Audit pack — what auditors get

SaaS tenant. The MFI Suite is delivered as a fully managed service — there is nothing to install or configure at the OS level. Self-hosted one-time licence buyers receive a dedicated installation runbook with the licence delivery; this page describes the user-facing workflow only.

The audit pack is the single bundle of evidence that the external auditor reads to sign off on the ECL number. It is generated automatically after each run is posted and contains the model documentation, governance sign-offs, validation results and sensitivities the auditor needs to form an opinion.

Audit pack source
Each run is the source of the IFRS 9 audit pack.

Why the pack exists

Two reasons. First — IFRS 9 is judgement-heavy and external auditors will not accept a number without a documented model. Second — Kenyan banking supervision (CBK) requires that the institution can demonstrate, at any time, the model, the assumptions, the governance and the controls behind every reported provision.

The pack is built per run and per period. It is immutable once generated (regenerating creates a new versioned document; old versions are kept). At year end the four quarterly packs are bundled into an Annual ECL File that is the primary deliverable to the external audit.

Pack contents

Each pack is a single navigable PDF (typically 60-120 pages) with the following sections. The structure is fixed; the contents are pulled from the run.

SectionTitleSource
1Executive SummaryHeadline ECL, coverage ratio, Q/Q bridge
2Methodology & Model DocumentationModel paper (v-controlled) + scenario design
3Portfolio OverviewGross book, segment mix, top exposures
4StagingStage distribution + migration matrix + override list
5AssumptionsPD, LGD term structures, version, calibration memo
6Macro ScenariosThree scenarios, weights, factor projections, sign-offs
7ECL ResultsBy segment, stage, scenario; sensitivity
8Governance & Sign-OffsRisk Committee minute, CFO approval, audit log
9ReconciliationGL vs run, journal listing, reference mapping
10Validation ResultsBuilt-in validation outcomes; explained overrides
11Adjustments & ReversalsAny reverse-and-replay during the period
12AppendicesRaw run-line export (CSV link), assumption versions, control owners

How it's built

After a run is posted, the engine schedules an async build job. The build pulls live data from the run, the assumption versions, the scenario records and the journal entries, and renders each section through a QWeb PDF template. The job runs in ~5-15 minutes.

  1. Run is posted → ifrs9.audit.pack created in state queued.
  2. Worker picks up; pulls run data, fetches all sign-off records, embeds attachments.
  3. QWeb template renders to PDF; supporting CSVs are attached as separate files.
  4. Pack moves to state built; CFO is notified via email.
  5. CFO reviews; clicks Approve audit pack → state approved.
  6. From approved, the pack can be downloaded or shared with the auditor via secure link.

The four sign-offs

Each pack carries four sign-offs which are reproduced in the cover page and validated by the auditor:

Sign-offRoleCaptures
AnalystIFRS 9 AnalystRun completed and reviewed for data quality
Risk ManagerRisk ManagerStaging, assumptions, scenarios appropriately applied
CFOCFONumbers approved for accounts; journal posted
Internal AuditInternal Audit leadControls and governance tested; no exceptions
Note — The fourth sign-off (Internal Audit) is the most often missed by new tenants. It is captured by Internal Audit opening the pack and ticking 'Reviewed — no exceptions' or 'Reviewed — exceptions noted [free text]'. Without this sign-off the pack is marked 'Partial' on download.

Giving the auditor access

Two options for the external auditor:

The portal route also gives the auditor access to the raw ifrs9.run.line table — they can pull their own samples and reconcile lines to mfi.loan directly. This is the gold-standard audit interaction and we recommend it for the year-end audit.

  1. Portal user — create a portal user (group MFI / IFRS 9 / Auditor (read-only)) for the audit partner. They log in to the system and view runs, packs, lines and journals directly. Best for in-depth audits.
  2. Secure download link — from the approved pack click Share with auditor. System generates a time-limited (7-day) signed URL emailed to the partner. They download the PDF + supporting CSVs without an account. Best for the partner who wants to review offline.

Year-end annual file

At year end the four quarterly packs roll up into a single Annual ECL File. This adds the year-on-year ECL bridge, the annual assumption recalibration memo, the back-test of prior-year predictions against actual defaults, and the Risk Committee year-in-review minute.

  • Q1-Q4 packs as appendices
  • Year-on-year ECL bridge by attribution (staging migration, macro overlay, originations, write-offs, recoveries, assumption changes)
  • Annual back-test: predicted PD vs actual default rate per segment
  • Annual recalibration memo and Risk Committee approval
  • Governance summary: who signed off what, when

What auditors actually look for

Across the four most recent year-end audits, this is what consistently shows up in the auditor's enquiry list:

All of these can be answered from a well-built audit pack without ever opening Excel. The single best investment in audit preparation time is ensuring every override has a 50-character-plus justification at the time it is applied — auditors flag thin justifications and revisits cost days.

