The financial reporting changes tied to IFRS 17 will lead to more detailed and more understandable information about insurance contract accounting. The new IFRS 17 operating model is based on a highly complex accounting standard with far-reaching implications for the business and IT architecture. This is especially true for accounting, actuarial, performance management and governance processes as well as for the technical solution, particularly data flows and the supporting application architecture.
Though many IFRS 17 projects are moving towards the finishing line, the majority of adopters are still facing challenges as set out above. Deloitte has conducted the "IFRS 17 Global Peer Snapshot" [1] - a comprehensive market survey - which involved over 20 international insurance groups. It has been concluded that "end-to-end data flow" remains one of the biggest issues. Data complexity as a result of various drivers - especially data delivery and data processing - was identified as one of the main reasons. According to the survey, common related issues include decentralized processes such as data integration, data validation and cash flow generation. A traceable and comprehensively documented audit trail is essential for ensuring auditability within the IFRS 17 business process and system landscape.
Below we highlight selected challenges relating to IFRS 17 end-to-end auditability.
Internationally operating insurance companies in particular need to comply with both international and local requirements: relevant laws and regulations for insurance companies include the VAG [2], HGB [3] / GOB [4] and - in the context of IT operations and data - also the GoBD [5], the VAIT [6], GDPR [7] and BDSG [8]. Furthermore, a significant number of audit standards and regulations issued by standard-setting bodies like IDW [9], IAASB [10] and IIA [11] must be complied with. Complying with all relevant regulatory requirements on a continuous basis is a tough task that requires an ongoing effort, as there are frequent changes, additions, and updates to requirements.
In many companies, IFRS 17 leads to a changed governance model in the finance, actuarial and risk functions. Examples are new or adjusted roles and responsibilities within both the actuarial and finance departments and new or adjusted outsourcing contracts. Among other changes, committees and boards responsible for setting and approving IFRS 17 model assumptions are being established, the roles of closing managers and financial reporting teams are changing, and new shared service structures and third-party vendors are being set up. Furthermore, the interactions between group entities and local business units change. These adjustments and sometimes significant changes must comply with the laws and regulations outlined above. Evidence of such compliance needs to be maintained for audit purposes. The governance model implemented around the IFRS 17 solution will be a focus topic for the upcoming first IFRS 17 audits. Example questions auditors are likely to ask may be:
New actuarial, accounting and risk processes must be seamlessly documented, both with respect to design and implementation. Detailed process documentation - such as the internal control system over financial reporting - forms the basis for auditors to assess risks and controls and scope their audit accordingly. Questions that auditors may ask are:
For many IFRS 17 adopters the underlying data architecture and data flow have changed significantly. Seamless data audit trails are required from the balance sheet and P&L level all the way back to the relevant source system transaction and master data (e.g. core systems, economic and non-economic assumption modelling, interest curve determination). Furthermore, the complexity of designing and implementing controls around data access, data protection and regulatory data management requirements should not be underestimated. Conflicting legal and regulatory requirements across a multi-jurisdiction environment can be a further driver of effort. Example audit focus areas may be:
Besides implementing a standalone IFRS 17 subledger solution, many companies have used the IFRS 17 momentum to upgrade their finance IT architecture (e.g. establishing data pools, migrating SAP to S/4HANA). The advancements made in finance landscapes have led to an increase in functionality, usability, and process efficiencies. With such advancements, IT security and risk mitigation need to be taken into account. From our experience, typical security pitfalls can be seen in the areas of hybrid environments, user enablement and vulnerability management. If applicable, risks associated with using outsourcing and cloud service providers should be considered. Insurers need to ready themselves for continued compliance with all relevant regulatory requirements (e.g. VAG, MaGo, VAIT). Example aspects auditors may focus on are:
The aspects described above serve to provide a brief overview of the most common and most frequent challenges insurers are facing within the context of IFRS 17 end-to-end audit requirements. Auditability needs to be guaranteed vis-à-vis all stakeholders from the very beginning. If not already done, it is thus essential to address the topics discussed in this article as a matter of urgency.
A risk-based ex-post adjustment and implementation of these legal requirements can be achieved by applying our "Deloitte Audit Readiness Assessment & Remediation Approach". With this approach, shortcomings are identified, and prioritized implementation and remediation measures can be considered before an unsatisfactory audit report.
From our point of view, further close collaboration of all relevant parties, including internal and external auditors, significantly contributes to sustainable IFRS 17 operational success.
Finally, one thing is for sure: a well-planned, coordinated, tested, and documented handover of all project milestones - after audit signoff as considered appropriate in the individual circumstances - is likely to significantly contribute to smoothly functioning operations under IFRS 17. Continuous audit involvement is even more crucial where third parties rely on the IFRS 17 platform and require assurance in this regard.
1 Deloitte, 2020 IFRS 17 Global Peer Snapshot
2 Insurance supervision law
3 German Commercial Code
4 Base Principles of Proper Accounting
5 Principles for properly maintaining and storing books, records, and documents in electronic form and for data access
6 Supervisory Requirements for IT in Insurance Undertakings
7 General Data Protection Regulation
8 Federal Data Protection Act
9 Institute of Auditors in Germany
10 The International Auditing and Assurance Standards Board
11 Institute of Internal Auditors