

Understanding compliance mandates: Model Audit Rule vs. SOX

Mar 15, 2022

Insurance companies subject to the Model Audit Rule may not always be clear on how this reporting requirement differs from the mandates of the Sarbanes-Oxley Act. 

The Model Audit Rule, known formally as the Annual Financial Reporting Model Regulation, was co-developed by the American Institute of Certified Public Accountants and the National Association of Insurance Commissioners (NAIC). It was first issued by the NAIC with revisions in 2006 and adopted in 2010.

The Model Audit Rule is applicable to insurance companies having annual direct written and assumed premiums of $500 million or more. As the NAIC is not a federal agency, the rule is adopted on a state-by-state basis.

The federal Sarbanes-Oxley Act (SOX), in effect since 2002, applies to all public companies. The Public Company Accounting Oversight Board is charged with overseeing, regulating, inspecting and disciplining accounting firms in their roles as auditors of public companies.

SOX mandates certain practices in financial recordkeeping and reporting for corporations. Section 404 requires company management and the external auditor to report on the adequacy of the company’s internal control over financial reporting.

States that have adopted the Model Audit Rule regulation place submission requirements on insurance companies that go beyond SOX. These include:

  • An annual financial statement audit by an independent certified public accountant (CPA)
  • Communication of internal control-related matters noted in the audit
  • Management report of internal control over financial reporting

While these areas may look similar to SOX requirements, be aware of some key differences.

Annual financial statements by an independent CPA

Annual financial statements must be filed by June 1 following a December 31 year end. The financial statements must include:

  • An independent auditor’s report
  • A balance sheet
  • Statement of operations
  • Statement of cash flows
  • Statement of changes in capital and surplus
  • Notes to the financial statements

The external auditor under the Model Audit Rule must be independent and is liable for the statements made in the audit. In addition, the lead partner must be rotated after a five-year consecutive period, and the auditor is not to perform non-audit services, including functioning in the role of management, auditing their own work or serving in an advocacy role.

By contrast, Section 203 of the SOX Act specifies that both the lead partner and concurring partner must be subject to the rotation requirements. It specifically defines an audit partner as a partner who is a member of the audit engagement team and who either has responsibility for decision-making on significant auditing, accounting and reporting matters that affect the financial statements or maintains regular contact with management and the audit committee. Firms with fewer than five audit clients and fewer than 10 partners may be exempt from this rule provided each engagement is subject to a special review by the PCAOB every three years.

Keep in mind that non-audit services include (but are not limited to) bookkeeping, internal audit outsourcing, human resources functions and legal services. The external auditor must perform the audit in accordance with generally accepted auditing standards and obtain an understanding of internal control. All audits (and non-audit services) provided to the insurer must be approved by the audit committee.

Communication of internal control-related matters noted in the audit

Under the Model Audit Rule, the external auditors must issue a report on internal control weaknesses (unremediated material weaknesses) that are outstanding at the close of the audit and provide it to the state insurance commissioner. The report must describe the unremediated material weakness and the actions taken (or planned) to remediate it, and it must coincide with the most recent annual financial statements.

SOX Section 302, by comparison, requires external auditors to issue an opinion on whether effective internal control over financial reporting was maintained in all material respects by management. This is in addition to the financial statement opinion regarding the accuracy of the financial statements. 

Management report of internal controls over financial reporting

Management must issue an internal controls assessment report, but unlike SOX requirements, the external auditor does not attest to management's assessment of internal controls. If the insurer is publicly traded and subject to SOX 404, it's not required to duplicate internal controls reports. It can file the SOX 404 report with an addendum stating that no material processes with respect to the preparation of the audited statutory financial statements have been excluded from the Section 404 report.

How Wipfli can help

When you're seeking information or a fresh perspective about the requirements of the Model Audit Rule, Wipfli's risk advisory services team can help. We also offer co-sourced and outsourced services related to internal audits, as well as one-off engagements for special audit areas or projects.



Janice E. Harden, CPA
Senior Manager, Internal Audit