
October 21, 2024

Step-by-Step Preparation for IT Regulatory Exam

Key Highlights

  • NAIC regulatory exams assess an insurance company’s financial health, compliance, and governance.
  • Strong IT general controls and cybersecurity are essential for passing the IT portion of the exam.
  • Advance preparation, including reviewing past exam results and conducting mock exams, is key to success.
  • Johnson Lambert offers services like IT review readiness and full IT review testing to help companies navigate the examination process.

Preparing for a regulatory examination is a crucial process for any financial institution. These examinations are conducted by state insurance departments in accordance with the National Association of Insurance Commissioners (NAIC) Financial Condition Examiners Handbook (the handbook). The examinations are designed to assess an insurance company’s financial health, compliance with regulations, and operational soundness. A successful examination is one with no major violations or issues. This not only avoids penalties but also strengthens a company’s reputation and builds trust with stakeholders. By proactively addressing key areas such as financial reporting, information technology general controls, and risk management, companies can approach these examinations with confidence and ensure a smooth and successful outcome.

Every three to five years, insurers licensed to do business in the U.S. (companies) undergo a NAIC risk-focused examination. The primary purposes of this examination are to:

  • Review and evaluate a company’s business processes and controls.
  • Assess the quality and reliability of corporate governance.
  • Monitor the company’s current financial condition and prospective solvency.

Information technology (IT) is critical to the efficiency and the overall quality of a company’s business processes and controls. Poor management of these systems (e.g. hardware, software, and data) can lead to a wide range of risks, including security problems, inefficiency, and downtime. As such, an IT review of the IT general control environment is a key component of the examination. An effective IT general control environment provides examiners with greater assurance regarding the overall reliability of a company’s IT systems and the reports generated from those systems. As the IT examiner reviews IT processes, they will also assess the company’s cybersecurity risk mitigation strategies and test controls that identify, prevent, and detect cybersecurity incidents, including the cybersecurity controls of IT service providers. The IT examiner procedures are based on guidance in Exhibit C – Evaluation of Controls in Information Technology (IT) in the handbook. The parts of this exhibit include the following:

  • Part One: Information Technology Planning Questionnaire (ITPQ) – A document consisting of questions to be asked in the planning process of an IT review.
  • Part Two: IT Work Program – A framework designed to assist examiners in completing an IT review.

Advance preparation (e.g. reviewing prior examination results, assigning appropriate resources to the compliance team), along with the ability to promptly provide thorough documentation of processes and procedures, is imperative for an efficient IT review. While it is expected that the IT review procedures are performed by the IT examiner, leveraging the work performed by other IT specialists and/or cybersecurity experts can significantly streamline the examiner’s IT review process. Johnson Lambert’s business advisory services practice provides the following services to support companies during the IT review process:

IT Review Readiness

Conduct a mock examination to identify the areas of risk within the company’s IT environment and the vulnerabilities in processes, controls, or documentation before the exam. Our interviews are designed to mimic the interview practices used by examiners to prepare the IT team for the examination process and their roles. We can assist with the development of the prioritized list and action plan on how to address gaps prior to the IT review.

Full IT Review Testing

Assist with the completion of the ITPQ and test the effectiveness of the company’s IT general and cybersecurity controls in the IT Work Program for evaluation by the regulatory IT review team. In addition, provide a summary of findings identified through the completion of our fieldwork. This testing may be leveraged by the examiner to reduce the number of procedures they must perform.

Our goal is to make the IT review as smooth as possible for both the company and the IT review team.

Understandably, there may be some anxiety when a company is first notified of an examination. Upon receiving notification of an upcoming examination, we often hear the question, “How should I (or my team) best prepare for an examination?” Our team of experienced professionals has performed IT examinations and has deep knowledge of the IT general control and cybersecurity requirements within the handbook, and can assist companies with preparing for and successfully managing the IT review portion of a regulatory exam.

Regulatory Exam Readiness Checklist

  • Review Previous Examination Results: Analyze past examination findings, address any unresolved issues, and ensure that any prior recommendations have been fully implemented or mitigating controls documented.
  • Assemble a Compliance Team: Assign a team with representation from finance, IT, risk management, and compliance. Ensure roles are clear and responsibilities are delegated in advance of the exam.
  • Prepare Financial and Operational Documentation: Ensure accuracy and completeness in financial reporting, and have all necessary operational documentation ready, including governance policies and risk management strategies.
  • Conduct a Mock Examination: Perform a simulated exam to identify potential gaps in processes or controls. Review critical areas like IT general controls, cybersecurity protocols, and vendor management.
  • Evaluate IT General Controls: Ensure your IT systems, software, and data management processes are secure and compliant.
  • Complete the IT Planning Questionnaire (ITPQ): Review and update the ITPQ document, ensuring all responses reflect your current IT control environment.
  • Assess Cybersecurity Measures: Confirm that cybersecurity controls are robust and well-documented, and ensure IT vendors’ cybersecurity measures meet regulatory standards.
  • Maintain Open Communication: Establish a communication plan to respond promptly to examiner requests, and keep stakeholders informed about the exam progress and any findings.
  • Leverage External Expertise: Engage third-party specialists, such as Johnson Lambert, to assist with IT review readiness or provide examination support if necessary.

Do not let examinations be a source of stress and uncertainty. Contact us today to learn more about how our thorough and effective IT review services contribute to your company’s commitment to financial strength and regulatory compliance.

Greg Daniel

Managing Director
