Current through Register Vol. 46, No. 45, November 2, 2024
Section 89.14 - Management's report of internal control over financial reporting(a) Every company required to file an audited financial report pursuant to this Part that has annual direct written and assumed premiums, excluding premiums reinsured with the Federal Crop Insurance Corporation and Federal Flood Program, of $500,000,000 or more shall prepare a report of the company's or group of companies' internal control over financial reporting. This report of internal control over financial reporting, together with any communication about unremediated material weaknesses discovered during the CPA's audit described under section 89.9 of this Part shall be submitted to the superintendent upon the filing date upon which each audited financial report is required to be filed. Management's report of internal control over financial reporting shall be as of December 31st immediately preceding.(b)(1) In lieu of the report required by subdivision (a) of this section, a company may file its or its parent's SOX section 404 report with the superintendent, if the company is: (i) directly subject to SOX section 404;(ii) not directly subject to SOX section 404 but is a SOX compliant company; or(iii) a member of a holding company system whose parent is: (a) directly subject to SOX section 404; or(b) not directly subject to SOX section 404, but is a SOX compliant company.(2) If a company elects to file the SOX section 404 report described in paragraph (1) of this subdivision, the company shall submit an addendum that contains: (i) a statement by the company's chief executive officer and chief financial officer (or equivalent position or titles) that no internal controls having a material impact on the preparation of the company's audited statutory financial statements are excluded from the report. If either of these two officers is based in a holding company or other entity outside of the United States, the two most senior United States-based officers shall be the signatories; or(ii) if internal controls of the company that have a material impact on the preparation of the company's audited statutory financial statements are not described in the SOX section 404 report, a report that sets forth the impact of these material internal controls on the preparation of the company's audited financial reports that were not included in the SOX section 404 report.(c) Management's report of internal control over financial reporting shall include: (1) a statement that the company has established and continues to maintain adequate internal control over financial reporting and an assertion, to the best of the company's knowledge and belief, after diligent inquiry, as to whether its internal control over financial reporting is effective to provide reasonable assurance regarding the reliability of financial statements in accordance with statutory accounting principles;(2) a statement that briefly describes the approach or processes by which the company evaluated the effectiveness of its internal control over financial reporting;(3) a statement that briefly describes the scope of work that is included and whether any internal controls were excluded;(4) disclosure of any unremediated material weaknesses in the internal control over financial reporting identified by the company as of December 31st immediately preceding;(5) a statement regarding the inherent limitations of internal control systems; and(6) notarized signatures of the company's chief executive officer and chief financial officer (or equivalent position or titles) attesting to the statements and disclosures contained in paragraphs (1) through (5) of this subdivision. If either of these two officers is based in a holding company or other entity outside of the United States, the two most senior United States-based officers shall be the signatories.(d) The company shall document the basis upon which the assertions, as required by subdivision (c) of this section, are made. The company may base its assertions, in part, upon its review, monitoring and testing of internal controls undertaken in the normal course of its activities. The company shall have discretion as to the nature of the internal control framework used, and the nature and extent of documentation, in order to make its assertion in a cost effective manner and, as such, may include assembly of or reference to existing documentation.N.Y. Comp. Codes R. & Regs. Tit. 11 § 89.14