Lloyd s Managing Agents FSA Solvency II Data Audit

Lloyd’s Managing Agents

FSA Solvency II Data Audit

Working in partnership with you to provide

the independent assurance that your Data

Audit Report fulfils Lloyd’s and FSA

Solvency II requirements

Lloyd’s Managing Agents FSA Solvency II Data Audit

FSA Solvency II Data Audit

Purpose of the Data Audit Report

“The primary purpose of the Data Audit Report is to demonstrate that an agent’s data management policies comply with the tests and standards set out in the Solvency II directive. In addition, the Data Audit Report should demonstrate how the overall risk that the data used in the internal model does not meet the Solvency II requirements on data quality (complete, accurate, appropriate and timely) is considered. This overall risk is split into five sub-risks.”

As per Lloyd’s Data Audit Report Guidelines (Draft) – February 2012

The FSA Solvency II Data Audit (Data Audit)

is a component of the FSA’s Solvency II Internal

Model Approval Process (IMAP). It assesses

all internal and non-proprietary external data

which may materially impact the design and

function of the proposed internal model. The

Data Audit is focussed on the key sub-risks

around aspects of data policy; oversight and

governance; data; vulnerabilities and impact;

data quality and data processing. Following

completion of this assessment, the results

should be presented in a Data Audit Report.

Lloyd’s requires all Managing Agents to

submit a Data Audit Report by 15 June 2012

to Lloyd’s. The primary purpose of the Data

Audit Report is to demonstrate that an Agent’s

data management policies comply with the

tests and standards set out in the Solvency II

Directive to achieve internal model approval.

Ownership and Independence

“The Data Audit Report should be produced as a result of a review conducted by a suitably qualified person, independent from the individuals responsible for the design, build,

parameterisation and implementation of the internal model. The author of the Data Audit Report must therefore be independent of the normal operation of the model (e.g. Internal Audit). In conducting the review, the reviewer should apply professional judgement in deciding how the controls are assessed (e.g. sample size, depth of document review,

interviewees, etc.) and how effective they are in addressing the risk. The review is not intended to assess the appropriateness of actuarial “Expert Judgements” with regards to data used in the Internal Model. However, any data, internal or external, (e.g. claims history, bond price movements, loss events, etc.) on the basis of which material expert judgments/assumptions and model calibrations are made, should be included in scope. The reviewer may make use of previous independent reviews (e.g. SOX compliance assessments, Internal/External Audit work, etc.), so long as the data, assumptions, calculation methodology and IT environment reviewed have not changed significantly. Where a managing agent makes use of previous reviews for this purpose, the agent should provide some explanation and justification as to why the previous review is still relevant and also for its use.”

Key requirements

The scope of the Data Audit has now been defined through the draft Lloyd’s guidance (with final versions due for issue on 30 March 2012) and has been developed in line with the FSA’s published requirements.

The challenges faced by Managing Agents in response to fulfilling the Data Audit requirements are extensive. Below we list the key areas, questions and objectives that the audit will need to address:

Requirement Area Key Questions to Consider Key Control Objective(s)

Data Policy • How can we ensure our framework in respect of data is sustainable for the future? • Are existing data policies, procedures and standards suitable? How can we develop or improve? • Have we defined ownership and how data policies will be embedded into the organisation? Ensuring consistency in data policies and adherence to required Solvency II standards of data governance Oversight and Governance • Do management really have a solid understanding of internal model data? • Have we robust oversight and challenge of Management Information (MI) and data processes? Management have a thorough understanding of, and are accountable for reviewing, internal model data processes Data use, vulnerabilities and impact • Are exceptions and limitations in data understood, suitably investigated and corrected? • How should we best set materiality, in the context of significant amounts of data? Recognising and remediating data errors, omissions or inaccuracies which may compromise data quality Assurance over data materiality and ensuring its consistent application throughout the organisation Data quality • Do we understand where our data origination sources are? • How do we maintain such data in an appropriate manner for model and other business use (e.g. MI generation)? • Are agreed quality standards per our data policy being adhered to consistently? Maintenance of data quality standards to ensure demonstrable accuracy, appropriateness, completeness and timeliness Data processing • Are we able to critically evaluate all our IT General Controls within the IT control environment? • Do we have effectively designed and operating IT controls (such as data security, change control and processing of data) to support corresponding data management controls? • Is the information generated by end-user computing susceptible to distortion or manipulation, due to lack of controls to data amendments? Adequacy of technical expertise available to the firm Maintaining robust IT General Controls (e.g. change management and access controls) to safeguard data integrity. Issues around controls design and effectiveness around spreadsheets, SQL databases and other end user computing applications, which may be less controlled

Our approach to completing the Data Audit

Given the requirements and challenges noted in the adjacent table, a diverse set of skill-sets will be required to perform this audit and the review must be performed by suitably qualified individuals who are independent of model design, build, and operation (as per the Lloyd’s Data Audit Report draft guidance published in February 2012 and the FSA External Review guidance published in July 2011). Managing Agents should be actively seeking specialist review assistance now to ensure the regulatory timeline for Data Audits is met and that a robust, independent and objective review is performed (in line with the Lloyd’s draft guidance).

