Grant Thornton - Data Audit UK



Our Lloyd's managing agents FSA Solvency II data audit publication outlines the data audit requirements, the technical challenges you should consider in performing this audit and how Grant Thornton's insurance IT internal audit team can provide support with the effective delivery of this audit to meet the Lloyd's submission deadline of 15th of June 2012.

Published in: Business, Technology

  1. Lloyd’s Managing Agents FSA Solvency II Data Audit

     Working in partnership with you to provide the independent assurance that your Data Audit Report fulfils Lloyd’s and FSA Solvency II requirements
  2. Lloyd’s Managing Agents FSA Solvency II Data Audit

     FSA Solvency II Data Audit

     The FSA Solvency II Data Audit (Data Audit) is a component of the FSA’s Solvency II Internal Model Approval Process (IMAP). It assesses all internal and non-proprietary external data which may materially impact the design and function of the proposed internal model. The Data Audit is focussed on the key sub-risks around aspects of data policy; oversight and governance; data; vulnerabilities and impact; data quality and data processing. Following completion of this assessment, the results should be presented in a Data Audit Report.

     Lloyd’s requires all Managing Agents to submit a Data Audit Report by 15 June 2012 to Lloyd’s. The primary purpose of the Data Audit Report is to demonstrate that an Agent’s data management policies comply with the tests and standards set out in the Solvency II Directive to achieve internal model approval.

     Purpose of the Data Audit Report

     “The primary purpose of the Data Audit Report is to demonstrate that an agent’s data management policies comply with the tests and standards set out in the Solvency II directive. In addition, the Data Audit Report should demonstrate how the overall risk that the data used in the internal model does not meet the Solvency II requirements on data quality (complete, accurate, appropriate and timely) is considered. This overall risk is split into five sub-risks.”
     As per Lloyd’s Data Audit Report Guidelines (Draft) – February 2012

     Ownership and Independence

     “The Data Audit Report should be produced as a result of a review conducted by a suitably qualified person, independent from the individuals responsible for the design, build, parameterisation and implementation of the internal model. The author of the Data Audit Report must therefore be independent of the normal operation of the model (e.g. Internal Audit).

     In conducting the review, the reviewer should apply professional judgement in deciding how the controls are assessed (e.g. sample size, depth of document review, interviewees, etc.) and how effective they are in addressing the risk. The review is not intended to assess the appropriateness of actuarial “Expert Judgements” with regards to data used in the Internal Model. However, any data, internal or external, (e.g. claims history, bond price movements, loss events, etc.) on the basis of which material expert judgments/assumptions and model calibrations are made, should be included in scope.

     The reviewer may make use of previous independent reviews (e.g. SOX compliance assessments, Internal/External Audit work, etc.), so long as the data, assumptions, calculation methodology and IT environment reviewed have not changed significantly. Where a managing agent makes use of previous reviews for this purpose, the agent should provide some explanation and justification as to why the previous review is still relevant and also for its use.”
     As per Lloyd’s Data Audit Report Guidelines (Draft) – February 2012
  3. Key requirements

     The scope of the Data Audit has now been defined through the draft Lloyd’s guidance (with final versions due for issue on 30 March 2012) and has been developed in line with the FSA’s published requirements.

     The challenges faced by Managing Agents in response to fulfilling the Data Audit requirements are extensive. Below we list the key areas, questions and objectives that the audit will need to address:

     Requirement Area: Data Policy
     Key Questions to Consider:
       • How can we ensure our framework in respect of data is sustainable for the future?
       • Are existing data policies, procedures and standards suitable? How can we develop or improve?
       • Have we defined ownership and how data policies will be embedded into the organisation?
     Key Control Objective(s):
       • Ensuring consistency in data policies and adherence to required Solvency II standards of data governance

     Requirement Area: Oversight and Governance
     Key Questions to Consider:
       • Do management really have a solid understanding of internal model data?
       • Have we robust oversight and challenge processes of Management Information (MI) and data processes?
     Key Control Objective(s):
       • Management have a thorough understanding of, and are accountable for reviewing, internal model data

     Requirement Area: Data use, vulnerabilities and impact
     Key Questions to Consider:
       • Are exceptions and limitations in data understood, suitably investigated and corrected?
       • How should we best set materiality, in the context of significant amounts of data?
     Key Control Objective(s):
       • Recognising and remediating data errors, omissions or inaccuracies which may compromise data quality
       • Assurance over data materiality and ensuring its consistent application throughout the organisation

     Requirement Area: Data quality
     Key Questions to Consider:
       • Do we understand where our data origination sources are?
       • How do we maintain such data in an appropriate manner for model and other business use (e.g. MI generation)?
       • Are agreed quality standards per our data policy being adhered to consistently?
     Key Control Objective(s):
       • Maintenance of data quality standards to ensure demonstrable accuracy, appropriateness, completeness and timeliness

     Requirement Area: Data processing
     Key Questions to Consider:
       • Are we able to critically evaluate all our IT General Controls within the IT control environment?
       • Do we have effectively designed and operating IT controls (such as data security, change control and processing of data) to support corresponding data management controls?
       • Is the information generated by end-user computing susceptible to distortion or manipulation, due to lack of controls to data amendments?
     Key Control Objective(s):
       • Adequacy of technical expertise available to the firm
       • Maintaining robust IT General Controls (e.g. change management and access controls) to safeguard data integrity.
       • Issues around controls design and effectiveness around spreadsheets, SQL databases and other end user computing applications, which may be less controlled
  4. Given the requirements and challenges noted in the adjacent table, a diverse set of skill-sets will be required to perform this audit and the review must be performed by suitably qualified individuals who are independent of model design, build, and operation (as per the Lloyd’s Data Audit Report draft guidance published in February 2012 and the FSA External Review guidance published in July 2011).

