Contact Us Submit RFP

  • Search For

Contact Us Submit RFP
insight-ingle-left-2
insight-ingle-left-3
Go back to Articles

February 25, 2025

Model Audit Rule: Timeline and Planning Guide

Insurance companies experiencing premium growth know that success brings new opportunities—and new regulatory requirements. Chief among them is the Annual Financial Reporting Model Regulation, commonly referred to as the Model Audit Rule (MAR). 

While MAR compliance adds a layer of scrutiny to your organization’s governance, internal controls, and audit committee independence, it also presents an opportunity to elevate your control environment and drive greater value throughout the business.

Below, we take an in-depth look at timing around MAR requirements as well as recommended planning strategies.

A Quick Refresher on MAR

The Model Audit Rule is a set of standards set forth by the National Association of Insurance Commissioners (NAIC) designed to strengthen insurers’ financial reporting processes. While it draws inspiration from Sarbanes-Oxley requirements, MAR is state-regulated and specifically tailored to the insurance industry.

MAR Thresholds and Timelines

$300 Million: Enhanced Oversight Begins

Premium Breach YearYear 1
If an insurer reports $300 million in direct and assumed written premiums on December 31 of a given year, MAR considers this a “breach year.”By the end of the following year, you must be compliant with the regulation’s audit committee requirements. This requires that at least 50% of your audit committee members meet the independence criteria.

Why It Matters: Even if you have historically operated with a robust governance structure, crossing this threshold demands new levels of independence. The shift often includes formalizing charters, rethinking board composition, and introducing or revising key accountability measures.

$500 Million: Stepping Up Internal Controls

Premium Breach YearYear 1Year 2
Once your reported direct and assumed premiums exceed $500 million on December 31, the clock starts ticking on more comprehensive MAR obligations.At the following year’s end, your audit committee’s independence requirement jumps to 75%, and you must establish (or formally document) your internal audit function.Management’s Report on Internal Control over Financial Reporting (ICFR) is required to be filed with the Communication of Internal Control Related Matters Noted in the Audit over the second year after crossing $500 million. This includes disclosing any unremediated material weaknesses, along with assurances that your financial reporting controls have been designed and operated effectively.

Why It Matters: Ramping up from an ad hoc or partially formalized internal audit approach to a fully operationalized function can be daunting. At the same time, your organization is preparing to publicly attest to the efficacy of its internal controls—spotlighting any areas of weakness

Planning for Success: 5 Phases of MAR Readiness

1. Strategic Forecasting and Gap Identification 

(estimated duration: 2–4 months)

  • Forecast Premium Growth. Work closely with your finance and actuarial teams to project when you could breach the $300 million or $500 million threshold. Ideally, start 12–18 months before you anticipate hitting a threshold, so you have sufficient lead time to develop your compliance roadmap.
  • Risk Assessment. Assess your existing governance, internal controls, and internal audit function against MAR requirements. This way, you’ll have a clear summary of where you stand and what needs to be addressed.

While it’s not necessary to formally appoint your audit partner at this stage, it’s smart to begin shortlisting and conducting preliminary conversations. Gaining insight into the external auditor’s perspective can validate your self-assessment and highlight hidden risks early on.

2. Detailed Scoping, Champion Identification, and Project Launch

(estimated duration: 2-3 months) 

  • Determine “In-Scope” Processes: Identify the processes that materially affect financial reporting. This includes IT systems, third-party relationships, and any unique transactions.
  • Identify Champions: Determine what individuals or groups will lead and be responsible for each aspect of the MAR compliance program including planning, risk assessment, testing, remediation, and monitoring. 
  • Set a Timeline: Develop a detailed project plan with key deliverables, responsibilities, and deadlines. Ideally, you start this step right after you finalize your gap analysis, ensuring a smooth transition from discovery to action.

If you’ve narrowed your choice of compliance partners, now is an excellent time to bring them into the planning process. Collaboration at this early stage can improve the efficiency of your overall project and prevent surprises down the line.

