2007 Annual Meeting ● Assemblée annuelle 2007 Vancouver 2007 Annual Meeting ● Assemblée annuelle 2007 Vancouver Canadian Institute of Actuaries Canadian Institute of Actuaries L’Institut canadien des actuaires L’Institut canadien des actuaires

Internal Control Over Financial Reporting Regulatory Development Internal Control Over Financial Reporting Regulatory Development

ICFR Regulatory Development Section 404 Developments SEC Interpretive Guidance for Management’s Assessment of Internal Control Over Financial Reporting PCAOB Auditing Standards No.5, An Audit of Internal Control over Financial Reporting that is Integrated with An Audit of Financial Statements Multilateral Instrument Current certification requirements Proposed changes to MI Annual Meeting Assemblée annuelle Annual Meeting Assemblée annuelle 2007

Overview of SEC Actions On Wednesday, May 23, 2007, the SEC: Approved the final interpretive guidance regarding management’s assessment of ICFR Approved various rule amendments: Codified the definition of a material weakness Auditor opinion only on effectiveness of ICFR Company assessment performed in accordance with the interpretive guidance satisfies the annual evaluation required by the Exchange Act Effective 30 after being published in the Federal Register 2007 Annual Meeting Assemblée annuelle Annual Meeting Assemblée annuelle 2007

Overview of PCAOB Actions On Thursday, May 24, 2007, the PCAOB: Approved the issuance of AS5 Approved various conforming amendments to PCAOB interim auditing standards Adopted a rule on audit committee pre-approval of non-audit services relating to ICFR Final standard, conforming amendments and rule are subject to SEC approval Subject to SEC approval, AS5 is effective for audits for fiscal years ending on or after 11/15/07, with earlier application encouraged 2007 Annual Meeting Assemblée annuelle Annual Meeting Assemblée annuelle 2007

SEC Management Guidance Expected to be available shortly on the SEC’s web site Key concepts from the SEC interpretive guidance for management: Principles-based and flexible Top-down and risk-based Scalable to a company’s size and complexity Management can use its judgement to determine the nature and extent of documentation to support the assessment process and its conclusion Acknowledges that management and auditors have different roles and responsibilities (so respective processes and evidence needed to support management assessment and auditor’s opinion can be different) 2007 Annual Meeting Assemblée annuelle Annual Meeting Assemblée annuelle 2007

PCAOB Auditing Standard No. 5 PCAOB’s Principal Objectives Focus the audit on the most important matters Include only the requirements necessary for an effective audits Make the audit scalable to fit the size and complexity of any company Simplify the text of the standard 2007 Annual Meeting Assemblée annuelle Annual Meeting Assemblée annuelle 2007

PCAOB Auditing Standard No. 5 Key Elements Single standard for all companies Principles-based Reasonable assurance on design and operating effectiveness Top-down, risk-based approach No rotational testing of controls Ability to use the work of others 2007 Annual Meeting Assemblée annuelle Annual Meeting Assemblée annuelle 2007

PCAOB Auditing Standard No. 5 Top-Down Approach The requirement for the auditor to identify significant processes or major classes of transactions was removed. Instead, the general principle is to identify significant accounts and disclosures, relevant assertions, and the controls that address the risks of material misstatement relating to each relevant assertion. As a practical matter, the auditor will generally need to understand the company’s processes to appropriately identify the correct controls to test Annual Meeting Assemblée annuelle Annual Meeting Assemblée annuelle 2007

PCAOB Auditing Standard No. 5 Walkthroughs AS5 removes the requirement to perform a walkthrough. Instead, it requires auditors to achieve certain objectives in understanding the flow of transactions, the points where misstatements could occur, and the controls to address those potential misstatements. AS5 (paragraph 37) acknowledges that performing walkthroughs will frequently be the most effective way of achieving the objectives Annual Meeting Assemblée annuelle Annual Meeting Assemblée annuelle 2007

PCAOB Auditing Standard No. 5 Entity-Level Controls AS5 includes three broad categories of entity-level controls and how each category might have a different effect on the performance of tests of other controls. Indirect — Might affect the other controls the auditor selects for testing and the nature, timing, and extent of procedures the auditor performs on other controls (e.g., control environment) Direct — But not sufficiently precise by themselves to address the assessed risk of misstatement — e.g., controls that monitor the effectiveness of other controls Operate at a level of precision that would adequately prevent or detect on a timely basis misstatements to one or more relevant assertions The inclusion of the three categories conforms the discussion of entity-level controls in AS5 to the SEC management guidance Annual Meeting Assemblée annuelle Annual Meeting Assemblée annuelle 2007

PCAOB Auditing Standard No. 5 Fraud Controls Greater focus on fraud risk and anti-fraud controls to emphasize the importance of these matters in a top-down, risk-based approach to the audit. The auditor should evaluate whether controls sufficiently address— Identified risks of material misstatement due to fraud Risk of management override of other controls Consider controls that address— Significant, unusual transactions Journal entries and adjustments in FSCP Related party transactions Significant management estimates Incentives and pressures to falsify or inappropriately manage financial results 2007 Annual Meeting Assemblée annuelle Annual Meeting Assemblée annuelle 2007

PCAOB Auditing Standard No. 5 Fraud Controls - Risk of Management Override Addressed as part of indirect ELCs, including anti- fraud programs However, because fraudulent financial reporting often involves the override of controls related to the FSCP, also should consider: Standardized accounting policies Standardized closing procedures Required “reporting packages” Business- or unit-level reviews of financial results Internal audit activities 2007 Annual Meeting Assemblée annuelle Annual Meeting Assemblée annuelle 2007

