Lloyd’s Managing Agents
FSA Solvency II Data Audit
Working in partnership with you to provide the independent assurance that your Data Audit Report fulfils Lloyd’s and FSA Solvency II requirements
Purpose of the Data Audit Report
“The primary purpose of the Data Audit Report is to demonstrate that an agent’s data management policies comply with the tests and standards set out in the Solvency II directive. In addition, the Data Audit Report should demonstrate how the overall risk that the data used in the internal model does not meet the Solvency II requirements on data quality (complete, accurate, appropriate and timely) is considered. This overall risk is split into five sub-risks.”
As per Lloyd’s Data Audit Report Guidelines (Draft) – February 2012
The FSA Solvency II Data Audit (Data Audit) is a component of the FSA’s Solvency II Internal Model Approval Process (IMAP). It assesses all internal and non-proprietary external data which may materially impact the design and function of the proposed internal model. The Data Audit is focussed on the key sub-risks around aspects of data policy; oversight and governance; data; vulnerabilities and impact; data quality and data processing. Following completion of this assessment, the results should be presented in a Data Audit Report.
Lloyd’s requires all Managing Agents to submit a Data Audit Report by 15 June 2012 to Lloyd’s. The primary purpose of the Data Audit Report is to demonstrate that an Agent’s data management policies comply with the tests and standards set out in the Solvency II Directive to achieve internal model approval.
Ownership and Independence
“The Data Audit Report should be produced as a result of a review conducted by a suitably qualified person, independent from the individuals responsible for the design, build, parameterisation and implementation of the internal model. The author of the Data Audit Report must therefore be independent of the normal operation of the model (e.g. Internal Audit). In conducting the review, the reviewer should apply professional judgement in deciding how the controls are assessed (e.g. sample size, depth of document review, interviewees, etc.) and how effective they are in addressing the risk. The review is not intended to assess the appropriateness of actuarial “Expert Judgements” with regards to data used in the Internal Model. However, any data, internal or external, (e.g. claims history, bond price movements, loss events, etc.) on the basis of which material expert judgments/assumptions and model calibrations are made, should be included in scope. The reviewer may make use of previous independent reviews (e.g. SOX compliance assessments, Internal/External Audit work, etc.), so long as the data, assumptions, calculation methodology and IT environment reviewed have not changed significantly. Where a managing agent makes use of previous reviews for this purpose, the agent should provide some explanation and justification as to why the previous review is still relevant and also for its use.”
Key requirements
The scope of the Data Audit has now been defined through the draft Lloyd’s guidance (with final versions due for issue on 30 March 2012) and has been developed in line with the FSA’s published requirements.
The challenges Managing Agents face in fulfilling the Data Audit requirements are extensive. Below we list the key areas, questions and objectives that the audit will need to address:
Requirement Area: Data Policy
Key Questions to Consider:
• How can we ensure our framework in respect of data is sustainable for the future?
• Are existing data policies, procedures and standards suitable? How can we develop or improve?
• Have we defined ownership and how data policies will be embedded into the organisation?
Key Control Objective(s):
Ensuring consistency in data policies and adherence to required Solvency II standards of data governance

Requirement Area: Oversight and Governance
Key Questions to Consider:
• Do management really have a solid understanding of internal model data?
• Have we robust oversight and challenge of Management Information (MI) and data processes?
Key Control Objective(s):
Management have a thorough understanding of, and are accountable for reviewing, internal model data processes

Requirement Area: Data use, vulnerabilities and impact
Key Questions to Consider:
• Are exceptions and limitations in data understood, suitably investigated and corrected?
• How should we best set materiality, in the context of significant amounts of data?
Key Control Objective(s):
Recognising and remediating data errors, omissions or inaccuracies which may compromise data quality
Assurance over data materiality and ensuring its consistent application throughout the organisation

Requirement Area: Data quality
Key Questions to Consider:
• Do we understand where our data origination sources are?
• How do we maintain such data in an appropriate manner for model and other business use (e.g. MI generation)?
• Are agreed quality standards per our data policy being adhered to consistently?
Key Control Objective(s):
Maintenance of data quality standards to ensure demonstrable accuracy, appropriateness, completeness and timeliness

