Contents Introduction Management report Appendices Corporate governance Consolidated Financial Statements Company Financial Statements
Key audit matter
Design and effectiveness of IT-General Controls
IT-General Controls (ITGCs) are controls, implemented in
IT-processes, ensuring the integrity and continuity of IT-programs
and data. Effective ITGCs are conditional for reliance on
automated controls in the Bank's operations.
In addition, in 2017 the Bank has started a number of long term
strategic regulatory and transformation projects, with important
IT-components to continue to meet the high reporting standards
and expectations from stakeholders relating to operating
effectiveness, efficiency and data quality. Deficiencies in IT general
controls as such could have a pervasive impact across the Bank's
internal control framework.
Therefore we identified the Bank's IT-General Controls as a key
audit matter.
How our audit addressed the matter
Our efforts relating to understanding, evaluating and testing the design and operating
effectiveness of ITGCs focused on:
Entity level controls over information technology in the IT-organisation, including
IT-governance, IT-risk management and cyber security management;
Management of access to programs and data, including user access to the network, access to
and authorizations within applications, privileged access rights to applications, databases and
operating systems and physical access to data centres. As the Bank uses automated tools to
manage access rights we have evaluated the use of these tools.
Governance over the strategic IT-transformation projects;
Having meetings periodically with and obtaining project reports from the IT organisation on
the long term strategic projects. We validated that none of the projects where implemented
and could have an impact on our 2017 audit;
Management of changes to applications and IT-infrastructure, including the change
management process and the implementation of changes in the production systems using
automated deploy mechanisms; and
Computer Operations, including batch monitoring, back-up and recovery and incident
management.
Disclosure over the estimated impact of IFRS 9 in accordance
with IAS 8
Refer to note 2.1 'Basis on preparation' section 'IFRS 9 Financial
Instruments'.
IFRS 9, Financial Instruments becomes effective for annual
reporting periods beginning on or after 1 January 2018. As of 31
December 2017 Rabobank needs to disclose the estimated impact
of this new standard in accordance with IAS 8.
As per the disclosure, the IFRS 9 adoption is expected to overall
reduce IFRS equity as of 1 January 2018 by EUR 0.1 billion. The
classification and measurement changes increase equity by EUR
0.1 billion and impairment reduces equity by EUR 0.2 billion.
In determining the classification and measurement of the financial
instruments management has identified 37 business models for
their financial assets stratified by product type and where relevant
by geographical location. Management has performed a business
model assessment for each business model to determine whether
these are hold to collect, hold to collect and sell or trading. Hold to
collect assets are measured at amortised cost. Hold to collect and
sell assets are measured at Fair value through OCI, while trading
assets are measured at Fair Value through profit or loss (FVtPL).
For the financial assets in every business model, management has
performed an assessment to conclude whether the cash-flows
from financial instruments fulfil the solely of payment of principal
of interest criteria ('SPPI').
With respect to financial liabilities, Rabobank has decided to
record callable notes at amortised cost under IFRS 9 as opposed to
fair value through profit or loss under IAS 39. These callable notes
include embedded derivatives and management has concluded
to bifurcate and separately present the embedded derivatives on
the balance sheet at FVtPL as the economic characteristics and
risks of the embedded derivatives are not closely related to the
host note contracts.
We focused on the ITGCs to the extent relevant for the purpose of our audit of the financial
statements. Most of these controls operated effectively. For certain controls, specifically relating
to privileged access rights to a limited number of systems and business controls, remedial
control actions were taken by management. Based on the testing of controls and additional
testing of remedial actions we determined that we could place reliance on these controls for the
purpose of our audit.
Regarding the accounting policy choices we reviewed technical memos and accounting
position papers to determine whether this has been set up in accordance with the requirements
of IFRS 9. We challenged management on their accounting policy choices judgements and they
provided us with reasonable explanations and evidence supporting the judgements.
For classification and measurement we evaluated management's business model assessments
and the evidence supporting the business model decisions for every business model. For each
of the 37 business models we selected a representative sample of individual loans and debt
instruments and obtained supporting documentation that the cash flows represent solely
payment of principal and interest.
For the SPPI criteria. Our procedures did not identify any deviations from management's
assessment.
With respect to the classification and measurement of callable notes we assessed
management's analysis based on which they determined that the embedded derivatives are
not closely related to the host note contracts. This comprised of reperformance of the analysis
by management to demonstrate that the exercise price of the embedded derivative does not
equal the amortised cost value of the host note contracts. We consider the assumptions and
conclusions of management in this analysis to be reasonable.
With regard to impairment we performed the following procedures to support our conclusions:
Controls over governance and model development were tested. We, together with our
modelling specialists tested the modelling methodology for the most significant portfolios;
Risk based testing of models including challenging the main assumptions, was performed;
Assessing the design of management's validation and integrity checks on data used as input
for impairment calculation via walkthrough procedures;
Where possible testing of operating effectiveness on data input and validation controls;
Testing of the compensating review controls performed by management to assess the
reasonableness of the disclosed impact of adopting IFRS 9;
We assessed management's disclosure on the presentation of the impact, judgements and
uncertainties of IFRS 9 in the context of the IAS 8 disclosure requirements.
We considered the estimated impact, as disclosed in the consolidated financial statements,
given the inherent estimation uncertainty in determining the impact of IFRS 9 to be reasonable.
With respect to impairment Rabobank has developed five new
IFRS 9 impairment models. Judgements have been applied in
the development of the new models which have been built and
implemented to measure the expected credit losses on loans
measured at amortised cost.
Furthermore there is an increase in the data inputs required
by these models. This increases the risk of completeness and
accuracy of the data that has been used to create assumptions and
is used to operate the model.
Given the significance of the new standard and the number of
accounting policy choices and judgement decisions to be taken
by management on the implementation of IFRS 9 we consider this
a key audit matter.
Rabobank Annual Report 2017 - Company financial statements
273