Our Lloyd's managing agents FSA Solvency II data audit publication outlines the data audit requirements, the technical challenges you should consider in performing this audit and how Grant Thornton's insurance IT internal audit team can provide support with the effective delivery of this audit to meet the Lloyd's submission deadline of 15th of June 2012.

1. Lloyd’s Managing Agents
FSA Solvency II Data Audit
Working in partnership with you to provide
the independent assurance that your Data
Audit Report fulfils Lloyd’s and FSA
Solvency II requirements

2. Lloyd’s Managing Agents FSA Solvency II Data Audit
FSA Solvency II Data Audit
The FSA Solvency II Data Audit (Data Audit) Purpose of the Data Audit Report
is a component of the FSA’s Solvency II Internal “The primary purpose of the Data Audit Report is to
Model Approval Process (IMAP). It assesses demonstrate that an agent’s data management policies comply
all internal and non-proprietary external data with the tests and standards set out in the Solvency II directive.
which may materially impact the design and In addition, the Data Audit Report should demonstrate how
the overall risk that the data used in the internal model does not
function of the proposed internal model. The
meet the Solvency II requirements on data quality (complete,
Data Audit is focussed on the key sub-risks accurate, appropriate and timely) is considered. This overall risk
around aspects of data policy; oversight and is split into five sub-risks.”
governance; data; vulnerabilities and impact; As per Lloyd’s Data Audit Report Guidelines (Draft) – February 2012
data quality and data processing. Following
completion of this assessment, the results
should be presented in a Data Audit Report. Ownership and Independence
“The Data Audit Report should be produced as a result of a
review conducted by a suitably qualified person, independent
Lloyd’s requires all Managing Agents to from the individuals responsible for the design, build,
submit a Data Audit Report by 15 June 2012 parameterisation and implementation of the internal model. The
to Lloyd’s. The primary purpose of the Data author of the Data Audit Report must therefore be independent
Audit Report is to demonstrate that an Agent’s of the normal operation of the model (e.g. Internal Audit).
data management policies comply with the
In conducting the review, the reviewer should apply
tests and standards set out in the Solvency II
professional judgement in deciding how the controls are
Directive to achieve internal model approval. assessed (e.g. sample size, depth of document review,
interviewees, etc.) and how effective they are in addressing the
risk. The review is not intended to assess the appropriateness
of actuarial “Expert Judgements” with regards to data used in
the Internal Model. However, any data, internal or external,
(e.g. claims history, bond price movements, loss events, etc.) on
the basis of which material expert judgments/assumptions and
model calibrations are made, should be included in scope. The
reviewer may make use of previous independent reviews (e.g.
SOX compliance assessments, Internal/External Audit work,
etc.), so long as the data, assumptions, calculation methodology
and IT environment reviewed have not changed significantly.
Where a managing agent makes use of previous reviews for
this purpose, the agent should provide some explanation and
justification as to why the previous review is still relevant and
also for its use.”
As per Lloyd’s Data Audit Report Guidelines (Draft) – February 2012

3. Key requirements
The scope of the Data Audit has now been defined through
the draft Lloyd’s guidance (with final versions due for issue on
30 March 2012) and has been developed in line with the FSA’s
published requirements.
The challenges faced by Managing Agents in response to
fulfilling the Data Audit requirements are extensive. Below we
list the key areas, questions and objectives that the audit will
need to address:
Requirement Area Key Questions to Consider Key Control Objective(s)
Data Policy • How can we ensure our framework in Ensuring consistency in data policies and
respect of data is sustainable for the future? adherence to required Solvency II standards of
• Are existing data policies, procedures and data governance
standards suitable? How can we develop or
improve?
• Have we defined ownership and how data
policies will be embedded into the
organisation?
Oversight and Governance • Do management really have a solid Management have a thorough understanding
understanding of internal model data? of, and are accountable for reviewing, internal
• Have we robust oversight and challenge model data processes
of Management Information (MI) and data
processes?
Data use, vulnerabilities and impact • Are exceptions and limitations in data Recognising and remediating data errors,
understood, suitably investigated and corrected? omissions or inaccuracies which may
• How should we best set materiality, in the compromise data quality
context of significant amounts of data?
Assurance over data materiality and ensuring its
consistent application throughout the organisation
Data quality • Do we understand where our data Maintenance of data quality standards to ensure
origination sources are? demonstrable accuracy, appropriateness,
• How do we maintain such data in an completeness and timeliness
appropriate manner for model and other
business use (e.g. MI generation)?
• Are agreed quality standards per our data
policy being adhered to consistently?
Data processing • Are we able to critically evaluate all our IT Adequacy of technical expertise available to
General Controls within the IT control the firm
environment?
• Do we have effectively designed and Maintaining robust IT General Controls (e.g.
operating IT controls (such as data security, change management and access controls) to
change control and processing of data) safeguard data integrity.
to support corresponding data management
controls? Issues around controls design and effectiveness
• Is the information generated by end-user around spreadsheets, SQL databases and other
computing susceptible to distortion or end user computing applications, which may be
manipulation, due to lack of controls to data less controlled
amendments?