Requirement Area: Data processing
Key Questions to Consider:
• Are we able to critically evaluate all our IT General Controls within the IT control environment?
• Do we have effectively designed and operating IT controls (such as data security, change control and processing of data) to support corresponding data management controls?
• Is the information generated by end-user computing susceptible to distortion or manipulation, due to lack of controls to data amendments?
Key Control Objective(s):
Adequacy of technical expertise available to the firm
Maintaining robust IT General Controls (e.g. change management and access controls) to safeguard data integrity.
Issues around controls design and effectiveness around spreadsheets, SQL databases and other end user computing applications, which may be less controlled
Our approach to completing the Data Audit
Given the requirements and challenges noted in the table above, a diverse set of skill-sets will be required to perform this audit and the review must be performed by suitably qualified individuals who are independent of model design, build, and operation (as per the Lloyd’s Data Audit Report draft guidance published in February 2012 and the FSA External Review guidance published in July 2011). Managing Agents should be actively seeking specialist review assistance now to ensure the regulatory timeline for Data Audits is met and that a robust, independent and objective review is performed (in line with the Lloyd’s draft guidance).
Grant Thornton’s data review and data management professionals are able to provide assurance to your Management and Non-Executives, Lloyd’s and the FSA that they are compliant with the requirements.
We feel our team’s experience of supporting clients in the marketplace enables us to provide you with pragmatic and independent audit challenge.
To address the requirements of the Data Audit, we have split our approach into 2 sections:
1 Foundation elements
2 Specific elements
Foundation elements
Examining the adequacy of the oversight of data by management and the effectiveness of IT General Controls
Where applicable, the use of data interrogation tools
Experience of advising clients on data framework enhancements
The understanding of data management principles
Specific elements
Managing Agents are required to complete Data Audits between May and June 2012, with final Data Audit Reports due for submission to Lloyd’s on 15 June 2012:
The Lloyd’s Timeline for Data Audits
• 10 February 2012: Draft Data Report guidance
• 30 March 2012: Final Data Audit Report guidance
• 15 June 2012: Data Audit Report due
Our experience and how we can help
Grant Thornton’s experienced data review and data management professionals are ideally placed to perform your Data Audit. We will draw on our experienced IT and business audit specialists to deliver objective, efficient and robust data audit assurance.
We have experience of:
• objectively examining all required aspects of Solvency II data management (including data policy, governance, limitations, processing and IT environment including change management and spreadsheet assurance), using our highly experienced Technology Audit, Data and IT specialists
• working closely with key business areas (such as modelling teams, risk specialists, IT and Compliance) to fully understand and evaluate data management and data quality against Solvency II and FSA requirements
• providing assurance over all areas of IT environment, technology, tools and subsequent processing and controls and evaluating the impact on data management
• assessing the use of non-proprietary external and third-party data reliance, policies, processes and agreements, as well as corresponding internal governance and oversight
• delivering high quality audit evidence and results to fulfil the designated Lloyd’s scope, detailing the assessment of internal control design and operating effectiveness, assessment of business process flows and gap analysis
• providing a continued presence to support future discussions with senior stakeholders and Lloyd’s where required.
Why Grant Thornton?
Grant Thornton can assist your organisation with the Lloyd’s Data Audit through:
• highly experienced audit professionals, with dedicated specialist Data and IT staff and unparalleled access to deep expertise and relationship oversight
• proven experience using a specialist resource with regulatory and industry insight, allowing your organisation to meet all review deadlines on time and within budget
• providing objective, robust assurance and pragmatic solutions for improvement or ‘next steps’ to be used internally and in discussion with Lloyd’s and the FSA
• providing ongoing assurance for Solvency II internal model validation
• a long-standing commitment to excellent client service and support both during and after all engagements.
Who should I contact for Data Audit assistance?
Sandy Kumar
Partner
Head of Financial Services Business Risk Services
T 020 7728 3248
E sandy.kumar@uk.gt.com
Kiran Sudhakar
Lead for IT Internal Audit
Financial Services/Head of Technology Services Business Risk Services
T 020 7728 2909
E kiran.sudhakar@uk.gt.com
Sarah Talbott
Lead for Insurance Internal Audit Financial Services
Business Risk Services
T 020 7865 2815
E sarah.d.talbott@uk.gt.com
Mark A Spurlock
Lead for Insurance Business Consulting Business Consulting Division
Financial Services Advisory
T 020 7865 2346
E mark.a.spurlock@uk.gt.com
© 2012 Grant Thornton UK LLP. All rights reserved.
‘Grant Thornton’ means Grant Thornton UK LLP, a limited liability partnership. Grant Thornton UK LLP is a member firm within Grant Thornton International Ltd (‘Grant Thornton International’). Grant Thornton International and the member firms are not a worldwide partnership. Services are delivered by the member firms independently.
This publication has been prepared only as a guide. No responsibility can be accepted by us for loss occasioned to any person acting or refraining from acting as a result of any material in this publication.
www.grant-thornton.co.uk