Our Lloyd's managing agents FSA Solvency II data audit publication outlines the data audit requirements, the technical challenges you should consider in performing this audit and how Grant Thornton's insurance IT internal audit team can provide support with the effective delivery of this audit to meet the Lloyd's submission deadline of 15th of June 2012.
Call Girls in Delhi, Escort Service Available 24x7 in Delhi 959961-/-3876
Grant Thornton - Data Audit UK
1. Lloyd’s Managing Agents
FSA Solvency II Data Audit
Working in partnership with you to provide
the independent assurance that your Data
Audit Report fulfils Lloyd’s and FSA
Solvency II requirements
2. Lloyd’s Managing Agents FSA Solvency II Data Audit
FSA Solvency II Data Audit
The FSA Solvency II Data Audit (Data Audit) Purpose of the Data Audit Report
is a component of the FSA’s Solvency II Internal “The primary purpose of the Data Audit Report is to
Model Approval Process (IMAP). It assesses demonstrate that an agent’s data management policies comply
all internal and non-proprietary external data with the tests and standards set out in the Solvency II directive.
which may materially impact the design and In addition, the Data Audit Report should demonstrate how
the overall risk that the data used in the internal model does not
function of the proposed internal model. The
meet the Solvency II requirements on data quality (complete,
Data Audit is focussed on the key sub-risks accurate, appropriate and timely) is considered. This overall risk
around aspects of data policy; oversight and is split into five sub-risks.”
governance; data; vulnerabilities and impact; As per Lloyd’s Data Audit Report Guidelines (Draft) – February 2012
data quality and data processing. Following
completion of this assessment, the results
should be presented in a Data Audit Report. Ownership and Independence
“The Data Audit Report should be produced as a result of a
review conducted by a suitably qualified person, independent
Lloyd’s requires all Managing Agents to from the individuals responsible for the design, build,
submit a Data Audit Report by 15 June 2012 parameterisation and implementation of the internal model. The
to Lloyd’s. The primary purpose of the Data author of the Data Audit Report must therefore be independent
Audit Report is to demonstrate that an Agent’s of the normal operation of the model (e.g. Internal Audit).
data management policies comply with the
In conducting the review, the reviewer should apply
tests and standards set out in the Solvency II
professional judgement in deciding how the controls are
Directive to achieve internal model approval. assessed (e.g. sample size, depth of document review,
interviewees, etc.) and how effective they are in addressing the
risk. The review is not intended to assess the appropriateness
of actuarial “Expert Judgements” with regards to data used in
the Internal Model. However, any data, internal or external,
(e.g. claims history, bond price movements, loss events, etc.) on
the basis of which material expert judgments/assumptions and
model calibrations are made, should be included in scope. The
reviewer may make use of previous independent reviews (e.g.
SOX compliance assessments, Internal/External Audit work,
etc.), so long as the data, assumptions, calculation methodology
and IT environment reviewed have not changed significantly.
Where a managing agent makes use of previous reviews for
this purpose, the agent should provide some explanation and
justification as to why the previous review is still relevant and
also for its use.”
As per Lloyd’s Data Audit Report Guidelines (Draft) – February 2012
3. Key requirements
The scope of the Data Audit has now been defined through
the draft Lloyd’s guidance (with final versions due for issue on
30 March 2012) and has been developed in line with the FSA’s
published requirements.
The challenges faced by Managing Agents in response to
fulfilling the Data Audit requirements are extensive. Below we
list the key areas, questions and objectives that the audit will
need to address:
Requirement Area Key Questions to Consider Key Control Objective(s)
Data Policy • How can we ensure our framework in Ensuring consistency in data policies and
respect of data is sustainable for the future? adherence to required Solvency II standards of
• Are existing data policies, procedures and data governance
standards suitable? How can we develop or
improve?
• Have we defined ownership and how data
policies will be embedded into the
organisation?
Oversight and Governance • Do management really have a solid Management have a thorough understanding
understanding of internal model data? of, and are accountable for reviewing, internal
• Have we robust oversight and challenge model data processes
of Management Information (MI) and data
processes?
