Lloyd s Managing Agents FSA Solvency II Data Audit

Transcription

1 Lloyd s Managing Agents FSA Solvency II Data Audit Working in partnership with you to provide the independent assurance that your Data Audit Report fulfils Lloyd s and FSA Solvency II requirements

2 Lloyd s Managing Agents FSA Solvency II Data Audit FSA Solvency II Data Audit The FSA Solvency II Data Audit (Data Audit) is a component of the FSA s Solvency II Internal Model Approval Process (IMAP). It assesses all internal and non-proprietary external data which may materially impact the design and function of the proposed internal model. The Data Audit is focussed on the key sub-risks around aspects of data policy; oversight and governance; data; vulnerabilities and impact; data quality and data processing. Following completion of this assessment, the results should be presented in a Data Audit Report. Lloyd s requires all Managing Agents to submit a Data Audit Report by 15 June 2012 to Lloyd s. The primary purpose of the Data Audit Report is to demonstrate that an Agent s data management policies comply with the tests and standards set out in the Solvency II Directive to achieve internal model approval. Purpose of the Data Audit Report The primary purpose of the Data Audit Report is to demonstrate that an agent s data management policies comply with the tests and standards set out in the Solvency II directive. In addition, the Data Audit Report should demonstrate how the overall risk that the data used in the internal model does not meet the Solvency II requirements on data quality (complete, accurate, appropriate and timely) is considered. This overall risk is split into five sub-risks. As per Lloyd s Data Audit Report Guidelines (Draft) February 2012 Ownership and Independence The Data Audit Report should be produced as a result of a review conducted by a suitably qualified person, independent from the individuals responsible for the design, build, parameterisation and implementation of the internal model. The author of the Data Audit Report must therefore be independent of the normal operation of the model (e.g. Internal Audit). In conducting the review, the reviewer should apply professional judgement in deciding how the controls are assessed (e.g. sample size, depth of document review, interviewees, etc.) and how effective they are in addressing the risk. The review is not intended to assess the appropriateness of actuarial Expert Judgements with regards to data used in the Internal Model. However, any data, internal or external, (e.g. claims history, bond price movements, loss events, etc.) on the basis of which material expert judgments/assumptions and model calibrations are made, should be included in scope. The reviewer may make use of previous independent reviews (e.g. SOX compliance assessments, Internal/External Audit work, etc.), so long as the data, assumptions, calculation methodology and IT environment reviewed have not changed significantly. Where a managing agent makes use of previous reviews for this purpose, the agent should provide some explanation and justification as to why the previous review is still relevant and also for its use. As per Lloyd s Data Audit Report Guidelines (Draft) February 2012

3 Key requirements The scope of the Data Audit has now been defined through the draft Lloyd s guidance (with final versions due for issue on 30 March 2012) and has been developed in line with the FSA s published requirements. The challenges faced by Managing Agents in response to fulfilling the Data Audit requirements are extensive. Below we list the key areas, questions and objectives that the audit will need to address: Requirement Area Key Questions to Consider Key Control Objective(s) Data Policy How can we ensure our framework in respect of data is sustainable for the future? Are existing data policies, procedures and standards suitable? How can we develop or improve? Have we defined ownership and how data policies will be embedded into the organisation? Ensuring consistency in data policies and adherence to required Solvency II standards of data governance Oversight and Governance Data use, vulnerabilities and impact Data quality Data processing Do management really have a solid understanding of internal model data? Have we robust oversight and challenge of Management Information (MI) and data processes? Are exceptions and limitations in data understood, suitably investigated and corrected? How should we best set materiality, in the context of significant amounts of data? Do we understand where our data origination sources are? How do we maintain such data in an appropriate manner for model and other business use (e.g. MI generation)? Are agreed quality standards per our data policy being adhered to consistently? Are we able to critically evaluate all our IT General Controls within the IT control environment? Do we have effectively designed and operating IT controls (such as data security, change control and processing of data) to support corresponding data management controls? Is the information generated by end-user computing susceptible to distortion or manipulation, due to lack of controls to data amendments? Management have a thorough understanding of, and are accountable for reviewing, internal model data processes Recognising and remediating data errors, omissions or inaccuracies which may compromise data quality Assurance over data materiality and ensuring its consistent application throughout the organisation Maintenance of data quality standards to ensure demonstrable accuracy, appropriateness, completeness and timeliness Adequacy of technical expertise available to the firm Maintaining robust IT General Controls (e.g. change management and access controls) to safeguard data integrity. Issues around controls design and effectiveness around spreadsheets, SQL databases and other end user computing applications, which may be less controlled

