Auditor insights - IFRS 17 actuarial transition audits

What we wished we knew a year ago


It is IFRS 17 transition audit season. Our clients with December year-ends are by now knee deep, if not up to their noses, in calculations and auditor discussions. Through being involved with our various clients’ transition audits (through both audit and advisory work), we have valuable insights on what auditors are expecting from clients, what is good practice, and what are some of the key areas for insurers to watch out for up front. For insurers making ready to jump into the IFRS 17 transition audit, or just dipping their toes, we share what we wished we knew a year ago. For insurers currently undergoing IFRS 17 transition audits, this article provides useful context.

Summary

Given the heavy actuarial component of transition exercises we’ve seen, internal controls and their evidencing seems to be one of a key challenge in actuarial IFRS 17 transition audits. Control evidence is essential in complex audits such as these, where there is heavy reliance on data and the volume of transaction flow is high. In such cases, substantive procedures alone do not provide sufficient and appropriate audit evidence. We have seen examples where controls are seen as either not appropriately designed, not implemented as designed, or not properly evidenced. A spreadsheet with checks by itself is not seen as a control – a control is broader concept speaking to the whole governance around the transition process. Controls are specifically designed to prevent, detect or correct potential misstatements.

Another challenge being experienced is in the area of all fully retrospective cohorts – demonstrating to external audit that the correct historic data, assumption sets and, where relevant, models have been used in the calculations, avoiding the re-audit of these historic components as far as possible. Management sign-off or review of these items is unlikely to meet this requirement. Solid evidence needs to be provided that the IFRS 17 transition data, assumptions and, where relevant, models, are materially in line with what was used and audited in the past.

If it is still feasible, a conversation with your client, whether in an audit or advisory capacity, on these topics well before the transition process is started is really crucial – it provides a much better opportunity for you and the client to get on the same page in terms of what control evidence you would need to see and what checks and reconciliations you would expect them to produce as part of the transition exercise. It is much easier to have this conversation in advance as opposed to asking or advising your client to build all of this in mid-flight.

Aren’t actuaries control freaks already?

What we have seen so far across the industry is that the IFRS17 transition exercise is driven heavily or predominantly by insurers’ actuarial teams, with the finance teams largely assisting. One of the consequences of such an actuarially-driven process relates to controls built around the transition calculations. The average actuary, particularly one within a traditional insurer space, is generally not well educated on the accounting and audit understanding/definition of what a control is and what a control is not (which is not unexpected). As a result, we are seeing examples of insurer transition teams running into problems demonstrating a robust control environment to their external auditors around their transition calculations.

As an example, consider the following scenario we frequently come across: After being asked for internal control evidence, the insurer provides the auditor with documentation on the transition process and some spreadsheet checks. The auditor comes back being happy with these but asks for evidence of controls, leaving the insurer somewhat perplexed – “what do you mean? I just showed you my spreadsheets?”

Then what is a control? 

Internal controls speak to governance (the ‘checks and balances’) around the transition process. A spreadsheet with checks by itself is not seen as a control in an accounting/auditing space – a control is a broader concept. It is not enough for a check to exist – that in itself is not a control. A proper control would also include evidence of what the check does, it is also information on who the check was performed by, when the check was performed, who reviewed it on what date and what governance the check went through (i.e. have the results of the check being presented at any relevant forums, such as an internal steerco, management sign-off meeting or an actuarial committee). Additionally, information may be required such as “What is the threshold for investigation/follow up?”, “What data or IT report does the control itself depend on?”, etc.

What are some of the suggested actions to take?

The key to having good internal controls is to ensure you clearly document information around the controls before sending files to your auditor. This will save you the effort of having to go back and ‘formalise’ your checks into internal controls during the audit. Each valuation team must apply their minds to how they will develop robust evidencing and internal controls.

Why are controls important?

Remember, an auditor has two options when deciding on an audit approach – combined (control testing and substantive procedures) or purely substantive. If controls are found to be weak or insufficient, this is where the audit team opens up the bonnet and deep-dives into the nitty-gritty of the calculations or processes to verify for themselves that the process works. From experience, the more controls-based the approach is, the less onerous and painful for an insurer compared to a fully substantive audit approach. So, the stronger the controls, the less likely it is that the auditor will re-audit numbers via a full-on substantive deep-dive. If controls are weak, then auditors will not be able to place reliance on controls and will have to spend a lot more time and effort interrogating management and the exact details of their workings. Control evidence is essential in complex audits such as IFRS 17 transition audits, where there is heavy reliance on data and the volume of transaction flow is high. In such cases, substantive procedures alone are just not enough to fully address the risks, and a robust, well-designed and effective control environment is essential for as painless an audit as possible.