3. Program Documentation and Implementation 

(estimated duration: 6-12 months)

  • Document MAR Program: Formalize the company plan and approach for MAR attestation including planning, risk assessment, sampling, rotational testing, reporting, remediation, and monitoring of program results. 
  • Document Internal Controls: Utilizing the MAR champions or the Internal Audit function, align policies and procedures with a recognized framework to cover each business and IT process critical to financial reporting.

Some insurers opt to engage their compliance partner no later than 9–12 months before the first MAR-compliant annual filing. This ensures they have adequate time to understand your environment, assess controls, and coordinate with management. By collaborating with a compliance partner during this phase, you can receive immediate feedback on control design and testing approaches, streamlining later stages of the audit.

4. Readiness and Annual Testing 

(estimated duration: 6-12 months)

  • Readiness Testing: Perform pilot tests on new or revised controls to detect deficiencies early, allowing time for remediation. Be sure to schedule multiple testing cycles (e.g., in accordance with the rotational testing plan) to track progress, evaluate any needed changes, and get staff familiar with testing requirements.
  • Annual Testing: Perform full sample testing according to the established MAR program. Record testing results and develop remediation plans for any identified deficiencies.

5. Final Reporting and Ongoing Optimization

(estimated duration: 3-6 months leading up to filing deadlines)

  • Prepare Management’s Report on ICFR: This report is required to be filed with the Communication of Internal Control Related Matters Noted in the Audit over the second year after surpassing the $500 million threshold. Work with legal, finance, and internal audit to finalize reporting. 
  • Evolve Your Testing: After your first filing, continue refining processes and controls as your business and regulatory environment evolve. Leverage emerging technologies, data analytics, and continuous auditing methodologies for efficient and effective compliance.
  • Involve Your Internal Audit Function: If not already done so, your internal audit function can serve as a great resource for assisting in the MAR Compliance effect. Internal Audit can assist in updating MAR documentation and testing internal controls. Since the Internal Audit function is organizationally independent, their testing can be more readily relied upon by financial statement auditors and regulators. 

With the initial compliance cycle complete, you’ll gain a clearer picture of ongoing requirements and can adjust your timeline accordingly for subsequent years.

5 Ways We Help Insurers Navigate MAR

  • Expert Risk Assessment: We begin by assessing your existing controls, governance, and audit committee practices. Leveraging our deep specialization in insurance, we provide insights into how your current environment aligns with MAR requirements—and where adjustments may be needed.
  • Focused Roadmaps: Our team collaborates with your stakeholders to design a tailored MAR compliance roadmap, complete with action items, timelines, and risk prioritization. This approach ensures you’re prepared to meet critical Year 1 and Year 2 milestones when thresholds are crossed.
  • Practical Internal Audit Setup: From establishing a brand-new internal audit function to optimizing an existing one, Johnson Lambert’s professionals bring the hands-on experience needed to integrate MAR testing seamlessly into your wider compliance framework. Our support can also include co-sourcing or outsourcing arrangements, depending on your strategic objectives.
  • Control Testing and Remediation: We guide your organization through control identification, documentation, testing, and remediation. This includes helping you identify technology and automation opportunities that can enhance the accuracy and efficiency of your financial reporting processes.
  • Training and Ongoing Advising: MAR compliance isn’t a one-time event. Through continuous monitoring support, we equip your internal teams and leadership with the knowledge and strategies they need to sustain long-term compliance.

MAR compliance may seem daunting, but proactive planning can significantly reduce last-minute scrambles and strengthen the overall governance structure of your organization. Whether you’re inching toward $300 million in premiums or preparing to surpass $500 million, now is the time to lay a solid foundation for stronger internal controls, more effective governance, and greater organizational resilience.

Need Assistance Charting Your Path Forward?

Johnson Lambert’s dedicated team of insurance and internal audit specialists is ready to help you anticipate regulatory hurdles and transform them into opportunities for operational excellence. Contact us today to learn how we can support your MAR compliance journey.

Jordan Fulbright

Jordan Fulbright

Senior Manager - Internal Audit

View Bio

Questions?