PCAOB Auditing Standard No. 5 Evaluating and Communicating Deficiencies The definition of a material weakness has been conformed with the definition in the SEC management guidance. A deficiency, or combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis. Changed the definition of a significant deficiency A deficiency, or combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight of the company’s financial reporting Management and auditors will now have more judgment in determining which matters are considered significant deficiencies, which may result in fewer of them being communicated to the audit committee Annual Meeting Assemblée annuelle Annual Meeting Assemblée annuelle 2007

PCAOB Auditing Standard No. 5 Using the Work of Others After considering comments received, the PCAOB concluded that the existing SAS 65 framework in the auditing standards (AU 322) is sufficient. AS5 allows the auditor to use the work of others to obtain evidence about the design and operating effectiveness of controls and eliminates the principal evidence provision. Auditors will still have significant flexibility to use the work of others for the audit of internal control and to obtain evidence supporting the auditor’s assessment of control risk for the audit of the financial statements Annual Meeting Assemblée annuelle Annual Meeting Assemblée annuelle 2007

Questions? 2007 Annual Meeting Assemblée annuelle Annual Meeting Assemblée annuelle 2007

Multilateral Instrument Current Certification Requirements Certifying officers must certify the following: Filings do not contain any misrepresentations Financial information fairly presents financial condition, results from operations and cash flows Design disclosure controls and procedures (DC&P) Evaluation of the effectiveness of DC&P Disclosure in MD&A of conclusions about the effectiveness of DC&P Design of internal control over financial reporting (ICFR) Disclosure in MD&A of any recent changes in the issuer’s ICFR CSA Staff Notice – certifying the design of ICFR when aware of a weakness Annual Meeting Assemblée annuelle Annual Meeting Assemblée annuelle 2007

Multilateral Instrument Proposed Changes Reflects the proposed approach for additional provisions relating to ICFR described in CSA Notice released on March 10, 2006, which: Require certifying officers to evaluate an issuer's ICFR and provide MD&A disclosure about their conclusion on the effectiveness of ICFR based on such evaluation Does not require auditors attestation on ICFR Includes considerations for the design of DC&P and ICFR 2007 Annual Meeting Assemblée annuelle Annual Meeting Assemblée annuelle 2007

Multilateral Instrument Proposed Changes - Key Features Use of Top-Down, Risk Based Approach Definition of “Reportable Deficiency” a deficiency, or combination of deficiencies, in the design or operation of one or more controls that would cause a reasonable person to doubt that the design or operation of ICFR provides reasonable assurance regarding the reliability of financial reporting or the preparation of financial statements for external purposes in accordance with the issuer’s GAAP ICFR Design accommodation for venture issuer If a venture issuer has a reportable deficiency relating to design which exists as at the end of the period covered by its annual or interim filings, as the case may be; and cannot reasonably remediate the reportable deficiency, it must disclose in its MD&A: the reportable deficiency; why the issuer cannot reasonably remediate the reportable deficiency; the risks the issuer faces relating to the reportable deficiency; and whether the issuer has mitigated those risks and if so, how Annual Meeting Assemblée annuelle Annual Meeting Assemblée annuelle 2007

Multilateral Instrument Proposed Changes - Key Features Permits the certifying officers to limit the scope of their design of DC&P and ICFR to exclude controls, policies and procedures carried out by: a proportionately consolidated entity in which the issuer has an interest; a variable interest entity in which the issuer has an interest; or a business that the issuer acquired not more than 90 days before the end of the period to which the certificate relates. If the scope of the issuer’s design is limited due to any of these circumstances the issuer must disclose in its MD&A: the scope limitation and summary financial information of the proportionately consolidated entity, variable interest entity or acquired business that has been proportionately consolidated or consolidated in the issuer’s financial statements. Effective date – June 30, 2008 Comment period – due in 90 days (end of June 2007) 2007 Annual Meeting Assemblée annuelle Annual Meeting Assemblée annuelle 2007

Questions? 2007 Annual Meeting Assemblée annuelle Annual Meeting Assemblée annuelle 2007

Best Practices Start the process early Identify roles, responsibilities and communication protocols Discuss deficiencies with management promptly Hold quarterly meetings with management and the independent auditor to address any changes in the overall business or methodology employed. Communication between company actuaries and independent auditor actuaries needs to occur early and throughout the process. Timely discussions should occur with the independent auditor surrounding prior year significant deficiencies and any impact they might have on current year reserve estimates Annual Meeting Assemblée annuelle Annual Meeting Assemblée annuelle 2007

Best Practices Because overall actuarial processes are often non- routine/estimation processes, where using a test of transactions approach is typically not the most effective testing strategy, it is important for client actuaries to meet with the independent auditor actuaries to discuss the testing strategy used for the actuarial processes. Demonstrate program change control and user acceptance testing on reserve systems early in the internal control testing process to allow enough time for re-testing or remediation if deficiencies exist. If actuarial methodologies/assumptions change throughout the year, testing performed to validate these changes should be retained and provided to the independent auditor’s actuaries for review during internal control testing Annual Meeting Assemblée annuelle Annual Meeting Assemblée annuelle 2007

Best Practices Migrating from use of spreadsheets to system- generated reserve reports to calculate reserve data. Establishing formal, written policies and procedures documenting the criteria for deferred expenses. Reviewing criteria for deferrable acquisition costs and the related period of amortization at least annually. Performing loss recognition and recoverability analyses on a quarterly basis instead of annually. Periodically testing commission rates and agent statements for accuracy and agreement with the rate schedule or other written approval. Taking steps to automate DAC calculations instead of relying on spreadsheets Annual Meeting Assemblée annuelle Annual Meeting Assemblée annuelle 2007

Questions? 2007 Annual Meeting Assemblée annuelle Annual Meeting Assemblée annuelle 2007