“Fully retrospective transition calculations is not a trust-based exercise”

Applying the fully retrospective approach for any line of business, particularly the further back one looks, is not a trivial exercise. An insurer would need to go back and collect historic policyholder data, assumption sets and potential valuation models, some of which have not been used for a number of years. One of the crucial bodies of evidence that an insurer would need to present to its auditors for the fully retrospective calculation is sufficient proof that such historic models, assumptions and results are the ones that are meant to be used, are reflective of the business at that point in time, and have not been damaged or tampered with since their last use. If this cannot be sufficiently proven, in theory, the auditor would need to go and re-audit all such historic artefacts – which is a monumental task…

An ideal solution would be to give the auditors comfort that the items referred to above tie in to some non-IFSR17 metrics that have already been audited. They cannot take the prior year numbers for granted, and evidence such as “product/segment management confirmed these are the right assumption sets to use” is in most cases not accepted as valid audit evidence. Insurers should do what they can to avoid having the auditor re-audit prior years.

What are ways to meet this hurdle?

The answer to this can depend on the exact approach an insurer is taking towards the fully retrospective calculations. We’ve seen two broad approaches being used in the industry:

  • one that “reanimates” historic models and with some (usually relatively minor) modifications uses those, together with historic data and assumption sets to produce historic numbers;

  • the other that uses the most current IFRS17-compliant set of models, and feeds historic data sets and assumptions (often with modifications to enable the new model to accept them) through this model to produce its fully retrospective results.

With the “reanimate historic models” approach, we often see our clients drawing a link between the IFRS 17 BEL and the SAM BEL that was signed off during prior year audits. This speaks to proving the historical model, data inputs and assumptions were correct at the time. This is potentially one of the easiest ways to prove correct model, data and assumptions – re-run of this reanimated model materially matches what was audited and signed off at the time, therefore ticking all three boxes in one go, without the need to dig deeper. It then becomes important what you are comparing these produces results against - management sign-off or review of these numbers will generally not meet the hurdle, and a tie-in to a number that was known to have been audited carries more weight.

The above recon is not too onerous for the last few years where SAM has been audited. This gets harder to prove in years where SAM was not audited, and even more so pre-SAM. If the bridge from a prior audited number to the IFRS 17 number cannot be proven, the auditors would need to do additional work to gain comfort. An additional complication we have seen is doing such reconciliations for initial recognition BEL numbers – while this is crucial to kickstart the CSM process, the initial recognition/new business BEL is not something that was traditionally a focus of any SAM calculations or audits. We see that providing sufficient evidence around the new business cohorts, their data, assumptions and models is proving trickier than just a full in-force book at a point in time.

Furthermore, following on from the previous section, providing the recon is a good starting point, but what is equally important is the governance around pre-transition numbers and having accurate documentation.

For the “use current model with historic data and assumptions” approach, which we see some of our clients doing, tying back the numbers produced by prior year models to numbers from current models becomes more complicated, particularly the further back one looks. There may have been various modelling changes over the years, or the data fields, their granularity, or extent and variety of assumptions might have changed, complicating such recons. Proving a tie-in to a historically audited number becomes a much harder task.

In the above scenario, management needs to provide robust evidence that the IFRS 17 transition data and assumptions are exactly in line with what were used in models at past points in time – and were audited as part the liability number e.g., best estimate demographic assumptions used for transition should be proven to be the same assumptions that were best estimate at past points in time. In terms of data, reference could be made to the sources of data, or the locations stored in, or reconciliations between historic model points and some verifiable, audited data source, could also be done. However, this could be questioned by the auditor – how do we know if this location hasn’t been tampered with, for example? Proof that these inputs were audited and that the file has not been tampered with may also be required.

What are some of the suggested actions to take?

Admittedly the requirements around pre-transition numbers may be very onerous. Being proactive is the best advice that we can give.  Discuss with your client teams up front how they can show that data and assumption inputs in the fully retrospective calculation are the same as the data and assumption inputs previously audited. Confirm what is possible in advance and come to an agreement with either your client’s auditors, or with your client if you are on the audit team, on the approach and what they require. If you have not yet done this, start engaging now, to avoid as many disagreements as one can later on.

Concluding remarks

The key to having good internal controls is specific and clear documentation. The stronger the controls, the less likely it is that the auditor will need to re-audit all of the numbers. If controls are weak, then auditors will not be able to place reliance on controls and will have to do more substantive work. Discuss with your clients, both in advisory and audit capacities, what is possible in terms of proving that pre-transition numbers used in the transition calculations are in fact, audited numbers. Having proactive discussions and agreeing the approach up front is by far the best strategy.

For assistance, advice, or discussion of the contents in this article, please get in touch with us.