Contact Johnson Lambert to learn how we can support your MAR compliance journey.

Contact Us

Related Insights

Model Audit Rule: Timeline and Planning Guide

Insurance companies experiencing premium growth know that success brings new opportunities—and new regulatory requirements. Chief among them is the Annual Financial Reporting Model Regulation, commonly referred to as the Model Audit Rule (MAR). 

While MAR compliance adds a layer of scrutiny to your organization’s governance, internal controls, and audit committee independence, it also presents an opportunity to elevate your control environment and drive greater value throughout the business.

Below, we take an in-depth look at timing around MAR requirements as well as recommended planning strategies.

A Quick Refresher on MAR

The Model Audit Rule is a set of standards set forth by the National Association of Insurance Commissioners (NAIC) designed to strengthen insurers’ financial reporting processes. While it draws inspiration from Sarbanes-Oxley requirements, MAR is state-regulated and specifically tailored to the insurance industry.

MAR Thresholds and Timelines

$300 Million: Enhanced Oversight Begins

Premium Breach YearYear 1
If an insurer reports $300 million in direct and assumed written premiums on December 31 of a given year, MAR considers this a “breach year.”By the end of the following year, you must be compliant with the regulation’s audit committee requirements. This requires that at least 50% of your audit committee members meet the independence criteria.

Why It Matters: Even if you have historically operated with a robust governance structure, crossing this threshold demands new levels of independence. The shift often includes formalizing charters, rethinking board composition, and introducing or revising key accountability measures.

$500 Million: Stepping Up Internal Controls

Premium Breach YearYear 1Year 2
Once your reported direct and assumed premiums exceed $500 million on December 31, the clock starts ticking on more comprehensive MAR obligations.At the following year’s end, your audit committee’s independence requirement jumps to 75%, and you must establish (or formally document) your internal audit function.Management’s Report on Internal Control over Financial Reporting (ICFR) is required to be filed with the Communication of Internal Control Related Matters Noted in the Audit over the second year after crossing $500 million. This includes disclosing any unremediated material weaknesses, along with assurances that your financial reporting controls have been designed and operated effectively.

Why It Matters: Ramping up from an ad hoc or partially formalized internal audit approach to a fully operationalized function can be daunting. At the same time, your organization is preparing to publicly attest to the efficacy of its internal controls—spotlighting any areas of weakness

Planning for Success: 5 Phases of MAR Readiness

1. Strategic Forecasting and Gap Identification 

(estimated duration: 2–4 months)

  • Forecast Premium Growth. Work closely with your finance and actuarial teams to project when you could breach the $300 million or $500 million threshold. Ideally, start 12–18 months before you anticipate hitting a threshold, so you have sufficient lead time to develop your compliance roadmap.
  • Risk Assessment. Assess your existing governance, internal controls, and internal audit function against MAR requirements. This way, you’ll have a clear summary of where you stand and what needs to be addressed.

While it’s not necessary to formally appoint your audit partner at this stage, it’s smart to begin shortlisting and conducting preliminary conversations. Gaining insight into the external auditor’s perspective can validate your self-assessment and highlight hidden risks early on.

2. Detailed Scoping, Champion Identification, and Project Launch

(estimated duration: 2-3 months) 

  • Determine “In-Scope” Processes: Identify the processes that materially affect financial reporting. This includes IT systems, third-party relationships, and any unique transactions.
  • Identify Champions: Determine what individuals or groups will lead and be responsible for each aspect of the MAR compliance program including planning, risk assessment, testing, remediation, and monitoring. 
  • Set a Timeline: Develop a detailed project plan with key deliverables, responsibilities, and deadlines. Ideally, you start this step right after you finalize your gap analysis, ensuring a smooth transition from discovery to action.

If you’ve narrowed your choice of compliance partners, now is an excellent time to bring them into the planning process. Collaboration at this early stage can improve the efficiency of your overall project and prevent surprises down the line.

