. They proactively shared the outcomes with our external SOC auditor, enabling us to rely confidently on their work to increase efficiencies and success within our teams.”
Internal Audit Director
Fallon Health