(1) Every insurer required to file an audited financial report pursuant to this chapter that has annual direct written and assumed premiums, excluding premiums reinsured with the federal crop insurance corporation and federal flood program, of $500,000,000.00 or more shall prepare a report of the insurer’s or group of insurers‘ internal control over financial reporting, which shall be as of the immediately preceding December 31. The report shall be filed with the commissioner along with the communication of internal control related matters noted in an audit described under section 1017.

  (2) Notwithstanding the premium threshold in subsection (1), the commissioner may require an insurer to file a report of internal control over financial reporting if the insurer is in a risk-based capital level event or meets 1 or more of the standards listed in chapter 4 of an insurer considered to be in hazardous financial condition, or otherwise exhibits signs of a troubled insurer.

  (3) An insurer or a group of insurers that is directly subject to section 404, part of a holding company system whose parent is directly subject to section 404, not directly subject to section 404 but is a SOX compliant entity, or a member of a holding company system whose parent is not directly subject to section 404 but is a SOX compliant entity may file its or its parent’s section 404 report and an addendum in satisfaction of the requirements of this section provided that those internal controls of the insurer or group of insurers having a material impact on the preparation of the insurer’s or group of insurers’ audited statutory financial statements as required in section 1007 were included in the scope of the section 404 report. The addendum shall be a positive statement by management that there are no material processes with respect to the preparation of the insurer’s or group of insurers’ audited statutory financial statements as required in section 1007 excluded from the section 404 report. If there are internal controls of the insurer or group of insurers that have a material impact on the preparation of the insurer’s or group of insurers’ audited statutory financial statements and those internal controls were not included in the scope of the section 404 report, the insurer or group of insurers may either file a report as specified in subsection (1), or the section 404 report and a report as specified in subsection (1) for those internal controls that have a material impact on the preparation of the insurer’s or group of insurers’ audited statutory financial statements not covered by the section 404 report.

  (4) The report of internal control over financial reporting shall include all of the following:

  (a) A statement that management is responsible for establishing and maintaining adequate internal control over financial reporting.

  (b) A statement that management has established internal control over financial reporting and an assertion, to the best of management’s knowledge and belief, after diligent inquiry, as to whether its internal control over financial reporting is effective to provide reasonable assurance regarding the reliability of financial statements in accordance with statutory accounting principles.

  (c) A statement that briefly describes the approach or processes by which management evaluated the effectiveness of its internal control over financial reporting.

  (d) A statement that briefly describes the scope of work that is included and whether any internal controls were excluded.

  (e) Disclosure of any unremediated material weaknesses in the internal control over financial reporting identified by management as of the immediately preceding December 31. Management shall not conclude that the internal control over financial reporting is effective to provide reasonable assurance regarding the reliability of financial statements in accordance with statutory accounting principles if there is 1 or more unremediated material weaknesses in its internal control over financial reporting.

  (f) A statement regarding the inherent limitations of internal control systems.

  (g) Signatures of the chief executive officer and the chief financial officer or his or her equivalent.

  (5) Management shall document and make available upon financial condition examination the basis upon which its assertions, required in subsection (4), are made. Management may base its assertions, in part, upon its review, monitoring, and testing of internal controls undertaken in the normal course of its activities. Management has discretion as to the nature of the internal control framework used, and the nature and extent of documentation, in order to make its assertion in a cost-effective manner and, as such, may include assembly of or reference to existing documentation.

  (6) The office of financial and insurance regulation shall keep confidential the report on internal control over financial reporting, required by subsection (1), and any documentation provided in support thereof during the course of a financial condition examination.

  (7) This section takes effect beginning with the reporting period that ends December 31, 2010. An insurer or group of insurers that is not required to file a report because the total written premium is below the required threshold and subsequently becomes subject to the reporting requirement, whether through business combination or not, shall have 2 years after the year the threshold is exceeded to comply with this section’s reporting requirements.