  • Stage 2 sampling — pull 10 loans by judgement, confirm SICR captured and reasonable.
  • Stage 3 sampling — pull 10 loans, confirm LGD and EAD; check specific allowance.
  • Manual overrides — every override reviewed with justification.
  • Macro scenario weighting — challenge the weights; ask for the minute.
  • PD back-test — predicted vs actual default rate per segment for the year.
  • Reverse-and-replay — any reversals during the year reviewed individually.
  • Reconciliation — pack figure to GL closing balance on 1290.
  • Going concern — does the downside scenario affect going concern conclusion?

Worked scenarios

Scenario — External audit walkthrough — Aisha samples the Q4 pack

Setting: Year-end audit fieldwork, second week of February. Aisha's team is on site for one week.

CharacterRole
Aisha HassanExternal Audit Partner
Florence AchiengCFO
Kimani MwangiRisk Manager
David KaranjaInternal Audit lead

Timeline

  1. Feb 8, 09:00: Aisha given portal access (MFI / IFRS 9 / Auditor read-only). Aisha logs in, opens Q4 run. (res.users new — login audit captured)
  2. Feb 8, 10:30: Aisha downloads the audit pack PDF + the run-line CSV. Confirms sign-offs all present. (Download logged)
  3. Feb 8, 14:00: Aisha samples 25 Stage 1 loans. Pulls each loan record in the portal. Confirms DPD < 30 and no SICR trigger. All 25 OK. (Sample evidence printed)
  4. Feb 9, 09:00: Aisha samples 10 Stage 2. One looks borderline (member tenure 11 months, normal loan, no SICR per system — Aisha suspects PD doubling). (—)
  5. Feb 9, 10:00: Kimani walks Aisha through the loan: PD at origination was 5.4%, current PD is 8.2%, ratio 1.52× — below the 2× SICR trigger. Stage 1 correct. (Justification captured live)
  6. Feb 9, 14:00: Aisha tests the macro overlay. Asks for sensitivity if downside weight raised to 40% from 25%. Kimani runs scenario sandbox, shows +KES 5.4M ECL. Floor for going-concern: KES 22M weighted ECL doesn't change conclusion. (Sandbox run id=99 (not posted))
  7. Feb 10, 11:00: Aisha tests reverse-and-replay. Pulls the Q3 reversal trio (see provisioning_je scenario). Confirms documentation in pack section 11. Clean. (—)
  8. Feb 11, 09:00: Aisha tests Stage 3 LGD. Samples 5 written-off loans from the prior year. Compares actual recovery to LGD assumption. 4 within 5pp, 1 outside (vehicle-secured, recovered 70% vs LGD assumption 45% — over-provisioned). Captured as audit observation, not adjustment. (Observation in management letter draft)
  9. Feb 12, 16:00: Aisha closes fieldwork. One management letter point (revisit vehicle-secured LGD assumption). No material adjustment. (Audit sign-off issued Feb 22)

Outcome — Year-end audit closes clean; one management-letter point on vehicle LGD calibration; no qualification.

Reference

Audit pack states

StateMeaningNext state
queuedAwaiting build workerbuilding
buildingPDF rendering in progressbuilt or failed
builtPDF generated; awaiting CFO reviewapproved or rebuilding
approvedCFO approved; can be shared with auditorarchived
archivedYear-end roll-up complete
failedBuild error; check engine logqueued (retry)

Files produced

FileFormatPurpose
audit_pack_Qx_yyyy.pdfPDFMain bundle, 60-120 pages, navigable
run_lines.csvCSVPer-loan: id, segment, stage, EAD, PD, LGD, ECL (one row per loan)
assumption_versions.csvCSVAll assumption rows applied to the run
scenarios.jsonJSONScenario records with macro factor projections
sign_offs.csvCSVSign-off audit trail with user and timestamp
validation_results.csvCSVValidation check outcomes
journal_listing.csvCSVJournals posted by the run

Troubleshooting

SymptomLikely causeFix
Pack stuck in 'building' for > 30 minutes.wkhtmltopdf hanging on a complex chart, or worker killed.(managed by the platform team — raise a support case if needed) — kill any zombie. From the pack, click Retry build. If repeated, simplify the bridge chart or split into multiple smaller charts.
Internal Audit sign-off not appearing.David's user not in 'Internal Audit' group, or he ticked 'reviewed' on the wrong run.Settings → Users → David Karanja → groups → tick MFI / Internal Audit. Then ask David to re-open the correct pack and tick the sign-off.
Auditor reports 'sign-offs missing' in the PDF cover.Pack was built before all four sign-offs were captured.Capture missing sign-offs, then click Rebuild. The new version supersedes the old; old kept for audit-of-audit purposes.
CSV exports missing one or more files.Run had zero rows for that section (e.g. no manual overrides, no reversals). Engine skips empty CSVs.Expected. If you need a placeholder for the auditor, tick Include empty CSVs in Settings → IFRS 9 → Audit pack and rebuild.
Auditor's secure download link returns 404.Link expired (default 7 days), or pack was rebuilt after the link was shared (old version archived).From the latest approved pack click Share with auditor to issue a fresh link. Communicate the new URL to the auditor.

See also

Was this page helpful?