Lloyd’s Managing Agents FSA Solvency II Data Audit

Working in partnership with you to provide the independent assurance that your Data Audit Report fulfils Lloyd’s and FSA Solvency II requirements

Lloyd’s Managing Agents FSA Solvency II Data Audit

FSA Solvency II Data Audit

Purpose of the Data Audit Report “The primary purpose of the Data Audit Report is to demonstrate that an agent’s data management policies comply with the tests and standards set out in the Solvency II directive. In addition, the Data Audit Report should demonstrate how the overall risk that the data used in the internal model does not meet the Solvency II requirements on data quality (complete, accurate, appropriate and timely) is considered. This overall risk is split into five sub-risks.”As per Lloyd’s Data Audit Report Guidelines (Draft) – February 2012

The FSA Solvency II Data Audit (Data Audit) is a component of the FSA’s Solvency II Internal Model Approval Process (IMAP). It assesses all internal and non-proprietary external data which may materially impact the design and function of the proposed internal model. The Data Audit is focussed on the key sub-risks around aspects of data policy; oversight and governance; data; vulnerabilities and impact; data quality and data processing. Following completion of this assessment, the results should be presented in a Data Audit Report.

Lloyd’s requires all Managing Agents to submit a Data Audit Report by 15 June 2012 to Lloyd’s. The primary purpose of the Data Audit Report is to demonstrate that an Agent’s data management policies comply with the tests and standards set out in the Solvency II Directive to achieve internal model approval.

Ownership and Independence “The Data Audit Report should be produced as a result of a review conducted by a suitably qualified person, independent from the individuals responsible for the design, build, parameterisation and implementation of the internal model. The author of the Data Audit Report must therefore be independent of the normal operation of the model (e.g. Internal Audit).

In conducting the review, the reviewer should apply professional judgement in deciding how the controls are assessed (e.g. sample size, depth of document review, interviewees, etc.) and how effective they are in addressing the risk. The review is not intended to assess the appropriateness of actuarial “Expert Judgements” with regards to data used in the Internal Model. However, any data, internal or external, (e.g. claims history, bond price movements, loss events, etc.) on the basis of which material expert judgments/assumptions and model calibrations are made, should be included in scope. The reviewer may make use of previous independent reviews (e.g. SOX compliance assessments, Internal/External Audit work, etc.), so long as the data, assumptions, calculation methodology and IT environment reviewed have not changed significantly.

Where a managing agent makes use of previous reviews for this purpose, the agent should provide some explanation and justification as to why the previous review is still relevant and also for its use.”As per Lloyd’s Data Audit Report Guidelines (Draft) – February 2012

Key requirementsThe scope of the Data Audit has now been defined through the draft Lloyd’s guidance (with final versions due for issue on 30 March 2012) and has been developed in line with the FSA’s published requirements.

The challenges faced by Managing Agents in response to fulfilling the Data Audit requirements are extensive. Below we list the key areas, questions and objectives that the audit will need to address:

Requirement Area Key Questions to Consider Key Control Objective(s)

Data Policy • Howcanweensureourframeworkin respectofdataissustainableforthefuture?• Areexistingdatapolicies,proceduresand standardssuitable?Howcanwedevelopor improve?• Havewedefinedownershipandhowdata policieswillbeembeddedintothe organisation?

EnsuringconsistencyindatapoliciesandadherencetorequiredSolvencyIIstandardsofdatagovernance

OversightandGovernance • Domanagementreallyhaveasolid understandingofinternalmodeldata?• Havewerobustoversightandchallenge ofManagementInformation(MI)anddata processes?

Managementhaveathoroughunderstandingof,andareaccountableforreviewing,internalmodeldataprocesses

Datause,vulnerabilitiesandimpact • Areexceptionsandlimitationsindata understood,suitablyinvestigatedandcorrected?• Howshouldwebestsetmateriality,inthe contextofsignificantamountsofdata?

Recognisingandremediatingdataerrors,omissionsorinaccuracieswhichmaycompromisedataquality

Assuranceoverdatamaterialityandensuringitsconsistentapplicationthroughouttheorganisation

Dataquality • Doweunderstandwhereourdata originationsourcesare?• Howdowemaintainsuchdatainan appropriatemannerformodelandother businessuse(e.g.MIgeneration)?• Areagreedqualitystandardsperourdata policybeingadheredtoconsistently?

Maintenanceofdataqualitystandardstoensuredemonstrableaccuracy,appropriateness,completenessandtimeliness

Dataprocessing • AreweabletocriticallyevaluateallourIT GeneralControlswithintheITcontrol environment?• Dowehaveeffectivelydesignedand operatingITcontrols(suchasdatasecurity, changecontrolandprocessingofdata) tosupportcorrespondingdatamanagement controls?• Istheinformationgeneratedbyend-user computingsusceptibletodistortionor manipulation,duetolackofcontrolstodata amendments?

Adequacyoftechnicalexpertiseavailabletothefirm

MaintainingrobustITGeneralControls(e.g.changemanagementandaccesscontrols)tosafeguarddataintegrity.

Issuesaroundcontrolsdesignandeffectivenessaroundspreadsheets,SQLdatabasesandotherendusercomputingapplications,whichmaybelesscontrolled

Our approach to completing the Data Audit

Given the requirements and challenges noted in the adjacent table, a diverse set of skill-sets will be required to perform this audit and the review must be performed by suitably qualified individuals who are independent of model design, build, and operation (as per the Lloyd’s Data Audit Report draft guidance published in February 2012 and the FSA External Review guidance published in July 2011).