     Managing Agents should be actively seeking specialist review assistance now to ensure the regulatory timeline for Data Audits is met and that a robust, independent and objective review is performed (in line with the Lloyd’s draft guidance).

     Grant Thornton’s data review and data management professionals are able to provide assurance to your Management and Non-Executives, Lloyd’s and the FSA that they are compliant with the requirements.

     We feel our team’s experience of supporting clients in the marketplace enables us to provide you with pragmatic and independent audit challenge.

     Our approach to completing the Data Audit

     To address the requirements of the Data Audit, we have split our approach into 2 sections:
       1 Foundation elements and
       2 Specific elements

     Foundation elements: Examining the adequacy of the oversight of data by management and the effectiveness of IT General Controls

     Specific elements: Performing detailed analysis over data policies, quality and usage through 3 aspects:
       • The understanding of data management principles
       • Experience of advising clients on data framework enhancements
       • Where applicable, the use of data interrogation tools
  5. Lloyd’s Managing Agents FSA Solvency II Data Audit

     The Lloyd’s Timeline for Data Audits

     Managing Agents are required to complete Data Audits between May and June 2012, with final Data Audit Reports due for submission to Lloyd’s on 15 June 2012:
       • 10 February 2012: Draft Data Report guidance
       • 30 March 2012: Final Data Audit Report guidance
       • 15 June 2012: Data Audit Report due

     Our experience and how we can help

     Grant Thornton’s experienced data review and data management professionals are ideally placed to perform your Data Audit. We will draw on our experienced IT and business audit specialists to deliver objective, efficient and robust data audit assurance.

     We have experience of:
       • objectively examining all required aspects of Solvency II data management (including data policy, governance, limitations, processing and IT environment including change management and spreadsheet assurance), using our highly experienced Technology Audit, Data and IT specialists
       • working closely with key business areas (such as modelling teams, risk specialists, IT and Compliance) to fully understand and evaluate data management and data quality against Solvency II and FSA requirements
       • providing assurance over all areas of IT environment, technology, tools and subsequent processing and controls and evaluating the impact on data management
       • assessing the use of non-proprietary external and third-party data reliance, policies, processes and agreements, as well as corresponding internal governance and oversight
       • delivering high quality audit evidence and results to fulfil the designated Lloyd’s scope, detailing the assessment of internal control design and operating effectiveness, assessment of business process flows and gap analysis
       • providing a continued presence to support future discussions with senior stakeholders and Lloyd’s where required.
  6. Why Grant Thornton?

     Grant Thornton can assist your organisation with the Lloyd’s Data Audit through:
       • highly experienced audit professionals, with dedicated specialist Data and IT staff and unparalleled access to deep expertise and relationship oversight
       • proven experience using a specialist resource with regulatory and industry insight, allowing your organisation to meet all review deadlines on time and within budget
       • providing objective, robust assurance and pragmatic solutions for improvement or ‘next steps’ to be used internally and in discussion with Lloyd’s and the FSA
       • providing ongoing assurance for Solvency II internal model validation
       • a long-standing commitment to excellent client service and support both during and after all engagements.

     Who should I contact for Data Audit assistance?

       • Sandy Kumar, Partner, Head of Financial Services, Business Risk Services. T 020 7728 3248
       • Kiran Sudhakar, Lead for IT Internal Audit, Financial Services/Head of Technology Services, Business Risk Services. T 020 7728 2909
       • Sarah Talbott, Lead for Insurance Internal Audit, Financial Services, Business Risk Services. T 020 7865 2815

     Other Related Services

     While this document focuses on the requirements of Data Audit for Lloyd’s Managing Agents and how our data review and data management professionals can help, Grant Thornton’s Business Consulting Division can also assist in the design and build of your data management framework, if required. This team has worked with a number of Managing Agents in designing their data dictionary and performing gap analysis. Should you require further assistance regarding this please do not hesitate to contact our Business Consulting Division. A contact is provided directly below.

       • Mark A Spurlock, Lead for Insurance Business Consulting, Business Consulting Division, Financial Services Advisory. T 020 7865 2346

     © 2012 Grant Thornton UK LLP. All rights reserved. ‘Grant Thornton’ means Grant Thornton UK LLP, a limited liability partnership. Grant Thornton UK LLP is a member firm within Grant Thornton International Ltd (‘Grant Thornton International’). Grant Thornton International and the member firms are not a worldwide partnership. Services are delivered by the member firms independently. This publication has been prepared only as a guide. No responsibility can be accepted by us for loss occasioned to any person acting or refraining from acting as a result of any material in this