3. Program Documentation and Implementation 

(estimated duration: 6-12 months)

  • Document MAR Program: Formalize the company plan and approach for MAR attestation including planning, risk assessment, sampling, rotational testing, reporting, remediation, and monitoring of program results. 
  • Document Internal Controls: Utilizing the MAR champions or the Internal Audit function, align policies and procedures with a recognized framework to cover each business and IT process critical to financial reporting.

Some insurers opt to engage their compliance partner no later than 9–12 months before the first MAR-compliant annual filing. This ensures they have adequate time to understand your environment, assess controls, and coordinate with management. By collaborating with a compliance partner during this phase, you can receive immediate feedback on control design and testing approaches, streamlining later stages of the audit.

4. Readiness and Annual Testing 

(estimated duration: 6-12 months)

  • Readiness Testing: Perform pilot tests on new or revised controls to detect deficiencies early, allowing time for remediation. Be sure to schedule multiple testing cycles (e.g., in accordance with the rotational testing plan) to track progress, evaluate any needed changes, and get staff familiar with testing requirements.
  • Annual Testing: Perform full sample testing according to the established MAR program. Record testing results and develop remediation plans for any identified deficiencies.

5. Final Reporting and Ongoing Optimization

(estimated duration: 3-6 months leading up to filing deadlines)

  • Prepare Management’s Report on ICFR: This report is required to be filed with the Communication of Internal Control Related Matters Noted in the Audit over the second year after surpassing the $500 million threshold. Work with legal, finance, and internal audit to finalize reporting. 
  • Evolve Your Testing: After your first filing, continue refining processes and controls as your business and regulatory environment evolve. Leverage emerging technologies, data analytics, and continuous auditing methodologies for efficient and effective compliance.
  • Involve Your Internal Audit Function: If not already done so, your internal audit function can serve as a great resource for assisting in the MAR Compliance effect. Internal Audit can assist in updating MAR documentation and testing internal controls. Since the Internal Audit function is organizationally independent, their testing can be more readily relied upon by financial statement auditors and regulators. 

With the initial compliance cycle complete, you’ll gain a clearer picture of ongoing requirements and can adjust your timeline accordingly for subsequent years.

5 Ways We Help Insurers Navigate MAR

  • Expert Risk Assessment: We begin by assessing your existing controls, governance, and audit committee practices. Leveraging our deep specialization in insurance, we provide insights into how your current environment aligns with MAR requirements—and where adjustments may be needed.
  • Focused Roadmaps: Our team collaborates with your stakeholders to design a tailored MAR compliance roadmap, complete with action items, timelines, and risk prioritization. This approach ensures you’re prepared to meet critical Year 1 and Year 2 milestones when thresholds are crossed.
  • Practical Internal Audit Setup: From establishing a brand-new internal audit function to optimizing an existing one, Johnson Lambert’s professionals bring the hands-on experience needed to integrate MAR testing seamlessly into your wider compliance framework. Our support can also include co-sourcing or outsourcing arrangements, depending on your strategic objectives.
  • Control Testing and Remediation: We guide your organization through control identification, documentation, testing, and remediation. This includes helping you identify technology and automation opportunities that can enhance the accuracy and efficiency of your financial reporting processes.
  • Training and Ongoing Advising: MAR compliance isn’t a one-time event. Through continuous monitoring support, we equip your internal teams and leadership with the knowledge and strategies they need to sustain long-term compliance.

MAR compliance may seem daunting, but proactive planning can significantly reduce last-minute scrambles and strengthen the overall governance structure of your organization. Whether you’re inching toward $300 million in premiums or preparing to surpass $500 million, now is the time to lay a solid foundation for stronger internal controls, more effective governance, and greater organizational resilience.

Need Assistance Charting Your Path Forward?

Johnson Lambert’s dedicated team of insurance and internal audit specialists is ready to help you anticipate regulatory hurdles and transform them into opportunities for operational excellence. Contact us today to learn how we can support your MAR compliance journey.

Jordan Fulbright

Jordan Fulbright

Senior Manager - Internal Audit