Managing Agents should be actively seeking specialist review assistance now to ensure the regulatory timeline for Data Audits is met and that a robust, independent and objective review is performed (in line with the Lloyd’s draft guidance).

Grant Thornton’s data review and data management professionals are able to provide assurance to your Management and Non-Executives, Lloyd’s and the FSA that they are compliant with the requirements.

We feel our team’s experience of supporting clients in the marketplace enables us to provide you with pragmatic, and independent audit challenge.

To address the requirements of the Data Audit, we have split our approach into 2 sections:1 Foundation elements and2 Specific elements

Foundation elementsExamining the adequacy of the oversight of data by management and the effectiveness of IT General Controls

Where applicable, the use of data

interrogation tools

Experience of advising clients on data framework

enhancements

The understanding of data management

principles

Specific elementsPerforming detailed analysis over data policies, quality and usage through 3 aspects

Lloyd’s Managing Agents FSA Solvency II Data Audit

Managing Agents are required to complete Data Audits between May and June 2012, with final Data Audit Reports due for submission to Lloyd’s on 15 June 2012:

The Lloyd’s Timeline for Data Audits

Grant Thornton’s experienced data review and data management professionals are ideally placed to perform your Data Audit. We will draw on our experienced IT and business audit specialists to deliver objective, efficient and robust data audit assurance.

We have experience of:• objectivelyexaminingallrequiredaspectsof

Solvency II data management (including data policy, governance, limitations, processing and IT environment including change management and spreadsheet assurance), using our highly experienced Technology Audit, Data and IT specialists

• workingcloselywithkeybusinessareas(suchasmodellingteams,riskspecialists,ITandCompliance) to fully understand and evaluate data management and data quality against Solvency II and FSA requirements

• providingassuranceoverallareasofITenvironment,technology, tools and subsequent processing and controls and evaluating the impact on data management

• assessingtheuseofnon-proprietaryexternalandthird-partydatareliance,policies,processesandagreements, as well as corresponding internal governance and oversight

• deliveringhighqualityauditevidenceandresultsto fulfil the designated Lloyd’s scope, detailing the assessment of internal control design and operating effectiveness, assessment of business process flows and gap analysis

• providingacontinuedpresencetosupportfuturediscussionswithseniorstakeholdersandLloyd’swhere required.

Our experience and how we can help

Feb March April May June

*10 February 2012

Draft Data Report guidance

*30 March 2012

Final Data Audit Report guidance

*15 June 2012

Data Audit Report due

t t t

Why Grant Thornton?Grant Thornton can assist your organisation with the Lloyd’s Data Audit through:

• highlyexperiencedauditprofessionals,withdedicatedspecialistDataandITstaffandunparalleledaccesstodeepexpertiseandrelationshipoversight

• provenexperienceusingaspecialistresourcewithregulatoryandindustryinsight,allowingyourorganisationtomeetallreviewdeadlinesontimeandwithinbudget

• providingobjective,robustassuranceandpragmaticsolutionsforimprovementor‘nextsteps’tobeusedinternallyand in discussion with Lloyd’s and the FSA

• providingongoingassuranceforSolvencyIIinternalmodelvalidation

• along-standingcommitmenttoexcellentclientserviceandsupportbothduringandafterallengagements.

WhoshouldIcontactforData Audit assistance?Sandy KumarPartnerHead of Financial Services Business Risk Services T 020 7728 3248 E sandy.kumar@uk.gt.com

Kiran SudhakarLead for IT Internal AuditFinancial Services/Head of Technology ServicesBusiness Risk ServicesT 020 7728 2909 E kiran.sudhakar@uk.gt.com

Sarah TalbottLead for Insurance Internal AuditFinancial ServicesBusiness Risk ServicesT 020 7865 2815E sarah.d.talbott@uk.gt.com

Mark A SpurlockLead for Insurance Business Consulting Business Consulting DivisionFinancial Services AdvisoryT 020 7865 2346E mark.a.spurlock@uk.gt.com

© 2012 Grant Thornton UK LLP. All rights reserved.

‘Grant Thornton’ means Grant Thornton UK LLP, a limited liability partnership. Grant Thornton UK LLP is a member firm within Grant Thornton International Ltd (‘Grant Thornton International’). Grant Thornton International and the member firms are not a worldwide partnership. Services are delivered by the member firms independently.

This publication has been prepared only as a guide. No responsibility can be accepted by us for loss occassioned to any person acting or refraining from acting as a result of any material in this publication.

www.grant-thornton.co.uk

V21426

OtherRelatedServicesWhilethisdocumentfocusesontherequirementsofDataAuditforLloyd’sManagingAgentsandhowourdatareviewanddatamanagementprofessionalscanhelp,GrantThornton’sBusinessConsultingDivisioncanalsoassistinthedesignandbuildofyourdatamanagementframework,ifrequired.ThisteamhasworkedwithanumberofManagingAgents in designing their data dictionary and performinggapanalysis.Shouldyourequirefurtherassistanceregardingthispleasedonothesitate to contact our Business Consulting Division.Acontactisprovideddirectlybelow.