4 Given the requirements and challenges noted in the adjacent table, a diverse set of skill-sets will be required to perform this audit and the review must be performed by suitably qualified individuals who are independent of model design, build, and operation (as per the Lloyd s Data Audit Report draft guidance published in February 2012 and the FSA External Review guidance published in July 2011). Managing Agents should be actively seeking specialist review assistance now to ensure the regulatory timeline for Data Audits is met and that a robust, independent and objective review is performed (in line with the Lloyd s draft guidance). Grant Thornton s data review and data management professionals are able to provide assurance to your Management and Non- Executives, Lloyd s and the FSA that they are compliant with the requirements. We feel our team s experience of supporting clients in the marketplace enables us to provide you with pragmatic, and independent audit challenge. Our approach to completing the Data Audit To address the requirements of the Data Audit, we have split our approach into 2 sections: 1 Foundation elements and 2 Specific elements Foundation elements Examining the adequacy of the oversight of data by management and the effectiveness of IT General Controls Specific elements Performing detailed analysis over data policies, quality and usage through 3 aspects The understanding of data management principles Experience of advising clients on data framework enhancements Where applicable, the use of data interrogation tools

5 Lloyd s Managing Agents FSA Solvency II Data Audit The Lloyd s Timeline for Data Audits Managing Agents are required to complete Data Audits between May and June 2012, with final Data Audit Reports due for submission to Lloyd s on 15 June 2012: Feb March April May June t *10 February 2012 Draft Data Report guidance t t *30 March 2012 Final Data Audit Report guidance *15 June 2012 Data Audit Report due Our experience and how we can help Grant Thornton s experienced data review and data management professionals are ideally placed to perform your Data Audit. We will draw on our experienced IT and business audit specialists to deliver objective, efficient and robust data audit assurance. We have experience of: objectively examining all required aspects of Solvency II data management (including data policy, governance, limitations, processing and IT environment including change management and spreadsheet assurance), using our highly experienced Technology Audit, Data and IT specialists working closely with key business areas (such as modelling teams, risk specialists, IT and Compliance) to fully understand and evaluate data management and data quality against Solvency II and FSA requirements providing assurance over all areas of IT environment, technology, tools and subsequent processing and controls and evaluating the impact on data management assessing the use of non-proprietary external and third-party data reliance, policies, processes and agreements, as well as corresponding internal governance and oversight delivering high quality audit evidence and results to fulfil the designated Lloyd s scope, detailing the assessment of internal control design and operating effectiveness, assessment of business process flows and gap analysis providing a continued presence to support future discussions with senior stakeholders and Lloyd s where required.

6 Why Grant Thornton? Grant Thornton can assist your organisation with the Lloyd s Data Audit through: highly experienced audit professionals, with dedicated specialist Data and IT staff and unparalleled access to deep expertise and relationship oversight proven experience using a specialist resource with regulatory and industry insight, allowing your organisation to meet all review deadlines on time and within budget providing objective, robust assurance and pragmatic solutions for improvement or next steps to be used internally and in discussion with Lloyd s and the FSA providing ongoing assurance for Solvency II internal model validation a long-standing commitment to excellent client service and support both during and after all engagements. Who should I contact for Data Audit assistance? Sandy Kumar Partner Head of Financial Services Business Risk Services T E sandy.kumar@uk.gt.com Kiran Sudhakar Lead for IT Internal Audit Financial Services/Head of Technology Services Business Risk Services T E kiran.sudhakar@uk.gt.com Other Related Services While this document focuses on the requirements of Data Audit for Lloyd s Managing Agents and how our data review and data management professionals can help, Grant Thornton s Business Consulting Division can also assist in the design and build of your data management framework, if required. This team has worked with a number of Managing Agents in designing their data dictionary and performing gap analysis. Should you require further assistance regarding this please do not hesitate to contact our Business Consulting Division. A contact is provided directly below. Sarah Talbott Lead for Insurance Internal Audit Financial Services Business Risk Services T E sarah.d.talbott@uk.gt.com Mark A Spurlock Lead for Insurance Business Consulting Business Consulting Division Financial Services Advisory T E mark.a.spurlock@uk.gt.com 2012 Grant Thornton UK LLP. All rights reserved. Grant Thornton means Grant Thornton UK LLP, a limited liability partnership. Grant Thornton UK LLP is a member firm within Grant Thornton International Ltd ( Grant Thornton International ). Grant Thornton International and the member firms are not a worldwide partnership. Services are delivered by the member firms independently. This publication has been prepared only as a guide. No responsibility can be accepted by us for loss occassioned to any person acting or refraining from acting as a result of any material in this publication. V21426