Preparing for Model Audit Rule and ORSA requirements across the insurance industry

Talking points

• Rising regulatory compliance expenses are adding to the cost pressures insurers already face.
• Preparing early for Model Audit Rule (MAR) and Own Risk and Solvency Assessment (ORSA) requirements can help insurers keep costs in check.
• Timely action by insurers subject to MAR and ORSA compliance also supports market credibility and stakeholder trust.

As insurance costs continue to rise across the United States, insurers and customers alike are feeling the squeeze. From higher losses tied to auto repair and medical inflation to more frequent and severe property disasters, claim costs are coming in hot.

But it’s not just claims taking a bite; regulatory compliance costs are also increasing for carriers. That includes potentially higher expenditures for insurers subject to the National Association of Insurance Commissioners (NAIC) Model Audit Rule (MAR) and Own Risk and Solvency Assessment (ORSA) requirements.

MAR and ORSA often become applicable at the same time, creating a narrow window to build sustainable capabilities across internal controls, risk management, and reporting. Without adequate planning, unexpected compliance costs can sneak up on insurers required to comply with these rules. In this edition of The Pulse Blog , we’ll delve into those costs and how planning and readiness can help keep them from spiraling.

Understanding the requirements

MAR applies to insurers with more than $500 million in direct written and assumed premiums.1 Once an insurer exceeds the threshold, expectations accelerate quickly: the audit committee is required to maintain a supermajority (greater than 75%) of independent members, an internal audit function should be established within one year , and the insurer is required to file a report on internal control effectiveness within two years.

Separately, insurers meeting this premium threshold are also subject to ORSA requirements. ORSA calls for a full, enterprise-wide assessment of an organization’s material risks and solvency position—connecting risk appetite, capital adequacy, and governance practices into a cohesive view of resilience. ORSA should be used to inform strategic decisions like pricing, reinsurance, capital allocation, and M&A, rather than simply focusing on compliance, to get the full benefit.

Why readiness matters

MAR and ORSA are more than check-the-box compliance exercises. A delayed or incomplete approach can result in higher audit and compliance costs, increased financial and operational risk, regulatory scrutiny, potential enforcement actions, and reputational harm.

Failure to meet MAR and ORSA requirements can also disrupt day-to-day operations as teams scramble to respond to regulators, compliance functions, and auditors. Timely action supports market credibility, preserves stakeholder trust, and reduces the likelihood of costly remediation under pressure.

Using the same framework for both MAR and ORSA

Both MAR and ORSA require robust model governance. MAR requires documented internal control over financial reporting (ICFR); ORSA’s capital and solvency models rely on this same actuarial and financial data, so weaknesses in ICFR exposed by MAR compliance directly undermine ORSA creditability.

In practice, most companies use a single model governance framework to satisfy both MAR and ORSA requirements. An effective approach is to build an integrated assurance framework in which:

• Model governance standards are consistent between MAR and ORSA;
• Internal audit covers both financial reporting controls and ORSA process integrity; and
• Documentation is structured once and referenced by both processes.

This approach avoids duplication of effort and presents a cohesive picture to regulators across both filings.

A practical, risk-based approach to readiness

MAR and ORSA readiness starts with board-level ownership and clear accountability, then a targeted scoping and risk assessment to pinpoint material risks. From there, organizations can apply practical, repeatable steps drawn from Deloitte’s MAR/ORSA readiness framework.

MAR implementation steps

• Identify and document controls: Create process narratives and flowcharts; clarify control ownership, roles, responsibilities, and escalation paths.
• Perform controls testing: Run walkthroughs and design/operating effectiveness testing to identify overlap and document effectiveness; manage testing progress.
• Execute remediation: Consolidate results and translate findings into management-ready reporting.
• Ongoing monitoring: Establish repeatable monitoring routines and a retes ting cadence as processes, systems, and controls evolve.

ORSA implementation steps

• Define risk appetite statements: Set quantitative and qualitative benchmarks for solvency assessment.
• Develop/refine the capital model: Perform stress testing and forward-looking scenario analysis to assess capital adequacy under stress.
• Project solvency over the planning horizon: Integrate the business plan with risk and capital assessments.
• Verify data quality: Confirm actuarial systems and reporting tools support modeling and documentation needs.
• Compile the internal ORSA report: Maintain a living summary of risk profile, capital assessment, and management actions.

What role can Deloitte play?

Organizations often need specialized experience and scalable execution to meet tight MAR and ORSA timelines without overwhelming the business. Deloitte brings deep MAR and ORSA experience, broad insurance industry knowledge, and hands-on capabilities across internal and external audit—supported by a risk-based methodology focused on what matters most. We also use innovative tools to improve coordination and efficiency.

To learn more, visit our Accounting, Controls & Reporting Advisory page or Audit & Assurance Services for the Financial Services Industry page. You can get in touch with one of our leaders or reach out to us with any questions.

Endnotes

 1.  Excludes premiums reinsured with the Federal Crop Insurance Corporation and Federal Flood Program.

The services described herein are illustrative in nature and are intended to demonstrate our experience and capabilities in these areas; however, due to independence restrictions that may apply to audit clients (including affiliates) of Deloitte & Touche LLP, we may be unable to provide certain services based on individual facts and circumstances.

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Copyright © 2026 Deloitte Development LLC. All rights reserved.