
Internal control readiness for health plans subject to the Model Audit Rule and Own Risk and Solvency Assessment

By: Lauren Shaw | Purnima Renjen

Talking points

  • The health plan sector faces mounting cost pressure in 2026, driven by operational complexity and rising compliance spend.
  • Model Audit Rule (MAR) controls readiness and Own Risk and Solvency Assessment (ORSA) compliance can help contain these expenses. 
  • By strengthening internal controls, health plans can potentially reduce MAR and ORSA compliance costs and redirect savings to patient care.

The start of each year typically brings a wave of new priorities to health plans. This year it also brought something else to the sector: a perfect storm of tax policy and regulatory change beginning January 1. With the expiration of enhanced Affordable Care Act (ACA) premium tax credits and new federal tax legislation tightening health care funding, health plans are facing serious pressure to keep the cost of regulatory compliance from rising.

One potential contributor to higher costs for many insurers is compliance with the National Association of Insurance Commissioners (NAIC) Model Audit Rule (MAR). MAR applies to insurers with more than $500 million in direct written and assumed premiums.[1] Organizations that meet this threshold are often subject to the NAIC Own Risk and Solvency Assessment (ORSA) requirements as well.

The good news: There are practical ways to meet these demands without letting compliance overhead spiral. In this blog, we’ll explore effective methods to help you keep pace with change, strengthen internal controls, and reduce the overall cost of MAR and ORSA compliance.

MAR and ORSA readiness

So, what are the costs of MAR and ORSA compliance? First, once the MAR threshold is crossed, an internal audit function should be established within one year, and the insurer is required to file a report on internal control effectiveness within two years. ORSA calls for a comprehensive, enterprise-wide evaluation of material risks and solvency positions for insurance companies subject to MAR rules.

Failure to meet MAR and ORSA requirements opens insurers up to regulatory scrutiny, enforcement actions, and reputational damage. Delayed compliance may also disrupt business operations and impact stakeholder trust. Timely action protects continued market credibility and avoids penalties. 

Why readiness matters

Reducing the cost of internal control readiness and compliance can deliver meaningful financial benefits for organizations subject to MAR and ORSA requirements. By streamlining implementation, health plans can capture savings and redirect them to patient care and other patient-facing programs. At a time when health insurance costs are rising, shifting resources from regulatory effort to care can make a tangible difference for patients, caregivers, and other stakeholders. 

Leading practices for MAR/ORSA implementation

Drawing on Deloitte’s MAR readiness framework, the steps below highlight key focus areas for health plan providers as they prepare for MAR/ORSA compliance:

  • Scope and risk assessment: Start by assessing and prioritizing risks, including mapping the relevant processes and systems. Then review existing compliance activities to identify overlap across MAR, the Sarbanes-Oxley Act (SOX), and System and Organization Controls (SOC) audits.
  • Identify and document controls: Develop clear business process narratives and flowcharts, and define and document control ownership, roles and responsibilities, and escalation paths.
  • Perform controls testing: Conduct walkthroughs and design operating-effectiveness testing procedures. Identify potential control overlap (for example, multiple controls addressing the same risk), evaluate and document control effectiveness, and actively manage testing progress by escalating issues and tracking remediation activities as needed.
  • Execute the remediation process: Consolidate testing results and translate them into management-ready reporting (including dashboards, where helpful). Collaborate with stakeholders to remediate deficiencies, update control design and documentation, and recommend enhancements to strengthen ongoing oversight.
  • Ongoing monitoring: Put repeatable monitoring routines in place and establish a cadence for retesting as processes, systems, and the control environment evolve.

Benefits of regulatory and internal controls readiness

There is no doubt that proactive planning for MAR implementation and ORSA compliance delivers a breadth of benefits—from enabling organizations to meet compliance requirements and reducing external costs to improving their use of internal resources by understanding and assessing their internal controls and risk environment. Other potential advantages include the ability to better plan for change, create synergies, reduce disruption, enhance communication and collaboration, and increase transparency and insight for those charged with governance. 

What role can Deloitte play?

Deloitte can advise health plan providers as they navigate the opportunities and challenges of preparing for and implementing Model Audit Rule and Own Risk and Solvency Assessment requirements. We combine a best-in-class MAR readiness framework with deep knowledge and experience in insurance regulatory matters, controls, governance, and risk management. To learn more, visit our services page and get in touch with one of our leaders.

Endnote

1. Excludes premiums reinsured with the Federal Crop Insurance Corporation and Federal Flood Program.

The services described herein are illustrative in nature and are intended to demonstrate our experience and capabilities in these areas; however, due to independence restrictions that may apply to audit clients (including affiliates) of Deloitte & Touche LLP, we may be unable to provide certain services based on individual facts and circumstances.

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

Copyright © 2026 Deloitte Development LLC. All rights reserved.

Get in touch

Lauren Shaw

United States
Audit & Assurance Principal

Lauren is a leader in Deloitte & Touche LLP’s Internal Audit market offering specializing in life sciences and health care. She brings a wealth of knowledge leveraging internal audit as a strategic enabler to drive operational excellence and foster innovation within complex organizations. Her career is distinguished by a commitment to elevating internal audit functions through the strategic integration of emerging technologies and data analytics, enabling more insightful risk assessments and value-added recommendations. Lauren leads cross-functional teams, cultivating a culture of continuous improvement, and aligning audit strategies with organizational objectives. Her approach emphasizes proactive risk management, stakeholder engagement, and the implementation of forward-thinking solutions that can enhance governance and compliance frameworks. She brings deep industry knowledge, a practical approach to risk management, and a history of advising health care organizations on navigating complex challenges and driving strategic value.