AAF Report 31 March 2012 Spence

AAF01/06 Report

AAF01/06 Report on Internal Controls For the year ended 31 March 2012

spenceandpartners.co.uk

AAF01/06 Report on Internal Controls

Table of Contents

1. Introduction (page 2)
2. Background and organisational structure (page 4)
3. Company structure (page 6)
4. Pension Administration (page 9)
5. Information Security (page 14)
6. Risk Management (page 16)
7. Information Technology (page 18)
8. Report of the Directors of Spence & Partners Limited (page 20)
9. Report by the reporting accountants (page 22)
10. Summary of control objectives (page 26)
11. Control procedures and audit testing (page 33)
Appendix 1 Letter of Engagement (page 68)


Section 1 Introduction


The directors of Spence & Partners Limited (Spence) are pleased to present our annual report detailing the control procedures in place for our Pension Administration and Pension Database Functions, in line with the AAF 01/06 requirements, covering the period 1 April 2011 to 31 March 2012. Spence provides a full range of pension administration services and is a leading provider of pensions data audit and pension scheme trustees. We see database work as core to our business, and the strength of our pension database expertise has enabled us to develop a powerful suite of software to perform remedial pension scheme data work, which is often required where a scheme is considering buying out its liabilities or during Pension Protection Fund (PPF) or Financial Assistance Scheme (FAS) assessment periods. Effective pension scheme management is the trustees’ responsibility. Together with expert consultancy that our Trustee Advisory Service provides, which includes a range of practical solutions to trustees of occupational schemes that meet the objectives of the scheme and the responsibilities of the trustees. In addition to our work with trustees of ongoing schemes we have developed specialist expertise in pension scheme termination work, and in particular managing schemes through the PPF and FAS assessment periods. Is a primary focus of our business. A specialist PPF/FAS team handles all aspects of the assessment process including administration and fund accounting. This expertise is increasingly relevant to all schemes given the Pensions Regulator’s increasing focus on scheme record keeping. Spence has been appointed to the PPF’s new Specialist Administration Services Panel and was also appointed to the Actuarial Services Panel in 2011 to provide S143 entry valuations.

Our pension administration service is controlled by a governance framework structured within a quality controlled environment. The directors of Spence are committed to providing the highest quality services to clients and maintaining a strong process, control and compliance environment throughout its practice areas. This report has been prepared in accordance with the Institute of Chartered Accountants in England & Wales Technical Release AAF01/06 Assurance Reports on Internal Controls. Our detailed procedures are set out against each control objective in Section 11 on pages 33 to 67 of the report, which has been audited and reported upon by RSM McClure Watters. This report provides the reader (including trustees, auditors and clients) with information and assurances about our processes and the strongly controlled environment that is in place to assist us in delivering high quality pension administration services to our diverse portfolio of clients.


Section 2 Background and organisational structure

Spence was established in 2000 as consultants, pension scheme IT specialists and administrators. Since our inception we have had a particular focus on advising and on managing stages of their lives including ongoing schemes, in the process of winding up and transition to the Pension Protection Fund (PPF) and Financial Assistance Scheme (FAS).

In 2003, Dalriada Trustees Limited (Dalriada) was established as a separate company to provide high quality independent professional trusteeship services to pension schemes in the United Kingdom. Dalriada Pension Trustees was established in 2008 to provide similar independent professional trustee services in Ireland. In 2011, The Pensions Hosting Company Limited was established as an IT software business developing and licensing an integrated pensions administration and actuarial software application. Ellcon Investments Limited is the holding company for the group.

[Group structure chart: The Pensions Hosting Company; Dalriada Pension Trustees]

Under our matrix management structure Spence is able to draw on the experience of over 60 pensions professionals across a range of disciplines. Specialist staff include actuaries, consultants, administrators, fund accountants and pensions professionals with many years’ experience. Our focus is on providing innovation with intelligent thinking and using technology to provide a more

ensuring a consistency of service.

Spence provides an extensive range of pension administration services for all types of occupational pension schemes and we have developed an expertise and deep specialism in project managing schemes that are in the process of winding up or transitioning to either the PPF or the FAS.

Spence offers a highly proactive and dynamic service and employs service standards and controls which have

engaged and professional staff with a depth and breadth of experience. This allows us to provide our clients with a market leading service proposition.

Spence was recently appointed to the PPF’s Specialist Administration Services Panel and in June 2011 was appointed to the PPF’s Panel of Actuaries to provide S143 entry valuations. As a group we have transferred 16 schemes

schemes to ever transfer. Spence is recognised as having extensive experience in dealing with pension schemes in the “endgame” phase of their life cycle. The services required by a scheme in the endgame phase differ materially from the requirements of on-going schemes. Spence recognises this and tailors its services appropriately.


Section 3 Company structure


Our structure is illustrated in the table below as a two-dimensional matrix.

Our Practice Heads are responsible for all aspects of our service to a particular market. Practice Heads take overall responsibility for services to clients by drawing on specialist staff from within our functions.

Each function is managed by a Function Head who controls all resources for client delivery and provides these to the practice areas as required. The most relevant functions for this report are our Administration, Pensions Database and Client Management functions.


The division between our functions is not hard and fast. Although staff members are primarily associated with one function it is not uncommon for them to perform a role in more than one function because we deliberately train them to develop multiple skills. For example, many of our staff are able to perform both actuarial technician and pension administration roles. In addition to our professional functions we have an Internal Function that contains our internal marketing resources. All Function Heads and Practice Heads Brian Spence who is supported by Director Liz Fergusson. Liz is responsible for development of resources in our business encompassing recruitment, internal communication, culture, training and leadership development. Brian is also supported by a number of advisory groups:

- Practice Heads’ Group – external affairs and business development (meets quarterly)
- Function Heads’ Group – coordination of resources (meets quarterly)
- Planning Group – long term planning (meets as required)
- Marketing Group – sales and marketing (bi-weekly conference call and meets as required)
- PPF/FAS Group – coordinates all PPF/FAS work (weekly conference call)
- (meets as required)

Our statutory company boards meet quarterly and perform an oversight and governance role. The role of the Client Manager is key to our working relationship with clients. The Client Manager is the client’s “champion” within Spence. From the trustees’ point of view they have assurance that there is one person who has the overall responsibility for their account. The Function Heads and Client Manager have access to management information to enable them to plan and monitor progress on particular projects and against agreed fee budgets.

Section 4 Pension Administration


Spence provides a full range of Pensions Administration and Pensions Database services operated within a quality controlled environment. Our pension administration team carries out all tasks and operations under a strict quality control and governance framework. We have procedures and checks in place to ensure the accuracy and quality of our service. Spence recognises that its administration service is the interface between a pension scheme and its members and our pension administration team fully understands the importance of this. We never lose sight of the fact that the primary objective of and information to its members in a timely manner. Pension administration is a core service for our business rather than an adjunct to other services and we are committed to a process of continuous improvement in terms of the services we provide to our clients. A complete range of administration services is provided as a core and/or distinct element of our service including:

- of the scheme bank account, and disinvestment of funds as
- team to produce formal pension scheme annual report and
- audit reporting system to comply with the Pensions Regulator’s record keeping requirements.

Key elements of our management systems and controls to ensure quality of service for our clients include:

STRUCTURE
A key component of our approach to quality is the separation of responsibility within our group between the Practice Head, who is responsible for identifying the needs of the client and strategically developing our service to meet these needs, and our Function Heads (Client Management, Administration, Fund Accounting and Pensions Database Functions), who manage the resources and day to day delivery of services.

PROCEDURES
Our procedures are owned by the relevant Function Head and documented as a series of controlled documents available on our intranet site. Where relevant all documents are managed within our formal Information Security Management System (ISMS). Spence’s ISO/IEC 27001:2005 – Information Technology – Security Techniques – Information Security Management Systems – Requirements.

Most procedures are automated as software that also captures and measures our performance against Service Level Agreements.

CONTENT MANAGEMENT
All procedures, documents, records and information are managed within an extensively developed SharePoint implementation with version control and document creation and approval

All staff have access to a wide variety of technical information sources.

CHECKING
There are strict checking procedures for all calculations and correspondence with trustees, members and third parties. Checklists are completed to ensure that all the required steps are followed. All calculations are peer reviewed by a senior administrator (the checker) along with the checklist to ensure there are no errors or omissions.

and correspondence are held electronically on SharePoint.

SERVICE LEVEL AGREEMENTS
Traditionally a Service Level Agreement (SLA) for pension administration

focuses on carrying out an action (e.g. responding to an individual item of post The creation of an “action” becomes more of an end in itself rather than meeting the needs of a member. Our monitoring is around whole events (i.e. a member’s death) rather than actions. The traditional approach would have been to allow a turnaround of one day, say in respect of any incoming correspondence or trigger for action. A true measure of the performance of the Trustees, and of us as administrators, actually paid out. A member (or in the event of their death, their dependants) will not really place great value on a particular letter having been answered within one day will be settled. The administration team aim to carry out services and tasks accurately and continuously monitored internally and reported externally to trustees in the form of a Stewardship report. The report details the tasks undertaken during the relevant period and whether the SLAs have been met. This allows the trustees to monitor the performance against the SLA.

ELECTRONIC DOCUMENT AND TASK MANAGEMENT
system, we have implemented Microsoft SharePoint 2007 (SharePoint) software enabling us to introduce comprehensive electronic document management. All correspondence for our clients is scanned and available for searching and retrieval. SharePoint is SharePoint deployment utilises both functionality such that appropriate control procedures can be followed. It is also integrated with our bespoke which enables client managers to monitor closely the turnaround times on individual pieces of work, the total amount of outstanding work and where any particular job is at any moment in time. Spence has also developed advanced reporting tools so detailed activity and performance information can be extracted at any point in time and, indeed, forms the basis of our standard Stewardship Reporting.

AUDIT
Compliance with our procedures is subject to internal audit and external audit (AAF01/06). The ISMS is of course subject to separate external audit for ISO27001 purposes.

PEOPLE
People are our key resource and our Human Resources team supports our Function Heads in ensuring that our staff members are developed to their maximum potential.

Our policy is to ensure the highest calibre of staff through capability building, performance and engagement of our people. This is at the centre of our organisational approach to maintaining standards:

- documented policies and procedures governing the services we provide which are clearly communicated to all relevant staff.
- for improvement and any changes are clearly communicated to all staff and relevant contractors.
- relevant policies and procedures is subject to internal and external audit as part of our ISO27001 and AAF01/06 accreditation. Annual appraisals are performed and a bonus system rewards high performance against agreed objectives which contain

Our major focus is on recruiting and training from scratch and we have a number of measures in place to secure quality people including a work placement scheme that we operate in conjunction with the Management School at Queen’s University, sponsorship of Management Partnership that we have entered into with the University.

New members of staff undergo external vetting and are subject to a rigorous induction and training programme. All administration and IT staff are supported in Pensions Management Institute (PMI)

In practice, leadership commitment to developing and maintaining staff key steps of the employee journey:

Sharing of expertise is paramount to us and we hold regular team meetings to discuss industry developments.

CULTURE
Our culture needs to support our ethos in achieving quality. Our belief is that our culture has to be embedded and truly lived out by our staff, so for example we are currently in a process involving every member of staff to develop a manifesto that articulates what we stand for as a business.

Section 5 Information Security

Information security is of paramount importance to our organisation and we are committed to the protection of information from a wide range of threats in order to ensure business continuity and to minimise business risk for our clients. Spence have been successfully

internationally recognised standard for Information Security Management, since December 2011. ISO/IEC 27001 is fast becoming the international touchstone for effective, secure information management practices that protect organisations and ensure their compliance with data protection, privacy and computer misuse regulations. The application and use of this standard primarily ensures business continuity, minimising business damage by preventing and reducing the impact of security incidents while maximising business investments and opportunities.

Our information security policy outlines our:

[Diagram: Information Security – information, personnel, technology, processes and third parties; information security breaches; Management System]

The security practices adopted within Spence to comply with the accreditation are essential to protect the interests in ensuring the secure and safe deployment of IT systems and services.

Section 6 Risk Management

Our risk assessment process involves identifying risk scenarios based on our key information assets. Associated

with the vulnerabilities that might be exploited by the threats. Our Information Security Focus Group (ISFG) meets quarterly and analyses risk scenarios. The business impact of each risk is assessed on its consequences in terms or availability. This is scored and multiplied by a risk rating for business operational (costs), impact (severity impact), likelihood (probability score) and business criticality rating giving a

are analysed and evaluated against risk acceptance criteria. Once risks have to manage risk fall into one or more of these categories:

A Risk Treatment Plan is drawn up knowingly and objectively accepting risks or deferring countermeasures.

The Risk Register is reviewed at planned

in the underlying environment.

Section 7 Information Technology

Novosco has been the primary IT supplier to Spence & Partners since 2001 and supplies:

- on providing IT support services to all Spence & Partners staff spanning both locations.
- helpdesk for call escalation and 3rd level support services.
- alerting system to ensure early warning of system failure.
- of hours support services.
- and monthly restores and recovery tests.

community. In 2009, we adopted virtualisation technology to reduce the reliance on physical hardware and to reduce the risk of a ‘one application, one server’ model. We use VMware vSphere 4.1 for virtualisation management. vSphere is the leading virtualisation platform and offers the highest levels of availability and responsiveness in the hypervisor marketplace.

SHAREPOINT
We use SharePoint as a central resource for document management

member correspondence and internal function process documents are worked on and stored in this repository. Security permissions are in place to ensure that

our clients, and sensitive documents

working practices across all client related functions, including a bespoke document tagging feature. It is now integrated into associated systems and services for all staff.

NETWORK INFRASTRUCTURE
Spence & Partners utilises Cloudstream, which serves a virtual private network (VPN). Cloudstream is a high-speed

effectively over secure private network connections. Built on the Hibernia Global Financial Network, it is designed to meet the demanding performance

BACKUP AND RECOVERY
In our VMware implementation all servers bar two are virtualised, with each virtual machine (VM)’s workload the operating system, applications, and data. Virtualisation enables faster recovery in terms of provisioning and getting data back online. A VM is not dependent upon particular hardware. EMC Avamar backup and recovery software is used to obtain fast daily full back-ups to a remote secure ISO 27001 at rest. The Avamar Data Store on which backup data is stored uses a grid architecture eliminating a single point of failure by employing an array of independent nodes. System and data integrity is A spare server capable of operating our entire virtualised server workload and storage is held securely off-site and used to test server restores. This server can potentially be used in a disaster recovery scenario either in Belfast or Glasgow, in which case the backup data would remain in the Avamar Data Store and once production recommences on the spare server backups would continue to be taken daily. Target recovery window for all services backed up to Avamar is 72 hours.

ARCHIVING
All of our sent and received emails are archived using Mimosa NearPoint. Any email can be accessed within a matter of seconds using the Mimosa Archive search facility. Backups are taken of the entire archive on a regular basis and stored off-site.

MOBILITY
All of the desktops and laptops in our no data can be stored on the device locally. This helps improve security for remote working. Remote access to the network is achieved with the use of two-factor authentication. This is to help protect against increased security risks and intelligent manipulative methods used by external sources. Users are given a token, either stored on their laptop or iPhone, which will generate a code to be used as well as the normal logon credentials when logging in. Citrix XenApp is used to provide on-demand virtual application delivery to all staff. All our Windows applications are virtualised and managed centrally. Our staff can access them from any device in any location at any time. Access to data is controlled and encrypted to further enhance security.

ADMINISTRATION DATABASE
Our administration software is one of systems available in the market. The automated functionality it provides assists in streamlining scheme record keeping and communication. Our aim system with process automation. We also design our own software and tools to enhance our service capabilities such as data audit, fund accounting and

Section 8 Report of the Directors of Spence & Partners Limited

to clients’ assets and liabilities and related transactions in the provision of pension administration and the design, implementation and operation of the control procedures of Spence to provide reasonable assurance that the control objectives are achieved. In carrying out those responsibilities we have regard not only to the interests of clients, but also to those of the owners of the business and the general effectiveness

We have evaluated the effectiveness of Spence control procedures having regard to the Institute of Chartered Accountants in England and Wales Technical Release AAF 01/06 and the criteria for pension administration and associated IT services. We set out in this report a description of the relevant control procedures together with the related control objectives which are in place for the year ended 31 March

i. the report describes fairly the control procedures that relate to the control

ii. the control procedures described are suitably designed such that there be achieved if the described control procedures were complied with

effectiveness to provide reasonable assurance that the related control objectives were achieved during the year.

Neil Copeland, Director
Signed on behalf of the Board of Directors, Spence & Partners Limited
Date: 16th July 2012

Section 9 Report by the Reporting Accountants

Reporting accountants’ assurance report on internal controls to the directors of Spence & Partners Limited

USE OF REPORT
This report is made solely for the use of the directors, as a body, of Spence and solely for the purpose of reporting on the internal controls of Spence, in accordance with the terms of our engagement letter dated 16 April 2012 and attached as Appendix 1 of your report. Our work has been undertaken so that we might report to the directors and those matters that we have agreed to state to them in this report and for no other purpose. Our report must not be recited or referred to in whole or in part in any other document nor made available, copied or recited to any other party, in any circumstances, without our express prior written permission. We permit the disclosure of our report, in full only, to customers and potential customers (together “Customers”) of Spence using Spence pension administration customers, to enable customers and their auditors to verify that a report by reporting accountants has been commissioned by the directors of Spence and issued in connection with the internal controls of Spence without assuming or accepting any responsibility or liability to them on our part, and on the condition that the directors provide all such customers a written statement at the commencement of the Spence report in the form set out in our engagement letter. To the fullest extent permitted by law, we do not accept or assume responsibility to anyone other than the directors as a body and Spence for our work, for this report or for the opinions we have formed.

SUBJECT MATTER
This report covers solely the internal controls of Spence as described in your report as at 31 March 2012. Internal controls are processes designed to provide reasonable assurance regarding the level of control over customers’ assets and related transactions achieved by Spence in the provision of pension administration services by Spence.

RESPECTIVE RESPONSIBILITIES
The directors’ responsibilities and assertions are set out on page 21 of your report. Our responsibility is to form an independent conclusion, based on the work carried out in relation to the control procedures of Spence pension administration function report this to you as the directors of Spence.


CRITERIA AND SCOPE
We conducted our engagement in accordance with International Standard on Assurance Engagements (ISAE) 3000 and the Institute of Chartered Accountants in England and Wales Technical Release AAF 01/06. The criteria against which the control procedures were evaluated are the internal control objectives developed for service organisations as set out within the Technical Release AAF 01/06 and control over customers’ assets and related transactions in the provision of pension administration services. Our work was based upon obtaining an understanding of the control procedures as described on pages 33 to 67 in the report by the directors, and evaluating the directors’ assertions as described on page 21 in the same report to obtain reasonable assurance so as to form our conclusion. Our work also included meeting the related control objectives. The nature, timing and extent of the tests we applied are detailed on pages 33 to 67. Our tests are related to Spence as a whole rather than performed to meet the needs of any particular customer.

INHERENT LIMITATIONS
inherent limitations and, accordingly, errors or irregularities may occur and not be detected. Such control procedures cannot guarantee protection against (among other things) fraudulent collusion especially on the part of those holding positions of authority or trust. Furthermore, our conclusion is based on historical information and the projection of any information or conclusions in the attached report to any future periods would be inappropriate.

CONCLUSION
In our opinion, in all material respects:

1. the accompanying report by the directors describes fairly the control procedures that relate to the control objectives referred to above which were in place as at

2. the control procedures described on pages 33 to 67 were suitably designed such objectives would have been achieved if the described control procedures were

3. the control procedures that were tested, as set out in the attachment to this but not absolute, assurance that the related control objectives were achieved in the period 1 April 2011 to 31 March 2012.

David Watters, Managing Partner
RSM McClure Watters, Chartered Accountants, Belfast
Date: 1st August 2012

Section 10 Summary of Control Objectives


CONTROL OBJECTIVE / AUDIT FINDINGS

1. Accepting Clients

- Accounts are set up and administered in accordance with client agreements and applicable regulations. No exceptions noted.
- Complete and authorised client agreements are operative prior to initialising administration activity. No exceptions noted.
- Pension schemes taken on are properly established in the system in accordance with the scheme rules and individual elections. No exceptions noted.

2. Authorisation and Processing Transactions

- No exceptions noted.
- both, and transfers of members’ funds between investment options are processed accurately and in a timely manner. No exceptions noted.
- are calculated in accordance with scheme rules and relevant legislation and are paid on a timely basis.

3. Maintaining Financial and other Records

- Member records consist of up to date and accurate information and are updated and reconciled regularly. No exceptions noted.
- completely and accurately recorded in the proper period. No exceptions noted.
- Investment transactions, balances and related income are completely and accurately recorded in the proper period. No exceptions noted.
- Scheme documents are complete, up to date and securely held. No exceptions noted.

4. Safeguarding Assets

- Member and scheme data is appropriately stored to ensure security and protection from unauthorised use. No exceptions noted.
- Cash is safeguarded and payments are suitably authorised and controlled. No exceptions noted.

5. Monitoring Compliance

- Contributions are received in accordance with the scheme rules and relevant legislation. No exceptions noted.
- Services provided to pension schemes are in line with service level agreements. No exceptions noted.
- and clients treated fairly. No exceptions noted.

6. Reporting to Clients

- Periodic reports to participants and scheme sponsors are accurate and complete and provided within required timescales. No exceptions noted.
- Annual reports and accounts are prepared in accordance with applicable law and regulations. No exceptions noted.
- Regulatory reports are made if necessary. No exceptions noted.

INFORMATION TECHNOLOGY

7. Restricting access to systems and data

- Physical access to computer networks, equipment, storage media and program documentation is restricted to authorised individuals. No exceptions noted.
- Logical access to computer systems, programs, master data, transaction data and parameters, including access by administrators to applications, databases, systems and networks, is restricted to authorised individuals via information security tools and techniques. No exceptions noted.
- Segregation of incompatible duties is logical security controls in accordance with job roles. No exceptions noted.

8. Providing integrity and resilience to the information processing environment, commensurate with the value of the information held, information processing performed and external threats

- IT processing is authorised and scheduled appropriately and in a timely manner. No exceptions noted.
- Data transmissions between the service organisation and its counterparties are complete, accurate, timely and secure. No exceptions noted.
- Appropriate measures are implemented to counter the threat from malicious electronic attack (e.g. firewalls, antivirus etc.). The physical IT equipment is maintained in a controlled environment. No exceptions noted.

CONTROL OBJECTIVE

AUDIT FINDINGS

9. Maintaining and developing systems hardware and software Development and implementation of new systems, applications and software, and changes to existing systems, applications and software, are authorised, tested, approved and implemented.

No exceptions noted.

No exceptions noted. authorised, tested and, once performed, reconciled back to the source data.

10. Recovering from processing interruptions Data and systems are backed up regularly, retained offsite and regularly tested for recoverability.

No exceptions noted.

IT software and hardware issues are monitored and resolved in a timely manner. Business and information systems recovery plans are documented, approved, tested and maintained.

No exceptions noted.

11. Monitoring compliance

Outsourced activities are properly managed and monitored.

No exceptions noted.

Section 11 Control Procedures and Audit Testing


CONTROL OBJECTIVE

AUDIT FINDINGS

1. Accepting Clients

appointed to provide administration services a New Client Implementation Document is prepared to act as a project planning document. A Fee & Service Agreement is issued for signature on behalf of the trustees.

Agreement Fee has been signed by the trustees and Spence. A further sample of signed Agreements with on-going client schemes was selected. No exceptions noted.

Spence are being contracted to provide and the agreed method of charging. Standard administration tasks are also performance timescales or bespoke timescales as may detailed in the Fee & Service Agreement. As part of the implementation process a copy of all scheme documentation is requested. This documentation is reviewed and where administration services are provided forms the basis are reviewed and signed off. Where reviewed and signed off by the trustees and/or the scheme’s legal advisers, particularly if there is any ambiguity in interpretation or if there is any concern comply with legislative requirements. Data is requested in all forms and any electronic data is imported onto Spence administration system and tested against the data quality standards set out by the Pensions Regulator.


documents for the ongoing client take-on. Prior to this client take-on a checklist was not used to evidence the progress on the client take-on process. Data migration and reconciliation has been carried out for the new client as well as a data audit to test the data quality standards. No exceptions noted.


Membership statistics are reconciled to the last set of audited Accounts and to control totals provided by the preceding administrator. Where necessary remedial action is proposed in the event that data Spence cannot carry out some or all of the services they have been contracted to perform.

appointed, a Fee & Service Agreement is issued for signature on behalf of the trustees and, except in exceptional circumstances, work should not commence until a signed Agreement is in place. The Agreement will be based on Spence template agreement, suitably

Agreement has been signed for the new client take-on in the period under review. No exceptions noted.

are being contracted to provide and the agreed method of charging. Production of the Fee & Service Agreement is carried out centrally to ensure appropriate control over the template to be used and, also, maintenance of a central record of all Agreements issued. Similarly, any amendments to the template agreement can only be made by certain individuals. Separate template Agreements are in place for corporate and trustee engagements.

with the trustees and the agreement with the corporate has been signed for new client take-on. No exceptions noted.


Only on receipt of a signed Fee & Service Agreement can the client be

The Fee & Service Agreement has been signed and scanned onto SharePoint.

able to record time against the client. Occasionally, due to time constraints, Spence may be required to carry out some work before it is possible to have the Agreement signed. In these circumstances, the work to be carried out and any expense limit will be agreed with the trustees and this will be conveyed in writing, typically when issuing the Fee & Service Agreement for signature. On receipt of a signed Agreement, this is scanned to SharePoint and tagged appropriately. Original Agreements are held centrally under the control of the Operations Director. In accordance with the procedures governing original documents these are held securely offsite. As part of the implementation process a copy of all scheme documentation is requested. This documentation is reviewed and forms the basis of any

No exceptions noted.

The client take on checklist has been completed for documentation received. No exceptions noted.

As part of the scheme installation process, scheme data is installed and audited, with any queries raised with the client manager. Data is analysed using Spence’s bespoke data audit software, which generates reports that identify any gaps or errors in the data received.


migration projects that a checklist is maintained, data reconciled to source and sign offs evidenced. A query log was kept with actions taken to close. No exceptions noted.

CONTROL OBJECTIVE

Prior to commencement of administration services, the data team’s business analyst reconciles scheme data provided by the previous administrator to Spence’s administration system, and raises any exceptions regarding missing or incorrect data with the client manager. Reports generated by the data audit, along with correspondence to resolve any data gaps or errors, are held on our document management system. Scheme data reconciliations and correspondence relating to the follow up

as evidenced by the sign off on the scheme installation checklist. Copies of work relating to the installation are held on our document management system.

AUDIT FINDINGS


Wherever possible, Spence request sight of any preceding administrators’

Reviewed individual announcement letter for a new client take on

and practice to establish any precedent in areas of interpretation of the Rules where this might not be clear and where

senior employee of the client. No exceptions noted.

for example where senior employees have an entitlement to different announcement letter.


the administrator and reviewed by the client manager. Where appropriate the

for the new client take on ensuring that it had been signed off by the administrator and reviewer. There was no need for review and sign off by the trustees and scheme legal advisors.

signed off by the trustees and/or the scheme’s legal advisers, particularly if there is any ambiguity in interpretation or if there is any concern that the

No exceptions noted.

legislative requirements. All documentation is scanned, indexed and held in a prescribed format in a

have been saved to the SharePoint document centre.

of reference. No exceptions noted.

2. Authorising and processing transactions

procedure Procedures are followed for banking cheques and electronic credits and contributions monitoring whereby all cheques received are logged and banked on the same day by the Business Support Team (BST). Electronic credits are logged by the fund accounts team. The paperwork accompanying the cheque/ electronic credit is passed to the fund accounting team who prepare a deposit form and update the transaction on QuickBooks to record receipt of the contributions. The deposit form is signed

For each of the months selected underlying documentation was in place to support the contribution receipt and that the deposit form was signed off by the necessary signatories. No exceptions noted.


The contributions monitoring spreadsheet is reviewed on the 15th of each month and any outstanding contributions usually received by that date are followed up. The receipt of the remainder is monitored. Any

For each of the months selected, ensured that contributions are paid in accordance with a schedule agreed between the employer and the trustees with member contributions having to be paid to the trustees before the 19th.

to the client manager, actuary and trustees. They are recorded on the breaches log which is on the agenda at the quarterly board meetings.

or ‘other’ e.g. phone call, verbally, as per the SharePoint User Guide. A work is associated with an existing task) Administrators complete the appropriate checklist accessed from the Checklists Templates document list on the Intranet.

No exceptions noted.

selected, ensured that processing requests are authorised and checked prior to submission, payments are processed accurately and on a timely basis, and the appropriate checklist is completed and signed by the relevant administrators. No exceptions noted.


Calculations are carried out by an administrator in accordance with the scheme rules with reference to the appropriate. All calculations are checked by a senior administrator or administration manager. Approval

completed and signed off by two members of the administration team. No exceptions noted.

calculations and documents prepared, along with the checklist. All transfer value calculations are carried out and checked by the actuarial department. by the administrator and the administration manager with the aim service level agreement agreed with the client. Once all items have been approved they can be processed and then submitted to the document centre. Procedures are followed for making cheques and electronic payments from the scheme bank account. Payments are processed by the fund accountant within 1 day of the request and with the appropriate backing papers detailing the amount payable. Payment withdrawal forms are requested, processed and checked by separate staff and cheques/ electronic payment instructions are signed in accordance with the bank mandate by staff who are different from the requestor, processor and checker. Once a task has been completed it is


selected, ensured that payments are processed accurately and on a timely basis, and the appropriate checklist is completed and signed by the relevant administrators. No exceptions noted.

CONTROL OBJECTIVE

Monthly payrolls are checked and approved for payment by the administrator. The administrator will reconcile any changes to the payroll against the administration data to check that the correct pensions are being paid. Pension increases are calculated in accordance with the scheme rules.

AUDIT FINDINGS

been checked and approved for payment by two members of the administration team. No exceptions noted.

for the increases to be calculated either on anniversary or annually depending on the scheme rules. The increases are checked by a senior administrator and a checklist is completed.

and other records For schemes that have active members a pre renewal schedules to be sent to each client site prior to the renewal date. A checklist is updated throughout the process. Once all the data has been returned the administrator follows the annual renewal checklist and updates members’ salary and status data which is reconciled against the data received from the client. Any discrepancies are investigated and resolved. The renewal is

that the scheme data has been updated and reconciled against data received from the client. Ensured that a renewal checklist had been completed for each scheme and that the checklist had been peer reviewed. No exceptions noted.

for each active member are produced. All calculations and statements are checked by a senior administrator.


Where applicable, member data is also kept up to date through periodic and ad hoc data loads including payroll data, pension increase data and changes to personal details. The information relating to these data loads is provided to the data team. On receipt of data a business analyst follows the scheme update checklist to load the data onto Spence’s administration system. The data is reconciled back to the source data. Copies of work relating to data loads are held on our document management system.

For a sample of data loads ensured that the scheme update checklist

Any changes to the scheme membership are recorded on our administration database when advised by members or clients or trustees. When calls are

For a sample of schemes ensured that the member’s details are updated, the relevant backing documentation is received,

sought by asking for date of birth and national insurance number. Changes can be made on receipt in writing from members. Ad hoc checklists are completed and backing documentation

the appropriate checklist is completed and peer reviewed.

All changes are checked by another administrator. Following a new application, cessation of service, the member’s status is updated on our administration database. An approval member print for any status changes and the appropriate checklist is completed and checked by a senior administrator.


the checklist is maintained on the document management system. No exceptions noted.

No exceptions noted.


Movements in active, deferred and pensioner numbers are reconciled on an annual basis as part of the accounts preparation process. Any discrepancies are investigated and resolved.

Ensured that a periodic report on membership is prepared for a sample of schemes, a checklist had been completed for each scheme and that the checklist had been peer reviewed. No exceptions noted.

Receipt of any documentation from members or third parties is scanned onto SharePoint and checked by the administrator. Documentation for transfers out includes the discharge forms (CETV CO, CETV Enhanced CO, CETV Enhanced FS & MP CI) signed by the member and details of the receiving scheme and for deaths and retirements includes birth/

that the relevant forms have been signed, client documentation has been scanned onto the system and checklists completed. No exceptions noted.

forms and trustee or company authorisation where required. Copies of the document centre. Any original documents are returned to the member by recorded delivery. The pension payroll provider is advised of any new pensions to be added to the payroll using a New Pensioner Advice form which is checked by another administrator. The cessation of a pension on for example a pensioner death is advised to the pension payroll provider immediately by the administrator.

pension payroll provider for a sample of deaths. No exceptions noted.


Each scheme has its own separate bank account. Passwords are required to access each scheme account. All credits and payments are recorded on a scheme cashbook following the procedures for banking cheques and electronic credits and the procedures for making cheques and electronic payments from the scheme bank account. The scheme

scheme bank accounts throughout the period that reconciliation had been carried out either monthly or quarterly and peer reviewed. No exceptions noted.

supporting documentation and the amount received is checked against any scheme withdrawal form is checked

The procedures for carrying out bank reconciliations are followed whereby the cashbook is reconciled against the bank statement for the trust account each month/quarter and any anomalies are investigated. Bank reconciliations are completed within 5 working days of receipt of the bank statement unless queries arise which cause a delay. Uncashed cheques are monitored by the fund accountant and if more than scheme administrator. The cheque system is reviewed and any outstanding lodgements are processed or queried and cleared down. Bank statements and the bank reconciliation

From our sample of contributions made by cheque, all lodgements had been cleared down and the bank

paper copies of bank statements are

No exceptions noted.

separate folder.


CONTROL OBJECTIVE

As part of the annual scheme accounting process the fund accountant reconciles the contributions to the schedule of the member movement report produced from our administration database. Any discrepancies are investigated and resolved.

AUDIT FINDINGS

are paid in accordance with a schedule agreed between the employer and the trustees, and obtained evidence that for a late contribution, the details had been appropriately recorded in to Trustee Board. No exceptions noted.

As part of the annual accounting process, the fund accountant reconciles the investment valuation, investment income, purchases and sales with data received from the investment managers. Any discrepancies are checked and investigated by the fund accountant. Investments and disinvestments in the scheme cashbook are reconciled to the investment manager’s transactions. Journals are posted to the trial balance and period end balances inserted into the accounts template on an annual basis in accordance with the Statement of Recommended Practice (SORP) and disclosure regulations.

reconciliations are carried out with the investment manager’s data records. No exceptions noted.

the template used to prepare the accounts is in accordance with SORP and disclosure regulations and have been peer reviewed. No exceptions noted.

but are sent to the legal advisers, trustees or offsite storage. All scheme SharePoint. Scheme documents are

that any original documents are lodged with the Scheme’s legal advisors or held securely offsite and have been scanned onto SharePoint.

Any new or amending documentation is

No exceptions noted.

latest scheme documentation is


4. Safeguarding Assets

Access to Spence’s premises is restricted to authorised personnel. Additional restrictions are in place in respect of access to IT areas.

place at the to prevent unauthorised additional restrictions to authorised personnel only for access to the server room. No exceptions noted.

Passwords are used by individual members of staff and PCs are locked when staff are away from their desks. Only the IT team can set up access to systems and access to scheme data on our administration database.

Tested as part of IT section.

Access to Spence’s networks and administration database is restricted to authorised individuals, who gain access with unique logins and passwords that are compliant with industry standards.

Tested as part of IT section.

No exceptions noted.

No exceptions noted.

Segregation of duties rules for pensions administrators are enforced by security

pensions administrators based on their roles and responsibilities. User access to the systems is reviewed on a regular basis. Responsibility for ensuring that the collection and use of data complies with data protection law is allocated to the data protection manager. All new staff are given data protection training when they join the business, and refresher training is given periodically. Staff sign

attendance at Data Protection training is maintained and is up to date. All new staff are given data protection training when they join the business and periodically thereafter. No exceptions noted.

copy of which is held on their HR record.


CONTROL OBJECTIVE

Member and scheme data is stored electronically on our administration database and SharePoint. Any data/ correspondence held in paper form pre-dating the introduction of SharePoint is securely held offsite. Spence outsource their off-site storage and archive facilities to a specialist organisation. In the event it is necessary

AUDIT FINDINGS

the administration database and SharePoint and the existence of the SLA in place with the off-site storage company. No exceptions noted.

scanned to the system and the originals returned to off-site storage. All incoming correspondence is scanned using Knowledge Lake software by the business support team. Outgoing mail functionality. No paper is retained in the work area and any printed material from the system is securely destroyed.

correspondence is scanned to SharePoint and for a sample of outgoing correspondence ensured that there was evidence the correspondence had been peer reviewed prior to being sent out. No exceptions noted.

The Business Continuity Plan (BCP) sets out the processes and procedures used to counteract interruptions to business activities and to protect critical business processes from the effects of failures or disasters affecting our information and broader IT systems and to ensure their timely resumption. Spence have obtained ISO27001 (data security) accreditation.

place and that events triggering the and recommendations. No exceptions noted.

Tested as part of IT section. No exceptions noted.


CONTROL OBJECTIVE

When taking on the administration of the trust account, bank forms and required information is sent to the bank along with a copy of the trust deed. cheque signatories and appropriate documentation is forwarded to the bank.

AUDIT FINDINGS

selected that for new bank accounts opened application forms and mandate papers had been obtained with evidence of authorised signature by the trustees. Also cheque signatory documentation was secure. No exceptions noted.

Cheques are banked on the day of receipt unless they are subject to query. Payments are processed on the same day or the next day. Cash movements are recorded on a daily basis on the internal accounting system.

Tested as part of section 2, Authorising and Processing Transactions.

Trust account balances are circulated to the administration team and any of the client managers who have requested bi-monthly updates (approximately on 1st and 15th day of each month). Payments are requested, processed and checked by separate individuals. Two cheque signatories are required for all payments and are different from the requester, processor and checker.

Tested as part of section 2, Authorising and Processing Transactions.

Cheque books are held in a secure location only accessible by staff.

No exceptions noted.

No exceptions noted.

are held in a secure location only accessible by staff. No exceptions noted.


investment or disinvestments are carried administrator ensures that the investment manager processes the investment/disinvestment and the disinvestment amount requested is received into the scheme bank account.

administrator, reviewed by the scheme administrator and signature approval received. No exceptions noted.

Scheme expenses are not processed unless authorised by the relevant authoriser on the invoice, by email or in

Tested as part of section 2, Authorising and Processing Transactions.

also needs to be aware of the payment.

No exceptions noted.

5. Monitoring Compliance

The procedures for contributions monitoring are followed. The credit is logged and at the same time processed on the accounting system. Cheques are banked on the same day unless a query arises. A scanned copy of the latest Schedule of Contributions is held on SharePoint. The amounts due are entered on the contributions monitoring spreadsheet and monitored. Any unusual differences are investigated. The contributions monitoring spreadsheet is reviewed on the 15th of each month and any outstanding contributions usually received by that date are followed up. The receipt of the remainder is monitored. Any

Tested as part of section 2, Authorising and Processing Transactions. For the sample selected, obtained evidence that any late contributions had been appropriately recorded in the compliance breaches log and had been brought to the attention of the relevant actuary or trustees. No exceptions noted.

to the client manager, actuary and trustees. They are recorded on the breaches log which is on the agenda at the quarterly board meetings.


Service level agreements (SLAs) are agreed with the trustees and the administration team aim to carry out services and tasks accurately and

Ensured for a sample of schemes that signed SLAs are in place between Spence and the trustees for the relevant schemes selected. No exceptions noted.

tasks carried out by the administration team. As soon as a task is initiated administrator (the owner). Each task when the task begins and when it ends. As a control an administrator cannot record time against a task unless it therefore ensuring that all tasks are recorded on the system. Tasks appear on the owners’ task list in Outlook in order of priority according to deadline date. The tasks are therefore easily monitored by the owner. Reports can SLAs and statutory deadlines can be monitored. The administrator and the administration manager monitor each task against the service standards and disclosure deadlines so as to highlight any instances where service standards are being breached. Service standards are always shorter than disclosure deadlines and therefore disclosure breaches should be avoided unless extenuating circumstances arise. Administration reports’ contents and frequency are agreed by the scheme trustees. They will contain a report undertaken during the relevant period and whether the SLAs have been met. This allows the trustees to monitor the administrators’ performance.


noted that Spence have internal reporting deadlines which are shorter than disclosure deadlines, therefore minimising the number of service standards being breached. Also in owners’ Outlook highlighting and acting as a reminder of tasks to be completed. No exceptions noted.


Procedures are followed for errors & omissions whereby any transaction

From a sample of transaction errors recorded during the period,

administrator to their line manager and the client manager. Details of the error or omission are entered in the appropriate section in the ‘Regulatory Breaches Log’ and consideration is given to the need for any further action that may be required. All errors and

No exceptions noted.

of directors as part of the internal management information reporting process. The client manager/scheme actuary determine if any further action is required and notify the relevant parties to implement.


6. Reporting to Clients

A report of members reaching normal retirement date in the next 12 months is produced as part of the stewardship report. Any other movement requiring trustee approval is also recorded and detailed on the stewardship report. Stewardship reports are provided for each scheme as agreed by the trustees and client manager. The reports contain membership details provided from our administration database and a reconciliation of membership is carried out. They also contain details of any member movements for the period of the report. When the scheme administrator has checked the report it is forwarded to the client manager for issue to the trustees.

selected that stewardship reports are prepared detailing member movements in each period and that the report is peer reviewed before being issued to trustees. No exceptions noted.

For schemes that have active members for pre renewal schedules to be sent to each client site prior to the renewal date. A checklist is updated throughout the process. Once all the data has been returned the administrator follows the annual renewal checklist and updates members’ salary and status data which is reconciled against the data received from the client. Any discrepancies are investigated and resolved. The renewal for each active member are produced. All calculations and statements are checked by a senior administrator.


schemes selected that members’ data is kept up to date via an annual data load as part of the renewal process, differences are investigated and resolved, annual membership schedules are prepared and peer reviewed before being sent to members. No exceptions noted.

CONTROL OBJECTIVE

Annual reports and accounts are prepared using the accounts template which complies with the latest Statement of Recommended Practice (SORP) for pension schemes. Any changes to the standard template are logged on a proposed amendments spreadsheet. As part of the drafting process annual reports are peer reviewed by another fund accountant in the team prior to audit. Evidence of peer review is maintained through the SharePoint functionality. A report and accounts project is set up to record completion of each task by the statutory deadline.

AUDIT FINDINGS

format was in place for the creation of annual reports and accounts and that this format has been updated as a result of the most for a sample of annual reports prepared, that they have been checked by a second member of and accuracy, and signed by both the trustees and auditors. No exceptions noted.

Initially a timetable is set for signing are scheduled to monitor progress of the report and accounts projects against the statutory deadlines. Following the meeting a report is circulated to the client management team.


7. Restricting access to systems and data

sites, Belfast and Glasgow. Physical and Environmental Process (ISP 09) outlines rooms, facilities, protecting against external and environmental threats, working in secure areas, public access, delivery and loading areas, equipment security, power supplies, cabling security, equipment maintenance, secure disposal or re-use of equipment, removal of property. Critical on-site server and network equipment are located in secure server rooms in both locations. Access is restricted to those who hold keys or key codes and only these key/key code holders can admit others (e.g. engineers). Only the Head of Business Support or directors can authorise the issue of keys/

are given keys as approved and issued by the Business Support team who maintain a list of key holders. Opening and closing procedures for each location have been issued to all staff and awareness training has been conducted. A key fob is required is issued to all staff.


As pension administration activity is largely performed from the Belfast

secure and that only authorised persons can access the secure server room where a visitors log is completed upon entry and exit and the documentation room. No exceptions noted.


Staff inform the Business Support team if keys or key fobs are lost. to entry by a keypad code in Belfast and a key fob in Glasgow which is only provided to staff. Access to storage to staff in possession of a key fob. are locked by individual staff. Other authorised personnel (e.g. temporary staff and cleaners) are issued with key pad codes and key fobs providing to restricted areas. Any visitors are recorded in the visitors’ books and are issued with a pass which contains their name, company, who they are visiting and the time and date of entry. Passes are returned to reception on leaving.

build to have password protection, and users do not have the right to override this. This is controlled via active directory. All laptops are encrypted, no data allowed to be stored locally. External devices are forcibly encrypted. Access Control Process (ISP 11).

authorised personnel and the outsourced provider of IT services, Novosco Limited, have access to change passwords via active directory. No exceptions noted.


The company enforces a clear desk and clear screen policy. This is enforced

documentation is held in the secure

Policy. Security Training and awareness sessions are run periodically for all staff.

and offsite with the off-site storage company.

Any client correspondence or documentation containing client information left on any desk or on the printers at the end of each day

Reviewed a sample of minutes from the Information Security Focus Group

waste. Individual staff members are accountable. An Information Security Focus Group manage all security weaknesses and vulnerabilities and meet quarterly and /or when required to review risks, vulnerabilities, treatment, corrective and preventive plans. All security events / weaknesses are analysed for root cause and business impact reviewed and issues escalated to Board for further action.

No exceptions noted.

Documentation is either stored electronically on the network or inpaper form. Documentation in paper form is generally stored off-site in secure storage facilities with Doxbond (for local (based in Glasgow). When there is a need for paper documentation to be secure storage areas in accordance with our clear desk policy.

AAF01/06 Report on Internal Controls

logged security events/weaknesses.

CONTROL OBJECTIVE

AUDIT FINDINGS

As part of the Human Resources Security Process (ISP 08), upon termination of employment all access rights are disabled, any IT assets (e.g. laptop, BlackBerry, keys or fobs) are returned and codes are changed.

Confirmed for employee leavers that access rights are disabled, all assets returned and door access codes changed. No exceptions noted.

All access to computer equipment and systems is protected by passwords. Passwords expire after 42 days and users are prompted to change them. The domain security policy requires that passwords are complex, at least 8 characters in length and alphanumeric. This is detailed in the company's security policy, backed up by the Access Control Process (ISP 11). Access to data stored on the network is restricted using appropriate permissions. Functional groups of users are maintained, each with appropriate levels of access permission based upon job function. Only the outsourced IT provider and the Authorised IT Representative can amend an individual's permissions. Details of the restrictions in place on the network are documented. Most of the application software used is not restricted to authorised individuals; however, some applications, for example cash management and pensions administration, are restricted to only those who have the associated privilege. User access is approved by line managers and actioned by the outsourced IT provider. (ISP 11 Access Control)

Reviewed the password policy and change control request process. No exceptions noted.
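A reviewer testing the password control described above would check the live domain configuration rather than only the written policy. The following PowerShell script is an added example, not part of this report and not Spence's or Novosco's own tooling; it assumes the RSAT ActiveDirectory module on a domain-joined host, and the 42-day expiry, 8-character minimum and complexity requirement are taken from the paragraph above. Besides the default domain policy it lists two things that silently weaken such a control in any Active Directory domain: fine-grained password policies (PSOs) with laxer settings, and enabled accounts flagged "password never expires".

```powershell
# Added example: verify the Active Directory password controls stated in the report.
# Assumes the RSAT ActiveDirectory module; the expected values are the report's stated policy.
Import-Module ActiveDirectory

$Expected = @{
    MaxPasswordAge    = New-TimeSpan -Days 42   # "Passwords expire after 42 days"
    MinPasswordLength = 8                       # "at least 8 characters in length"
    ComplexityEnabled = $true                   # "passwords must be complex"
}

function Test-PasswordSettings {
    # Returns the ways a policy object is weaker than $Expected (empty = compliant).
    param($Policy, [hashtable]$Expected)
    $weak = @()
    # A MaxPasswordAge of zero means "never expires", which is weaker than any finite age.
    if ($Policy.MaxPasswordAge -eq [TimeSpan]::Zero -or $Policy.MaxPasswordAge -gt $Expected.MaxPasswordAge) {
        $weak += "MaxPasswordAge=$($Policy.MaxPasswordAge.Days)d (expected <= $($Expected.MaxPasswordAge.Days)d)"
    }
    if ($Policy.MinPasswordLength -lt $Expected.MinPasswordLength) {
        $weak += "MinPasswordLength=$($Policy.MinPasswordLength) (expected >= $($Expected.MinPasswordLength))"
    }
    if ($Expected.ComplexityEnabled -and -not $Policy.ComplexityEnabled) {
        $weak += 'ComplexityEnabled=False'
    }
    return $weak
}

function Test-DomainPasswordControl {
    param([hashtable]$Expected)
    $findings = @()

    # 1. The default domain policy (the "domain security policy" the report refers to).
    $default = Get-ADDefaultDomainPasswordPolicy
    foreach ($w in Test-PasswordSettings -Policy $default -Expected $Expected) {
        $findings += [pscustomobject]@{ Scope = 'Default domain policy'; Finding = $w }
    }

    # 2. Fine-grained policies override the default for the principals they apply to.
    foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
        foreach ($w in Test-PasswordSettings -Policy $pso -Expected $Expected) {
            $findings += [pscustomobject]@{ Scope = "PSO $($pso.Name) (precedence $($pso.Precedence))"; Finding = $w }
        }
    }

    # 3. A per-account flag that bypasses expiry entirely, whatever the policy says.
    $never = Get-ADUser -Filter "PasswordNeverExpires -eq 'True' -and Enabled -eq 'True'" -Properties PasswordNeverExpires
    foreach ($u in $never) {
        $findings += [pscustomobject]@{ Scope = "Account $($u.SamAccountName)"; Finding = 'PasswordNeverExpires is set' }
    }

    return $findings
}

$results = @(Test-DomainPasswordControl -Expected $Expected)
if ($results.Count -eq 0) { 'Password control compliant: no exceptions noted.' }
else { $results | Sort-Object Scope | Format-Table -AutoSize }
```

Run it as a domain user with read access to the domain; reading PSOs requires permission on the Password Settings Container, so an empty PSO list should be confirmed rather than assumed. Every row it prints is an exception a reviewer would have to explain against the stated control.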


CONTROL OBJECTIVE

AUDIT FINDINGS

Network and application access is assigned to users based on their functional groups. Access rights are reviewed and amended as necessary, i.e. when roles change or new members of staff join the company. (ISP 11 Access Control)

Inspected the review of functional group membership showing user permissions and the exception report of any changes made. No exceptions noted.
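The review described above (functional group membership plus an exception report of changes) can be produced from Active Directory directly. The script below is an added example rather than the report's or the company's own procedure; the group names and the snapshot directory are assumptions and must be replaced with the real ones. It records one row per group membership, compares the current state with the last reviewed snapshot to list additions and removals, and separately flags disabled accounts that still hold membership, which is the residue the leaver process (ISP 08) is meant to remove.

```powershell
# Added example: periodic functional-group access review with an exception report.
# Group names and the snapshot directory are assumptions; substitute the real ones.
Import-Module ActiveDirectory

$FunctionalGroups = @('App-PensionsAdmin', 'App-CashManagement')   # assumed group names
$SnapshotDir      = 'C:\Audit\GroupSnapshots'                      # assumed location

function Get-GroupSnapshot {
    # One row per (group, user) pair, including nested membership, with the account state.
    param([string[]]$Groups)
    foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties Enabled |
            ForEach-Object {
                [pscustomobject]@{ Group = $g; User = $_.SamAccountName; Enabled = [bool]$_.Enabled }
            }
    }
}

function Compare-GroupSnapshot {
    # Exception report: memberships added or removed since the last reviewed snapshot,
    # plus disabled accounts that still hold membership (leaver process not completed).
    param([object[]]$Previous, [object[]]$Current)
    $exceptions = @()
    $prevKeys = @{}
    foreach ($m in $Previous) { $prevKeys["$($m.Group)|$($m.User)"] = $m }
    $currKeys = @{}
    foreach ($m in $Current)  { $currKeys["$($m.Group)|$($m.User)"] = $m }

    foreach ($k in $currKeys.Keys) {
        if (-not $prevKeys.ContainsKey($k)) {
            $m = $currKeys[$k]
            $exceptions += [pscustomobject]@{ Type = 'ADDED'; Group = $m.Group; User = $m.User }
        }
    }
    foreach ($k in $prevKeys.Keys) {
        if (-not $currKeys.ContainsKey($k)) {
            $m = $prevKeys[$k]
            $exceptions += [pscustomobject]@{ Type = 'REMOVED'; Group = $m.Group; User = $m.User }
        }
    }
    foreach ($m in ($Current | Where-Object { -not $_.Enabled })) {
        $exceptions += [pscustomobject]@{ Type = 'DISABLED-MEMBER'; Group = $m.Group; User = $m.User }
    }
    return $exceptions
}

$current  = @(Get-GroupSnapshot -Groups $FunctionalGroups)
$latest   = Get-ChildItem -Path $SnapshotDir -Filter '*.csv' -ErrorAction SilentlyContinue |
            Sort-Object LastWriteTime | Select-Object -Last 1
$previous = if ($latest) { @(Import-Csv -Path $latest.FullName) } else { @() }

$report = @(Compare-GroupSnapshot -Previous $previous -Current $current)
if ($report.Count -eq 0) { 'No membership changes since the last review; no exceptions noted.' }
else { $report | Sort-Object Type, Group, User | Format-Table -AutoSize }

# Save today's snapshot as the baseline for the next review.
New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
$current | Export-Csv -Path (Join-Path $SnapshotDir ('groups-{0:yyyyMMdd}.csv' -f (Get-Date))) -NoTypeInformation
```

On the first run there is no baseline, so every membership is reported as ADDED and becomes the reviewed starting point; each later run lists only the changes, which is the form an exception report takes. Each ADDED row should trace back to a line manager approval, and any DISABLED-MEMBER row is a leaver whose access was disabled but not removed.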

Access to the administration system is controlled by Windows authentication. Segregation of duties and rules are defined for individuals and aligned to their roles and responsibilities. The rules associated with each user determine the schemes to which they have access, the functionality they can access, the member records they can access, and whether they are permitted to amend data or view data only. Built into the administration system are security procedures controlling access to sensitive data and facilities. The audit trail facility records changes made to the data, including who made the changes and when.

Reviewed the audit trail showing the changes made to data, by whom and when, and access into the administration system. No exceptions noted.


CONTROL OBJECTIVE

AUDIT FINDINGS

8. Providing integrity and resilience to the information processing environment, commensurate with the value of the information held, information processing performed and external threats

All IT processing is carried out on desktop PCs in real time.

Confirmed that the administration system has built-in audit functionality and that all changes to data are recorded. Only the system administrator has access to the administration database. Key stages of processing are evidenced on a log with staff sign-offs and date of processing. No exceptions noted.

Email is used as the electronic means of communication in the business. The business utilises a combination of Microsoft Outlook and Microsoft Exchange Server to handle the storage and delivery of all business email. Individual staff members are responsible for complying with the procedure for password protecting documents containing sensitive data.

Confirmed from a sample of communications that data sent is password protected, followed up by a phone call to the recipient with the password. No exceptions noted.


CONTROL OBJECTIVE

All external access to the network is outsourced to ISO 27001 accredited IT experts Novosco Limited. Remote access set-up is authorised by the Change Control Process Owner and connections can only be made through VPN software or terminal services. A FortiGate firewall is used to control port access both in and out of the business and also to manage the company's VPNs. Firewalls are deployed at the perimeter of the network to protect the internal devices and also to control and protect outgoing traffic. Email is filtered for any email threats, i.e. viruses/spyware and inappropriate content. Inappropriate content also triggers a rules-based alerting system that keeps staff members aware of any trends requiring action. Trend Anti-Virus software is installed on all servers, desktops and laptops and is designed to keep users safe from viruses and other forms of online malicious threats. The deployment of Trend, including updates, is centrally controlled and monitored by Novosco Limited.


AUDIT FINDINGS

Confirmed anti-virus applications in place. No exceptions noted.

CONTROL OBJECTIVE

Critical on-site server and network equipment are located in secure server rooms accessible by authorised staff who hold a key or key code. The server rooms are equipped with air-conditioning systems which are maintained on a regular basis. A system is in place to control the temperature [...] located nearby.

AUDIT FINDINGS

Confirmed that secure server rooms are in operation, subject to environmental controls and can only be accessed by authorised personnel. No exceptions noted.

9. Maintaining and developing systems hardware and software

Our pension administration technologies have not required migration. Any such process would follow our change management procedures as described in Maintaining and developing systems hardware and software. For new scheme implementations please refer to Accepting clients. For periodic and ad hoc data loads and other records.

Reviewed the Operational Change Control procedure. No projects were undertaken during the year that required the Operational Change Control procedure to be followed. No exceptions noted.


CONTROL OBJECTIVE

AUDIT FINDINGS

Any changes to existing, or the implementation of new, infrastructure and systems follows the Operational Change Control process outlined in ISP 10 Communications & Operations Process.


Changes are classified as Major Change or Minor Change. Major Change examples include:
- Server OS upgrade/security patch
- Server hardware upgrade/replacement
- Implementation of a new software package
- Changes to system or network security
- Changes to web site functionality, or additional modules/improvements

A Major Change will typically be a planned implementation and this will be discussed at Managed Service reviews with Novosco or ad hoc as required. When a major change is required, business impact is reviewed and formal sign-off and authorisation is required. (ISP 10 Communications and Operations Process)


CONTROL OBJECTIVE

The data team are responsible for data migration projects. A scheme installation checklist is completed which follows the key stages of the migration. Logs are maintained of all issues along with details of their resolution. The results of sample data checks and the reconciliation are reviewed by the data team manager to ensure procedures have been followed.

AUDIT FINDINGS

Confirmed for migration projects that a checklist is maintained, data reconciled to source and sign-offs evidenced. A query log was kept with actions taken to close. No exceptions noted.

10. Recovering from processing interruptions

Spence have engaged with Novosco on a CloudStream Backup Managed Service contract based upon EMC Avamar technology. This solution removes the reliance on physical tape and hardware devices to provide local backup, whilst at the same time providing a faster and more reliable recovery time in the event of a major incident. This backs up server data and operating systems to a data centre that is ISO 27001 certified. The data centre is located in Belfast. Spence receive a full backup on a daily basis. Backups consist of any changes since the previous backup, achieved by only storing unique daily changes while always maintaining daily full backups for immediate single-step restore.

Reviewed the Backup Managed Service contract and confirmed that a backup to physical tape takes place on a weekly basis. No exceptions noted.


CONTROL OBJECTIVE

All data is saved to servers with RAID disk systems (typically RAID 5) which protect against the loss of data through media failure. The CEO controls the ordering process and what may be purchased. Replication software and Windows Shadow Copy software are reviewed periodically to ensure they are functioning correctly. Windows Shadow Copy is enabled across all storage servers, allowing instant restoration of deleted or changed files, with snapshots taken not less than two times per day. Spence outsource the provision of IT services to Novosco Limited. Documented service level agreements are in place. Novosco operate a helpdesk and calls are logged and assigned unique reference numbers. An alarm system triggers at the helpdesk if calls are not processed within an agreed timescale. The internal IT representative can access the helpdesk logging system and monitors the progress of all calls raised. (ISP 06 Organisation of Information Security)

AUDIT FINDINGS

Confirmed that Windows Shadow Copy was being used and that backup of data occurs every day at 7am and noon. No exceptions noted.
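The finding that shadow copies are taken at 7am and noon is the kind of statement a reviewer can verify on the storage server itself rather than from the schedule alone. The PowerShell script below is an added example and not part of the report or of the company's tooling; it takes the two snapshot times from the finding above, treats a 30-minute scheduler tolerance as an assumption, and reads the snapshots that actually exist through the Win32_ShadowCopy WMI class, matching them to every fixed volume on the host.

```powershell
# Added example: confirm Windows Shadow Copy produced today's 07:00 and 12:00 snapshots
# on every fixed volume. Run on the storage server in an elevated session.
$ExpectedTimes = @('07:00', '12:00')   # from the audit finding
$ToleranceMin  = 30                    # assumption: drift allowed around each scheduled time

function Test-ShadowCopySchedule {
    param([string[]]$ExpectedTimes, [int]$ToleranceMin, [datetime]$Day = (Get-Date).Date)

    $dayEnd = $Day.AddDays(1)
    # Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID both use the \\?\Volume{GUID}\ form.
    $copies  = @(Get-CimInstance -ClassName Win32_ShadowCopy |
                 Where-Object { $_.InstallDate -ge $Day -and $_.InstallDate -lt $dayEnd })
    $volumes = @(Get-CimInstance -ClassName Win32_Volume |
                 Where-Object { $_.DriveType -eq 3 -and $_.DriveLetter })   # fixed disks with a letter

    foreach ($v in $volumes) {
        $onVolume = @($copies | Where-Object { $_.VolumeName -eq $v.DeviceID })
        foreach ($t in $ExpectedTimes) {
            $due = $Day + [TimeSpan]::Parse($t)
            if ($due -gt (Get-Date)) { continue }   # not yet due today; nothing to check
            $match = @($onVolume | Where-Object {
                [math]::Abs(($_.InstallDate - $due).TotalMinutes) -le $ToleranceMin })
            $snapshot = if ($match.Count -gt 0) { $match[0].InstallDate } else { $null }
            [pscustomobject]@{
                Volume   = $v.DriveLetter
                Due      = $due
                Found    = ($match.Count -gt 0)
                Snapshot = $snapshot
            }
        }
    }
}

$results = @(Test-ShadowCopySchedule -ExpectedTimes $ExpectedTimes -ToleranceMin $ToleranceMin)
$results | Format-Table -AutoSize
$missing = @($results | Where-Object { -not $_.Found })
if ($missing.Count -eq 0) { 'All expected shadow copies present; no exceptions noted.' }
else { "Missing snapshots: $($missing.Count) (see rows with Found = False)" }
```

Querying Win32_ShadowCopy needs administrative rights; in a non-elevated session it returns nothing and every due time is reported as missing, so an all-missing result should first be read as a permissions problem. A row with Found = False after the tolerance has passed is the exception to raise, since it means the restore point the control relies on does not exist for that volume.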


CONTROL OBJECTIVE

This Business Continuity Plan (BCP) details processes to minimise the impact on the organisation and recover from loss of information assets (which may be the result of, for example, natural disasters, accidents, equipment failures and deliberate actions) to an acceptable level through a combination of preventive and recovery controls to ensure their timely resumption. The critical business processes and information security management requirements of the business (operations, Spence third party resourcing, information/data hard copy and facilities) have also been included. The BCP provides a framework for managing vulnerability and threat in the event of incidents of catastrophic failure as well as other unforeseen events. Hard copies of the BCP and supporting documents are held securely by the BCP Manager and Gold team members. The BCP and supporting documents for the Information Security Management System are in line with the ISO 27001 framework and guidelines taken from the BS 25999 Part 2 Business Continuity Management Standard. All plans are based around recovery point, time and capacity objectives that have been agreed with the business. Maintenance of the plans is controlled as part of the evaluation of each disaster recovery event.

AUDIT FINDINGS

Confirmed that a BCP is in place and that events triggering the BCP are summarised. No exceptions noted.


CONTROL OBJECTIVE

AUDIT FINDINGS

Spence work securely within a virtual environment. In the event of the failure of a physical server, functionality is temporarily transferred to other servers via automated dynamic resource allocation processes, minimising interruption to business operations. The IT infrastructure and data centre facilitate the continuation of business operations.

The Spence BCP Team are ultimately responsible for designing and maintaining the Business Continuity Plan. The main BCP is managed and implemented by the BCP Manager and deputy. A command structure is in place to manage an incident. We have adopted the Gold/Silver command structure, as widely used elsewhere in contingency planning. This ensures an effective division of duty between command and control and operational recovery responsibilities. Several key Spence third party resources will form this command structure. (ISP 14 Business Continuity; BCP test log and results 2011 to 2012)


Reviewed the BCP testing schedule, test log and BCP incidents log for the period under review. No exceptions noted.

CONTROL OBJECTIVE

AUDIT FINDINGS

11. Monitoring compliance

Spence outsource the provision of IT services to Novosco Limited. Documented service level agreements are in place, covered by appropriate contracts and monitored by the directors. Regular governance and service review meetings are held. (ISP 06 Organisation of Information Security, ISP 10 Communications and Operations Management)

Confirmed that regular governance and service review meetings are held with Novosco Limited by review of minutes of meetings, and that a signed SLA is in place between Spence and Novosco. No exceptions noted.


Appendix 1 Letter of Engagement


Spence & Partners Limited
22 Great Victoria Street, Belfast BT2 7BA. T: +44 (0) 28 9041 2000
4 West Regent Street, Glasgow G2 1RW. T: +44 (0) 141 331 1004
1 Berkeley Street, London W1J 8DJ. T: +44 (0) 20 7495 5505
E: [email protected]
spenceandpartners.co.uk

Authorised and regulated by the Financial Services Authority. Registered No. NI37760