Executives at non-public insurance companies preparing to comply with the industry’s version of Sarbanes-Oxley Section 404 may be able to learn something from their pubic-company counterparts.

A new report published by internal controls consulting firm Lord & Benoit and based on data from Audit Analytics identifies the material weaknesses in internal controls over financial reporting at 415 publicly held insurance companies during a five-year period.

The findings may be of interest to non-public insurance companies preparing for the National Association of Insurance Commissioners’ new Annual Financial Reporting Model Regulation, which takes effect Jan. 1, 2010.

The regulation requiring annual audited financial reports, commonly known as the Model Audit Rule, was amended in 2006 to require all insurance companies to have audit committees with a certain percentage of independent members and to require insurance companies with $500 million or more in direct and assumed premiums file a report with the state insurance department regarding its assessment of internal control over financial reporting.

Pending the adoption of the Model by individual states, the report’s co-authors, Bob and Kristina Benoit, note that non-public insurance companies will be required to comply with various SOX-type provisions, while public insurers that are already SOX-compliant will be subject to additional reporting requirements regarding their statutory financial statements. The 42-page report includes a summary of the internal control reports of the insurance companies with material weaknesses in ICFR in years ending 2004-2008.

“When we drilled down into insurance company ICFR weaknesses, we saw a full spectrum of reportable deficiencies,” Bob Benoit tells Compliance Week. Among them: proper accounting for income taxes, including the allocation of its income tax provision (benefit) among income from continuing operations and other comprehensive loss, and significant audit adjustments and segregation of duties.

Further deficiencies included accounting of insurance policy benefits, liabilities for insurance products, value of policies enforced at the effective date, revenue recognition, actuarial reporting processes and recording of certain reinsurance transactions with affiliated companies. Reportable IT weaknesses included access to information technology applications and infrastructure, unauthorized users, lack of policies and procedures governing information technology, security, and logging and monitoring of servers and databases.

The authors note that insurers looking to comply with the NAIC Model Regulation for the first time might want to look at reports issued in the year 2004, when many companies had a significant list of reportable material weaknesses. Another surge was reported in 2007 when smaller public companies reported control weaknesses for the first time. However, the authors note that the management assessments weren’t subject to auditor attestation, as required by the NAIC Model Regulation, “so the 2004 year may still be a better comparison for first-time compliance.”