4. Given the requirements and challenges noted in Grant Thornton’s data review and data
the adjacent table, a diverse set of skill-sets will be management professionals are able to provide
required to perform this audit and the review must be assurance to your Management and Non-
performed by suitably qualified individuals who are Executives, Lloyd’s and the FSA that they are
independent of model design, build, and operation compliant with the requirements.
(as per the Lloyd’s Data Audit Report draft guidance
published in February 2012 and the FSA External We feel our team’s experience of supporting clients
Review guidance published in July 2011). in the marketplace enables us to provide you with
pragmatic, and independent audit challenge.
Managing Agents should be actively seeking
specialist review assistance now to ensure the
regulatory timeline for Data Audits is met and
that a robust, independent and objective review is
performed (in line with the Lloyd’s draft guidance).
Our approach to completing the Data Audit
To address the requirements of the Data Audit, we have split our approach into 2 sections:
1 Foundation elements and
2 Specific elements
Foundation elements
Examining the adequacy of the oversight of data by management and the effectiveness of IT General Controls
Specific elements
Performing detailed analysis over data policies, quality and usage through 3 aspects
The understanding Experience of advising Where applicable,
of data management clients on data framework the use of data
principles enhancements interrogation tools

5. Lloyd’s Managing Agents FSA Solvency II Data Audit
The Lloyd’s Timeline for Data Audits
Managing Agents are required to complete Data Audits between May and June
2012, with final Data Audit Reports due for submission to Lloyd’s on 15 June 2012:
Feb March t
April May June t
t
*10 February 2012
Draft Data Report guidance
*30 March 2012
Final Data Audit Report guidance
*15 June 2012
Data Audit
Report due
Our experience and how we can help
Grant Thornton’s experienced data review and data
management professionals are ideally placed to perform
your Data Audit. We will draw on our experienced
IT and business audit specialists to deliver objective,
efficient and robust data audit assurance.
We have experience of:
• objectively examining all required aspects of
Solvency II data management (including data
policy, governance, limitations, processing and IT
environment including change management and • assessing the use of non-proprietary external and
spreadsheet assurance), using our highly experienced third-party data reliance, policies, processes and
Technology Audit, Data and IT specialists agreements, as well as corresponding internal
governance and oversight
• working closely with key business areas (such
as modelling teams, risk specialists, IT and • delivering high quality audit evidence and results
Compliance) to fully understand and evaluate data to fulfil the designated Lloyd’s scope, detailing the
management and data quality against Solvency II and assessment of internal control design and operating
FSA requirements effectiveness, assessment of business process flows
and gap analysis
• providing assurance over all areas of IT environment,
technology, tools and subsequent processing • providing a continued presence to support future
and controls and evaluating the impact on data discussions with senior stakeholders and Lloyd’s
management where required.

6. Why Grant Thornton?
Grant Thornton can assist your organisation with the Lloyd’s Data Audit through:
• highly experienced audit professionals, with dedicated specialist Data and IT staff and unparalleled access to deep
expertise and relationship oversight
• proven experience using a specialist resource with regulatory and industry insight, allowing your organisation to
meet all review deadlines on time and within budget
• providing objective, robust assurance and pragmatic solutions for improvement or ‘next steps’ to be used internally
and in discussion with Lloyd’s and the FSA
• providing ongoing assurance for Solvency II internal model validation
• a long-standing commitment to excellent client service and support both during and after all engagements.
Who should I contact for Other Related Services
Data Audit assistance? While this document focuses on the
requirements of Data Audit for Lloyd’s
Sandy Kumar
Managing Agents and how our data review
Partner
Head of Financial Services and data management professionals can help,
Business Risk Services Grant Thornton’s Business Consulting Division
T 020 7728 3248 can also assist in the design and build of your
E sandy.kumar@uk.gt.com data management framework, if required. This
team has worked with a number of Managing
Kiran Sudhakar Agents in designing their data dictionary and
Lead for IT Internal Audit performing gap analysis. Should you require
Financial Services/Head of Technology Services
further assistance regarding this please do not
Business Risk Services
T 020 7728 2909 hesitate to contact our Business Consulting
E kiran.sudhakar@uk.gt.com Division. A contact is provided directly below.
Sarah Talbott Mark A Spurlock
Lead for Insurance Internal Audit Lead for Insurance Business Consulting
Financial Services Business Consulting Division
Business Risk Services Financial Services Advisory
T 020 7865 2815 T 020 7865 2346
E sarah.d.talbott@uk.gt.com E mark.a.spurlock@uk.gt.com
© 2012 Grant Thornton UK LLP. All rights reserved.
‘Grant Thornton’ means Grant Thornton UK LLP, a limited liability partnership. Grant Thornton UK LLP is a member firm within Grant Thornton International Ltd (‘Grant Thornton International’).
Grant Thornton International and the member firms are not a worldwide partnership. Services are delivered by the member firms independently.
This publication has been prepared only as a guide. No responsibility can be accepted by us for loss occassioned to any person acting or refraining from acting as a result of any material in this publication.
www.grant-thornton.co.uk
V21426