IFRS 17 Auditability
Is your IFRS 17 solution audit-ready?
New IFRS 17 operating models need to be auditable and transparent to third-party experts: internal and external auditors are preparing for and performing the first IFRS 17 audits. Are you 'audit ready'? After multiple years of intense implementation work, a non-satisfactory audit report would be the worst case.
The financial reporting changes tied to IFRS 17 will lead to more detailed and more understandable information about insurance contract accounting. The new IFRS 17 operating model is based on a highly complex accounting standard with far-reaching implications for the business and IT architecture. This is especially true for accounting, actuarial, performance management and governance processes as well as for the technical solution, particularly data flows and the supporting application architecture.
Though many IFRS 17 projects are moving towards the finishing line, the majority of adopters are still facing the challenges set out above. Deloitte has conducted the "IFRS 17 Global Peer Snapshot" [1], a comprehensive market survey involving over 20 international insurance groups. The survey concluded that "end-to-end data flow" remains one of the biggest issues. Data complexity resulting from various drivers, especially data delivery and data processing, was identified as one of the main reasons. According to the survey, common related issues include decentralized processes such as data integration, data validation and cash flow generation. A traceable and comprehensively documented audit trail is essential for ensuring auditability within the IFRS 17 business process and system landscape.
Below we highlight selected challenges relating to IFRS 17 end-to-end auditability.
Regulatory and legal requirements: still a black box or already an open book?
Internationally operating insurance companies in particular need to comply with both international and local requirements: relevant laws and regulations for insurance companies include the VAG [2], HGB [3] / GoB [4] and, in the context of IT operations and data, also the GoBD [5], the VAIT [6], GDPR [7] and BDSG [8]. Furthermore, a significant number of audit standards and regulations issued by standard-setting bodies such as the IDW [9], IAASB [10] and IIA [11] must be complied with. Complying with all relevant regulatory requirements on a continuous basis is a tough task that requires ongoing effort, as requirements are frequently changed, supplemented and updated.
Assessment domains: these topics will definitely be within the scope of upcoming IFRS 17 audits
Governance, organization and people
In many companies, IFRS 17 leads to a changed governance model in the finance, actuarial and risk functions. Examples are new or adjusted roles and responsibilities within both the actuarial and finance departments and new or adjusted outsourcing contracts. Committees and boards responsible for setting and approving IFRS 17 model assumptions are being established, the roles of closing managers and financial reporting teams change, and new shared service structures and third-party vendors are set up, amongst others. Furthermore, the interactions between group entities and local business units change. These adjustments, and sometimes significant changes, must comply with the laws and regulations outlined above, and evidence of such compliance needs to be maintained for audit purposes. The governance model implemented around the IFRS 17 solution will be a focus topic for the upcoming first IFRS 17 audits. Questions auditors are likely to ask include:
- How are changes in governance organized and managed (processes, rules, roles/parties, risk assessments, policies, documentation)?
- How are new roles and responsibilities documented and organized?
- Which relationship changes in the context of (intra-group) outsourcing have been necessary; how are these managed and documented?
- Can you ensure SoD (Segregation of Duties) conflicts are detected and technically prevented across different applications, e.g. to avoid conflicts of interest?
- Can you demonstrate that the four eyes principle is consistently implemented and complied with?
- Can you prove that users of the IFRS 17 solution only have the minimum access rights needed for their respective roles?
Policies and processes
New actuarial, accounting and risk processes must be seamlessly documented, both with respect to design and implementation. Detailed process documentation - such as the internal control system over financial reporting - forms the basis for auditors to assess risks and controls and scope their audit accordingly. Questions that auditors may ask are:
- Have all relevant guidance and instructions with regard to IFRS 17/9 closing, valuation, approval and reporting processes been established and documented?
- Have (key-) controls been appropriately designed and implemented for each of the identified operational process risks?
- Are modeling assumptions (incl. decision-making) well documented?
For many IFRS 17 adopters the underlying data architecture and data flows have changed significantly. Seamless data audit trails are required from the balance sheet and P&L level all the way back to the relevant source system transaction and master data (e.g. core systems, economic and non-economic assumption models, interest curve determination). Furthermore, the complexity of designing and implementing controls around data access, data protection and regulatory data management requirements should not be underestimated. Conflicting legal and regulatory requirements across a multi-jurisdiction environment can be a further driver of effort. Example audit focus areas may be:
- Are all relevant data flows resulting from the conversion, migration and/or aggregation of data pools and actuarial valuation models documented appropriately?
- What data reconciliation and validation controls are in place, e.g. to other Generally Accepted Accounting Practice (GAAP) frameworks?
- How is data quality ensured and measured? What data security and data separation controls have been implemented?
- Do you use a consistent data classification and protection schema within the data architecture?
IT and infrastructure
Besides implementing a standalone IFRS 17 sub-ledger solution, many companies have used the IFRS 17 momentum to upgrade their finance IT architecture (e.g. establishing data pools, migrating SAP to S/4HANA). These advancements in the finance landscape have increased functionality, usability and process efficiency. They also bring IT security risks that must be assessed and mitigated. From our experience, typical security pitfalls lie in the areas of hybrid environments, user enablement and vulnerability management. Where applicable, the risks associated with using outsourcing and cloud service providers should also be considered. Insurers need to ready themselves for continued compliance with all relevant regulatory requirements (e.g. VAG, MaGo, VAIT). Example aspects auditors may focus on are:
- Identity and access management: is there a comprehensive set of guidelines and procedures in place for IAM, e.g. for authorization, (de-)provisioning, recertification, reconciliation? Can all authorizations, including those provided to technical users, be mapped to responsible individuals?
- Segregation of duties: is an appropriate and documented segregation of duties in place for all new IT architecture components (for all applications), which cannot be circumvented?
- Infrastructure security and cryptography/encryption: is there adequate logical and physical separation between the application's staging environments (e.g. development, test and production), reliable backup, and cryptographic key management, as well as a formal and tested IT service continuity plan (ITSCM)?
- Is there an appropriate third-party management process in place?
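The access-control questions in the two lists above (SoD conflicts across applications, the four-eyes principle, least-privilege access, and mapping technical users to accountable individuals) are the ones that can be answered with evidence from an IAM reconciliation extract rather than with policy documents. The following Python script is an added example, not part of the article and not Deloitte tooling: it runs those four checks over a constructed extract. The applications, roles, users, SoD rules and role baseline are all hypothetical and would be replaced by the insurer's own authorization concept.

```python
"""Added example: access-control checks over an IAM entitlement extract.
All applications, roles, users, rules and records below are constructed for
illustration; none of them come from the article or from any real system."""
from collections import defaultdict, namedtuple

# One row per granted entitlement, as an IAM reconciliation report would export it.
# 'owner' is the accountable individual/team for a technical (non-personal) account.
Grant = namedtuple("Grant", "user role app app_role technical owner")

# Hypothetical SoD rules: two (app, app_role) entitlements that must never be held
# by the same user. The third rule spans two applications, which is exactly the
# case a single application's own SoD check cannot see.
SOD_RULES = [
    (("actuarial_engine", "assumption_editor"), ("actuarial_engine", "assumption_approver")),
    (("ifrs17_subledger", "journal_poster"), ("ifrs17_subledger", "journal_approver")),
    (("ifrs17_subledger", "journal_poster"), ("iam", "role_admin")),
]

# Hypothetical least-privilege baseline: the maximum entitlements per business role.
ROLE_BASELINE = {
    "actuary": {("actuarial_engine", "assumption_editor"), ("datapool", "reader")},
    "accountant": {("ifrs17_subledger", "journal_poster"), ("datapool", "reader")},
    "closing_manager": {("ifrs17_subledger", "journal_approver"), ("datapool", "reader")},
    "service": {("datapool", "writer")},
}

# Constructed sample extract (not real data).
ENTITLEMENTS = [
    Grant("amueller", "actuary", "actuarial_engine", "assumption_editor", False, None),
    Grant("amueller", "actuary", "actuarial_engine", "assumption_approver", False, None),
    Grant("bschmidt", "accountant", "ifrs17_subledger", "journal_poster", False, None),
    Grant("bschmidt", "accountant", "iam", "role_admin", False, None),
    Grant("cweber", "closing_manager", "ifrs17_subledger", "journal_approver", False, None),
    Grant("svc_etl_loader", "service", "datapool", "writer", True, "it-ops-finance"),
    Grant("svc_batch_post", "service", "ifrs17_subledger", "journal_poster", True, None),
]

# Constructed journal log used for the four-eyes check (not real data).
JOURNALS = [
    {"id": "J1", "posted_by": "bschmidt", "approved_by": "cweber"},
    {"id": "J2", "posted_by": "bschmidt", "approved_by": "bschmidt"},
    {"id": "J3", "posted_by": "svc_batch_post", "approved_by": None},
]


def sod_conflicts(entitlements, rules):
    """Return (user, grant_a, grant_b) for every rule both halves of which a user
    holds, regardless of which applications the two grants live in."""
    held = defaultdict(set)
    for g in entitlements:
        held[g.user].add((g.app, g.app_role))
    return sorted((user, a, b) for user, grants in held.items()
                  for a, b in rules if a in grants and b in grants)


def excess_privileges(entitlements, baseline):
    """Return (user, app, app_role) for grants outside the user's role baseline.
    An unknown business role has an empty baseline, so all its grants are excess."""
    return sorted((g.user, g.app, g.app_role) for g in entitlements
                  if (g.app, g.app_role) not in baseline.get(g.role, set()))


def unowned_technical_users(entitlements):
    """Technical accounts whose authorizations cannot be mapped to a responsible person."""
    return sorted({g.user for g in entitlements if g.technical and not g.owner})


def four_eyes_violations(journals):
    """Journal ids approved by their own poster or not approved at all."""
    return sorted(j["id"] for j in journals
                  if not j["approved_by"] or j["approved_by"] == j["posted_by"])


if __name__ == "__main__":
    for name, result in [
        ("SoD conflicts", sod_conflicts(ENTITLEMENTS, SOD_RULES)),
        ("Excess privileges", excess_privileges(ENTITLEMENTS, ROLE_BASELINE)),
        ("Unowned technical users", unowned_technical_users(ENTITLEMENTS)),
        ("Four-eyes violations", four_eyes_violations(JOURNALS)),
    ]:
        print(f"{name}:")
        for finding in result:
            print("  ", finding)
```

Run as-is, the script flags the actuary who can both edit and approve assumptions, the accountant whose IAM admin role lets him circumvent the posting/approval split, the unowned batch account that posts journals, and the two journals that lack an independent approver. The value for an audit lies in running such checks on every recertification cycle and retaining the findings and their remediation as evidence, not in the one-off result.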
Summary and recommendations: the path to becoming "audit-ready"
The aspects described above provide a brief overview of the most common challenges insurers are facing in the context of IFRS 17 end-to-end audit requirements. Auditability needs to be guaranteed vis-à-vis all stakeholders from the very beginning. If not already done, it is thus essential to address the topics discussed in this article as a matter of urgency.
A risk-based, ex-post review and implementation of these legal requirements can be achieved by applying our "Deloitte Audit Readiness Assessment & Remediation Approach". With this approach, shortcomings are identified and prioritized, and remediation measures can be taken before a non-satisfactory audit report is issued.
From our point of view, further close collaboration of all relevant parties, including internal and external auditors, significantly contributes to sustainable IFRS 17 operational success.
Finally, one thing is for sure: a well-planned, coordinated, tested and documented handover of all project milestones, after audit sign-off where appropriate in the individual circumstances, is likely to contribute significantly to smoothly functioning operations under IFRS 17. Continuous audit involvement is even more crucial where third parties rely on the IFRS 17 platform and require assurance in this regard.
[1] Deloitte, 2020 IFRS 17 Global Peer Snapshot
[2] VAG: Insurance Supervision Act (Versicherungsaufsichtsgesetz)
[3] HGB: German Commercial Code
[4] GoB: Principles of Proper Accounting
[5] GoBD: Principles for properly maintaining and storing books, records and documents in electronic form and for data access
[6] VAIT: Supervisory Requirements for IT in Insurance Undertakings
[7] GDPR: General Data Protection Regulation
[8] BDSG: Federal Data Protection Act
[9] IDW: Institute of Public Auditors in Germany
[10] IAASB: International Auditing and Assurance Standards Board
[11] IIA: Institute of Internal Auditors