Data use, vulnerabilities and impact • Are exceptions and limitations in data Recognising and remediating data errors,
understood, suitably investigated and corrected? omissions or inaccuracies which may
• How should we best set materiality, in the compromise data quality
context of significant amounts of data?
Assurance over data materiality and ensuring its
consistent application throughout the organisation
Data quality • Do we understand where our data Maintenance of data quality standards to ensure
origination sources are? demonstrable accuracy, appropriateness,
• How do we maintain such data in an completeness and timeliness
appropriate manner for model and other
business use (e.g. MI generation)?
• Are agreed quality standards per our data
policy being adhered to consistently?
Data processing • Are we able to critically evaluate all our IT Adequacy of technical expertise available to
General Controls within the IT control the firm
environment?
• Do we have effectively designed and Maintaining robust IT General Controls (e.g.
operating IT controls (such as data security, change management and access controls) to
change control and processing of data) safeguard data integrity.
to support corresponding data management
controls? Issues around controls design and effectiveness
• Is the information generated by end-user around spreadsheets, SQL databases and other
computing susceptible to distortion or end user computing applications, which may be
manipulation, due to lack of controls to data less controlled
amendments?
4. Given the requirements and challenges noted in Grant Thornton’s data review and data
the adjacent table, a diverse set of skill-sets will be management professionals are able to provide
required to perform this audit and the review must be assurance to your Management and Non-
performed by suitably qualified individuals who are Executives, Lloyd’s and the FSA that they are
independent of model design, build, and operation compliant with the requirements.
(as per the Lloyd’s Data Audit Report draft guidance
published in February 2012 and the FSA External We feel our team’s experience of supporting clients
Review guidance published in July 2011). in the marketplace enables us to provide you with
pragmatic, and independent audit challenge.
Managing Agents should be actively seeking
specialist review assistance now to ensure the
regulatory timeline for Data Audits is met and
that a robust, independent and objective review is
performed (in line with the Lloyd’s draft guidance).
Our approach to completing the Data Audit
To address the requirements of the Data Audit, we have split our approach into 2 sections:
1 Foundation elements and
2 Specific elements
Foundation elements
Examining the adequacy of the oversight of data by management and the effectiveness of IT General Controls
Specific elements
Performing detailed analysis over data policies, quality and usage through 3 aspects
The understanding Experience of advising Where applicable,
of data management clients on data framework the use of data
principles enhancements interrogation tools
5. Lloyd’s Managing Agents FSA Solvency II Data Audit
The Lloyd’s Timeline for Data Audits
Managing Agents are required to complete Data Audits between May and June
2012, with final Data Audit Reports due for submission to Lloyd’s on 15 June 2012:
Feb March t
April May June t
t
*10 February 2012
Draft Data Report guidance
*30 March 2012
Final Data Audit Report guidance
*15 June 2012
Data Audit
Report due
Our experience and how we can help
Grant Thornton’s experienced data review and data
management professionals are ideally placed to perform
your Data Audit. We will draw on our experienced
IT and business audit specialists to deliver objective,
efficient and robust data audit assurance.
We have experience of:
• objectively examining all required aspects of
Solvency II data management (including data
policy, governance, limitations, processing and IT
environment including change management and • assessing the use of non-proprietary external and
spreadsheet assurance), using our highly experienced third-party data reliance, policies, processes and
Technology Audit, Data and IT specialists agreements, as well as corresponding internal
governance and oversight
• working closely with key business areas (such
as modelling teams, risk specialists, IT and • delivering high quality audit evidence and results
Compliance) to fully understand and evaluate data to fulfil the designated Lloyd’s scope, detailing the
management and data quality against Solvency II and assessment of internal control design and operating
FSA requirements effectiveness, assessment of business process flows
and gap analysis
• providing assurance over all areas of IT environment,
technology, tools and subsequent processing • providing a continued presence to support future
and controls and evaluating the impact on data discussions with senior stakeholders and Lloyd’s
management where required.