Grant Thornton’s data review and data management professionals are able to provide assurance to your Management and Non-Executives, Lloyd’s and the FSA that they are compliant with the requirements.

We feel our team’s experience of supporting clients in the marketplace enables us to provide you with pragmatic, and independent audit challenge.

To address the requirements of the Data Audit, we have split our approach into 2 sections: 1 Foundation elements and

2 Specific elements

Foundation elements

Examining the adequacy of the oversight of data by management and the effectiveness of IT General Controls

Where applicable,

the use of data

interrogation tools

Experience of advising

clients on data framework

enhancements

The understanding

of data management

principles

Specific elements

Lloyd’s Managing Agents FSA Solvency II Data Audit

Managing Agents are required to complete Data Audits between May and June 2012, with final Data Audit Reports due for submission to Lloyd’s on 15 June 2012:

The Lloyd’s Timeline for Data Audits

Grant Thornton’s experienced data review and data management professionals are ideally placed to perform your Data Audit. We will draw on our experienced IT and business audit specialists to deliver objective, efficient and robust data audit assurance.

We have experience of:

• objectively examining all required aspects of Solvency II data management (including data policy, governance, limitations, processing and IT environment including change management and spreadsheet assurance), using our highly experienced Technology Audit, Data and IT specialists

• working closely with key business areas (such as modelling teams, risk specialists, IT and

Compliance) to fully understand and evaluate data management and data quality against Solvency II and FSA requirements

• providing assurance over all areas of IT environment, technology, tools and subsequent processing

and controls and evaluating the impact on data management

• assessing the use of non-proprietary external and third-party data reliance, policies, processes and agreements, as well as corresponding internal governance and oversight

• delivering high quality audit evidence and results to fulfil the designated Lloyd’s scope, detailing the assessment of internal control design and operating effectiveness, assessment of business process flows and gap analysis

• providing a continued presence to support future discussions with senior stakeholders and Lloyd’s where required.

Our experience and how we can help

Feb March April May June

*10 February 2012

Draft Data Report guidance

*30 March 2012

Final Data Audit Report guidance

*15 June 2012

Data Audit Report due

Why Grant Thornton?

Grant Thornton can assist your organisation with the Lloyd’s Data Audit through:

• highly experienced audit professionals, with dedicated specialist Data and IT staff and unparalleled access to deep expertise and relationship oversight

• proven experience using a specialist resource with regulatory and industry insight, allowing your organisation to meet all review deadlines on time and within budget

• providing objective, robust assurance and pragmatic solutions for improvement or ‘next steps’ to be used internally and in discussion with Lloyd’s and the FSA

• providing ongoing assurance for Solvency II internal model validation

• a long-standing commitment to excellent client service and support both during and after all engagements.

Who should I contact for

Data Audit assistance?

Sandy Kumar

Partner

Head of Financial Services Business Risk Services T 020 7728 3248 E sandy.kumar@uk.gt.com

Kiran Sudhakar

Lead for IT Internal Audit

Financial Services/Head of Technology Services Business Risk Services

T 020 7728 2909 E kiran.sudhakar@uk.gt.com

Sarah Talbott

Lead for Insurance Internal Audit Financial Services

Business Risk Services T 020 7865 2815

E sarah.d.talbott@uk.gt.com

Mark A Spurlock

Lead for Insurance Business Consulting Business Consulting Division

Financial Services Advisory T 020 7865 2346

E mark.a.spurlock@uk.gt.com

© 2012 Grant Thornton UK LLP. All rights reserved.

‘Grant Thornton’ means Grant Thornton UK LLP, a limited liability partnership. Grant Thornton UK LLP is a member firm within Grant Thornton International Ltd (‘Grant Thornton International’). Grant Thornton International and the member firms are not a worldwide partnership. Services are delivered by the member firms independently.

This publication has been prepared only as a guide. No responsibility can be accepted by us for loss occassioned to any person acting or refraining from acting as a result of any material in this publication. www.grant-thornton.co.uk V21426

Other Related Services

While this document focuses on the requirements of Data Audit for Lloyd’s Managing Agents and how our data review and data management professionals can help, Grant Thornton’s Business Consulting Division can also assist in the design and build of your data management framework, if required. This team has worked with a number of Managing Agents in designing their data dictionary and performing gap analysis. Should you require further assistance regarding this please do not hesitate to contact our Business Consulting Division. A contact is provided directly below.