Internal Controls over Financial Reporting (ICOFR) in Insurance Companies: A CFO's Guide

For a Chief Financial Officer (CFO) in the insurance sector, the job is defined by more than premiums and claims. It's a world where complex regulations, market volatility and a constant drive for operational efficiency converge. Behind every annual report and strategic decision lies a critical - and often under-appreciated - process: Internal Control over Financial Reporting (ICOFR). 

Far from being a mere compliance checkbox, a reliable ICOFR system is the bedrock of trust, accuracy and long-term resilience for any insurer. Let's delve into what ICOFR means for insurance companies, how the global COSO framework provides a roadmap and why applying it is essential for a company's financial health. 

Understanding ICOFR: The core of financial integrity 

In its simplest form, ICOFR is a system of processes and controls designed to ensure that a company’s financial statements are reliable and compliant with relevant accounting standards. The COSO framework (Committee of Sponsoring Organisations of the Treadway Commission) provides the standard for building and maintaining these controls. It's built on five interconnected pillars: 

  • Control environment: The ‘tone at the top’, focusing on an organisation's ethical values, integrity and commitment to competence 
  • Risk assessment: Identifying and analysing risks that could threaten the achievement of financial reporting objectives 
  • Control activities: The policies and procedures that ensure management directives are carried out - this is where the practical controls live 
  • Information & communication: The systems and channels that enable personnel to exchange the information needed to carry out their responsibilities 
  • Monitoring activities: Ongoing evaluations to ensure the other four components are functioning as intended. 

Operationalising ICOFR: Key controls in practice 

For an insurer, translating the COSO framework into action involves establishing controls at different levels of the organisation: 

1. Entity-level controls (ELCs) 

ELCs are the foundation of a control system. They set the stage for all other controls and reflect the ‘tone at the top’. These include: 

  • Corporate governance: A clear governance framework with a well-defined Board and Committee structure is paramount. This includes establishing a robust code of conduct, managing conflicts of interest and setting a clear delegation of authority to prevent misuse of power 
  • Risk management: An effective enterprise risk management (ERM) process and a dedicated fraud risk management framework are crucial for proactively identifying and mitigating threats 
  • Oversight and communication: Regular, transparent communication with the Board and regulatory bodies ensures accountability and quick action on identified control weaknesses. 

2. Process-level controls 

This is where the day-to-day work happens. These controls are embedded within an insurer’s key operational processes, from underwriting to claims and beyond. Key processes include: 

  • Underwriting and claims management: Controls here ensure policies are issued correctly and claims are settled accurately. For example, segregation of duties is vital - the person who approves a claim must be different from the one who processes the payment, and that separation should be enforced in the system's role design, not only checked after the fact 
  • Reinsurance and actuarial: Controls are needed to ensure reinsurance contracts are properly accounted for and actuarial assumptions, especially those for reserves, are reasonable and documented 
  • Finance & investments: Regular reconciliations between sub-ledgers and the general ledger are crucial to ensure investment valuations and financial reporting are accurate. 
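The segregation-of-duties control described under claims management can be checked at two layers: preventively, against the role assignments in the claims and payment systems (no single identity may hold a conflicting pair of roles), and detectively, against the transaction log (no claim may be paid by the same person who approved it, and no payment may exist without an approval). The following is an added example, not code from the article or from BDO; the role names, the conflict matrix, the user IDs and the claim events are all constructed for illustration.

```python
"""Segregation-of-duties checks for a claims process (added example).

The conflict matrix, role assignments and claim events below are
hypothetical sample data constructed for this illustration.
"""
from collections import defaultdict

# Pairs of roles that one person must never hold at the same time.
# Hypothetical matrix; a real insurer derives this from its process design.
CONFLICTING_ROLE_PAIRS = {
    frozenset({"CLAIM_APPROVER", "PAYMENT_PROCESSOR"}),
    frozenset({"PAYEE_MAINTENANCE", "PAYMENT_PROCESSOR"}),
    frozenset({"CLAIM_HANDLER", "CLAIM_APPROVER"}),
}

# Constructed role assignments, as exported from the claims platform's IAM.
ROLE_ASSIGNMENTS = {
    "u.ahmed": {"CLAIM_HANDLER"},
    "u.fatima": {"CLAIM_APPROVER"},
    "u.john": {"PAYMENT_PROCESSOR"},
    "u.mei": {"CLAIM_APPROVER", "PAYMENT_PROCESSOR"},  # toxic combination
}

# Constructed transaction log: one row per approval or payment action.
CLAIM_EVENTS = [
    {"claim_id": "CLM-1001", "action": "approve", "user": "u.fatima", "amount": 12000},
    {"claim_id": "CLM-1001", "action": "pay", "user": "u.john", "amount": 12000},
    {"claim_id": "CLM-1002", "action": "approve", "user": "u.mei", "amount": 45000},
    {"claim_id": "CLM-1002", "action": "pay", "user": "u.mei", "amount": 45000},
    {"claim_id": "CLM-1003", "action": "pay", "user": "u.john", "amount": 3000},  # never approved
]


def preventive_role_conflicts(assignments):
    """Identity-layer check: list (user, conflicting role pair) for every
    user whose assigned roles contain a forbidden combination."""
    findings = []
    ordered_pairs = sorted(CONFLICTING_ROLE_PAIRS, key=sorted)
    for user, roles in sorted(assignments.items()):
        for pair in ordered_pairs:
            if pair <= roles:  # user holds both roles of the pair
                findings.append((user, tuple(sorted(pair))))
    return findings


def detective_transaction_conflicts(events):
    """Transaction-layer check over the log: flag claims paid without any
    approval, and claims where an approver also executed the payment."""
    by_claim = defaultdict(lambda: {"approve": set(), "pay": set()})
    for event in events:
        by_claim[event["claim_id"]][event["action"]].add(event["user"])

    findings = []
    for claim_id, actions in sorted(by_claim.items()):
        if actions["pay"] and not actions["approve"]:
            findings.append((claim_id, "PAID_WITHOUT_APPROVAL",
                             tuple(sorted(actions["pay"]))))
        overlap = actions["approve"] & actions["pay"]
        if overlap:
            findings.append((claim_id, "SAME_USER_APPROVED_AND_PAID",
                             tuple(sorted(overlap))))
    return findings


if __name__ == "__main__":
    for finding in preventive_role_conflicts(ROLE_ASSIGNMENTS):
        print("ROLE CONFLICT:", finding)
    for finding in detective_transaction_conflicts(CLAIM_EVENTS):
        print("TRANSACTION EXCEPTION:", finding)
```

The preventive check is the one that belongs in the user-access-management control: run it on every role change and on a periodic access review, and it stops the toxic combination before a payment is ever made. The detective check is what an auditor re-performs from the transaction log, and it also catches the case the role matrix cannot see, a payment with no approval at all.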

3. Information Technology general controls (ITGCs) 

In today’s digital world, IT is the central nervous system of any insurer. Robust ITGCs are non-negotiable and cover areas such as: 

  • User access management: Implementing role-based access control (RBAC) and multi-factor authentication (MFA) to ensure only authorised personnel can access critical data and systems 
  • Change management: All changes to core systems must be approved, tested outside production and logged, and the person who develops a change should not be the one who promotes it to production. This prevents unauthorised alterations that could affect financial data 
  • Data backup and recovery: Regular backups, periodically tested restores and exercised disaster recovery plans are essential to protect against data loss and ensure business continuity. 

The regulatory and market landscape 

For regulators across the region, strong ICOFR is not just good practice; it is a prerequisite for meeting their expectations. Regulators demand timely and accurate submissions, complete audit trails and consistent board-level oversight. 

Furthermore, the recent adoption of IFRS 17 has fundamentally raised the bar. This new standard, which changes how insurance contracts are measured and reported, has forced insurers to overhaul their systems and data flows. Consequently, new controls are required to ensure the accuracy and consistency of complex actuarial models and their data inputs. This has made the link between finance, actuarial and IT teams stronger than ever before. 

The Benefits and the Road Ahead 

For a CFO, the payoff for investing in strong ICOFR is immense: 

  • Enhanced trust: Reliable financial statements build confidence with regulators, shareholders and policyholders 
  • Operational excellence: Well-designed controls streamline processes, reduce manual effort and improve data quality, freeing up resources for strategic initiatives 
  • Risk mitigation: Proactive controls help in the early detection of errors or fraudulent activities, protecting the company from financial losses and reputational damage 
  • Regulatory peace of mind: Strong controls transform compliance from a reactive scramble into a proactive, embedded part of daily operations. 

While challenges remain - keeping pace with evolving regulatory requirements, managing legacy systems and attracting specialised talent - the path forward is clear. For insurers, embracing ICOFR under the COSO framework is about more than ticking a box; it is about building a culture of integrity and accountability. The result is a more resilient, efficient and trustworthy organisation that is better positioned to navigate the complexities of the modern insurance market and, ultimately, protect its policyholders and stakeholders. 

How BDO can help 

BDO’s expert audit teams apply the practical experience and knowledge gained from working with clients locally and worldwide and can actively assist insurers in managing the above-listed risks.   

Please reach out to the relevant partner in your local BDO firm for further information. 

Author: Hasnain Ejaz 
Director - Assurance Services, BDO UAE 
